Microsoft DS Tools – part 6
This time, we will learn the first contextless tool, DSMOVE. It does an operation on object’s Distinguished Name, so there is no matter what kind of object it is. The tool can do one of these 2 operations:
- rename object (its common name)
- move object within a domain
to start using it, you need to give as an input Distinguished Name of an object or redirect it over pipe (|) from another command and specify action to do on the object. When you want to move that object to another place (OU or container) within domain, you also need to specify target Distinguished Name of that location (OU or container)
That’s all about prerequisites for DSMOVE. Let’s check how it works in practice.
In our company, we have Ann Smith user, who got married and changed her surname. We modified all necessary attributes using DSMOD but ADUC console still displays her old name. This is because DSMOD tool is limited and cannot change “common name” attribute. For that we need to use DSMOVE with -newname parameter. This parameter changes “common name” of an object specified in a syntax. Rename operation is being done in-place, object is not moved within a tree structure.
dsmove “CN=Ann Smith,OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -newname “Ann Polack”
dsquery user -name “Ann Smith” | dsmove -newname “Ann Polack”
when you refresh view in ADUC console, you see that her name was changed (“common name” attribute was modified)
all you need to change a “common name” of the object is to specify its new name in command’s syntax
The second usage of DSMOVE tool is moving objects within a domain. To be able to move an object from one place to another, you need to specify as the first parameter object’s Distinguished Name, and as the second Distinguished Name of target place.
Let’s check this in a practice.
Our comapany decided to reorganize its OU structure. All IT administrators must be placed within the same OU in whole company, regardless of their office location. So, the old place for administrators in Wroclaw was “it/users/wroc/testenv.local” and now, new OU is created where they need to be moved “all-admins/testenv.local“
to move all users using DSMOVE syntax, you need to use this structure
dsquery user “OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -name * -limit 0 >>c:users.txt
for /f “tokens=* delims=<quote>” %i in (c:users.txt) do dsmove %i -newparent “OU=all-admins,DC=testenv,DC=local”
and all of them will be moved to the new Organizational Unit (OU)
You can also use DSMOVE tool to move object to another place with new name (renaming it)
dsmove “OU=all-admins,DC=testenv,DC=local” -newparent “OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -newname “admins”
refresh domain view in ADUC console and you will see that there is no more “all-admins” OU. When you expand “wroc” OU and its sub OUs, you notice that there is new OU named “admins” under “it”
and one more important thing. When you moved OU to the new location (with changed name or not) all objects from it, were also moved
Author: Krzysztof Pytko