DSQUERY user (-o rdn|samid) //lists users in AD; dsquery returns an object, the first step for later cmds
dsquery user forestroot //search the whole forest
dsquery user -name t*
dsquery user -inactive 4 //users inactive for 4 weeks
dsquery user -stalepwd 30 //users that have not changed their password in 30 days
dsquery user -disabled
dsquery group -name * //lists all groups
dsquery * //finds any obj in the AD using a generic LDAP query
Both dsquery & dsadd accept -s server | -d domain to pick the DC or domain where they run, and -u username, -p password for the credentials to use (-p * prompts for the password instead of putting it on the command line)
DSGET {computer | contact | group | ou | server | user | subnet | site | quota | partition}
dsget computer "CN=server01,OU=Domain Controllers,DC=Microsoft,DC=Com"
//gets the groups that the DN belongs to, dsget returns properties of an object - useful for creating specific cmds
dsget computer CN=server01,CN=computers,DC=Microsoft,DC=Com -memberof -expand
//dsget uses the object from a dsquery to return more info
dsquery computer -name s | dsget computer -memberof -expand
dsquery user -name smith | dsget user -dn -desc
DSADD computer | contact | group | ou | quota | user /? //for help on adding a particular object
dsadd user UserDN -samid samname -upn upn -fn firstname -mi middleinitial -ln lastname -display displayname -empid employeeid -pwd password (or * to be prompted) -desc description -memberof groupdn -office office -tel phone -email email -hometel homephone -pager pager -mobile cellphone -fax fax -iptel ipphone -webpg webpage -title title(mr) -dept department -company company -mgr manager -hmdir homedir -hmdrv driveletter -profile profilepath -loscr scriptpath -mustchpwd yes|no -canchpwd yes|no -reversiblepwd yes|no -pwdneverexpires yes|no -acctexpires #ofdays -disabled yes|no
$username$ may replace the SAM account name in the value of -email, -hmdir, -profile and -webpg; for SAM account name Denise these two are equivalent:
-hmdir \users\Denise\home
-hmdir \users\$username$\home
dsadd ou OrganizationalUnitDN [-desc Description] [{-s Server | -d Domain}][-u UserName] [-p {Password | *}] [-q] [{-uc | -uco | -uci}]
dsadd group GroupDN [-secgrp {yes | no}] [-scope {l | g | u}] [-samid SAMName] [-desc Description] [-memberof Group ...] [-members Member ...] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-q] [{-uc | -uco | -uci}]
DSMOD user UserDN ... //dsmod uses the same properties as dsadd, but modifies an existing object. It also has -c mode, which reports errors but continues to modify objects; the default (without -c) stops at the first error
dsquery user "OU=Sales,OU=New York,dc=internal,dc=AcmeCorp,dc=com" -limit 300 | dsmod user -mustchpwd yes //force users in the OU (-limit 300 returns at most 300 of them) to change their passwords at next logon
dsquery user -name FiredUser* | dsmod user -disabled yes //example of piping & modifying
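An added example (not part of the original notes): a read-only PowerShell wrapper around the dsquery filters above that lists the accounts in one OU matching -inactive, -stalepwd and -disabled, so the list can be reviewed before anything is piped to dsmod. The OU DN, the parameter names and the output file are assumptions; dsquery must be on the PATH.

```powershell
# Added example, not from the original notes. Read-only: only dsquery is called.
# $BaseDn is a constructed placeholder; set it to an OU in your own domain.
param(
    [string]$BaseDn = 'OU=Sales,DC=example,DC=local',
    [int]$InactiveWeeks = 4,
    [int]$StalePwdDays = 30,
    [string]$OutFile = '.\account-review.csv'
)

# Each check maps a label to the dsquery filter switches shown in the notes.
$checks = [ordered]@{
    Inactive = @('-inactive', $InactiveWeeks)
    StalePwd = @('-stalepwd', $StalePwdDays)
    Disabled = @('-disabled')
}

$findings = @{}   # DN -> list of check labels that matched
foreach ($name in $checks.Keys) {
    $filter = $checks[$name]
    # -limit 0 returns all matches; the default cap is 100 results.
    $out = & dsquery user $BaseDn $filter -limit 0
    if ($LASTEXITCODE -ne 0) { throw "dsquery failed for check '$name'" }
    foreach ($line in $out) {
        $dn = $line.Trim().Trim('"')   # dsquery prints each DN in quotes
        if (-not $dn) { continue }
        if (-not $findings.ContainsKey($dn)) { $findings[$dn] = @() }
        $findings[$dn] += $name
    }
}

$report = foreach ($dn in $findings.Keys) {
    $hits = $findings[$dn]
    # Still-enabled accounts that are both inactive and on an old password
    # are flagged for review first.
    $first = ($hits -contains 'Inactive') -and ($hits -contains 'StalePwd') -and
             ($hits -notcontains 'Disabled')
    [pscustomobject]@{
        DistinguishedName = $dn
        Findings          = ($hits -join ';')
        ReviewFirst       = $first
    }
}

$report | Sort-Object ReviewFirst -Descending |
    Export-Csv -NoTypeInformation -Path $OutFile
```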
FULL EXAMPLE:
dsadd ou "ou=cmdline,dc=williamscollege,dc=local"
dsquery ou -name *
dsadd group "cn=marketing,ou=cmdline,dc=williamscollege,dc=local" -secgrp no -scope g //create a global distribution group "marketing" in OU "cmdline"
dsquery group -name marke*