Windows Server

At a glance: Creating objects at the command line Performing bulk operations within Active Directory Active Directory updates and maintenance

11 essential tools for managing Active Directory

Laura E Hunter

If youve ever been handed an Excel spreadsheet listing 200 new employees starting next week, or if your user accounts are configured incorrectly because help desk staff clicked something
they shouldnt have, or if you just want an easier way to manage Active Directory besides opening Users and Computers every time, there are a number of free administration tools that can help. Some are built right into the Windows OS, some come in a Resource Kit or the Windows Support Tools, and some are free third-party tools. What are these handy tools and where can you get them? Lets find out. Ill start with the built-in command-line tools in Windows Server 2003 that allow you to create, delete, modify, and search for objects in Active Directory. Directory using a CSV source file; it also provides you with the ability to export existing objects to a CSV file. CSVDE cant be used to modify existing objects; when you are using this tool in import mode you can only create brand new objects. Exporting a list of existing objects with CSVDE is fairly simple. Heres how youd export your Active Directory objects to a file called ad.csv:
csvde f ad.csv

CSVDE
The Comma-Separated Values Data Exchange tool, known as CSVDE, allows you to import new objects into Active
50

The f switch indicates that the name of the output file follows. But you must be aware of the fact that, depending on your environment, this basic syntax could result in a huge and unwieldy output file. To restrict the tool to export

To get your FREE copy of TechNet Magazine subscribe at: www.microsoft.com/uk/technetmagazine

objects only within a particular organisational unit (OU), you could modify the statement as follows:
csvde f UsersOU.csv d ou=Users,dc=contoso,dc=com

Figure 1 LDIFDE switches

Switch Description

-d -f -r -s

Lets further say that youre only interested in exporting user objects into your CSV file. In that case, you can add the r switch, which allows you to specify a Lightweight Directory Access Protocol (LDAP) filter for the search, and the l switch, which restricts the number of attributes that are exported (note that the following is all on one line):
csvde f UsersOnly.csv d ou=Users,dc=contoso,dc=com r (&(objectcategory=person)(objectclass=user)) l DN,objectClass,description

Specifies LDAP path that LDIFDE should connect to for the operation. Indicates the name of the file to be used, in this case to output the results of the export. Specifies the LDAP filter to use for an export. Specifies the domain controller (DC) to connect to that will perform the operation; if you leave this out, LDIFDE will connect to the local DC (or the DC that authenticated you if you are running the tool from a workstation).

The i switch allows you to import objects into Active Directory from a source CSV file. However, creating user objects with CSVDE has one critical limitation: you cant set user passwords with it. Because of this, Id avoid using CSVDE to create user objects.

Once youve finished creating the file, run the following command:
ldifde i f NewUsers.ldf s DC1.contoso.com

LDIFDE
Active Directory provides a second built-in tool for bulk user operations, called LDIFDE, and it is more powerful and flexible than CSVDE. In addition to creating new objects, LDIFDE can also modify and delete existing objects and even extend the Active Directory schema. The tradeoff for LDIFDEs flexibility is that the necessary input file, which is referred to as an LDIF file with the extension .ldf, uses a more complex format than the simple CSV file. (With a little work you can also configure user passwords, but Ill get to that in a moment.) Lets start with a simple example, exporting users in an OU to an LDF file (note that the following is all on one line):
ldifde -f users.ldf -s DC1.contoso.com -d ou=UsersOU,dc=contoso,dc=com r (&(objectcategory=person)(objectclass=user))

The only new switch here is -i, which, you can probably guess for yourself, denotes that this is an import operation instead of an export. When modifying or deleting existing objects, the syntax for the LDIFDE command doesnt change; instead, you modify the contents of the LDF file. To change the description field of the user accounts, create a text file called ModifyUsers.ldf, such as the one shown in Figure 2. You import the changes by running the same LDIFDE command syntax as before, specifying the new LDF file name after the -f switch. The LDF format for deleting objects is even simpler; to delete the users youve been working with, create a file called DeleteUsers.ldf and enter the following:
dn: CN=afuller OU=UsersOU, DC=contoso, DC=com changetype: delete dn: CN=rking, OU=UsersOU, DC=contoso, DC=com changetype: delete

