Administering Active Directory can be a challenge for a network administrator. The GUI tools are easy to use, but they can be limited in power. Here's how you can do more with Active Directory by using some command-line tools.
In the last article in this series, "Using the Dsget command in Windows Server 2003," I explained how the Dsget command works and showed you several examples of how to use it to obtain information that would be a bit tricky to get out of GUI interface tools. In this article, I'll complete my examination of Windows Server 2003's directory service command-line tools with a look at the remaining commands: Dsadd, Dsmod, Dsmove, and Dsrm.
I've lumped these commands together because each performs a pretty straightforward operation. However, as I discuss them, I'll show you how to create some really cool command-line scripts by combining these commands with the Dsget and Dsquery commands.
As I mentioned, each of the four commands performs a fairly straightforward operation. However, Dsadd and Dsmod each have separate subcommands for working with different types of objects, while Dsmove and Dsrm work with any Active Directory object.
The Dsadd and Dsmod commands
The Dsadd command consists of six subcommands, shown in Table A, and lets you add objects to Active Directory.
|The Dsadd commands|
The Dsmod command, which allows you to modify objects already in Active Directory, consists of the subcommands shown in Table B.
|The Dsmod commands|
The Dsmove and Dsrm commands
Dsmove is a versatile command that serves two functions: It lets you move an object from one location to another in Active Directory and allows you to rename an object without moving it. Dsmove is capable of doing both because, when you rename an object in Active Directory, you're really moving the object from its current distinguished name to a new distinguished name, since the distinguished name actually consists of a common name and a location.
Dsrm is also a pretty powerful command in that it allows you to remove a single object, a complete subtree under an object, or both.
By this point in the series, you're probably familiar with the types of parameters and the syntax of the directory service commands, so I won't go into any more detail in those areas. Instead, let's jump right into some practical examples of how you can use these commands.
Creating multiple user accounts with Dsadd
If you're like most administrators, you're probably thinking that since creating new user accounts in the Active Directory Users and Computers console is so easy, why would anyone revert to the command prompt to do so? Well, like many of the other directory service commands I've discussed, the Dsadd command really shines when you need to perform large operations, such as creating multiple user accounts at one time.
For example, suppose your company is expanding its Customer Service department and just hired 10 new people who will start over the next two weeks. As a result, you need to create 10 new user accounts in the Customer Service organizational unit (OU). Fortunately, you can use the Dsadd command to create these accounts in a flash by way of the batch file shown in Figure A, which uses the simple text file shown in Figure B for input.
|The fifth line is the real workhorse of this batch file.|
|The text file used for input simply contains the first and last name of each user.|
As you look at the batch file, you'll notice that the command on the fifth line is extremely long. I've enabled Word Wrap in Notepad to display it all in the screen shot. This command line, which is built around a For..In..Do structure, is the real workhorse of the batch file; the rest of the commands are literally window dressing. Let's take a closer look.
At the beginning of this line, the first and last name of the user are read into the %%A and %%B variables. Then the Dsadd user command takes over and uses the information stored in the variables to create a basic user account in the Customer Service OU. This account consists of first name, last name, display name, and both user logon names: the standard one and the pre-Windows 2000 one. Each account is then assigned a default password and configured so that the user must change the password at the next logon. Each new account is then disabled as a security precaution.
The window dressing commands are designed to let you run the batch file simply by double-clicking it from within Windows Explorer. When you do, you'll see a nicely formatted results window like the one in Figure C.
|The window dressing commands in the batch file produce an easy-to-read results screen.|
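The batch file in Figure A exists only as a screen shot, so here is an added example of my own that does the same job; it is not the article's file. It assumes an OU named Customer Service in the Contoso.com domain (the domain the Dsrm examples later use), an input file named NewUsers.txt with one "First Last" pair per line, a UPN suffix of @contoso.com, and a placeholder temporary password; change all of these to suit your domain.

```batch
@echo off
rem Added example (not the article's batch file): create one user account
rem per line of NewUsers.txt, where each line is exactly "First Last".
rem Assumptions (placeholders): the OU, the UPN suffix, the input file name
rem and the temporary password.
setlocal
set "OU=OU=Customer Service,DC=Contoso,DC=com"
set "UPNSUFFIX=@contoso.com"
set "INPUT=NewUsers.txt"
set "TEMPPWD=Tmp-Placeholder-Pw1"

cls
echo Creating user accounts in %OU%
echo ------------------------------------------------------------

rem tokens=1,2 puts the first name in %%A and the last name in %%B.
rem Each account gets a display name, both logon names, the temporary
rem password, a forced password change at next logon, and is created
rem disabled so it cannot be used before the person actually starts.
rem Note: the pre-Windows 2000 name (-samid) is limited to 20 characters.
for /f "usebackq tokens=1,2" %%A in ("%INPUT%") do (
    dsadd user "CN=%%A %%B,%OU%" -fn %%A -ln %%B -display "%%A %%B" -upn %%A.%%B%UPNSUFFIX% -samid %%A.%%B -pwd %TEMPPWD% -mustchpwd yes -disabled yes
    if errorlevel 1 (echo FAILED:  %%A %%B) else (echo Created: %%A %%B)
)

echo ------------------------------------------------------------
echo Done. Press any key to close this window.
pause >nul
endlocal
```

The only line that does any real work is the for /f command, just as in the article's version; the rest is window dressing so the file can be double-clicked. The per-account errorlevel check is the one thing worth keeping even if you strip the rest, because dsadd keeps going after a failure (a duplicate name, for instance) and the status list is the only record of which accounts were actually created.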
Resetting passwords with Dsmod
Because users often forget their passwords, the process of resetting passwords is something you're probably familiar with. While resetting passwords in the Active Directory Users and Computers console is a pretty easy task, you can make the task even easier by creating a simple batch file that uses the Dsmod and Dsquery commands, as shown in Figure D.
|A batch file that uses Dsmod and Dsquery can simplify the task of resetting passwords.|
The main work in this batch file is done by the fifth and sixth lines; the rest are, again, window dressing. In this case, the set /p DN= command creates a prompt on the command line and assigns your response to an environment variable named DN. The Dsquery command uses the information stored in the DN environment variable to locate the distinguished name of the user account and then pipes it to the Dsmod command. Dsmod resets the password to P@ssw0rd and enables the User Must Change Password At Next Logon check box.
The window dressing commands let you run the batch file simply by double-clicking it from within Windows Explorer. When you do, you'll see a results window like the one in Figure E, which prompts you to enter the name of the user in quotes and then displays the result.
|The window dressing commands in the batch file produce an easy-to-read screen for both input and output.|
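Here is an added example of the Dsquery-to-Dsmod reset batch file, written for this article rather than taken from Figure D. It assumes the Customer Service OU in Contoso.com and a placeholder temporary password, and it adds one check the figure's version doesn't have: it shows you the distinguished name(s) that matched before anything is reset.

```batch
@echo off
rem Added example (not the article's batch file): reset a user's password to
rem a temporary value and force a change at next logon.
rem Assumptions (placeholders): the OU searched and the temporary password.
setlocal
set "OU=OU=Customer Service,DC=Contoso,DC=com"
set "TEMPPWD=Tmp-Placeholder-Pw1"
set "LIST=%TEMP%\dsreset_%RANDOM%.txt"

cls
set /p NAME=Enter the user's name as shown in Active Directory (for example, Jane Doe): 

rem Look the account up first and show every distinguished name that
rem matched, so a wildcard or a duplicate name cannot silently reset the
rem wrong account.
dsquery user "%OU%" -name "%NAME%" > "%LIST%"
for %%F in ("%LIST%") do if %%~zF EQU 0 (
    echo No user named "%NAME%" was found in %OU%.
    goto :done
)
echo Matched:
type "%LIST%"
set /p OK=Reset the password for the account(s) listed above? (Y/N): 
if /i not "%OK%"=="Y" (
    echo Nothing changed.
    goto :done
)

rem dsmod reads the distinguished names from standard input, exactly as it
rem does at the end of a dsquery pipe.
dsmod user -pwd %TEMPPWD% -mustchpwd yes < "%LIST%"
if errorlevel 1 (echo Reset failed.) else (echo Password reset. The user must change it at next logon.)

:done
if exist "%LIST%" del "%LIST%"
pause
endlocal
```

Saving the dsquery output to a file instead of piping it straight into dsmod costs one extra line and gives you the confirmation step; dsmod behaves the same whether the DNs arrive through a pipe or through the < redirection.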
Moving users between OUs with the Dsmove command
If your company is in a continuous state of flux, then the term reorganization is one that you're very familiar with. When the company undergoes such a transition, chances are that some people are moving from one department to another. As a result, you need to move user accounts from one OU to another in order to ensure that users get the correct access rights.
For example, suppose 10 people from the Customer Service department are being moved to different positions. Five are going to the secretarial department, and five are going to become executive assistants. To move these user accounts from the Customer Service OU to the appropriate OUs in one fell swoop, you can create a batch file that employs the Dsmove and Dsquery commands, as shown in Figure F. This batch file uses a simple text file, like the one shown in Figure G, for input.
|This batch file employs three For..In..Do structures on one line in order to perform its task.|
|You'll use a simple comma-delimited text file to provide input to the batch file.|
In the batch file, you'll notice that the command on the fifth line is extremely long. I've enabled Word Wrap in Notepad in order to display it all in the screen shot. This command line actually consists of three For..In..Do structures. Two of them, nested inside the Do portion of the other, run Dsquery commands, and they're chained together with the Dsmove command. The shell of this command line would look like this:
For..In..Do(For..In (Dsquery) Do.. & For..In (Dsquery) Do.. & Dsmove) &..
Without getting drowned in the details, the first For..In..Do reads the user name and the destination OU from the text file and stores this information in the %%A and %%B variables. The second For..In..Do runs a Dsquery user command to get the user's full distinguished name, and stores it in the %%C variable. The third For..In..Do runs a Dsquery OU command to get the destination OU's distinguished name, and stores it in the %%D variable. Finally, the Dsmove command moves the user account into the destination OU.
The batch file is designed to run from within Windows Explorer. When you run it, you'll see a results window like the one in Figure H.
|As it's running, this batch file provides you with information about each step it performs.|
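The following is an added example of the three-loop Dsmove batch file; it is my own reconstruction of what Figure F describes, not the file in the screen shot. It assumes the Contoso.com domain, a source OU named Customer Service, and an input file named Moves.txt whose lines read "User Name,Destination OU name" (for example, Jane Doe,Secretarial). The loops are written nested across several lines here instead of chained on one line with &, which does the same thing and is easier to read.

```batch
@echo off
rem Added example (not the article's batch file): move each user listed in
rem Moves.txt into the destination OU named on the same line.
rem Assumptions (placeholders): the domain, the source OU and the file name.
setlocal
set "DOMAIN=DC=Contoso,DC=com"
set "SRCOU=OU=Customer Service,%DOMAIN%"
set "INPUT=Moves.txt"

cls
echo Moving users listed in %INPUT%
echo ------------------------------------------------------------

rem Loop 1: %%A = user name, %%B = destination OU name (comma-delimited).
rem Loop 2: %%C = the user's distinguished name, found by dsquery user.
rem Loop 3: %%D = the destination OU's distinguished name, found by dsquery ou.
rem dsquery prints each DN already wrapped in quotes, so %%C and %%D can be
rem handed to dsmove as they are.
for /f "usebackq tokens=1,2 delims=," %%A in ("%INPUT%") do (
    echo Processing %%A to OU %%B
    for /f "usebackq delims=" %%C in (`dsquery user "%SRCOU%" -name "%%A" -limit 1`) do (
        for /f "usebackq delims=" %%D in (`dsquery ou "%DOMAIN%" -name "%%B" -limit 1`) do (
            echo   Moving %%C
            echo   to     %%D
            dsmove %%C -newparent %%D
            if errorlevel 1 echo   FAILED to move %%A
        )
    )
)

echo ------------------------------------------------------------
pause
endlocal
```

If either dsquery finds nothing, the inner loops simply don't run, so a "Processing" line with no "Moving" lines under it tells you that the user or the destination OU name in that line of the input file didn't match anything.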
Deleting objects with the Dsrm command
Using the Dsrm command to delete an object or the complete subtree under an object is easy. While in most cases it's probably simpler to delete single objects from within the Active Directory Users and Computers console, you can speed up the deletion of multiple objects with the Dsrm command.
For example, if you wanted to delete the entire Customer Service OU and all the objects that it contains, you could use the command:
Dsrm "OU=Customer Service,DC=Contoso,DC=com" -subtree
On the other hand, if you wanted to delete all the objects but leave the Customer Service OU intact, you'd use the command:
Dsrm "OU=Customer Service,DC=Contoso,DC=com" -subtree -exclude
When you use the Dsrm command, it will display a prompt and ask you to confirm the operation.
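Because a subtree delete is not reversible from the command line, the one thing I'd add to the commands above is a preview. This added example (not from the article) lists everything under the Customer Service OU with Dsquery before running Dsrm, so that the confirmation prompt Dsrm displays is an informed one. It assumes the same OU and domain as the commands above.

```batch
@echo off
rem Added example (not from the article): show what a subtree delete would
rem remove before running dsrm. Assumes the Customer Service OU in Contoso.com.
setlocal
set "TARGET=OU=Customer Service,DC=Contoso,DC=com"

cls
echo Objects that "dsrm -subtree" would remove from "%TARGET%":
echo ------------------------------------------------------------
rem -scope subtree includes the OU itself and everything beneath it;
rem -limit 0 lifts dsquery's default cap of 100 results so nothing is hidden.
dsquery * "%TARGET%" -scope subtree -limit 0
echo ------------------------------------------------------------
echo.

rem dsrm asks for confirmation itself; answer N here to keep everything.
dsrm "%TARGET%" -subtree

pause
endlocal
```

Swap the dsrm line for the -subtree -exclude form if you want to empty the OU but keep it, and the preview still shows exactly what will go.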
Your wish: Microsoft's command (line)
At this point, you should have a pretty good idea of how Windows Server 2003's directory service command-line tools work and understand how to use them to your advantage. You can learn more about these tools in the Windows Server 2003 Help and Support Center. When you need quick access to this information, you can open the Command Line Reference section of the Help and Support Center directly. Just open a command prompt and type:
As you continue your exploration of the command-line tools, keep in mind that if you come up with any cool timesaving techniques, take a moment to drop by the Discussion area and let us know what you've discovered.