Microsoft DS Tools – part 5



OK, we know how to query AD for objects and how to get some information from them. We also already know how to add a completely new, non-existing AD object. But what if we want to modify some attributes of existing objects in our environment? Do we have that possibility? The answer is YES, we have. For that we need to use the DSMOD tool, which allows changing an object's attributes. This tool cannot change arbitrary attributes, only those predefined in it. How to check what we can modify using this tool? It's simple, in the command line type

dsmod <context> /?

[Screenshot: user's attributes available to modify]

and we will receive all attributes that can be modified within that particular context.

Why might we want to use DSMOD in our environment? I can do all those things in the Active Directory Users and Computers console much more simply and faster. Actually, that's true for a single object. But what if we need to modify hundreds of user/group attributes, or we want to add many users into a domain group? Is it still convenient to use the ADUC console? In most cases, yes 🙂 But you may also wish to do that using command-line tools. Then the DSMOD tool comes to help.

Let’s see what DSMOD offers us to simplify AD objects management.

There is only one attribute in DSMOD which cannot be modified using ADUC by default. This attribute is "Employee ID". However, it's not a big problem to implement a solution allowing employee ID changes using the GUI. Please visit Mike's blog, there is a great entry for that ("Add Employee ID field – ADUC").

But going back to the command-line tool, let's try to modify the employee ID for a single user with the DSMOD syntax

dsmod user "CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local" -empid "PL1230987"

After executing this command, the employee ID of the user Krzysztof Pytko in the testenv.local domain will be changed to PL1230987.

So, what if we don't want to type the whole Distinguished Name of a user? Then we can use DSQUERY together with DSMOD.

dsquery user -name "Krzysztof Pytko" | dsmod user -empid "PL1230987"

Now, it's time to see if this attribute was really modified. Run this command to verify that

dsquery user -name "Krzysztof Pytko" | dsget user -empid

[Screenshot: Employee ID shown by dsget]

That was simple, man, we had only one user to modify. What if our HR department gives us a list with a lot of users? This is not a big problem. We only need to prepare a text file with an attribute separator, to tell the command-line script how to treat the values within the file. The simplest way to achieve that is to separate the user's full name from the employee ID with a comma character (,). The file can look like

Ann Smith,PL4320654
First NewUser,PL1235863
Second OldUser,PL2985999
Thirt User,PL1110777
Fourth AnotherUser,PL6420231
John Doe,PL0006722

This file can be saved on the C-Drive as empIDs.txt, and then in the command line use

for /f "tokens=1,2 delims=," %i in (c:\empIDs.txt) do dsquery user -name "%i" | dsmod user -empid %j

OK, but what do all of those parameters mean?

We need a loop to repeat the command for each user object. With the /f switch, the for command reads its input from a file (or from the output of a command).

"tokens=1,2 delims=,"
in our text file each line holds two values, the user's full name and the employee ID. We need to declare how they are mapped to variables. We declared 2 tokens, which are separated in the file by a comma (,)

%i
this is the first variable, from which we start the declaration; the second token is automatically assigned to the next letter, %j

in (c:\empIDs.txt)
read the lines for the declared variables from the file empIDs.txt located on the C-Drive

do
start executing the command in the loop, once per line of the file

dsquery user -name "%i"
query AD for the user object whose name is the value of the %i variable. %i stores the full name, which contains a space, so we need to place it in quotes

|
redirect (pipe) the DSQUERY output to the next command

dsmod user -empid %j
modify the user's employee ID. The user's Distinguished Name is received from the pipe (|) of the previous command, and the %j variable stores the employee ID value from the text file
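The same bulk update written as a batch file, as an added example that is not part of the original post. Inside a .bat file the loop variables are written %%i and %%j instead of %i and %j. It differs from the one-liner above in one respect a practitioner usually wants: the DN is resolved first and the change is applied only when dsquery returns exactly one object, so a name that matches zero or several users (the same CN in two OUs, for example) is logged and skipped instead of being modified. The file paths, the log format and the "Full Name,EmployeeID" layout of C:\empIDs.txt are assumptions, and the script expects the DS Tools (dsquery, dsmod) to be available on a domain-joined host.

```batch
@echo off
rem Added example, not from the original post: bulk employee ID update as a .bat
rem file. Assumes C:\empIDs.txt holds lines of the form "Full Name,EmployeeID"
rem and that dsquery/dsmod are installed. The log path is an assumption too.
setlocal EnableDelayedExpansion
set "INFILE=C:\empIDs.txt"
set "LOG=C:\empIDs-result.txt"

for /f "usebackq tokens=1,2 delims=," %%i in ("%INFILE%") do (
    rem Resolve the DN first instead of piping straight into dsmod, so a name
    rem that matches zero or several objects is reported rather than applied.
    set "COUNT=0"
    set "DN="
    for /f "usebackq delims=" %%d in (`dsquery user -name "%%i"`) do (
        set /a COUNT+=1
        set "DN=%%d"
    )
    if "!COUNT!"=="1" (
        rem dsquery already returns the DN in double quotes, so !DN! is passed as-is.
        dsmod user !DN! -empid "%%j" >nul 2>&1
        if errorlevel 1 (
            >>"%LOG%" echo %%i;!DN!;ERROR dsmod failed
        ) else (
            >>"%LOG%" echo %%i;!DN!;empid set to %%j
        )
    ) else (
        >>"%LOG%" echo %%i;;SKIPPED - dsquery returned !COUNT! objects
    )
)
echo Done, see "%LOG%"
endlocal
```

Run it from an elevated command prompt as an account allowed to write the employeeID attribute; the result file gives you one line per input name, which is what you want to keep next to the HR list as the record of what was changed.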

That’s all about modifying user objects in AD. Other attributes can be changed in similar way or you can use ADUC console for that.

Note: DSMOD is a limited tool, and you must remember that when you change a user's name in Active Directory, its common name (CN) is not changed by that operation. To change the CN you need to use the DSMOVE tool.

Now, let’s see how we can add many users into single domain group or one user into many domain groups.

To add a user into a domain group we can use this syntax

dsmod group "<Distinguished Name of a group>" -addmbr "<Distinguished Name of a user>"

dsmod group "CN=gg-it-wroc-common,OU=groups,OU=wroc,DC=testenv,DC=local" -addmbr "CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local"

[Screenshot: command execution output, user added into domain group]

Now, user Krzysztof Pytko is added into the gg-it-wroc-common domain group. OK, but we can simplify this in two ways, using the output of the DSQUERY command. Let's see how it would look

  1. we will query for a user object and redirect its DN to the DSMOD command

dsquery user -name "Krzysztof Pytko" | dsmod group "CN=gg-it-wroc-common,OU=groups,OU=wroc,DC=testenv,DC=local" -addmbr

    [Screenshot: command execution output]

  2. we will query the domain for a group object and redirect its DN to the DSMOD command

dsquery group -name gg-it-wroc-common | dsmod group -addmbr "CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local"

    [Screenshot: command execution output]

We can see that we can replace one "static" DN in the syntax and take its value from the pipe output. Based on that, we can try to prepare a script that reads users from a text file and adds them to one domain group (gg-it-wroc-common). In this case our users text file will contain only logins and will be located on the C-Drive as users.txt.

for /f %i in (c:\users.txt) do dsquery user -samid %i | dsmod group "CN=gg-it-wroc-common,OU=groups,OU=wroc,DC=testenv,DC=local" -addmbr

[Screenshot: command execution output]

This time we don't need to declare more variables, because we use only one. As you can see, all users from the text file were added to the gg-it-wroc-common group.

OK, now we will add one user into many domain groups using a similar concept. The text file will contain domain group names instead of users and will be saved on the C-Drive as groups.txt

for /f %i in (c:\groups.txt) do dsquery group -samid "%i" | dsmod group -addmbr "CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local"

[Screenshot: command execution output]

At the end, I will explain the difference between the -addmbr and -chmbr switches

-addmbr
when your domain group already has members and you only want to add another user(s), preserving the existing ones, you need to use this switch

-chmbr
when your group has members and you want to change (overwrite) the existing group membership with the new members only, then this switch is the appropriate one
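An added example, not from the original post, that covers both the bulk "users from a file into one group" loop and the -addmbr/-chmbr distinction: before any member is added, the group's current membership is written to a snapshot file with dsget, so the change can be audited or undone, and -addmbr is used so existing members are kept (with -chmbr in its place, the group would end up containing only the users listed in the file). Each login is resolved with dsquery -samid before dsmod runs, so an unknown login is reported instead of silently producing an empty pipe. The group DN is the one used in this post; the file paths and the snapshot name are assumptions.

```batch
@echo off
rem Added example, not from the original post: add every login in C:\users.txt
rem to one group after saving the group's current member list. Paths and the
rem snapshot file name are assumptions; the group DN is the one used in the post.
setlocal EnableDelayedExpansion
set "GROUPDN=CN=gg-it-wroc-common,OU=groups,OU=wroc,DC=testenv,DC=local"
set "INFILE=C:\users.txt"
set "SNAPSHOT=C:\gg-it-wroc-common-members-before.txt"

rem 1. Snapshot the membership as it is now, before anything is changed.
dsget group "%GROUPDN%" -members > "%SNAPSHOT%"
if errorlevel 1 (
    echo Could not read the members of %GROUPDN%, aborting
    exit /b 1
)

rem 2. Add the listed users one by one. -addmbr keeps the existing members;
rem    -chmbr would instead replace the whole membership with these users.
for /f "usebackq" %%u in ("%INFILE%") do (
    set "DN="
    for /f "usebackq delims=" %%d in (`dsquery user -samid "%%u"`) do set "DN=%%d"
    if defined DN (
        dsmod group "%GROUPDN%" -addmbr !DN! >nul 2>&1
        if errorlevel 1 (echo %%u: dsmod -addmbr failed) else (echo %%u: added)
    ) else (
        echo %%u: no user with this sAMAccountName, skipped
    )
)

rem 3. Show the membership after the change next to the snapshot taken before it.
echo --- members before, from "%SNAPSHOT%" ---
type "%SNAPSHOT%"
echo --- members now ---
dsget group "%GROUPDN%" -members
endlocal
```

Keep the snapshot file with the change request: if a login in the list turns out to be wrong, the "before" list is exactly what you need to restore the group, and comparing the two dsget listings is the quickest check that only the intended accounts were added.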

That’s all.


Author: Krzysztof Pytko