As with most command-line tools, you can find a full explanation of the LDIFDE switches by running the LDIFDE /? command. Figure 1 describes the ones Ive used here. (Note that the switches are actually the same for both the CSVDE and LDIFDE commands.) The real power of LDIFDE is in creating and manipulating objects. Before doing this, however, you first need to create an input file. The following creates two new user accounts called afuller and rking; to create the input file, enter the text in Notepad (or your favourite plain-text editor) and save it as NewUsers.ldf:
dn: CN=afuller, OU=UsersOU, DC=contoso, DC=com changetype: add cn: afuller objectClass: user samAccountName: afuller dn: CN=rking, OU=UsersOU, DC=contoso, DC=com changetype: add cn: rking objectClass: user samAccountName: rking

Note that unlike CSVDE, LDIFDE is capable of configuring user passwords. Before you can configure the unicodePWD attribute for a user account, however, you must configure secure sockets layer/transport layer security (SSL/ TLS) encryption on your domain controllers.

Figure 2 The ModifyUsers LDF file

TechNet Magazine November 2007

51

Windows Server
Moreover, LDIFDE can create and modify any type of Active Directory object, not just user accounts. The following LDF file, for example, will create a custom schema extension called EmployeeID-example in the schema of the contoso.com forest:
dn: cn=EmployeeID-example,cn=Schema, cn=Configuration,dc=contoso,dc=com changetype: add adminDisplayName: EmployeeID-Example attributeID: 1.2.3.4.5.6.6.6.7 attributeSyntax: 2.5.5.6 cn: Employee-ID instanceType: 4 isSingleValued: True lDAPDisplayName: employeeID-example

Because LDIFDE files use the industry-standard LDAP file format, third-party applications that need to modify the

LDIFDE can create and modify any type of Active Directory object, not just user accounts
Active Directory schema will often supply LDF files you can use to examine and approve the changes before applying them to your production environment. In addition to tools for bulk import and export operations, Windows Server 2003 also includes a built-in toolset that lets you create, delete and modify various Active Directory objects as well as perform queries for objects that meet certain criteria. (Note that these tools, dsadd, dsrm, dsget and dsquery, are not supported under Windows 2000 Active Directory.)

The memberOf switch requires the full distinguished name (DN) of each group the user should be added to; if you want to add the user to multiple groups you can add multiple DNs separated by spaces. If any element contains a space, such as the DN of the Help Desk group, it needs to be enclosed in double quotes. If an element contains a backslash, like an OU called IT\ EMEA, the backslash must be entered twice: IT\\EMEA. (These requirements apply to all of the ds* tools.) When you use the -pwd * switch, youll be prompted to enter a password for the user at the command line. You can specify the password within the command itself (-pwd P@ssword1), but this will display the password in plain text on the screen or in any text or script file that youve embedded the command into. Similarly, you can create a group object and an OU using the following two commands:
dsadd computer cn=WKS1,ou=Workstations,dc=contoso,dc=com dsadd ou ou=Training OU,dc=contoso,dc=com

Dsmod
Dsmod is used to modify an existing object, and you work with it much as with dsadd, using different submenus and syntax depending on the type of object youre modifying. The following dsmod statement changes a users password and modifies his account so he will be prompted to change to a new password on next logon:
dsmod user cn=afuller,ou=IT,dc=contoso,dc=com pwd P@ssw0rd1 mustchpwd yes

To see how similar these switches are, look at the dsadd syntax you would use to create this user with the same attributes configured:
dsadd user cn=afuller,ou=IT,dc=contoso,dc=com pwd P@ssw0rd1 mustchpwd yes

Dsadd
Dsadd is used to create an instance of an Active Directory object class on a particular directory partition. These classes include users, computers, contacts, groups, organisational units and quotas. Dsadd has a generic syntax that consists of the following:
dsadd <ObjectType> <ObjectDistinguishedName> attributes

As you can clearly see, if you know the switches to create objects in dsadd, you can use those same switches to modify users with dsmod.

