Sunday, September 04, 2005 5:21 PM bart

Bulk Active Directory operations - an example

A couple of minutes ago I had to reset the passwords for a bulk series of demo accounts on a web server for web design courses. Some time ago we created 99 accounts in Active Directory which have - using FTP User Isolation - access to FTP as well as FrontPage Server Extensions. The idea is pretty simple: every user has a name "web%%" (web01 - web99) and a password "COURSEweb%%" (COURSEweb01 - COURSEweb99). However, last year's accounts did not work anymore because the passwords had expired. So, I had to write some app to reset the passwords in bulk. Initially I thought of using System.DirectoryServices with C# but I gave the command line a try. With success! Here is the result:

FOR /L %%I IN (1,1,9) DO dsmod user "CN=web0%%I,OU=Course,OU=Web Users,DC=mydomain,DC=local" -pwd COURSEweb0%%I -pwdneverexpires yes

FOR /L %%I IN (10,1,99) DO dsmod user "CN=web%%I,OU=Course,OU=Web Users,DC=mydomain,DC=local" -pwd COURSEweb%%I -pwdneverexpires yes

Note: I'm using two percent signs to refer to the variable because I need to store these two commands in a .bat file. If you run it directly from the command prompt, drop the extra percent sign in front of the variable %I.

As asked by the course instructor, I set the password to "never expire" to avoid future problems when he has to teach a course again and I'm not available. But don't do this with accounts that are not locked down. The accounts I'm managing here are locked down and can only be used through FTP and FPSE, with disk quota enforced and no rights on other folders.

Challenge for readers: If you find an elegant way to reduce both lines to just one line with 0-filling at the beginning of the account name and password, let me know. A one-line solution would be much cuter :-).

Another interesting script I deliver is one to disable/enable the accounts after/before lesson sessions:

FOR /L %%I IN (1,1,9) DO dsmod user "CN=web0%%I,OU=Course,OU=Web Users,DC=mydomain,DC=local" -disabled yes

FOR /L %%I IN (10,1,99) DO dsmod user "CN=web%%I,OU=Course,OU=Web Users,DC=mydomain,DC=local" -disabled yes

I guess you can infer the code to enable accounts yourself :-).
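
An added example, not part of the original post: the two loops can be collapsed into one by zero-padding the counter with delayed expansion, and the same loop can serve the reset, disable and enable cases. The script's reset/disable/enable argument and the dsget read-back after each change are assumptions of this example; the DN, account names and password pattern are the ones used above.

```bat
@echo off
rem Added example: one loop over web01..web99 with zero-padded names.
rem Usage: <script>.bat reset ^| disable ^| enable   (the argument is an assumption)
setlocal EnableDelayedExpansion
set "OU=OU=Course,OU=Web Users,DC=mydomain,DC=local"

if /I "%~1"=="reset"   goto run
if /I "%~1"=="disable" goto run
if /I "%~1"=="enable"  goto run
echo Usage: %~nx0 reset ^| disable ^| enable
exit /b 1

:run
FOR /L %%I IN (1,1,99) DO (
  rem Prefix a zero, then keep the last two characters: 1 -> 01, 42 -> 42.
  set "N=0%%I"
  set "N=!N:~-2!"
  set "DN=CN=web!N!,%OU%"

  if /I "%~1"=="reset"   dsmod user "!DN!" -pwd COURSEweb!N! -pwdneverexpires yes
  if /I "%~1"=="disable" dsmod user "!DN!" -disabled yes
  if /I "%~1"=="enable"  dsmod user "!DN!" -disabled no

  rem Read the flags back so the resulting state of each account is visible.
  dsget user "!DN!" -samid -disabled -pwdneverexpires
)
endlocal
```

Delayed expansion (the !N! syntax) is what lets the padded value be recomputed on every iteration; with plain %N% the variable would be expanded once, when the whole FOR block is parsed.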
