Hack 31 Modify User Properties for All Users in a Particular OU


Changing the logon script for all users in an organizational unit (OU) is a chore if you're working from the GUI, so try this script instead.

Changing the logon script that members of a particular OU run is quick and easy through VBScript. To change the properties of objects located in a specific OU, you must first bind to that OU using ADSI. To do this, you must list all the parent OUs of the OU you are trying to bind to, as shown in the script in this hack. Then you must enumerate the objects in the OU you are modifying and check that each one is indeed a user and not some other kind of object. If it is a user, change the logon script path property in its account to Network/NewLogon.cmd and commit the change. Finally, notify the person running the script that the changes have been completed.

This script comes in handy when you need to modify common properties of many user accounts in a particular OU all at once in an Active Directory domain. In Windows 2000, unlike in NT4, you cannot just highlight the users you want to change, click on Properties and change a common property (e.g., Logon Script) for the users you have selected.

The Code

To use this script, type it into Notepad (with Word Wrap disabled) and save it with a .vbs extension as ModifyUsersOU.vbs:


'Modify all users in a specific OU in Active Directory at once. This script
'will change the logon script path for all users of the
'"Network/Services/Users/Test" OU to "Network/newlogon.cmd".

'This is the actual LDAP path. If the OU is a sub-OU, you must enter ALL of
'its parent OUs.
Set OU = GetObject("LDAP://DCServerName.MY.Domain.COM/OU=Test,OU=Users,OU=Services,OU=

'Enumerate every object in the OU specified above.
For Each oUser In OU
    'Make sure the object is of the USER class only.
    If oUser.Class = "user" Then
        'Set the name of the logon script itself here.
        oUser.Put "scriptpath", "Network\newlogon.cmd"
        'Put only changes the local property cache; SetInfo writes the
        'change to Active Directory.
        oUser.SetInfo
    End If
Next

'Tell the person running the script that the update is complete.
Wscript.echo "The Network/Services/Users/Test OU has been updated!"


Change the following line to specify the appropriate OU in your own network environment:

Set OU = GetObject("LDAP://DCServerName.MY.Domain.COM/OU=Test,OU=Users,OU=Services,


For example, if your OU is named Boston and your domain is mtit.com, then this line should be changed to:

Set OU = GetObject("LDAP://DCServerName.MY.Domain.COM/OU=Boston, DC=mtit,DC=com")

Specify the new logon script, like so:

oUser.Put "scriptpath", "Network\newlogon.cmd"

Finally, specify the output for the ECHO by modifying this line as required:

Wscript.echo "The Network/Services/Users/Test OU has been updated!"

In our example, this line should be changed to:

Wscript.echo "The Boston OU has been updated!"

Hacking the Hack

This script can easily be modified to change any of the User Object properties in a particular OU, such as:

Profile Path
Home Directory
Home Drive Letter

The script can of course be customized to modify virtually any other displayed properties of user objects.

- Hans Schefske
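
An added example, not part of the original hack: the same loop extended to preview a bulk change and log each old value before committing it, because a new logon script runs for every user in the OU at their next logon. The serverless form of the Boston OU path, the log file name and the homeDrive value are assumptions.

```vbscript
' Added example, not from the original hack. OU_PATH reuses the page's
' Boston/mtit.com example; LOG_FILE and the homeDrive value are assumptions.
Option Explicit

Const DRY_RUN = True                                  ' False = commit changes
Const OU_PATH = "LDAP://OU=Boston,DC=mtit,DC=com"
Const LOG_FILE = "ModifyUsersOU.log"
Const ForAppending = 8

Dim newValues, fso, logFile, ou, oUser, attr, oldValue, changed, mode

' Attribute name -> new value. scriptPath is the hack's own change;
' homeDrive is one of the properties listed under "Hacking the Hack".
Set newValues = CreateObject("Scripting.Dictionary")
newValues.Add "scriptPath", "Network\newlogon.cmd"
newValues.Add "homeDrive", "H:"

Set fso = CreateObject("Scripting.FileSystemObject")
Set logFile = fso.OpenTextFile(LOG_FILE, ForAppending, True)
If DRY_RUN Then mode = "DRY-RUN" Else mode = "APPLIED"

Set ou = GetObject(OU_PATH)
For Each oUser In ou
    If oUser.Class = "user" Then
        changed = False
        For Each attr In newValues.Keys
            oldValue = CurrentValue(oUser, attr)
            If StrComp(oldValue, newValues(attr), vbTextCompare) <> 0 Then
                ' Record the old value first so the change can be reversed.
                logFile.WriteLine Now & vbTab & mode & vbTab & _
                    oUser.Get("distinguishedName") & vbTab & attr & vbTab & _
                    "[" & oldValue & "] -> [" & newValues(attr) & "]"
                If Not DRY_RUN Then oUser.Put attr, newValues(attr)
                changed = True
            End If
        Next
        ' Put only edits the local property cache; SetInfo writes to AD.
        If changed And Not DRY_RUN Then oUser.SetInfo
    End If
Next
logFile.Close

' Get raises an error for an attribute that has never been set,
' so treat that case as an empty string.
Function CurrentValue(obj, attrName)
    On Error Resume Next
    CurrentValue = obj.Get(attrName)
    If Err.Number <> 0 Then CurrentValue = ""
    On Error GoTo 0
End Function
```

Run it once with DRY_RUN left at True and review the log, then set it to False to apply the same changes.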