Sunday, August 7, 2011

Users Groups Computers

There are three ways to manage objects in AD: the GUI, the command line (dsadd and friends) and scripting with PowerShell or VBScript. I have summarised creating new objects, modification, enquiry, deletion and other maintenance.

· Dsadd - creates an object in the directory.
· Dsget - returns specified attributes of an object.
· Dsmod - modifies specified attributes of an object.
· Dsmove - moves an object to a new container or OU.
· Dsrm - removes an object, all objects in the subtree beneath a container object, or both.
· Dsquery - performs a query based on parameters provided at the command line and returns a list of matching objects. By default, the result set is presented as the distinguished names (DNs) of each object, but you can use the -o parameter with modifiers such as dn, rdn, upn, or samid to receive the results as DNs, relative DNs, user principal names (UPNs), or pre-Windows 2000 logon names (security accounts manager [SAM] IDs).

Create New Objects

GUI: ‘Active Directory Users and Computers’

CMD: dsadd
· dsadd computer - adds a computer to the directory.
· dsadd contact - adds a contact to the directory.
· dsadd group - adds a group to the directory.
· dsadd ou - adds an organizational unit to the directory.
· dsadd user - adds a user to the directory.
· dsadd quota - adds a quota specification to a directory partition.

If you do not supply a target object at the command prompt, the target object is obtained from standard input (stdin). Stdin data can be accepted from the keyboard, a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use Control+Z, for End of File (EOF).

If a value that you supply contains spaces, use quotation marks around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").

If you enter multiple values, the values must be separated by spaces (for example, a list of distinguished names).

The special token $username$ (case insensitive) may be used to place the SAM account name in the value of a parameter. For example, if the target user DN is CN=Jane Doe,CN=users,CN=microsoft,CN=com and the SAM account name attribute is "janed", the -hmdir parameter can have the following substitution:

    -hmdir \users\$username$\home

The value of the -hmdir parameter is modified to the following value:

    -hmdir \users\janed\home

    dsadd user "User DN" -samid "pre-Windows 2000 logon name" -pwd {Password | *} -mustchpwd yes

Importing Users with CSVDE
    csvde [-i] [-f Filename] [-k]


    $objOU = [ADSI]"LDAP://OU=Test,DC=microsoft,DC=com"                    # bind to the parent OU first (placeholder DN)
    $objUser = $objOU.Create("user","CN=Mary North"); $objUser.SetInfo()   # SetInfo() commits the new object to AD


Inquiry and search

GUI: ‘Active Directory Users and Computers’. We are all familiar with this tool and it is easy to use, but if the organisation has 10,000 usernames, finding what you want is no longer easy. That is where ‘Saved Queries’ comes into play.

Saved Queries

This is quite handy: for instance, you can save a query for all disabled and non-expiring accounts, which lets you find all disabled accounts very quickly.

It is not displayed in ‘Server Manager’; it shows up in ‘Active Directory Users and Computers’.

Using the Select Users, Contacts, Computers, Or Groups Dialog Box

· Multiple names can be entered, separated by semicolons.

CMD: dsquery

· dsquery computer - finds computers in the directory.
· dsquery contact - finds contacts in the directory.
· dsquery subnet - finds subnets in the directory.
· dsquery group - finds groups in the directory.
· dsquery ou - finds organizational units in the directory.
· dsquery site - finds sites in the directory.
· dsquery server - finds AD DCs/LDS instances in the directory.
· dsquery user - finds users in the directory.
· dsquery quota - finds quota specifications in the directory.
· dsquery partition - finds partitions in the directory.
· dsquery * - finds any object in the directory by using a generic LDAP query.

To find all users in a given organizational unit (OU) whose name starts with "jon" and whose account has been disabled for logon and display their user principal names (UPNs):

    dsquery user ou=Test,dc=microsoft,dc=com -o upn -name jon* -disabled

To find all users in only the current domain, whose names end with "smith" and who have been inactive for 3 weeks or more, and display their DNs:

    dsquery user domainroot -name *smith -inactive 3

To find all users in the OU given by ou=sales,dc=microsoft,dc=com and display their UPNs:

    dsquery user ou=sales,dc=microsoft,dc=com -o upn

PS/VB Script:
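The three dsquery searches above, plus the "disabled and non-expiring accounts" saved query from the GUI section, done from PowerShell with ADSI (the same object model as the $objOU.Create example). This is an added example, not code from the original post; the OU path is a placeholder and the searches are all scoped to that OU rather than domainroot.

```powershell
# Added example (not part of the original post): dsquery-style searches via ADSI.
$SearchBase    = "LDAP://OU=Test,DC=microsoft,DC=com"   # assumed placeholder, replace with your OU
$InactiveWeeks = 3                                       # mirrors the "-inactive 3" dsquery example

# userAccountControl flag bits; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule
$UAC_DISABLED    = 2
$UAC_DONT_EXPIRE = 65536
$BitAnd          = "1.2.840.113556.1.4.803"

function Search-Users([string]$Filter, [string[]]$Attributes) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$SearchBase
    $searcher.Filter     = "(&(objectCategory=person)(objectClass=user)$Filter)"
    $searcher.PageSize   = 1000   # paged search; without it results stop at the server's 1000-object limit
    foreach ($a in $Attributes) { [void]$searcher.PropertiesToLoad.Add($a) }
    $searcher.FindAll()
}

# 1) dsquery user ou=Test,dc=microsoft,dc=com -o upn -name jon* -disabled
Search-Users "(cn=jon*)(userAccountControl:${BitAnd}:=$UAC_DISABLED)" @("userPrincipalName") |
    ForEach-Object { $_.Properties["userprincipalname"][0] }

# 2) dsquery user domainroot -name *smith -inactive 3  (scoped to $SearchBase here)
# lastLogonTimestamp is replicated to every DC but only refreshed about every 14 days,
# so the cut-off is approximate; accounts that have never logged on carry no value and are skipped.
$cutoff = (Get-Date).AddDays(-7 * $InactiveWeeks).ToFileTime()
Search-Users "(cn=*smith)(lastLogonTimestamp<=$cutoff)" @("distinguishedName") |
    ForEach-Object { $_.Properties["distinguishedname"][0] }

# 3) the saved query from the GUI section: disabled accounts whose password never expires
Search-Users "(userAccountControl:${BitAnd}:=$UAC_DISABLED)(userAccountControl:${BitAnd}:=$UAC_DONT_EXPIRE)" `
             @("sAMAccountName") |
    ForEach-Object { $_.Properties["samaccountname"][0] }
```

Run it on a domain-joined machine as an account that can read the OU; no RSAT or ActiveDirectory module is required because everything goes through System.DirectoryServices.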


Permission ACL