AD from CLI

Discussion in 'Active Directory Exams' started by Fergal1982, Aug 12, 2005.

  1. ffreeloader

    ffreeloader Terabyte Poster

    I'm unsure on this one too. I've installed some 2003 tools to see if they would work on my Win2K box and all I remember getting was "command not found", not a system error message about the tools not working. It seems it has something to do with some .dll's that have been changed in 2003 and post-SP1 in XP.

    The KB also just says they won't run pre-XP SP1. It doesn't say they won't install, so I'm inclined to think the "not found" error is the one that will show up.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  2. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    Interesting, Freddy :)
    Guess I'm just used to getting different errors when things are working as opposed to not there. Good old MS, simplifying their error reporting process again :)
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  3. wigwam

    wigwam New Member

    Remote desktop onto the server and run it from there?
     
  4. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    In a production environment, always try to avoid working directly on the server. Your servers, especially your domain controllers, are the backbone of your Windows AD network. Keep in mind that you can control almost everything (AD, DHCP, DNS, WINS, GPOs, etc. etc.) from your workstation, so there's no immediate need to connect to the servers. Only connect to servers when you need to do server maintenance or in case of server issues.
     
  5. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    Aye,
    and learning to do everything only via RDP is a rather narrow view of things.
    The power is within the command line, with the ability to pipe commands through each other and form complex scripts that could generate an entire incoming school year group, for instance.

    The GUI is fine, but it's not the most powerful or intuitive way of doing things in a Microsoft network.

    And as D said, connecting to your production servers is not always an option.
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  6. Fergal1982

    Fergal1982 Petabyte Poster

    Don't worry. Us lowly service desk lackeys don't get permission to remote onto the server (good thing really, considering).
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  7. Fergal1982

    Fergal1982 Petabyte Poster

    OK, been refreshed. Got my XP running the admin tools, and can run this stuff from the command line. One question: can I specify which DC I want the system to check (so if I do a password reset it works off the local server to them)?


    Thanks
    Fergal
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  8. ffreeloader

    ffreeloader Terabyte Poster

    As I recall most AD tools let you connect to specific DCs. To see what the syntax is, the tools will show you the help by just typing "toolname /?". I don't remember if the admin pack installs additional help files or not, but when the Support Tools and Resource Kit packages are installed they install help files specifically for those tools, and they give very detailed help files for the tools that are in each package.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  9. Fergal1982

    Fergal1982 Petabyte Poster

    Found it, there's a switch in the command, -d, which allows you to specify the DC.

    Gah, this is annoying though: last night whilst playing around, I discovered a command that would allow you to check if an account was locked out, but I can't find it any more. I was sure it was a dsget switch, but I've scoured the dsget help list and can't find it any more.

    Fergal
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  10. ffreeloader

    ffreeloader Terabyte Poster

    You're probably thinking of "net user username".
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  11. Fergal1982

    Fergal1982 Petabyte Poster

    Nope, that would only display possible users on this particular PC. In one of the ds commands somewhere there was an option to display if the account was locked out or not. Similar to the -disabled switch, but I'm pretty sure it wasn't that I was looking at.

    Also, the switch for connecting to a specific DC is actually -s servername
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  12. ffreeloader

    ffreeloader Terabyte Poster

    Some of the other tools I have found to be very useful in troubleshooting, and fixing problems are: netdom, nltest, netdiag, dcdiag, gpotool, gpresult, net time, global, local, runas, net config, acldiag, secedit, dfscmd, dfsutil, dnscmd, net session, net statistics, netstat, ntdsutil, and a few more. I haven't even begun to have a comprehensive knowledge of all the command line tools available, but the ones I have used I find to be very useful. They allow you to do many tasks that are impossible to do from the gui.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  13. ffreeloader

    ffreeloader Terabyte Poster

    LOL. Sorry, I only had one Windows machine up at the time and I ran "net user username" on my DC. When run using that syntax on a DC, "net user" will list out the user details for any user in the domain. If you run it as just "net user" it will list out all users in the domain.

    When "net user username" is run from a workstation you must add the /domain switch and either use "runas" to run the command with the permissions of a domain admin, be logged in as a domain admin, or use the appropriate syntax to add the user name and password that can query a DC. Note that /domain must be typed as it is written. Do not use the domain name. It will query the current domain.

    Exact syntax is "net user /domain username".
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  14. Fergal1982

    Fergal1982 Petabyte Poster

    Aha, that's interesting to note. However it doesn't state if the account is locked out or not. What I'm looking to do in this instance is to query up to 25 specific DCs in order to identify which server an account is locked out on (since the lockout time is 15 mins, by the time it goes to replicate to another server it's unlocked itself), so that I can access that server specifically and unlock it.

    Fergal
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
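The per-DC lockout check discussed in this thread (the -s server switch, querying a specific DC rather than relying on replication, finding which DC an account is locked out on), written out as an added example that is not from the thread or from any poster. It assumes the ActiveDirectory PowerShell module from RSAT, which postdates the 2005 thread; the user name 'jdoe' and the optional DC list are constructed placeholders. The idea is that badPwdCount and badPasswordTime are not replicated between DCs, so each DC has to be asked directly, while bad password attempts are also forwarded to the PDC emulator, which therefore usually carries the highest count.

```powershell
# Added example (not the thread's own commands). Requires the RSAT
# ActiveDirectory module; run from a workstation as an account that can read
# user objects on every DC.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Optional explicit list of DCs (the "25 specific DCs" case);
        # defaults to every DC in the current domain.
        [string[]] $DomainController
    )

    if (-not $DomainController) {
        $DomainController = (Get-ADDomainController -Filter *).HostName
    }

    foreach ($dc in $DomainController) {
        try {
            # -Server is the PowerShell equivalent of the -s switch on the
            # ds* tools: the query goes to that DC only, no replication wait.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc `
                    -Properties LockedOut, lockoutTime, badPwdCount, badPasswordTime `
                    -ErrorAction Stop
        } catch {
            # Unreachable DC or insufficient rights: report and keep going.
            Write-Warning "$dc : $($_.Exception.Message)"
            continue
        }

        [pscustomobject]@{
            DC              = $dc
            LockedOut       = $u.LockedOut
            # lockoutTime and badPasswordTime are stored as Windows FILETIME
            # integers; 0 / null means "never".
            LockoutTime     = if ($u.lockoutTime)     { [DateTime]::FromFileTime($u.lockoutTime) }     else { $null }
            BadPwdCount     = $u.badPwdCount
            LastBadPassword = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
        }
    }
}

# Usage: the DC with the highest BadPwdCount / most recent LastBadPassword is
# where the failed logons are arriving, i.e. where the lockout originates.
Get-LockoutSource -SamAccountName 'jdoe' |
    Sort-Object BadPwdCount -Descending |
    Format-Table -AutoSize
```

Once the originating DC is known, unlocking against that DC directly (Unlock-ADAccount -Identity jdoe -Server <that DC>) avoids the replication delay the thread complains about. The LastBadPassword column is also the first thing to look at before unlocking: a steady stream of bad passwords from one DC usually points at a stale credential on a service, mapped drive or mobile device in that site rather than at the user.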
