Active Directory How-To

Top Command Line Tools for Managing Active Directory

Let's look at command line tools that will help you manage Active Directory more effectively.

Most of the day-to-day operations of managing an Active Directory environment can be done from the graphical user interface (GUI), but the commands available from a command prompt can be very powerful and can save you time. To run the commands below, open an elevated command prompt: click Start, right-click Command Prompt, and then click Run as administrator. Below is a list of commands and a description of what they do.

Adprep.exe is a command-line tool that is available on the Windows Server 2008 R2 installation disk in the \support\adprep folder. Adprep prepares a Windows forest or domain for the installation of Windows domain controllers. To prepare a forest or a domain, use:

  • adprep /forestprep
  • adprep /domainprep

You must be a member of all the following groups to run this command:

  • The Enterprise Admins group
  • The Schema Admins group
  • The Domain Admins group of the domain that hosts the schema master

Dsadd.exe adds computers, contacts, groups, organizational units and users to Active Directory. This command is very helpful when used in a batch file to create multiple users or computers at once. The syntax for this command can be a bit tricky, and you have to be careful to use the correct command-line arguments. It is highly recommended that you test the syntax of the command by adding a single user or computer before adding multiple accounts at once. To create multiple accounts, you can paste your text into a Notepad file and save it as a .bat, or batch, file. To get command-line help, type dsadd objectname /? at a command prompt, such as dsadd user /?. If you use dsadd to create a user account, there are dozens of parameters that can be set, such as DisplayName, FirstName, LastName, HomeDirectory, Password, ability to change password, telephone numbers, Login Script, etc.
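The "test before you bulk-add" advice above, as a batch file with a built-in dry run. This is an added example, not part of the original article; the OU, UPN suffix, file name and user names are constructed.

```batch
@echo off
setlocal EnableExtensions
rem Added example, not from the article. The OU, UPN suffix and names are constructed.
rem   addusers.bat           dry run: prints each dsadd command, changes nothing
rem   addusers.bat /commit   runs the commands

set "TARGET_OU=OU=Staging,DC=Contoso,DC=Com"
set "UPN_SUFFIX=contoso.com"
set "LIST=%TEMP%\newusers.csv"

rem Constructed sample input, one account per line: samid,first,last
>  "%LIST%" echo jdoe,Jane,Doe
>> "%LIST%" echo rroe,Richard,Roe

rem In dry-run mode every dsadd line is turned into an echo of itself.
set "RUN=echo [dry-run]"
if /i "%~1"=="/commit" set "RUN="

rem Accounts are created disabled and without a password, so no credential
rem is ever stored in this file; enable them after a password has been set.
for /f "usebackq tokens=1-3 delims=," %%A in ("%LIST%") do (
    %RUN% dsadd user "CN=%%B %%C,%TARGET_OU%" -samid %%A -upn %%A@%UPN_SUFFIX% ^
        -fn %%B -ln %%C -display "%%B %%C" -disabled yes || echo FAILED: %%A
)
del "%LIST%"
endlocal
```

Review the dry-run output, run the first printed command by hand against a test OU, and only then use /commit.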

Dsacls.exe is the command-line equivalent of the Security tab in the properties dialog box for an Active Directory object in tools such as Active Directory Users and Computers. You can use either tool to view and change permissions to an Active Directory object. Once again, this command is very powerful in a batch file, but test it carefully on a single object first to make sure you will get the desired results.

Dsget.exe displays properties of computers, contacts, groups, organizational units, users, sites, subnets, and servers registered in Active Directory. Type dsget objectname /? at a command prompt to display help information about using the command, such as dsget subnet /?. To show the list of groups to which the user Brien Posey belongs, type:

dsget user "CN=Brien Posey,CN=users,dc=ms,dc=tld" -memberof -expand

You can use dsget in conjunction with dsquery as shown in the following example. To find all users in an organizational unit (OU) named Contoso whose name starts with "brien" and to show their descriptions, type:

dsquery user OU=Contoso,dc=ms,dc=tld -name brien* | dsget user -desc

When you use this command, it returns entries from the specified OU as well as all child OUs.

Dsmod.exe modifies properties of computers, contacts, groups, organizational units, users and servers that exist in Active Directory. Type dsmod objectname /? at a command prompt to display help information about using the command, such as dsmod server /?. Some of the parameters you can change using dsmod are FirstName, LastName, DisplayName, Password, Home Directory and Login Script. To reset the password for Brien Posey and force him to change his password when he next logs on to the network, use the command:

dsmod user "CN=Brien Posey,CN=Users,DC=Contoso,DC=Com" -pwd 123qweAS -mustchpwd yes

To reset multiple user passwords to a common password and force users to change their passwords when they next log on to the network, use the command:

dsmod user "CN=Brien Posey,CN=Users,DC=Contoso,DC=Com" "CN=Troy Thompson,CN=Users,DC=Contoso,DC=Com" -pwd 123qweAS -mustchpwd yes
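The two reset commands above put a literal password on the command line, where it ends up in batch files and command history, and the second gives several accounts the same value. The variant below is an added example, not part of the original article: it reuses the article's two DNs, passes * to -pwd so that dsmod prompts for each password, and reads the result back with dsget.

```batch
@echo off
setlocal EnableExtensions
rem Added example, not from the article. The DNs are the ones used in the text.
rem -pwd * makes dsmod prompt for the password, so it is never written into
rem this file, and each account gets its own prompt instead of a shared value.

for %%D in (
    "CN=Brien Posey,CN=Users,DC=Contoso,DC=Com"
    "CN=Troy Thompson,CN=Users,DC=Contoso,DC=Com"
) do (
    echo Resetting %%D
    dsmod user %%D -pwd * -mustchpwd yes || echo FAILED: %%D

    rem Read the account back to confirm the must-change flag and its state.
    dsget user %%D -samid -mustchpwd -disabled
)
endlocal
```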

Dsmove.exe moves a single object to a new location within a single domain or renames the object without moving it. Type dsmove /? at a command prompt to display help information about using the command.

Dsquery.exe uses search criteria to find computers, contacts, groups, organizational units, users, sites, subnets and servers in Active Directory. Type dsquery /? at a command prompt to display help information about using the command. As referenced above, this command can be used in conjunction with the dsget command to help refine searches.

Dsrm.exe removes objects from Active Directory. Type dsrm /? at a command prompt to display help information about using the command. This can be a very powerful tool in terms of destruction. Be sure to use it wisely and test your syntax thoroughly before using it in an enterprise or forest.
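One way to follow that advice is to separate selection from deletion: build the list with dsquery, review it, and only then hand the reviewed DNs to dsrm. This is an added example, not part of the original article; the OU name and the choice of "disabled users" as the selection are assumptions.

```batch
@echo off
setlocal EnableExtensions
rem Added example, not from the article. The OU name is constructed.
set "SCOPE_OU=OU=Leavers,DC=Contoso,DC=Com"
set "PLAN=%TEMP%\dsrm-plan.txt"

rem 1. Build the list with dsquery only. -scope onelevel keeps the search out
rem    of child OUs; -limit 0 lifts the default cap of 100 results.
dsquery user "%SCOPE_OU%" -disabled -scope onelevel -limit 0 > "%PLAN%"
if errorlevel 1 (echo dsquery failed, nothing deleted & exit /b 1)

rem 2. Show exactly what would be removed.
echo Objects selected for deletion:
type "%PLAN%"

rem 3. Require an explicit confirmation before anything is changed.
set "ANSWER="
set /p "ANSWER=Type DELETE to remove these objects: "
if not "%ANSWER%"=="DELETE" (echo Aborted, nothing deleted & exit /b 1)

rem 4. Delete only the reviewed DNs, one per call, so a failure names the object.
for /f "usebackq delims=" %%D in ("%PLAN%") do (
    dsrm %%D -noprompt || echo FAILED: %%D
)
del "%PLAN%"
endlocal
```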

Ntdsutil.exe allows the user to view site, domain and server information; manage operations masters; and perform database maintenance of Active Directory. Type ntdsutil /? at a command prompt to display help information about using the command.

Although the GUIs provided with Active Directory allow you to manage most of the day-to-day operations, a comprehensive knowledge of the command-line tools is a must for an administrator who wants to be proficient. They can also be a great time saver as you can automate many tasks using batch files.

About the Author

Troy Thompson has worked in network administration for over 25 years, serving as a network engineer and Microsoft Exchange administrator in the Department of Defense, and writing technology articles, tutorials and white papers, as well as performing technical edits. Troy is a Cisco Certified Academy Instructor (CCAI) and has numerous other certifications, including CCNA, MCSE+I, Network+, A+ and Security+. Troy has also traveled the world playing music as the guitarist for the band Bride.
