We already know how to get attributes information of an object in a domain, how to create or modify and finally, how to move it. It’s time to learn a command which deletes objects from the domain.
You need to be careful using it because in very simple way, you can delete many objects by mistake!
The command, which deletes objects from the domain is DSRM. This tool is also contextless as DSMOVE and uses Distinguished Name to locate the object in an environment.
Before we start using DSRM, we will discuss a little bit its parameters, to get deeper knowledge about them. It’s important to understand these parameters because you can delete more objects than you need and, you would fall into troubles.
To see what we can do with DSRM, let’s type in command-line
- -noprompt – this switch is responsible for deleting object(s) without confirmation from administrator. By default, when you do not specify it, you are asked if you really want to delete an object. It’s mostly used in batch mode.
- -subtree – when you want to remove the object containing other objects, you need to specify this switch (i.e OU with users/groups/computers or OU with child OUs)
- -subtree -exclude – it deletes all child objects without the top one from which deletion process was initiated
OK, let’s start using it in real. First of all, DSRM relies on Distinguished Name as it was stated earlier in this post. That’s the most simple command execution to delete an object
dsrm <Distinguished Name of an object>
when you execute this syntax above, you will be asked if you are sure to do it. When you confirm, DSRM deletes an object
We have an empty OU within our Active Directory structure and we want to delete it
confirm that you want to delete this object
Now, let’s remove Ann Polack user from the domain. She is not working in a company anymore. But this time we will use DSQUERY with DSRM together. To be able to use piped value, you need to add -noprompt switch, to remove her account. In case that you run command without any switch at the end, it won’t work. DSRM thinks that it was executed inproperly.
dsquery user -name “Ann Polack” | dsrm -noprompt
Let’s see what will happen, if we try to delete an OU where users exist and we do not use -subtree switch
as you can see, command failed because OU object contains another objects. So, re-try this command but with -subtree and -noprompt switches (we don’t want to confirm each object deletion). This command deletes specified OU and all users within it.
dsrm “OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -noprompt -subtree
refresh ADUC view and you will see that OU and all users were deleted
and the last example for -subtree -exclude switches. We want to delete all sub OUs of “wroc” OU but we don’t want to delete “wroc” OU itself
dsrm “OU=wroc,DC=testenv,DC=local” -noprompt -subtree -exclude
and refresh ADCU once again to see what happened
all sub OUs were deleted but the top one from witch we ran deletion process is still available
Author: Krzysztof Pytko
This time, we will learn the first contextless tool, DSMOVE. It does an operation on object’s Distinguished Name, so there is no matter what kind of object it is. The tool can do one of these 2 operations:
- rename object (its common name)
- move object within a domain
to start using it, you need to give as an input Distinguished Name of an object or redirect it over pipe (|) from another command and specify action to do on the object. When you want to move that object to another place (OU or container) within domain, you also need to specify target Distinguished Name of that location (OU or container)
That’s all about prerequisites for DSMOVE. Let’s check how it works in practice.
In our company, we have Ann Smith user, who got married and changed her surname. We modified all necessary attributes using DSMOD but ADUC console still displays her old name. This is because DSMOD tool is limited and cannot change “common name” attribute. For that we need to use DSMOVE with -newname parameter. This parameter changes “common name” of an object specified in a syntax. Rename operation is being done in-place, object is not moved within a tree structure.
dsmove “CN=Ann Smith,OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -newname “Ann Polack”
dsquery user -name “Ann Smith” | dsmove -newname “Ann Polack”
when you refresh view in ADUC console, you see that her name was changed (“common name” attribute was modified)
all you need to change a “common name” of the object is to specify its new name in command’s syntax
The second usage of DSMOVE tool is moving objects within a domain. To be able to move an object from one place to another, you need to specify as the first parameter object’s Distinguished Name, and as the second Distinguished Name of target place.
Let’s check this in a practice.
Our comapany decided to reorganize its OU structure. All IT administrators must be placed within the same OU in whole company, regardless of their office location. So, the old place for administrators in Wroclaw was “it/users/wroc/testenv.local” and now, new OU is created where they need to be moved “all-admins/testenv.local“
to move all users using DSMOVE syntax, you need to use this structure
dsquery user “OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -name * -limit 0 >>c:users.txt
for /f “tokens=* delims=<quote>” %i in (c:users.txt) do dsmove %i -newparent “OU=all-admins,DC=testenv,DC=local”
and all of them will be moved to the new Organizational Unit (OU)
You can also use DSMOVE tool to move object to another place with new name (renaming it)
dsmove “OU=all-admins,DC=testenv,DC=local” -newparent “OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -newname “admins”
refresh domain view in ADUC console and you will see that there is no more “all-admins” OU. When you expand “wroc” OU and its sub OUs, you notice that there is new OU named “admins” under “it”
and one more important thing. When you moved OU to the new location (with changed name or not) all objects from it, were also moved
Author: Krzysztof Pytko
OK, we know, how to query AD for objects and how to get some information from them. We also already know, how to add completely new, non-existing AD object. But what if we want to modify some attributes of the existing objects in our environment? Do we have that possibility? The answer is, YES, we have. For that we need to use DSMOD tool which allows for changing object’s attributes. This tool doesn’t allow to change any attribute but only those predefined in it. How to check what we can modify using this tool? It’s simple, in command-line type
dsmod <context> /?
then we will receive all possible attributes to modify within that particular context.
