AdMod

Summary

Command line Active Directory modification tool. This is the natural extension to AdFind. I was primarily prompted by dsmod, dsmove, dsrm.exe not being what I wanted them to be when I wanted them to be.

Warranty

See warranty.

PlatForms

Current Version

Version 1.28.00 - October 8, 2023

Modification(s) from previous version

Security Requirements

There are no local security requirements for running AdMod  other than the ability to launch executables. Ability to modify objects in Active Directory and ADAM/ADLDS will be dependent on the security configured for the directory.

The -undel option will require permissions to see into the cn=Deleted Objects container if that is where the object is.... By default, this requires administrator permissions.

Language

C++. Compiled with Visual Studio 2022

Source Code Availability

None

Story

AdFind had been around for some time and I kept thinking and hearing, well what about modifying the directory? My main problem besides free time to think about it was how do I properly set up the input for the modifications. I needed something fairly easy. That is a lot tougher than you think unless you do what the ds* folks did in terms of hard coding for specific attributes which I specifically did not want to do.

Finally I got a brainstorm on how to handle the input of the data. So voila, here it is. Note I did think that the ability for the ds* tools to take a feed from the dsquery tool was very cool and I specifically added that capability in AdMod. This way you can search from adfind (with -dsq option) or from dsquery to generate the list of objects to be updated.

In V01.07.00 I added CSV functionality. Quite honestly, this blows CSVDE out of the water because it can do updates to existing objects as well as add new objects. However, this is complicated stuff, you need to fully read the usage given to you when you type admod /csv? and understand it before running with it. Again, any tool that modifies AD or ADAM should be considered dangerous, including this one. I try to protect people from cutting themselves wherever I can but I can't block every possible thing that someone may do that could hurt themselves and honestly, it isn't my job to. So... understand what you are doing before you do it. If you aren't sure, test it in on a test lab AD or ADAM first.

In V01.21.00, a highly delayed update, over 8 years,  I added a bunch of functionality around modifying Security Descriptors. I have long disliked DSACLS and for outputting ACLs I set up AdFind years ago to do it in a much more, IMO, readable format. Now with AdMod I have put together what I think is an easier update model than DSACLS and is definitely faster than DSACLS especially when updating multiple objects which DSACLS doesn't do at all. Another big difference from DSACLS is that it allows to strip off specific ACEs instead of outright revoking ALL access for a given security principal. This security descriptor functionality is exceptionally dangerous, test test test before using in production. Understand what you are doing. AdMod will NOT protect you from doing something stupid.

Download

You do not have to supply the email address. I would like you to fill that in though so that I have an idea on how popular a tool really is. If I see 1000 downloads with 900 different email addresses I know it is more widespread than one that has 1000 downloads and 200 different email addresses because the same person needed to keep downloading it for some reason.

Email Address: Optional
 
Sponsored Link:

Version History

 


As seen in


Usage

    Download and type admod /?

See current usage screens