Dsrm
The converse of dsadd is dsrm; as you might imagine, this tool lets you delete an object from the command line. The basic dsrm syntax is pretty straightforward: simply enter dsrm followed by the distinguished name of the object you want to delete, like so:
dsrm cn=WKS1,ou=Workstations,dc=contoso,dc=com

Note that each object type you create takes a specific set of switches corresponding to the attributes available for that type. This command creates a single user object with various attributes populated (note that the following is all on one line):
dsadd user cn=afuller,ou=IT,dc=contoso,dc=com samID afuller fn Andrew ln Fuller pwd * -memberOf cn=IT,ou=Groups,dc=contoso,dc=com cn=Help Desk,ou=Groups, dc=contoso,dc=com desc Marketing Director

By default, dsrm will prompt Are you sure you want to delete this object? Type Y, then press Enter. You can suppress this prompt using the noprompt switch, but, obviously, you then get no chance to confirm that youve selected the correct object before deleting it. Two additional switches can be helpful if you are deleting a container object, that is, an organisational unit that could potentially

52

To get your FREE copy of TechNet Magazine subscribe at: www.microsoft.com/uk/technetmagazine

TechNet Magazine November 2007

53

Windows Server

Figure 3 Running dsget

contain other objects within it. The following command deletes the TrainingOU organisational unit and all objects contained within it:
dsrm ou=TrainingOU,dc=contoso,dc=com subtree

Dsquery returns a list of Active Directory objects that meet criteria you specify. You can specify the following parameters no matter which submenu youre using:
dsquery <ObjectType> <StartNode> -s <Search Scope> -o <OutputFormat>

This one deletes all child objects contained within TrainingOU but leaves the organisational unit object itself in place:
dsrm ou=TrainingOU,dc=contoso,dc=com subtree exclude

Dsmove
To move or rename an object in Active Directory, you use the dsmove tool, but note that you should use it to move an object only within a single domain. To migrate objects between domains or forests, use the Active Directory Migration Tool (ADMT), a free download from the Microsoft Web site. Dsmove relies on two switches that can be used separately or in combination. This command gives Steve Conns account a new last name:
dsmove cn=Conn, Steve,ou=IT,dc=contoso,dc=com newname Steve Conn

This command moves Steves account from the IT OU to the Training OU:
dsmove cn=Conn, Steve,ou=IT,dc=contoso,dc=com newparent ou=Training,dc=contoso,dc=com

For ObjectType, dsquery can use the following submenus, each of which has its own syntax: computer, contact, subnet, group, OU, site, server (note that the server submenu retrieves information about domain controllers, not any member servers in your environment), user, quota and partition. And if one of these query types doesnt fit the bill, you can use the * submenu, which lets you enter a free-form LDAP query. StartNode specifies the location in the Active Directory tree where the search will start. You can use a specific DN such as ou=IT,dc=contoso,dc=com, or one of the following shortcut specifiers: domainroot, which begins at the root of a particular domain, or forestroot, which begins at the root of the forest root domain using a Global Catalog server to perform the search. Finally, the Search Scope option specifies how dsquery should search the Active Directory tree. Subtree (the default) queries the specified StartNode and all of its child

You can combine a rename and a move into a single operation by specifying both switches at once, like this:
dsmove cn=Conn, Steve,ou=IT,dc=contoso,dc=com newname Steve Conn newparent ou=Training,dc=contoso,dc=com

Dsget and Dsquery

The ds* command-line toolset also includes two tools used to query Active Directory for information rather than for creating or modifying objects. Dsget takes an objects DN as input and provides you with the value of the attribute or attributes you specify. Dsget uses the same submenus as dsadd and dsmod user, computer, contact, group, OU and quota. To obtain the SAM Account Name and Security Identifier (SID) of a user account, enter the following command (note that the following is all on one line):
dsget user cn=afuller,ou=IT,dc=contoso,dc=com samAccountName sid

Dsget takes an objects DN as input and provides you with the value of the attributes you specify
objects, onelevel queries only the immediate children of the StartNode, and base queries the StartNode object only. To better understand search scopes, consider an OU that contains both user objects and a child OU that itself contains additional objects. Using the subtree scope will query the OU, all of the user objects contained within it, and the child OU and its contents. The onelevel scope will query only the users contained within the OU and will not query the child OU or its contents. A base query will search only the OU itself without querying any of the objects contained within it.

