DS built-in tools for Windows Server 2003/8
The DS (Directory Service) group of commands is split into two families. In one branch are DSadd, DSmod, DSrm and DSmove, and in the other branch are DSQuery and DSGet.
When it comes to choosing a scripting tool for Active Directory objects, you really are spoilt for choice. The DS family of built-in command line executables offers alternative strategies to CSVDE, LDIFDE and VBScript.
Let me introduce you to the members of the DS family:
- DSadd – add Active Directory users and groups
- DSmod – modify Active Directory objects
- DSrm – to delete Active Directory objects
- DSmove – to relocate objects
- DSQuery – to find objects that match your query attributes
- DSget – list the properties of an object
These DS tools have their own command structure which you can split into five parts:
1) Tool  2) object  3) "DN" (as in LDAP distinguished name)  4) -switch  5) value
For example:
DSadd user "cn=billy, ou=managers, dc=cp, dc=com" -pwd cX49pQba
This will add a user called Billy to the Managers OU and set the password to cX49pQba.
Here are some of the common DS switches which work with DSadd and DSmod:
-pwd (password), -upn (userPrincipalName), -fn (FirstName), -samid (SAM account name).
The best way to learn about this DS family is to log on at a domain controller and experiment from the command line. I have prepared examples of the two most common programs. Try some sample commands for DSadd.
Two most useful Tools: DSQuery and DSGet
The DSQuery and DSGet remind me of UNIX commands in that they operate at the command line, use powerful verbs, and produce plenty of action. One pre-requisite for getting the most from this DS family is a working knowledge of LDAP.
If you need to query users or computers from a range of OUs and then return information (for example office, department or manager), then DSQuery and DSGet would be your tools of choice. Moreover, you can export the information into a text file.
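The query-then-report pattern described above, as an added example that is not from the original article: a batch file that pipes DSQuery into DSGet for several OUs and writes the result to a text file, including the disabled and password-never-expires flags that are useful in an account review. The domain and the managers OU come from the DSadd example earlier on this page; ou=sales and the report file name are assumptions.

```bat
@echo off
rem Added example: report selected user attributes from a range of OUs.
rem dc=cp,dc=com and ou=managers are taken from the article's DSadd example.
rem ou=sales and the report file name are assumptions for illustration.
setlocal
set "REPORT=%~dp0ds-user-report.txt"

> "%REPORT%" echo DS user report generated %DATE% %TIME%

rem Each OU is quoted so the commas inside the DN are not treated as
rem list separators by FOR.
for %%O in ("ou=managers,dc=cp,dc=com" "ou=sales,dc=cp,dc=com") do (
    >> "%REPORT%" echo.
    >> "%REPORT%" echo === %%~O ===

    rem dsquery returns at most 100 objects by default; -limit 0 removes the cap.
    rem dsquery prints one quoted DN per line and dsget reads those DNs from
    rem standard input, so no DN is typed on the dsget side of the pipe.
    dsquery user %%O -limit 0 | dsget user -samid -office -dept -mgr -disabled -pwdneverexpires >> "%REPORT%"

    rem Record a failure (for example an OU that does not exist) in the report
    rem instead of leaving a silently empty section.
    if errorlevel 1 >> "%REPORT%" echo Query failed for %%~O
)

echo Report written to %REPORT%
endlocal
```

Run it from a command prompt on a domain controller or a machine with the DS tools installed, under an account that can read the OUs listed.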
How have these DS tools been received?
These DS tools are new in Windows Server 2003/8. My own view is that if you regularly need to add or modify a FEW users, groups or computers, then the DS commands are an alternative to the Active Directory Users and Computers snap-in. As yet, I have not found a way of using DS commands to bulk import users. In this respect DS suffers from the same weakness as LDIFDE; there seems to be no mechanism to use a For … Next loop. Now if you know different, and you have a bulk import solution for DS, then please let me know.
On my travels, I have found mixed reactions to DS commands, while some say there are better ways of creating users, others tell me: ‘DSmod is great little utility for a quick change to a user’. If you like command line utilities then you will like the DS family. If you prefer menu driven programs then stick with Active Directory Users and Computers.