MCITP 70-640: Active Directory Command Line Tools

Uploaded by itfreetraining on 17.09.2012

In this video from IT Free Training I will look at some of the command line utilities
that are available to perform Active Directory administration. Using these tools effectively
can help to speed up Active Directory administration, especially for repetitive tasks.

In this video I will look at the following Active Directory command line utilities. If
you are interested in only a particular tool, select the link in the video or in the description.
Although these tools can be used for single administrative actions, a lot of administrators
will use these tools in scripts. Used effectively in scripts, a lot of actions can be performed
in seconds that would take a lot longer using GUI-based tools like Active Directory Users
and Computers.

The first command line utility that I want to look at is DSAdd. This command allows you to add
users, computers, groups and other Active Directory objects using the command line. To do this,
I will first open a command prompt from the start menu. There are many options for this
command. For a full list of options see the TechNet article links in the description for
this video.

DSAdd can be used to add many different object types to Active Directory. I will firstly
add a user to the domain. To do this, enter in DSAdd, followed by the object that you want
to add, which in this case is a user. The next parameter that you need to add is the
distinguished name. The distinguished name identifies where in Active Directory you want
the object to be created. A lot of the commands that I will look at use the same syntax for
the distinguished name. In fact, you will start to notice that some of the parameters are
the same in all commands.

First, I need to specify the username that I want to create. In this case I want to create
a user account called Smith so I will use the parameter CN=Smith. The next part of the
command I need to enter in is the organizational unit where the user will be created. Since
this user account will be created in the default organizational unit Users, I will use
CN=Users. If this was an organizational unit that I created I would need to use OU rather
than CN.

The next parameter I will add is -FN John. This sets the first name of the user to John.
You will find that there are endless parameters that can be added with this command, for
example phone numbers, email and office addresses, just to name a few.

The next parameter that I will add is -LN Smith. This parameter sets the last name of
the user to Smith. Following this I will configure a password for the user with the parameter
-PWD and then the parameter -MustCHPWD to ensure the user will be prompted to change
the password when they first log in. Once the command is run, a message will be
returned saying that the command was successful.

Next I will use the command DSAdd to add a computer account to the domain. This is done
by entering DSAdd, followed by computer. Like the last command, I need to enter in the
distinguished name for the computer account that I want to create. In this case I will
create the computer account under the Computers organizational unit. Like the last command
I will once again get a message saying the command was successful.

Next I will use DSAdd to add a group to the domain by using the parameter group. I will
need to enter in the distinguished name but this time I will create a new group in the
Users organizational unit that is found under New York. When specifying sub OUs the order
of the OUs needs to be reversed. In this case I need to use the syntax OU=Users,OU=New York
even though the Users OU is found under the New York organizational unit. The next parameter
I will add is -Scope G to indicate that I want to create a global group. Once I run the
command I will be informed that the object was created successfully.

The next command I will look at is DSGet.
This command allows information about the object to be retrieved from Active Directory.
In this case I will use the parameter User to get information about a user. As with the
other commands, the distinguished name needs to be added, to indicate which object in Active
Directory the information will be retrieved for. Following this I need to enter in the
parameters for the information that I want to retrieve. In this case I will use the
parameters -FN, -LN and -email. This will retrieve the first name, last name and email
address for that user. You will start to notice that these are the same parameters that
were used in DSAdd.

Once the command runs, notice that the information that I asked for is displayed in columns
with titles above it indicating which type of data it is.

The next command is the DSMod command. This
command allows Active Directory objects to be modified. In this case I will use the
User parameter to indicate I want to change a user account in Active Directory.
Once again the distinguished name for the user that is to be modified needs to be added
to the command line. In this case I will change the password for the user using the -PWD
parameter. As with the User Add command, I will add the -MustCHPWD parameter so the
user will be prompted to change their password the next time they log in.

You can start to see the power of using commands like this. By using a script you can automate
the changing of user passwords. You can see that using commands such as these can be a
lot faster than using a graphical tool like Active Directory Users and Computers.
The command will once again run and succeed like the other commands.

The next command
I will look at is DSRM. This command will delete objects in Active Directory. Unlike
the other commands, I do not need to indicate the type of object I am working with; all that
needs to be entered is the distinguished name that indicates which object is to be deleted.

In this case I will delete an OU called Testing. Since this is an OU, I will also add the parameter
-SubTree to indicate that all objects under this OU, including other OUs, should also
be deleted. When running commands like this there may be errors encountered. For example,
if you do not have permission to an object in the organizational unit the command will
fail. If you want the command to ignore such errors, add the parameter -c.

Once I run the command I will get a prompt asking me to confirm that I want to delete
that object. If you do not want to get prompted like this, you can add the parameter -NoPrompt.
In this case I will enter in N for no and the object will not be deleted.

The last command that I will look at is the DSQuery command. This can be used to find
out information about particular objects in a domain or filtered down to one area. For
example, you could show all the objects in one OU or show all users in the domain with
surnames starting with A to K.

In this example I will use the parameter OU and enter in the distinguished name for the
domain. Once I run this command, all the organizational units in the domain will be listed.
You can see that using the query command can get you a lot of information about the objects
in your domain very quickly.

That's it for Command Line Utilities for Active Directory. This is just a sample of
some of the parameters and commands that can be used. For more videos for this course and
others, please see our Website or YouTube channel. Thanks for watching.
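
The commands were shown on screen in the video and are not in this transcript. The following is an added example, not taken from the video, of the command lines the narration describes. The domain DC=example,DC=com, the computer name PC01, the group name Sales, the location of the Testing OU and the use of `-pwd *` are assumptions.

```batch
@echo off
rem Added example, not from the video. Assumed placeholders: the domain
rem DC=example,DC=com, computer PC01 and group Sales are constructed names.
set "DOMAIN=DC=example,DC=com"

rem Add user Smith under Users. The built-in Users and Computers objects are
rem containers, so they take CN=; organizational units you create take OU=.
rem "-pwd *" prompts for the password, so it is not stored in the script or
rem left in the command history (assumption: the video may have typed one).
dsadd user "CN=Smith,CN=Users,%DOMAIN%" -fn John -ln Smith -pwd * -mustchpwd yes

rem Add a computer account under Computers.
dsadd computer "CN=PC01,CN=Computers,%DOMAIN%"

rem Add a global group to the Users OU that sits under the New York OU.
rem The DN is written most specific first, so the child OU precedes its parent.
dsadd group "CN=Sales,OU=Users,OU=New York,%DOMAIN%" -scope g

rem Show the first name, last name and email address of the user.
dsget user "CN=Smith,CN=Users,%DOMAIN%" -fn -ln -email

rem Reset the password and force a change at the next logon.
dsmod user "CN=Smith,CN=Users,%DOMAIN%" -pwd * -mustchpwd yes

rem List every OU in the domain.
dsquery ou "%DOMAIN%"

rem Before deleting an OU tree, list everything under it. -limit 0 lifts the
rem default cap of 100 results. Testing is assumed to sit at the domain root.
dsquery * "OU=Testing,%DOMAIN%" -scope subtree -limit 0

rem Delete the OU and its contents. Leaving out -noprompt keeps the
rem confirmation prompt, and leaving out -c stops at the first error.
dsrm "OU=Testing,%DOMAIN%" -subtree
```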