In the last article in this series, “Using the Dsget
command in Windows Server 2003,”
I explained how the Dsget command
works and showed you several examples of how to use it to obtain information
that would be a bit tricky to get out of GUI interface tools. In this article,
I’ll complete my examination of Windows Server 2003’s directory service
command-line tools with a look at the remaining commands: Dsadd, Dsmod, Dsmove,
and Dsrm.

I’ve lumped these commands together because each performs a
pretty straightforward operation. However, as I discuss them, I’ll show you how
to create some really cool command-line scripts by combining these commands
with the Dsget and Dsquery commands.

The commands

As I mentioned, each of the four commands performs a fairly straightforward
operation. However, Dsadd and Dsmod each have separate subcommands for working
with different types of objects, and Dsmove and Dsrm can work with any Active
Directory object.

The Dsadd and Dsmod commands

The Dsadd command consists of six subcommands, shown in Table A, and lets you add objects to Active
Directory.

Table A

Command          Description
Dsadd computer   Adds a single computer to the directory
Dsadd contact    Adds a single contact to the directory
Dsadd group      Adds a single group to the directory
Dsadd ou         Adds a single organizational unit to the directory
Dsadd user       Adds a single user to the directory
Dsadd quota      Adds a quota specification to a directory partition

The Dsadd commands

The Dsmod command, which allows you to modify objects already
in Active Directory, consists of the subcommands shown in Table B.

Table B

Command          Description
Dsmod computer   Modifies attributes of one or more existing computers in the directory
Dsmod contact    Modifies attributes of one or more existing contacts in the directory
Dsmod group      Modifies attributes of one or more existing groups in the directory
Dsmod ou         Modifies attributes of one or more existing organizational units in the directory
Dsmod server     Modifies properties of a domain controller
Dsmod user       Modifies attributes of one or more existing users in the directory

The Dsmod commands

The Dsmove and Dsrm commands

Dsmove is a versatile command that serves two functions: It lets
you move an object from one location to another in Active Directory and allows
you to rename an object without moving it. Dsmove is capable of doing both because,
when you rename an object in Active Directory, you’re really moving the object
from its current distinguished name to a new distinguished name, since the
distinguished name actually consists of a common name and a location.

Dsrm is also a pretty powerful command in that it allows you
to remove a single object, a complete subtree under an object, or both.

Some examples

By this point in the series, you’re probably familiar with
the types of parameters and the syntax of the directory service commands, so I
won’t go into any more detail in those areas. Instead, let’s jump right into
some practical examples of how you can use these commands.

Creating multiple user accounts with Dsadd

If you’re like most administrators, you’re probably thinking
that since creating new user accounts in the Active Directory Users and
Computers console is so easy, why would anyone revert to the command prompt to
do so? Well, like many of the other directory service commands I’ve discussed,
the Dsadd command really shines when you need to perform large operations, such
as creating multiple user accounts at one time.

For example, suppose your company is expanding its Customer
Service department and just hired 10 new people who will start over the next
two weeks. As a result, you need to create 10 new user accounts in the Customer
Service organizational unit (OU). Fortunately, you can use the Dsadd command to
create these accounts in a flash by way of the batch file shown in Figure A, which uses the simple text
file shown in Figure B for input.

Figure A

The fifth line is the real workhorse of this batch file.

Figure B

The text file used for input simply contains the first and last name of
each user.

As you look at the batch file, you’ll notice that the
command on the fifth line is extremely long. I’ve enabled Word Wrap in Notepad to display it all in the screen shot. This command line, which is
built around a For..In..Do structure, is the real workhorse of the batch file;
the rest of the commands are literally window dressing. Let’s take a closer
look.

At the beginning of this line, the first and last name of
the user is read into the %%A and %%B variables. Then the Dsadd user command
takes over and uses the information stored in the variables to create a basic
user account in the Customer Service OU. This account consists of first name,
last name, display name, and both user logon names, standard and pre-Windows
2000. Each account is then assigned a default password and configured such that
the user must change the password at the next logon. Each new account is then
disabled as a security precaution.

The window dressing commands are designed to let you run the
batch file simply by double-clicking it from within Windows Explorer. When you
do, you’ll see a nicely formatted results window like the one in Figure C.

Figure C

The window dressing commands in the batch file produce an easy-to-read
results screen.
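
The following batch file is an added example of the approach described in this section; it is not the batch file from Figure A. The input file name users.txt, the first.last logon-name format and the contoso.com UPN suffix are assumptions made for illustration, and the password is the default value this article uses in its Dsmod example.

```batch
@echo off
rem Added example, not the article's Figure A.
rem Assumptions: users.txt holds one "First Last" pair per line, and logon
rem names take the form first.last with a contoso.com UPN suffix.
setlocal
set "OU=OU=Customer Service,DC=Contoso,DC=com"
set "INPUT=users.txt"
set "INITPWD=P@ssw0rd"

if not exist "%INPUT%" (
    echo Input file "%INPUT%" not found.
    goto :done
)

rem %%A = first name, %%B = last name (split on spaces by default).
rem -samid is the pre-Windows 2000 logon name, -upn the standard one.
rem Every account must change its password at first logon and is created
rem disabled, so the shared default password cannot be used until an
rem administrator enables the account.
for /f "usebackq tokens=1,2" %%A in ("%INPUT%") do (
    echo Creating %%A %%B ...
    dsadd user "CN=%%A %%B,%OU%" -fn "%%A" -ln "%%B" -display "%%A %%B" ^
        -samid "%%A.%%B" -upn "%%A.%%B@contoso.com" ^
        -pwd "%INITPWD%" -mustchpwd yes -disabled yes
    if errorlevel 1 echo   FAILED to create %%A %%B
)

:done
endlocal
pause
```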

Resetting passwords with Dsmod

Because users often forget their passwords, the process of
resetting passwords is something you’re probably familiar with. While resetting
passwords in the Active Directory Users and Computers console is a pretty easy task,
you can make the task even easier by creating a simple batch file that uses the
Dsmod and Dsquery commands, as shown in Figure D.

Figure D

A batch file that uses Dsmod and Dsquery can simplify the task of
resetting passwords.

The main work in this batch file is done by the fifth and
sixth lines; the rest are, again, window dressing. In this case, the set /p DN=
command creates a prompt on the command line and assigns your response to an
environment variable named DN. The Dsquery command uses the information stored
in the DN environment variable to locate the distinguished name of the user
account and then pipes it to the Dsmod command. Dsmod resets the password to
P@ssw0rd and enables the User Must Change Password At Next Logon check box.

The window dressing commands let you run the batch file simply
by double-clicking it from within Windows Explorer. When you do, you’ll see a results
window like the one in Figure E,
which prompts you to enter the name of the user in quotes and then displays the
result.

Figure E

The window dressing commands in the batch file produce an easy-to-read
screen for both input and output.
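
The following batch file is an added example of the Dsquery-to-Dsmod pipe described above; it is not the batch file from Figure D. It adds one check the description does not mention: because Dsquery's -name filter accepts wildcards, the script counts the matches first and changes nothing unless exactly one account is found. The variable names NAME and COUNT are assumptions.

```batch
@echo off
rem Added example, not the article's Figure D.
setlocal
set "NAME="
set /p "NAME=Enter the user's name in quotes: "
if not defined NAME (
    echo No name entered.
    goto :done
)

rem Count the distinguished names Dsquery returns for this name.
rem A wildcard such as "J*" can match many accounts, and piping that
rem result to Dsmod would reset every one of them.
set COUNT=0
for /f "delims=" %%U in ('dsquery user -name %NAME%') do set /a COUNT+=1

if not "%COUNT%"=="1" (
    echo Expected exactly 1 match, found %COUNT%. No password was changed.
    goto :done
)

rem Exactly one match: reset the password and force a change at next logon.
dsquery user -name %NAME% | dsmod user -pwd P@ssw0rd -mustchpwd yes

:done
endlocal
pause
```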

Moving users between OUs with the Dsmove command

If your company is in a continuous state of flux, then the
term reorganization is one that you’re
very familiar with. When the company undergoes such a transition, chances are
that some people are moving from one department to another. As a result, you
need to move user accounts from one OU to another in order to ensure that users
get the correct access rights.

For example, suppose 10 people from the Customer Service
department are being moved to different positions. Five are going to the secretarial
department, and five are going to become executive assistants. To move these
user accounts from the Customer Service OU to the appropriate OUs in one fell
swoop, you can create a batch file that employs the Dsmove and Dsquery
commands, as shown in Figure F. This
batch file uses a simple text file, like the one shown in Figure G, for input.

Figure F

This batch file employs three For..In..Do structures on one line in order
to perform its task.

Figure G

You’ll use a simple comma-delimited text file to provide input to the batch
file.

In the batch file, you’ll notice that the command on the
fifth line is extremely long. I’ve enabled Word Wrap in Notepad in order to
display it all in the screen shot. This command line actually consists of three
For..In..Do structures. Two of them, nested inside the Do portion of the other,
run Dsquery commands, and they’re chained together with the Dsmove command. The
shell of this command line would look like this:

For..In..Do(For..In (Dsquery) Do.. & For..In (Dsquery) Do.. & Dsmove) &.. 

Without getting drowned in the details, the first For..In..Do
reads the user name and the destination OU from the text file and stores this
information in the %%A and %%B variables. The second For..In..Do runs a Dsquery
user command to get the user’s full distinguished name, and stores it in the
%%C variable. The third For..In..Do runs a Dsquery OU command to get the
destination OU’s distinguished name, and stores it in the %%D variable.
Finally, the Dsmove command moves the user account into the destination OU.

The batch file is designed to run from within Windows
Explorer. When you run it, you’ll see a results window like the one in Figure H.

Figure H

As it’s running, this batch file provides you with information about each
step it performs.
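
The following batch file is an added example of the three-loop technique described in this section; it is not the batch file from Figure F. It nests the loops fully instead of chaining them with & on a single line, so Dsmove runs only when both Dsquery lookups return a result. The input file name moves.txt and its exact layout are assumptions.

```batch
@echo off
rem Added example, not the article's Figure F.
rem Assumption: moves.txt holds one "User Name,Destination OU" pair per line,
rem with no space after the comma, e.g.:  John Smith,Secretarial
setlocal
set "INPUT=moves.txt"

if not exist "%INPUT%" (
    echo Input file "%INPUT%" not found.
    goto :done
)

rem %%A = user name, %%B = destination OU name (read from the text file)
rem %%C = user's distinguished name, %%D = OU's distinguished name
rem Dsquery prints each DN already wrapped in quotes, so %%C and %%D are
rem passed to Dsmove as-is; %%~C strips the quotes for display only.
for /f "usebackq tokens=1,2 delims=," %%A in ("%INPUT%") do (
    for /f "delims=" %%C in ('dsquery user -name "%%A"') do (
        for /f "delims=" %%D in ('dsquery ou -name "%%B"') do (
            echo Moving %%~C to %%~D
            dsmove %%C -newparent %%D
            if errorlevel 1 echo   FAILED to move %%~C
        )
    )
)

:done
endlocal
pause
```

A name that matches nothing is skipped without a message, and a name that matches several accounts or OUs produces one move per combination, so keep the names in the input file exact.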

Deleting objects with the Dsrm command

Using the Dsrm command to delete an object or the complete
subtree under an object is easy. While in most cases it’s probably simpler to
delete single objects from within the Active Directory Users and Computers
console, you can speed up the deletion of multiple objects with the Dsrm
command.

For example, if you wanted to delete the entire Customer
Service OU and all the objects that it contains, you could use the command:

Dsrm "OU=Customer Service,DC=Contoso,DC=com" -subtree

On the other hand, if you wanted to delete all the objects
but leave the Customer Service OU intact, you’d use the command:

Dsrm "OU=Customer Service,DC=Contoso,DC=com" -subtree -exclude

When you use the Dsrm command, it will display a prompt and
ask you to confirm the operation.

Your wish, Microsoft’s command (line)

At this point, you should have a pretty good idea of how Windows
Server 2003’s directory service command-line tools work and understand how to use
them to your advantage. You can learn more about these tools in the Windows
Server 2003 Help and Support Center. When you need quick access to this
information, you can access the Command Line Reference section of the Help and
Support Center. Just open a command prompt and type:

HH ntcmds.chm 

As you continue your exploration of the command-line tools,
keep in mind that if you come up with any cool timesaving techniques, take a
moment to drop by the Discussion
area and let us know what you’ve discovered.