Share via


New command line tools for W2K3 Active Directory

These aren't really that new, but they were newly added when Windows Server 2003 was released.  Windows had some AD command line tools like ldifde and csvde, but the new tools can be very handy.  In fact, there are actually tons of new command line tools in Windows 2003 worth taking a look at.

Article on the AD tools:  https://support.microsoft.com/default.aspx?scid=kb;en-us;298882

You can use dsquery.exe in order to query for objects in the AD.  It will return objects from anywhere in the hierarchy.  Example:
c:\> dsquery user -name bab*      (... returns)
”CN=babadul,CN=Accounting,DC=company,DC=com”
”CN=babceder,CN=Accounting,DC=company,DC=com”
”CN=babderts,CN=IT,DC=company,DC=com”
”CN=babterk,CN=Admins,CN=IT,DC=company,DC=com”

If you are working with a large result set, you may need to use the -limit parameter to allow you to return more than 100 objects.  The dsget tool allows you to get properties of a particular object.

The other tools such as dsmove, dsmod, dsadd, dsrm allow you to make modifications to the AD objects.

You can also combine commands to perform two functions at once; this is really handy.  Example:
c:\> dsquery user -name Abel* | dsget user -display       (... returns)
display
Abel, Jim
Abelson, Robert

I find it annoying that the dsget function doesn't use the official AD property names.  Instead of “displayName” it uses “display.”  To get the proper wording, run a command like:  
c:\> dsget user /?

These tools don't eliminate the need for things like ldifde and csvde, but they help with scripting common functions with Active Directory.  You can also use ADSI scripting and such, but often IT operations people are more comfortable with tools.  I know people like to criticize Windows compared to linux for GUI tools, but Windows has more and more functions available in command line these days.

Have fun!