Moving Accounts with dsmove
You can move accounts to different OUs or containers with the dsmove command. The difficult part about this task is building the DN, but if you’ve mastered the DN, the command is simple.
Note
You can also move objects with the Active Directory Migration Tool (ADMT) and with the ldifde command.
| dsmove Command | Comments |
|---|---|
| Move an object from one OU to another OU.<br>`dsmove dn -newparent parentdn`<br>`C:\>dsmove "cn=joe,ou=east,ou=sales,dc=pearson,dc=pub" -newparent "ou=west,ou=sales,dc=pearson,dc=pub"`<br>`C:\>dsmove "cn=joe,ou=west,ou=sales,dc=pearson,dc=pub" -newparent "ou=east,ou=sales,dc=pearson,dc=pub"` | This example moves a user account from the sales\east OU to the sales\west OU and then back. |
Removing Objects with dsrm
Finally, you can remove objects with the dsrm command. The basic syntax is shown in the following table.
| dsrm Command | Comments |
|---|---|
| Delete an object.<br>`dsrm dn [-noprompt]`<br>`C:\>dsrm "cn=joe,ou=east,ou=sales,dc=pearson,dc=pub"`<br>`C:\>dsrm "cn=joe,ou=east,ou=sales,dc=pearson,dc=pub" -noprompt` | This example removes the specified user account. You are prompted to confirm the removal, but you can suppress the prompt with the -noprompt switch. |
Retrieving Information about Objects with dsquery
You can use the dsquery command to retrieve information about objects in Active Directory (AD). A benefit of dsquery is that you can retrieve multiple objects at the same time by specifying filter criteria. The basic syntax of the dsquery command is
`dsquery object-type dn -property property-value`
The following table shows some examples of how to use the dsquery command to retrieve multiple objects.
| dsquery Command | Comments |
|---|---|
| Retrieve all the groups in an Organizational Unit (OU).<br>`dsquery group dn`<br>`C:\>dsquery group "ou=east,ou=sales,dc=pearson,dc=pub"` | Retrieves a list of all the groups in the sales\east OU.<br>Note: The only thing you need to add is the distinguished name (DN). |
| Retrieve all the groups in an OU matching a specific name.<br>`dsquery group dn -name name`<br>`C:\>dsquery group "ou=east,ou=sales,dc=pearson,dc=pub" -name IT*` | You can use the -name switch to identify all the groups with specific names, and you can also use the asterisk (*) wildcard. This example retrieves a list of all the groups in the sales\east OU that have a name that starts with "IT." |
| Retrieve a listing of all users in the domain or in an OU.<br>`dsquery user dn`<br>`C:\>dsquery user "dc=pearson,dc=pub"`<br>`C:\>dsquery user "ou=sales,dc=pearson,dc=pub"`<br>`C:\>dsquery user "ou=sales,dc=pearson,dc=pub" -scope base` | Retrieves a listing of all objects of the given type, such as all users or all computers. The dn identifies the search range. The first example lists all users in the domain. The second example lists all users in the Sales OU and its child OUs. The third example limits the scope to the base OU (Sales) and lists all users in the Sales OU only (not child OUs). |
| Identify inactive accounts.<br>`dsquery object-type dn -inactive number-of-weeks`<br>`C:\>dsquery user "dc=pearson,dc=pub" -inactive 4`<br>`C:\>dsquery computer "dc=pearson,dc=pub" -inactive 4` | The -inactive switch identifies inactive accounts. These examples retrieve any user accounts and computer accounts that have not been logged on to in the past four weeks. |
| Identify accounts with stale passwords.<br>`dsquery user dn -stalepwd number-of-days`<br>`C:\>dsquery user "dc=pearson,dc=pub" -stalepwd 45` | A stale password hasn't been changed in a specific number of days.<br>Tip: Use this to locate service accounts that have the Password Never Expires setting enabled and haven't had their passwords changed within a given time. |
| Locate disabled accounts.<br>`dsquery user dn -disabled`<br>`C:\>dsquery user "dc=pearson,dc=pub" -disabled` | Locates all disabled accounts. |
An added benefit of the dsquery command is that you can use it to modify multiple objects at the same time. You can pipe the results of the dsquery command to another command such as the dsmod command. The basic format is
`dsquery command | dsmod command`
Note
Piping or pipelining is done by adding a pipe character (|) between the commands. The output of the first command becomes the input of the second command.
The following table shows a few examples where you can pipe the results of a dsquery command to a dsmod command.
| dsquery Command | Comments |
|---|---|
| Disable inactive accounts.<br>`dsquery object-type dn -inactive number-of-weeks \| dsmod user -disabled yes`<br>`C:\>dsquery user "dc=pearson,dc=pub" -inactive 4 \| dsmod user -disabled yes` | This example (shown in Figure 8-1) uses a query to identify accounts that are inactive, and then passes the list to the dsmod command. The dsmod command then disables all accounts in the list. |
| Modify a property for a group of users.<br>`dsquery user dn \| dsmod user -office value`<br>`C:\>dsquery user "ou=east,ou=sales,dc=pearson,dc=pub" \| dsmod user -office "East Sales"` | This example first retrieves a list of all users in the sales\east OU and passes this list to the dsmod command. The dsmod command uses the -office switch to change the office name to East Sales for each of the users.<br>Note: Because the office name East Sales has a space, it must be enclosed in quotes.<br>Tip: In Figure 1, the first command is the dsquery command by itself. This is a good practice so that you know what you will modify before actually modifying it. |
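The two hard parts of this chapter are building the DN that dsmove needs and knowing exactly which objects a dsquery will hand to dsmod before you pipe it. The following Python helpers, an added example that is not part of the original text or of the Windows tools themselves, cover both: they split a DN into its RDNs without breaking on a backslash-escaped comma (a name such as `cn=Smith\, John`, as AD produces for "Last, First" display names), compute the DN an object will have after a `dsmove ... -newparent`, and turn a constructed block of dsquery output into a reviewed list from which an explicit dsmod command line is built. The function names and the sample dsquery output are assumptions for illustration; nothing here contacts Active Directory.

```python
"""Added example (not from the original text): helpers for the DN handling
that dsmove, dsquery and dsmod rely on. The function names and the sample
dsquery output are constructed for illustration; nothing here contacts AD."""
from typing import List


def split_dn(dn: str) -> List[str]:
    """Split a distinguished name into its RDNs.

    A plain str.split(",") breaks on names such as cn=Smith\\, John, where
    the comma is escaped with a backslash (RFC 4514), and on legacy quoted
    values. Backslash-escapes and double-quoted runs are kept intact, and
    optional whitespace after each separator is dropped."""
    parts: List[str] = []
    buf: List[str] = []
    in_quotes = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape and the escaped char
            buf.append(ch)
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:       # an unescaped comma separates RDNs
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def move_target(dn: str, new_parent: str) -> str:
    """DN an object will have after `dsmove dn -newparent new_parent`:
    the leading RDN is kept and everything else becomes the new parent."""
    return ",".join([split_dn(dn)[0]] + split_dn(new_parent))


def is_under(dn: str, base: str, direct_only: bool = False) -> bool:
    """True when dn lies below base. AD DNs compare case-insensitively, so
    dsquery's upper-case output (CN=..., OU=...) still matches a lower-case
    search base. direct_only accepts only immediate children of base."""
    parts = [p.lower() for p in split_dn(dn)]
    base_parts = [p.lower() for p in split_dn(base)]
    if len(parts) <= len(base_parts) or parts[-len(base_parts):] != base_parts:
        return False
    return len(parts) == len(base_parts) + 1 if direct_only else True


def parse_dsquery_output(text: str) -> List[str]:
    """dsquery prints one double-quoted DN per line; return the bare DNs so
    the list can be inspected before it is handed to dsmod."""
    dns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('"') and line.endswith('"'):
            line = line[1:-1]
        dns.append(line)
    return dns


def dsmod_command(object_type: str, dns: List[str], switch: str, value: str) -> str:
    """Build the equivalent of `dsquery ... | dsmod ...` as one explicit
    command line. Every DN and the value are double-quoted, which a value
    containing a space (for example "East Sales") requires anyway."""
    quoted = " ".join(f'"{d}"' for d in dns)
    return f'dsmod {object_type} {quoted} {switch} "{value}"'


# Constructed stand-in for the output of
#   dsquery user "ou=sales,dc=pearson,dc=pub"
SAMPLE_DSQUERY_OUTPUT = """\
"CN=joe,OU=east,OU=sales,DC=pearson,DC=pub"
"CN=Smith\\, John,OU=east,OU=sales,DC=pearson,DC=pub"
"CN=svc-backup,OU=services,OU=sales,DC=pearson,DC=pub"
"""


def east_sales_users(text: str = SAMPLE_DSQUERY_OUTPUT) -> List[str]:
    """Review step: keep only the users that sit directly in sales\\east,
    so a broader query is not blindly piped into dsmod."""
    base = "ou=east,ou=sales,dc=pearson,dc=pub"
    return [d for d in parse_dsquery_output(text) if is_under(d, base, direct_only=True)]


if __name__ == "__main__":
    print(move_target("cn=joe,ou=east,ou=sales,dc=pearson,dc=pub",
                      "ou=west,ou=sales,dc=pearson,dc=pub"))
    selected = east_sales_users()
    for d in selected:
        print("will modify:", d)
    print(dsmod_command("user", selected, "-office", "East Sales"))
```

The review step mirrors the chapter's tip: run the query, look at the DNs it returns (here filtered to the intended OU), and only then build the dsmod command over that exact list. The `svc-backup` account in a sibling OU is dropped by the filter, which is the kind of object a broad `dsquery user` would otherwise sweep into a bulk change.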