
Sample Script - Custom Attribute yields easier LDAP searching in ADUC

During a recent Exchange 5.5 to 2003 cross-site mailbox migration, I needed a simple way to select a large number of users out of AD, right-click and say Move Mailbox. Sounds pretty simple, right? But what if you use multiple levels of OUs in your AD structure, and the users in question span multiple OUs, departments, etc.? I was moving 200 users per night, but they didn't all fit in a single department or physical location. So, I cheated....

I created a script that sets the Custom Attribute 3 field (LDAP name extensionAttribute3) to a known value that an ADUC Saved Query can then find. I run the batch script against a list of user names, add the tag "20060816migrate", then go into ADUC and get busy.

If it sounds like a lot of work, it isn't. You wouldn't bother with this for a 12-user move, but the 5 minutes it takes from start to finish saves hours in a 2500-user move.

Notes:
*I chose customAttribute3 at random; choose whichever one you aren't using. Don't blindly overwrite the employee number the HR database syncs in...
*Use a unique string for your search term; something tied to the date is very effective. I don't bother to go back and delete or reset the field afterwards because (1) I'm lazy, and (2) if I'm ever curious when a user was migrated I can always go back and look at that field.

The script, which is also available for download:

::REM ----------------- Begin sample batch script -----------------------------
@echo off
cls
::REM Custom Attribute update sample script (updateLdap.cmd)
::REM By John Seaman, www.japan-page.net/batch
::REM (C)Copylefted under terms of the GNU / GPL


::REM This script will take a user name (samAccountName) and add the custom value specified below into the
::REM AD Custom Attribute field #3 (LDAP name extensionAttribute3). A custom LDAP query can then search this
::REM field and select all users for the exchange attributes removal/migration/etc.

::REM Note: to see the field from ADUC, go to Exchange Advanced tab, choose Custom Fields.

::REM This script requires adfind.exe and admod.exe from Joeware.net (http://www.joeware.net/win/free/tools/adfind.htm).
::REM Big thanks to Joe Richards !!!

::REM Usage: call this script with the user ID (samAccountName) after it:   updateLdap.cmd jsmith
::REM Or, to process a whole list, uncomment the loop that follows the variables below and run the
::REM script with no arguments....

::REM Be sure to update the _dc and _baseDN fields for your domain!

::REM Set variables

set _dc=MyDomainController
set _baseDN="OU=MyOuInActiveDirectory,DC=root,DC=MyDomain,DC=com"

::REM Create log file

set _log=updateLdap.log

::REM Set the text to add to the custom field (this must match the value used in the ADUC Saved Query)

set _text=20060816migrate

::REM Optional: process one user per line from userlist.txt instead of a single command line argument
::REM for /f %%i in (userlist.txt) do call :processUser %%i
::REM pause
::REM goto :EOF


:processUser
::REM Start

if "%~1"=="" (echo No user name given & goto :EOF)
echo Now applying update to user %1...


::REM ---------------------
::REM Get username base DN:


::REM Time to get jiggy...

adfind -b %_baseDN% -f "(&(objectcategory=user)(samAccountName=%1))" -dn >_out.txt


type _out.txt | find "dn:" >_userDN.txt

::REM Fix the UserDN by nuking the "dn:" prefix (the first 3 characters)...
::REM The original used textTools32 ("t repl 'dn:' ''"); this version uses a native for /f split on the
::REM first colon instead, so no extra tool is needed.

(for /f "tokens=1,* delims=: " %%a in (_userDN.txt) do echo %%b) >_userDN1.txt

::REM Refuse to continue unless exactly one DN came back. A stray "*" or ")" in the user list would
::REM otherwise match many accounts and every one of them would be tagged.

for /f %%c in ('type _userDN1.txt ^| find /c /v ""') do set _count=%%c
if not "%_count%"=="1" (
  echo Expected 1 match for %1 but found %_count% - skipping >>%_log%
  echo Expected 1 match for %1 but found %_count% - skipping
  goto :EOF
)

for /f "delims=" %%i in (_userDN1.txt) do echo User %1 DN is %%i >>%_log%


::REM ----------------------

::REM Call ADmod and fix the field

for /f "delims=" %%i in (_userDN1.txt) do admod -h %_dc% -b "%%i" "extensionAttribute3::%_text%" -exterr >>%_log%
if errorlevel 1 echo admod returned error level %errorlevel% for %1 - check %_log%


:EOF
::REM ----------------- End sample batch script -----------------------------
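The same procedure written in PowerShell with the ActiveDirectory module, added here as an example; it is not part of the original script, and the script name, parameter names and the ConvertTo-LdapFilterValue helper are my own. It does the two things a batch script makes awkward: it escapes the account name before putting it in the LDAP filter (so a line like "*" in the list cannot match every user), and it skips any account whose extensionAttribute3 already holds another value, which is the "don't overwrite the HR sync" caveat from the notes above. It assumes RSAT / the AD module is installed and that the caller may write extensionAttribute3 in the search base.

```powershell
# Tag-MigrationUsers.ps1 (added example, not the original updateLdap.cmd)
# Assumes the ActiveDirectory module (RSAT) and write access to extensionAttribute3.
param(
    [Parameter(Mandatory)] [string] $UserListPath,            # one samAccountName per line
    [string] $SearchBase = 'OU=MyOuInActiveDirectory,DC=root,DC=MyDomain,DC=com',
    [string] $Tag = ('{0:yyyyMMdd}migrate' -f (Get-Date)),    # date-based tag, as the post suggests
    [string] $LogPath = 'updateLdap.log',
    [switch] $WhatIf                                          # dry run: report, change nothing
)
Import-Module ActiveDirectory

# Escape a value for use inside an LDAP filter (RFC 4515): '*', '(', ')', '\' and NUL become
# \xx hex escapes, so user-supplied text can only ever match literally.
function ConvertTo-LdapFilterValue([string] $Value) {
    $sb = New-Object System.Text.StringBuilder
    foreach ($b in [System.Text.Encoding]::UTF8.GetBytes($Value)) {
        if (($b -in (0x2A, 0x28, 0x29, 0x5C, 0x00)) -or ($b -gt 0x7F)) {
            [void] $sb.AppendFormat('\{0:x2}', $b)
        } else {
            [void] $sb.Append([char] $b)
        }
    }
    return $sb.ToString()
}

foreach ($line in (Get-Content $UserListPath | Where-Object { $_.Trim() })) {
    $sam    = $line.Trim()
    $filter = "(&(objectCategory=user)(samAccountName=$(ConvertTo-LdapFilterValue $sam)))"
    $users  = @(Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties extensionAttribute3)

    # The batch script tags every DN adfind returns; insist on exactly one match instead.
    if ($users.Count -ne 1) {
        "SKIP $sam : $($users.Count) objects matched" | Tee-Object -FilePath $LogPath -Append
        continue
    }
    $user = $users[0]

    # Never clobber a value another process (HR sync, an earlier migration) already put there.
    if ($user.extensionAttribute3 -and $user.extensionAttribute3 -ne $Tag) {
        "SKIP $sam : extensionAttribute3 already set to '$($user.extensionAttribute3)'" |
            Tee-Object -FilePath $LogPath -Append
        continue
    }

    Set-ADUser -Identity $user.DistinguishedName -Replace @{ extensionAttribute3 = $Tag } -WhatIf:$WhatIf
    "TAGGED $sam ($($user.DistinguishedName)) with $Tag" | Tee-Object -FilePath $LogPath -Append
}
```

Run it first as `.\Tag-MigrationUsers.ps1 -UserListPath .\userlist.txt -Tag 20060816migrate -WhatIf` to see which accounts would be touched and which would be skipped, then again without -WhatIf. Afterwards the same filter the Saved Query uses, `Get-ADUser -LDAPFilter '(&(objectCategory=user)(extensionAttribute3=20060816migrate))'`, lists the tagged accounts from the shell.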

Create a Saved Query in ADUC:
Saved Queries in ADUC are the slickest thing since instant coffee. Create a new query, choose Custom Search, then the Advanced tab, and paste the following LDAP filter into the Query String window (the two clauses need the enclosing & to form a valid filter)...
(&(objectCategory=user)(extensionAttribute3=20060816migrate))

After you save the query, execute it and you'll get your entire user list in one window. Have fun!
