AdMod V01.28.00cpp  Joe Richards (support@joeware.net)  October 2023

  -help   Basic help.
  -?      Basic help.
  -??     Advanced help.
  -????   Shortcut help.
  -sc?    Shortcut help.
  -csv?   CSV / ADCSV help.
  -sd?    Security Descriptor help.

Usage: AdMod [switches] [attr-action]

Switches: (designated by - or /)

[CONNECTION OPTIONS]

  -h host:port      Host and port to use. If not specified uses port 389 on
                    default LDAP server. Localhost can be specified as '.'.
                    Port can also be specified via -p. IPv6 IP address w/ port
                    is specified [address]:port

[UPDATE OPTIONS]

  -b basedn         RFC 2253 DN to work on. If basedn is not specified the
                    program will read from stdin anything piped to it, or if
                    you want you can type the DNs there followed by a ctrl-z
                    to terminate the pipe.
  -safety x         How many objects before safety kicks in. Default 10.
  -cm               Clear Membership. This switch is required in order to
                    clear the membership of a group.
  -updatenchead     Allow a change to the NC Domain Head object (top object
                    in a domain).

[ACTIONS]

  -rm               Delete specified object(s).
  -del              Alias for -rm.
  -add              Add an object. Specify DN with -b and attributes normally.
                    At the very least you will need to specify objectclass.
  -undel x          Undelete specified object(s), uses lastknownparent unless
                    an alternate parent is supplied in x. Requires K3+.
  -undel y;x        Undelete specified object(s), uses previous RDN and
                    lastknownparent unless an alternate parent is supplied in
                    x and name in y. Requires K3+.
  -rename x         Rename object to RDN of x.
  -move x           Move object to parent specified by x (within domain).
  -move y;x         Move object to parent specified by x (within domain) and
                    rename to y.
  -rbmove x         Alias for -move x + -rnpb domaindn.
  -rbmove y;x       Alias for -move y;x + -rnpb domaindn.

Attr-Action Format:

  attribute : operation : value(s)

  This field is broken up into three main sections. Not all sections are
  required for all operations. The three sections are the attribute section,
  operation section, and value section.
  By default the delimiter between the sections is the : character; however,
  you may change this with the -delim option. Type AdMod /?? for details.

Notes:

  o This tool could be considered dangerous; it can quickly make some serious
    changes to your directory. Use it only when you know what you are doing.
    I take no responsibility for you dorking up your directory. The safety
    option will bail the whole operation if there are more objects to work on
    than specified with the -safety option.

  o This tool was written with simple US ASCII in mind. UNICODE and special
    ASCII characters such as characters with umlauts or graphics may not be
    processed correctly due to how the command prompt handles those
    characters. If you see this occurring, redirect the input from a text
    file with the command prompt redirection symbols and it is possible the
    program will operate correctly. If not, you do not need to tell me, I
    know and I am working to correct it in some future version... no
    timeline.

  Type AdMod /?? for more notes.

Examples:

  Ex1: admod -b dc=test,dc=net "description::Joe's Domain"
       Change Description of test.net object.

  Ex2: admod -b cn=joe,cn=users,dc=test,dc=net "drink:++:Coke;Mountain Dew;Labatt's;Water"
       Add some drinks to joe's user object in the directory.

  Ex3: admod -b cn=joe,cn=users,dc=test,dc=net "drink:-:Water"
       Removes water from the drink list for joe...

  Ex4: admod -b cn=joe,cn=users,dc=test,dc=net "drink:+:Vodka"
       Adds vodka to the drink list for joe...

  Ex5: admod -b cn=joe,cn=users,dc=test,dc=net "drink::Water"
       Replaces the entire list with just water for joe...

  Ex6: admod -b cn=joe,cn=users,dc=test,dc=net "drink:+-:Water;Lemonade"
       Replaces the entire list with water and lemonade for joe...

  Ex7: admod -b cn=someuser,cn=users,dc=test,dc=net -add objectclass::user samaccountname::someuser
       Create disabled user someuser.

  Ex8: admod -b cn=someuser,cn=users,dc=test,dc=net -move ou=u,dc=test,dc=com
       Move user someuser to ou=u.
  Ex9: admod -b cn=someuser,cn=users,dc=test,dc=net -rm
       Delete someuser.

  Ex10: admod -users -rb cn=someuser unicodepwd::newpassword -optenc
        Administrative password reset for user named someuser.

  Ex11: admod -users -rb cn=someuser unicodepwd:-:oldpassword unicodepwd::newpassword -optenc
        Change password for user named someuser.

This software is Freeware. Use at your own risk. I do not warrant this
software to be fit for any purpose or use and I do not guarantee that it will
not damage or destroy your system. Contact support@joeware.net via email for
licensing information to package this utility in commercial products. See full
Warranty documentation or download the latest version on
https://www.joeware.net.

If you have improvement ideas, bugs, or just wish to say Hi, I receive email
24x7 and read it in a semi-regular timeframe. You can usually find me at
support@joeware.net
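The Attr-Action format described above (and spelled out operation by operation in the advanced help, /??) maps directly onto LDAP modify operations. The Python parser below is an added example written for this page; it is not AdMod's code and the names parse_attr_action, validate, to_ldif and Change are its own. It splits an attr-action string using the -delim / -mvdelim defaults, applies the operation rules from the help (+, ++, +- and -- need values; a bare - clears every value; the blank operation replaces everything with one value) and renders the result as an LDIF modify record, which is a handy way to review what a bulk run such as Ex2 or Ex5 will ask the directory to do before it runs.

```python
"""Added example: parse AdMod-style attr-action strings into LDAP modify changes.
Not AdMod's own code; the names below are this example's assumptions."""
from dataclasses import dataclass
from typing import List

# AdMod operation section -> (LDAP modify change type, value required?)
OP_TABLE = {
    "":   ("replace", True),   # blank op: replace all values with one value
    "+":  ("add", True),       # add one value
    "-":  ("delete", False),   # clear one value, or all values if none given
    "++": ("add", True),       # add several values
    "+-": ("replace", True),   # replace everything with several values
    "--": ("delete", True),    # remove several values
}
MULTI_VALUE_OPS = {"++", "+-", "--"}


@dataclass
class Change:
    attribute: str
    change_type: str      # add / delete / replace
    values: List[str]


def parse_attr_action(spec: str, delim: str = ":", mvdelim: str = ";") -> Change:
    """Split attribute<delim>operation<delim>value(s); delim mirrors -delim,
    mvdelim mirrors -mvdelim. Only the first two delimiters are significant,
    so a value may itself contain the delimiter (e.g. a time 12:00:00)."""
    parts = spec.split(delim, 2)
    if len(parts) < 2:
        raise ValueError(f"expected attribute{delim}operation[{delim}value]: {spec!r}")
    attribute, op = parts[0].strip(), parts[1].strip()
    raw = parts[2] if len(parts) == 3 else ""
    if not attribute:
        raise ValueError("attribute name is empty")
    if op not in OP_TABLE:
        raise ValueError(f"unknown operation {op!r}")
    change_type, needs_value = OP_TABLE[op]
    if needs_value and raw == "":
        raise ValueError(f"operation {op!r} requires a value")
    if op in MULTI_VALUE_OPS:
        values = raw.split(mvdelim)
    else:
        values = [raw] if raw != "" else []   # '-' with no value clears all
    return Change(attribute, change_type, values)


def validate(spec: str, delim: str = ":", mvdelim: str = ";") -> str:
    """Return '' if spec parses, otherwise the error text (pre-flight check)."""
    try:
        parse_attr_action(spec, delim, mvdelim)
        return ""
    except ValueError as exc:
        return str(exc)


def to_ldif(dn: str, changes: List[Change]) -> str:
    """Render the changes as an LDIF 'changetype: modify' record, a convenient
    way to review or log what a bulk run would do before it runs."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for c in changes:
        lines.append(f"{c.change_type}: {c.attribute}")
        lines.extend(f"{c.attribute}: {v}" for v in c.values)
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The drink examples from the help text, parsed and shown as LDIF.
    dn = "cn=joe,cn=users,dc=test,dc=net"
    specs = ["drink:++:Coke;Mountain Dew;Labatt's;Water", "drink:-:Water",
             "drink:+:Vodka", "drink::Water", "drink:+-:Water;Lemonade", "drink:-"]
    print(to_ldif(dn, [parse_attr_action(s) for s in specs]))
```

Because only the first two delimiters are split, a value such as a UTC## time (2023/10/01-12:00:00) passes through intact; if you change -delim to a character that also appears in your values, the same rule applies to whatever delimiter you chose.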
AdMod Advanced Help (/??)
=========================

Switches: (designated by - or /)

[CONNECTION OPTIONS]

  -h host:port      Host and port to use. If not specified uses port 389 on
                    default LDAP server. Localhost can be specified as '.'.
                    Port can also be specified via -p. IPv6 IP address w/ port
                    is specified [address]:port
  -p port           Alternate method to specify port to connect to.
  -hh host:port     Combines -h with -arecex.
  -hd host:port     Combines -h with -default.

  --------------Advanced--------------

  -kerbenc          Kerberos Encryption (LDAP_OPT_ENCRYPT).
  -optenc           Alias for -kerbenc (LDAP_OPT_ENCRYPT).
  -ssl              Use SSL.
  -starttls         Use StartTLS.
  -sslignoresrvcert Ignore any problems with the SSL server cert.
  -delegation       Delegated bind (ISC_REQ_DELEGATE).
  -arecex           Hostname has the actual host name, not domain name.
  -url xx           Specify LDAP(S) URL - LDAP://host:port/basedn...
                    See https://www.ldap.com/ldap-urls

[UPDATE OPTIONS]

  -b basedn         RFC 2253 DN to work on. If basedn is not specified the
                    program will read from stdin anything piped to it, or if
                    you want you can type the DNs there followed by a ctrl-z
                    to terminate the pipe.
  -safety x         Only modify objects if <= x. Default 10.
  -cm               Clear Membership. This switch is required in order to
                    clear the membership of a group.
  -updatenchead     Allow a change to the NC Domain Head object (top object
                    in a domain).

  --------------Advanced--------------

  -null             Use null base for base DN.
  -rootdse          Like -null.
  -root             Determine and use root partition for base DN.
  -config           Determine and use configuration partition for base DN.
  -schema           Determine and use schema partition for base DN.
  -default          Determine and use default partition for base DN.
  -rb xx            Relative Base, use with special base DN's above. So you
                    could specify -default and -rb cn=users.
  -rnpb xx          New Parent Base, used for move, undelete, rename.
                    Possible values:
                      domainnc  - The domain portion of the object DN. Can
                                  also be used as part of a DN:
                                  -rnpb OU=SomeOU,OU=OU2,domainnc
                      domaindn  - Alias for domainnc
                      defaultnc - Alias for domainnc
                      users     - Users container of domain of object DN
                      fgpp      - FGPP container of domain of object DN
                      msa       - MSA container of domain of object DN
  -users            Use cn=users,<default domain> for base.
  -forestdns        Use ForestDNS NDNC for base.
  -domaindns        Use DomainDNS NDNC for base.
  -dcs              Use Domain Controllers container of default domain for base.
  -gpo              Use System Policies container of default domain for base.
  -psocontainer     Use PSO Container of default domain for base.
  -quotas           Use NTDS Quotas container of default domain for base.
  -ldappolicy       Use Ldap Query Policies container for base.
  -xrights          Use Extended Rights container for base.
  -partitions       Use Partitions container for base.
  -sites            Use Sites container for base.
  -subnets          Use Subnets container for base.
  -exch             Use Exchange Services container for base.
  -fsps             Use Foreign Security Principals container for base.
  -sitelinks        Use Site Links container for base.
  -legacydns        Use Legacy DNS container for base.
  -displayspecifiers Use Display Specifiers container in config for base.
  -ds               Use Directory Service container in config for base.
  -svcs             Use Services container in config for base.
  -msa              Use Managed Service Accounts container for base.
  -roles            Use Roles relative base (for ADLDS).
  -delobjs          Use Deleted Objects relative base from whatever base is
                    defined, plus -showdel.
  -do               Alias for -delobjs.
  -delobjs+         Use Deleted Objects relative base from whatever base is
                    defined, plus -showdel+.
  -do+              Alias for -delobjs+.
  -system           Use System container of specified Domain NC or the
                    default NC for base.
  -fgpp             Use Password Settings Object container for base.
  -t xxx            Timeout value for query, default 120 seconds.
  -unsafe           Don't have a safety, modify objects no matter how many.
  -upto xx          Modify up to xx objects and then stop.
  -cont             Continue with objects even if errors.
  -treedelete       Used in combination with -rm/-del to delete a branch.
  -treenuke         Used in combination with -rm/-del to delete everything in
                    a branch. Like -treedelete but works for >16k objects.
  -recycle          Allow forced recycle of deleted objects.
  -showdel          Enable the show deleted objects control.
  -showdel+         Enable the show deleted objects and recycled objects
                    controls.
  -showrecycled     Enable the recycled objects control.
  -permissive       Permissive modify. (LDAP_SERVER_PERMISSIVE_MODIFY_OID)
  -policyhints      Enable LDAP_SERVER_POLICY_HINTS_OID. (KB2443871)
  -nr               Do not follow referrals - client side.
  -hackon           Special update mode (schUIP).

[ACTION OPTIONS]

  -rm               Delete specified object(s).
  -del              Alias for -rm.
  -add              Add an object. Specify DN with -b and attributes normally.
                    At the very least you will need to specify objectclass.
  -undel x          Undelete specified object(s), uses lastknownparent unless
                    an alternate parent is supplied in x. Requires K3+. Can
                    add additional attribute values with :+: or :++: ops.
  -rename x         Rename object to RDN of x. Can use variable expansion if
                    using ADCSV, such as {{samaccountname}}.
  -move x           Move object to parent specified by x (within domain).
  -move y;x         Move object to parent specified by x (within domain) and
                    rename to y.
  -rbmove x         Alias for -move x + -rnpb domaindn.
  -rbmove y;x       Alias for -move y;x + -rnpb domaindn.
  -bmod x           Dynamic expansion style Base Modification for UNDEL/MOVE
                    for the base DN. This brings the CSV Variable Expansion
                    of the DN to single objects.
  -stdinadd x       Take list of quoted DNs and add to specified attribute x.
  -stdinrm x        Take list of quoted DNs and remove from specified
                    attribute x.
  -stdinreplace x   Take list of quoted DNs and replace values of specified
                    attribute x.
                    NOTE: The stdinxx switches also allow for SIDs or GUIDs to
                    be specified for input.
  -stdinsort x      Sorts DN's that have been piped in in multi-DN mode. The
                    default sort is hierarchical, but you can specify a
                    case-sensitive alphabetic sort with csalpha or a
                    case-insensitive one with cialpha.
  -stdinsortreverse Sorts DN's that have been piped in in multi-DN mode in
                    reverse hierarchical order, for deletes.
  -getsecin         AdMod requests that you type the attribute value for any
                    attribute where you specify {*} as the value. It will ask
                    by attribute name. Think of using this with 'secret'
                    values you don't want on the command line, like a pwd.

  --------------Advanced--------------

  -delim x          x specifies the delimiter for the attribute sequence.
                    Default :
  -mvdelim x        x specifies the delimiter for the value sequence.
                    Default ;
  -xdom x           Cross domain move, move to DC x. Use with -move. Must
                    specify FQDN of destination DC as parameter of -xdom. The
                    cross domain move has specific requirements which are the
                    same for all mechanisms used. To see the requirements
                    please look up IADsContainer::MoveHere in the MSDN Library.

[OUTPUT OPTIONS]

  -elapsed          Display elapsed time in seconds.
  -exterr           Show Extended Error info. DSID Info...
  -appver           Output AdMod versioning info.
  -progress         Display Progress Bar for CSV operations in the title bar.
  -pause            Pause before closing the AdMod.exe executable.
  -extsrvinfo       Give additional server info for bind string info.

[AUTHENTICATION OPTIONS]

  --------------Advanced--------------

  -u userID         Userid authentication. AD simple bind supports all ID
                    formats. Secure bind only supports ID formats 1 and 2.
                    Digest Bind supports ID formats 1 and 3. No userid
                    specified indicates anonymous authentication.
                    ID Formats:
                      1. domain\userid (SAM Format / NT Format)
                      2. user@domain.com (userPrincipalName)
                      3. cn=user,ou=someou,dc=domain,dc=com (DN)
  -up pwd           Password for specified userid. * indicates to ask for
                    the password. Password can be a clear text password or
                    ENCPWD:xxx format as created by the adfind -encpwd switch.
  -simple           Simple Bind.
  -digest           Digest Bind (LDAP_AUTH_DIGEST).
                    Automatically enabled if bind string starts with 'cn='.
  -ntlm             NTLM Bind (LDAP_AUTH_NTLM).

[MISC OPTIONS]

  --------------Advanced--------------

  -po               Print options. This switch will dump to the command line
                    all switches with values and attributes specified.
  -tmpobj xx        For object adds, will create dynamic objects with a
                    lifetime of xx seconds. If no value is specified, they
                    will have a lifetime of 7 days. For dynamic object
                    updates it will set a new TTL value per the parameter.
  -dynamic xx       Alias for -tmpobj.
  -log xxx          Log information to file xxx (default admod.log).
  -append           Append to log versus overwrite log.
  -chgpwd:op:np     CHANGE password with old password op to new password np.
                    Alias is -changepwd:op:np.
  -setpwd:np        SET password to new password np.
  -sdsimple         Turn off some of the automatic SDDL handling when
                    specifying an SDDL.
  -sdverbatim       Do not sort / reorder an SDDL string that is complete and
                    needs no transformation.
  -sdwhatif         [BETA] Do not make the Security Descriptor change, just
                    output what should happen.
  -sd xx            Grab current security descriptor and modify based on the
                    string in xx. See /sd?.
  -sdni xx          Like -sd but does not grab the existing Security
                    Descriptor. See /sd?.
  -dsd xx           Grab default security descriptor and modify based on the
                    string in xx. See /sd?.
  -trim             Trim working set, may possibly reduce RAM use when reading
                    large CSVs. Automatically done when >= 20000 lines in CSV
                    input.
  -replacedn xxx:yyy Replaces xxx in DNs with yyy.
                    Following special cases:
                      ""        alias for _all
                      _all      replaces all of the following:
                      _config   <CONFIG> replaced with configuration DN
                      _schema   <SCHEMA> replaced with schema DN
                      _default  <DEFAULTNC> replaced with default NC DN
                      _root     <ROOT> replaced with root NC DN
                      _sites    <SITES> replaced with sites DN
                      _subnets  <SUBNETS> replaced with subnets DN
                      _exch     <EXCH> replaced with Exchange services DN
                      _dcs      <DCS> replaced with Domain Controllers DN
                      _fsps     <FSPS> replaced with ForeignSecurityPrincipal DN
                      _msa      <MSA> replaced with Managed Service Accounts DN
                      _psc      <PSA> replaced with Password Settings Container DN
                      _gpo      <GPO> replaced with Group Policy Container DN
                      _services <SERVICES> replaced with Services DN in Config NC
  -replacedndelim x Specifies the delimiter that separates replacedn strings.
  -verifgc xx       [BETA] Specify GC dnshostname to use for object validation.
  -eignore          Don't bail out if -e doesn't load any switches/params.
  -e xxx            Load switches from environment. Will read env vars with
                    prefix and dash (adfind-) by default and load them in. To
                    specify a different prefix, specify the string after -e.
                    For example, to specify the host switch create an env var
                    of adfind-h. To specify a switch that doesn't take a
                    value, specify a value of {~} because you can't set an
                    environment variable to blank. Unfortunately it is not
                    currently possible to specify Attr-Action combinations
                    with the environment variables.
                    By default, AdMod will read any environment variables
                    prefixed with (joeware-default-admod-) without specifying
                    -e.

                    Ex: Modify ADAM config NC on localhost port 5000.

                      set adam1-h=.:5000
                      set adam1-config={~}
                      set adam1-u=thispc\myid
                      set adam1-up=ENCPWD:EhfEeD0ZVyV9O2AdWzoNyXzYrQwVJm9cN1
                      admod -e adam1 "description::this is a test"

                    NOTE: The Environment switch mentions AdFind for the
                    default names of the environment variables; this is not a
                    typo. You can override it if you prefer, but the idea is
                    to use the same vars for consistency between the two
                    command line apps.
  -ef xxx           Load switches from file (default file = admod.cf), one
                    switch per line. Attr-Action strings are placed on
                    multiple lines.

                    Ex: Modify ADAM config NC on localhost port 5000.

                      edit file adam1.cf:
                        -h .:5000
                        -config
                        description::this is a test

                      admod -ef adam1.cf

                    By default AdMod will process the default configuration
                    file 'joeware_default_admod.cf' without specifying -ef.

ENVIRONMENT NOTES

  There are five levels for specifying switches; a lower level will not
  override a higher level. The levels from highest to lowest:

    1. Command line switches
    2. Environment variables specified via -e
    3. Environment file specified via -ef
    4. Default environment variables prefixed with joeware-default-admod-
    5. Default environment file joeware_default_admod.cf

Attr-Action Format:

  attribute : operation : value(s)

  This field is broken up into three main sections. Not all sections are
  required for all operations. The three sections are the attribute section,
  operation section, and value section. By default the delimiter between the
  sections is the : character; however, you may change this with the -delim
  option.

  attribute

    This is the name of the attribute to be manipulated. Any attribute that
    is a valid attribute for the ldap directory is a valid value here.

    ___BINARY ATTRIBUTES___

    Some attributes do not accept text based values. The immediate examples
    are GUIDs and SIDs. Binary updates are a little different than normal
    string updates and require encoding. To specify this encoding, prefix
    the attribute with one of the following prefixes:

      GUID##        Encodes friendly format GUIDs.
                    ex: {26C18F02-9B73-495B-9F53-8207FC72527D}
                    ex: 26C18F02-9B73-495B-9F53-8207FC72527D
      SID##         Encodes friendly format SIDs.
                    ex: S-1-5-21-1862701446-4008382571-2198042679
      HEX##         Encodes an even number of hex characters. White space is
                    filtered out.
                    ex: FFEA 34FD 76DA
      BIN##         Alias for HEX##.
                    ex: FFEA 34FD 76DA
      TXT##         Encodes text into binary. Can embed hex characters by
                    escaping the hex character with a slash such as \0a.
                    Also several "standard" escape characters are supported:
                    \a, \b, \f, \n, \r, \t, \v
                    ex: street address\ncity,state\nzipcode
      SD##          Encodes SDDL into a security descriptor.
                    ex: D:PAI(OA;;GA;;;BA)
      BASE64##      Encodes data into BASE64 format.
      IMPORTFILE##  Encodes a file into binary.
                    ex: IMPORTFILE##jpegphoto::c:\temp\mypic.jpg
      DNWBIN##      Encode DN with Binary. Format DNWBIN##attr;dn;value
                    ex: DNWBIN##someattr:cn=someobject,dc=dom,dc=com:AE729FD2
      DNWSTR##      Encode DN with text string. Format DNWSTR##attr;dn;value
                    ex: DNWSTR##someattr:cn=someobject,dc=dom,dc=com:TestString
      DNWTXT##      Alias for DNWSTR##.

    You encode time values to int8 format with the following prefixes:

      UTC##         Encodes a UTC time value.
      LOCAL##       Encodes a local time value.
                    The formatting for UTC and LOCAL is: YYYY/MM/DD-HH:MM:SS
                    (HH:MM:SS is optional)
      CURRENT##     Encodes the current time value. CURRENT requires a delta
                    value to be specified in the value field of the
                    attr-action string, such as CURRENT##attrib::0 for no
                    delta. Deltas can be specified in days, hours, minutes or
                    seconds with a string appended to the integer value:
                      d for days    - ex: CURRENT##accountexpires::30d
                      h for hours   - ex: CURRENT##accountexpires::24h
                      m for minutes - ex: CURRENT##accountexpires::300m
                      s for seconds - ex: CURRENT##accountexpires::900s
                    Specify -(value) to go back in time, ex: -30d
                    You can also specify the delta as dd:hh:mm:ss
      DELTA##       Encodes a delta-only value, no modification from the
                    current time value. Use the same formatting as CURRENT##.

    You encode time values to Generalized Time format with the following
    prefixes:

      UTCGT##       Encodes a UTC time value.
      LOCALGT##     Encodes a local time value.
                    The formatting for UTCGT and LOCALGT is:
                    YYYY/MM/DD-HH:MM:SS (HH:MM:SS is optional)
      CURRENTGT##   Encodes the current time value. CURRENTGT requires a
                    delta value to be specified in the value field of the
                    attr-action string, such as CURRENTGT##attrib::0 for no
                    delta.
                    Deltas can be specified in days, hours, minutes or seconds
                    with a string appended to the integer value:
                      d for days    - ex: CURRENTGT##accountexpires::30d
                      h for hours   - ex: CURRENTGT##accountexpires::24h
                      m for minutes - ex: CURRENTGT##accountexpires::300m
                      s for seconds - ex: CURRENTGT##accountexpires::900s
                    Specify -(value) to go back in time, ex: -30d
                    You can also specify the delta as dd:hh:mm:ss

  operation

    This is the operation to perform. Valid operations are:

      (blank)  Update the attrib with the new value.
      +        Add a value to an attribute.
      -        Clear an attribute or a value in an attribute.
      ++       Add multiple values to an attribute.
      +-       Replace all values with multiple new values.
      --       Remove multiple values from an attribute.

  value(s)

    This specifies the values to use. If you are doing a multivalue
    operation with ++, +-, or -- you separate the values with ;, or
    alternatively you can specify a different MV delimiter with -mvdelim.

  __OPERATION NOTES__

    o +, ++, +-, -- operations all require values to be specified.
    o The - operation doesn't require a value. No value clears all values.
      A value specified clears that one value.
    o Trying to add multiple values to a single value attribute will result
      in an error.
    o Doing an update operation (blank op - ::) on a multivalue attribute
      will wipe all values and replace them with the one single value.

Notes:

  o This tool could be considered dangerous; it can quickly make some serious
    changes to your directory. Use it only when you know what you are doing.
    I take no responsibility for you dorking up your directory. The safety
    option will bail the whole operation if there are more objects to work on
    than specified with the -safety option.

  o This tool was written with simple US ASCII in mind. UNICODE and special
    ASCII characters such as characters with umlauts or graphics may not be
    processed correctly due to how the command prompt handles those
    characters.
    If you see this occurring, redirect the input from a text file with the
    command prompt redirection symbols and it is possible the program will
    operate correctly. If not, you do not need to tell me, I know and I am
    working to correct it in some future version... no timeline.

  o This tool is exceptionally powerful when used in conjunction with a
    command line LDAP query tool such as my own AdFind with the -dsq or
    -adcsv switches, or dsquery from Microsoft.

  o If you get an error in an update operation, no modification is made to
    the specific object, even if say 3 changes were valid and one wasn't. If
    you are clearing attributes and you aren't sure if one of them is
    populated, use the -permissive switch.

  o When performing multi-DN modifications, the errorlevel will be set to the
    last error encountered. So if you go through 8 DNs and hit 3 errors, only
    the last will be passed back to you via %errorlevel%. Also note that the
    error will be an LDAP error, not a Win32 error.

  o Be very very careful of the treedelete option.

  o The RPC based IADsUser.SetPassword method via #setpwd# has been removed.

  o The proper mechanism to set the password is to either set the unicodepwd
    attribute or the userpassword attribute and specify the -optenc switch to
    enable encryption of the traffic to the server.
    ex: unicodepwd::newpassword

Examples:

  Ex1: admod -b dc=test,dc=net "description::Joe's Domain"
       Change Description of test.net object.

  Ex2: admod -b cn=joe,cn=users,dc=test,dc=net "drink:++:Coke;Mountain Dew;Labatt's;Water"
       Add some drinks to joe's user object in the directory.

  Ex3: admod -b cn=joe,cn=users,dc=test,dc=net "drink:-:Water"
       Removes water from the drink list for joe...

  Ex4: admod -b cn=joe,cn=users,dc=test,dc=net "drink:+:Vodka"
       Adds vodka to the drink list for joe...

  Ex5: admod -b cn=joe,cn=users,dc=test,dc=net "drink::Water"
       Replaces the entire list with just water for joe...
  Ex6: admod -b cn=joe,cn=users,dc=test,dc=net "drink:+-:Water;Lemonade"
       Replaces the entire list with water and lemonade for joe...

  Ex7: admod -b cn=someuser,cn=users,dc=test,dc=net -add objectclass::user samaccountname::someuser
       Create disabled user someuser.

  Ex8: admod -b cn=someuser,cn=users,dc=test,dc=net -move ou=u,dc=test,dc=com
       Move user someuser to ou=u.

  Ex9: admod -b cn=someuser,cn=users,dc=test,dc=net -rm
       Delete someuser.

  Ex10: admod -users -rb cn=someuser unicodepwd::newpassword -optenc
        Administrative password reset for user named someuser.

  Ex11: admod -users -rb cn=someuser unicodepwd:-:oldpassword unicodepwd::newpassword -optenc
        Change password for user named someuser.

  --------------Advanced--------------

  Ex12: admod -b cn=someuser,cn=users,dc=test,dc=net guid##guidattr::85C04D89-D68C-4785-B801-DBF980F97C5C
        Sets GUID value on some GUID based attrib on someuser.

  Ex14: admod -b cn=someuser,cn=users,dc=test,dc=net "bin##binattr::3f 4567 0e 69"
        Sets binary blob on some binary based attrib on someuser.

  ------AdFind + AdMod Examples-------

  Ex15: adfind -default -f "&(objectcategory=person)(scriptpath=*)" -dsq | admod -unsafe scriptpath:-
        Removes logon script from all users in default domain.

  Ex16: adfind -gc -b -f "proxyaddresses=*" -dsq | admod -unsafe proxyaddresses:-
        Removes proxyaddresses attribute from all objects in forest.

  Ex17: adfind -b ou=badcomputers,dc=test,dc=net -f "objectcategory=computer" -dsq | admod -unsafe -rm
        Delete all computer objects in specified OU...

  Ex18: adfind -bit -default -f useraccountcontrol:AND:=2 -dsq | admod -unsafe -move ou=disabled,dc=test,dc=net
        Move all disabled objects in default domain to specified OU...

  Ex19: adfind -default -f "&(name=compa*)" -showdel -dsq | admod -undel
        Undelete any objects named compa* and place back in last known parent...

  Ex20: adfind -default -f "&(name=compa*)" -showdel -dsq | admod -undel ou=undeleted,dc=test,dc=net
        Undelete any objects named compa* and place back in OU named undeleted...
  Ex21: adfind -bit -default -f "&(objectcategory=computer)(useraccountcontrol:AND:=32)" useraccountcontrol -adcsv | admod useraccountcontrol::{{.:CLR:32}} -upto 1000
        Clear PWD_NOTREQD flag on up to 1000 computer accounts.

  Ex22: adfind -default -rb cn=users -f "objectclass=user" -dsq | admod -default -rb cn=theusers,cn=users -stdinadd member
        Add all users in the users container to the theusers group.
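The ___BINARY ATTRIBUTES___ and time prefixes in the Attr-Action section (GUID##, SID##, HEX##, UTC##, CURRENT##/DELTA##, UTCGT##/CURRENTGT##) each describe a specific byte or string encoding that the directory expects. The Python module below is an added example for this page, not AdMod's code, showing what those encodings produce: the mixed-endian 16-byte GUID layout, the binary SID structure (with a decoder, since the same bytes come back in objectSid and sIDHistory), whitespace-tolerant hex, the delta grammar (30d, 24h, 300m, 900s, -30d, dd:hh:mm:ss), int8/FILETIME timestamps counted in 100-nanosecond intervals from 1601-01-01, and GeneralizedTime strings. Function names are this example's own; it assumes a bare integer delta means seconds, since the help only shows 0 without a unit.

```python
"""Added example: the value encodings AdMod describes for binary and time
attributes (GUID##, SID##, HEX##, UTC##, CURRENT##/DELTA##, UTCGT##/CURRENTGT##).
Not AdMod's code; function names are this example's own."""
import re
import struct
import uuid
from datetime import datetime, timedelta, timezone
from typing import Optional

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # origin of AD int8 timestamps


def encode_guid(text: str) -> bytes:
    """GUID##: friendly GUID, with or without braces, -> the 16-byte layout AD
    stores (first three fields little-endian, as in objectGUID)."""
    return uuid.UUID(text.strip().strip("{}")).bytes_le


def encode_sid(text: str) -> bytes:
    """SID##: S-R-A-S1-S2... -> binary SID: revision, sub-authority count,
    6-byte big-endian identifier authority, then little-endian sub-authorities."""
    m = re.fullmatch(r"S-(\d+)-(\d+)((?:-\d+)*)", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-") if s]
    if len(subs) > 15:
        raise ValueError("SID has too many sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def decode_sid(blob: bytes) -> str:
    """Inverse of encode_sid; the same layout comes back in objectSid/sIDHistory."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def encode_hex(text: str) -> bytes:
    """HEX## / BIN##: an even number of hex digits, whitespace filtered out."""
    digits = re.sub(r"\s+", "", text)
    if len(digits) % 2:
        raise ValueError("HEX## needs an even number of hex characters")
    return bytes.fromhex(digits)


def parse_time(text: str) -> datetime:
    """UTC## / UTCGT## input: YYYY/MM/DD-HH:MM:SS, the time part optional."""
    fmt = "%Y/%m/%d-%H:%M:%S" if "-" in text else "%Y/%m/%d"
    return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)


_UNITS = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}


def parse_delta(text: str) -> timedelta:
    """CURRENT## / DELTA## delta: 30d, 24h, 300m, 900s, dd:hh:mm:ss, with a
    leading '-' to go back in time. The help shows only '0' without a unit;
    this example assumes a bare integer means seconds."""
    text = text.strip()
    sign = -1 if text.startswith("-") else 1
    body = text.lstrip("+-")
    if ":" in body:
        d, h, mi, s = (int(x) for x in body.split(":"))
        return sign * timedelta(days=d, hours=h, minutes=mi, seconds=s)
    m = re.fullmatch(r"(\d+)([dhms]?)", body)
    if not m:
        raise ValueError(f"bad delta {text!r}")
    unit = _UNITS.get(m.group(2), "seconds")
    return sign * timedelta(**{unit: int(m.group(1))})


def to_int8(when: datetime) -> int:
    """int8 / FILETIME: 100-nanosecond intervals since 1601-01-01 UTC."""
    if when.tzinfo is None:                       # treat naive input as UTC
        when = when.replace(tzinfo=timezone.utc)
    return ((when - EPOCH_1601) // timedelta(microseconds=1)) * 10


def to_generalized_time(when: datetime) -> str:
    """GeneralizedTime as AD stores it, e.g. 20231001120000.0Z."""
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")


def current_plus(delta_text: str, now: Optional[datetime] = None) -> int:
    """CURRENT##attr::delta -> int8 of now + delta (now defaults to the clock)."""
    base = now if now is not None else datetime.now(timezone.utc)
    return to_int8(base + parse_delta(delta_text))


if __name__ == "__main__":
    print(encode_guid("{26C18F02-9B73-495B-9F53-8207FC72527D}").hex())
    print(decode_sid(encode_sid("S-1-5-21-1862701446-4008382571-2198042679")))
    print(current_plus("30d"))                 # accountexpires 30 days from now
    print(to_generalized_time(parse_time("2023/10/01-12:00:00")))
```

The GUID and SID helpers are the part most worth checking against a real object: a GUID written in its text form is not stored byte-for-byte, and a SID's identifier authority is big-endian while its sub-authorities are little-endian, so a hand-built HEX## value for either is easy to get subtly wrong.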
AdMod V01.28.00cpp  Joe Richards (support@joeware.net)  May 2021

AdMod Shortcuts
===============

  Shortcuts are not actual commands themselves but instead are aliases for a
  sequence of other commands so you do not have to recall or type the longer
  commands. Shortcuts are actually a combination of various other switches.
  To see exactly what switches are specified on your behalf, use the -po
  switch in combination with the shortcut switch and it will show you
  everything that is submitted.

  Since these shortcuts are simply a combination of switches auto-entered for
  you, it means that generally you can use the other switches to add to the
  query to focus it further or get output closer to what you need. If you
  have an issue with any of these shortcuts, remember you can just enter the
  proper combination of real switches yourself.

  In general the shortcuts will work on Windows 2000-2008 AD, and ADAM/ADLDS.
  Any limitations should be noted under the specific shortcut documentation.

  --------------Shortcuts--------------

  -sc help                 Display Shortcut usage.

OPERATIONAL SHORTCUTS
**********************

  See http://msdn.microsoft.com/en-us/library/cc223297(PROT.13).aspx for
  descriptions of operational attributes and usage/caveats.

  -sc refreshschema        Schema cache refresh (schemaUpdateNow).
  -sc defrag:xx            Initiate AD DIT Online Defrag. xx is the number of
                           seconds to run the defrag (doOnlineDefrag).
  -sc checkphantoms        Check phantoms. Run on IM (checkPhantoms).
  -sc fixlinks             Fix links. Run on IM (doLinkCleanup).
  -sc igcc                 Invalidate GC Connection. Run on IM
                           (invalidateGCConnection).
  -sc refreshugc           Update Universal Group Cache
                           (updateCachedMemberships).
  -sc rsc                  Refresh Server Certificate (renewServerCertificate).
  -sc xferschema           Transfer schema role to this machine
                           (becomeSchemaMaster).
  -sc xferdm               Transfer Domain Master to this machine
                           (becomeDomainMaster).
  -sc xferrid              Transfer Rid Master to this machine (becomeRidMaster).
  -sc xferim               Transfer Infrastructure Master to this machine
                           (becomeInfrastructureMaster).
  -sc xferpdc:xxx          Transfer PDC to this machine. xxx is domain SID
                           (becomePdc).
  -sc ddb:xx               Dump Database, xx specifies space delimited list of
                           attributes (dumpDatabase).
  -sc ddblinks             Dump Links from Database (dumpLinks).
  -sc ddbreferences xx     Dump references from Database for the specified DN
                           (dumpReferences).
  -sc dldapstate           Dump LDAP State from Database (dumpLDAPState).
  -sc refreshrid:xxx       Refresh RID pool. xxx is domain SID
                           (invalidateRidPool).
  -sc fi                   Rebuild object container ancestry during SDPROP
                           (fixupInheritance).
  -sc rh                   Recalculate GAL/NSPI Hierarchy (recalcHierarchy).
  -sc gc                   Start garbage collection (doGarbageCollection).
  -sc phantomgc            Start phantom garbage collection
                           (doGarbageCollectionPhantomsNow).
  -sc runpag               Start adminSDHolder process
                           (runProtectAdminGroupsTask). Must specify PDC for
                           the -h/-hh switch.
  -sc runsamupg            Start SAM Upgrade tasks (runSamUpgradeTasks).
  -sc rso:xxx;yyy          Replicate single object DN yyy from NTDS Settings
                           DN xxx (replicateSingleObject).
  -sc rsos:xxx;yyy         Replicate secrets to RODC for single object DN yyy
                           from NTDS Settings DN xxx (replicateSingleObject -
                           SECRETS_ONLY). Specify RODC as target host with
                           -h/-hh.
  -sc rodcpurge:xxx        RODC Purge Secrets. xxx is DN of object to purge
                           (rODCPurgeAccount) (replicateSingleObject).
  -sc removelo:xxx;yyy     Remove lingering object. xxx is GUID of Master DC,
                           yyy is GUID of object (removeLingeringObject).
  -sc enablerecyclebin     Enable recycle bin in ADLDS or AD Forest.
  -sc enablefeature:xx;yy  Enable arbitrary feature with DN xx and GUID yy.

OBJECT CREATION SHORTCUTS
*************************

  -sc adau:x;y;z           Add x users with password y and template z.
                           If y is not specified a random password of 15-20
                           characters will be generated. If - is specified
                           for the password, a password attribute argument
                           will not be specified so you can specify the
                           argument yourself. The template should be the
                           full DN of a user you want to create. AdMod will
                           rename the RDN with _x, which is an autogenerated
                           increasing number. This shortcut is for Active
                           Directory.
  -sc adamau:x;y;z         Same as -sc adau but for ADAM.
  -sc adag:x;y;z           Add x groups with type y and template z. y can be
                           an integer value that specifies the grouptype
                           setting, or you can specify a letter for the type
                           of group:
                             u for universal
                             g for global
                             l for domain local
                             s appended to any of the above for a security
                               enabled group
                           The template should be the full DN of a group you
                           want to create. AdMod will rename the RDN with _x,
                           which is an autogenerated increasing number. This
                           shortcut is for Active Directory.
  -sc adamag:x;y;z         Same as -sc adag but for ADAM.
  -sc adac:x;z             Add x computer objects with template z. The
                           template should be the full DN of a computer you
                           want to create. AdMod will rename the RDN with _x,
                           which is an autogenerated increasing number. This
                           shortcut is for Active Directory.
  -sc adaou:x;z            Add x OU objects with template z. The template
                           should be the full DN of an OU you want to create.
                           AdMod will rename the RDN with _x, which is an
                           autogenerated increasing number. This shortcut is
                           for Active Directory.
  -sc adamaou:x;z          Same as -sc adaou but for ADAM.
  -sc adacon:x;z           Add x container objects with template z. The
                           template should be the full DN of a container you
                           want to create. AdMod will rename the RDN with _x,
                           which is an autogenerated increasing number. This
                           shortcut is for Active Directory.
  -sc adamacon:x;z         Same as -sc adacon but for ADAM.

MISC SHORTCUTS
**************

  -sc uacset:xxx           Set UAC value. Must be used in combination with
                           adfind -adcsv with userAccountControl specified in
                           the outputted attributes.
  -sc uacclear:xxx         Clear UAC value.
                          Must be used in combination with adfind -adcsv with
                          userAccountControl specified in outputted attributes.

                          xxx Values:
                            ACCOUNTDISABLE - Disable Account (2)
                            PASSWD_NOTREQD - Password not required (32)
                            DONT_EXPIRE_PASSWD - Don't expire password (65536)
                            SMARTCARD_REQUIRED - Smart card required (262144)
                            TRUSTED_FOR_DELEGATION - Trusted for delegation (524288)
                            USE_DES_KEY_ONLY - Use DES key only for Kerberos (2097152)
                            DONT_REQUIRE_PREAUTH - Don't require Preauthentication
                              (4194304)
                            TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION - Trusted to
                              authenticate (16777216)
  -sc uacsetx:xxx         Set UAC integer value specified in xxx.
  -sc uacclearx:xxx       Clear UAC integer value specified in xxx.
  -sc ad-disable          Shorter cut for uacset:accountdisable.
  -sc ad-enable           Shorter cut for uacclear:accountdisable.
  -sc csh                 Clear sIDHistory. Must be used in combination with adfind
                          -adcsv with sIDHistory specified in outputted attributes.
  -sc importschema:xx     Imports schema mods from CSV file xx.

SECURITY DESCRIPTOR SHORTCUTS
*****************************

  -sc sdreset[:x]         Reset Security Descriptor to Default Security Descriptor
                          for object or alternate object x if specified.
  -sc sdresetdelprot[:x]  Like -sc sdreset but also protects the DACL from
                          inheritance.
  -sc sddelprot+          Protect object from deletion/tree delete.
  -sc sddelprot-          Remove deletion/tree delete protection from object.
  -sc sdinherit+          Allow (Add) inheritance from DACL of specified object.
  -sc sdinherit-          Block (Remove) inheritance from DACL of specified object.
  -sc sdstrip:xxx         Remove ACEs that specify Security Principal xxx.
  -sc sdpiped[:xx]        Set SD on object to SD piped in via CSV with optional xx
                          mods.
  -sc sd:xx               Get current SD and apply xx mods.

Examples:

Ex1: Creating 1000 enabled users w/ random passwords via template.
     admod -sc adau:1000;;cn=myuser,cn=users,dc=test,dc=loc

Ex2: Clear all SidHistories on all objects with SidHistory values in domain
     (all one line)
     adfind -default -f sidhistory=* sidhistory -adcsv | admod -sc csh -unsafe

Ex3A: Clear PWD_NOTREQD flag on up to 1000 computer accounts. (all one line)
     adfind -bit -default -f "&(objectcategory=computer)(useraccountcontrol:AND:32)"
       useraccountcontrol -adcsv | admod -sc uacclearx:32 -upto 1000

Ex3B: Clear PWD_NOTREQD flag on up to 1000 computer accounts. (all one line)
     adfind -bit -default -f "&(objectcategory=computer)(useraccountcontrol:AND:32)"
       useraccountcontrol -adcsv | admod -sc uacclear:PASSWD_NOTREQD -upto 1000

Ex4A: Disable user with name joe. (all one line)
     adfind -default -f "&(samaccounttype=805306368)(name=joe)" useraccountcontrol
       -adcsv | admod -sc uacsetx:2

Ex4B: Disable user with name joe. (all one line)
     adfind -default -f "&(samaccounttype=805306368)(name=joe)" useraccountcontrol
       -adcsv | admod -sc uacset:ACCOUNTDISABLE

Ex5: Reload schema
     admod -sc refreshschema

This software is Freeware. Use at your own risk. I do not warrant this software to be
fit for any purpose or use and I do not guarantee that it will not damage or destroy
your system.

Contact support@joeware.net via email for licensing information to package this
utility in commercial products.

See full Warranty documentation or download the latest version on
http://www.joeware.net.

If you have improvement ideas, bugs, or just wish to say Hi, I receive email 24x7 and
read it in a semi-regular timeframe. You can usually find me at support@joeware.net
AdMod CSV Options
=================

  -csv                    Enable CSV input from STDIN. Add -csvfile for file.
  -jtsv                   Enable joe TSV options for CSV mode. \t, |, and ".
  -csvfile x              Use CSV File x instead of taking info from STDIN.
  -csvdelim x             Delimiter to use for separating attributes in CSV input,
                          default (,).
  -csvmvdelim x           Delimiter to use for separating multiple values in input,
                          default (;).
  -csvq x                 Character used for quoting attributes, default (").
  -csvmodnull x           Specify behavior during CSV modify operations when there is
                          a blank value for the field in the CSV file. If not
                          specified, AdMod will submit the update as it is specified
                          which will generate an attribute conversion / invalid syntax
                          error.
                          Alternate values:
                            IGNORE - Ignores blank fields for object modifications
                            CLEAR  - Clear attribute with blank field
  -counterstart x         Integer value to start in counter enumerator.
  -bmod x                 Add op only. Base modification expansion string.
  -autobase x:y           Add op only. Autobase generation. x is count of DNs to
                          create and y is base value to expand for DN.
  -import                 Import mode, pull all attributes in CSV. This works in ADD
                          and UPDATE mode. In UPDATE mode it will detect if the
                          attribute is single or multivalued and use an ADD (INSERT)
                          or REPLACE as appropriate. There are special cases for SAM
                          Attributes where the schema doesn't align with how AD
                          treats them, like description. Cases like this will require
                          you to handle them via the standard attribute operations,
                          i.e. description::{{.}}
                          As of V01.15.00 AdMod will filter out attributes from being
                          imported that do not exist in the Windows based destination
                          directory.
                          If -csv is specified but no attribute operations are
                          specified -import is automatically enabled.
                          If -import is specified but -csv isn't, -csv is enabled.
                          -import will also automatically enable -stdinsort and
                          -replacedn _all.
  -importpass1            Special import mode. Used for -add only, filters out the
                          DN based attributes that could cause an import failure
                          because they don't exist yet in the directory.
  -importpass2            Special import mode. Used for modify only, filters out all
                          non-DN based attributes that can't be added in the initial
                          pass.
  -importexclattr x       Attributes to exclude in import, semicolon delimited.
  -expand                 Variable expansion mode. Automatically enabled when ADCSV
                          detected. See below for expansion details. Note that -csv
                          switch will be enabled as well. This switch CAN be used in
                          non-CSV modes however, you can't expand values from the CSV
                          fields because there aren't any. :)
  -dotcount xx            Display a dot (.) for every xx lines read. Default 1000

The CSV option only partially supports deletes and undeletes. Due to the nature of
those commands and the inherent danger, they are simply used for supplying the list
of DNs and expansion (see below) is NOT enabled. The CSV option fully supports
renames, adds, and modifications.

Something to keep in mind when pulling in CSV data is that AdMod will not magically
handle ordering for you. For instance, if you have group1 that has a member of group2
and you are importing groups, the import will fail unless group2 is created before
group1. If you have group1 as a member of group2 and group2 is a member of group1
(i.e. recursive nesting) then you need to create the groups in one pass and then in
a second pass populate the membership.

CSV will accept CSV input from file via -csvfile, through the PIPE (|) or through
redirection (<). If you are unfamiliar with redirection, please Google for 'Using
command redirection operators'.

IMPORT
======

The -import switch will look at the CSV fields and import anything that is listed
that you haven't specified directly.
If you have a CSV file with a filtered list of attributes, it is likely you can use
this directly. If you are working with a complete CSV dump, you will most likely need
to filter some attributes out of the stream. This is done with the -importexclattr
switch.

When in UPDATE mode the imported attributes are processed as value adds. That means
they will NOT overwrite existing values. This means single value attributes that are
already populated will return 'Attribute Or Value Exists'. To sidestep that, you need
to specify an attribute operation such as description::{{.}}.

The -importexclattr excludes several attributes by default even if you do not specify
any other attributes:

  createTimeStamp
  distinguishedName
  dSCorePropagationData
  lastLogonTimestamp
  logonHours
  modifyTimeStamp
  msDS-Cached-Membership
  msDS-Cached-Membership-Time-Stamp
  objectCategory
  objectGUID
  objectSid
  replUpToDateVector
  repsFrom
  repsTo
  sIDHistory
  subRefs
  uSNChanged
  uSNCreated
  whenChanged
  whenCreated

As of V01.15.00 if you would like to remove one of those attributes from the filter
list, you can specify the switch with the attribute with an appended dash such as
-importexclattr objectsid-

CSVDE SUPPORT
=============

The CSV functionality in AdMod was not designed to interact with CSVDE. However, it
should be able to be used. One thing that can be an immediate problem is due to how
CSVDE handles escaped characters. These special characters are commas in DNs and
control characters. For some reason, CSVDE escapes these characters with a double
backslash instead of a single backslash. This is odd since the LDAP API outputs the
escaped characters and accepts the escaped characters with a single backslash.
Instead of guessing how that should be handled or writing a whole separate module for
parsing CSVDE, AdMod ignores it. :) This means that you need to clean them up yourself
with some form of search and replace or parsing.
Once that is accomplished, you can feed the CSVDE generated file to AdMod with the
-CSV switch. AdMod will handle the binary formatting that CSVDE uses which is to
enclose the binary value in X' and '.

SIZE LIMITS
===========

There is no check for the size of update/add request. This means that if you try to
import a group with some large number of members it is possible and even likely that
it will fail if the update exceeds the LDAP packet size maximum. The number of members
will be limited based on the size of the DNs of the members. Correction of this issue
will occur in some future version of AdMod.

ADCSV
=====

There is also a special ADCSV submode which is automatically invoked when AdMod
detects the ADCSV header on info piped in from AdFind. You can invoke this mode by
specifying -ADCSV in the AdFind command line. The ADCSV mode sends some additional
information over from switches from AdFind including:

  o Value for empty fields
  o CSV Delimiter
  o CSV Multivalue Delimiter
  o CSV Quote Character
  o Host
  o Port
  o User ID (if specified on AdFind command line)
  o Password (if specified on AdFind command line)
  o Simple Bind True/False
  o -hh value if specified
  o -url value if specified
  o SSL True/False

The obvious benefit here is that if you use something other than the default values
you won't have to specify that to AdMod, it can figure it out on its own. Also the
Host and Port specified means you hit the same server and port you pulled the
information from. However, if for some reason you want to, you can override the
values with switches directly applied to the AdMod command line.

EXPANSION
=========

AdMod supports 'expansion' of strings with 'variables' to generate values on the fly.
There is both base DN and attribute level expansion that can occur. The variables
available for use are composed both of fields available in the CSV input and some
additional special values offered up by AdMod. In non-CSV mode the DN modifier
special values are not available.
Expansion Strings
-----------------

An expansion string is simply a string that has 'operations' embedded in it that
require expansion. This is EXTREMELY powerful functionality that can often be used
in the place of scripting. These operations are designated by start/end markers and
can be intermixed in the string with other operations or plain text. The start of
operation marker is '{{' and the end of operation marker is '}}'.

Within the markers you can specify values. These values can be various opcodes or
field names from the CSV input. Any CSV fields specified *must* be in the CSV data
stream or AdMod will immediately terminate.

On top of the values, you have the option to specify modifiers to 'tweak' the values.
Modifiers are specified by a colon (:) character or in a couple of special
specifically documented cases a double colon (::) following the value. All values can
have either the _lc (lowercase) or _uc (uppercase) modifier applied. Some opcode
values have additional modifiers that can be specified.

So an operation will look something like

  {{value[:modifier]}}

The brackets around the modifier indicate that it is optional.

OpCodes are differentiated from CSV fields by having a leading and trailing asterisk
in the name. So while you may have an attribute named parent, to use the parent
OpCode you would use *parentdn*. That way you could use both the parent CSV field and
the parent OpCode in a single Expansion string without confusion.

There are two available mechanisms to specify "the CSV field that matches the
attribute name". These are '.' and NULL. So if you needed to do something like:

  useraccountcontrol::{{useraccountcontrol:SET:32}}

you could alternately specify the expansion string in these two alternate formats

  useraccountcontrol::{{.:SET:32}}
  useraccountcontrol::{{:SET:32}}

which obviously reduces the amount of typing and redundancy.

Available OpCodes
.................

  o *cnt* - This is an enumerator.
    The value is incremented for every DN processed. The counter starts at 0 by
    default, but this can be modified with the -counterstart switch.
    Usage: {{*cnt*}}

  o *rnd* - This is a random character generator. The value is randomly generated
    individually every time it is encountered. There are three optional modifiers
    available for this opcode: minimum length, maximum length, and character set
    specified as :min:max:char_set. The default values for the modifiers are:
      * min 15
      * max 25
      * char_set 0123456789abcdefghjkmnpqrtuvwxyzABCDEFGHJKLMNPQRTUVWXYZ#%_-=+:;{}[],.?~
    The following pre-constructed character sets can be specified:
      __lc   Lowercase English alphabet
      __uc   Uppercase English alphabet
      __spec Special characters - !@#$%*_-=+:;{}[],.?|~
      __num  Numbers 0-9
      __hex  Hex characters 0-9 a-f
    Usage: {{*rnd*}}
           {{*rnd*:5:10}}
           {{*rnd*:5:10:0123456789ABCDEF}}
           {{*rnd*:5:10:__hex}}
           {{*rnd*:5:10:__uc__lc}}

  o *dn* - DN of current object.
    Usage: {{*dn*}}

  o *rdn* - RDN of current object.
    Usage: {{*rdn*}}

  o *parentdn* - Parent DN of current object.
    Usage: {{*parentdn*}}

  o *domaindn* - Domain DN of current object.
    Usage: {{*domaindn*}}

  o *rootnc* - DN of Root Domain. Alias *forestnc*
    Usage: {{*rootnc*}} or {{*forestnc*}}

  o *defaultnc* - DN of the Default domain.
    Usage: {{*defaultnc*}}

  o *confignc* - DN of the Configuration partition.
    Usage: {{*confignc*}}

  o *schemanc* - DN of the Schema partition.
    Usage: {{*schemanc*}}

  o *ndc* - Non-Domain portion of DN of current object.
    Usage: {{*ndc*}}

  o *name* - Name of current object.
    Usage: {{*name*}}

  o *origname* - Original name of current object prior to bmod expansion.
    Usage: {{*origname*}}

  o *secprin* - Security Principal from RootDSE msDS-PrincipalName (current security
    context domain\userid format).
    Usage: {{*secprin*}}

  o *sid*:secprin - Convert secprin to SID String.
    Usage: {{*sid*:domain1\administrators}}

  o *isid*:secprin - Convert secprin to <SID=SID String>. Useful for Group Membership
    adds.
    Usage: {{*isid*:domain1\administrators}}

  o *ldssid*:ldsdn - Convert lds DN to SID String.
    Usage: {{*ldssid*:cn=someobj,ou=someou,o=someorg}}

  o *hostfqdn* - FQDN of the host.
    Usage: {{*hostfqdn*}}

  o *domaindns* - DNS value for domain name. Alias *domain*
    Usage: {{*domaindns*}} or {{*domain*}}

  o *rootdns* - DNS value for root domain name. Alias *forestdns*.
    Usage: {{*rootdns*}} or {{*forestdns*}}

  o *now* - Current local time in format YYYY/MM/DD-HH:MM:SS TZ String
    Usage: {{*now*}}

  o *now_utc* - Like *now* but UTC TZ
    Usage: {{*now_utc*}}

  o *now_int8* - Like *now* but in int8 integer format. There are three optional
    modifiers available for this opcode: modify type, delta value integer.
    The modify types are:
      * +d Add delta days
      * -d Subtract delta days
      * +h Add delta hours
      * -h Subtract delta hours
      * +m Add delta minutes
      * -m Subtract delta minutes
    Usage: {{*now_int8*}}
           {{*now_int8*:+h:6}}

  o *enclocal_int8* - Encode time/date string into int8. There is a mandatory
    modifier for this opcode which specifies the date/time to encode. The format of
    the time to encode is YYYY/MM/DD[-HH:MM:SS]. The date aspect of the modifier is
    required, the time is optional. After the mandatory modifier you can add the same
    optional modifiers mentioned for *now_int8* above.
    NOTE: There is a deviation from the standard modifier notation to add this
    additional modifier. Instead of using a single colon (:), you need to specify a
    double colon (::) to avoid collision with the colons in the time value.
    Usage: {{*enclocal_int8*:2006/11/07-08:00:00}}
           {{*enclocal_int8*:2006/11/07-08:00:00::+d:10}}

  o *encutc_int8* - Like *enclocal_int8* but UTC TZ.
    Usage: {{*encutc_int8*:2006/11/07-08:00:00}}
           {{*encutc_int8*:2006/11/07-08:00:00::+d:10}}

CSV Field Modifiers
...................

  o _lc - Change string to all lowercase.
    Usage: {{somecsvfield:_lc}}

  o _uc - Change string to all uppercase.
    Usage: {{somecsvfield:_uc}}

  o enclocal_int8 - Encode time/date string into int8.
    This CSV Field modifier does not have the mandatory modifier of the date/time
    value from the opcode of the same name as it is passed in the CSV Field. It does,
    however, have the same optional modifiers as the opcode with the same modifier
    specifier deviation, i.e. the double colon (::).
    Usage: {{somecsvfield:enclocal_int8}}
           {{somecsvfield:enclocal_int8::+d:10}}

  o encutc_int8 - Like enclocal_int8 but UTC TZ.
    Usage: {{somecsvfield:encutc_int8}}
           {{somecsvfield:encutc_int8::+d:10}}

  o allvals - Glue the multiple values in a specific attribute into a single string.
    The default glue character is the semicolon (;). An alternate glue character (or
    string) can be specified as a modifier. This modifier is specified with the
    special double colon modifier (::) separator.
    Usage: {{somecsvfield:allvals}}
           {{somecsvfield:allvals::|}}

  o int8+d - Takes int8 CSV field and adds days to it. It has one required modifier,
    the integer value for number of days.
    Usage: {{somecsvfield:int8+d:5}}

  o int8-d - Takes int8 CSV field and subtracts days from it. It has one required
    modifier, the integer value for number of days.
    Usage: {{somecsvfield:int8-d:5}}

  o int8+h - Takes int8 CSV field and adds hours to it. It has one required modifier,
    the integer value for number of hours.
    Usage: {{somecsvfield:int8+h:5}}

  o int8-h - Takes int8 CSV field and subtracts hours from it. It has one required
    modifier, the integer value for number of hours.
    Usage: {{somecsvfield:int8-h:5}}

  o int8+m - Takes int8 CSV field and adds minutes to it. It has one required
    modifier, the integer value for number of minutes.
    Usage: {{somecsvfield:int8+m:5}}

  o int8-m - Takes int8 CSV field and subtracts minutes from it. It has one required
    modifier, the integer value for number of minutes.
    Usage: {{somecsvfield:int8-m:5}}

  o Various logical/mathematical operators - This is a catch-all for several math
    functions available.
    They all follow the same format:

      somecsvfield:operator:intvalue

    The intvalue field can be specified in three formats
      * Binary  - bnnnn where nnnn is a binary string.
      * Hex     - 0xnnnn where nnnn is a hex string.
      * Decimal - nnnn where nnnn is a decimal string.

    The list of logical/mathematical operators
      * CLR - Clear bits specified by intvalue.
      * SET - Set bits specified by intvalue.
      * AND - Logical AND (value&=intvalue)
      * OR  - Logical OR (value|=intvalue)
      * XOR - Logical XOR (value^=intvalue)
      * +   - Addition (value+=intvalue)
      * -   - Subtraction (value-=intvalue)
      * *   - Multiplication (value*=intvalue)
      * /   - Division (value/=intvalue)
    Usage: {{somecsvfield:SET:0x02}}
           {{somecsvfield:CLR:2}}
           {{somecsvfield:+:500}}

  o r - This is the replace modifier. It has two values that you need to specify, the
    string to find and the string to replace it with. It will replace the first
    occurrence of the string found. In cases where either replacement string has
    embedded colons, you can specify the separate fields with $ (dollar signs)
    instead of colons by prefixing the modifier with $.
    Usage: {{somecsvfield:r:somestring1:somestring2}}
           {{somecsvfield:$r$somestring1$somestring2}}

  o r_ci - Same as r, but case-insensitive.
    Usage: {{somecsvfield:r_ci:somestring1:somestring2}}
           {{somecsvfield:$r_ci$somestring1$somestring2}}

  o rall - This is the replace all modifier. It has two values that you need to
    specify, the string to find and the string to replace it with. It will replace
    every instance of the string found.
    Usage: {{somecsvfield:rall:somestring1:somestring2}}
           {{somecsvfield:$rall$somestring1$somestring2}}

  o rall_ci - Same as rall, but case-insensitive.
    Usage: {{somecsvfield:rall_ci:somestring1:somestring2}}
           {{somecsvfield:$rall_ci$somestring1$somestring2}}

Examples:

Ex1: Creating 1000 enabled users w/ random passwords via template.
     (all one line)
     admod -add -autobase 1000:cn=myuser,cn=users,dc=test,dc=loc
       -bmod cn={{*origname*}}_{{*cnt*}},{{*parent*}} objectclass::user
       -kerbenc unicodepwd::{{*rnd*:6:8}} samaccountname::{{*name*}}
       useraccountcontrol::512 -exterr

Ex2: Copy OU structure from AD to ADAM (all one line)
     adfind -default -f objectcategory=organizationalunit objectclass description
       -adcsv | admod -h adamsrv -add -replacedn "dc=test,dc=loc:ou=mytestou"
       -import -unsafe -exterr

Ex3: Copy the first 25 users from AD into ADAM as userProxies (all one line)
     adfind -default -f samaccounttype=805306368 -maxe 25 objectsid displayname
       -adcsv | admod -h adamsrv -add
       -bmod {{*RDN*}},ou=userproxies,ou=import,ou=mytestou objectclass::userproxy
       displayname::{{.}} objectsid::{{.}} -unsafe -exterr

Ex4: Rename user accounts to lastname,firstname (all one line)
     adfind -default -f samaccounttype=805306368 sn givenname -adcsv
       | admod -rename {{sn}}\,{{givenname}} -unsafe

Ex5: Export group from AD and then reimport group into AD in two passes.
     Export Group
       adfind -b CN=g1,OU=tmptestou,DC=test,DC=loc displayname objectclass grouptype
         member -csv >group.csv
     Import Group w/o members
       admod -csv -add -import -importexclattr member -exterr < group.csv
     Import Group members
       admod -csv -expand member:++:{{.}} -exterr < group.csv

Ex6: Clear all SidHistories on all objects with SidHistory values in domain
     (all one line)
     adfind -default -f sidhistory=* sidhistory -adcsv
       | admod sid##sidhistory:--:{{.}} -unsafe
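The following Python model is an added illustration, not AdMod's own code and not from joeware: it applies the {{value[:modifier]}} expansion syntax described in this section (the '.'/NULL attribute shorthand, _lc/_uc, the SET/CLR/AND/OR/XOR/+/-/*/\/ operators with their b/0x/decimal intvalue formats, the int8 day/hour/minute modifiers and the r/rall replace forms, including the $ separator variant) to a constructed CSV stream, and expresses the -sc uacset/uacclear shortcuts from the shortcut help as the equivalent useraccountcontrol::{{.:SET:n}} / {{.:CLR:n}} attr-actions. The sample rows, the opcode subset (*cnt*, *dn*, *rdn*, *parentdn*, *name*) and all function names are assumptions; nothing is sent to a directory, the result is the list of values AdMod would submit.

```python
import csv
import io
import re

# Constructed sample input (hypothetical accounts): roughly what "adfind ...
# samaccountname useraccountcontrol sn givenname lastlogon -csv" would emit.
SAMPLE_CSV = """dn,samaccountname,useraccountcontrol,sn,givenname,lastlogon
"CN=joe,CN=Users,DC=test,DC=loc",joe,544,Richards,Joe,133000000000000000
"CN=sam,CN=Users,DC=test,DC=loc",sam,512,Smith,Sam,133000000000000000
"""

# userAccountControl flag values from the uacset/uacclear shortcut help.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 2, "PASSWD_NOTREQD": 32, "DONT_EXPIRE_PASSWD": 65536,
    "SMARTCARD_REQUIRED": 262144, "TRUSTED_FOR_DELEGATION": 524288,
    "USE_DES_KEY_ONLY": 2097152, "DONT_REQUIRE_PREAUTH": 4194304,
    "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 16777216,
}
BIT_OPS = {"SET": lambda v, i: v | i, "CLR": lambda v, i: v & ~i,
           "AND": lambda v, i: v & i, "OR": lambda v, i: v | i,
           "XOR": lambda v, i: v ^ i, "+": lambda v, i: v + i,
           "-": lambda v, i: v - i, "*": lambda v, i: v * i,
           "/": lambda v, i: v // i}
# int8 (FILETIME) values count 100ns ticks: one day is 864e9 ticks.
INT8_UNITS = {"d": 864_000_000_000, "h": 36_000_000_000, "m": 600_000_000}
OP_RE = re.compile(r"\{\{(.*?)\}\}")

def parse_int(text):
    """intvalue formats from the help: bnnnn binary, 0xnnnn hex, else decimal."""
    if text[:1] == "b":
        return int(text[1:], 2)
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    return int(text)

def dn_split(dn):
    """Split a DN into (RDN, parent DN), honouring backslash-escaped commas."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[0], (parts[1] if len(parts) > 1 else "")

def apply_mod(value, mods):
    """Apply one modifier (mods[0]) with its arguments (mods[1:]) to a string."""
    if not mods:
        return value
    name = mods[0]
    if name in ("_lc", "_uc"):
        return value.lower() if name == "_lc" else value.upper()
    if name in BIT_OPS:
        return str(BIT_OPS[name](int(value), parse_int(mods[1])))
    m = re.fullmatch(r"int8([+-])([dhm])", name)       # int8+d:5, int8-h:2, ...
    if m:
        delta = int(mods[1]) * INT8_UNITS[m.group(2)]
        return str(int(value) + (delta if m.group(1) == "+" else -delta))
    m = re.fullmatch(r"(r|rall)(_ci)?", name)          # replace first / replace all
    if m:
        count = 1 if m.group(1) == "r" else 0
        flags = re.IGNORECASE if m.group(2) else 0
        return re.sub(re.escape(mods[1]), lambda _: mods[2], value,
                      count=count, flags=flags)
    raise ValueError(f"unsupported modifier {name!r}")

def expand(template, row, attr, ctx):
    """Expand every {{value[:modifier...]}} in template for one CSV row. attr is the
    attribute being written ('.' or '' refers to it); ctx maps opcode names to values."""
    def one(match):
        value, sep, rest = match.group(1).partition(":")
        if rest.startswith("$"):               # {{field:$r$find$replace}} form
            mods = rest[1:].split("$")
        else:
            mods = rest.split(":") if sep else []
        if value in ("", "."):
            value = attr
        if value.startswith("*") and value.endswith("*"):
            if value not in ctx:
                raise ValueError(f"unsupported opcode {value}")
            base = str(ctx[value])
        elif value in row:
            base = row[value]
        else:                                  # AdMod terminates on a missing field
            raise KeyError(f"CSV field {value!r} is not in the input stream")
        return apply_mod(base, mods)
    return OP_RE.sub(one, template)

def run(csv_text, attr_actions, counter_start=0):
    """Mimic the AdMod CSV loop: attr_actions are (attribute, operation, template)
    tuples; returns the (dn, attribute, operation, expanded value) list for LDAP."""
    out = []
    for cnt, row in enumerate(csv.DictReader(io.StringIO(csv_text)), counter_start):
        rdn, parent = dn_split(row["dn"])
        ctx = {"*cnt*": cnt, "*dn*": row["dn"], "*rdn*": rdn,
               "*parentdn*": parent, "*name*": rdn.split("=", 1)[1]}
        for attr, op, tmpl in attr_actions:
            out.append((row["dn"], attr, op, expand(tmpl, row, attr, ctx)))
    return out

def uac_shortcut(csv_text, flag, set_bit=True):
    """-sc uacset:FLAG / -sc uacclear:FLAG written as the equivalent attr-action
    useraccountcontrol::{{.:SET:n}} / useraccountcontrol::{{.:CLR:n}}."""
    tmpl = "{{.:%s:%d}}" % ("SET" if set_bit else "CLR", UAC_FLAGS[flag.upper()])
    return run(csv_text, [("useraccountcontrol", "", tmpl)])
```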
AdMod Security Descriptor Options
=================================

  -sdnoowner              Do not return owner info in Security Descriptor for {getsd}.
  -sdnogroup              Do not return group info in Security Descriptor for {getsd}.
  -sdnodacl               Do not return DACL info in Security Descriptor for {getsd}.
  -sdnosacl               Do not return SACL info in Security Descriptor for {getsd}.
  -sdna                   Get SD No Admin - aka -sdnosacl for {getsd}.
  -onlydacl               Only return DACL info in Security Descriptor for {getsd}.
  -onlysacl               Only return SACL info in Security Descriptor for {getsd}.
  -sdsimple               Turn off some of the automatic SDDL handling when specifying
                          an SDDL
  -exterr                 Useful for breaking up SDDL string if seeing "Error in SDDL
                          conversion"
  -sdwhatif               [BETA] Will show you what SD will actually be set. I highly
                          recommend using this when initially using this
                          functionality.
  -sd xx                  Grab current security descriptor and modify based on the
                          string in xx.
  -dsd xx                 Grab default security descript
or and modify based on the
                          string in xx.
  -sdkeepgeneric          Do not replace the G* rights masks (GA,GW,GR,GX) with
                          expanded values.

NOTE: Don't forget to check out the Short Cut Usage for SD related Short Cuts.

AdMod allows for a series of advanced security descriptor modifications via the SD##
functionality. Primarily the focus here has been on the nTSecurityDescriptor however
it should work for any security descriptors stored in Active Directory. If you
encounter any specific issues please let me know at support@joeware.net.

The basic SD## functionality takes an SDDL string, please see the Microsoft SDDL
documentation for details on what that format looks like or check out the -rawsddl
output of security descriptors in AdFind.
If you are not familiar with SDDL format security descriptors I **HIGHLY** recommend
you not mess with this functionality in AdMod because the Active Directory you could
outright break will be your own.

The SD## SDDL functionality in V01.21.00 and later versions of AdMod allows for some
additional functionality including the ability to have AdMod retrieve the current
security descriptor value. This is unusual for AdMod as you normally have to provide
all of the information yourself. However, to replace functionality in DSACLS.EXE and
simplify the commands I chose to have AdMod be able to retrieve security descriptors.

To retrieve the current security descriptor of an object you simply specify {GETSD}
where the SDDL string would normally be placed. So that looks like

  SD##ntsecuritydescriptor::{GETSD}

Of course getting and setting the identical security descriptor really has no value
so there is a set of modifier parameters, any number of which can be applied, that
allow you to modify the value returned before setting. The parameters follow a basic
format of:

  {xy=(Owner|Group|FLAGS(ACE SDDL String))}

  x: add or remove operation specified with + or -
  y: Portion of security descriptor to modify
       O = Owner
       G = Primary group
       D = DACL
       S = SACL

  Owner: SID or friendly name of security principal to set as Owner
         x should only be +
  Group: SID or friendly name of security principal to set as Group
         x should only be +
  FLAGS: Optional ACE Flags such as AI (aka Inherit) or PAI (Protected)
         EX: {+D=AI()}
         EX: {+S=PAI()}
         EX: {+D=PAI(DENY;;[DEL CHILD][DEL TREE][DEL];;;Everyone)}
  DACL:  DACL ACE to add or remove.
  SACL:  SACL ACE to add or remove.

DACL/SACL ACE FORMATS:

  type;flags;rights;objectguid;inhobjectguid;secprinsid

You can find details on all of these fields at:
  https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings

AdMod will help you a little in that if you use the standard decode format output by
AdFind it will convert those to the proper SDDL ACE string formats.
Some common decodes include:

  type:
    A  - ALLOW
    D  - DENY
    OA - OBJ ALLOW
    OD - OBJ DENY
    AU - AUDIT
    OU - OBJ AUDIT
    *  - For REMOVE operations match on anything.

  flags:
    CI - [CONT INHERIT]
    OI - [OBJ INHERIT]
    NP - [NO PROPAGATE]
    IO - [INHERIT ONLY]
    ID - [INHERITED]
    SA - [SUCCESS]
    FA - [FAILURE]
    *  - For REMOVE operations match on anything.

  rights:
    GA - [FC]
    GR - [GEN READ]
    GW - [GEN WRT]
    GX - [GEN EXE]
    RC - [READ PERMS]
    WD - [WRT PERMS]
    WO - [WRT OWNER]
    RP - [READ PROP]
    WP - [WRT PROP]
    CC - [CR CHILD]
    DC - [DEL CHILD]
    LC - [LIST CHILDREN]
    SD - [DEL]
    SW - [SELF WRT]
    LO - [LIST OBJ]
    DT - [DEL TREE]
    CR - [CTL]
    *  - For REMOVE operations match on anything.

  objectguid:
  inhobjectguid:
    AdMod will look the GUIDs up in AD for classes, attributes, property sets, etc
    as needed.
    * - For REMOVE operations match on anything.

  secprinsid:
    AdMod will look the SIDs up in AD for secprins as necessary.
    * - For REMOVE operations match on anything.
    {{*domaindns*}} - replaces {{*domaindns*}} with domain DNS value of domain of
                      object.
    {{*rootdns*}}   - replaces {{*rootdns*}} with domain DNS value of root domain of
                      object.

You can stack the operations as needed with adds and removes.

Some basic examples:

  SD##ntsecuritydescriptor::"{GETSD}{+O=[ForestDNSName]\Enterprise Admins}{-D=(*;*;*;*;*;AO)}"
  SD##ntsecuritydescriptor::"{GETSD}{+D=(OA;CIIO;RPWP;member;group;S-1-1-0)}{-D=(*;*;*;*;*;SO)}"
  SD##ntsecuritydescriptor::"{GETSD}{-D=(*;*;*;member;group;*)}{-D=(*;*;*;*;*;BUILTIN)}"

You can shortcut the commands by using -sd xx where -sd will replace
SD##ntsecuritydescriptor::{GETSD} and xx is the ACE modifications to apply to the
security descriptor.
While the default of {GETSD} is to pull the security descriptor of the current
object, you can override it and specify the DN of a specific object:

  {GETSD}=DN

  EX: SD##ntsecuritydescriptor::{GETSD}=CN=SomeObject,OU=SomeOU,DC=Dom,DC=com

There are also special aliases that can be used as part of the DN parameter:

  {{*DN*}}            - Current DN, this is default and not required.
  {{*CONFIGNC*}}      - Configuration NC DN.
  {{*DEFAULTNC*}}     - Default NC DN.
  {{*ROOTNC*}}        - Root NC DN. Alias {{*FORESTNC*}}
  {{*SYSTEM*}}        - CN=System,{{*DEFAULTNC*}}.
  {{*ADMINSDHOLDER*}} - CN=AdminSDHolder,{{*SYSTEM*}}.

  EX: SD##ntsecuritydescriptor::{GETSD}={{*ADMINSDHOLDER*}}

There are a few other {GETSD} related options that work the same way but give you a
different starting base SD to work from:

  {GETPSD} - like {GETSD} but the DACL is Protected from inheritance.
  {GETISD} - like {GETSD} but the DACL allows inheritance.

If you need to reset an object back to the objectClass default there is an option to
dynamically pull the defaultSecurityDescriptor for an objectclass and use that as the
base SD to work with:

  {GETDSD}   - retrieve defaultSecurityDescriptor for class of object to be updated.
  {GETPDSD}  - like {GETDSD} but sets DACL to be Protected from inheritance.
  {GETDSD}=X - retrieve defaultSecurityDescriptor for class with ldapDisplayName X.

If you would like to set up some template objects and want some shortcuts for using
them there is an option for pulling a template object's nTSecurityDescriptor similar
to the adminSDHolder mode. Of course this can also be done with {GETSD}=DN but this
gives a nice little shortcut model as well as opportunity for some default template
objects:

  {GETTSD}=X - retrieve SD from template object named X in default NC.
  {GETTSD}   - retrieve SD from joeware-default-<objectclass> object from default NC
               and if that object doesn't exist retrieve the SD from joeware-default
               object.

Ex1: Remove Account Operators ACEs from object.
     admod -b cn=someuser,ou=someou,dc=domain,dc=com
       SD##ntsecuritydescriptor::{GETSD}{-D=(*;*;*;*;*;AO)}

Ex2: Reset object to default Security Descriptor
     admod -b cn=someuser,ou=someou,dc=domain,dc=com
       SD##ntsecuritydescriptor::{GETDSD}

Ex3: Apply AdminSDHolder Security Descriptor to object
     admod -b cn=someuser,ou=someou,dc=domain,dc=com
       SD##ntsecuritydescriptor::{GETTSD}=ADMINSDHOLDER

Ex4: Set owner of object to Enterprise Admins (Need to specify actual ForestDomainName)
     admod -b cn=someuser,ou=someou,dc=domain,dc=com
       "SD##ntsecuritydescriptor::{GETSD}{+O=ForestDomainName\Enterprise Admins}"

Ex5: Set owner of object to Enterprise Admins (auto determine forest domain name)
     admod -b cn=someuser,ou=someou,dc=domain,dc=com
       "SD##ntsecuritydescriptor::{GETSD}{+O={{*rootdns*}}\Enterprise Admins}"

Ex6: Protect object from deletion.
     admod -b cn=someuser,ou=someou,dc=domain,dc=com
       SD##ntsecuritydescriptor::{GETSD}{+D=(D;;SDDCDT;;;WD)}

Ex7: Delegate modify member on group.
     admod -b cn=somegroup,ou=someou,dc=domain,dc=com
       SD##ntsecuritydescriptor::{GETSD}{+D=(A;;WP;member;;domain\secprin)}

Ex8: Delegate modify member for all groups under an OU.
     admod -b ou=someou,dc=domain,dc=com
       SD##ntsecuritydescriptor::{GETSD}{+D=(OA;CIIO;WP;member;group;domain\secprin)}

Ex9: Clear account operators access on all objects from a specific OU down.
     adfind -b ou=someou,dc=domain,dc=com -dsq
       | admod SD##ntsecuritydescriptor::{GETSD}{-D=(*;*;*;*;*;AO)}
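As an added illustration (Python model written for this page, not AdMod's own code) of how an SD## modification string is processed: it parses the {GETSD}/{GETPSD}/{GETISD} base selector, the {+O=...} owner set, the {+D=FLAGS(ACE)} add and {-D=(...)} remove operations described above, converts the AdFind decode spellings from the tables (DENY, [DEL CHILD], ...) to SDDL codes, and applies the '*' match-anything rule for removes against a constructed starting security descriptor. The SID alias table is a small subset, object names such as member/group are kept as text rather than looked up as schema GUIDs, {{*rootdns*}}-style expansion inside the string is not handled, and all names here are assumptions.

```python
import re
from copy import deepcopy

# SDDL aliases AdMod would resolve for you (small subset; real well-known SIDs).
SID_ALIASES = {"AO": "S-1-5-32-548", "SO": "S-1-5-32-549", "BA": "S-1-5-32-544",
               "WD": "S-1-1-0", "Everyone": "S-1-1-0"}
# AdFind decode spellings -> SDDL codes, from the tables in this help text.
TYPE_DECODES = {"ALLOW": "A", "DENY": "D", "OBJ ALLOW": "OA", "OBJ DENY": "OD",
                "AUDIT": "AU", "OBJ AUDIT": "OU"}
FLAG_DECODES = {"CONT INHERIT": "CI", "OBJ INHERIT": "OI", "NO PROPAGATE": "NP",
                "INHERIT ONLY": "IO", "INHERITED": "ID", "SUCCESS": "SA",
                "FAILURE": "FA"}
RIGHT_DECODES = {"FC": "GA", "GEN READ": "GR", "GEN WRT": "GW", "GEN EXE": "GX",
                 "READ PERMS": "RC", "WRT PERMS": "WD", "WRT OWNER": "WO",
                 "READ PROP": "RP", "WRT PROP": "WP", "CR CHILD": "CC",
                 "DEL CHILD": "DC", "LIST CHILDREN": "LC", "DEL": "SD",
                 "SELF WRT": "SW", "LIST OBJ": "LO", "DEL TREE": "DT", "CTL": "CR"}
BASE_RE = re.compile(r"^\{GET([PI]?)SD\}(?:=([^{]*))?")
MOD_RE = re.compile(r"\{([+-])([OGDS])=([^{}]*)\}")

# Constructed starting SD standing in for what {GETSD} would fetch (hypothetical
# object). Two ACEs grant Account Operators (S-1-5-32-548), the target of the
# {-D=(*;*;*;*;*;AO)} example in this section.
SAMPLE_SD = {
    "owner": "S-1-5-32-544", "group": "S-1-5-32-544",
    "dacl_protected": False, "sacl_protected": False, "sacl": [],
    "dacl": [("A", "", "RPWPCRCCDCLCLORCWOWDSDDTSW", "", "", "S-1-5-32-544"),
             ("A", "", "RPWPCRCCDCLCLORCWOWDSDDTSW", "", "", "S-1-5-32-548"),
             ("OA", "CIIO", "WP", "member", "group", "S-1-5-32-548"),
             ("A", "", "RPLCLORC", "", "", "S-1-1-0")],
}

def decode_field(text, table):
    """'[DEL CHILD][DEL TREE]' or 'DENY' -> SDDL codes; codes pass through as-is."""
    names = re.findall(r"\[([^\]]+)\]", text)
    return "".join(table[n] for n in names) if names else table.get(text, text)

def parse_ace(text):
    """'type;flags;rights;objguid;inhobjguid;sid' -> 6-tuple of SDDL codes."""
    parts = text.split(";")
    if len(parts) != 6:
        raise ValueError(f"ACE needs 6 fields: {text!r}")
    t, f, r, og, ig, sid = parts
    return (decode_field(t, TYPE_DECODES), decode_field(f, FLAG_DECODES),
            decode_field(r, RIGHT_DECODES), og, ig, SID_ALIASES.get(sid, sid))

def codes(rights):
    """Rights string -> set of two-letter codes, so SDDCDT and DCDTSD compare equal."""
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}

def ace_matches(pattern, ace):
    """Remove-operation matching: a '*' field in the pattern matches anything."""
    for i, (p, a) in enumerate(zip(pattern, ace)):
        if p == "*":
            continue
        differ = codes(p) != codes(a) if i == 2 else p.lower() != a.lower()
        if differ:
            return False
    return True

def apply_sd_mods(base_sd, modstring):
    """Apply an SD## modification string ({GETSD}{+D=...}{-D=...}) to base_sd and
    return the SD that would be written back; base_sd itself is not mutated."""
    sd = deepcopy(base_sd)
    m = BASE_RE.match(modstring)
    if not m:
        raise ValueError("modification string must start with {GETSD}")
    if m.group(1):                               # {GETPSD} / {GETISD}
        sd["dacl_protected"] = m.group(1) == "P"
    for op, part, payload in MOD_RE.findall(modstring[m.end():]):
        if part in "OG":
            if op != "+":
                raise ValueError("owner/group can only be set with +")
            sd["owner" if part == "O" else "group"] = SID_ALIASES.get(payload, payload)
            continue
        fm = re.fullmatch(r"([A-Z]*)\((.*)\)", payload)
        if not fm:
            raise ValueError(f"expected FLAGS(ACE) in {payload!r}")
        flags, ace_text = fm.groups()
        key = "dacl" if part == "D" else "sacl"
        if flags in ("AI", "PAI"):               # AI allows, PAI protects
            sd[key + "_protected"] = flags == "PAI"
        if not ace_text:                         # flags-only, e.g. {+D=AI()}
            continue
        ace = parse_ace(ace_text)
        if op == "+":
            if ace not in sd[key]:
                sd[key].append(ace)
        else:
            sd[key] = [a for a in sd[key] if not ace_matches(ace, a)]
    return sd
```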