SolutionBase: Getting started with Windows Server 2003's directory service command-line tools
Takeaway: Administering Active Directory can be a challenge for a network administrator. The GUI tools are easy to use, but they can be limited in power. Here's how you can do more with Active Directory by using command-line tools.
If you've been working with Active Directory for any length of time, chances are good that at some point you've wished there were a way to quickly and easily automate certain operations. Of course, you could tap into Active Directory Services Interface (ADSI) via Windows Script Host and VBScript and create or download scripts to automate those operations. However, if programming really isn't your strong point, you could end up spending more time figuring out the ADSI scripting environment than actually accomplishing your goals.
Fortunately, with Windows Server 2003, Microsoft has brought the task of automating Active Directory operations within the grasp of every system administrator by including a complete suite of directory service command-line tools. Now you won't have to delve into the advanced intricacies of ADSI when you can use something that's as easy to create and use as a batch file.
Author's note
In this article, I'll introduce you to Windows Server 2003's directory service command-line tools and then get you started on the ground floor. In future articles, I'll take an in-depth look at each tool and show you how to use them to your advantage when you need to automate certain operations.
Why use the command line?
If you're using Windows Server 2003, you already know that its Active Directory GUI tools offer several new and improved features over those in Windows 2000 Server. For example, you now have drag-and-drop capabilities, multiple-object selection, and the ability to save and reuse queries. So why would you even want to use the directory service command-line tools?
To answer this question, let's begin by looking at a list of the available tools in the directory service command-line suite, as shown in Table A. As you look at the list, keep in mind that there are really only six main tools in the suite, but in this particular arrangement, I've expanded the list to show the first four main commands, along with the target object on which the command is designed to operate. The last two commands are designed to work on any target object.
Table A: Windows Server 2003's directory service command-line tools
We'll examine each tool later in this series, but the point of showing you the complete list now is to highlight the magnitude of the tools in the suite and to help you get a feel for the types of operations you can perform with them. Each tool is accompanied by a complete set of general and command-specific parameters that allow you to further define the type of operation you want to conduct.
Now, on first glance, you'll immediately see that there are command-line tools for just about every operation you can execute from within the Active Directory GUI tools. However, once you begin to delve deeper, you'll discover that, in some cases, it's easier to carry out certain types of operations from the command line than from the GUI. Dig even further, and you'll discover that there are some tasks you can accomplish with the command-line tools that just aren't possible with the GUI tools. Furthermore, once you have a better understanding of how these tools work, you'll discover that you can indeed automate many common operations quite easily.
You won't want to completely abandon the GUI tools in favor of the command-line tools. Rather, you'll use the command-line tools to complement the GUI tools.
The ground floor
To take advantage of directory service command-line tools, you must have a good grasp of the underlying structure of Active Directory. More specifically, you need to understand that every object in Active Directory can be referenced by several names, and that the command-line tools rely on one of those names -- the distinguished name -- to locate and work with objects. The other two names are the relative distinguished name and the canonical name.
When you create an object in Active Directory, the process creates the relative distinguished name and the canonical name. The distinguished name is then based on the relative distinguished name and the names of that object's parent containers, including the domains. The distinguished name identifies the object as well as its location in a tree.
To specify this location, the distinguished name uses the Lightweight Directory Access Protocol (LDAP) attribute tags listed in Table B. For example, the distinguished name for my user account, which exists in the Writers organizational unit in the gcs.com domain, would be
CN=Greg Shultz,OU=Writers,DC=gcs,DC=com
Table B: The LDAP attribute tags used in distinguished names
As you can see, the LDAP attribute tags are used to identify each component in the distinguished name; they are separated by commas, and the order in which the components appear goes from the lowest level in the tree to the highest level. The distinguished name tells you exactly where to find the object in the Active Directory data store.
There are a few rules you need to observe when working with the distinguished name on the command line:
- You should get into the habit of enclosing the distinguished name in quotes. (This is really necessary only if any of the names include spaces; however, making it a habit will save you time and frustration if you forget.)
- Do not put spaces between the commas and the object names.
- While using uppercase letters for the LDAP attribute tags isn't necessary, it does help delineate the components and make for easier reading.
- The default Active Directory containers, such as Computers or Users, behave much like organizational units, but they are container objects and are referenced with the common-name tag (CN=) rather than OU=.
Using Dsquery to reveal distinguished names
Now that you understand how to use the distinguished name to identify the location of the object you want to work with, you can use the directory service command-line tools to automate your most common Active Directory management operations. You needn't worry about having to figure out all the distinguished names on your own -- you can ask the Dsquery command for assistance.
While I'll get into more detail on the more powerful features of the Dsquery command in a future article, it's a good place to start becoming more familiar with the distinguished names in your Active Directory structure. For example, to see the distinguished names for the user accounts in Active Directory, open the command prompt and type
Dsquery user
To see the distinguished names for the organizational units in Active Directory, type the command
Dsquery ou
You can try other basic Dsquery commands using the list of target objects shown in Table A. However, as you do, keep in mind that by default the Dsquery command will display only 100 items. You can expand the number of items displayed by adding the -limit ### parameter and specifying an upper limit.
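The following Python script is an added example, not code from the original article, and it serves both the distinguished-name rules above and the Dsquery output just described. It parses the quoted distinguished names that Dsquery prints one per line, enforces the no-space-after-comma rule, derives each object's relative distinguished name and canonical name (the three names described under "The ground floor"), counts accounts per container, and flags a result set that may have been cut off by Dsquery's default limit of 100 items (Dsquery accepts -limit 0 to return every match). The sample Dsquery output is constructed, not captured from a real domain, and all function names are my own.

```python
"""Work with distinguished names in the form the Dsquery tools print them.

Added example for the article; the sample output below is constructed.
"""
import re
from typing import Dict, List, Tuple

# A backslash escapes the next character inside a value (RFC 4514), so a
# comma written as "\," must not be treated as a component separator.
_COMPONENT_RE = re.compile(r'(?P<tag>[A-Za-z]+)=(?P<value>(?:\\.|[^,\\])*)')

# Dsquery stops after this many results unless -limit is given (0 = no limit).
DSQUERY_DEFAULT_LIMIT = 100

# Constructed sample of what "dsquery user" prints: one quoted DN per line.
SAMPLE_DSQUERY_USER_OUTPUT = '''"CN=Greg Shultz,OU=Writers,DC=gcs,DC=com"
"CN=Editor One,OU=Writers,DC=gcs,DC=com"
"CN=Shultz\\, Greg (svc),OU=Service Accounts,DC=gcs,DC=com"
"CN=Administrator,CN=Users,DC=gcs,DC=com"
'''


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (TAG, value) pairs, lowest level of the tree first.

    Surrounding quotes (as printed by Dsquery) are stripped, tags are
    normalised to uppercase, and a space after a comma is rejected because
    it is not part of the object's name.
    """
    dn = dn.strip()
    if len(dn) >= 2 and dn[0] == '"' and dn[-1] == '"':
        dn = dn[1:-1]
    components: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(dn):
        m = _COMPONENT_RE.match(dn, pos)
        if not m:
            raise ValueError(f"malformed component at offset {pos}: {dn[pos:]!r}")
        components.append((m.group("tag").upper(), m.group("value")))
        pos = m.end()
        if pos < len(dn):
            if dn[pos] != ",":
                raise ValueError(f"expected ',' at offset {pos} in {dn!r}")
            pos += 1
            if pos < len(dn) and dn[pos] == " ":
                raise ValueError("space after comma is not allowed in a DN")
    return components


def is_valid_dn(dn: str) -> bool:
    """True when the DN parses under the rules above."""
    try:
        return bool(parse_dn(dn))
    except ValueError:
        return False


def relative_dn(dn: str) -> str:
    """The relative distinguished name is the first (lowest) component."""
    tag, value = parse_dn(dn)[0]
    return f"{tag}={value}"


def canonical_name(dn: str) -> str:
    """Canonical form: domain.name/Container/.../Object, highest level first."""
    comps = parse_dn(dn)
    unescape = lambda v: re.sub(r"\\(.)", r"\1", v)
    domain = ".".join(unescape(v) for t, v in comps if t == "DC")
    path = [unescape(v) for t, v in reversed(comps) if t != "DC"]
    return "/".join([domain] + path)


def parse_dsquery_output(text: str, limit: int = DSQUERY_DEFAULT_LIMIT) -> Tuple[List[str], bool]:
    """Return (list of DNs, truncated?) for captured Dsquery output.

    When the count reaches the limit in force, the result may be incomplete,
    which is easy to miss when auditing a large domain.
    """
    dns = [line.strip() for line in text.splitlines() if line.strip()]
    truncated = limit != 0 and len(dns) >= limit
    return dns, truncated


def objects_by_container(text: str) -> Dict[str, int]:
    """Count objects per parent container (everything above the RDN)."""
    counts: Dict[str, int] = {}
    for dn in parse_dsquery_output(text)[0]:
        comps = parse_dn(dn)
        container = ",".join(f"{t}={v}" for t, v in comps[1:])
        counts[container] = counts.get(container, 0) + 1
    return counts


if __name__ == "__main__":
    dns, truncated = parse_dsquery_output(SAMPLE_DSQUERY_USER_OUTPUT)
    for dn in dns:
        print(f"{dn:55} RDN={relative_dn(dn)!r:30} canonical={canonical_name(dn)}")
    print("objects per container:", objects_by_container(SAMPLE_DSQUERY_USER_OUTPUT))
    if truncated:
        print("warning: result count hit the Dsquery limit; rerun with -limit 0")
```

Note that the Administrator account in the sample sits under CN=Users rather than OU=Users, which is the default-container rule from the list above in practice; the parser treats that container like any other component.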
A closer look
You should now have a pretty good handle on how Windows Server 2003's directory service command-line tools use the distinguished name. In the next article, I'll continue examining the tools with a more detailed look at the Dsquery command.