Commands - 70-290


Upload: ppscslv

Post on 06-Apr-2015


DESCRIPTION

Commands useful for MCP 70-290 certification

TRANSCRIPT

Page 1: Commands - 70-290

Theoretical elements for the 70-290 certification

-Commands-

1. Dsadd

Adds specific types of objects to the directory.

Dsadd is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use dsadd, you must run the dsadd command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

Command          Description
Dsadd computer   Adds a single computer to the directory.
Dsadd contact    Adds a single contact to the directory.
Dsadd group      Adds a single group to the directory.
Dsadd ou         Adds a single organizational unit to the directory.
Dsadd user       Adds a single user to the directory.
Dsadd quota      Adds a quota specification to a directory partition.

2. Dsget

Displays the selected properties of a specific object in the directory.

Dsget is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use dsget, you must run the dsget command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

Command          Description
Dsget computer   Displays the properties of a computer in the directory. There are two variations of this command. The first variation allows you to view the properties of multiple computers. The second variation allows you to view the membership information of a single computer.

Dsget contact    Displays the various properties of a contact in the directory.

Displays the various properties of a contact in the directory.

Dsget group

Displays the various properties of a group including the members of a group in the directory. There are two variations of this command. The first variation allows you to view the properties of multiple groups. The second variation allows you to view the group membership information of a single group.

Dsget ou Displays the various properties of an organizational unit in the directory.

Dsget server

Displays the various properties of a domain controller defined in the directory.

There are three variations of this command. The first variation displays the general properties of a domain controller that you specify. The second variation displays a list of the security principals who own the largest number of directory objects on the domain controller that you specify. The third variation displays the distinguished names of the directory partitions on the server that you specify.

Dsget user

Displays the properties of a user in the directory. There are two variations of this command. The first variation allows you to view the properties of multiple users. The second variation allows you to view the group membership information of a single user.

Dsget subnet

Displays the properties of a subnet that is defined in the directory.

Dsget site Displays the properties of a site that is defined in the directory.

Dsget quota Displays the properties of a quota specification that is defined in the directory. A quota specification determines the maximum number of directory objects that a given security principal can own in a specific directory partition.

Dsget partition

Displays the properties of a directory partition.

3. Dsquery

Queries the directory by using search criteria that you specify. Each of the dsquery commands finds objects of a specific object type, with the exception of dsquery *, which can query for any type of object.

Dsquery is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use dsquery, you must run the dsquery command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.


Command           Description
Dsquery computer  Finds computers in the directory that match search criteria that you specify.

Dsquery contact

Finds contacts in the directory that match search criteria that you specify.

Dsquery group

Finds groups in the directory that match search criteria that you specify. If the predefined search criteria in this command are insufficient, use the general version of the query command, dsquery *.

Dsquery ou Finds organizational units (OUs) in the directory that match search criteria that you specify. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.

Dsquery site Finds sites in the directory that match search criteria that you specify. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.

Dsquery server

Finds domain controllers according to specified search criteria. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.

Dsquery user Finds users in the directory that match search criteria that you specify. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.

Dsquery quota

Finds quota specifications in the directory that match search criteria that you specify. A quota specification determines the maximum number of directory objects a specified security principal can own in a given directory partition. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.

Dsquery partition

Finds partition objects in the directory that match search criteria that you specify. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.

Dsquery * Finds any objects in the directory according to criteria using an LDAP query.

4. Dsmove

Moves a single object, within a domain, from its current location in the directory to a new location, or renames a single object without moving it in the directory tree.

Dsmove is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use dsmove, you must run the dsmove command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.


For examples of how to use this command, see Examples.

Syntax

dsmove <ObjectDN> [-newname <NewRDN>] [-newparent <ParentDN>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

Parameters

Parameter Description

<ObjectDN> Required. Specifies the distinguished name of the object that you want to move or rename. If the value is omitted, it is obtained through standard input (stdin) to support piping of output from another command to input of this command.

-newname <NewRDN>

Renames the object that you specify with a new relative distinguished name.

-newparent <ParentDN>

Specifies a new location for the object that you want to move. To specify the new location, you supply the distinguished name of the object's new parent.

{-s <Server> | -d <Domain>}

Connects a computer to a remote server or domain that you specify. By default, dsmove connects the computer to the domain controller in the logon domain.

-u <UserName>

Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:

user name (for example, Linda)
domain\user name (for example, widgets\Linda)
user principal name (UPN) (for example, [email protected])

-p {<Password> | *}

Specifies to use a password or an asterisk (*) to log on to a remote server. If you type *, dsmove prompts you for a password.

-q Suppresses all output to standard output (quiet mode).

{-uc | -uco | -uci}

Specifies that dsmove formats output or input data in Unicode. The following list explains each format.

-uc: Specifies a Unicode format for input from or output to a pipe (|).
-uco: Specifies a Unicode format for output to a pipe (|) or a file.
-uci: Specifies a Unicode format for input from a pipe (|) or a file.

/? Displays help at the command prompt.

Remarks

If a value that you supply contains spaces, use quotation marks around the text, for example, "CN=Mike Danseglio,CN=Users,DC=Contoso,DC=Com".


If you supply multiple values for a parameter, use spaces to separate the values, for example, a list of distinguished names.

Examples

To rename a user object from Kim Akers to Kim Ralls, type:

dsmove "CN=Kim Akers,OU=Sales,DC=Contoso,DC=Com" -newname "Kim Ralls"

5. Dsrm

Deletes an object of a specific type or any general object from the directory.

Dsrm is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use dsrm, you must run the dsrm command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

dsrm <ObjectDN> ... [-subtree [-exclude]] [-noprompt] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

Parameters

Parameter Description

<ObjectDN> Required. Specifies the distinguished names of objects to delete. If no value is entered at the command prompt, the value will be obtained through standard input.

-subtree [-exclude]

Specifies that both the object and all objects contained in the subtree under that object should be deleted. If you specify the -exclude parameter, you must also specify the -subtree parameter. When you specify both parameters, dsrm excludes from deletion the base object that the <ObjectDN> parameter supplies when it deletes the objects under the subtree. By default, dsrm deletes only the base object specified.


-noprompt Sets the optional silent mode, which prevents prompts that ask you to confirm deletion of each object. By default, dsrm prompts you to confirm each deletion.

{-s <Server> | -d <Domain>}

Connects a computer to a remote server or domain that you specify. By default, dsrm connects the computer to the domain controller in the logon domain.

-u <UserName>

Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:

user name (for example, Linda)
domain\user name (for example, widgets\Linda)
user principal name (UPN) (for example, [email protected])

-p {<Password> | *}

Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsrm prompts you for a password.

-c Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not supply this parameter, dsrm exits when the first error occurs.

-q Suppresses all output to standard output (quiet mode).

{-uc | -uco | -uci}

Specifies that dsrm formats output or input data in Unicode. The following list explains each format.

-uc: Specifies a Unicode format for input from or output to a pipe (|).
-uco: Specifies a Unicode format for output to a pipe (|) or a file.
-uci: Specifies a Unicode format for input from a pipe (|) or a file.

/? Displays help at the command prompt.

Remarks

If a value that you supply contains spaces, use quotation marks around the text, for example, "CN=Mike Danseglio,CN=Users,DC=Contoso,DC=Com".

If you supply multiple values for a parameter, use spaces to separate the values, for example, a list of distinguished names.

Examples

To remove an organizational unit (OU) named Marketing and all the objects under that OU, type:

dsrm -subtree -noprompt -c OU=Marketing,DC=Contoso,DC=Com

To remove all objects under an OU named Marketing, but leave the OU intact, type:

dsrm -subtree -exclude -noprompt -c "OU=Marketing,DC=Contoso,DC=Com"


6. Dsmod

Modifies an existing object of a specific type in the directory.

Dsmod is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use dsmod, you must run the dsmod command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

Command          Description
Dsmod computer   Modifies attributes of one or more existing computers in the directory.
Dsmod contact    Modifies attributes of one or more existing contacts in the directory.
Dsmod group      Modifies attributes of one or more existing groups in the directory.
Dsmod ou         Modifies attributes of one or more existing organizational units (OUs) in the directory.
Dsmod server     Modifies properties of a domain controller.
Dsmod user       Modifies attributes of one or more existing users in the directory.
Dsmod quota      Modifies attributes of one or more existing quota specifications in the directory.
Dsmod partition  Modifies attributes of one or more existing partitions in the directory.
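As an added example that is not part of the original reference, the batch script below chains the dsquery, dsget and dsmod commands described in sections 2, 3 and 6: it lists the user accounts under one OU that have been inactive for a configurable number of weeks, flags disabled accounts whose password never expires, and disables the stale accounts only when explicitly asked. The OU distinguished name and the eight-week threshold are constructed values, and the script assumes an elevated prompt on a domain member with the AD DS command-line tools installed.

```batch
@echo off
rem Added example (not from the original reference): audit and disable stale
rem user accounts with a dsquery | dsget | dsmod pipeline. The base OU is a
rem constructed DN; adjust it and the WEEKS threshold for your own domain.
setlocal

set "BASE=OU=Staff,DC=Contoso,DC=Com"
set "WEEKS=8"

echo === Users under %BASE% that have been inactive for %WEEKS% weeks ===
rem dsquery user prints one DN per line; dsget user reads the DNs from stdin
rem (no target object on the command line) and shows the requested attributes.
rem -limit 0 removes the default cap of 100 results.
dsquery user "%BASE%" -inactive %WEEKS% -limit 0 | dsget user -samid -disabled -display

echo.
echo === Disabled accounts that still have "password never expires" set ===
rem dsget prints a header line plus one "samid pwdneverexpires" line per user;
rem find (used here as a filter on standard input) keeps only the "yes" rows.
dsquery user "%BASE%" -disabled -limit 0 | dsget user -samid -pwdneverexpires | find /i "yes"

rem Dry run by default: nothing is modified unless the script is called with DISABLE.
if /i not "%~1"=="DISABLE" (
    echo.
    echo Dry run only. Re-run with the argument DISABLE to disable the stale accounts.
    goto :eof
)

echo.
echo === Disabling stale accounts - no objects are deleted ===
rem dsmod user also accepts DNs on stdin; -c reports errors but continues with
rem the next object instead of stopping at the first failure.
dsquery user "%BASE%" -inactive %WEEKS% -limit 0 | dsmod user -disabled yes -c

endlocal
```

Disabling rather than deleting keeps the SID, group memberships and audit trail intact, so an account that turns out to be needed can be re-enabled with dsmod user -disabled no.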


7. Find

Searches for a string of text in a file or files, and displays lines of text that contain the specified string.

For examples of how to use this command, see Examples.

Syntax

find [/v] [/c] [/n] [/i] [/off[line]] "<String>" [[<Drive>:][<Path>]<FileName>[...]]

Parameters

Parameter Description

/v Displays all lines that do not contain the specified <String>.

/c Counts the lines that contain the specified <String> and displays the total.

/n Precedes each line with the file's line number.

/i Specifies that the search is not case-sensitive.

/off[line] Does not skip files that have the offline attribute set.

"<String>" Required. Specifies the group of characters (enclosed in quotation marks) that you want to search for.

[<Drive>:][<Path>]<FileName> Specifies the location and name of the file in which to search for the specified string.

/? Displays help at the command prompt.

Remarks

Specifying a string

If you do not use /i, find searches for exactly what you specify for String. For example, the find command treats the characters "a" and "A" differently. If you use /i, however, find is not case sensitive, and it treats "a" and "A" as the same character. If the string you want to search for contains quotation marks, you must use double quotation marks for each quotation mark contained within the string (for example, "This ""string"" contains quotation marks").


Using find as a filter

If you omit a file name, find acts as a filter, taking input from the standard input source (usually the keyboard, a pipe (|), or a redirected file) and then displaying any lines that contain String.

Ordering command syntax

You can type parameters and command-line options for the find command in any order.

Using wildcards

You cannot use wildcards (* and ?) in file names or extensions that you specify with the find command. To search for a string in a set of files that you specify with wildcards, you can use the find command within a for command.

Using /v or /n with /c

If you use /c and /v in the same command line, find displays a count of the lines that do not contain the specified string. If you specify /c and /n in the same command line, find ignores /n.

Using find with carriage returns

The find command does not recognize carriage returns. When you use find to search for text in a file that includes carriage returns, you must limit the search string to text that can be found between carriage returns (that is, a string that is not likely to be interrupted by a carriage return). For example, find does not report a match for the string "tax file" if a carriage return occurs between the words "tax" and "file."

Examples

To display all lines from Pencil.ad that contain the string "Pencil Sharpener", type:

find "Pencil Sharpener" pencil.ad

To find a string that contains text within quotation marks, you must enclose the entire string in quotation marks. Then you must use two quotation marks for each quotation mark contained within the string. To find "The scientists labeled their paper "for discussion only." It is not a final report." in Report.doc, type:

find "The scientists labeled their paper ""for discussion only."" It is not a final report." report.doc

If you want to search for a set of files, you can use the find command within the for command. To search the current directory for files that have the extension .bat and that contain the string "PROMPT", type:

for %f in (*.bat) do find "PROMPT" %f

To search your hard disk to find and display the file names on drive C that contain the string "CPU", use the pipe (|) to direct the output of the dir command to the find command as follows:


dir c:\ /s /b | find "CPU"

Because find searches are case-sensitive and dir produces uppercase output, you must either type the string "CPU" in uppercase letters or use the /i command-line option with find.

8. Netsh

Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh also provides a scripting feature that allows you to run a group of commands in batch mode against a specified computer. Netsh can also save a configuration script in a text file for archival purposes or to help you configure other servers.

Netsh contexts

Netsh interacts with other operating system components using dynamic-link library (DLL) files. Each Netsh helper DLL provides an extensive set of features called a context, which is a group of commands specific to a networking component. These contexts extend the functionality of netsh by providing configuration and monitoring support for one or more services, utilities, or protocols. For example, Dhcpmon.dll provides netsh the context and set of commands necessary to configure and manage DHCP servers.

To run a netsh command, you must start netsh from the Cmd.exe prompt and change to the context that contains the command you want to use. The contexts that are available to you depend on which networking components you have installed. For example, if you type dhcp at the Netsh command prompt, you change to the DHCP context, but if you do not have DHCP installed the following message appears:

• Netsh commands for AAAA
• Netsh commands for DHCP
• Netsh diagnostic (diag) commands
• Netsh commands for Interface IP
• Netsh commands for RAS
• Netsh commands for Routing
• Netsh commands for WINS

Using multiple contexts with netsh command


A context can exist within a context. For example, within the Routing context, you can change to the IP and IPX subcontexts.

To display a list of commands and subcontexts that you can use within a context, at the netsh prompt, type the context name, and then type either /? or help.

For example, to display a list of subcontexts and commands that you can use in the Routing context, at the netsh prompt (that is, netsh>), type either of the following:

routing /?

routing help

To perform tasks in another context without changing from your current context, type the context path of the command you want to use at the netsh prompt.

For example, to add the Local Area Connection interface in the IGMP context without changing to the IGMP context, at the netsh prompt, type:

routing ip igmp add interface "Local Area Connection" startupqueryinterval=21

Running Netsh commands from the Cmd.exe command prompt

When you run Netsh from the Cmd.exe command prompt, netsh uses the following syntax. To run these Netsh commands on a remote Windows 2000 Server, you must first use Remote Desktop Connection to connect to a Windows 2000 Server that is running Terminal Server. There might be functional differences between Netsh context commands on Windows 2000 and Windows XP.

netsh 

Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a currently running computer. Used without parameters, netsh opens the Netsh.exe command prompt (that is, netsh>).

Syntax


netsh [-a AliasFile] [-c Context] [-r RemoteComputer] [{NetshCommand|-f ScriptFile}]

Parameters

-a : Returns you to the netsh prompt after running AliasFile.
AliasFile : Specifies the name of the text file that contains one or more netsh commands.
-c : Changes to the specified netsh context.
Context : Specifies the netsh context. The following table lists the available netsh contexts.

Context    Description
AAAA       Shows and sets the configuration of the authentication, authorization, accounting, and auditing (AAAA) database used by the Internet Authentication Service (IAS) and the Routing and Remote Access service.
DHCP       Administers DHCP servers and provides an equivalent alternative to console-based management.
Diag       Administers and troubleshoots operating system and network service parameters.
Interface  Configures the TCP/IP protocol (including addresses, default gateways, DNS servers, and WINS servers) and displays configuration and statistical information.
RAS        Administers remote access servers.
Routing    Administers Routing servers.
WINS       Administers WINS servers.

-r : Configures a remote computer.
RemoteComputer : Specifies the remote computer to configure.
NetshCommand : Specifies the netsh command that you want to run.
-f : Exits Netsh.exe after running the script.
ScriptFile : Specifies the script that you want to run.
/? : Displays help at the command prompt.

Remarks

Using -r

If you specify -r followed by another command, netsh executes the command on the remote computer and then returns to the Cmd.exe command prompt. If you specify -r without another command, netsh opens in remote mode. The process is similar to using set machine at the Netsh command prompt. When you use -r, you set the target computer for the current instance of netsh only. After you exit and reenter netsh, the target computer is reset as the local computer. You can run netsh commands on a remote computer by specifying a computer name stored in WINS, a UNC name, an internet name to be resolved by the DNS server, or a numerical IP address.


9. Netstat

Netstat is a useful tool for checking network and Internet connections. Some useful applications for the average PC user are considered, including checking for malware connections.

Syntax and switches

The command syntax is:

netstat [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]

A brief description of the switches is given in Table I below. Note that switches for Netstat use the dash symbol "-" rather than the slash "/".

Table I. Switches for Netstat command

Switch      Description
-a          Displays all connections and listening ports.
-b          Displays the executable involved in creating each connection or listening port. (Added in XP SP2.)
-e          Displays Ethernet statistics.
-n          Displays addresses and port numbers in numerical form.
-o          Displays the owning process ID associated with each connection.
-p proto    Shows connections for the protocol specified by proto; proto may be any of: TCP, UDP, TCPv6, or UDPv6.
-r          Displays the routing table.
-s          Displays per-protocol statistics.
-v          When used in conjunction with -b, displays the sequence of components involved in creating the connection or listening port for all executables.
[interval]  An integer used to display results multiple times with the specified number of seconds between displays. Continues until stopped by Ctrl+C. The default is to display once.

Applications of Netstat

Netstat is one of a number of command-line tools available to check the functioning of a network. It provides a way to check if various aspects of TCP/IP are working and what connections are present. In Windows XP SP2, a new switch "-b" was added that allows the actual executable file that has opened a connection to be displayed. This newer capability provides a chance to catch malware that may be phoning home or using your computer in unwanted ways on the Internet. There are various ways that a system administrator might use the assortment of switches, but I will give two examples that might be useful to home PC users.

Checking TCP/IP connections

TCP and UDP connections and their IP and port addresses can be seen by entering a command combining two switches:

netstat -an

An example of the output that is obtained is shown in Figure 1.

Figure 1. Example output for command "netstat -an"

The information that is displayed includes the protocol, the local address, the remote (foreign) address, and the connection state. Note that the various IP addresses include port information as well.
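The following batch script is an added example, not part of the original reference, that combines the find command from section 7 with netstat from this section: it prints every listening TCP port with the process that owns it, then counts and lists the established TCP connections. It uses -o plus tasklist to map the PID to an image name, which works without elevation, whereas netstat -b needs an elevated prompt; tasklist is assumed to be present (Windows XP Professional and later).

```batch
@echo off
rem Added example (not from the original reference): listening ports and
rem established connections with their owning process, using netstat -ano,
rem find as a filter, and tasklist to resolve the PID to an image name.
setlocal enabledelayedexpansion

echo === Listening TCP ports and owning processes ===
rem find is case-sensitive and netstat prints states in upper case, so the
rem filter string must be "LISTENING". The pipe inside for /f is escaped as ^|.
rem netstat columns: Proto  Local Address  Foreign Address  State  PID,
rem so tokens 2 and 5 are the local address and the PID.
for /f "tokens=2,5" %%a in ('netstat -ano -p TCP ^| find "LISTENING"') do (
    set "IMG=unknown"
    rem tasklist /fo csv /nh prints "image.exe","PID",... ; take the first field
    rem and strip its quotes with %%~i
    for /f "tokens=1 delims=," %%i in ('tasklist /fi "PID eq %%b" /fo csv /nh') do set "IMG=%%~i"
    echo %%a  PID %%b  !IMG!
)

echo.
echo === Established TCP connections ===
rem /c makes find print only the count of matching lines; the second call
rem prints the lines themselves (including loopback connections).
netstat -ano -p TCP | find /c "ESTABLISHED"
netstat -ano -p TCP | find "ESTABLISHED"

endlocal
```

Run it from a known-good baseline first: a listener or a foreign address that is not in the baseline is what a follow-up investigation should start from, and the PID-to-image mapping tells you which process to look at.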


10. Logman

Logman creates and manages Event Trace Session and Performance logs and supports many functions of Performance Monitor from the command line.

Syntax

logman [create | query | start | stop | delete | update | import | export | /?] [options]

Actions

Action                  Description
logman create           Create a counter, trace, configuration data collector, or API.
logman query            Query data collector properties.
logman start | stop     Start or stop data collection.
logman delete           Delete an existing data collector.
logman update           Update the properties of an existing data collector.
logman import | export  Import a data collector set from an XML file or export a data collector set to an XML file.

11. Schtasks

Windows XP includes powerful command-line admin utilities, including schtasks, which replaces the Windows NT and Windows 2000 command-line scheduler AT.exe. Schtasks allows an administrator to create, delete, query, change, run and end scheduled tasks on a local or remote system.

Parameter List:

/Create : Creates a new scheduled task.


/Delete : Deletes the scheduled task(s).

/Query : Displays all scheduled tasks.

/Change : Changes the properties of scheduled task.

/Run : Runs the scheduled task immediately.

/End : Stops the currently running scheduled task.

/? Displays this help/usage.

Examples:

SCHTASKS
SCHTASKS /?
SCHTASKS /Run /?
SCHTASKS /End /?
SCHTASKS /Create /?
SCHTASKS /Delete /?
SCHTASKS /Query /?
SCHTASKS /Change /?
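As an added example that ties sections 10 and 11 together (it is not the original reference's code), the batch script below registers a performance counter data collector with logman create counter and then uses schtasks /Create to start it every morning, so a ten-minute performance baseline is captured daily. The collector name, the counters, the output path and the schedule are constructed values; /F and /RL on schtasks assume Windows Vista or Windows Server 2008 or later.

```batch
@echo off
rem Added example (not from the original reference): a daily performance
rem baseline built from a logman counter collector and a schtasks task.
setlocal

set "NAME=BaselinePerf"
set "OUT=C:\PerfLogs\%NAME%.blg"
if not exist C:\PerfLogs mkdir C:\PerfLogs

rem Remove any previous definition so the script can be re-run safely.
logman query "%NAME%" >nul 2>&1 && logman delete "%NAME%" >nul

rem Counter collector: binary log (-f bin), one sample every 15 seconds (-si),
rem run for 10 minutes (-rf). A literal percent sign in a counter path must be
rem written as %% inside a batch file.
logman create counter "%NAME%" -o "%OUT%" -f bin -si 00:00:15 -rf 00:10:00 ^
      -c "\Processor(_Total)\%% Processor Time" "\Memory\Available MBytes" ^
         "\TCPv4\Connections Established" "\System\Processes"
if errorlevel 1 (
    echo logman create failed - check the counter paths with "typeperf -q".
    exit /b 1
)

rem Show the registered collector and run it once now to confirm it starts.
logman query "%NAME%"
logman start "%NAME%"

rem Daily task at 07:00 running as the SYSTEM account (no stored password);
rem /F overwrites an existing task of the same name, /RL HIGHEST asks for an
rem elevated token, which logman start needs.
schtasks /Create /F /RU "SYSTEM" /RL HIGHEST /SC DAILY /ST 07:00 ^
         /TN "%NAME%" /TR "logman start %NAME%"
if errorlevel 1 exit /b 1

rem Verify the task definition and its next run time.
schtasks /Query /TN "%NAME%" /FO LIST /V

endlocal
```

The resulting .blg files open in Performance Monitor; comparing a day's log against the stored baseline is how a sudden rise in established connections or processor load gets noticed.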

12. Csvde

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008

Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format. You can also support batch operations based on the CSV file format standard.

Csvde is a command-line tool that is built into Windows Server 2008 in the %windir%/system32 folder. It is available if you have the AD DS or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use csvde, you must run the csvde command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

Csvde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1> <String2>] [-v] [-j <Path>] [-t <PortNumber>] [-d <BaseDN>] [-r <LDAPFilter>] [-p <Scope>] [-l <LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a <UserDistinguishedName> {<Password> | *}] [-b <UserName> <Domain> {<Password> | *}]


Parameters

Parameter Description

-i Specifies import mode. If not specified, the default mode is export.

-f <FileName> Identifies the import or export file name.

-s <ServerName> Specifies the domain controller to perform the import or export operation.

-c <String1> <String2>

Replaces all occurrences of String1 with String2. You use this parameter when you import data from one domain to another and you want to replace the distinguished name of the export domain (String1) with the distinguished name of the import domain (String2).

-v Sets verbose mode.

-j <Path> Sets the log file location. The default is the current path.

-t <PortNumber> Specifies an LDAP port. The default LDAP port is 389. The global catalog port is 3268.

-u Specifies Unicode format.

-d <BaseDN> Sets the distinguished name of the search base for data export.

-r <LDAPFilter> Creates an LDAP search filter for data export.

-p <Scope> Sets the search scope. Search scope options are Base, OneLevel, or SubTree.

-l <LDAPAttributeList>

Sets the list of attributes to return in the results of an export query. LDAP can return attributes in any order, and csvde does not attempt to impose any order on the columns. If you omit this parameter, AD DS returns all attributes.

-o <LDAPAttributeList>

Specifies the list of attributes to omit from the results of an export query. You use this parameter if you need to export objects from AD DS, and then import them into another LDAP-compliant directory. If the other directory does not support certain attributes, you can use this parameter to omit those attributes from the result set.

-g Omits paged searches.

-m Omits attributes that apply only to Active Directory objects, such as the ObjectGUID, objectSID, pwdLastSet, and samAccountType attributes.

-n Omits the export of binary values.

-k Ignores errors during an import operation and continues processing. The following is a complete list of ignored errors:

Object already exists
Constraint violation
Attribute or value already exists

-a [<UserDistinguishedName> {<Password> | *}]

Performs a simple LDAP bind with the user name and password. Sets the command to run using the supplied UserDistinguishedName and Password. By default, the command runs using the credentials of the user who is currently logged on to the network.

-b [<UserName> <Domain> {<Password> | *}]

Performs a secure LDAP bind with the NEGOTIATE authentication method. Sets the command to run using the supplied Username, Domain, and Password. By default, the command will run using the credentials of the user who is currently logged on to the network.

/? Displays Help at the command prompt.

Remarks

You cannot import user passwords by using csvde because passwords must be sent over an encrypted channel. Csvde does not support Secure Sockets Layer (SSL) or encrypted LDAP communication. The previous references to passwords relate to the credentials of the user who is running csvde. They are not related to setting passwords for users.

Applications such as Microsoft Excel spreadsheet software are capable of reading and saving data in the CSV format. You can also create CSV files using Notepad; separate the values that you add to your file with commas. In addition, the Microsoft Exchange Server administration tools are capable of importing and exporting data using the CSV format, as are many other tools from software developers other than Microsoft.

The CSV format consists of one or more lines of data with each value separated by a comma and no spaces between the comma and the next entry. The first line (sometimes referred to as the header) of the CSV file must contain the names of each attribute in the same order as the data in any line following the first line. For example:

objectClass,dn,givenName,sn,samAccountName,Description
user,distinguishedName,1stUserFirstName,1stUserSurname,FirstUserLogonName,Manager
user,distinguishedName,2ndUserFirstName,2ndUserSurname,SecondUserLogonName,President

To see a list of properties that csvde can update, see the appropriate supported interfaces in ADSI Objects of LDAP ( http://go.microsoft.com/fwlink/?LinkId=91123). For example, to see the properties that can be set for Active Directory user objects, see IADsUser Interface ( http://go.microsoft.com/fwlink/?LinkId=91124), and then view Properties.

You can use csvde -r to create an LDAP search filter for data export. For example, the following filter exports all users with a particular surname. Put the filter in quotation marks: an unquoted & is a command separator in cmd.exe and the filter would be cut off there:

csvde -r "(&(objectClass=User)(sn=Surname))"

Examples

The following sample file contents are for a domain named Cpandl.com that has organizational units (OUs) named SW Dev, Acct, and AP. The AP OU is subordinate to the Acct OU. The first line of the file defines the Active Directory object properties for user accounts to be created by the entries in the rest of the file. The remaining lines are used to create the user accounts. The first user account is created in the default Users container, and the rest of the user accounts are created in the SW Dev, Acct, and AP OUs, respectively:

objectClass,dn,sAMAccountName,userPrincipalName,userAccountControl
user,"CN=KMyer,CN=Users,DC=cpandl,DC=com",KenM,[email protected],514
user,"CN=WYu,OU=SW Dev,DC=cpandl,DC=com",WeiY,[email protected],514
user,"CN=JMorris,OU=Acct,DC=cpandl,DC=com",JonM,[email protected],514
user,"CN=YXu,OU=AP,OU=Acct,DC=cpandl,DC=com",YeX,[email protected],514

Note

Setting userAccountControl to 514 (NORMAL_ACCOUNT, 512, plus ACCOUNTDISABLE, 2) disables the user account. This is recommended because csvde cannot set passwords: an account imported as 512 would be enabled with no password until an administrator set one.
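The sample file above is the whole csvde import format: a header naming the attributes, one object per row, and quotes around any value that contains a comma, which every DN does. As an added example (not part of the page or of the csvde documentation), the Python below builds such a file for a list of users, escapes RDN values that themselves contain commas, sets userAccountControl to 514 on every row for the reason the Note gives, and checks a finished file for the mistakes that make csvde -i fail or would leave an enabled account with no password. The helper names, the sample users and their UPNs are assumptions made for illustration; the cpandl.com domain is the one the page uses.

```python
"""Build and sanity-check a csvde import file.

Added example: this is not code from the page or from Microsoft's csvde
documentation. The helper names, the sample users and their UPNs are made
up; only the DC=cpandl,DC=com domain and the 514 value come from the page.
"""
import csv
import io

NORMAL_ACCOUNT = 0x0200   # 512
ACCOUNTDISABLE = 0x0002   # 2  -> 512 | 2 = 514, the value the page recommends
HEADER = ["objectClass", "dn", "sAMAccountName", "userPrincipalName", "userAccountControl"]

# RFC 4514: these characters must be backslash-escaped inside an RDN value,
# as must a leading '#' and a leading or trailing space.
_RDN_SPECIAL = ',+"\\<>;='


def escape_rdn_value(value):
    """Escape one RDN attribute value (the part after CN=) for use in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_rows(users, domain_dn, default_parent="CN=Users"):
    """Return the header row plus one row per user.

    Every account is created disabled (514): csvde cannot set passwords, so
    an enabled account would sit there with no password until someone notices.
    """
    rows = [HEADER]
    for user in users:
        parent = user.get("parent", default_parent)   # OU or container, relative to the domain
        dn = f"CN={escape_rdn_value(user['cn'])},{parent},{domain_dn}"
        rows.append(["user", dn, user["sam"], user["upn"], str(NORMAL_ACCOUNT | ACCOUNTDISABLE)])
    return rows


def render_csv(rows):
    """Serialize rows as csvde expects: comma separated, no space after the
    comma, and any value that itself contains a comma (every DN) in quotes."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\r\n", quoting=csv.QUOTE_MINIMAL).writerows(rows)
    return buf.getvalue()


def check_import_file(text):
    """Return the problems a 'csvde -i' run would trip over, plus any row
    that would create an enabled account without a password."""
    problems = []
    reader = csv.reader(io.StringIO(text))
    header = next(reader, [])
    if "dn" not in header or "objectClass" not in header:
        return ["header must name the dn and objectClass columns"]
    dn_col = header.index("dn")
    uac_col = header.index("userAccountControl") if "userAccountControl" in header else None
    seen = set()
    for lineno, row in enumerate(reader, start=2):
        if len(row) != len(header):
            problems.append(f"line {lineno}: {len(row)} values for {len(header)} columns")
            continue
        dn = row[dn_col]
        if dn.lower() in seen:
            problems.append(f"line {lineno}: duplicate dn {dn}")
        seen.add(dn.lower())
        if uac_col is not None:
            try:
                enabled = not (int(row[uac_col]) & ACCOUNTDISABLE)
            except ValueError:
                problems.append(f"line {lineno}: userAccountControl is not a number")
                continue
            if enabled:
                problems.append(f"line {lineno}: {dn} would be created enabled with no password")
    return problems


SAMPLE_USERS = [   # constructed sample input; the second CN contains a comma on purpose
    {"cn": "KMyer", "sam": "KenM", "upn": "KenM@cpandl.com"},
    {"cn": "Yu, Wei", "sam": "WeiY", "upn": "WeiY@cpandl.com", "parent": "OU=SW Dev"},
]

if __name__ == "__main__":
    text = render_csv(build_rows(SAMPLE_USERS, "DC=cpandl,DC=com"))
    print(text, end="")
    print(check_import_file(text) or "no problems found")
```

Write the result to a file and import it with csvde -i -f users.csv. The RDN escaping matters because a comma inside a CN (Yu, Wei) that is not escaped is read as the start of the next RDN; the CSV quoting is a separate layer and does not protect against that. If names need characters outside ASCII, write the file as UTF-16 and add the -u switch to csvde.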

The -d switch indicates the root (top) of a particular query. For example, if you want to export all the objects in the Marketing top-level OU of the Contoso.com domain to a file named marketingobjects.csv, you can use the following command:

csvde -d "ou=marketing,dc=contoso,dc=com" -f marketingobjects.csv

The -r switch is a filter for exporting information from the directory. This switch filters the output that an export request produces. For example, if you want to export only the user account object attributes from a domain to a file named usersonly.csv, you can use the following command. Note that computer objects derive from the user class and match this filter too; to limit the export to user accounts, use the filter (&(objectCategory=person)(objectClass=user)) instead:

csvde -r objectClass=user -f usersonly.csv

The following example exports Active Directory data to a file named search.txt, sets the search scope to subtree, and lists the sAMAccountName, cn, and distinguishedName attributes for each object that is found in the search (the -l list is comma separated, without spaces):

csvde -f search.txt -p subtree -l sAMAccountName,cn,distinguishedName


The following example imports the data from the current domain (the domain that you are logged on to) from a file named input.csv:

csvde -i -f input.csv

The following example exports the data from the current domain (the domain that you are logged on to) to a file named output.csv:

csvde -f output.csv

13. Ldifde

Creates, modifies, and deletes directory objects. You can also use ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory Domain Services (AD DS) with data from other directory services.

Ldifde is a command-line tool that is built into Windows Server 2008. It is available if you have the AD DS or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use ldifde, you must run the ldifde command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

Ldifde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1> <String2>] [-v] [-j <Path>] [-t <PortNumber>] [-d <BaseDN>] [-r <LDAPFilter>] [-p <Scope>] [-l <LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a <UserDistinguishedName> <Password>] [-b <UserName> <Domain> <Password>] [-?]

Parameters

 

Parameter Description


-i Specifies to use the import mode. The default mode is export.

-f <FileName> Identifies the import or export file name.

-s <ServerName> Specifies the domain controller to perform the import or export operation. By default, ldifde runs on the domain controller on which ldifde is installed.

-c <String1> <String2>

Replaces all occurrences of <String1> with <String2>. Generally, you use this parameter when you import data from one domain to another and you must replace the distinguished name of the export domain (<String1>) with the distinguished name of the import domain (<String2>).

-v Sets verbose mode.

-j <Path> Sets the log file location. The default location is the current path.

-t <PortNumber> Specifies a Lightweight Directory Access Protocol (LDAP) port number. The default LDAP port number is 389. The global catalog port number is 3268.

-d <BaseDN> Sets the distinguished name of the search base for data export.

-r <LDAPFilter>

Creates an LDAP search filter for data export. For example, to export all users with a surname that you specify, you can use the following filter:

-r "(&(objectClass=User)(sn=Surname))"

-p <Scope> Sets the search scope. The search scope options are Base, OneLevel, or SubTree.

-l <LDAPAttributeList> Sets the list of attributes to return in the results of an export query. If you do not specify this parameter, the search returns all attributes.

-o <LDAPAttributeList>

Sets the list of attributes to omit from the results of an export query. This is typically used when exporting objects from AD DS and then importing them into another LDAP-compliant directory. If attributes are not supported by another directory, you can omit the attributes from the result set using this option.

-g Omits paged searches.


-m Omits attributes that apply only to Active Directory objects, such as the ObjectGUID, objectSID, pwdLastSet and samAccountType attributes.

-n Omits the export of binary values.

-k

Ignores errors during an import operation and continues processing. This parameter ignores all of the following errors:

The object is already a member of the group

The operation has an object class violation (this violation means that the specified object class does not exist, if the object being imported has no other attributes)

The object already exists

The operation has a constraint violation

The attribute or value already exists

The operation found no such object

-a <UserDistinguishedName> <Password>

Sets the command to run using the distinguished name (<UserDistinguishedName>) and password (<Password>) that you supply. By default, the command uses the credentials of the user who is currently logged on to the network.

-b <UserName> <Domain> <Password>

Sets the command to run using the supplied <UserName> <Domain> <Password>. By default, the command will run using the credentials of the user currently logged on to the network.

/? Displays help at the command prompt.

Remarks

When you create the import file to use with the ldifde command, use a changeType value to define the type of changes that the import file will contain. The following table shows the changeType values that you can use.

 

Value Description

add Specifies that new content is contained in the import file.


modify Specifies that existing content has been modified in the import file.

delete Specifies that content has been deleted in the import file.

The following example shows an LDAP Data Interchange Format (LDIF) import file format that uses the add value.

DN: CN=SampleUser,DC=DomainName
changetype: add
CN: SampleUser
description: DescriptionOfFile
objectClass: User
sAMAccountName: SampleUser

Examples

To retrieve only the distinguished name, common name, first name, surname, and telephone number of the returned objects, add an attribute list to the export (comma separated, without spaces):

-l distinguishedName,cn,givenName,sn,telephoneNumber

To omit the creation and modification time stamps and the object globally unique identifier (GUID), for example when the export will be imported into another directory, type:

-o whenCreated,whenChanged,objectGUID

14. Netdom

Enables administrators to manage Active Directory domains and trust relationships from the command prompt.


Netdom is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use netdom, you must run the netdom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

You can use netdom to:

Join a computer that runs Windows XP Professional or Windows Vista to a Windows Server 2008 or Windows Server 2003 or Windows 2000 or Windows NT 4.0 domain.

o Provide an option to specify the organizational unit (OU) for the computer account.

o Generate a random computer password for an initial Join operation.

Manage computer accounts for domain member workstations and member servers. Management operations include:

o Add, Remove, Query.

o An option to specify the OU for the computer account.

o An option to move an existing computer account for a member workstation from one domain to another while maintaining the security descriptor on the computer account.

Establish one-way or two-way trust relationships between domains, including the following kinds of trust relationships:

o From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to a Windows NT 4.0 domain.

o From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain in another enterprise.

o Between two Windows 2000 or Windows Server 2003 or Windows Server 2008 domains in an enterprise (a shortcut trust).

o The Windows Server 2008 or Windows Server 2003 or Windows 2000 Server half of an interoperable Kerberos protocol realm.

Verify or reset the secure channel for the following configurations:

o Member workstations and servers.

o Backup domain controllers (BDCs) in a Windows NT 4.0 domain.

o Specific Windows Server 2008 or Windows Server 2003 or Windows 2000 replicas.

Manage trust relationships between domains, including the following operations:

o Enumerate trust relationships (direct and indirect).


o View and change some attributes on a trust.

Note

You must run netdom from an elevated command prompt.

Syntax

Netdom uses the following general syntaxes:

NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>]
NetDom help <Operation>

Commands

 

Command Description

Netdom add Adds a workstation or server account to the domain.

Netdom computername

Manages the primary and alternate names for a computer. This command can safely rename Active Directory domain controllers as well as member servers.

Netdom join Joins a workstation or member server to a domain. The act of joining a computer to a domain creates an account for the computer on the domain, if it does not already exist.

Netdom move Moves a workstation or member server to a new domain. The act of moving a computer to a new domain creates an account for the computer on the domain, if it does not already exist.

Netdom query Queries the domain for information such as membership and trust.

Netdom remove Removes a workstation or server from the domain.

Netdom movent4bdc

Renames a Windows NT 4.0 backup domain controller to reflect a domain name change. This can assist in Windows NT 4.0 domain renaming efforts.

Netdom renamecomputer

Renames a domain computer and its corresponding domain account. Use this command to rename domain workstations and member servers only. To rename domain controllers, use the netdom computername command.

Netdom reset Resets the secure connection between a workstation and a domain controller.

Netdom resetpwd Resets the computer account password for a domain controller.

Netdom trust Establishes, verifies, or resets a trust relationship between domains.

Netdom verify Verifies the secure connection between a workstation and a domain controller.

Remarks

A trust relationship is a defined affiliation between domains that enables pass-through authentication.

A one-way trust relationship between two domains means that one domain (the trusting domain) allows users who have accounts in the other domain (the trusted domain) access to its resources.

The one-way trust relationship described here is helpful in master domain models, but it is not the only kind of trust relationship. When two one-way trusts are established between domains, it is known as a two-way trust. In two-way trusts, each domain treats the users from the trusted (and trusting) domain as its own users.

By default, only the result of an operation is reported. For example, if you use the Join operation, you see output similar to the following:

success: mywksta joined to mycompany domain

If you specify the /verbose parameter, the output lists the success or failure of each transaction that is necessary to perform the operation. For example, this time when you use the Join operation, you see output similar to the following:

success: adding machine account for mywksta to mycompany domain
success: configuring lsa on mywksta
success: mywksta joined to mycompany domain

The /reboot parameter specifies that the computer being acted upon by the specified netdom operation is shut down and automatically rebooted after the completion of the operation. When you specify the /reboot parameter, the following message and a countdown timer display on the workstation screen, prior to the Restart operation:

The system is shutting down. Please save all work in progress and logoff. Any unsaved changes will be lost. This shutdown was initiated because the domain which this machine belongs to was changed by nnn.

For nnn, netdom substitutes the name of the administrator that you enter by using the /uo parameter.

The default delay before the computer restarts is 20 seconds.

15. Dsrm

Deletes an object of a specific type or any general object from the directory.

Dsrm is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use dsrm, you must run the dsrm command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

dsrm <ObjectDN> ... [-subtree [-exclude]] [-noprompt] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

Parameters

 

Parameter Description

<ObjectDN> Required. Specifies the distinguished names of objects to delete. If no value is entered at the command prompt, the value will be obtained through standard input.

-subtree [-exclude]

Specifies that both the object and all objects contained in the subtree under that object should be deleted. If you specify the -exclude parameter, you must also specify the -subtree parameter. When you specify both parameters, dsrm excludes from deletion the base object that the <ObjectDN> parameter supplies when it deletes the objects under the subtree. By default, dsrm deletes only the base object specified.

-noprompt Sets the optional silent mode, which prevents prompts that ask you to confirm deletion of each object. By default, dsrm prompts you to confirm each deletion.

{-s <Server> | -d <Domain>}

Connects a computer to a remote server or domain that you specify. By default, dsrm connects the computer to the domain controller in the logon domain.

-u <UserName>

Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:

user name (for example, Linda)

domain\user name (for example, widgets\Linda)

user principal name (UPN) (for example, [email protected])

-p {<Password> | *}

Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsrm prompts you for a password.

-c Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not supply this parameter, dsrm exits when the first error occurs.

-q Suppresses all output to standard output (quiet mode).

{-uc | -uco | -uci}

Specifies that dsrm formats output or input data in Unicode. The following list explains each format.

-uc: Specifies a Unicode format for input from or output to a pipe (|).

-uco: Specifies a Unicode format for output to a pipe (|) or a file.

-uci: Specifies a Unicode format for input from a pipe (|) or a file.

/? Displays help at the command prompt.

Remarks

If a value that you supply contains spaces, use quotation marks around the text, for example, "CN=Mike Danseglio,CN=Users,DC=Contoso,DC=Com".

If you supply multiple values for a parameter, use spaces to separate the values, for example, a list of distinguished names.


Examples

To remove an organizational unit (OU) named Marketing and all the objects under that OU, type the following. With -noprompt there is no confirmation for any of the objects that are deleted, so list the subtree first (for example with dsquery * "OU=Marketing,DC=Contoso,DC=Com" -scope subtree) and make sure it contains only what you expect:

dsrm -subtree -noprompt -c OU=Marketing,DC=Contoso,DC=Com

To remove all objects under an OU named Marketing, but leave the OU intact, type:

dsrm -subtree -exclude -noprompt -c "OU=Marketing,DC=Contoso,DC=Com"

16. Xcopy

This command has been deprecated. Please use Robocopy instead.

Robocopy:

Copies file data.

Syntax

robocopy <Source> <Destination> [<File>[ ...]] [<Options>]

Parameters

 

Parameter Description

<Source> Specifies the path to the source directory.

<Destination> Specifies the path to the destination directory.

<File> Specifies the file or files to be copied. You can use wildcard characters (* or ?), if you want. If the File parameter is not specified, *.* is used as the default value.

<Options> Specifies options to be used with the robocopy command.

Copy options

 

Option Description

/s Copies subdirectories. Note that this option excludes empty directories.

/e Copies subdirectories. Note that this option includes empty directories.

/lev:<N> Copies only the top N levels of the source directory tree.

/z Copies files in Restart mode.

/b Copies files in Backup mode. Backup mode relies on the Backup and Restore privileges to read and write files regardless of their ACLs, so use it only from an account that is meant to hold those privileges.

/zb Uses Restart mode. If access is denied, this option uses Backup mode.

/efsraw Copies all encrypted files in EFS RAW mode.

/copy:<CopyFlags>

Specifies the file properties to be copied. The following are the valid values for this option:

D Data

A Attributes

T Time stamps

S NTFS access control list (ACL)

O Owner information

U Auditing information

The default value for CopyFlags is DAT (data, attributes, and time stamps).

/dcopy:T Copies directory time stamps.


/sec Copies files with security (equivalent to /copy:DATS).

/copyall Copies all file information (equivalent to /copy:DATSOU).

/nocopy Copies no file information (useful with /purge).

/secfix Fixes file security on all files, even skipped ones.

/timfix Fixes file times on all files, even skipped ones.

/purge Deletes destination files and directories that no longer exist in the source.

/mir Mirrors a directory tree (equivalent to /e plus /purge). Because /purge deletes anything in the destination that is not in the source, run the same command with /l first to list what would be deleted.

/mov Moves files, and deletes them from the source after they are copied.

/move Moves files and directories, and deletes them from the source after they are copied.

/a+:[RASHCNET] Adds the specified attributes to copied files.

/a-:[RASHCNET] Removes the specified attributes from copied files.

/create Creates a directory tree and zero-length files only.

/fat Creates destination files by using 8.3 character-length FAT file names only.

/256 Turns off support for very long paths (longer than 256 characters).

/mon:<N> Monitors the source, and runs again when more than N changes are detected.

/mot:<M> Monitors source, and runs again in M minutes if changes are detected.

/rh:hhmm-hhmm Specifies run times when new copies may be started.

/pf Checks run times on a per-file (not per-pass) basis.

/ipg:n Specifies the inter-packet gap to free bandwidth on slow lines.

/sl Copies the symbolic link instead of the target.


File selection options

 

Option Description

/a Copies only files for which the Archive attribute is set.

/m Copies only files for which the Archive attribute is set, and resets the Archive attribute.

/ia:[RASHCNETO] Includes only files for which any of the specified attributes are set.

/xa:[RASHCNETO] Excludes files for which any of the specified attributes are set.

/xf <FileName>[ ...] Excludes files that match the specified names or paths. Note that FileName can include wildcard characters (* and ?).

/xd <Directory>[ ...] Excludes directories that match the specified names and paths.

/xct Excludes changed files.

/xn Excludes newer files.

/xo Excludes older files.

/xx Excludes extra files and directories.

/xl Excludes "lonely" files and directories.

/is Includes the same files.

/it Includes "tweaked" files.

/max:<N> Specifies the maximum file size (to exclude files bigger than N bytes).

/min:<N> Specifies the minimum file size (to exclude files smaller than N bytes).

/maxage:<N> Specifies the maximum file age (to exclude files older than N days or date).

/minage:<N> Specifies the minimum file age (exclude files newer than N days or date).


/maxlad:<N> Specifies the maximum last access date (excludes files unused since N).

/minlad:<N> Specifies the minimum last access date (excludes files used since N). If N is less than 1900, N specifies the number of days. Otherwise, N specifies a date in the format YYYYMMDD.

/xj Excludes junction points, which are normally included by default.

/fft Assumes FAT file times (two-second granularity).

/dst Compensates for one-hour DST time differences.

/xjd Excludes junction points for directories.

/xjf Excludes junction points for files.

Retry options

 

Option Description

/r:<N> Specifies the number of retries on failed copies. The default value of N is 1,000,000 (one million retries).

/w:<N> Specifies the wait time between retries, in seconds. The default value of N is 30 (wait time 30 seconds).

/reg Saves the values specified in the /r and /w options as default settings in the registry.

/tbd Specifies that the system will wait for share names to be defined (retry error 67).

Logging options

 

Option Description

/l Specifies that files are to be listed only (and not copied, deleted, or time stamped).


/x Reports all extra files, not just those that are selected.

/v Produces verbose output, and shows all skipped files.

/ts Includes source file time stamps in the output.

/fp Includes the full path names of the files in the output.

/bytes Prints sizes, as bytes.

/ns Specifies that file sizes are not to be logged.

/nc Specifies that file classes are not to be logged.

/nfl Specifies that file names are not to be logged.

/ndl Specifies that directory names are not to be logged.

/np Specifies that the progress of the copying operation (the number of files or directories copied so far) will not be displayed.

/eta Shows the estimated time of arrival (ETA) of the copied files.

/log:<LogFile> Writes the status output to the log file (overwrites the existing log file).

/log+:<LogFile> Writes the status output to the log file (appends the output to the existing log file).

/unicode Displays the status output as Unicode text.

/unilog:<LogFile> Writes the status output to the log file as Unicode text (overwrites the existing log file).

/unilog+:<LogFile> Writes the status output to the log file as Unicode text (appends the output to the existing log file).

/tee Writes the status output to the console window, as well as to the log file.

/njh Specifies that there is no job header.

/njs Specifies that there is no job summary.


Job options

 

Option Description

/job:<JobName> Specifies that parameters are to be derived from the named job file.

/save:<JobName> Specifies that parameters are to be saved to the named job file.

/quit Quits after processing command line (to view parameters).

/nosd Indicates that no source directory is specified.

/nodd Indicates that no destination directory is specified.

/if Includes the specified files.

17. Cacls

This command has been deprecated. Please use Icacls instead.

Icacls

Displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories.

Syntax

icacls <FileName> [/grant[:r] <Sid>:<Perm>[...]] [/deny <Sid>:<Perm>[...]] [/remove[:g|:d]] <Sid>[...]] [/t] [/c] [/l] [/q] [/setintegritylevel <Level>:<Policy>[...]]
icacls <Directory> [/substitute <SidOld> <SidNew> [...]] [/restore <ACLfile> [/c] [/l] [/q]]

Parameters 


Parameter Description

<FileName> Specifies the file for which to display DACLs.

<Directory> Specifies the directory for which to display DACLs.

/t Performs the operation on all specified files in the current directory and its subdirectories.

/c Continues the operation despite any file errors. Error messages will still be displayed.

/l Performs the operation on a symbolic link versus its destination.

/q Suppresses success messages.

[/save <ACLfile> [/t] [/c] [/l] [/q]] Stores DACLs for all matching files into ACLfile for later use with /restore.

[/setowner <Username> [/t] [/c] [/l] [/q]]

Changes the owner of all matching files to the specified user.

[/findSID <Sid> [/t] [/c] [/l] [/q]] Finds all matching files that contain a DACL explicitly mentioning the specified security identifier (SID).

[/verify [/t] [/c] [/l] [/q]] Finds all files with ACLs that are not canonical or have lengths inconsistent with ACE (access control entry) counts.

[/reset [/t] [/c] [/l] [/q]] Replaces ACLs with default inherited ACLs for all matching files.

[/grant[:r] <Sid>:<Perm>[...]]

Grants specified user access rights. Permissions replace previously granted explicit permissions.

Without :r, permissions are added to any previously granted explicit permissions.

[/deny <Sid>:<Perm>[...]] Explicitly denies specified user access rights. An explicit deny ACE is added for the stated permissions and the same permissions in any explicit grant are removed.

[/remove[:g|:d]] <Sid>[...]] [/t] [/c] [/l] [/q]

Removes all occurrences of the specified SID from the DACL.

:g removes all occurrences of granted rights to the specified SID.

:d removes all occurrences of denied rights to the specified SID.

[/setintegritylevel [(CI)(OI)]<Level>:<Policy>[...]]

Explicitly adds an integrity ACE to all matching files. Level is specified as:

L[ow]

M[edium]

H[igh]

Inheritance options for the integrity ACE may precede the level and are applied only to directories.

[/substitute <SidOld> <SidNew> [...]] Replaces an existing SID (SidOld) with a new SID (SidNew). Requires the Directory parameter.

/restore <ACLfile> [/c] [/l] [/q] Applies stored DACLs from ACLfile to files in the specified directory. Requires the Directory parameter.

Remarks

SIDs may be in either numerical or friendly name form. If you use a numerical form, affix the wildcard character * to the beginning of the SID.

icacls preserves the canonical order of ACE entries as:

o Explicit denials

o Explicit grants

o Inherited denials

o Inherited grants

Perm is a permission mask that can be specified in one of the following forms:

o A sequence of simple rights:

F (full access)

M (modify access)

RX (read and execute access)

R (read-only access)

W (write-only access)

o A comma-separated list in parentheses of specific rights:

D (delete)

RC (read control)

WDAC (write DAC)

WO (write owner)

S (synchronize)

AS (access system security)

MA (maximum allowed)

GR (generic read)

GW (generic write)

GE (generic execute)

GA (generic all)

RD (read data/list directory)

WD (write data/add file)

AD (append data/add subdirectory)

REA (read extended attributes)

WEA (write extended attributes)

X (execute/traverse)

DC (delete child)

RA (read attributes)

WA (write attributes)

Inheritance rights may precede either Perm form, and they are applied only to directories:

(OI): object inherit

(CI): container inherit

(IO): inherit only

(NP): do not propagate inherit

Examples

To save the DACLs for all files in the C:\Windows directory and its subdirectories to the ACLFile file, type:

icacls c:\windows\* /save aclfile /t

To restore the DACLs for every file within ACLFile that exists in the C:\Windows directory and its subdirectories, type:

icacls c:\windows\ /restore aclfile

To grant the user User1 Delete and Write DAC permissions to a file named "Test1", type:

icacls test1 /grant User1:(d,wdac)

To grant the user defined by SID S-1-1-0 Delete and Write DAC permissions to a file, named "Test2", type:


icacls test2 /grant *S-1-1-0:(d,wdac)
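The Remarks above give the canonical ACE order, and the last two examples grant Write DAC to User1 and to S-1-1-0 (Everyone). Write DAC is the right to rewrite the ACL itself, so granting it to Everyone lets anyone give themselves full control of the file in a second step. The Python below is an added example (not code from the page, from icacls or from Microsoft) that reads the name/SDDL line pairs icacls /save writes, parses each DACL, reports ACEs that break the canonical order, and flags allow ACEs that give Everyone, Authenticated Users or Users the WRITE_DAC, WRITE_OWNER or GENERIC_ALL bits. The sample save-file contents are constructed; the function names are this example's own.

```python
"""Audit the DACLs that icacls /save writes out as SDDL.

Added example: not code from the page, from icacls, or from Microsoft. The
save-file text below is constructed in the shape icacls /save produces (a
file name line followed by its SDDL line); function names are this
example's own.
"""
import re

ACE_RE = re.compile(r"\(([^)]*)\)")

# SDDL access-right tokens. These are not the icacls /grant letters: SDDL
# 'WD' is WRITE_DAC, which icacls spells 'WDAC'.
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
          "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000}
WRITE_DAC, WRITE_OWNER, GENERIC_ALL = 0x40000, 0x80000, 0x10000000

# SDDL trustee aliases; in this position 'WD' means Everyone (S-1-1-0).
SIDS = {"WD": "S-1-1-0", "AU": "S-1-5-11", "BU": "S-1-5-32-545",
        "BA": "S-1-5-32-544", "SY": "S-1-5-18", "CO": "S-1-3-0"}
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "Users"}


def parse_mask(field):
    """Rights field: either hex (0x1200a9) or concatenated two-letter tokens (SDWD)."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]      # unknown token: KeyError, on purpose
    return mask


def parse_dacl(sddl):
    """Return the ACEs of a 'D:<flags>(ace)(ace)...' string, in DACL order."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL string starting with D:")
    aces = []
    for body in ACE_RE.findall(sddl):
        ace_type, flags, rights, _obj, _inherit_obj, trustee = body.split(";")[:6]
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        aces.append({"type": ace_type, "inherited": "ID" in flag_set,
                     "mask": parse_mask(rights), "sid": SIDS.get(trustee, trustee)})
    return aces


def canonical_rank(ace):
    """Canonical DACL order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return (2 if ace["inherited"] else 0) + (0 if ace["type"] == "D" else 1)


def audit(aces):
    """Findings: ACEs out of canonical order (a deny that follows an allow may
    never be reached by the access check), and broad groups allowed to take
    over the ACL or the owner."""
    findings = []
    for i in range(1, len(aces)):
        if canonical_rank(aces[i]) < canonical_rank(aces[i - 1]):
            findings.append(f"ACE {i} is out of canonical order")
    for i, ace in enumerate(aces):
        if ace["type"] == "A" and ace["sid"] in BROAD \
                and ace["mask"] & (WRITE_DAC | WRITE_OWNER | GENERIC_ALL):
            findings.append(f"ACE {i}: {BROAD[ace['sid']]} can change the ACL or owner")
    return findings


def parse_save_file(text):
    """icacls /save output alternates a (relative) file name line with its SDDL line."""
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) % 2:
        raise ValueError("expected name/SDDL line pairs")
    return list(zip(lines[0::2], lines[1::2]))


def audit_save_file(text):
    return {name: audit(parse_dacl(sddl)) for name, sddl in parse_save_file(text)}


SAMPLE_SAVE = (   # constructed; the second entry mirrors the page's test2 example
    "test1\n"
    "D:PAI(A;;FA;;;BA)(A;;0x1200a9;;;BU)\n"
    "test2\n"
    "D:AI(A;;SDWD;;;WD)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)\n"
    "reports\\q3.docx\n"
    "D:AI(A;;FA;;;BU)(D;;WD;;;AU)\n"
)

if __name__ == "__main__":
    for name, findings in audit_save_file(SAMPLE_SAVE).items():
        print(name, "->", findings or "ok")
```

icacls writes the save file as UTF-16, so read it with open(path, encoding="utf-16") before passing its contents to audit_save_file. Keep the two SDDL namespaces apart when reading results: in the rights field WD is WRITE_DAC (icacls WDAC), in the trustee field WD is Everyone.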

18. Dsacls

Displays and changes permissions (access control entries) in the access control list (ACL) of objects in Active Directory Domain Services (AD DS).

Dsacls is a command-line tool that is built into Windows Server 2008. It is available if you have the AD DS server role installed. To use dsacls, you must run the dsacls command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Dsacls is the command-line equivalent of the Security tab in the properties dialog box for an Active Directory object in tools such as Active Directory Users and Computers. You can use either tool to view and change permissions to an Active Directory object.

Note

The access control entries (ACEs) that you add by using dsacls must be object-specific permissions that override the default permissions that are defined in the Active Directory schema for that object type. Do not add ACEs unless you are well-informed about security for Active Directory objects.

To view an ACL, the user must have Read permissions on Active Directory objects. To change an ACL, the user must have Write permissions on the Active Directory object.

Syntax

dsacls "[\\<Computer>\]<ObjectDN>" [/A] [/D <PermissionStatement> [<PermissionStatement>]...] [/G <PermissionStatement> [<PermissionStatement>]...] [/I:{T | S | P}] [/N] [/P:{Y | N}] [/R {<User> | <Group>} [{<User> | <Group>}]...] [/S [/T]] [/?]

Parameters

If you specify an object without additional parameters, Dsacls displays the ACEs in the ACL.

 


Parameter Description

"[\\<Computer>\]<ObjectDN>"

Identifies the Active Directory object to investigate. Type the distinguished name of the object. To specify an object on a remote computer, type that computer name followed by the distinguished name. This parameter must be enclosed in quotation marks. For example:

"CN=Jeff Akers,CN=Users,DC=domain,DC=test,DC=contoso,DC=com" 

or

"\\Server01\CN=Jeff Akers,CN=Users,DC=domain,DC=test,DC=contoso,DC=com"

/A Adds ownership and auditing information to the results.

/D

Denies the permissions that you specify to the user or group.

You can deny permissions to multiple users in each /D command, for example:

/D Domain1\User1:CCDC Domain1\User2:DC;computer

For more information, see "Syntax for PermissionStatement" below.

/G

Grants the permissions that you specify to the user or group.

You can grant permissions to multiple users in each /G command, for example:

/G Domain1\User1:CCDC Domain1\User2:DC;computer

For more information, see "Syntax for PermissionStatement" below.

/I:{T | S | P}

Specifies the objects to which you are applying the permissions. This parameter determines whether the permissions are inheritable. T is the default.

T: The object and its child objects

S: The child objects only

P: The object and child objects down to one level only (propagate inheritable permissions to one level only)

/N Provides that the specified ACE replaces the current ACEs in the ACL. By default, dsacls adds the ACE to the ACL.

/P:{Y | N}

Determines whether the object can inherit permissions from its parent objects. If you omit this parameter, the inheritance properties of the object do not change.

Y: The object is protected and cannot inherit permissions.

N: The object is not protected and can inherit permissions.

Note

This parameter changes a property of the object, not of an ACE. To specify whether an ACE is inheritable, use the /I parameter.

/R {<User> | <Group>} [{<User> | <Group>}]...

Deletes all ACEs for the users or groups that you specify. You can specify User as User@Domain or as Domain\User. You can specify Group as Group@Domain or as Domain\Group.

You can delete ACEs for multiple users and groups in a single /R parameter, for example:

/R Domain1\User1 Domain1\User2

/S Restores the security on the object to the default for that object class as defined in the Active Directory schema.

/T Restores the security on the tree of objects to the default for each object class. This parameter is valid only with the /S parameter.

/? Displays help at the command prompt.

Syntax for PermissionStatement

{<User> | <Group>}:<Permissions>[;{<ObjectType> | <Property>}][;<InheritedObjectType>]

Parameters

Parameter Description

{<User> | <Group>} Specifies the user or group to whom the rights apply. You can specify User as User@Domain or Domain\User. You can specify Group as Group@Domain or Domain\Group.

<Permissions> Specifies the type of permissions that you are applying. You can specify one or more of the following values (without spaces).

Generic permissions

GR: Generic Read

GE: Generic Execute

GW: Generic Write

GA: Generic All

Specific permissions

SD: Delete an object.

DT: Delete an object and all of its child objects.

RC: Read security information.

WD: Change security information.

WO: Change owner information.

LC: List the child objects of the object.

CC: Create a child object. If you do not specify {ObjectType | Property} to define a specific child object type, this permission applies to all types of child objects; otherwise, it applies only to the child object type that you specify.

DC: Delete a child object. If you do not specify {ObjectType | Property} to define a specific child object type, this permission applies to all types of child objects; otherwise, it applies only to the child object type that you specify.

WS: Write to a self object. This is meaningful only on group objects and when {ObjectType | Property} is a "member."

RP: Read a property. If you do not specify {ObjectType | Property} to define a specific property, this permission applies to all properties of the object; otherwise, it applies only to the property of the object that you specify.

WP: Write to a property. If you do not specify {ObjectType | Property} to define a specific property, this permission applies to all properties of the object; otherwise, it applies only to the property of the object that you specify.

CA: Control access. If you do not specify {ObjectType | Property} to define the specific extended right for control access, this permission applies to all meaningful control accesses on the object; otherwise, it applies only to the specific extended right for that object.

LO: List the object access. You can use this permission to grant list access to a specific object if List Children (LC) is not also granted to the parent object. You can also use this permission to deny access to list an object (to hide an object) if the user or group has LC permission on the parent object.

Note

AD DS does not enforce this permission by default. You must configure AD DS to check for this permission.

{<ObjectType> | <Property>}

Limits the permission to the specified object type or property. Enter the display name of the object type or the property. If you do not specify an object type or property, the permission applies to all object types and properties.

For example, the following command permits the user to create all types of child objects:

/G Domain\User:CC

In contrast, the following command permits the user to create only child computer objects:

/G Domain\User:CC;computer

<InheritedObjectType> Limits inheritance of the permission to the specified object type. Enter the display name of the object type. If you do not specify an object type, all object types can inherit the permission. You can use this parameter only when permissions are inheritable.

For example, the following command permits all object types to inherit the permission:

/G Domain\User:CC

In contrast, the following command permits only User objects to inherit the permission:

/G Domain\User:CC;;user

Examples

To grant the permission to delete, read security information, change security information, and change ownership permissions on a User object, type:

SDRCWDWO;;user

To grant permission to create child objects and delete child objects of a Group object, type:

CCDC;group;

To grant permissions to read property and write property values on a Telephonenumber property, type:

RPWP;telephonenumber;
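
The permission statements above are easy to get wrong, and a single mistyped code or a bare CA can delegate far more than intended. The following Python script is an added example, not part of these notes or of the dsacls tool. It implements the syntax documented in this section: it tokenises a dsacls command line, parses each PermissionStatement into principal, permission codes, object type or property and inherited object type, rejects unknown codes, and lists what a reviewer should look at before the command is run (grants of GA, GW, WD, WO, DT or SD to principals outside an allow-list, CA without a named extended right, /N, /P:Y and /S). The command lines, principals and distinguished names in it are constructed; "Reset Password" is assumed to be the display name of the extended right for resetting a user's password. Note that the three example statements just above omit the principal; the parser expects the full form with {User | Group}: in front.

```python
"""Offline reviewer for dsacls command lines (added example; not part of the
70-290 notes or of the dsacls tool). It implements the grammar documented above,
switches plus {User|Group}:<Permissions>[;{ObjectType|Property}][;InheritedObjectType],
so a delegation script can be checked before it touches AD DS. All sample
command lines, principals and DNs below are constructed for this example."""
import re
from dataclasses import dataclass, field

# Permission codes exactly as listed in the dsacls syntax above; HIGH_IMPACT are
# the ones that let the holder rewrite the ACL, take ownership or delete objects.
GENERIC = {"GR", "GE", "GW", "GA"}
SPECIFIC = {"SD", "DT", "RC", "WD", "WO", "LC", "CC", "DC", "WS", "RP", "WP", "CA", "LO"}
HIGH_IMPACT = {"GA", "GW", "WD", "WO", "DT", "SD"}


@dataclass
class PermissionStatement:
    principal: str            # User@Domain, Domain\User, Group@Domain or Domain\Group
    permissions: list         # e.g. ["CC", "DC"]
    object_type: str = ""     # ObjectType or Property; "" means all
    inherited_type: str = ""  # InheritedObjectType; "" means all


@dataclass
class DsaclsCommand:
    target: str                                   # "[\\Computer\]ObjectDN"
    grants: list = field(default_factory=list)    # /G statements
    denies: list = field(default_factory=list)    # /D statements
    removals: list = field(default_factory=list)  # /R principals
    flags: set = field(default_factory=set)       # /N, /S, /T, /A, /? as given
    inherit: str = "T"          # /I:{T|S|P}; T is the documented default
    protect: str = ""           # /P:Y, /P:N or "" (inheritance unchanged)


def parse_permission_codes(text):
    """Split 'SDRCWDWO' into ['SD', 'RC', 'WD', 'WO']; reject unknown codes."""
    if not text or len(text) % 2:
        raise ValueError(f"{text!r} is not a run of two-letter permission codes")
    codes = [text[i:i + 2].upper() for i in range(0, len(text), 2)]
    if unknown := [c for c in codes if c not in GENERIC | SPECIFIC]:
        raise ValueError(f"unknown permission code(s) {unknown} in {text!r}")
    return codes


def parse_statement(stmt):
    """Parse one PermissionStatement into its principal and three ';' fields."""
    principal, sep, rest = stmt.partition(":")
    if not sep or not principal:
        raise ValueError(f"missing ':' in permission statement {stmt!r}")
    parts = rest.split(";")
    if len(parts) > 3:
        raise ValueError(f"too many ';' fields in {stmt!r}")
    parts += [""] * (3 - len(parts))
    return PermissionStatement(principal, parse_permission_codes(parts[0]), parts[1], parts[2])


def parse_dsacls(cmdline):
    """Tokenise a dsacls command line; quoted tokens may contain spaces."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if len(tokens) < 2 or tokens[0].lower() != "dsacls" or tokens[1].startswith("/"):
        raise ValueError('expected: dsacls "<ObjectDN>" [switches]')
    cmd = DsaclsCommand(target=tokens[1])
    bucket = None  # the list that receives the non-switch tokens that follow
    for tok in tokens[2:]:
        up = tok.upper()
        if up in ("/G", "/D", "/R"):
            bucket = {"/G": cmd.grants, "/D": cmd.denies, "/R": cmd.removals}[up]
        elif up.startswith("/I:") and up[3:] in ("T", "S", "P"):
            cmd.inherit = up[3:]
        elif up.startswith("/P:") and up[3:] in ("Y", "N"):
            cmd.protect = up[3:]
        elif up in ("/N", "/S", "/T", "/A", "/?"):
            cmd.flags.add(up)
        elif up.startswith("/"):
            raise ValueError(f"unrecognised switch {tok!r}")
        elif bucket is None:
            raise ValueError(f"{tok!r} appears before any /G, /D or /R")
        else:  # /R takes bare principals; /G and /D take full statements
            bucket.append(tok if bucket is cmd.removals else parse_statement(tok))
    return cmd


def review(cmd, trusted=()):
    """Return the points a reviewer should see before this command is run."""
    notes, trusted = [], {p.lower() for p in trusted}
    for st in cmd.grants:
        risky = sorted(HIGH_IMPACT & set(st.permissions))
        if risky and st.principal.lower() not in trusted:
            notes.append(f"{st.principal} gets {','.join(risky)} on {st.object_type or 'the whole object'}")
        if "CA" in st.permissions and not st.object_type:
            notes.append(f"{st.principal} gets every extended right (CA with no right named)")
    if "/N" in cmd.flags:
        notes.append("/N replaces the existing ACL instead of adding to it")
    if cmd.protect == "Y":
        notes.append("/P:Y stops the object inheriting permissions from its parent")
    if "/S" in cmd.flags:
        notes.append("/S resets security to schema defaults" + (" for the whole subtree" if "/T" in cmd.flags else ""))
    return notes


if __name__ == "__main__":  # constructed samples: a narrow help-desk delegation, then an over-broad grant
    for line in (r'dsacls "OU=Workstations,DC=contoso,DC=com" /G "CONTOSO\HelpDesk:CA;Reset Password;user" /I:S',
                 r'dsacls "CN=Jeff Akers,CN=Users,DC=contoso,DC=com" /G CONTOSO\Contractors:GA /N /P:Y'):
        print(line, "->", review(parse_dsacls(line)) or ["no findings"])
```

Running the script prints the findings for the two constructed samples: the help-desk delegation (one extended right, child objects only, user objects only) produces none, while the GA grant combined with /N and /P:Y produces three. A malformed statement makes parse_dsacls raise ValueError, which is the point: a delegation script fails in review rather than against the directory.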

19. Wuauclt

Manipulate Automatic Updates Behavior Using Command-line Options

There are two documented command-line options used for manipulating Automatic Updates behavior. These options are meant to be run from a command prompt. They are helpful for testing and troubleshooting client computers. For comprehensive troubleshooting information for problems with both the WSUS server and client computers, see "Microsoft Windows Server Update Services Operations Guide."

Detectnow Option

Because waiting for detection to start can be a time-consuming process, an option has been added to allow you to initiate detection right away. On one of the computers with the new Automatic Update client installed, run the following command at the command prompt:

wuauclt.exe /detectnow

Resetauthorization Option

WSUS uses a cookie on client computers to store various types of information, including computer group membership when client-side targeting is used. By default this cookie expires an hour after WSUS creates it. If you are using client-side targeting and change group membership, use this option in combination with detectnow to expire the cookie, initiate detection, and have WSUS update computer group membership.

Note that when combining parameters, you can use them only in the order specified as follows:

wuauclt.exe /resetauthorization /detectnow

20. Wsusutil

Managing WSUS from the Command Line

This topic does the following:

Summarizes the purpose and functionality of WSUSutil.exe and its parameters.

Provides and defines the syntax you would use to run specific tasks.

Links to "Deploying Microsoft Windows Server Update Services" where more information (for example, scenarios) is available.

Running WSUSutil.exe

WSUSutil.exe is a tool that you can use to manage your WSUS server from the command line. WSUSutil.exe is located in the %drive%\Program Files\Update Services\Tools folder on your WSUS server. You can run specific commands with WSUSutil.exe to perform specific functions, as summarized in the following table. The syntax you would use to run WSUSutil.exe with specific commands follows the table.

Summary of Commands You Can Use with WSUSutil

Command: export
What it enables you to do: The first of the two parts that make up the export/import process. The export command enables you to export update metadata to an export package file. You cannot use this parameter to export update files, update approvals, or server settings.
When you might use it: On an ongoing basis, if you are running a network with limited or restricted Internet connectivity.

Command: import
What it enables you to do: The second of the two parts that make up the export/import process. The import command imports update metadata to a server from an export package file created on another WSUS server. This synchronizes the destination WSUS server without using a network connection.
When you might use it: On an ongoing basis, if you are running a network with limited or restricted connectivity.

Command: migratesus
What it enables you to do: Migrates update approvals from a SUS 1.0 server to a WSUS server.
When you might use it: If you are upgrading your SUS 1.0 implementation to WSUS.

Command: movecontent
What it enables you to do: Changes the file system location where the WSUS server stores update files, and optionally copies any update files from the old location to the new location.
When you might use it: Hard drive is full; disk fails.

Command: reset
What it enables you to do: Checks that every update metadata row in the database has corresponding update files stored in the file system. If update files are missing or have been corrupted, WSUS downloads the update files again.
When you might use it: After restoring the WSUS database; when troubleshooting.

Command: deleteunneededrevisions
What it enables you to do: Purges the update metadata for unnecessary update revisions from the database.
When you might use it: To free up space when an MSDE database is full.

Command: listinactiveapprovals
What it enables you to do: Returns a list of update titles with approvals that are in a permanently inactive state because of a change in server language settings.
When you might use it: When you change language settings on an upstream server (that is, the parent of a replica server) and want to see which updates are no longer active because they are not in the new languages you have specified. You can run this command if you want to see a list of inactive approvals (for example, to help you decide whether to remove the inactive approvals). You do not have to run this command before running the removeinactiveapprovals command.

Command: removeinactiveapprovals
What it enables you to do: Removes approvals for updates that are in a permanently inactive state because of a change in WSUS server language settings.
When you might use it: When you change language settings on an upstream server (that is, the parent of a replica server) and want to remove updates that are no longer active because they are not in the new languages you have specified. This fixes the resulting mismatch in the number of updates displayed on the parent and replica servers. You do not have to run the listinactiveapprovals command before running this command.

Export

For background and procedural information about exporting and importing updates, see "Set Up a Disconnected Network (Import and Export Updates)" in Deploying Microsoft Windows Server Update Services at http://go.microsoft.com/fwlink/?linkid=41777.

Syntax

At the command line %drive%\Program Files\Update Services\Tools>, type:

wsusutil export package logfile

The parameters are defined in the following table.

Parameter Definition

package The path and file name of the package .cab to create.

logfile The path and file name of the log file to create.

/help or /? Displays command-line help for the export command.

Import

For background and procedural information about exporting and importing updates, see "Set Up a Disconnected Network (Import and Export Updates)" in Deploying Microsoft Windows Server Update Services at http://go.microsoft.com/fwlink/?linkid=41777.

Syntax

At the command line %drive%\Program Files\Update Services\Tools>, type:

wsusutil import package logfile

The parameters are defined in the following table:

Parameter Definition

package The path and file name of the package .cab to import.

logfile The path and file name of the log file to create.

/help or /? Displays command-line help for the import command.

Migratesus

SUS 1.0 to WSUS migration scenarios and related procedures are covered extensively in the "Migrate from a SUS Server to a WSUS Server" topic in Deploying Microsoft Windows Update Services at http://go.microsoft.com/fwlink/?LinkID=41777.

Syntax

At the command line %drive%\Program Files\Update Services\Tools>, type:

wsusutil migratesus [/content contentshare] [/approvals servername [computergroup]] [/log logfile] [/?]

The parameters are defined in the following table:

Parameter Definition

/content contentshare Migrates content from a SUS 1.0 server, where contentshare is the path to the folder that contains SUS 1.0 content.

/approvals servername Migrates approvals from the SUS 1.0 server, where servername is the name of the SUS 1.0 server.

computergroup Computer group for which you want to apply the approvals.

/help or /? Displays command-line help for the migratesus parameter.

/log logfile File in which migration activities are logged.

Movecontent

When you run this command, WSUSutil.exe does the following:

1. Copies the update files from the old location into the new location.

2. Updates the WSUS database to refer to the new location of the update files.

The destination folder where update files are moved to must be on an NTFS partition. The content move tool will not try to copy update files if they already exist in the destination folder. WSUSutil.exe sets the same permissions on the destination folder that were set on the original folder.

Note

You can use xcopy, the Backup utility, or other non-WSUS specific methods to copy update files from the old location into the new one. If you copy the files by using a method other than WSUSutil.exe, you still need to run WSUSutil.exe to perform the second part of the move. In this case you would use the skipcopy parameter when running WSUSutil.exe. See "Syntax" below for more information.

There are two scenarios in which you might move update files from one WSUS drive to another:

If the drive is full

If the hard disk fails

If the drive is full

If the drive where WSUS stores update files is full, you can do one of the following:

Add more space to your current drive by using NTFS functionality. This is done without using WSUSutil.exe. This method does not affect WSUS configuration or operation.

Install a new drive, and then move the update files from the old drive to the new location by using Wsusutil.exe.

If the hard disk fails

If the hard disk that stores update files fails, you must do the following:

1. Install the new disk on your computer, and then restore the update files from your backup files. Note: If you have not backed up your update files, WSUSutil.exe downloads the missing files at the end of the content move operation.

2. Run the content move operation, specifying the location for the new disk. In addition, you specify the skipcopy parameter, because you are either putting the files in the new folder through the Backup utility or the source folder does not exist; the update files will be downloaded at the end of this process.

3. When the move operation is complete, all the missing files are downloaded.

Syntax

At the command line %drive%\Program Files\Update Services\Tools>, type:

wsusutil movecontent contentpath logfile [-skipcopy] [/?]

The parameters are defined in the following table.

Parameter Definition

contentpath The new root for content files. The path must exist.

logfile The path and file name of the log file to create.

-skipcopy Indicates that only the server configuration should be changed, and that the content files should not be copied.

/help or /? Displays command-line help for the movecontent command.

Reset

You use this command if you store updates locally on your WSUS server and want to ensure that the metadata information stored in your WSUS database is accurate. With this command, you verify that every update metadata row in the WSUS database corresponds to update files stored in the local update file storage location on your WSUS server. If update files are missing or have been corrupted, WSUS downloads the update files again. This command might be useful to run after you restore your database, or as a first step when troubleshooting update approvals.

Syntax

At the command line %drive%\Program Files\Update Services\Tools>, type:

wsusutil reset

Deleteunneededrevisions

If you use an MSDE database in your WSUS implementation (for example, if you are using WSUS on a server running Windows 2000), you might need to run this command periodically when the database reaches its 2-GB limit because once the database is full, you cannot synchronize new updates to your server, add new computers, or import events from existing client computers.

With regular use, it is possible that the 2 GB will be reached quickly, as updates can be very large, and update publishers typically create multiple revisions of each update, which your server will synchronize automatically for the products and update classifications you specify. In addition, event information for client computers also populates the database. When your MSDE database is close to reaching its limit, you will receive a notification on the WSUS console Home page alerting you to run this command soon. When you run this command, unneeded revisions and the events associated with those revisions are deleted from the database.

Unneeded revisions are revisions to software or driver updates that have not been deployed to a computer group in at least one month; they are also the latest revisions to expired driver updates that have not been deployed to a computer group for at least one month. The one-month time period in both of these cases can be changed, indirectly: it is automatically reduced by 7 to 15 days if running this command on a database larger than 1 GB reduces its size by less than 25 percent.

Note

For more information about the databases you can use with WSUS, see the "Choose the Database Used for WSUS" topic in Deploying Microsoft Windows Update Services at http://go.microsoft.com/fwlink/?LinkID=41777.

Syntax

At the command line %drive%\Program Files\Update Services\Tools>, type:

wsusutil deleteunneededrevisions

Important

Before running this command, you must stop the World Wide Web publishing service in IIS, and restart it only after the command has finished. To stop or start the IIS service, open IIS, navigate to and then right-click the Web site where WSUS is installed (by default this is the Default Web Site), and then click Stop or Start.

Listinactiveapprovals

If you change language options on an upstream WSUS server, you can create a situation where the number of updates approved on a parent upstream server does not match the number of approved updates on a replica server.

Here is a scenario where this might occur:

You have configured your upstream parent server to synchronize from Microsoft Update and have left the language setting set to All Languages (the default). You then run synchronization and approve 300 updates, of which 50 are not English language updates. You then change the language setting on the server to English only. After this, a replica server synchronizes from the parent upstream server and downloads only the "active" approvals, which now are only the English language ones (replica servers always only synchronize active approvals). At this point, if you look on the WSUS console on the parent server, you will see that 300 updates are approved. If you do the same on the replica server, you will see that only 250 are approved. You would use listinactiveapprovals to see a list of the updates on the parent upstream server that are permanently inactive—in this case, you would see the 50 updates that are not English. You can run this command if you want to see a list of the inactive approvals (for example, to help you decide if you want to remove the inactive approvals). You do not have to run this command before running the removeinactiveapprovals command.

Syntax

At the command line %drive%\Program Files\Update Services\Tools>, type:

wsusutil listinactiveapprovals

Removeinactiveapprovals

The scenario in which you would use this command is the same as the one described for listinactiveapprovals. However, while you use listinactiveapprovals to list the inactive approvals on the parent upstream server, you use removeinactiveapprovals to remove them. You do not have to run the listinactiveapprovals command before running this command.

Syntax

At the command line %drive%\Program Files\Update Services\Tools>, type:

wsusutil removeinactiveapprovals

21. Logoff

About logoff

The logoff command is an external command that allows a user to quickly log off their computer from the command line or within a batch file.

Availability

The logoff command is an external command that is available in the following Microsoft operating systems.

Windows 2000, Windows XP

Syntax

Terminates a session.

LOGOFF [sessionname | sessionid] [/SERVER:servername] [/V]

sessionname The name of the session.

sessionid The ID of the session.

/SERVER:servername Specifies the Terminal server containing the user session to log off (default is current).

/V Displays information about the actions performed.

Examples

logoff

Would immediately log off the profile currently logged into Windows.

Note: Running this command does not prompt you to confirm that you want to log off.