Microsoft DS Tools – part 7



We already know how to read the attributes of an object in a domain, how to create or modify an object and, finally, how to move it. It’s time to learn a command that deletes objects from the domain.

You need to be careful when using it, because it is very easy to delete many objects by mistake!

The command that deletes objects from the domain is DSRM. Like DSMOVE, this tool is contextless and uses the Distinguished Name to locate the object in the environment.

Before we start using DSRM, we will briefly discuss its parameters. It’s important to understand them, because otherwise you can delete more objects than you intended and get into trouble.

To see what we can do with DSRM, type at the command line

dsrm /?

DSRM command switches

  • -noprompt – deletes object(s) without asking the administrator for confirmation. By default, when you do not specify it, you are asked whether you really want to delete the object. It’s mostly used in batch mode.
  • -subtree – required when the object you want to remove contains other objects (e.g. an OU with users/groups/computers or an OU with child OUs)
  • -subtree -exclude – deletes all child objects but keeps the top-level object from which the deletion process was started

OK, let’s put it to use. As stated earlier in this post, DSRM relies on the Distinguished Name. The simplest command to delete an object is

dsrm <Distinguished Name of an object>

When you execute the syntax above, you will be asked whether you are sure you want to do it. When you confirm, DSRM deletes the object.

We have an empty OU within our Active Directory structure and we want to delete it.

OU to delete

dsrm "OU=admins,OU=it,OU=users,OU=wroc,DC=testenv,DC=local"

Confirm that you want to delete this object.

Command execution output

Now, let’s remove the user Ann Polack from the domain. She no longer works at the company. This time we will use DSQUERY together with DSRM. To be able to use the piped value, you need to add the -noprompt switch to remove her account. If you run the command without any switch at the end, it won’t work: DSRM thinks that it was executed improperly.

dsquery user -name "Ann Polack" | dsrm -noprompt

Command execution output

Let’s see what happens if we try to delete an OU that contains users and we do not use the -subtree switch

dsrm "OU=it,OU=users,OU=wroc,DC=testenv,DC=local"

Command execution output

As you can see, the command failed because the OU object contains other objects. So, retry the command with the -subtree and -noprompt switches (we don’t want to confirm each object deletion). This command deletes the specified OU and all users within it.

dsrm "OU=it,OU=users,OU=wroc,DC=testenv,DC=local" -noprompt -subtree

Command execution output

Refresh the ADUC view and you will see that the OU and all its users were deleted.

Refreshed OU structure

The last example covers the -subtree -exclude switches. We want to delete all sub-OUs of the “wroc” OU, but we don’t want to delete the “wroc” OU itself

dsrm "OU=wroc,DC=testenv,DC=local" -noprompt -subtree -exclude

Command execution output

Refresh ADUC once again to see what happened.

Refreshed OU structure

All sub-OUs were deleted, but the top one from which we ran the deletion process is still available.
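
Because -subtree combined with -noprompt removes a whole branch without asking, it helps to list what sits under the DN before DSRM runs. The batch wrapper below is an added example, not part of the original post; the script name, the temp-file name and the confirm-by-count step are assumptions chosen for illustration. It previews the branch with dsquery and only calls dsrm when the operator types back the exact object count.

```batch
@echo off
rem safe-dsrm.cmd (hypothetical name) - preview a subtree, then delete it.
rem Usage: safe-dsrm.cmd "OU=it,OU=users,OU=wroc,DC=testenv,DC=local"
setlocal
set "TARGET=%~1"
if "%TARGET%"=="" goto :usage

rem Temp file name is an assumption; it keeps a record of what was listed.
set "LIST=%TEMP%\dsrm-preview-%RANDOM%.txt"

rem List the target and everything below it. -limit 0 lifts the default
rem result limit so large OUs are not silently truncated in the preview.
dsquery * "%TARGET%" -scope subtree -limit 0 > "%LIST%"
if errorlevel 1 goto :queryfailed

rem Count the returned DNs (one per line).
set "COUNT=0"
for /f %%C in ('find /c /v "" ^< "%LIST%"') do set "COUNT=%%C"
if "%COUNT%"=="0" goto :queryfailed

type "%LIST%"
echo.
echo %COUNT% object(s) listed above will be deleted. Copy saved in %LIST%

rem Require the exact count instead of a bare Y, so a wrong DN that
rem matches far more objects than expected is noticed before deletion.
set "ANSWER="
set /p "ANSWER=Type the object count to confirm, anything else aborts: "
if not "%ANSWER%"=="%COUNT%" goto :aborted

dsrm "%TARGET%" -subtree -noprompt
exit /b %errorlevel%

:usage
echo Usage: %~nx0 "Distinguished Name of the container"
exit /b 1

:queryfailed
echo Preview failed or returned no objects; nothing was deleted.
exit /b 1

:aborted
echo Confirmation did not match; nothing was deleted.
exit /b 1
```

The saved list also serves as a record of which DNs existed just before the deletion, which is useful if objects later need to be restored.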

That’s all!

Author: Krzysztof Pytko


3 responses to “Microsoft DS Tools – part 7”

  1. kros :) says :

    I see you’re not letting up on the blog 🙂 I can’t keep up with your enthusiasm when it comes to reading 😀

