The first part of this series covered some advanced commands to perform specific tasks in Active Directory Domain Services, available since Windows 2000 Server. Thanks to some great feedback on that first post, in this second part I’ll cover some more basic commands.
Granted, these commands will not make you look like a rocked scientist, but will make (the sysadmin part of) your life easier: These dedicated Directory Services ds* commands can be used to automate most of the object-related tasks.
The first command I’ll show you is dsget.exe.
This command can be used to retrieve information on objects (like users, computers, groups, but also quota, partitions and Domain Controllers).
Another good example of using dsget.exe is to get a list of all members of the Domain Admins group:
dsget group “CN=Domain Admins,CN=users,DC=domain,DC=tld”
Without this command and only the right and left mouse button of the mouse, compiling a list of all the group memberships would take you a lot of time within the Active Directory Users and Computers Snap-In (dsa.msc)… Now try that in Active Directory Users and Computers under 1 minute! [H]
Another command-line gem is dsquery.exe. This command is the command-line equivalent of the search functionality within the Active Directory Users and Computers Snap-In (dsa.msc), but is much more powerful!
While you can search on certain types of objects within a domain or forest, with dsquery.exe you can actually filter on certain values for the object. Let me give you some examples to show you why I use dsquery.exe a lot:
dsquery server -isgc
This command will return a list of all Domain Controllers (Directory “server”s within the context of all the ds* commands) that are Global Catalogs.
dsquery user -inactive 4
The above command will output a list of all user objects in the domain that have not been used to logon in at least four weeks.
The third member in the ds* family is dsmod.exe. This is not a command tool to find or read objects in Active Directory, but actually a tool to modify objects. Now, stuff gets interesting! Not when you need to modify settings for one object… but:
- when you need to address certain issues with multiple objects
- when you need to change an attribute not found in the graphical User Interface (GUI)
- when you’re managing Active Directory on the console of a Server Core Domain Controller
Let’s look at some examples:
dsquery user “OU=Test,dc=domain,dc=tld” | dsmod user
This command will annoy all the users in the Test OU, because the command will force them to change their passwords at next logon.
Also, another nice command is to empty the Schema Admins group, which I regard as a first line of defense to prevent Active Directory schema fusterclucks:
dsget group “CN=Schema Admins,DC=domain,DC=tld” -members | dsmod group “CN=Schema Admins,DC=domain,DC=tld” -rmmbr
With dsmod.exe several attributes can be changed for objects, but you cannot use it to change it’s Distinguished Name (DN). In normal English: you cannot move or rename it. Using the dsmove.exe account you can move objects around in Active Directory and rename them by specifying a new (relative) Distinguished Name.
For moving objects between forests you can’t use dsmove.exe. For this purpose use the Active Directory Migration Tool (admt.exe)
To move an object, specify a new parent:
dsmove “CN=Jos Haarbos,OU=Employees, DC=domain,DC=tld”
To rename an object, for instance when someone changes gender or marries, specify a new name:
dsmove “CN=Vera Alouha,OU=Admins, DC=domain,DC=tld”
-newname “Vera Haarbos”
Why not expand your Active Directory rainforest a bit? Trees are being torn down all over the globe, so let’s compensate. Dsadd.exe doesn’t allow just that (Active Directory forests and trees are made using the dcpromo.exe command), but it does allow you to add stuff.
I use it a lot to pre-stage computers in Active Directory. For instance, the following command will pre-stage a computer account:
dsadd computer “CN=Computer,CN=computers,DC=domain,DC=tld”
The command above might come in handy when you want delegated admins to be able to create computer accounts in certain Organizational Units, do not want them to use the Active Directory Users and Computers MMC Snap-in (dsa.msc) and are too lazy to produce a taskpad. (aren’t we all)
While there is a user, computer, group, contact, quota and ou context for dsadd.exe, there is no server context. This means you cannot add (Read-only) Domain Controllers using this command. Use dcpromo.exe /CreateAccount for this purpose.
When working with Active Directory Domain Services, most competent admins will have come across the Directory Services Restore Mode. (DSRM) The dsrm.exe command has nothing to do with this startup mode, unless you’ve used the command to dish too many objects and need them back exactly as they were. (and don’t have access to the Windows Server 2008 R2 Active Directory Recycle Bin feature or any comparable 3rd party solution)
Using dsrm.exe you can delete objects from Active Directory. For instance, when my good friend Jos Haarbos left a company in a hurry I used the following command line to delete his account:
dsrm user “CN=Jos Haarbos, OU=Admins, DC=domain,DC=tld”
Of course, in real life scenarios you would first disable an account, fix all dependencies.
For all you know, an inexperienced admin like Jos, would run business-critical backups with his account credentials specified.
Overview of the New Active Directory Tools in Windows Server 2003
How to Manage Active Directory from command line
What are the DS commands?
Help for Directory Service command line tools
Using DS Commands to manage objects in Microsoft’s Active Directory
DS family of Command Line Tools for Windows 2003
Manage Shadow Groups in Windows Server 2008
Windows Server 2003 Commands
Windows Server 2003 Administration
11 Essential Tools for Managing Active Directory
Active Directory – Get All User Objects on Domain
Command-line tools for Windows Server 2008 Server Core Directory Service