Youll get output such as that in Figure 3.

54

To get your FREE copy of TechNet Magazine subscribe at: www.microsoft.com/uk/technetmagazine

Finally, you can use Output Format to control how the results of dsquery are formatted. By default, dsquery returns the distinguished names of any objects that match the query, like this:
cn=afuller,ou=Training,dc=contoso,dc=com cn=rking,ou=ITTraining,ou=Training,dc=contoso,dc=com

To query for all user objects contained within the IT OU and any child OUs, use the following:
dsquery user ou=IT,dc=contoso,dc=com

You can further refine this query by adding extra switches such as -disabled, which returns only disabled user accounts; -inactive x, which returns only users who havent logged on in the past x weeks or more; or -stalepwd x, which will return only users who have not changed their passwords in x days or more. Depending on the number of objects in your directory, you may need to specify the -limit x switch when running your query. By default, dsquery will return up to 100 objects that match the specifics of your query; you can specify a larger number such as -limit 500, or use -limit 0 to instruct dsquery to return all matching objects.

you can view all of the switches available within a particular dsquery submenu by going to the command prompt and typing dsquery user /?, dsquery computer /?, dsquery subnet /?, and so forth. An additional slick trick is to pipe the output of dsquery into another tool such as dsmod using the | character (shiftbackslash on US keyboards). For example, lets say your company has renamed a department from Training to Internal Development and now you have to update the description field of each relevant user from the old department name to the new. On a single command line, you can query for user objects that have a description field of Training and then modify that description field in bulk, as follows:
dsquery user description Training | dsmod -description Internal Development

Some third-party gems

Because Active Directory is based on LDAP standards, you can query and modify it using any tool that can speak LDAP. Many third-party vendors have released fee-based tools to assist you in administering Active Directory, but sometimes you find a treasure that has been made available to the community at no charge. Such is the case with a collection created by Directory Services MVP Joe Richards, available for download from: joeware.net/freetools. There youll find numerous tools to serve many different functions. Three that I turn to again and again are adfind, admod and oldcmp.

Because Active Directory is based on LDAP standards, you can query and modify it using any tool that can speak LDAP
You can use the other submenus to perform useful queries for other object types as well. Consider the following query, which returns every subnet defined in Active Directory Sites and Services thats in the 10.1.x.x address space:
dsquery subnet name 10.1.*

Adfind and Admod

Adfind and admod are similar to dsquery and dsmod; adfind is a command-line query tool for Active Directory, and admod can create, delete or modify one or more Active Directory objects. Unlike the ds* tools that have multiple submenus and different switches depending on the type of object, adfind and admod have a consistent syntax regardless of the type of query or modification youre trying to perform. The basic syntax for adfind is:
adfind b <Search Base> -s <Search Scope> -f <Search Filter> attributesDesired

Or use the following to return every subnet located in the Corp site:
dsquery subnet site Corp

With another submenu, you can quickly determine how many domain controllers in your forest are configured as Global Catalog servers:
dsquery server forest isgc

So a query for the DN and description of all computer objects within your domain would be:
adfind b dc=contoso,dc=com s subtree f (objectclass=computer) dn description

A query for all user objects would look like this:

adfind b dc=contoso,dc=com s subtree f (&(objectcategory=person) (objectclass=user)) dn description

You can also use this syntax to help you determine which domain controller in your domain hosts the Primary Domain Controller (PDC) Emulator Flexible Single Master Operations (FSMO) role:
dsquery server hasfsmo pdc

