Guy’s Scripting Ezine 29 – DS Commands


This Week’s Secret

This week I have a change from VBScript: we will investigate the DS family of commands.  Another difference is that in this edition, I am going to request your opinion about DSadd, DSmod and the rest of the commands.

Normally, I welcome new technology with open arms.  Yet occasionally, I wonder if a new feature lives up to all its hype.  The DS family is a case in point.  In the past I have had the same negative feeling when trawling through the resource kit: while some of the tools are nice, snappy or powerful, others make me scratch my head and think: ‘Will I ever really need this executable?’

What niggles is the feeling that I may be wrong to dismiss the DS commands.  I must be wary of the Luddite syndrome; if you remember, the Luddites smashed new technology just because they did not understand it.  So, please help me. Tell me what you think about the DS family. To help you decide on the value of DS commands, here are three examples.

Example 1 DSadd.  Create a new OU.

The scenario.  Let us create an OU (Organizational Unit) to house all our test Active Directory objects.  That way the new users or groups will not get mixed up with the existing accounts, and it's easy to clear up by deleting a whole OU full of dud experiments.

DS Syntax

Firstly, it’s worth taking time to understand the command structure used by all of the DS family:

Command object  "DN" (as in LDAP distinguished name), for example:
DSadd      OU       "ou=DSguy, dc=cp, dc=com"

Speech marks and spaces

You only really need speech marks if there is a space in any of your DN names.  Therefore:

ou=DSguy, dc=cp, dc=com    would work fine

ou=GUY Space DS, dc=cp, dc=com   fails because of the spaces in the name GUY Space DS.  In this second example you should type: "ou=GUY Space DS, dc=cp, dc=com"


You really need to be at your domain controller’s console.

Examine the script below.  Edit dc= to reflect YOUR domain.  Change ou= DSguy to yourname if you prefer.

Run, CMD, now copy your script and then paste it into the command window.  Alternatively type it starting with dsadd ou ………

dsadd ou "ou=DSguy, dc=cp, dc=com"

Note 1: dsadd ou.  This command tells Active Directory which object you want to create, in this case an OU (not a user).

Note 2: These DS commands are case insensitive so DSADD OU would work just as well.

So What?

In my heart, I would rather create the OU with Active Directory Users and Computers. OK, calm down Guy, perhaps adding users will be more rewarding?

Example 2 Creating a User – DSadd user….

dsadd user "cn=guyt, ou=DSguy, dc=cp, dc=com"

Note 1: DSadd requires the complete distinguished name. 

Note 2: Observe that the distinguished name is encased in double "speech marks".   I expect you spotted that this user will be created in the same DSguy organizational unit that was created in Example 1.  Change cn=guyt to a different user name if you wish.

So What?

Where is the FOR….NEXT loop?  Have I missed the command somewhere?  Or is the plain truth that there are no looping commands in the DS syntax?  To me, this is the crunch: without a bulk import mechanism I cannot see myself executing DSadd user or DSadd computer to any significant extent.

I am only impressed in a very minor way.  The best opportunity for DSadd User is if you have to create 1 or 2 new joiners at irregular intervals.  Give it another chance Guy, how about DSMod for passwords?

Example 3 Reset a Password

The situation is that you quickly need to change a user’s password.

Examine the script below.  Decide how cn= or ou= or dc= need editing.

Run, CMD then copy your script and paste into the command window.  Alternatively type it starting with dsmod user ………

dsmod user "cn=guyt, ou=DSguy, dc=cp, dc=com" -pwd a1yC24kg

Note 1: From a technical viewpoint the script is more interesting because it uses a switch, -pwd.  The DS family supports a rich set of switches which you can see with DSmod user /? 

Note 2: Help is context sensitive and although the text may look the same, you get subtly different menus as you type different commands, e.g. DSadd computer gives different help answers compared with DSmod user.

So What?

At the tactical level I am impressed with the DS family's help; also the error messages are meaningful and varied.  However at the strategic level, I am wondering whether I am ever going to remember these darn DN strings so that I could actually master this DS language at the command prompt.
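
An added example, not from the original ezine: the DS commands have no loop of their own, but cmd's FOR /F can wrap dsadd for the bulk case raised in Example 2, and dsmod's -pwd * prompts for the password so that, unlike Example 3, it never sits on the command line. The names dsbulk.cmd and newusers.txt are assumptions; the OU and domain are the ones used above.

```batch
@echo off
rem Added example, not from the original ezine.
rem Usage:  dsbulk.cmd create          (reads newusers.txt)
rem         dsbulk.cmd enable guyt     (prompts for guyt's new password)
rem Assumed names: dsbulk.cmd, newusers.txt (one logon name per line).
setlocal
set "OU=ou=DSguy, dc=cp, dc=com"
set "LIST=newusers.txt"

if /i "%~1"=="create" goto create
if /i "%~1"=="enable" if not "%~2"=="" goto enable
echo Usage: %~n0 create ^| enable ^<logon-name^>
exit /b 1

:create
if not exist "%LIST%" (
    echo %LIST% not found
    exit /b 1
)
rem cmd's own FOR /F supplies the loop; the DS commands have none.
rem tokens=1 keeps only the first word of each line as the logon name.
for /f "usebackq tokens=1" %%U in ("%LIST%") do (
    rem Create the account disabled, with no password on the command line.
    dsadd user "cn=%%U, %OU%" -samid %%U -disabled yes
    rem Assumes dsadd returns a non-zero exit code when it fails.
    if errorlevel 1 echo FAILED: %%U
)
exit /b 0

:enable
rem -pwd * makes dsmod prompt for the password, so it does not end up in
rem the command line or in a saved script. -mustchpwd yes forces a change
rem at first logon; -disabled no enables the account.
dsmod user "cn=%~2, %OU%" -pwd * -mustchpwd yes -disabled no
exit /b %errorlevel%
```

Accounts created by the create step stay disabled until the enable step is run for each one, so no account exists with a known or blank password in between.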


When learning, I feel that one valid response is to say yes I understand how that utility works, but no, I do not need it.  Well that is how I feel about DS commands.  I know how the DS syntax works, but I prefer alternative methods to manipulate Active Directory objects.