DS Commands Notes and Examples

Upload: maximillian-joseph

Post on 25-Dec-2015



DS Commands

• Tools that are available to manage Active Directory from the command prompt.

• Use of DS commands requires an understanding of distinguished names.

Distinguished Name (DN)

• Every object in Active Directory has an associated distinguished name, or DN. The DN exactly identifies the location of the object within Active Directory. It uniquely identifies the object by its common name and its location within the domain.

Distinguished Name (DN) (continued)

• Common Name: An object’s common name is the plain-English name given to the object when it’s created. An object’s common name is identified using cn=Name; for example:

“cn=Sponge Bob”

Distinguished Name (DN) (continued)

• Object’s Location: An object’s location is determined by the names of the domain components and the names of the container objects (organizational unit) that contain the object.

• Organizational Units are identified by using ou=
  – Exception: the system-generated Users container is identified with cn=

• Domain components are identified by using dc=

• If the Sponge Bob object is in a container (organizational unit) named Finance and the Finance container is in a domain named marketing.insideis.com, the object’s location would be referenced as:

"ou=finance, dc=marketing, dc=insideis, dc=com" or ou=finance,dc=marketing,dc=insideis,dc=com

Quotes are needed in the first example because spaces were included after each comma in the name.

Distinguished Name (DN) (continued)

• An object’s distinguished name includes its common name and the object’s location.

• The distinguished name for the Sponge Bob object that exists inside the Finance container within the marketing.insideis.com domain is:

"cn=Sponge Bob, ou=Finance, dc=marketing, dc=insideis, dc=com" or "cn=Sponge Bob,ou=Finance,dc=marketing,dc=insideis,dc=com"

Quotes are required in both examples because the value of cn includes spaces.

Distinguished Name (DN) (continued)

• Some rules regarding writing a distinguished name include:
  – CN= precedes the common name of the object
  – OU= precedes an organizational unit’s name
  – DC= precedes each part of a domain name
  – Commas separate each component in the name and they are required
  – The space after the comma is optional; if used, the DN must be enclosed in quotes
  – If any spaces exist in any part of the name, the DN must be enclosed in quotes
  – No portion of the name is case sensitive

Examples of Distinguished Names

The Brian user object’s distinguished name: cn=brian,ou=finance,dc=domainp,dc=bcc or "cn=brian, ou=finance, dc=domainp, dc=bcc"

Quotes are needed in the second example because spaces were included after each comma in the name.

Examples of Distinguished Names

The John J. Jones user object’s distinguished name: "cn=John J. Jones,ou=Users,ou=Finance,dc=domainp,dc=bcc"

Quotes are required because the value of cn contains spaces.

DSADD User

• DSADD can be used to create many different object types; this and the next few slides will concentrate on using DSADD to create user objects.

• Syntax for a user account is
  – DSADD USER distinguished-name switches

• Switches commonly used include
  – -pwd (password), -samid, -upn, -memberof, -disabled

Sample DSAdd

dsadd user "cn=Wilma Flintstone, ou=finance,dc=domainp,dc=bcc" -pwd Bristol! -upn [email protected] -samid wflintstone

The above command would be typed on one line. It adds a user to the Finance container within the domainp.bcc domain. The user’s password will be set to Bristol!, her user object’s common name (cn) will be Wilma Flintstone, her user principal name (upn) will be [email protected] and her samid will be wflintstone.

The user could log in using wflintstone or [email protected]

DSADD User (continued)

• It’s important to understand the difference between the different name values: cn, upn and samid.

• When entering the command, the only required value is cn.

• But what happens if you leave off the upn or samid?
  – Upn – if omitted, that property is left blank and the user would not be able to log in using a upn name (i.e., [email protected])
  – Samid – if omitted, the first 20 characters of the supplied cn value will be used as the samid

DSADD User (continued)

Example: Dsadd user cn=Jackson,ou=finance,dc=domainp,dc=bcc -pwd Bristol!

The cn value is used as the object name and as the samid; the upn value is left blank.

User could log in using the login name: Jackson

A upn (i.e., [email protected]) would not be supported.

DSADD User (continued)

Example: Dsadd user "cn=Jackson M. Mortinville, ou=finance,dc=domainp,dc=bcc" -pwd Bristol!

User would have to log in using the login name: Jackson M. Mortinvil

This, obviously, would not be recommended.

Understanding how DSADD provides values to properties is critical in ensuring that a desired login name is provided.

The cn value is used as the object name and as the samid. Notice that only the first 20 characters of the cn value are used for the samid.

DSADD User (continued)

Example: samid not provided

Dsadd user "cn=Jackson Smith, ou=finance,dc=domainp,dc=bcc" -pwd Bristol! -upn [email protected]

User could log in using: Jackson Smith or [email protected]

Jsmith (alone) will not work.

This, obviously, would not be recommended.

Here again, understanding how DSADD provides values to properties is critical in ensuring that a desired login name is provided.

The cn value is used as the object name and, because the total number of characters is less than 20, the entire cn value is used as the samid. The upn value is provided.

DSADD User: Best Practice

• The best practice when creating user accounts with the DSADD command is to always provide all three values:
  – Cn – this is the object’s name and it is what you see by default when viewing the database using Active Directory Users and Computers. It is also the name you will use whenever referencing the object from the command prompt.
  – Samid – this is the name you want the user to use when logging in (e.g., jjones)
  – Upn – should be the same value as the samid, followed by @ and the domain name in which the account is being created (e.g., [email protected])
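The following is an added example (not from the slides) that encodes the DN quoting rules from the distinguished-name slides and the DSADD USER defaulting behaviour described above (samid taken from the first 20 characters of cn, upn left blank), so the login names a command will produce can be checked before it is run. Function names and the constructed sample values are assumptions.

```python
# Added example: DN construction under the slides' quoting rules, plus a
# preview of the cn/samid/upn values DSADD USER stores when switches are
# omitted. The 20-character samid default mirrors what the slides describe.
from typing import Optional


def build_dn(cn: str, ous: list, domain: str, spaced: bool = False) -> str:
    """Compose cn=, ou= (innermost container first) and dc= components.
    Per the slides, the DN must be quoted if any space appears in it,
    whether inside a value or after a separator comma."""
    parts = [f"cn={cn}"]
    parts += [f"ou={ou}" for ou in ous]
    parts += [f"dc={label}" for label in domain.split(".")]
    dn = (", " if spaced else ",").join(parts)
    return f'"{dn}"' if " " in dn else dn


def predict_logon_names(cn: str, samid: Optional[str] = None,
                        upn: Optional[str] = None) -> dict:
    """Mirror the DSADD USER defaults described in the slides."""
    return {
        "cn": cn,
        "samid": samid if samid else cn[:20],   # first 20 chars of cn
        "upn": upn if upn else "",              # blank when omitted
    }


def best_practice_issues(cn: str, domain: str, samid: Optional[str] = None,
                         upn: Optional[str] = None) -> list:
    """Flag departures from the slides' best practice: always supply
    samid and upn, with upn equal to samid@domain. Returns [] when clean."""
    names = predict_logon_names(cn, samid, upn)
    issues = []
    if not samid:
        issues.append(f"samid defaulted to '{names['samid']}' from cn")
    if not upn:
        issues.append("upn omitted; user@domain logon will not work")
    elif upn != f"{names['samid']}@{domain}":
        issues.append(f"upn should be {names['samid']}@{domain}")
    return issues


def dsadd_user_command(cn, ous, domain, samid=None, upn=None):
    """Render the command line. '-pwd *' makes dsadd prompt for the
    password instead of taking it as a visible command-line argument."""
    cmd = f"dsadd user {build_dn(cn, ous, domain)} -pwd *"
    if samid:
        cmd += f" -samid {samid}"
    if upn:
        cmd += f" -upn {upn}"
    return cmd


if __name__ == "__main__":
    # Constructed sample: the 'Jackson M. Mortinville' case from the slides.
    print(dsadd_user_command("Jackson M. Mortinville", ["finance"], "domainp.bcc"))
    for issue in best_practice_issues("Jackson M. Mortinville", "domainp.bcc"):
        print("WARNING:", issue)
```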

DSMOD User

• DSMOD can be used to modify many different object types; this and the next slide will concentrate on using DSMOD to modify user objects.

• Syntax for modifying a user account is
  – DSMOD USER distinguished-name -switches

• Switches commonly used include
  – -pwd (password), -mustchpwd, -disabled

DSMOD User: Examples

Each of the below examples modifies a user object that exists in either the finance container or the accounting container in the domainp.bcc domain.

Dsmod user "cn=Jackson,ou=Finance,dc=domainp,dc=bcc" -pwd Password!
Changes the Jackson user’s password to Password!

Dsmod user "cn=Mary, ou=Accounting, dc=domainp, dc=bcc" -pwd Password! -mustchpwd yes
Changes the Mary user’s password to Password! and requires that she change her password at next logon.

Dsmod user "cn=John Smith, ou=Accounting, dc=domainp, dc=bcc" -disabled yes
Disables the John Smith user account.

Dsmod user "cn=John Smith, ou=Accounting, dc=domainp, dc=bcc" -disabled no
Enables the John Smith user account.

DSQuery User

• DSQUERY can be used to query different object types from the command line.

• Syntax for querying a user account is
  – DSQUERY USER distinguished-name -switches

• Switches commonly used include
  – -o (controls the output’s display), -stalepwd, -disabled

DSQuery User: Examples

dsquery user
Displays a list of distinguished names for all users in the domain.

dsquery user "ou=Accounting,dc=domainp,dc=bcc"
Displays a list of distinguished names for all users in the Accounting container within domainp.bcc.

dsquery user "ou=Accounting,dc=domainp,dc=bcc" -o samid
Displays a list of samids for all users in the Accounting container within domainp.bcc.

dsquery user -name j*
Displays a list of distinguished names for all users in the domain who have an object name that begins with the letter j.

DSQuery User: Examples

dsquery user "ou=Finance,dc=domainp,dc=bcc" -name j*
Displays a list of distinguished names for all user objects in the Finance container within domainp.bcc who have an object name that begins with the letter j. (As in the syntax above, the starting distinguished name comes before the switches.)

dsquery user -disabled
Displays a list of distinguished names for all users in the domain that have a disabled account.

dsquery user "ou=Finance,dc=domainp,dc=bcc" -disabled -o samid
Displays a list of samids for all users in the Finance container within domainp.bcc that have a disabled account.

dsquery user "ou=Finance,dc=domainp,dc=bcc" -stalepwd 14
Displays a list of distinguished names for all user objects in the Finance container within domainp.bcc who have not changed their password in 14 days.

DSQuery User: Piping

DSQUERY output can be used as input to another command (piped). The examples provided have wrapped onto multiple lines; when executed, each would have to be typed on one line.

Dsquery user "ou=finance,dc=domainp,dc=bcc" -stalepwd 72 | dsmod user -disabled yes

This will take the output of the dsquery command (on the left of the pipe (|)) and use it as input to the dsmod command on the right of the pipe. In this case, it will disable all user accounts in the finance container who have not changed their password in 72 days.

DSQuery User: Piping

Dsquery user "ou=finance,dc=domainp,dc=bcc" | dsmod user -desc "Finance Employees"

This will take the output of the dsquery command (on the left of the pipe (|)) and use it as input to the dsmod command on the right of the pipe. In this case, it will change the description property for all user accounts in the finance container. The new value will be Finance Employees.

Dsquery user "ou=Sales,dc=domainp,dc=bcc" | dsmod user -dept "Sales" -title "Customer Sales" -company "Action Lights"

This will take the output of the dsquery command (on the left of the pipe (|)) and use it as input to the dsmod command on the right of the pipe. In this case, it will change the department, title and company properties for all users in the Sales container.

DSMove

• DSMOVE
  – Can be used to move an object from one container to another from the command line
  – Can be used to rename an object from the command line

• Syntax – for moving
  – DSmove distinguished-name -newparent new-container

• Syntax – for renaming
  – DSmove distinguished-name -newname new-name

DSMove: Move Examples

Dsmove "cn=sue,ou=finance,dc=domainp,dc=bcc" -newparent "ou=sales,dc=domainp,dc=bcc"

This moves the user with an object name of Sue from the finance container in domainp.bcc to the sales container in domainp.bcc.

Dsmove "ou=users,ou=accounting,dc=domainp,dc=bcc" -newparent "ou=finance,dc=domainp,dc=bcc"

This moves the container named users from the Accounting container within domainp.bcc to the finance container within domainp.bcc.

DSMove: Rename Examples

Dsmove "cn=sue,ou=finance,dc=domainp,dc=bcc" -newname suzy

This renames the user object with an object name of Sue in the finance container to suzy.

Dsmove "ou=users,ou=accounting,dc=domainp,dc=bcc" -newname Acc_Users

This renames the container named users that exists in the Accounting container in domainp.bcc to Acc_Users.

DSRM

• Allows objects to be deleted from the directory

• Can delete a single object or an entire subtree

• Syntax – for removing a single object
  – DSRM distinguished-name

• Syntax – for removing an entire subtree
  – DSRM distinguished-name -subtree

DSRM: Examples

Dsrm "cn=sally,ou=finance,dc=domain16,dc=bcc" -noprompt
Deletes the Sally user from the Finance container in domain16.bcc without prompting for confirmation.

Dsrm "ou=Accounting,dc=domainp,dc=bcc" -subtree
Deletes the Accounting container from domainp.bcc. Does prompt for confirmation.

Dsrm "ou=Users,ou=Finance,dc=domainp,dc=bcc" -subtree -noprompt -c
Deletes the Users container within the Finance container in domainp.bcc without prompting for confirmation and, if there are errors, does not stop the process but continues deleting.

DSADD Group

• DSADD can be used to create many different object types; this and the next few slides will concentrate on using DSADD to create group objects.

• Syntax for a group account is
  – DSADD GROUP distinguished-name switches

• Switches commonly used include
  – -scope, -secgrp, -memberof

DSAdd Group: Examples

Dsadd group "cn=Finance-G,ou=Finance,dc=domainp,dc=bcc"

Creates a group named Finance-G in the Finance container of domainp.bcc. Since no scope or security type has been defined in the command, the group’s scope will be global and the group’s type will be security.

Dsadd group "cn=Finance-L,ou=Finance,dc=domainp,dc=bcc" -scope L

Creates a group named Finance-L in the Finance container of domainp.bcc. The group’s scope will be domain local and, since the security type has not been defined, the group’s type will be security.

DSAdd Group: Examples

Dsadd group "cn=Sales-G,ou=Sales,dc=domainp,dc=bcc" -scope G -members "cn=sally,ou=sales,dc=domainp,dc=bcc" "cn=joe,ou=sales,dc=domainp,dc=bcc" "cn=bob,ou=sales,dc=domainp,dc=bcc"

Creates a group named Sales-G in the Sales container of domainp.bcc. The group’s scope will be global; its type is security. Three users have been added to the group’s member list: Joe, Sally and Bob, each of which is a user object that exists in the Sales container within domainp.bcc.

Dsadd group "cn=Sales-L,ou=Sales,dc=domainp,dc=bcc" -scope L -members "cn=Sales-G,ou=sales,dc=domainp,dc=bcc"

Creates a group named Sales-L in the Sales container of domainp.bcc. The group’s scope will be domain local; its type is security. The Sales-G global group, which also exists in the Sales container of domainp.bcc, is made a member of this group (a group object is referenced with cn=, as in the earlier examples).

DSMOD Group

• DSMOD can be used to modify many different object types; this and the next slide will concentrate on using DSMOD to modify group objects.

• Syntax for modifying a group account is
  – DSMOD GROUP distinguished-name -switches

• Switches commonly used include
  – -rmmbr, -addmbr

DSMOD Group: Examples

Each of the below examples modifies a group object that exists in either the Sales container or the accounting container in the domainp.bcc domain.

Dsmod group "cn=Sales-G,ou=Sales,dc=domainp,dc=bcc" -addmbr "cn=JSmith,ou=sales,dc=domainp,dc=bcc"
Makes the JSmith user a member of the Sales-G group.

Dsmod group "cn=Accounting-L, ou=Accounting, dc=domainp, dc=bcc" -addmbr "cn=Accounting-G,ou=Accounting,dc=domainp,dc=bcc"
Makes the Accounting-G group a member of the Accounting-L group (the group named first is the one whose member list is modified).

Dsmod group "cn=Accounting-G, ou=Accounting, dc=domainp, dc=bcc" -rmmbr "cn=JSmith,ou=Accounting,dc=domainp,dc=bcc"
Removes the JSmith user from the member list of the Accounting-G group.

Dsmod group "cn=Sales-G,ou=sales,dc=domainp,dc=bcc" -addmbr "cn=mbrown,ou=sales,dc=domainp,dc=bcc" -rmmbr "cn=sally,ou=sales,dc=domainp,dc=bcc"
Makes mbrown a member of the Sales-G group and removes Sally from the member list of the Sales-G group.

DSQuery Group

• DSQUERY can be used to query different object types from the command line.

• Syntax for querying a group is
  – DSQUERY GROUP distinguished-name -switches

• Switches commonly used include
  – -o (controls the output’s display), -name, -desc

DSQuery Group: Examples

dsquery group
Displays a list of distinguished names for all groups in the domain.

dsquery group "ou=Accounting,dc=domainp,dc=bcc"
Displays a list of distinguished names for all groups in the Accounting container within domainp.bcc.

dsquery group "ou=Accounting,dc=domainp,dc=bcc" -o samid
Displays a list of samids for all groups in the Accounting container within domainp.bcc.

dsquery group -name sale*
Displays a list of distinguished names for all groups in the domain that have an object name beginning with the letters sale.

DSGET

• DSGET displays properties of Active Directory objects.

• Syntax
  – DSGET GROUP distinguished-name -switches
  – DSGET USER distinguished-name -switches

DSGET Group: Examples

Each of the below examples gets property values of group objects that exist in either the Sales container or the Accounting container in the domainp.bcc domain.

DSGET GROUP "cn=Sales-G,ou=Sales,dc=domainp,dc=bcc" -members
Displays the member list for the Sales-G group.

DSGET GROUP "cn=Accounting-L, ou=Accounting, dc=domainp, dc=bcc" -memberof
Displays the member-of list for the Accounting-L group. This identifies the groups in which this group is a member.

DSGET GROUP "cn=Accounting-G, ou=Accounting, dc=domainp, dc=bcc" -desc
Displays the description property for the Accounting-G group.

DSGET Group: Examples

Dsget group "cn=Finance-L,ou=finance,dc=domainp,dc=bcc" -members -expand

Displays the member list of the Finance-L group and, if any of the members are groups, also displays the member lists of those groups. For example, if the Finance-G group is a member of the Finance-L group, the above command would display the member lists of both groups.

DSGET User: Examples

Each of the below examples gets property values of user objects that exist in either the Sales container or the Accounting container in the domainp.bcc domain.

DSGET USER "cn=Mary,ou=Sales,dc=domainp,dc=bcc" -memberof
Displays a list of groups in which Mary is a member.

DSGET USER "cn=Susan,ou=Accounting, dc=domainp, dc=bcc" -profile -samid -desc

Displays Susan’s profile, samid and description property values.

DSGET User: Examples with Piping

Dsquery user -name Susan | dsget user -memberof

This will query the domain for a user object named Susan. Dsquery’s output (in this case, the user’s distinguished name) will be used as input to the DSGET command. The DSGET command will display the list of groups in which Susan is a member.

Dsquery user -name Susan | dsget user -samid -desc

This will query the domain for a user object named Susan. Dsquery’s output (in this case, the user’s distinguished name) will be used as input to the DSGET command. The DSGET command will display the samid and description property values of the Susan user object.

DSGET User: Examples with Piping

Dsquery user "ou=finance,dc=domainp,dc=bcc" | dsget user -samid -desc -display

This will list all user accounts that exist in the finance container and use that list as input to the dsget command on the right side of the pipe. Dsget will display the samid, display name and description property values for each user in the Finance container.

Dsget user "cn=susan,ou=sales,dc=domain16,dc=bcc" -memberof | dsget group -members

This will use the member-of list of the Susan user as input to the dsget command on the right of the pipe, which then displays the member list of each group. In essence, it displays the group members of every group that Susan belongs to.