As with the other ds* commands that include submenus,

Notice that except for the contents of the LDAP query, the syntax has not changed. As you work with adfind, youll find a number of shortcut operators that can save you a lot of typing. For example, the -default switch can replace -b dc=contoso,dc=com in the
TechNet Magazine November 2007

55

Windows Server
previous example and search your entire domain; -gc searches against a Garbage Collection (GC) and returns all users in your Active Directory forest. You can also use the -rb switch to set a relative base for your search; if you want to search the Training OU in the phl.east.us.contoso.com domain, you can save yourself quite a bit of effort by simply specifying default rb ou=Training rather than b ou=Training, dc=phl,dc=east,dc=us,dc=contoso,dc=com. Adfind can also perform a number of advanced search functions that cant be easily managed at the command line otherwise, including those shown in Figure 4. An example using the asq switch would be Show me the group memberships of the members of the HelpDesk, like this:
adfind default rb cn=HelpDesk,ou=IT asq member memberOf

Figure 4 Adfind switches

Switch Description

-showdel -bit -asq

Queries the Deleted Objects container for tombstone objects. Queries against bitwise operators such as the userAccountControl attribute. Performs an attribute-scoped query. This function (which cant be replicated in dsquery) can retrieve an attribute of a particular object and then perform a query against it. Pipes the output of an adfind query into dsmod or one of the other ds* tools.

-dsq

Admod, as its name suggests, is used to modify objects within Active Directory. As with adfind, there are no specialised submenus with particular syntaxes to remember; admod uses the same syntax regardless of the type of object youre working with. You can also use admod to add, move, rename, delete and even undelete objects simply by adding the appropriate switch, such as -add, -rm, -move, -undel. And just as with dsquery and dsmod, you can also use the | character to pipe the results of an adfind query into admod. Note that performing an undelete with admod simply performs a tombstone reanimation operation, in which most of the objects attributes have been removed. To fully restore an object and all of its attributes, youll still need to perform an authoritative restore of the object.

updated oldcmp so that it will perform similar functions for user accounts that have not been used for a certain amount of time as well. For a small Active Directory environment or one where youre only working with one or two additions or changes at a time, the GUI tools such as Active Directory Users and Computers might be sufficient for day-to-day administration. But if youre adding and modifying large numbers

Oldcmp
Theres one additional joeware tool I consider an indispensable part of my automation toolkit: oldcmp, which scans your Active Directory database for computer accounts that have not been used in a specified number of weeks and can do the following: Create a report of accounts without taking any action against them Disable the unused computer accounts Move the computer accounts to a different OU that you designate Delete the computer accounts outright Note that because oldcmp has the potential to wreak serious havoc on your directory, it has a number of built-in safety features. It will not delete any account that has not already been disabled (and without manually specifying a No really, I mean it! command-line switch). It will not modify more than 10 objects at a time without a similar No really, I mean it! switch, and it absolutely will not do anything to the computer account for a domain controller. Despite the now misleading name of the tool, Joe has
56

When modifying large numbers of objects on a daily basis, moving to the command line can greatly speed up the process
of objects on a daily basis or simply want a more streamlined solution for your administrative tasks, moving to the command line can greatly speed up the process of creating, modifying and deleting objects within Active Directory. As youve seen, there are a number of flexible and powerful tools available free of charge, both built right into Windows and downloadable from members of the Active Directory community. Any of these tools has the ability to greatly enhance your productivity as an Active Directory administrator, and together they become even more essential to your daily work life. Laura E Hunter is a four-time recipient of the Microsoft MVP award in the area of Windows Server Networking. She is the author of the Active Directory Cookbook, Second Edition (OReilly, 2006). A 10-year veteran of the IT industry, Laura currently works as the Active Directory architect for a global engineering firm. She holds multiple industry certifications and is a frequent speaker at user group meetings and industry conferences.

To get your FREE copy of TechNet Magazine subscribe at: www.microsoft.com/uk/technetmagazine