Yep, the new version of AdMod, in beta testing now, will leverage the info that you get from an adfind query to do what I call partial data attribute updates. That is when there is something in the current value you need to generate the new value. DSMOD has to make a call to the DC for every DN it is passed to get the current useraccountcontrol value in order to enable/disable objects, as it is simply clearing the #1 bit, which has a value of 2. There is no mechanism to tell AD to just clear the second bit; you retrieve the old value, clear the bit, then write the whole value back.
 
So AdMod takes the -adcsv output from AdFind, which would include the current value of useraccountcontrol with the DN of the object. That means it works like
 
1 LDAP Query requests to match x objects (done from AdFind)
Loop through X objects
 {
  LDAP Mod requests to update the current object (done from AdMod)
 }
 
Now dsquery/dsmod has to do it this way
 
1 LDAP Query requests to match x objects (done from dsquery)
Loop through X objects
 {
  LDAP Query requests to get UAC value for the current object
  LDAP Mod requests to update the current object (done from dsMod)
 }
 
 
You could consider it cheating. It is something I always had in mind doing when I wanted to combine adfind/admod into a single tool. Once I added CSV capability to adfind I realized I could pull it off with the two separate tools now for people.
 
Maybe I should patent this technology... ;o)
 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
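
The read-once, modify-many flow described in the message above, as an added example that is not part of the original thread and is not AdMod's code. The CSV column layout, the DNs and the function names are assumptions made for illustration; the bit values are the standard userAccountControl flags.

```python
import csv
import io

UF_ACCOUNTDISABLE = 0x0002   # the bit "which has a value of 2"
UF_PASSWD_NOTREQD = 0x0020   # part of the thread's uac of 546 (512 + 32 + 2)

# Constructed sample; stands in for the CSV output of the single query.
SAMPLE_CSV = '''"dn","userAccountControl"
"CN=User One,OU=Test,DC=example,DC=com","546"
"CN=User Two,OU=Test,DC=example,DC=com","514"
"CN=User Three,OU=Test,DC=example,DC=com","512"
'''

def plan_enable(csv_text):
    """Compute new values from the query output, with no per-object read.

    Returns (mods, flagged): mods lists (dn, old, new) for objects whose
    value changes; flagged lists DNs that would be enabled while still
    carrying PASSWD_NOTREQD and so deserve review before the write.
    """
    mods, flagged = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        old = int(row["userAccountControl"])
        new = old & ~UF_ACCOUNTDISABLE       # clear only the disable bit
        if new != old:
            mods.append((row["dn"], old, new))
            if new & UF_PASSWD_NOTREQD:
                flagged.append(row["dn"])
    return mods, flagged

def to_ldif(mods):
    """One LDIF modify record per changed object (ASCII DNs assumed)."""
    return "".join(
        f"dn: {dn}\nchangetype: modify\nreplace: userAccountControl\n"
        f"userAccountControl: {new}\n-\n\n"
        for dn, _old, new in mods
    )

if __name__ == "__main__":
    mods, flagged = plan_enable(SAMPLE_CSV)
    print(to_ldif(mods), end="")
    print(f"# 1 query + {len(mods)} modify requests")
    for dn in flagged:
        print(f"# review: password not required on {dn}")
```

Objects that are already enabled produce no modify request at all, and the whole new value is still written back for the rest, as the message says.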
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 13, 2006 4:05 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] dsget error

It must be some kind of issue with the DS* tools.  I was using a combination of ADFIND and DSMOD last week to enable ~200,000 user objects (I forgot to set a password in a script that created a bunch of objects and therefore had a shed load of objects with uac of 546) and it would die every time with that error after a couple of thousand objects.  I figured, but didn't look into it, it's something to do with the fact that DSMOD queries the DN you pass it to check for object type, etc. which means there's loads of queries hitting the DC (one for each mod).
 
This is why Joe's ADMOD (1.7) is going to be loads better, as he only does one extra query which means there's only n + 1 LDAP requests hitting the DC as opposed to n x 2 with DSMOD.
 
 
--Paul
----- Original Message -----
Sent: Wednesday, September 13, 2006 2:45 AM
Subject: RE: [ActiveDir] dsget error

The query is probably timing out.

 

Get Joe’s ADfind and run something like this:

 

adfind -default -f "(&(objectCategory=person)(objectClass=user))" displayName samAccountName pwdLastSet

 

You can tag a -csv on there too

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Tuesday, September 12, 2006 9:29 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] dsget error

 

Any time I try to run a large query using dsquery and dsget where I pipe it to a text file for output, I eventually get a “dsget failed:The server is not operational.” error from dsget. I’ve searched the Internet for this and seen posts from a couple of other people who have had this issue, with no resolution.

 

Am I doing something wrong? Am I stupid? (yes, I probably am) Am I missing some limitation of stdout?

 

Here’s the command I was using:

 

“dsquery user -name * -limit 0 | dsget -display -samid -pwdneverexpires”

 

Thnx,

JC

 


