Information Technology Reference
In-Depth Information
Account management has been discussed mostly from the standpoint of using Active Directory
Users and Computers to work with accounts. When only a few accounts require action, using a
GUI tool is convenient. When many accounts require action or certain tasks must be repeated
many times, however, a command-line program is often the most efficient tool for the job.
Administrators can take advantage of batch files to handle lengthy and cumbersome command-
line syntax. A batch file is a text file with the .bat extension that's used to enter a command or
series of commands normally typed at the command prompt. Batch files can take arguments to
replace variables in the command. Bulk import/export programs also make account management
faster and easier. These programs can read an input file (import) to create several Active
Directory objects at once or produce an output file (export) from Active Directory objects. In the
following sections, examples and activities walk you through using command-line and bulk
import/export programs to manage accounts.
The GUI interface of Active Directory Users and Computers is convenient for creating a few
accounts or making changes to a few objects. Even with the help of a template, however, quite
a bit of manual entry is still required to create a user. Many administrators prefer a command-
line program, often used with a batch file, to create or change accounts. The following are the
most common command-line tools for managing accounts:
•
DSADD
—Adds objects to Active Directory. Used mainly for adding account objects but
can also be used to create OUs and contacts.
•
DSGET
—Displays an object's properties onscreen by default, but the output can be redi-
rected to a file.
•
DSMOD
—Modifies existing Active Directory objects.
•
DSMOVE
—Moves objects in a domain to another folder or OU or renames the object.
•
DSQUERY
—Finds and displays objects in Active Directory that meet specified criteria.
The output can be displayed onscreen or sent (piped) to other commands. For example,
DSQUERY could find and display a list of all users in an OU, and that list could be piped
to a DSMOD command that adds the users to a group.
•
DSRM
—Removes, or deletes, objects from Active Directory.
You can type all these commands followed by “/?” to get help on syntax and use. For example,
if you need to know more about the DSADD command, type DSADD /? at the command prompt.
You used DSADD in Chapter 3 to create a user. Now take a closer look at its syntax and
how you can use it in a batch file to make account creation easier. The syntax for using DSADD
to create objects is as follows:
DSADD
ObjectType ObjectDN
[
options
]
•
ObjectType
is the type of object you want to create, such as a user or group.
•
ObjectDN
is the object's distinguished name (DN), which includes the full path in Active
Directory where the object should be created. The path is specified by starting with the object
name, followed by each parent container object up to the top-level domain name. Each com-
ponent of the path is separated by a comma. The components of the DN are as follows:
•
CN (common name)
—The name of the object as it will be seen in Active Directory.
•
CN (common name)
—The CN component can be repeated if the object is in a folder,
such as the Users or Computers folder, rather than an OU.
•
OU (organizational unit)
—Use this component if the object is in an OU. It's repeated for
as many levels as necessary, starting with the lowest OU level.
•
DC (domain component)
—Each part of the domain name is specified separately until the
top-level domain name is reached.
Search WWH ::
Custom Search