11 basic tools used to manage Active Directory

Create objects from the command line and perform batch operations to update and maintain Active Directory.


Whether you have to process an Excel spreadsheet listing 200 new employees who start next week, repair a user account that a help desk technician misconfigured by clicking something they should not have, or simply want an easier way to manage Active Directory than opening Active Directory Users and Computers, a wealth of free management tools can help. Some are built into the Windows operating system, some ship in the Resource Kit or the Windows Support Tools, and some are free third-party tools. What are these handy tools and where can you get them? Let's take a look. First we cover the command line tools built into Windows Server 2003 that let you create, delete, modify, and search for objects in Active Directory.


The comma-separated value directory exchange tool (csvde) lets you import new objects into Active Directory from a CSV source file. It can also export existing objects to a CSV file. Csvde cannot modify existing objects: in import mode it can only create new ones. Exporting a list of existing objects with csvde is straightforward. The following command exports Active Directory objects to a file named ad.csv:
csvde -f ad.csv
The -f switch names the output file. Be aware that, depending on the size of your environment, this basic syntax can produce an impractically large output file. To restrict the export to the objects in a particular organizational unit (OU), change the command to the following:
csvde -f UsersOU.csv -d ou=Users,dc=contoso,dc=com
Suppose you only want to export user objects to the CSV file. In that case, add the -r switch and the -l switch. The former lets you specify a Lightweight Directory Access Protocol (LDAP) filter for the search; the latter limits the export to the attributes you list after it (note that the whole command goes on one line, and replace the <attribute-list> placeholder with a comma-separated list of attribute names):
csvde -f UsersOnly.csv -d ou=Users,dc=contoso,dc=com -r
"(&(objectcategory=person)(objectclass=user))" -l <attribute-list>
The -i switch lets you import objects from a source CSV file into Active Directory. However, creating user objects with csvde has one key limitation: csvde cannot set user passwords. For that reason you should avoid using csvde to create user objects.


Active Directory also provides a second built-in tool for batch user operations, ldifde, which is more powerful and flexible than csvde. Besides creating new objects, ldifde can modify and delete existing objects and even extend the Active Directory schema. The price of that flexibility is that you must use an LDIF file (extension .ldf) as the input or output file, and that format is more complex than a simple CSV file. (It also lets you set user passwords with a few extra steps; more on that later.) To start with a simple example, the following command exports the users in an OU to an LDF file (note that the whole command goes on one line):
ldifde -f users.ldf -s DC1.contoso.com -d "ou=UsersOU,dc=contoso,dc=com"
-r "(&(objectcategory=person)(objectclass=user))"
As with most command line tools, you can run ldifde /? for a complete description of the ldifde switches. Figure 1 describes the switches used here. (Note that csvde and ldifde take the same switches.) The real power of ldifde lies in creating and manipulating objects. Before doing that, you must create an input file. The following input file creates two user accounts, afuller and rking. To create it, type the following into Notepad (or your favourite plain-text editor) and save it as newusers.ldf:
dn: CN=afuller, OU=UsersOU, DC=contoso, DC=com 
changetype: add
cn: afuller
objectClass: user
samAccountName: afuller


dn: CN=rking, OU=UsersOU, DC=contoso, DC=com
changetype: add
cn: rking
objectClass: user
samAccountName: rking

After creating the file, run the following command:
ldifde -i -f NewUsers.ldf -s DC1.contoso.com
As you might guess, the only new switch here, -i, indicates an import operation rather than an export. To modify or delete an existing object you do not change the ldifde command syntax; you change the contents of the LDF file instead. To change the description field of the user accounts, create a text file named modifyusers.ldf, as shown in Figure 2.
Figure 2 The modifyusers.ldf file
You import the changes by running the same ldifde command syntax as before, specifying the new LDF file name after the -f switch. The LDF format for deleting objects is simpler still. To delete the two users created above, create a file named deleteusers.ldf with the following content:
dn: CN=afuller, OU=UsersOU, DC=contoso, DC=com
changetype: delete


dn: CN=rking, OU=UsersOU, DC=contoso, DC=com
changetype: delete

Note that, unlike csvde, ldifde can be used to set user passwords. However, before you can populate the unicodePwd attribute of a user account, you must configure Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption on the domain controller. Ldifde can also create and modify any type of Active Directory object, not just user accounts. For example, the following abbreviated LDF file creates a custom schema extension named EmployeeID-Example in the contoso.com forest schema (a complete attribute definition also needs attributeID, attributeSyntax and oMSyntax values, which are omitted here):
dn: cn=EmployeeID-Example,cn=Schema,cn=Configuration,dc=contoso,dc=com
changetype: add
objectClass: attributeSchema
adminDisplayName: EmployeeID-Example
cn: EmployeeID-Example
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: employeeID-example
Because ldifde uses the industry-standard LDIF file format, third-party applications that need to modify the Active Directory schema often ship LDF files, which you can review and approve before applying the changes to a production environment. In addition to the batch import and export tools, Windows Server 2003 includes a set of built-in tools for creating, deleting, and modifying various Active Directory objects and for querying objects that meet specific criteria. (Note that these tools, such as dsadd, dsrm, dsget, and dsquery, are not available in Windows 2000 Active Directory.)
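To show the LDIF format that ldifde consumes in practice, here is an added example (not code from the article) that generates newusers.ldf-style add records from a CSV of new starters, which is how the 200-employee spreadsheet from the introduction could be handled without running into csvde's password limitation. The CSV rows, the target OU and the "Last, First" cn convention are constructed assumptions; unicodePwd lines still require the SSL/TLS-protected connection described above.

```python
# Added example (not from the article): turn a new-starter CSV into an LDIF file
# that "ldifde -i -f newusers.ldf" can import, escaping DN values per RFC 4514
# and encoding attribute values per RFC 2849. Sample data is constructed.
import base64
import csv
import io

# RFC 4514: characters that must be backslash-escaped inside an RDN value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN, e.g. 'Conn, Steve' or 'IT\\EMEA'."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in _DN_SPECIAL or leading_hash or edge_space else ch)
    return "".join(out)


def ldif_attr(name: str, value: str) -> str:
    """One 'name: value' line; base64 with '::' when LDIF cannot carry the value verbatim."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def unicodepwd_attr(password: str) -> str:
    """unicodePwd takes the password in double quotes, UTF-16LE, base64 in LDIF;
    the domain controller only accepts it over an SSL/TLS-protected connection."""
    raw = f'"{password}"'.encode("utf-16-le")
    return "unicodePwd:: " + base64.b64encode(raw).decode("ascii")


def add_user_record(row: dict, ou_dn: str) -> str:
    """Build one 'changetype: add' record; cn is 'Last, First' by assumption."""
    cn = f"{row['last']}, {row['first']}"
    lines = [f"dn: CN={escape_rdn_value(cn)},{ou_dn}", "changetype: add", "objectClass: user",
             ldif_attr("cn", cn), ldif_attr("sAMAccountName", row["sam"]),
             ldif_attr("givenName", row["first"]), ldif_attr("sn", row["last"]),
             ldif_attr("description", row["description"])]
    return "\n".join(lines) + "\n"


def modify_description_record(dn: str, new_description: str) -> str:
    """A 'changetype: modify' record of the kind modifyusers.ldf would hold."""
    return "\n".join([f"dn: {dn}", "changetype: modify", "replace: description",
                      ldif_attr("description", new_description), "-"]) + "\n"


def csv_to_ldif(csv_text: str, ou_dn: str) -> str:
    """Join the add records with the blank line ldifde uses as a record separator."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return "\n".join(add_user_record(r, ou_dn) for r in rows)


# Constructed sample input standing in for the HR spreadsheet.
NEW_STARTERS_CSV = """sam,first,last,description
afuller,Andrew,Fuller,Marketing Director
sconn,Steve,Conn,Training
"""

if __name__ == "__main__":
    print(csv_to_ldif(NEW_STARTERS_CSV, "OU=UsersOU,DC=contoso,DC=com"))
```

Redirect the printed output to newusers.ldf and import it with the ldifde -i command shown above; the escaped comma in "Conn\, Steve" is exactly why the dsmove examples later on need that DN quoted.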


Dsadd creates an instance of an Active Directory object class in a specific directory partition. The supported types are users, computers, contacts, groups, organizational units, and quotas. The general dsadd syntax is:
dsadd <ObjectType> <ObjectDistinguishedName> attributes
Note that each object type you create has its own set of switches corresponding to the properties of that type. The following command creates a user object populated with several attributes (note that the whole command goes on one line):
dsadd user cn=afuller,ou=IT,dc=contoso,dc=com
-samid afuller -fn Andrew -ln Fuller -pwd *
-memberof cn=IT,ou=Groups,dc=contoso,dc=com "cn=Help Desk,ou=Groups,dc=contoso,dc=com"
-desc "Marketing Director"
The -memberof switch requires the full distinguished name (DN) of each group the user should be added to. To add the user to several groups, list several DNs separated by spaces. Any element that contains spaces (such as the DN of the Help Desk group) must be enclosed in double quotation marks, and any element that contains a backslash (for example an OU named IT\EMEA) needs the backslash doubled (IT\\EMEA). (These rules apply to all ds* tools.) With -pwd *, you are prompted to type the user's password at the command line. You can instead put the password directly in the command (-pwd p@ssword1), but it is then visible in plain text on screen and in any text or script file in which the command is embedded. Similarly, the following two commands create a computer object and an OU:
dsadd computer cn=WKS1,ou=Workstations,dc=contoso,dc=com
dsadd ou "ou=Training OU,dc=contoso,dc=com"


Dsmod modifies an existing object. Its usage closely mirrors dsadd: you use a different sub-command and syntax depending on the type of object you are modifying. The following dsmod statement changes a user's password and sets the account so that the user must change the password at next logon:
dsmod user "cn=afuller,ou=IT,dc=contoso,dc=com" -pwd P@ssw0rd1
-mustchpwd yes
To see how similar the switches are, look at the dsadd syntax that creates this user and sets the same attributes:
dsadd user "cn=afuller,ou=IT,dc=contoso,dc=com" -pwd P@ssw0rd1
-mustchpwd yes
Clearly, once you know the switch that sets a property in dsadd, you can use the same switch to modify it with dsmod.


Dsrm is the opposite of dsadd: as you might expect, it deletes objects from the command line. The basic dsrm syntax is simple: type dsrm followed by the distinguished name of the object to delete, as shown here:
dsrm cn=WKS1,ou=Workstations,dc=contoso,dc=com
By default, dsrm prompts "Are you sure you want to delete this object?", and you type y and press Enter. You can suppress the prompt with the -noprompt switch, but you then obviously lose the chance to confirm that you selected the right object before it is deleted. Two further switches are useful when you delete a container object (such as an organizational unit that contains other objects). The following command deletes the TrainingOU organizational unit and every object it contains:
dsrm ou=TrainingOU,dc=contoso,dc=com -subtree
The following command deletes all the child objects in TrainingOU but keeps the organizational unit object itself:
dsrm ou=TrainingOU,dc=contoso,dc=com -subtree -exclude


To move or rename objects in Active Directory, use the dsmove tool, bearing in mind that you should only use it to move objects within a single domain. To migrate objects between domains or forests, use the Active Directory Migration Tool (ADMT), a free download from the Microsoft website. Dsmove relies on two switches, which you can use separately or together. The following command gives Steve Conn's account a new name:
dsmove "cn=Conn, Steve,ou=IT,dc=contoso,dc=com" -newname "Steve Conn"
This command moves Steve's account from the IT OU to the Training OU:
dsmove "cn=Conn, Steve,ou=IT,dc=contoso,dc=com" -newparent ou=Training,dc=contoso,dc=com
You can rename and move in one operation by specifying both switches at once:
dsmove "cn=Conn, Steve,ou=IT,dc=contoso,dc=com" -newname "Steve Conn" -newparent ou=Training,dc=contoso,dc=com

Dsget and dsquery

The ds* command line tool set also includes two tools that query information from Active Directory rather than creating or modifying objects. Dsget takes an object's DN as input and returns the values of one or more attributes you specify. Dsget uses the same sub-commands as dsadd and dsmod: user, computer, contact, group, ou, and quota. To retrieve the SAM account name and security identifier (SID) of a user account, enter the following (note that the whole command goes on one line):
dsget user cn=afuller,ou=IT,dc=contoso,dc=com
-samid -sid
You get the output shown in Figure 3.
Figure 3 Running dsget
Dsquery returns a list of Active Directory objects that match the criteria you specify. Whichever sub-command you use, you can specify these parameters:
dsquery <ObjectType> <StartNode> -s <SearchScope> -o <OutputFormat>
For ObjectType, dsquery offers the following sub-commands, each with its own syntax: computer, contact, subnet, group, ou, site, server (note that the server sub-command retrieves information about domain controllers, not about member servers), user, quota, and partition. If none of these query types fits your needs, use the * sub-command, which lets you enter an LDAP query of any form.

StartNode specifies where in the Active Directory tree the search starts. You can give a specific DN, such as ou=IT,dc=contoso,dc=com, or one of two shortcuts: domainroot, which starts at the root of the current domain, and forestroot, which starts at the root of the forest root domain and searches via a Global Catalog server.

The search scope option controls how dsquery walks the tree. subtree (the default) queries the StartNode and all objects beneath it; onelevel queries only the immediate children of the StartNode; base queries only the StartNode object itself. To see the difference, imagine an OU that contains user objects and a child OU, which in turn contains other objects. A subtree query of the OU returns the OU, every user object in it, the child OU, and its contents. A onelevel query returns only the users directly in the OU, not the child OU or its contents. A base query returns only the OU and nothing inside it.

Finally, the output format option controls how dsquery formats its results. By default, dsquery returns the distinguished names of all objects that match the query. For example, to query all user objects in the IT OU and any child OUs, run:
dsquery user ou=IT,dc=contoso,dc=com
You can refine the query with additional switches such as -disabled (return only disabled user accounts), -inactive X (return only users who have not logged on for X weeks or more) or -stalepwd X (return only users whose passwords have not changed in X days). Depending on the number of objects in your directory, you may also need the -limit X switch: by default dsquery returns at most 100 matching objects. You can specify a larger number (such as -limit 500) or use -limit 0 to return every matching object. The other sub-commands support equally useful queries on other object types. The following query returns every subnet in the 10.1.x.x address space defined in Active Directory Sites and Services:
dsquery subnet -name 10.1.*
This one returns every subnet assigned to the Corp site:
dsquery subnet -site Corp
With another sub-command you can quickly list the domain controllers in the forest that are configured as Global Catalog servers:
dsquery server -forest -isgc
The same syntax tells you which domain controller in the domain holds the primary domain controller (PDC) emulator flexible single master operations (FSMO) role:
dsquery server -hasfsmo pdc
As with the other ds* commands that have sub-commands, you can type dsquery user /?, dsquery computer /?, dsquery subnet /? and so on at a command prompt to see all the switches available for a particular dsquery sub-command. Another powerful technique is to use the pipe character (Shift+backslash on a US keyboard) to send dsquery output to another tool such as dsmod. For example, if your company has renamed the Training department to Internal Development, you must change the description field of each of its users from the old name to the new one. On a single command line you can query for the user objects whose description is Training and then modify the description of all of them at once:
dsquery user -desc "Training" | dsmod user -desc "Internal Development"

Some third-party products

Because Active Directory is based on the LDAP standard, you can query and modify it with any LDAP-capable tool. Many third-party vendors sell tools that help you manage Active Directory, but sometimes you will find valuable tools offered free to the community. That is the case for the set created by Directory Services MVP Joe Richards, which you can download from joeware.net/freetools. You will find a large number of tools with different functions there; three that I use again and again are adfind, admod, and oldcmp.

Adfind and admod

Adfind and admod are analogous to dsquery and dsmod: adfind is a command line query tool for Active Directory, and admod can create, delete, or modify one or more Active Directory objects. Unlike the ds* tools, with their many sub-commands and object-type-specific switches, adfind and admod use the same syntax regardless of the type of query or modification you perform. The basic adfind syntax is:
adfind -b <SearchBase> -s <SearchScope> -f <SearchFilter>
So a query for the DN and description of every computer object in the domain looks like this:
adfind -b dc=contoso,dc=com -s subtree -f (objectclass=computer) dn description
And a query for all user objects looks like this:
adfind -b dc=contoso,dc=com -s subtree -f "(&(objectcategory=person)
(objectclass=user))" dn description
Note that nothing changes except the LDAP filter. As you use adfind you will find many shortcut switches that cut down on typing. For example, -default replaces -b dc=contoso,dc=com in the examples above and searches the whole domain, and -gc queries a Global Catalog (GC) so that you get, for instance, every user in the Active Directory forest. The -rb switch sets a search base relative to that default. To search the Training OU in the phl.east.us.contoso.com domain you can specify -default -rb ou=Training instead of -b ou=Training,dc=phl,dc=east,dc=us,dc=contoso,dc=com, which saves a lot of typing. Adfind also supports several advanced search functions that are otherwise hard to perform from the command line, as shown in Figure 4. The following example uses the -asq (attribute scoped query) function to display the group memberships of every member of the HelpDesk group:
adfind -default -rb cn=HelpDesk,ou=IT -asq member memberOf
As its name suggests, admod modifies objects in Active Directory. Like adfind, it has no sub-commands with their own syntax to remember: admod uses the same syntax no matter what type of object it is working on. By adding the corresponding switch (such as -add, -rm, -move, or -undel), you can also use admod to add, move, rename, delete, or even undelete objects. Just as with dsquery and dsmod, you can pipe adfind query results into admod with the | character. Note that admod can only undelete (reanimate) tombstoned objects, which have lost most of their attributes; to fully recover an object with all its attributes you still need an authoritative restore.
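The dsquery * sub-command, the csvde/ldifde -r switch and adfind -f all take raw LDAP filters, so here is an added example (not from the article or from joeware) that builds such filters in Python, reproducing the -disabled, -stalepwd and -inactive queries from the dsquery section and escaping any value that comes from a spreadsheet or a user so it cannot rewrite the filter. The reference time SAMPLE_NOW and the attribute values are constructed.

```python
# Added example (not from the article): build the LDAP filters that dsquery *,
# csvde/ldifde -r and adfind -f accept, escaping values per RFC 4515 so a value
# taken from a spreadsheet or a user cannot change the meaning of the query.
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC;
# pwdLastSet and lastLogonTimestamp are stored in that unit.
_FILETIME_EPOCH_OFFSET_SECONDS = 11644473600
# LDAP_MATCHING_RULE_BIT_AND and the ACCOUNTDISABLE bit of userAccountControl.
BIT_AND_RULE = "1.2.840.113556.1.4.803"
UF_ACCOUNTDISABLE = 2
USER_CLASSES = "(objectCategory=person)(objectClass=user)"


def escape_filter_value(value: str) -> str:
    """RFC 4515: backslash, *, (, ) and NUL are written as \\XX hex escapes."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def to_filetime(when: datetime) -> int:
    """Convert an aware datetime to a FILETIME integer (integer math, no float loss)."""
    return (int(when.timestamp()) + _FILETIME_EPOCH_OFFSET_SECONDS) * 10_000_000


def user_filter(**attrs: str) -> str:
    """Users whose listed attributes equal the given values, e.g. description=Training."""
    clauses = "".join(f"({name}={escape_filter_value(v)})" for name, v in attrs.items())
    return f"(&{USER_CLASSES}{clauses})"


def disabled_users_filter() -> str:
    """Same population as dsquery user -disabled."""
    return f"(&{USER_CLASSES}(userAccountControl:{BIT_AND_RULE}:={UF_ACCOUNTDISABLE}))"


def stale_password_filter(days: int, now: datetime) -> str:
    """Same idea as dsquery user -stalepwd X: pwdLastSet at least X days old.
    pwdLastSet=0 (must change at next logon) is excluded so it is not mistaken for stale."""
    cutoff = to_filetime(now - timedelta(days=days))
    return f"(&{USER_CLASSES}(pwdLastSet<={cutoff})(!(pwdLastSet=0)))"


def inactive_users_filter(weeks: int, now: datetime) -> str:
    """Same idea as dsquery user -inactive X. lastLogonTimestamp is replicated but
    only refreshed when older than about 14 days, so treat the result as approximate."""
    cutoff = to_filetime(now - timedelta(weeks=weeks))
    return f"(&{USER_CLASSES}(lastLogonTimestamp<={cutoff}))"


# Constructed reference time so the output is reproducible.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(user_filter(description="Training"))
    print(stale_password_filter(90, SAMPLE_NOW))
```

Each returned string can be passed verbatim as the argument of dsquery * -filter, csvde/ldifde -r or adfind -f (quoted, because of the parentheses and ampersand).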


Another joeware tool that I consider an essential part of the automation toolkit is oldcmp. It scans the Active Directory database for computer accounts that have not been used for a specified number of weeks and can then:
  • Produce a report of the accounts without taking any action
  • Disable the unused computer accounts
  • Move the computer accounts to another OU you specify
  • Delete the computer accounts entirely
Because oldcmp can do serious damage to your directory, it has a number of built-in safety features. It will not delete any account that has not already been disabled (unless you manually specify a "No really, I mean it!" command line switch), it will not modify more than 10 objects at a time unless you specify a similar "No really, I mean it!" switch, and it will not operate on domain controller computer accounts. Although the tool's name suggests otherwise, Joe has updated oldcmp so that it can perform the same functions for user accounts that have been unused for a given period.

GUI tools such as Active Directory Users and Computers may be sufficient for a small Active Directory environment, or for one where you only perform one or two additions or modifications at a time. But if you add and modify large numbers of objects every day, or simply want to streamline routine management tasks, the command line can greatly speed up creating, modifying, and deleting objects in Active Directory. As you have seen, many flexible and powerful tools are available free, either built into Windows or downloadable from members of the Active Directory community. Any of them can make an Active Directory administrator far more productive, and they will quickly become indispensable in your daily work.
