Introduction to ADModify.net
Topic Last Modified: 2010-01-08
by Marc Nivens and Dan Winter
This article is an introduction to the ADModify (ADModify.net) tool, which can be useful when troubleshooting Microsoft® Exchange Server.
- Feature Overview
- Terminal Server Attributes
- Mailbox Rights
- Naming Attributes
- Using Variables
- Undo Feature
- ADModify in a Command Line
- Tips for Exchange Administrators
- For More Information
ADModify is written using Microsoft Visual C#® .NET 2003. Version 2.0 is improved to make the same modifications in less than half the time of the previous version. Its feature set allows administrators to bulk modify any Active Directory® directory service attribute from any Active Directory partition with almost limitless flexibility. Administrators are no longer restricted by the attributes hard coded into the tool, because ADModify contains the ability to modify any attribute using its name and value. ADModify is also no longer restricted to literal values. It is now possible to dynamically build values based on current Active Directory attributes.
All logging is done using XML, making it easy for administrators to manipulate and store the data and even take advantage of features such as Undo. Keeping with the Microsoft Windows Server™ 2003 initiative that everything that can be done in the GUI should be available through the command line, a command-line version of the tool that contains all of the same features is included.
ADModify requires the .NET Framework. It will not run across a network drive.
To obtain the ADModify tool, contact Microsoft Product Support Services. For more information about how to contact Product Support Services, see the Microsoft Support and Help Web site.
You can also obtain the ADModify tool from the GotDotNet Web site. For more information about obtaining this tool, see ADModify.NET: Workspace Home.
Note: The third-party Web site information in this topic is provided to help you find the technical information you need. The URLs are subject to change without notice.
It is now possible to modify Windows Server 2003 Terminal Server attributes using ADModify. All Terminal Server attributes available in the Windows Server 2003 Active Directory Users and Computers Users property page are available. ADModify uses the TSUserExLib library, so Windows Server 2003 is required to make Terminal Server setting modifications. Although you do not have to be running a Windows Server 2003 domain, you will need to run the program from a server running Windows Server 2003 for this specific functionality.
Mailbox rights are also now available for bulk modification.
Note: Because CDOEXM is used, Exchange Server 2003 or Exchange 2000 Server Exchange System Manager must be installed on the computer that ADModify is run on.
There are four options when dealing with mailbox rights:
- Dump Mailbox Rights: This option exports all of the access control entries (ACEs) in a user's mailbox rights to an .xml file, separated by inherited and non-inherited rights. This file can be used as a way for administrators to track mailbox rights and can also be used to import. Undo is not supported when using this option, because it is a read-only operation.
- Import Mailbox Rights: As long as a valid export of mailbox rights has been completed, the Import Mailbox Rights option can be used to import them. All that is required is a valid Mbxrights.xml file. Undo is not supported when using this option.
- Bulk Add a User to Mailbox Rights: With this option, it is possible to add a user with specific rights to multiple mailboxes at the same time. For example, you could grant the user DOM\user1 Full Mailbox Access to a specific subset of users. Undo is supported when using this option.
- Bulk Remove a User From Mailbox Rights: Similar to the Bulk Add a User to Mailbox Rights option, except this option will remove the specified user from mailbox rights. Undo is supported when using this option.
Possibly the most robust feature of ADModify is the flexibility to name the attribute you want to modify. Any attribute that contains a string, Boolean (true/false) value, or integer value can be modified. Attributes that contain data types such as security identifiers (SIDs) and Long Integer are not supported.
Fill in the attribute name and value in the appropriate fields. For operations on attributes with multiple values, be sure to choose Multivalued Append or Multivalued Remove. If you modify an attribute with multiple values and do not choose one of these options, the attribute is overwritten with the new value instead of having the new value appended.
Administrators are no longer restricted to using literal values when bulk modifying users. ADModify supports the use of variables. Variables allow you to build a value for an attribute based on one or more current attributes. Enclose the value in single straight quotation marks (') to treat it as a variable. If you want to build an attribute using both variables and literal values, remember that variables need to be separated from literal values using the percent sign (%). You can also take the first x number of characters from an attribute and use that.
Examples of variables:
Syntax for using the description attribute as your value:
Syntax for using two attributes, givenName and sn (separated by a space):
Syntax for using multiple attributes and literal values:
Syntax for taking the first character of an attribute:
If you need to use the actual percent sign (%) or single straight quotation mark (') characters in an attribute value, use a preceding forward slash as an escape character. You can mix variables with literal values, including the % and ' characters, as long as the correct syntax is used.
Examples include the following:
To assign the value "This is a percent sign: %", use this:
This is a percent sign: /%
To assign the value "My username is 'username' " (where username is the sAMAccountName), use this:
My username is /'%'sAMAccountName'%/'
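The variable and escape rules above, modelled as a small Python preview so a value template can be checked against sample attribute values before a bulk run. This is an added example, not ADModify code: the grammar is inferred from the article's description, the `%N'attr'%` form and the error handling are assumptions, and the sample objects are constructed.

```python
import re

# Grammar modelled on the article's description, not on ADModify's source:
#   /%  /'      escaped literal % or '
#   %'attr'%    current value of attr
#   %N'attr'%   first N characters (closing '% assumed; page shows only "%1'givenName")
_TOKEN = re.compile(r"/([%'])|%(\d*)'([A-Za-z][A-Za-z0-9-]*)'%|([%'])")


class TemplateError(ValueError):
    """Unescaped % or ', or a referenced attribute that is not set."""


def expand(template, attrs):
    """Expand one value template against one object's attribute dict."""
    lookup = {k.lower(): v for k, v in attrs.items()}  # LDAP names ignore case

    def repl(m):
        esc, count, name, stray = m.groups()
        if esc:                                # /% or /' -> literal character
            return esc
        if stray:                              # bare % or ' outside any token
            raise TemplateError(f"unescaped {stray!r} at offset {m.start()}")
        if name.lower() not in lookup:
            raise TemplateError(f"attribute not set: {name}")
        value = lookup[name.lower()]
        return value[:int(count)] if count else value

    return _TOKEN.sub(repl, template)


def preview(template, users):
    """Map each DN to its new value, or to 'ERROR: ...', with no directory access."""
    result = {}
    for dn, attrs in users.items():
        try:
            result[dn] = expand(template, attrs)
        except TemplateError as exc:
            result[dn] = f"ERROR: {exc}"
    return result


USERS = {  # constructed sample objects, not real directory data
    "CN=Ana Diaz,OU=MyOU,DC=domain,DC=com": {"givenName": "Ana", "sn": "Diaz"},
    "CN=svc-backup,OU=MyOU,DC=domain,DC=com": {"sAMAccountName": "svc-backup"},
}

if __name__ == "__main__":
    print(preview("%'sn'%, %'givenName'%", USERS))
```

Objects reported as `ERROR` are the ones to review before the real run, since the article does not say what ADModify writes when a referenced attribute is empty.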
Administrators no longer need to be concerned about making massive bulk updates to Active Directory users. With the exception of the Remove Exchange Attributes and Import Mailbox Rights options, every modification can be undone. All modifications are written to a log file named after the current date and time, in MMDDYYYYHHMMSS.xml format. All modifications log the new value and the user’s previous value. As long as the log file is intact, ADModify can parse it and undo the changes that were previously made. In addition to logging the changes in the .xml file, there is also an Undo.log file. This file contains all users processed by the undo feature, logs users who were skipped, includes the reason why users were skipped, and includes a summary of changes.
The command-line syntax is:
admodcmd -undo filename.xml
The admodcmd.exe tool is a fully functional command-line version of ADModify. Syntax can be obtained using admodcmd -?. Examples for common administrative tasks follow:
Add a secondary Simple Mail Transfer Protocol (SMTP) address of firstname.lastname@example.org:
admodcmd -dn OU=MyOU,DC=domain,DC=com -addsmtp %1'givenNameemail@example.com
Name the attribute you want to modify, and modify the description field to contain the value "My legacyExchangeDN is (legacyExchangeDN)", where (legacyExchangeDN) is the user's legacyExchangeDN:
admodcmd -dn OU=MyOU,DC=domain,DC=com -custom description "My legacyExchangeDN is %'legacyExchangeDN'%"
Modify the display name to read last name, first name:
admodcmd -dn OU=MyOU,DC=domain,DC=com -custom displayName "%'sn'%, %'givenName'%"
Modify the user's relative distinguished name from first name last name to last name, first name:
admodcmd -dn OU=MyOU,DC=domain,DC=com -modrdn "%'sn'%, %'givenName'%"
For more sample usage for admodcmd, consult the ADModify Help file.
The following are some common tasks that Exchange administrators may need to know.
The Extension Attributes tab has been removed in ADModify. Modification of extensionAttribute1 through extensionAttribute15 is now done on the Custom tab.
To modify extensionAttribute1 through extensionAttribute15
Run ADModify, and then click Modify Attributes.
In the Domain List box, select the domain.
In the Domain Controller List box, select the domain controller.
Go to the Users container and expand it, choose the users to modify by selecting the user objects, and then click Add To List.
In the right pane, select the user object and click Next.
On the Custom tab, select the Make a custom modification box.
In the Attribute Name box, enter extensionAttributex, where x is the number of the extension attribute to modify.
In the Attribute Value box, type the new value of the extension attribute.
Because ADModify can browse and modify the configuration container, you can run bulk modifications against the Exchange organization hierarchy. One useful function for Exchange administrators is the ability to ensure that the inheritance bit is set properly on all items in the Exchange hierarchy.
To bulk modify the inheritance bit on all Exchange objects in a hierarchy
Run ADModify, and click Modify Attributes.
In the Domain List box, select the configuration partition.
Type a domain controller name in the Domain Controller List box and click Go.
Click Custom LDAP Query. Type the filter (objectClass=*) and click OK.
Select the Traverse Subcontainers box.
Move from Configuration to Services and select Microsoft Exchange.
Click Add to list.
Select all objects in the right pane and click Next.
Click the Account tab, and select both boxes next to the Allow Inheritable Permissions setting.
Some environments contain proxyAddresses that were manually entered or otherwise not stamped by the Recipient Update Service. In these scenarios, removing Exchange attributes without first saving these addresses can cause problems. To save the proxyAddresses, do the following.
To save proxyAddresses
Run ADModify, and click Modify Attributes.
Select the domain and domain controller from the drop-down list.
Add the users, and click Next.
Click the Custom tab. In Attribute Name, enter proxyAddresses, and under Attribute Value, type null.
The preceding procedure clears the proxyAddresses attribute, but it first logs all current proxyAddresses to the ADModify .xml log file. Once you have this log file, you can remove the Exchange attributes. When the attributes have been restored, run ADModify in undo mode and select that log file. The undo mode replaces the current set of proxyAddresses with the ones in the log file.
For more information about using the ADModify tool, see the ADModify Help file.