Active Directory How-To
Top Command Line Tools for Managing Active Directory
Let's look at command line tools that will help you manage Active Directory more effectively.
- By Troy Thompson
Most of the day-to-day operations of managing an Active Directory environment can be done from the Graphical User Interface (GUI), but the commands available from a command prompt can be very powerful and can save you time. In order to run the commands below, you will want to open an elevated command prompt. To start a command prompt with elevated privilege, click Start, right-click Command Prompt, and then click Run as administrator. Below is a list of commands with a description of what each does.
Adprep.exe is a command-line tool that is available on the Windows Server 2008 R2 installation disk in the \support\adprep folder. Adprep prepares a Windows forest or domain for the installation of Windows domain controllers. To prepare a forest or a domain, use:
- adprep /forestprep
- adprep /domainprep
You must be a member of all the following groups to run this command:
- The Enterprise Admins group
- The Schema Admins group
- The Domain Admins group of the domain that hosts the schema master
Dsadd.exe adds computers, contacts, groups, organizational units and users to Active Directory. This command is very helpful when used in a batch file to create multiple users or computers at once. The syntax for using this command can be a bit tricky, so you have to be careful to use the correct command-line arguments. It is highly recommended that you test the syntax of the command by adding a single user or computer before adding multiple accounts at once. To create multiple accounts, you can paste your text into a Notepad file and save it as a .bat, or batch, file. To get command-line help, type dsadd objectname /? at a command prompt to display help information about using the command, such as dsadd user /?. If you use dsadd to create a user account, there are dozens of parameters that can be set, such as DisplayName, FirstName, LastName, HomeDirectory, Password, the ability to change the password, telephone numbers, Login Script, etc.
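The batch-file use of dsadd described above, as an added example that is not from the original article. It assumes a constructed input file users.csv (one account per line: logon name, first name, last name, target OU) and the domain name contoso.com; the accounts are created disabled so no password has to be written into the script.

```batch
@echo off
REM Added example: bulk-create user accounts with dsadd from a CSV file.
REM Assumed, constructed input file users.csv, one line per account, e.g.:
REM   jdoe,John,Doe,OU=Contoso,DC=Contoso,DC=Com
REM Run it against a one-line CSV first, as the article recommends.
setlocal EnableDelayedExpansion

set "CSV=users.csv"
set "LOG=dsadd-results.log"

if not exist "%CSV%" (
    echo input file %CSV% not found
    exit /b 1
)

for /f "usebackq tokens=1-4 delims=," %%A in ("%CSV%") do (
    REM %%A = logon name, %%B = first name, %%C = last name, %%D = target OU
    set "DN=CN=%%B %%C,%%D"
    REM -disabled yes keeps the account unusable until an initial password is
    REM set and the account is handed over; -mustchpwd yes forces a change at
    REM first logon. No -pwd is passed, so no password lives in this file.
    dsadd user "!DN!" -samid %%A -upn %%A@contoso.com -fn %%B -ln %%C -display "%%B %%C" -mustchpwd yes -disabled yes
    if errorlevel 1 (
        echo FAILED: !DN! >> "%LOG%"
    ) else (
        echo created: !DN! >> "%LOG%"
    )
)

type "%LOG%"
endlocal
```

The log file lists each distinguished name with a created/FAILED result, so a bad line in the CSV is visible without re-reading the console.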
Dsacls.exe is the command-line equivalent of the Security tab in the properties dialog box for an Active Directory object in tools such as Active Directory Users and Computers. You can use either tool to view and change permissions to an Active Directory object. Once again, this command is very powerful in a batch file, but test it carefully on a single object first to make sure you will get the desired results.
Dsget.exe displays properties of computers, contacts, groups, organizational units, users, sites, subnets, and servers registered in Active Directory. Type dsget objectname /? at a command prompt to display help information about using the command, such as dsget subnet /?. To show the list of groups to which the user Brien Posey belongs, type:
dsget user "CN=Brien Posey,CN=users,dc=ms,dc=tld" -memberof -expand
You can use dsget in conjunction with dsquery as shown in the following example. To find all users in an organizational unit (OU) named Contoso whose name starts with "brien" and to show their descriptions, type:
dsquery user OU=Contoso,dc=ms,dc=tld -name brien* | dsget user -desc
When you use this command, it returns entries from the specified OU as well as all child OUs.
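A longer use of the dsquery | dsget combination, added here as an example and not part of the original article: report user accounts in an OU that have not logged on for eight weeks, together with each account's group membership, for an access review. The OU Contoso in the domain Contoso.Com and the output file names are assumptions.

```batch
@echo off
REM Added example: review inactive user accounts with dsquery and dsget.
REM Assumed, constructed names: search base OU=Contoso,DC=Contoso,DC=Com and
REM the output files inactive.txt and inactive-report.txt.
setlocal

set "SEARCHBASE=OU=Contoso,DC=Contoso,DC=Com"
set "REPORT=inactive-report.txt"

REM -inactive 8: no logon in the last 8 weeks; -limit 0: lift the default
REM 100-object cap so the list is complete. Child OUs are included.
dsquery user "%SEARCHBASE%" -inactive 8 -limit 0 > inactive.txt
if errorlevel 1 (
    echo dsquery failed; check the search base and the connection to a DC
    exit /b 1
)

REM Summary: one line per account with its DN, logon name and disabled state.
REM dsget reads the DNs from standard input when none is given on the line.
dsget user -dn -samid -disabled < inactive.txt > "%REPORT%"

REM Group membership per account, nested groups included (-expand). dsquery
REM already quotes each DN, so %%D can be passed to dsget unchanged.
for /f "usebackq delims=" %%D in ("inactive.txt") do (
    echo. >> "%REPORT%"
    echo Groups for %%D >> "%REPORT%"
    dsget user %%D -memberof -expand >> "%REPORT%"
)

type "%REPORT%"
endlocal
```

Accounts that are still enabled, or that sit in administrative groups, stand out in the report and can then be handled individually with dsmod.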
Dsmod.exe modifies properties of computers, contacts, groups, organizational units, users and servers that exist in Active Directory. Type dsmod objectname /? at a command prompt to display help information about using the command, such as dsmod server /?. Some of the parameters you can change using dsmod are FirstName, LastName, DisplayName, Password, Home Directory and Login Script. To reset the password for Brien Posey and force him to change his password when he next logs on to the network, use the command:
dsmod user "CN=Brien Posey,CN=Users,DC=Contoso,DC=Com" -pwd 123qweAS -mustchpwd yes
To reset multiple user passwords to a common password and force users to change their passwords when they next log on to the network, use the command:
dsmod user "CN=Brien Posey,CN=Users,DC=Contoso,DC=Com" "CN=Troy Thompson,CN=Users,DC=Contoso,DC=Com" -pwd 123qweAS -mustchpwd yes
Dsmove.exe moves a single object to a new location within a single domain, or renames the object without moving it. Type dsmove /? at a command prompt to display help information about using the command.
Dsquery.exe uses search criteria to find computers, contacts, groups, organizational units, users, sites, subnets and servers in Active Directory. Type dsquery /? at a command prompt to display help information about using the command. As referenced above, this command can be used in conjunction with the dsget command to help refine searches.
Dsrm.exe removes objects from Active Directory. Type dsrm /? at a command prompt to display help information about using the command. This can be a very powerful tool in terms of destruction. Be sure to use it wisely and test your syntax thoroughly before running it in an enterprise or forest.
Ntdsutil.exe allows the user to view site, domain and server information; manage operations masters; and perform database maintenance of Active Directory. Type ntdsutil /? at a command prompt to display help information about using the command.
Although the GUIs provided with Active Directory allow you to manage most of the day-to-day operations, a comprehensive knowledge of the command-line tools is a must for an administrator who wants to be proficient. They can also be a great time saver as you can automate many tasks using batch files.
Troy Thompson has worked in network administration for over 25 years, serving as a network engineer and Microsoft Exchange administrator in the Department of Defense, and writing technology articles, tutorials, white papers and technical edits. Troy is a Cisco Certified Academy Instructor (CCAI), and has numerous other certifications including CCNA, MCSE+I, Network+, A+ and Security+. Troy has also traveled the world playing music as the guitarist for the band Bride. Contact information is [email protected]