I just had the pleasure of figuring out how to mass clear the logon hours attribute on a couple hundred users since one of my 650 OU admins took the liberty of setting them (by hand presumably). Given he didn’t bother to set the force logout option in AD, this led to a real nice load of kerb errors/traffic at the local DC. You can follow this procedure to set the logonhours to anything you want – the value I use sets them to 24/7.
There are two tools for this job, both Joeware (www.joeware.net). Grab adfind and admod and extract them to the same directory. I have a folder c:\tools on my management station and my workstation that I just keep all this sort of thing in. It’s especially useful when you want to pipe output from one to the next as we’re going to do here.
The first task is to get the logonhours attribute value you want to set. The easiest way is to set it by hand in ADUC on one user, and then use adfind to dump the value, with a command like this:
adfind -b "OU=Staff,OU=Users,DC=BigTire,DC=local" -h "my-dc01" -f "(&(objectCategory=person)(objectClass=user)(samaccountname=templateusername))" logonhours
Copy and paste that somewhere; you’ll need it later. If you just want to set it to 24/7 as I’m going to do, the value is "FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF".
That done, we can whack all the users we want to modify. We’ll pipe the output from adfind over to admod.
adfind -b "OU=Staff,OU=Users,DC=BigTire,DC=local" -h "my-dc01" -f "(&(objectCategory=person)(objectClass=user))" -dsq | admod -h my-dc01 -safety 100 bin##logonhours::"FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF"
Note that we added a -dsq switch, which tells adfind to just pipe the DNs of the users matching our filter (everybody in the Staff OU in this case). The bin## is a special instruction for admod so it knows to do a binary attribute update. Finally, -safety 100 tells admod only to modify the first 100 objects passed to it. You can replace this with -unsafe to do every object, or increase the safety. My recommendation is that unless you know very well what the hell you’re doing when you use admod you use the safety switch. It’s quite easy to mess with every object in your domain if you’re not careful.
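To sanity-check a logonhours value before pushing it to a few hundred accounts, here is an added Python example (not from the original post and not part of the Joeware tools) that decodes and builds the hex string. It assumes the standard attribute layout of 21 bytes, one bit per hour of the week starting Sunday 00:00 UTC, least significant bit first in each byte; the function names are made up for this example.

```python
import re

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
HOURS_PER_WEEK = 168  # 21 bytes * 8 bits

def parse_logon_hours(text):
    """Turn a hex dump like 'FFFF FFFF ... FF' into the 21 raw bytes."""
    raw = bytes.fromhex(re.sub(r"\s+", "", text))  # ValueError on non-hex input
    if len(raw) != 21:
        raise ValueError(f"logonHours must be 21 bytes, got {len(raw)}")
    return raw

def allowed_hours(raw):
    """List the permitted (day, hour) slots. Hours are UTC, not local time."""
    return [(DAYS[i // 24], i % 24) for i in range(HOURS_PER_WEEK)
            if (raw[i // 8] >> (i % 8)) & 1]

def build_logon_hours(slots):
    """Build the 21 bytes from (day_index, hour) pairs, Sunday = 0, UTC."""
    raw = bytearray(21)
    for day, hour in slots:
        if not (0 <= day < 7 and 0 <= hour < 24):
            raise ValueError(f"bad slot: day={day} hour={hour}")
        i = day * 24 + hour
        raw[i // 8] |= 1 << (i % 8)
    return bytes(raw)

def to_hex_groups(raw):
    """Format bytes the way the post writes them: groups of four hex digits."""
    h = raw.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))

def summarize(text):
    """Count permitted and denied hours in a dumped value."""
    allowed = len(allowed_hours(parse_logon_hours(text)))
    return {"allowed": allowed, "denied": HOURS_PER_WEEK - allowed}

if __name__ == "__main__":
    always = "FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF"  # value from the post
    print(summarize(always))
    # Constructed sample: Monday to Friday, 08:00-17:59 UTC
    office = build_logon_hours((d, h) for d in range(1, 6) for h in range(8, 18))
    print(to_hex_groups(office), summarize(to_hex_groups(office)))
```

ADUC's grid shows local time, so a schedule set by hand there will appear shifted by your UTC offset in this output.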