AD from CLI

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Ok guys,

i do a decent amount of work on AD from my PC (things like password resets, adding users to groups, etc) and want to know how to do these things from the CLI if possible. What im looking at doing from CLI are:

checking current groups of a named user
adding a user to a new group
searching for a group (like you can in the GUI AD)
password resets
searching for a user
unlocking an account

we also have multiple DC's, so i would like to be able to connect to the DC directly before running these commands.

Thanks
Fergal

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

checking current groups of a named user
- dsget user "CN=Ryan Coates,CN=Users,DC=godlike,DC=Com" -memberof
adding a user to a new group
- dsmod group "CN=Domain Admins,CN=Users,DC=godlike,DC=Com" -addmbr "CN=Ryan Coates,CN=Users,DC=godlike,DC=Com"
searching for a group (like you can in the GUI AD)
- dsquery group -name Domain*
password resets
- dsmod user "CN=Ryan Coates,CN=Users,DC=godlike,DC=Com" -pwd l0s3r -mustchpwd yes
searching for a user
- dsquery user -name Ryan*
unlocking an account
- dsmod user "CN=Ryan Coates,CN=Users,DC=godlike,DC=Com" -disabled no

A better way to do all that is pipe it all through the dsquery command so you dont have to use the full DN for most of those
like say changing a passowrd

- dsquery user -name Ryan*
if that returns only one result press UP to get your history back and add to it
- dsquery user -name Ryan* | dsmod user -pwd l0s3r -mustchpwd yes

Check out these links for more detailed use of these tools
DSMod
DSQuery
DSGet

 

cool, thanks - do they need to be run via telnet?

 

sorry forgot to add that part

this assumes you have the Admin pack installed onto your local machine

otherwise you will indeed have to be attached to a machine that does either via telnet, ssh, or just opening up a cmd prompt via a remote desktop process

by far the easiest way is to install the adminpak on your machine

you can also parse these tools into scripts i believe

 

that will be whats stopping me then. no admin pack

 

dammit. ive got adminpack installed, but they dont seem to be working. dsquery just comes back stating that it is an unrecognised command. (sigh)

Fergal

 

Just a thought, but sometimes it makes a difference what directory I'm in whether or not some commands will run. I don't know why that should be but it does work that way sometimes. If I cd to c:\ from something like c:\Documents and Settings\username the commands will run. It's always puzzled me as to why it does that because once something is installed in the system path it should just run from wherever I am in the directory structure.

 

Nope. same error. That is a bit strange though - ive also tried it from the system32 folder (where the dll is kept)

 

Have you checked the system path to see if by some odd chance system32 isn't in the path? If it isn't you might try adding it just to see what happens.

 

but even if it wasnt - shouldnt it run when im sitting in the directory?

 

It should, but I've found that with Windows all things are possible....

 

I did a little research into this and one thing I found that I discounted as very unlikely was that the 2003 admin pack won't run on an XP box that doesn't have at least SP1 installed. It's a very remote possibility, so remote I didn't bring it up at first, but are you running a pre-sp1 version of XP?

 

im currently sitting on win2k

 

There's your problem. The admin pack for server 2003 doesn't run on Win 2K. It only runs on XP and 2003.

 

what a piece of pish! did they never consider that the server might be 2k3, but the users might be on 2k? muppets!

 

You bet they did. It's just another one of Microsoft's "sticks", as opposed to "carrots", in their marketing strategy. They're going to force you to upgrade your desktop just to administer your servers. They do a lot of stuff like this.

 

it just so happens i will being refreshed soon (i hope). but still!

 

err, also could be i made a mistake, it MIGHT be part or the win2k3 support tools which you install from the 2k3 CD, sorry :/ I have both installed and just assumed it was the adminpak

if it HAD installed with the adminpak and just wasnt working due to an OS error, it would spit back an error, not a 'not found'

 

i think it is part of the admin pack - the tech guys here seem to think thats the case.

Dont know.