01. Dsmod computer
Modifies attributes of one or more existing computers in the directory. Dsmod is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use dsmod, you must run the dsmod command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
dsmod computer <ComputerDN> ... [-desc <Description>] [-loc <Location>] [-disabled {yes | no}] [-reset] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
Examples
To disable multiple computer accounts, type:
dsmod computer CN=MemberServer1,CN=Computers,DC=Microsoft,DC=Com CN=MemberServer2,CN=Computers,DC=Microsoft,DC=Com -disabled yes
To reset multiple computer accounts, type:
dsmod computer CN=MemberServer1,CN=Computers,DC=Microsoft,DC=Com CN=MemberServer2,CN=Computers,DC=Microsoft,DC=Com -reset
02. CSVDE Export - User Accounts
Examples:
CSVDE -f adusers.csv
Our aim on this page is to export objects out of Active Directory and into a .csv file. Fortunately, the default action with CSVDE is to export, so all you need is one switch and the filename. For example, CSVDE -f filename.csv. My point is with export, keep it simple, there is no -e switch. It's only later when we explore CSVDE import that we require an extra switch (-i).
03. LDIFDE - Export
Introduction to LDIFDE Export
The purpose of this page is to show you how to export user accounts from Active Directory. The killer advantage of LDIFDE over CSVDE is that you can modify existing objects with LDIFDE (but not with CSVDE). The disadvantage of LDIFDE is that it will not sit nicely in my spreadsheet, whereas CSVDE data is made for a table. In terms of learning the tricky LDIFDE switches, it is much easier to begin with the export commands before moving on to import.
LDIFDE Export Examples
1. Getting started
The situation is, you want to extract user accounts from Active Directory. Perhaps you are doing this with a view to making changes, then importing them back into Active Directory. Alternatively, you may just want to practice the export to gain experience, because LDIFDE -f filename is harmless compared with the import command. Note that export is the default so you do not need a -i switch; all you need is the -f switch and a filename.
ldifde -f export.ldf -s BigServer (Where BigServer is your domain controller and export.ldf is the filename)
In theory you can export user accounts by just giving the filename, but I find you need the -s switch to connect to the server. (-s BigServer)
2. Adding filters with -r
Use the -r switch to filter your data, for example: the command to export only computer objects on a server called BigServer is:
ldifde -f ExportComputer.ldf -s BigServer -r "(objectclass=computer)"
Exporting only the LDIFDE fields you want with -l (lower case L)
ldifde -f ExportUser.ldf -s BigServer -r "(objectclass=user)" -l "dn, cn, givenName, sn, department"
You can see that ldifde uses LDAP attributes, so it is worth learning the basics of the names and what they are used for. See more in my ebook.
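The page notes that LDIFDE output does not sit nicely in a spreadsheet; flattening the export fixes that. The following Python is an added example, not part of the original page or of ldifde: it parses an export limited with -l "dn, cn, givenName, sn, department" into CSV rows, handling folded lines and base64 (::) values. The sample entries and the function names parse_ldif and to_csv are constructed for illustration.

```python
import base64
import csv
import io

# Constructed sample shaped like an ldifde user export (values made up,
# changetype lines omitted). The first dn is folded; "::" marks base64.
SAMPLE_LDIF = """\
dn: CN=Linda Example,OU=Sales,DC=exam
 ple,DC=com
cn: Linda Example
givenName: Linda
sn: Example
department: Sales

dn: CN=jtest,OU=IT,DC=example,DC=com
cn: jtest
givenName:: SsO8cmdlbg==
sn: Test
department: -unassigned-
"""

def parse_ldif(text):
    """Parse LDIF text into one dict per entry: attribute name -> list of values."""
    # Unfold: a line that starts with one space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    records = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):        # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(name, []).append(value)
        if entry:
            records.append(entry)
    return records

def to_csv(records, columns):
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(columns)
    for rec in records:
        cells = [";".join(rec.get(col, [])) for col in columns]  # join multi-values
        # Quote-prefix cells a spreadsheet would otherwise evaluate as formulas.
        writer.writerow(["'" + c if c[:1] in tuple("=+-@") else c for c in cells])
    return out.getvalue()
```

Calling to_csv(parse_ldif(SAMPLE_LDIF), ["dn", "cn", "givenName", "sn", "department"]) returns the header row plus one row per entry; directory text that starts with =, +, - or @ is prefixed with an apostrophe so the spreadsheet treats it as text.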
Summary of LDIFDE Export
It is best to begin your research into LDIFDE with the Export commands. Not only are the export switches easier, but also there is no chance of damaging your Active Directory accounts.
Source: http://www.computerperformance.co.uk/Logon/Logon_LDIFDE_Export.htm
04. dsadd computer
How to Manage Users
Creating a New User Account
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsadd user userdn -samid sam_name
  The following values are used in this command:
- userdn specifies the distinguished name (also known as the DN) of the user object that you want to add.
- sam_name specifies the security account manager (SAM) name used as the unique SAM account name for this user (for example, Linda).
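- To specify the user account password, type the following command, where password is the password that is to be used for the user account: dsadd user userdn -pwd password
  If you type * in place of password, dsadd prompts for the password, which keeps it off the command line.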
Resetting a User Password
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsmod user user_dn -pwd new_password
  This command uses the following values:
- user_dn specifies the distinguished name of the user for which the password will be reset.
- new_password specifies the password that will replace the current user password.
- If you want to require the user to change this password at the next logon process, type the following command: dsmod user user_dn -mustchpwd {yes|no}
You are required to change your password at first logon
After the user has changed the password, the logon process continues. You must reset the services that are authenticated with a user account if the password for the service's user account is changed.
NOTE: To view the complete syntax for this command, and to obtain more information about entering more user account information, at a command prompt, type dsmod user /?.
Disabling or Enabling a User Account
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsmod user user_dn -disabled {yes|no}
  This command uses the following values:
- user_dn specifies the distinguished name of the user object to be disabled or enabled.
- {yes|no} specifies whether the user account is disabled for log on (yes) or not (no).
Deleting a User Account
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command, where user_dn specifies the distinguished name of the user object to be deleted: dsrm user_dn
NOTE: To view the complete syntax for this command, and to obtain more information about entering more user account information, at a command prompt, type dsrm /?.
How to Manage Groups
Creating a New Group
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsadd group group_dn -samid sam_name -secgrp yes | no -scope l | g | u
  This command uses the following values:
- group_dn specifies the distinguished name of the group object that you want to add.
- sam_name specifies the SAM name that is the unique SAM account name for this group (for example, operators).
- yes | no specifies whether the group you want to add is a security group (yes) or a distribution group (no).
- l | g | u specifies the scope of the group you want to add (domain local [l], global [g], or universal [u]).
To view the complete syntax for this command, and to obtain more information about entering more group information, at a command prompt, type dsadd group /?.
Adding a Member to a Group
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsmod group group_dn -addmbr member_dn
  This command uses the following values:
- group_dn specifies the distinguished name of the group object to which you want to add the member.
- member_dn specifies the distinguished name of the object that you want to add to the group.
To view the complete syntax for this command, and to obtain more information about entering more user account and group information, at a command prompt, type dsmod group /?.
Converting a Group to Another Group Type
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsmod group group_dn -secgrp {yes|no}
  This command uses the following values:
- group_dn specifies the distinguished name of the group object for which you want to change the group type.
- {yes|no} specifies that the group type is set to security group (yes) or distribution group (no).
To view the complete syntax for this command, at a command prompt, type dsmod group /?.
Changing Group Scope
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsmod group group_dn -scope l|g|u
  This command uses the following values:
- group_dn specifies the distinguished name of the group object whose scope will be changed.
- l|g|u specifies the scope that the group is to be set to (local, global or universal). If the domain is still set to Windows 2000 mixed, the universal scope is not supported. Also, it is not possible to convert a domain local group to global group or vice versa.
Deleting a Group
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsrm group_dn
  This command uses the following value:
- group_dn specifies the distinguished name of the group object to be deleted.
By default, local groups that are provided automatically in domain controllers that are running Windows Server 2003, such as Administrators and Account Operators, are located in the Builtin folder. By default, common global groups, such as Domain Admins and Domain Users, are located in the Users folder. You can add or move new groups to any folder. Microsoft recommends that you keep groups in an organizational unit folder.
To view the complete syntax for this command, at a command prompt, type dsrm /?.
Finding Groups in Which a User Is a Member
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsget user user_dn -memberof
  This command uses the following value:
- user_dn specifies the distinguished name of the user object for which you want to display group membership.
How to Manage Computers
Creating a New Computer Account
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsadd computer computer_dn
  This command uses the following value:
- computer_dn specifies the distinguished name of the computer you want to add. The distinguished name indicates the folder location.
To modify the properties of a computer account, use the dsmod computer command.
Adding a Computer Account to a Group
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsmod group group_dn -addmbr computer_dn
  This command uses the following values:
- group_dn specifies the distinguished name of the group object to which you want to add the computer object.
- computer_dn specifies the distinguished name of the computer object to be added to the group. The distinguished name indicates the folder location.
To view the complete syntax for this command, at a command prompt, type dsmod group /?.
Resetting a Computer Account
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsmod computer computer_dn -reset
  This command uses the following value:
- computer_dn specifies the distinguished names of one or more computer objects that you want to reset.
To view the complete syntax for this command, at a command prompt, type dsmod computer /?.
Disabling or Enabling a Computer Account
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsmod computer computer_dn -disabled {yes|no}
  This command uses the following values:
- computer_dn specifies the distinguished name of the computer object that you want to disable or enable.
- {yes|no} specifies whether the computer is disabled for log on (yes) or not (no).
To view the complete syntax for this command, at a command prompt, type dsmod computer /?.
How to Manage Organizational Units
Creating a New Organizational Unit
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsadd ou organizational_unit_dn
  This command uses the following value:
- organizational_unit_dn specifies the distinguished name of the organizational unit to be added.
NOTE: To modify the properties of an organizational unit, use the dsmod ou command.
Deleting an Organizational Unit
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsrm organizational_unit_dn
  This command uses the following value:
- organizational_unit_dn specifies the distinguished name of the organizational unit to be deleted.
NOTE: If you delete an organizational unit, all of the objects that it contains are deleted.
How to Search Active Directory
Finding a User Account
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsquery user parameter
  This command uses the following value:
- parameter specifies the parameter to use. For the list of parameters, see the online help for the dsquery user command.
Finding a Contact
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsquery contact parameter
  This command uses the following values:
- parameter specifies the parameter to use. For the list of parameters, see the online help for the dsquery user command.
Finding a Group
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsquery group parameter
  This command uses the following values:
- parameter specifies the parameter to use. For the list of parameters, see the online help for the dsquery user command.
Finding a Computer Account
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsquery computer -name name
  This command uses the following value:
- name specifies the computer name that the command searches for. This command searches for computers whose name attribute (the value of the CN attribute) matches name.
Finding an Organizational Unit
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsquery ou parameter
  This command uses the following value:
- parameter specifies the parameter to use. For the list of parameters, see the online help for dsquery ou.
Finding a Domain Controller
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsquery server parameter
  This command uses the following values:
- parameter specifies the parameter to use. There are several attributes of a server that you can search by using this command. For the list of parameters, see online help for dsquery server.
Performing a Custom Search
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command: dsquery * parameter