TechRepublic Article Template

If you’ve been working with Active Directory for any length
of time, chances are good that at some point you’ve wished there were a way to
quickly and easily automate certain operations. Of course, you could tap into
Active Directory Services Interface (ADSI) via Windows Script Host and VBScript
and create or download scripts to automate those operations. However, if
programming really isn’t your strong point, you could end up spending more time
figuring out the ADSI scripting environment than actually accomplishing your

Fortunately, with Windows Server 2003, Microsoft has brought
the task of automating Active Directory operations within the grasp of every
system administrator by including a complete suite of directory service command-line
tools. Now you won’t have to delve into the advanced intricacies of ADSI when
you can use something that’s as easy to create and use as a batch file.

Author’s note

In this article, I’ll introduce you to Windows Server 2003’s
directory service command-line tools and then get you started on the ground
floor. In future articles, I’ll take an in-depth look at each tool and show you
how to use them to your advantage when you need to automate certain operations.

Why use the command line?

If you’re using Windows Server 2003, you already know that
its Active Directory GUI tools offer several new and improved features over
those in Windows 2000 Server. For example, you now have drag-and-drop
capabilities, multiple-object selection, and the ability to save and reuse
queries. So why would you even want to use the directory service command-line

To answer this question, let’s begin by looking at a list of
the available tools in the directory service command-line suite, as shown in Table A. As you look at the list, keep
in mind that there are really only six main tools in the suite, but in this
particular arrangement, I’ve expanded the list to show the first four main
commands, along with the target object on which the command is designed to
operate. The last two commands are designed to work on any target object.

Table A

Command                 Description
Dsadd contact           Adds objects to the directory
Dsadd group
Dsadd ou
Dsadd quota
Dsadd user
Dsget contact           Displays properties of objects in the directory
Dsget group
Dsget ou
Dsget partition
Dsget quota
Dsget server
Dsget site
Dsget subnet
Dsget user
Dsmod contact           Modifies select attributes of an existing object in the directory
Dsmod group
Dsmod ou
Dsmod partition
Dsmod quota
Dsmod server
Dsmod user
Dsquery computer        Finds objects in the directory that match a specified search criterion
Dsquery contact
Dsquery group
Dsquery ou
Dsquery partition
Dsquery quota
Dsquery server
Dsquery site
Dsquery subnet
Dsquery user
Dsmove                  Moves any object from its current location to a new parent
                        location or renames any object without moving it
Dsrm                    Removes an object, the complete subtree under an object in the
                        directory, or both

Windows Server 2003’s directory service command-line tools

We’ll examine each tool later in this series, but the point
of showing you the complete list now is to highlight the magnitude of the tools
in the suite and to help you get a feel for the types of operations you can
perform with them. Each tool is accompanied by a complete set of general and
command-specific parameters that allow you to further define the type of
operation you want to conduct.

Now, on first glance, you’ll immediately see that there are
command-line tools for just about every operation you can execute from within
the Active Directory GUI tools. However, once you begin to delve deeper, you’ll
discover that, in some cases, it’s easier to carry out certain types of operations
from the command line than from the GUI. Dig even further, and you’ll discover
that there are some tasks you can accomplish with the command-line tools that
just aren’t possible with the GUI tools. Furthermore, once you have a better
understanding of how these tools work, you’ll discover that you can indeed
automate many common operations quite easily.

You won’t want to completely abandon the GUI tools in favor
of the command-line tools. Rather, you’ll use the command-line tools to complement
the GUI tools.

The ground floor

To take advantage of directory service command-line tools,
you must have a good grasp of the underlying structure of Active Directory.
More specifically, you need to understand that every object in Active Directory
can be referenced by several names, and that the command-line tools rely on one
of those names — the distinguished name — to
locate and work with objects. The other two names are the relative distinguished name and the canonical name.

When you create an object in Active Directory, the process
creates the relative distinguished name and the canonical name. The
distinguished name is then based on the relative distinguished name and the
names of that object’s parent containers, including the domains. The
distinguished name identifies the object as well as its location in a tree.

To specify this location, the distinguished name uses the
Lightweight Directory Access Protocol (LDAP) attribute tags listed in Table
B. For example, the distinguished name for my user account, which exists in
the Writers organizational unit in the domain, would be

CN=Greg Shultz,OU=Writers,DC=gcs,DC=com

Table B

LDAP attribute tag      Name                    Description
CN=                     Common name             The name given to the object at creation
OU=                     Organizational unit     The name of the container
DC=                     Domain component        The name of the domain

The LDAP attribute tags used in distinguished names

As you can see, the LDAP attribute tags are used to identify
each component in the distinguished name; they are separated by commas, and the
order in which the components appear goes from the lowest level in the tree to
the highest level. The distinguished name tells you exactly where to find the
object in the Active Directory data store.

There are a few rules you need to observe when working with
the distinguished name on the command line:

  1. You should get into the habit of enclosing the distinguished name in
     quotes. (This is really necessary only if any of the names include
     spaces; however, making it a habit will save you time and frustration if
     you
  2. Do not put spaces between the commas and the object names.
  3. While using uppercase letters for the LDAP attribute tags isn’t
     necessary, it does help delineate the components and make for easier
     reading.
  4. The default Active Directory containers, such as Computers or Users, are
     essentially organizational units but are referred to as a common name.

Using Dsquery to reveal distinguished names

Now that you understand how to use the distinguished name to
identify the location of the object you want to work with, you can use the
directory service command-line tools to automate your most common Active
Directory management operations. You needn’t worry about having to figure out
all the distinguished names on your own — you can ask the Dsquery command for

While I’ll get into more detail on the more powerful
features of the Dsquery command in a future article, it’s a good place to start
becoming more familiar with the distinguished names in your Active Directory
structure. For example, to see the distinguished names for the user accounts in
Active Directory, open the command prompt and type

Dsquery user

To see the distinguished names for the organizational units
in Active Directory, type the command

Dsquery ou

You can try other basic Dsquery commands using the list of
target objects shown in Table A. However, as you do, keep in mind that by
default the Dsquery command will display only 100 items. You can expand the
number of items displayed by adding the -limit ### parameter and specifying an
upper limit.
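The script below is an added example, not code from the article or from Microsoft’s tools. It ties together the two preceding sections: it takes the kind of output Dsquery prints (the sample here is constructed, assuming one double-quoted distinguished name per line, as dsquery does), splits each distinguished name into its LDAP attribute tags, checks it against the command-line rules given above, and derives the relative distinguished name and the canonical name from it. All function names are my own; the backslash-comma escape it tolerates is the standard LDAP DN convention rather than something the article covers.

```python
"""Added example: working with the distinguished names that Dsquery returns."""
import re
from typing import Dict, List, Tuple

# Constructed sample of what "Dsquery user" prints: one quoted DN per line.
SAMPLE_DSQUERY_OUTPUT = '''\
"CN=Greg Shultz,OU=Writers,DC=gcs,DC=com"
"CN=Administrator,CN=Users,DC=gcs,DC=com"
"CN=Jane Doe,OU=Editors,OU=Staff,DC=gcs,DC=com"
'''

# The three LDAP attribute tags from Table B.
KNOWN_TAGS = {"CN", "OU", "DC"}

# A comma that is not escaped with a backslash. The LDAP DN convention
# (not covered by the article) writes a literal comma in a name as "\,".
_SEPARATOR = re.compile(r"(?<!\\),")


def parse_dsquery_output(text: str) -> List[str]:
    """Return the DNs from dsquery output with the surrounding quotes removed."""
    dns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if len(line) >= 2 and line[0] == line[-1] == '"':
            line = line[1:-1]
        dns.append(line)
    return dns


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (TAG, value) pairs in the order written: leaf first."""
    components = []
    for part in _SEPARATOR.split(dn):
        tag, sep, value = part.partition("=")
        if not sep or not tag.strip() or not value.strip():
            raise ValueError(f"malformed DN component: {part!r}")
        components.append((tag.strip().upper(), value.strip().replace("\\,", ",")))
    return components


def check_dn_rules(dn: str) -> List[str]:
    """Report violations of rules 2 and 3 above (rule 1 is applied by quote_for_cmd)."""
    problems = []
    if re.search(r"(?<!\\),\s|\s,", dn):
        problems.append("space next to a comma separator (rule 2)")
    for part in _SEPARATOR.split(dn):
        raw_tag = part.partition("=")[0].strip()
        if raw_tag.upper() not in KNOWN_TAGS:
            problems.append(f"unknown attribute tag {raw_tag!r}")
        elif raw_tag != raw_tag.upper():
            problems.append(f"lowercase tag {raw_tag!r} (rule 3, style only)")
    return problems


def canonical_name(dn: str) -> str:
    """Derive the canonical name (domain/container/.../object) from a DN."""
    comps = split_dn(dn)
    domain = ".".join(value for tag, value in comps if tag == "DC")
    # Walk root to leaf; default containers such as CN=Users stay in the path (rule 4).
    path = [value for tag, value in reversed(comps) if tag != "DC"]
    return domain + "/" + "/".join(path)


def build_dn(name: str, containers: List[Tuple[str, str]], domain: str) -> str:
    """Build a DN from an object name, its containers (leaf first) and a DNS domain."""
    def esc(value: str) -> str:
        return value.replace(",", "\\,")
    parts = [f"CN={esc(name)}"]
    parts += [f"{tag.upper()}={esc(value)}" for tag, value in containers]
    parts += [f"DC={label}" for label in domain.split(".")]
    return ",".join(parts)


def quote_for_cmd(dn: str) -> str:
    """Always wrap the DN in double quotes for the command line (rule 1)."""
    return f'"{dn}"'


def describe(dn: str) -> Dict[str, str]:
    """Summarise the names the article distinguishes for one object."""
    raw_parts = _SEPARATOR.split(dn)
    return {
        "rdn": raw_parts[0],                  # relative distinguished name
        "parent": ",".join(raw_parts[1:]),    # DN of the parent container
        "canonical": canonical_name(dn),
        "cmd_arg": quote_for_cmd(dn),
    }


if __name__ == "__main__":
    for dn in parse_dsquery_output(SAMPLE_DSQUERY_OUTPUT):
        info = describe(dn)
        print(f"{info['cmd_arg']}\n  RDN: {info['rdn']}\n  parent: {info['parent']}"
              f"\n  canonical: {info['canonical']}")
        for problem in check_dn_rules(dn):
            print(f"  WARNING: {problem}")
```

Feeding real Dsquery output to parse_dsquery_output is the only change needed to run this against your own directory; everything else works from the distinguished name alone, which is the point of the article: the DN by itself tells you the object’s name, its parent container and its domain.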

A closer look

You should now have a pretty good handle on how Windows
Server 2003’s directory service command-line tools use the distinguished name.
In the next article, I’ll continue examining the tools with a more detailed
look at the Dsquery command.