I needed to do some mass updates to Active Directory today, and decided it would be pointless to write a script if it can just be done quickly with the command-line tools. With Server 2003, Microsoft added the ds* programs, which make certain things handy. For example, if you want to list all users whose usernames start with a, you can run:

    dsquery user domainroot -samid a* -limit 0

If I wanted to set a roaming profile path for all those users, I can pipe it to dsmod like this:

    dsquery user domainroot -samid a* -limit 0|dsmod user -profile "profilepath"
So what do you think happens if you want to remove the profile setting? Apparently either the command parser or the tool treats "" like it doesn't exist rather than a blank field. When piping the list of DNs from the query, this results in the tool crashing and asking to submit an error report (it appears it doesn't handle additional input after that error condition well, not that it sees the first DN as a path and doesn't like it, as attempting to add other options didn't help).
In the end I found it easier to just modify my script that keeps AD in sync with the ERP data (using Net::LDAP) to also remove profile attributes from the subset I want. I guess at least there are tools that often work. Maybe the next version of Windows Server will improve this.
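An added example (not the author's sync script) of clearing the profile attribute over LDAP with Net::LDAP: in LDAP an attribute is cleared by deleting it, not by writing an empty string. The DC hostname, base DN, bind account, CA file path and the LDAP_BIND_PW environment variable are assumed placeholders.

```perl
#!/usr/bin/perl
# Added example: clear profilePath for users whose sAMAccountName starts with "a".
# Host, base DN, bind DN, CA file and LDAP_BIND_PW are placeholders (assumptions).
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Paged;
use Net::LDAP::Constant qw(LDAP_CONTROL_PAGED);

my $dry_run = 1;   # set to 0 to actually modify the directory

# LDAPS with certificate verification, so the bind password is not sent in the clear.
my $ldap = Net::LDAP->new('ldaps://dc01.example.com',
                          verify => 'require',
                          cafile => '/etc/ssl/certs/example-ca.pem')
    or die "connect failed: $@";

my $mesg = $ldap->bind('CN=svc-sync,OU=Service,DC=example,DC=com',
                       password => $ENV{LDAP_BIND_PW});
$mesg->code and die 'bind failed: ' . $mesg->error;

# Paged search: AD caps an unpaged search at MaxPageSize (1000 by default),
# the LDAP-side counterpart of passing -limit 0 to dsquery.
my $page = Net::LDAP::Control::Paged->new(size => 500);
my @dns;
while (1) {
    $mesg = $ldap->search(
        base    => 'DC=example,DC=com',
        scope   => 'sub',
        filter  => '(&(objectCategory=person)(objectClass=user)(sAMAccountName=a*)(profilePath=*))',
        attrs   => ['profilePath'],
        control => [$page],
    );
    $mesg->code and die 'search failed: ' . $mesg->error;
    push @dns, map { $_->dn } $mesg->entries;

    my ($resp) = $mesg->control(LDAP_CONTROL_PAGED) or last;
    my $cookie = $resp->cookie;
    last unless defined $cookie && length $cookie;
    $page->cookie($cookie);   # ask for the next page
}

for my $dn (@dns) {
    if ($dry_run) { print "would clear profilePath on $dn\n"; next; }
    # delete => [attr] removes the whole attribute from the entry.
    my $res = $ldap->modify($dn, delete => ['profilePath']);
    warn "failed on $dn: " . $res->error . "\n" if $res->code;
}
$ldap->unbind;
```

The (profilePath=*) clause limits the change to accounts that actually have the attribute set, so the delete does not fail on entries where it is already absent.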
So yesterday one of our Active Directory DCs failed due to running out of memory. Some of the fun error messages that ensued:
CN=Configuration,DC=<subdomain>,DC=<domain>,DC=<tld> <SiteName>\<DCName> via RPC DC object GUID: <GUID> Last attempt @ (never) was successful
Source: <SiteName>\<DCName> ******* 305 CONSECUTIVE FAILURES since (never)
The effects of KCC and dynamic replication partners...
Copyright ©2000-2008 Jeremy Mooney (jeremy-at-qux-dot-net)