Google

Home
Most Popular
Petals

|
*
2007/07/10
 20:17:38

ds utilities and removing attributes

I needed to do some mass updates to Active Directory today, and decided it would be pointless to write a script if it can just be done quickly with the command line tools. With Server 2003, Microsoft added the ds* programs, which make certain things handy. Such as if you want to list all users whose usernames start with a, you can run dsquery user domainroot -samid a* -limit 0. If I wanted to set a roaming profile path for all those users, I can pipe it to dsmod like this: dsquery user domainroot -samid a* -limit 0|dsmod user -profile "profilepath".

So what do you think happens if you want to remove the profile setting? Apparently either the command parser or the tool treats "" like it doesn't exist rather than a blank field. When piping the list of DNs from the query, this results in the tool crashing and asking to submit an error report (it appears it doesn't handle additional input after that error condition well, not that it sees the first DN as a path and doesn't like it, as attempting to add other options didn't help).

In the end I found it easier to just modify my script that keeps AD in sync with the ERP data (using Net::LDAP) to also remove profile attributes from the subset I want. I guess at least there are tools that often work. Maybe the next version of Windows Server will improve this.