28/02/2016

TopCommandLineToolsforManagingActiveDirectoryRedmondmag.com

ACTIVEDIRECTORYHOWTO

TopCommandLineToolsforManagingActiveDirectory
Let'slookatcommandlinetoolsthatwillhelpyoumanageActiveDirectorymoreeffectively.
ByTroyThompson

04/15/2015

MostofthedaytodayoperationsofmanaginganActiveDirectoryenvironmentcanbedone
fromtheGraphicalUserInterface(GUI),butthecommandsavailablefromacommand
promptcanbeverypowerfulandcansaveyoutime.Inordertorunthecommandsbelow,
youwillwanttoopenanelevatedcommandprompt.Tostartacommandpromptwith
elevatedprivilege,clickStart,rightclickCommandPrompt,andthenclickRunas
administrator.Belowarealistofcommandsandadescriptionofwhattheydo.
Adprep.exeisacommandlinetoolthatisavailableontheWindowsServer2008R2
installationdiskinthe\support\adprepfolder.AdprepPreparesaWindowsforestordomain
forinstallationofWindowsDomainControllers.Toprepareaforestoradomain,use:
adprep/forestprep
adprep/domainprep
Youmustbeamemberofallthefollowinggroupstorunthiscommand:
TheEnterpriseAdminsgroup
TheSchemaAdminsgroup
TheDomainAdminsgroupofthedomainthathoststheschemamaster
Dsadd.exeaddscomputers,contacts,groups,organizationalunitsanduserstoActive
Directory.Thiscommandisveryhelpfulwhenusedinabatchfiletocreatedmultipleusersor
computersatonce.Thesyntaxforusingthiscommandcanbeabittricky.Youhavetobe
carefultousethecorrectcommandlinearguments.Itishighlyrecommendedthatyoutest
thesyntaxofthecommandbyaddingasingleuserorcomputerbeforeaddingmultiple
accountsatonce.Tocreatemultipleaccounts,youcanpasteyourtextintoaNotepadfile
andsaveitasa.bat,orbatchfile.Togetcommandlinehelp,typedsaddobjectname/?ata
commandprompttodisplayhelpinformationaboutusingthecommand,suchasdsadduser
/?.Ifyouusedsaddtocreateauseraccount,therearedozensofparametersthatcanbe
set,suchasDisplayName,FirstName,LastName,HomeDirectory,Password,abilityto
changepassword,telephonenumbers,LoginScript,etc.
Dsacls.exeisthecommandlineequivalentoftheSecuritytabinthepropertiesdialogbox
foranActiveDirectoryobjectintoolssuchasActiveDirectoryUsersandComputers.You
canuseeithertooltoviewandchangepermissionstoanActiveDirectoryobject.Once
again,thiscommandisverypowerfulinabatchfile,buttestitcarefullyonasingleobjectfirst
tomakesureyouwillgetthedesiredresults.
Dsget.exedisplayspropertiesofcomputers,contacts,groups,organizationalunits,users,
sites,subnets,andserversregisteredinActiveDirectory.Typedsgetobjectname/?ata
commandprompttodisplayhelpinformationaboutusingthecommand,suchasdsget
subnet/?.Toshowthelistofgroups,towhichtheuserBrienPoseybelongs,type:
dsgetuser"CN=BrienPosey,CN=users,dc=ms,dc=tld"memberofexpand

Youcanusedsgetinconjunctionwithdsqueryasshowninthefollowingexample.Tofindall
usersinanorganizationalunit(OU)namedContosowhosenamestartswith"brien"andto
showtheirdescriptions,type:
dsqueryuserOU=Contoso,dc=ms,dc=ltdnamebrien*|dsgetuserdesc

Whenyouusethiscommand,itreturnsentriesfromthespecifiedOUaswellasallchild
OUs.
Dsmod.exeModifiespropertiesofcomputers,contacts,groups,organizationalunits,users
andserversthatexistinActiveDirectory.Typedsmodobjectname/?atacommandprompt
todisplayhelpinformationaboutusingthecommand,suchasdsmodserver/?.Someofthe
parametersyoucanchangeusingdsmodareFirstName,LastName,DisplayName,
https://redmondmag.com/Articles/2015/04/15/CommandLineTools.aspx?p=1

1/2

28/02/2016

TopCommandLineToolsforManagingActiveDirectoryRedmondmag.com

Password,HomeDirectoryandLoginScript.ToresetthepasswordforBrienPoseyand
forcehimtochangehispasswordwhenhenextlogsontothenetwork,usethecommand:
dsmoduser"CN=BrienPosey,CN=Users,DC=Contoso,DC=Com"pwd123qweASmustchpwdyes

Toresetmultipleuserpasswordstoacommonpasswordandforceuserstochangetheir
passwordswhentheynextlogontothenetwork,usethecommand:

dsmoduser"CN=BrienPosey,CN=Users,DC=Contoso,DC=Com""CN=TroyThompson,CN=Users,DC=Contoso,DC=Com"pwd123qweASmu

Dsmove.exeMovesasingleobjecttoanewlocationwithinasingledomainorrenamesthe
objectwithoutmovingit.Typedsmove/?atacommandprompttodisplayhelpinformation
aboutusingthecommand.
Dsquery.exeUsessearchcriteriatofindcomputers,contacts,groups,organizationalunits,
users,sites,subnetsandserversinActiveDirectory.Typedsquery/?atacommandprompt
todisplayhelpinformationaboutusingthecommand.Asreferenceabove,thiscommand
canbeusedinconjunctionwiththeDsgetcommandtohelprefinesearches.
Dsrm.exeRemovesobjectsfromActiveDirectory.Typedsrm/?atacommandpromptto
displayhelpinformationaboutusingthecommand.Thiscanbeaverypowerfultoolinterms
ofdestruction.Besuretouseitwiselyandtestyoursyntaxthoroughlybeforeimplementing
inanenterpriseorforest.
Ntdsutil.exeAllowstheusertoviewsite,domainandserverinformationmanageoperations
mastersandperformdatabasemaintenanceofActiveDirectory.Typentdsutil/?ata
commandprompttodisplayhelpinformationaboutusingthecommand.
AlthoughtheGUIsprovidedwithActiveDirectoryallowyoutomanagemostofthedayto
dayoperations,acomprehensiveknowledgeofthecommandlinetoolsisamustforan
administratorwhowantstobeproficient.Theycanalsobeagreattimesaverasyoucan
automatemanytasksusingbatchfiles.
AbouttheAuthor
TroyThompsonhasworkedinnetworkadministrationforover25years,servingasanetwork
engineerandMicrosoftExchangeadministrationinDepartmentofDefense,writing
technologyarticles,tutorials,andwhitepapersandtechnicaledits.TroyisaCiscoCertified
AcademyInstructor(CCAI),andhasnumerousothercertificationsincludingCCNA,MSCE+I,
Network+,A+andSecurity+.Troyhasalsotraveledtheworldplayingmusicastheguitarist
forthebandBride.Contactinformationisbriderocks@gmail.com.

https://redmondmag.com/Articles/2015/04/15/CommandLineTools.aspx?p=1

2/2