Earlier this year, I had a need in a project to set the password for a large number of Active Directory accounts simultaneously. Here’s the solution I came up with for this particular need.
To use this technique, you’ll need ldifde (included with Windows Server 2003), grep (included with Mac OS X and most Linux distributions; Win32 versions available on the Internet), a text editor with search and replace functionality (advanced geeks are free to use sed), and dsmod (from the Windows Server 2003 Resource Kit).
First, export the list of user accounts out of Active Directory using ldifde. The command will look something like this:
ldifde -d â€œCN=Users,DC=company,DC=comâ€ -r â€œ(objectclass=user)â€
This creates a file called â€œexport-1.ldifâ€. Using grep, filter this file down to only the full distinguished names of the users:
less export-1.ldif | grep 'dn: ' > export-2.ldif
Note that you’ll need to use â€œtypeâ€ instead of â€œlessâ€ on a Win32 system. Also, on a Win32 system you’ll need to use double quotes instead of single quotes in the grep command. This creates a file called â€œexport-2.ldifâ€.
Load this file into the text editor and make the following changes:
- Remove all occurrences of â€œdn: â€ (there is a space after the colon)
- Add a double quotation mark before CN= at the start of each line
- Add a double quotation mark after =com at the end of each line
Save this modified file as â€œexport-3.ldifâ€.
Finally, pipe this file through to the dsmod program to set passwords for all the users in the file:
type export-3.ldif | dsmod user -pwd newpass1 -mustchpwd yes
Full help for the dsmod command line syntax is available using â€œdsmod /?â€ or â€œdsmod user /?â€.
You can add â€œ > filenameâ€ to the end of the above command to log the output of the dsmod command to a file. You can then use grep to parse this file to ensure that the command was successful for all users.
Comments are now closed.