Why we may want to use DSMOD in our environment? I can do all those things in Active Directory Users and Computers console much more simple and faster. Actually, it’s true for single object. But what if we need to modify a hundreds of user/group attributes or we want to add many users into a domain group? Does it still convenient to use ADUC console? In the most cases, yes 🙂 But you also may to wish to do that using command-line tools. Then DSMOD tool comes with its help.
Let’s see what DSMOD offers us to simplify AD objects management.
There is the only one attribute in DSMOD which cannot be modified using ADUC by default. This attribute is “Employee ID“. However, it’s not a big problem to implement solution, allowing employee ID changes using GUI. Please visit Mike’s blog, there is great entry for that (“Add Employee ID field – ADUC“)
but going back to command-line tool, let’s try to modify employee ID for a single user with DSMOD syntax
dsmod user “CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -empid “PL1230987”
after executing this command, employee ID of Krzysztof Pytko users in testenv.local domain will be changed to PL1230987
so, what if we don’t want to type whole Distinguished Name of a user? Then we can use DSQUERY with DSMOD together.
dsquery user -name “Krzysztof Pytko” | dsmod user -empid “PL1230987”
Now, it’s time to see if this attribute was really modified. Run this command to verify that
dsquery user -name “Krzysztof Pytko” | dsget user -empid
That was simple, man, we had only one user to modify. What if our HR department gives us a list where a lot of users are inserted? This is not a big problem. We only need to prepare a text file with atrributes separator to tell command-line script how to treat values within a file. The most simle way to achieve that is separate full user’s name with comma character (,) from employee ID. The file can look like
this file can be saved on a C-Drive, named as empIDs.txt and then in command-line use
for /f “tokens=1,2 delims=,” %i in (c:empIDs.txt) do dsquery user -name “%i” | dsmod user -empid %j
OK, but what all of those parameters mean?
We needed to use loop to reapeat command for each user’s object. With /f switch, loop command works with file(s)
in our text file we have two values, user full name and its employee ID. We need to declare how variables will be used in a syntax. We declared to use 2 variables which are separated in a file by comma (,)
this is the first variable from which we start declaration
search values for decalred variabled in a file empIDs.txt located on C-Drive
start executing command in a loop
dsquery user -name “%i”
do AD query for user object named with value of %i variable. %i variable stores full name which contains space, so we need to place it in quotes
redirect DSQUERY output to another command
dsmod user -empid %j
modify user’s employee ID. User’s Distinguished Name was received from pipe (|) of previous command. %j variable stores employee ID value from text file
That’s all about modifying user objects in AD. Other attributes can be changed in similar way or you can use ADUC console for that.
Note: DSMOD is limited tool and you must remember when you change user name in Active Directory, its common name (CN) is not changed during that operation. To change CN you need to use DSMOVE tool.
Now, let’s see how we can add many users into single domain group or one user into many domain groups.
To add user into domain group we can use this syntax
dsmod group “<Distinguished Name of a group>” -addmbr “<Distinguished Name of a user>”
dsmod group “CN=gg-it-wroc-common,OU=groups,OU=wroc,DC=testenv,DC=local” -addmbr “CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local”
Now, user Krzysztof Pytko is added into gg-it-wroc-common domain group. OK but we can simplify this in two-ways, using output of DSQUERY command. Let’s see how it would look like
- we will query for a user object and redirect its DN to DSMODcommanddsquery user -name “Krzysztof Pytko” | dsmod group “CN=gg-it-wroc-common,OU=groups,OU=wroc,DC=testenv,DC=local” -addmb
- we will query domain for a group object and redirect its DN to DSMODcommanddsquery group -name gg-it-wroc-common | dsmod group -addmbr “CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local”
We can see, that we can replace one “static” DN in a syntax and get its value from pipe output. Basing on that, we can try to prepare a script to get users from a text file and add them to one domain group (gg-it-wroc-common). In this case our users text file will have only logins and it will be located on C-Drive in users.txt file.
for /f %i in (c:users.txt) do dsquery user -samid %i | dsmod group “CN=gg-it-wroc-common,OU=groups,OU=wroc,DC=testenv,DC=local” -addmbr
This time, we don’t need to declare more variables because we will use the only one. As you can see, all users from text file were added to gg-it-wroc-common group
OK, now we will add one users into many domain groups using similar concept. Text file will have domain group names instead of users and it will be saved on C-Drive as groups.txt
for /f %i in (c:groups.txt) do dsquery group -samid “%i” | dsmod group -addmbr “CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local”
At the and, I will explain what is the difference between -addmbr and -chmbr switches
When your domain group has members and you only want to add another user(s), preserving existing ones, you need to use this switch
when your group has members and you want to change existing group membership (overwrite) with new members only, then this switch is appropriate to do that
Author: Krzysztof Pytko