Windows CLI Tricks Part 1

Introduction

Windows Server comes with a suite of command line utilities that can be used to manipulate objects in Active Directory. Although in most cases it is easier to use the Active Directory Users and Computers GUI, there are a couple of commands that could either save you some time or just make you look impressive.

Adding Objects

The dsadd command can be used to add any type of Active Directory object from the command line. The following would add a user:

c:\> dsadd user -fn Moe -ln Bopjian -upn mbopjian@hemingway.com -pwd * ^
cn=mbopjian,ou=employees,dc=hemingway,dc=com

-fn and -ln set the first name and last name, respectively. -upn assigns the Windows 2000+ username (the user principal name), and -pwd with an asterisk prompts for the password, which keeps it off the command line. The final argument is the distinguished name of the new object.

dsadd can also be used to create groups. With no other options, a global security group will be created:

c:\> dsadd group cn=Employees,ou=employees,dc=hemingway,dc=com

Searching for Objects

The dsquery and dsget commands can be used for retrieving information in Active Directory. dsquery searches for objects based on specified criteria. Here's an example that finds all user objects with the string ian contained in the name:

c:\> dsquery user -name *ian* dc=hemingway,dc=com

"CN=mbopjian,OU=Employees,DC=hemingway,DC=com"

Unlike the results that the Active Directory Users and Computers GUI will give you, dsquery will show what OU (or OUs) the object belongs to.

dsget displays property information about an object -- similar to the properties window, but in text.

c:\> dsget user "CN=mbopjian,OU=Employees,DC=hemingway,DC=com"
dn                                             desc                   samid

CN=mbopjian,OU=Employees,DC=hemingway,DC=com    Joe's Alternate Ego    mbopjian

dsget succeeded

It can also be used to get individual property entries:

c:\> dsget user "CN=mbopjian,OU=Employees,DC=hemingway,DC=com" -tel

  tel
  0118 999 881 999 119 7253

dsget succeeded

Piping Output

Similar to piping output in Unix and Linux, the ds* commands can also work this way. In the last example, dsget was used with a distinguished name to retrieve information about that object. However, instead of specifying the distinguished name, dsquery can be used to search for the object first:

c:\> dsquery user -name *ian* dc=hemingway,dc=com | dsget user

dn                                             desc                   samid

CN=mbopjian,OU=Employees,DC=hemingway,DC=com    Joe's Alternate Ego    mbopjian

This technique can also be used with the dsmod command to add users to a group:

c:\> dsquery user -name *ian* dc=hemingway,dc=com | ^
dsmod group cn=Employees,ou=employees,dc=hemingway,dc=com -addmbr

Another example of dsmod is to disable a list of accounts:

c:\> dsquery user -name *ian* dc=hemingway,dc=com | dsmod user -disabled yes
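
Because a wildcard such as *ian* can match more accounts than intended, the batch file below (an added example, not part of the original article) saves the dsquery result, shows it, and asks for confirmation before piping it to dsmod. The filter and base DN are the article's sample values; the temporary file name and the YES prompt are assumptions.

```bat
@echo off
rem Added example: preview a dsquery result before piping it to dsmod.
rem FILTER and BASE are the article's sample values; LIST is an assumed file name.
setlocal
set "FILTER=*ian*"
set "BASE=dc=hemingway,dc=com"
set "LIST=%TEMP%\dsquery-matches.txt"
set "ANSWER="

rem dsquery stops at 100 results by default; -limit 0 returns every match,
rem so the preview is the complete set that dsmod would change.
dsquery user -name %FILTER% %BASE% -limit 0 > "%LIST%"
if errorlevel 1 (
    echo dsquery failed; nothing was changed.
    exit /b 1
)

rem Count the matches; dsquery prints one quoted DN per line.
set "COUNT=0"
for /f %%C in ('type "%LIST%" ^| find /c /v ""') do set "COUNT=%%C"
if "%COUNT%"=="0" (
    echo No users matched %FILTER% under %BASE%.
    exit /b 0
)

echo %COUNT% account(s) would be disabled:
type "%LIST%"
echo.

rem Require an explicit YES; anything else leaves the directory untouched.
set /p "ANSWER=Type YES to disable these accounts: "
if /i not "%ANSWER%"=="YES" (
    echo Aborted; nothing was changed.
    exit /b 0
)

rem Feed exactly the reviewed list to dsmod, not a second query.
type "%LIST%" | dsmod user -disabled yes

rem Read the accounts back to confirm the new state.
type "%LIST%" | dsget user -samid -disabled
endlocal
```

The saved list also serves as a record of which accounts were changed, which helps if the operation has to be reversed with -disabled no.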

Conclusion

These examples, although useful, are only the basics of what can be accomplished with the ds* utilities. Any type of Active Directory object -- as well as its properties -- can be added, queried, and modified. Similarly, but not covered in this article, objects can be moved and deleted with the dsmove and dsrm commands.

As mentioned in the beginning, using the Active Directory Users and Computers GUI will accomplish most of these tasks faster than on the command line. However, there might be a time when you have a complex query result that you need to act on and the CLI's flexibility will prove to be quicker and more efficient.
