Active Directory Scripting Basics
Posted by Mark Raborn in Scripting on 2008/02/17
Managing and Maintaining Active Directory from the command line
This article is a Help Guide (IN PROGRESS) for scripting in Active Directory. It is a basic guide. For advanced information on the subject, please check out:
- How To Directory Service Command Line Tools
- Windows Script Center
- Windows Script Center Repository
- Windows 2000 Scripting Guide
- Windows Command Line A-Z
For friendly, down-to-earth articles on the command line and batch files, refer to
For the future-is-now of Windows scripting, check out PowerShell.
HERE WE GO…
Active Directory command line tools offer help. HELP! can be displayed by typing a command (into the command window) and adding the slash question mark at the end (like so): dsadd /?
TIPS
- type start at the command prompt to open a second command window (and a third, fourth, etc…)
- Help commands can be opened (and left open) in other windows. Use the second window and type your command followed by /? . Keep this window open and you can review the Help as you type commands in the first window.
- all commands are written on a single line
- after typing your command in the command window, press Enter to execute it
Active Directory has a suite of command line tools for scripting in AD. These tried and true commands will soon *not be the latest thing* as PowerShell comes to the fore with Windows Server 2008 RTM. However, there will be many environments, many circumstances and many Windows 2003 and Windows 2000 Active Directory installs in which having knowledge of and practical experience with these commands will benefit the administrator.
This page hopes to keep some *handy notes* around for those who need them. It will be improved over time.
Active Directory Command Line Tools
- dsadd.exe
- dsget.exe
- dsmod.exe
- dsmove.exe
- dsquery.exe
more identity tools
- gpresult
- whoami.exe
- cmdkey.exe
EXAMPLE: dsadd (adds objects into Active Directory)
::ADDING USERS - adding users is achieved with the following syntax
dsadd user UserDN [-UPN UPN] [-samid SAMName] -pwd {Password|*}
::EXAMPLE
dsadd user "CN=Joe User,CN=Users,DC=wigital,DC=net" -upn joe@wigital.net -samid joeuser -pwd *
PIPELINING
Pipelining allows you to put together commands in Active Directory scripting. Understanding the pipelining abilities natively available in Active Directory will help make the best use of these tools. Experienced shell users can move on to advanced pipelining in Windows scripting (with PowerShell).
Pipelining takes the output of one command and pipes it into the input of the next command. This enables all sorts of options, such as querying directory objects (using the first command) and returning a set of objects to be output in bulk and piped as input to the next command. This output set of objects could then be processed in some way, such as modifying the objects (dsmod), displaying the objects (dsget), moving the objects (dsmove) or otherwise manipulating the objects. The pipe symbol is |
Examples of using pipes
To find all users with the name Joe in their Full Name and get the email addresses for all Joes:
dsquery user -name JOE* | dsget user -email
To find all users in the BLOGGING Organizational Unit and modify their description to BLOGGERS:
dsquery user "ou=BLOGGING,dc=wigital,dc=net" | dsmod user -desc BLOGGERS
NAMING and RENAMING USER ACCOUNTS
One of the more confusing areas of Active Directory scripting is names. There are multiple ways of naming a user and of changing the multiple names of a user. Naming includes:
- <CN> Common Name (the LDAP name stored in Active Directory)
  - ADD: dsadd user "cn=Joe User,cn=Users,dc=wigital,dc=net"
  - RENAME: dsmove "cn=Joe User,cn=Users,dc=wigital,dc=net" -newname "Joe SuperUser"
- -upn <UPN> User logon name, in the form user@mydomain.com
  - dsmod user "cn=Joe User,cn=Users,dc=wigital,dc=net" -upn joesuperuser@wigital.net
- -samid <SAMName> User logon name, pre-Windows 2000 (NetBIOS-type logon name), in the form myusername
- -display <Display Name> in the form Joe User -OR- Joe L User, etc…
  - dsmod user "cn=Joe User,cn=Users,dc=wigital,dc=net" -display "Joseph SuperUser"
Note that users can log on using their username or User Principal Name. For further information, read these articles:
- How to Rename User Accounts Windows 2000 (GUI)
- Rename a User Account Windows 2003 (GUI and command line)
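Putting the four names together: the following batch script is an added example, not code from the original post. It renames an account consistently by changing the Common Name with dsmove, then the UPN, pre-Windows 2000 logon name and display name with dsmod on the renamed object, and shows the account with dsget before and after so the result can be checked. The script name and the sample DN, names and domain in the usage line are assumptions; the account running it needs rights to modify the user.

```batch
@echo off
:: rename-user.cmd -- added example, not from the original post.
:: Renames one user's CN, UPN, pre-Windows 2000 logon name and display name
:: in one pass so the four names stay consistent.
:: Usage: rename-user.cmd "cn=Joe User,cn=Users,dc=wigital,dc=net" "Joe SuperUser" joesuperuser wigital.net
:: (the DN, names and domain above are assumed sample values)
setlocal
if "%~4"=="" (
    echo Usage: %~nx0 "OldUserDN" "New Common Name" NewLogonName DnsDomain
    exit /b 1
)
set "OLDDN=%~1"
set "NEWCN=%~2"
set "NEWSAM=%~3"
set "DOMAIN=%~4"

:: Derive the new DN: same parent container, new CN in front.
:: Everything after the first comma is the parent (assumes the RDN holds no escaped commas).
for /f "tokens=1* delims=," %%a in ("%OLDDN%") do set "PARENT=%%b"
set "NEWDN=cn=%NEWCN%,%PARENT%"

echo Before:
dsget user "%OLDDN%" -dn -samid -upn -display

:: 1. Rename the object itself (this changes the CN, and therefore the DN)
dsmove "%OLDDN%" -newname "%NEWCN%" || goto :fail
:: 2. Update the logon names and the display name on the renamed object
dsmod user "%NEWDN%" -upn %NEWSAM%@%DOMAIN% -samid %NEWSAM% -display "%NEWCN%" || goto :fail

echo After:
dsget user "%NEWDN%" -dn -samid -upn -display
endlocal
exit /b 0

:fail
echo Rename failed. The account may now have mixed old and new names; check it with dsget user.
endlocal
exit /b 1
```

The dsmove step runs first because dsmod needs the new DN once the object has been renamed; if either step fails the script stops and reports it rather than continuing with half of the names changed.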
Group Policy Command Line
No discussion of users would be complete without a discussion of policy. There are a number of tools available to manipulate and determine policy. One of the best ways to start looking at policy is to understand what policy is currently applied to a User, Group or Computer.
GPRESULT
gpresult is one of the most needed tools in the Policy/Active Directory command line environment. gpresult.exe displays the Resultant Set of Policy (RSoP) for a USER or COMPUTER.
gpresult is good for discovering:
- the current policy applied to a User -OR- Computer
- what the policy would be [after applying projected policy changes]. This can be determined prior to making those changes - this is very useful for planning purposes
Redirect Command Line Output to File
SAVING TO A FILE
So you’ve just worked up a bunch of information using these tools and you find yourself wishing you had written it all down!
You can do that. Some of the most useful commands in Active Directory and Policy scripting come from the DOS command line in general. These commands provide methods to save the output of your work to a file. Consider these as a way to save notes, information, command output etc… to files on your hard drive for later review.
The copy con command provides a method to copy the console (the text you are typing in the window). Copying what you are typing and then saving it to a file allows you to take NOTES. This is useful for saving your thoughts while you are working as well as for creating a file to use as your notepad. You can then append (add more to the file) by using the append redirect >> (explained next) as a means to output the results of the scripts discussed earlier. In other words, save your work.
copy con
copy con c:\mynotes.txt
::type your notes here and as the text appears -- copy con -- is copying every word
::press enter as many times as needed
::after the last line is typed press Control plus Z and Enter one more time
CTRL+Z (press Enter)
The copy con command sets up the window to copy what the user is typing. CTRL+Z is then used to write the data to the file.
REDIRECT (the > symbol)
You can save the output of a command to a file using the > symbol. This redirects the output to a filename and type of your choosing. Example:
gpresult /r /z > c:\thisUsersPolicy.txt
You can also append output from multiple commands into the same file using the same symbol twice ( >> ). This builds upon the previous work: each append adds the output to the bottom of the text file. You could start a notepad (mynotes.txt) using copy con, then append >> (two greater-than symbols) different outputs from Active Directory scripts. An append example:
dsquery user -desc "Temporary Employees" >> c:\thisUsersPolicy.txt
clip.exe is another handy tool (included in Windows 2003; it can be copied from %SYSTEM%\System32\ into Windows XP). clip.exe provides the ability to send the output of a command to the clipboard. From there, you can paste it ( CTRL+V ) anywhere.
systeminfo | clip
dsquery user | clip
ipconfig /all | clip
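The pipelining, redirection and clip examples above combine naturally into one audit script. The following batch script is an added example, not code from the original post: it queries one OU with dsquery, pipes the results into dsget, writes each section into a report file (a single > to create it, >> for everything after, including the output of gpresult), and finally copies the finished report to the clipboard. The script name, the OU, the 4-week and 90-day thresholds and the report location are assumptions; the -limit, -disabled, -inactive and -stalepwd switches of dsquery user are standard switches that this page does not otherwise discuss (-inactive relies on the lastLogonTimestamp attribute, which needs Windows Server 2003 forest functional level).

```batch
@echo off
:: ou-account-report.cmd -- added example, not from the original post.
:: Builds a plain-text account report for one OU with dsquery | dsget pipelines,
:: saves it with > and >>, and copies it to the clipboard with clip.exe.
:: Usage: ou-account-report.cmd "ou=BLOGGING,dc=wigital,dc=net" [c:\reports]
:: (the OU, report folder and the 4-week / 90-day thresholds are assumed sample values)
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 "OU distinguished name" [report folder]
    exit /b 1
)
set "OU=%~1"
set "OUTDIR=%~2"
if "%OUTDIR%"=="" set "OUTDIR=%TEMP%"
set "REPORT=%OUTDIR%\account-report.txt"

:: A single > creates (or overwrites) the report; every later line appends with >>.
echo Account report for %OU% > "%REPORT%"
echo Generated %DATE% %TIME% by %USERNAME% on %COMPUTERNAME% >> "%REPORT%"

echo. >> "%REPORT%"
echo == All users: pre-Windows 2000 logon name, UPN, e-mail == >> "%REPORT%"
:: -limit 0 removes dsquery's default cap of 100 results
dsquery user "%OU%" -limit 0 | dsget user -samid -upn -email >> "%REPORT%"

echo. >> "%REPORT%"
echo == Disabled accounts == >> "%REPORT%"
dsquery user "%OU%" -limit 0 -disabled | dsget user -samid -display >> "%REPORT%"

echo. >> "%REPORT%"
echo == Accounts with no logon in the last 4 weeks == >> "%REPORT%"
dsquery user "%OU%" -limit 0 -inactive 4 | dsget user -samid -display >> "%REPORT%"

echo. >> "%REPORT%"
echo == Accounts whose password is older than 90 days == >> "%REPORT%"
dsquery user "%OU%" -limit 0 -stalepwd 90 | dsget user -samid -display >> "%REPORT%"

echo. >> "%REPORT%"
echo == Resultant Set of Policy for the account running this script == >> "%REPORT%"
gpresult /r /z >> "%REPORT%"

:: Put the whole report on the clipboard too, ready to paste into a ticket or e-mail.
type "%REPORT%" | clip
echo Report written to %REPORT% and copied to the clipboard.
endlocal
```

The script only reads from the directory (dsquery, dsget, gpresult); reviewing the disabled, inactive and stale-password sections of the report before running any dsmod or dsmove pipeline against the same OU is the safe order of work.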
more to follow (2008-2-18 is today) ….