Dsmod

Reset the password and force a change at next logon for an entire OU:
dsquery user "OU=Singapore,OU=Staff,DC=rmohan,DC=com" | dsmod user -pwd Password1 -mustchpwd yes

Change the "company" AD attribute for all users in an entire OU:
dsquery user "OU=Singapore,OU=Staff,DC=rmohan,DC=com" | dsmod user -company "rmohan"

Return the DN of all users in an OU:
dsquery user "OU=Singapore,OU=Staff,DC=rmohan,DC=com"

"CN=User1,OU=Singapore,OU=Staff,DC=rmohan,DC=com"
"CN=User2,OU=Singapore,OU=Staff,DC=rmohan,DC=com"
"CN=User3,OU=Singapore,OU=Staff,DC=rmohan,DC=com"

Return the DN of all users in an OU, then get all the groups the users are a member of:
dsquery user "OU=Singapore,OU=Staff,DC=rmohan,DC=com" | dsget user -memberof

"CN=Group1,OU=Singapore,OU=Groups,DC=rmohan,DC=com"
"CN=Group2,OU=Singapore,OU=Groups,DC=rmohan,DC=com"
"CN=Group3,OU=Singapore,OU=Groups,DC=rmohan,DC=com"

Return the DN of all users in an OU, then get all the groups the users are a member of, expanded recursively:
dsquery user "OU=Singapore,OU=Staff,DC=rmohan,DC=com" | dsget user -memberof -expand

"CN=Group1,OU=Singapore,OU=Groups,DC=rmohan,DC=com"
"CN=Group2,OU=Singapore,OU=Groups,DC=rmohan,DC=com"
"CN=Group3,OU=Singapore,OU=Groups,DC=rmohan,DC=com"
"CN=Group4,OU=Singapore,OU=Groups,DC=rmohan,DC=com"
"CN=Group5,OU=Singapore,OU=Groups,DC=rmohan,DC=com"

Return the DN of all users in an OU, then get all the groups the users are a member of, expanded recursively, and finally return the name of each group:
dsquery user "OU=Singapore,OU=Staff,DC=rmohan,DC=com" | dsget user -memberof -expand | dsget group -samid

samid
Group1
Group2
Group3
Group4
Group5

Get all the groups a single user is a member of, expanded recursively, and return the name of each group:
dsquery user "CN=User3,OU=Singapore,OU=Staff,DC=rmohan,DC=com" | dsget user -memberof -expand | dsget group -samid

samid
Group1
Group2

Create an OU:
dsadd ou "ou=Singapore,dc=rmohan,dc=com"

Create a group:
dsadd group "cn=SingaporeUsers,ou=Singapore,dc=rmohan,dc=com"

Create a user:
dsadd user "cn=JoeUser1,ou=Singapore,dc=rmohan,dc=com"

Add a user to a group:
dsmod group "cn=SingaporeUsers,ou=Singapore,dc=rmohan,dc=com" -addmbr "cn=JoeUser1,ou=Singapore,dc=rmohan,dc=com"

Find users whose name begins with "J" and return the matching users' "samid" and "department" attributes:
dsquery user domainroot -name J* | dsget user -samid -dept

Move an OU:
dsmove "ou=LiverpoolStreetOffice,dc=rmohan,dc=com" -newparent "ou=Singapore,dc=rmohan,dc=com"

Rename an object (here a group; dsmove -newname works on any object):
dsmove "cn=SingaporeUsers,ou=Singapore,dc=rmohan,dc=com" -newname SingaporeStaff

Remove an OU and its entire subtree without prompting:
dsrm -noprompt -subtree "ou=deleteme,dc=rmohan,dc=com"
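
Several of the pipelines above feed every DN that dsquery returns for an OU straight into dsmod or dsrm, so it is worth confirming that the returned DNs really sit under the OU you intend to change before running the second half of the pipeline. The following Python script is an added example, not code from the original post: it parses the quoted DN lines dsquery prints, honours backslash-escaped commas in names (RFC 4514), and reports any DN outside the intended base OU. The sample output embedded in it is constructed, including one object from another OU to show the check failing.

```python
"""Parse dsquery DN output and confirm every object sits under the intended OU.

Added example, not part of the original post. SAMPLE_OUTPUT is constructed to
look like what `dsquery user "OU=Singapore,OU=Staff,DC=rmohan,DC=com"` prints:
one double-quoted distinguished name per line.
"""
from typing import List, Tuple

# Constructed sample output. The third line has an escaped comma in the CN
# (RFC 4514); the fourth is an object from a different OU, to show the check.
SAMPLE_OUTPUT = '''"CN=User1,OU=Singapore,OU=Staff,DC=rmohan,DC=com"
"CN=User2,OU=Singapore,OU=Staff,DC=rmohan,DC=com"
"CN=Tan\\, Mei,OU=Singapore,OU=Staff,DC=rmohan,DC=com"
"CN=Admin1,OU=Admins,DC=rmohan,DC=com"
'''


def _split_rdn(rdn: str) -> Tuple[str, str]:
    """Split 'CN=User1' into ('CN', 'User1'); attribute names are case-insensitive."""
    attr, _, value = rdn.partition("=")
    return attr.strip().upper(), value.strip()


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, honouring backslash escapes
    so that an escaped comma inside a value does not start a new RDN."""
    rdns: List[Tuple[str, str]] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character, drop the backslash
            i += 2
            continue
        if ch == ",":
            rdns.append(_split_rdn("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append(_split_rdn("".join(buf)))
    return rdns


def parse_dsquery_output(text: str) -> List[str]:
    """Return the DNs from dsquery output, stripping the surrounding quotes."""
    dns = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('"') and line.endswith('"'):
            line = line[1:-1]
        if line:
            dns.append(line)
    return dns


def is_under(dn: str, base: str) -> bool:
    """True if dn is base itself or lies anywhere below base (values compared
    case-insensitively, as Active Directory does)."""
    parts = split_dn(dn)
    base_parts = split_dn(base)
    if len(parts) < len(base_parts):
        return False
    tail = parts[len(parts) - len(base_parts):]
    return [(a, v.lower()) for a, v in tail] == [(a, v.lower()) for a, v in base_parts]


def check_scope(output: str, base_ou: str) -> Tuple[List[str], List[str]]:
    """Split the DNs in dsquery output into those inside base_ou and those outside."""
    inside: List[str] = []
    outside: List[str] = []
    for dn in parse_dsquery_output(output):
        (inside if is_under(dn, base_ou) else outside).append(dn)
    return inside, outside


if __name__ == "__main__":
    ok, bad = check_scope(SAMPLE_OUTPUT, "OU=Singapore,OU=Staff,DC=rmohan,DC=com")
    print("in scope:", len(ok))
    print("out of scope:", bad)
```

In practice you would redirect the dsquery output to a file (as the post does later for computers) and run the script over that file; an empty "out of scope" list is the signal that the dsmod or dsrm half of the pipeline touches only what you expect.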

Command ... Description

Dsadd (computer, contact, group, ou, quota, user)
    Adds objects to the directory

Dsget (computer, contact, group, ou, partition, quota, server, site, subnet, user)
    Displays properties of objects in the directory

Dsmod (computer, contact, group, ou, partition, quota, server, user)
    Modifies selected attributes of an existing object in the directory

Dsquery (*, computer, contact, group, ou, partition, quota, server, site, subnet, user)
    Finds objects in the directory that match specified search criteria

Dsmove
    Moves any object from its current location to a new parent location, or renames any object without moving it

Dsrm
    Removes an object, the complete subtree under an object in the directory, or both

****************************************************************************

LDAP attribute tag ... Description

CN=    Common name: the name given to the object at creation
OU=    Organizational unit: the name of the container
DC=    Domain component: the name of the domain

dsquery ou dc=mohan,dc=com
This command produces a listing of all OUs in the domain.

dsquery user cn=users,dc=mohan,dc=com
This shows all the users in the Users container.

dsquery server -hasfsmo schema
This shows which server holds the schema master role; the other role names accepted by -hasfsmo are rid, name, infr and pdc.

*****************************************

dsadd ou "ou=northwest, dc=mohan, dc=com"
This command tells Active Directory to create an OU called northwest.

dsadd user "cn=calvin jay, ou=northwest, dc=mohan, dc=com"
This command creates a user named calvin jay in the northwest OU.

*****************************************

dsquery server -domain mohan.com | dsget server -dnsname -site
Finds all domain controllers for the domain mohan.com and displays their DNS host name and site name.

dsget user "CN=Mike Jay,CN=users,dc=mohan,dc=com" -memberof -expand
Shows the list of groups, recursively expanded, to which a given user belongs.

*****************************************

dsmod computer CN=Server1,CN=Computers,DC=mohan,DC=Com -disabled yes
Disables a computer account.

dsmod user "CN=Don Jay,CN=Users,DC=mohan,DC=Com" -pwd A1b2c3d4 -mustchpwd yes
Resets the password and forces the user to change it the next time he logs on to the network.

*****************************************

dsmove "CN=Kim Love,OU=Sales,DC=mohan,DC=Com" -newname "Kim Falls"
Renames a user object from Kim Love to Kim Falls.

dsmove "CN=Kim Falls,OU=Sales,DC=mohan,DC=Com" -newparent OU=Marketing,DC=mohan,DC=Com
Moves Kim Falls from the Sales organizational unit to the Marketing organizational unit.

*****************************************

dsrm -subtree -noprompt -c OU=Marketing,DC=mohan,DC=Com
Removes the organizational unit called "Marketing" and all the objects under it.

dsrm -subtree -exclude -noprompt -c "OU=Marketing,DC=mohan,DC=Com"
Removes all objects under the organizational unit called "Marketing" but leaves the organizational unit itself intact.

Dsquery

Powerful tools and derivatives:

Dsquery – Queries Active Directory according to specified criteria
Dsadd – Adds objects to Active Directory
Dsget – Gets information about an object and displays its properties
Dsmove – Moves or renames objects in Active Directory
Dsmod – Modifies specific attributes of objects in Active Directory
Dsrm – Deletes objects, or the subtree under them, from Active Directory

Computer Accounts

The whole syntax is the same as you will find in Windows Help, so it doesn't make sense for me to copy the syntax into this blog.

Daily tasks on workstations:

a) Create a workstation account:

dsadd computer "computername" -desc "description"

Real case:

dsadd computer "CN=computer2,OU=TORONTO,DC=mohan,DC=com" -desc "MktPC" -loc "5th Floor"

b) Reset a computer account (reset the workstation account):

If a workstation loses its trust relationship with the domain, reset the account; you will see an entry in the Event Viewer, so you can proceed with this task with confidence.

dsmod computer "computername" -reset

Real case:

dsmod computer "CN=computer2,OU=TORONTO,DC=mohan,DC=com" -reset

c) You can also test the workstation's secure channel to the domain controller with this syntax:

nltest.exe /server:PcMarketing /sc_query:mohan.com

You will have a similar output like this, if the channel is ok:

Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\DomainController02.mohan.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

d) Move a workstation account:

dsmove "computername" -newparent "NewParentDN"

Real case:

dsmove "CN=PCTEST,OU=LOSTPCs,DC=mohan,DC=com" -newparent "OU=SALES,OU=MKT,OU=BOSTON,DC=mohan,DC=com"

e) Let's clean inactive workstations out of Active Directory:

If you use:

dsquery computer -inactive 180

it only works at the Windows Server 2003 domain functional level and locates PCs that have been inactive for the last 180 days. (Note that the argument to -inactive is a number of weeks, whereas -stalepwd takes a number of days.)

If you use:

dsquery computer -stalepwd 180

you get a listing of suspect workstations that did not renew their passwords against the domain controller in the last 180 days. It is true that it can also find some PCs that did not renew their passwords because of an operating system error, but in most cases these are really few. Once you have the list, you can delete or disable these workstation accounts.

If you want to list AND move rogue workstations, run this query (the "delims=" option keeps a DN containing spaces in a single token):

for /F "delims=" %a in ('dsquery computer -stalepwd 60') do @dsmove %a -newparent OU=PCs,OU=Disabled,DC=mohan,DC=com

This query moves these accounts into the OU "Disabled"; next you can modify the script to disable or delete these accounts.
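
To see exactly what -stalepwd and -inactive are comparing, the following Python script is an added example, not code from the original post: it reproduces both checks offline over constructed computer records. Active Directory stores pwdLastSet and lastLogonTimestamp as Windows FILETIME values (100-nanosecond intervals since 1601-01-01 UTC), a pwdLastSet of 0 means the password was never set, and lastLogonTimestamp is only rewritten when the stored value is more than msDS-LogonTimeSyncInterval (14 days by default) old. The 14-day margin in is_inactive and the decision to count a never-set password as stale are this example's choices, not documented dsquery behaviour.

```python
"""Reproduce the stale-password and inactivity checks of dsquery computer offline.

Added example, not code from the original post. The computer records below
are constructed sample data, not real directory output.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # sentinel AD uses for "never" in date attributes

# lastLogonTimestamp lags real activity by up to msDS-LogonTimeSyncInterval
# (14 days by default). Adding that margin is this example's defensive choice,
# not something dsquery itself is documented to do.
LOGON_TIMESTAMP_SLACK = timedelta(days=14)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a FILETIME to an aware UTC datetime; 0 (never set) and the
    'never' sentinel map to None."""
    if ft <= 0 or ft >= NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, using integer arithmetic for exactness."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def has_stale_password(rec: Dict, days: int, now: datetime) -> bool:
    """dsquery computer -stalepwd N: password not changed in the last N days.
    A pwdLastSet of 0 has no date to compare, so this example treats it as stale."""
    last = filetime_to_datetime(rec["pwdLastSet"])
    return last is None or now - last > timedelta(days=days)


def is_inactive(rec: Dict, weeks: int, now: datetime) -> bool:
    """dsquery computer -inactive N: no logon recorded in the last N weeks
    (note the unit: weeks, while -stalepwd takes days)."""
    last = filetime_to_datetime(rec.get("lastLogonTimestamp", 0))
    if last is None:
        return True
    return now - last > timedelta(weeks=weeks) + LOGON_TIMESTAMP_SLACK


def stale_password_accounts(records: List[Dict], days: int, now: datetime) -> List[str]:
    return [r["name"] for r in records if has_stale_password(r, days, now)]


def inactive_accounts(records: List[Dict], weeks: int, now: datetime) -> List[str]:
    return [r["name"] for r in records if is_inactive(r, weeks, now)]


# Constructed sample data, anchored to a fixed "now" so results are reproducible.
NOW = datetime(2024, 11, 15, 12, 0, tzinfo=timezone.utc)


def _days_ago(n: int) -> int:
    return datetime_to_filetime(NOW - timedelta(days=n))


SAMPLE_COMPUTERS = [
    {"name": "PC1", "pwdLastSet": _days_ago(30), "lastLogonTimestamp": _days_ago(3)},
    {"name": "PC2", "pwdLastSet": _days_ago(200), "lastLogonTimestamp": _days_ago(190)},
    {"name": "PC3", "pwdLastSet": 0, "lastLogonTimestamp": 0},
    {"name": "PC4", "pwdLastSet": _days_ago(10), "lastLogonTimestamp": _days_ago(400)},
]

if __name__ == "__main__":
    print("stale password (180 days):", stale_password_accounts(SAMPLE_COMPUTERS, 180, NOW))
    print("inactive (26 weeks):", inactive_accounts(SAMPLE_COMPUTERS, 26, NOW))
```

PC2 is the instructive record: its password is stale at 180 days, but its last recorded logon of 190 days ago is inside the 26-week window once the replication margin is added, so the two queries disagree about it, which is why the post suggests checking a stale-password hit before deleting the account.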
f) Identify PCs in the "Computers" container:

Sometimes you find that some PCs have GPO conflicts or problems downloading the GPO; it often happens when they have just been added to the domain and not yet moved to their containers. So identify and move them!

dsquery computer cn=computers,DC=mohan,DC=com > c:\PCsOUcomputers.txt

The query writes the result to a txt file, so you can later import it into Excel.

Tip:
If you want to see who is logged on to those PCs, download the PsLoggedOn tool from www.sysinternals.com, copy it into your System32 directory and execute psloggedon \\PCName, then run:

dsquery user -samid username | dsget user -fn -ln -display -office -desc

This identifies the user, location and other useful information for moving that PC to the correct OU.

Note: Don't forget that for most scripts run against the domain and its PCs you need the necessary admin rights.

g) Get a listing on the fly of the workstations in the domain:

dsquery computer -limit 600

or the version for importing:

dsquery computer -limit 600 > c:\domainPCs.txt

Note: -limit 600 is the maximum number of objects returned (the default is 100), so set it to at least the number of workstations in the domain.

User Accounts


Daily “User Tasks”:

a) Adding users as a batch creation:

for /L %d in (1,1,50) do dsadd user cn=user%d,ou=OUTEST,dc=mohan,dc=com -pwd 12345678910 -office "BOSTON" -title "Operator" -dept Ingen -mustchpwd yes -canchpwd yes -disabled yes

You get 50 dummy users to work with in your environment, or you can modify them into production users.

The individual creation is simpler; here you get the syntax plus a login script option:

dsadd user cn=dummyuser,ou=OUTEST,dc=mohan,dc=com -display DUMMY -pwd mypassword -office "BOSTON" -title "Operator" -dept Ingen -loscr scriptlogin.vbs -mustchpwd yes -canchpwd yes -disabled yes

b) User queries in Active Directory:

dsquery user and dsget user are very useful together.

Check the SAM account name, first and last name:

dsquery user | dsget user -samid -fn -ln

The same query in a specific OU:

dsquery user "OU=Users,OU=Consulting,OU=BOSTON,OU=USA,DC=mohan,DC=com" | dsget user -display -samid

Move a user from one OU to another:

dsquery user -name "USER1" | dsmove -newparent "OU=BOSTON,DC=mohan,DC=com"

Check which user accounts expire soon:

dsquery user OU=BOSTON,DC=mohan,DC=com | dsget user -samid -fn -ln -acctexpires

With this you work proactively and don't have to take calls over the weekend.

With this you get inactive users, or users suspected of inactivity (output to a txt file):

dsquery user -stalepwd 90 -limit 1000 > c:\users.txt

Note: 1000 is the maximum number of objects returned, and you can import the txt into Excel for easier manipulation.

Find the group membership of a user:

dsquery user -samid John | dsget user -memberof -expand

or with a better output, in a double piping:

dsquery user -samid John | dsget user -memberof -expand | dsget group -samid

Reset the user password:

dsquery user -samid Cocoliso | dsmod user -pwd nuevopassword

Check which users don´t have a login script assigned:

dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(!(scriptPath=*)))" -limit 0 -attr sAMAccountName sn givenName pwdLastSet distinguishedName

Check which user names begin with z:

dsquery user -name z*

GROUPS

For the next scripts, please refer to the Microsoft Help if you have doubts about groups in Active Directory.
Let's practise some more and see more examples:

a) Creating groups:

Creating a security group with domain local scope:

dsadd group "cn=DL_ING, ou=ULM, dc=mohan, dc=com" -secgrp yes -scope l

Creating a security group with universal scope:

dsadd group "CN=INGES,OU=Caracas,DC=mohan,DC=com" -samid "ING" -secgrp yes -scope u

b) Group membership

Check which users belong to the Consulting Group:

dsquery group -name Consulting | dsget group -members

Check which groups begin with g_, which scope they have and whether they are security groups:

dsquery group -name g_* | dsget group -dn -scope -secgrp

Or check the membership of a group itself:

dsquery group -name G_Internet | dsget group -memberof
c) Changing Group membership

Replace the membership of a specific group, G_DomainUsers, with all domain users (dsmod group -chmbr replaces the complete member list):

dsquery user -name * | dsmod group "CN=G_DomainUsers,CN=Users,DC=seattle,DC=cpandl,DC=com" -chmbr

d) Add the members of one group to another group:

dsget group "CN=GG_SALES,OU=OFC,DC=mohan,DC=com" -members | dsmod group "CN=G_INGES,OU=La Habana,DC=mohan,DC=com" -addmbr

e) Maintaining groups:

Check the groups without members:

dsquery * -filter "(&(objectCategory=group)(!(member=*)))" -limit 0 -attr whenCreated whenChanged groupType sAMAccountName distinguishedName memberOf

Check which users don't belong to any group:

dsquery * domainroot -filter "(&(objectcategory=person)(objectclass=user)(!(memberof=*)))"
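
The dsquery * -filter queries here and in the user section (users without a login script, groups without members, users in no group) are raw LDAP search filters. As soon as a script builds such a filter from a value it did not type itself (an account name from a ticket, a column from a spreadsheet), the value has to be escaped, otherwise characters such as '*', '(' and ')' can widen or rewrite the query. The following Python helpers are an added example, not code from the original post: they escape values per RFC 4515, rebuild the post's filters in the strict form with inner parentheses (for example (!(scriptPath=*)), which Active Directory accepts), and show an injection-style value being neutralised. The dsquery_argv function assumes the filter is passed to subprocess.run with shell=False.

```python
"""Build dsquery -filter strings with RFC 4515 escaping of untrusted values.

Added example, not code from the original post. The sample values below are
constructed.
"""
from typing import List

# RFC 4515 section 3: these characters must be hex-escaped inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a literal value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def present(attr: str) -> str:
    """(attr=*): the attribute has at least one value."""
    return f"({attr}=*)"


def equals(attr: str, value: str) -> str:
    """(attr=value) with the value escaped, so it can never add clauses."""
    return f"({attr}={escape_filter_value(value)})"


def not_(clause: str) -> str:
    return f"(!{clause})"


def and_(*clauses: str) -> str:
    return "(&" + "".join(clauses) + ")"


def users_without_login_script() -> str:
    """The post's filter for users with no scriptPath, in strict RFC 4515 form."""
    return and_(equals("objectCategory", "person"), equals("objectClass", "user"),
                not_(present("scriptPath")))


def groups_without_members() -> str:
    """The post's filter for empty groups, in strict RFC 4515 form."""
    return and_(equals("objectCategory", "group"), not_(present("member")))


def user_by_samid(samid: str) -> str:
    """Look up one user by sAMAccountName; samid is treated as untrusted input."""
    return and_(equals("objectCategory", "person"), equals("objectClass", "user"),
                equals("sAMAccountName", samid))


def dsquery_argv(filter_str: str, attrs: List[str]) -> List[str]:
    """argv for subprocess.run(..., shell=False): no cmd.exe quoting is involved,
    so the filter reaches dsquery exactly as built."""
    return ["dsquery", "*", "domainroot", "-filter", filter_str,
            "-limit", "0", "-attr", *attrs]


if __name__ == "__main__":
    print(users_without_login_script())
    print(groups_without_members())
    # A value that tries to smuggle in a clause is rendered harmless: '*', ')'
    # and '(' are escaped, so it can only match a literal account name.
    print(user_by_samid("*)(objectClass=*"))
    print(dsquery_argv(groups_without_members(), ["sAMAccountName", "distinguishedName"]))
```

The same escaping applies to the -name and -samid arguments of dsquery user when a script supplies them, since those are turned into filter values as well.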
SERVERS

Dsquery server

To find all domain controllers in the domain mohan.com that are global catalog servers:

dsquery server -domain mohan.com -isgc

To find all DCs in the forest and display their relative distinguished names, type:

dsquery server -o rdn -forest

To find all DCs in the site BOLIVIA and display their relative distinguished names, type:

dsquery server -o rdn -site BOLIVIA

To find the DC in the forest that holds the schema operations master role:

dsquery server -forest -hasfsmo schema

To find all DCs for mohan.com and display their DNS host name and site name:

dsquery server -domain mohan.com | dsget server -dnsname -site
