Microsoft DS Tools – part 7
We already know how to get attribute information for an object in a domain, how to create or modify an object and, finally, how to move it. It’s time to learn a command which deletes objects from the domain.
You need to be careful when using it because it is very easy to delete many objects by mistake!
The command which deletes objects from the domain is DSRM. Like DSMOVE, this tool is contextless and uses the Distinguished Name to locate the object in an environment.
Before we start using DSRM, we will briefly discuss its parameters. It’s important to understand them because otherwise you can delete more objects than you intended and get into trouble.
To see what we can do with DSRM, let’s type in command-line
- -noprompt – deletes the object(s) without asking the administrator for confirmation. By default, when you do not specify it, you are asked if you really want to delete an object. It’s mostly used in batch mode.
- -subtree – required when you want to remove an object that contains other objects (e.g. an OU with users/groups/computers or an OU with child OUs)
- -subtree -exclude – deletes all child objects but keeps the top object from which the deletion process was initiated
OK, let’s start using it in practice. First of all, DSRM relies on the Distinguished Name, as stated earlier in this post. This is the simplest command to delete an object:
dsrm <Distinguished Name of an object>
When you execute the syntax above, you will be asked if you are sure you want to do it. When you confirm, DSRM deletes the object.
We have an empty OU within our Active Directory structure and we want to delete it
confirm that you want to delete this object
Now, let’s remove the user Ann Polack from the domain. She is not working in the company anymore. This time we will use DSQUERY together with DSRM. To be able to use a piped value, you need to add the -noprompt switch to remove her account. If you run the command without any switch at the end, it won’t work. DSRM thinks that it was executed improperly.
dsquery user -name "Ann Polack" | dsrm -noprompt
Let’s see what happens if we try to delete an OU that contains users and we do not use the -subtree switch
As you can see, the command failed because the OU object contains other objects. So, retry this command, but with the -subtree and -noprompt switches (we don’t want to confirm each object deletion). This command deletes the specified OU and all users within it.
dsrm "OU=it,OU=users,OU=wroc,DC=testenv,DC=local" -noprompt -subtree
Refresh the ADUC view and you will see that the OU and all users were deleted.
And the last example, for the -subtree -exclude switches. We want to delete all sub OUs of the “wroc” OU but we don’t want to delete the “wroc” OU itself
dsrm "OU=wroc,DC=testenv,DC=local" -noprompt -subtree -exclude
Refresh ADUC once again to see what happened.
All sub OUs were deleted, but the top one from which we ran the deletion process is still available.
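Because -noprompt combined with -subtree removes everything below the target without asking, it helps to list exactly what will go before running it. The PowerShell wrapper below is an added example, not part of the original post: it previews the subtree with dsquery, saves the list, and only then calls dsrm. The parameter names ($TargetDN, $ExcludeTop, $LogPath) and the log file name are assumptions made for this sketch.

```powershell
# Added example (not from the original post): preview a subtree deletion before running dsrm.
param(
    [Parameter(Mandatory = $true)][string]$TargetDN,  # e.g. "OU=it,OU=users,OU=wroc,DC=testenv,DC=local"
    [switch]$ExcludeTop,                               # keep the top object (dsrm -subtree -exclude)
    [string]$LogPath = ".\dsrm-preview.txt"            # hypothetical log file name
)

# Enumerate the target and everything below it.
# -limit 0 removes dsquery's default cap of 100 results, so the preview is complete.
$found = @(dsquery * $TargetDN -scope subtree -limit 0)
if ($LASTEXITCODE -ne 0) { throw "dsquery failed for '$TargetDN'; nothing was deleted." }

# dsquery prints each DN wrapped in double quotes; strip them for comparison and display.
$doomed = @($found | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
if ($ExcludeTop) {
    $doomed = @($doomed | Where-Object { $_ -ne $TargetDN })   # -ne compares case-insensitively
}

if ($doomed.Count -eq 0) { Write-Host "Nothing to delete under $TargetDN"; return }

# Keep a record of what is about to be removed, then show it.
$doomed | Set-Content -Path $LogPath
$doomed | ForEach-Object { Write-Host "  $_" }
Write-Host "$($doomed.Count) object(s) will be deleted. List saved to $LogPath"

# Require the operator to type the exact count; a stray Enter or 'y' is not enough.
$answer = Read-Host "Type the number of objects to confirm"
if ($answer -ne "$($doomed.Count)") { Write-Host "Aborted, nothing was deleted."; return }

# Same switches as in the examples above; -exclude is added only when requested.
$dsrmArgs = @($TargetDN, '-noprompt', '-subtree')
if ($ExcludeTop) { $dsrmArgs += '-exclude' }
& dsrm @dsrmArgs
if ($LASTEXITCODE -ne 0) { throw "dsrm reported an error; check which objects remain." }
```

The saved list doubles as a record of what existed before the deletion, which is useful if an object later has to be restored or recreated.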
Author: Krzysztof Pytko