Module 6 Main Command-Line and Scripting

Uploaded by jericho

System Administration and Maintenance
Module 6: Command-Line and Scripting

• To understand introductory information about the command shell and command-line tools
• To know the listing of new and deprecated command-line tools
6.1 Command-Line Reference
• Applies to: Windows Server 2003, Windows Vista, Windows XP, Windows Server 2008, Windows 7, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2000, Windows Server 2012, Windows 8
• Provides the documentation resources and other technical information that you need to learn about the command shell, and to automate command-line tasks by using scripts or scripting tools.
The information that is contained in this overview applies to:
• Windows Server 2012
• Windows Server 2008 R2
• Windows Server 2008
• Windows Server 2003 R2
• Windows Server 2003
• Windows 8
• Windows 7
• Windows Vista
• Windows XP
New and deprecated functionality

Feature/functionality   New or deprecated?   Description
Cluster                 Deprecated           Create a new cluster or configure an existing cluster.
Dfscmd                  Deprecated           Configure DFS folders and folder targets in a DFS namespace.
Dirquota                Deprecated           Creates and manages File Server Resource Manager quotas.
Filescrn                Deprecated           Create and manage file groups, file screens, file screen exceptions, and file screen templates that are used to configure general administrative options for screening files.
Fondue                  New                  Enable optional features in Windows by downloading required files from Windows Update or a source that Group Policy specifies.
PowerShell_Ise          New                  Read, write, run, debug, and test Windows PowerShell scripts and modules in a friendly, graphic-assisted environment.
Servermanagercmd        Deprecated           Install or remove roles, role services, and features.
Shadow                  Deprecated           Monitor an RD Session Host session.
Storrept                Deprecated           Create and manage storage reports and storage report tasks, and configure general administrative options for File Server Resource Manager.
Command shell
- A software program that provides direct communication between the user and the operating system.
- The non-graphical command shell user interface provides the environment in which you run character-based applications and utilities.
- Executes programs and displays their output on the screen by using individual characters, similar to the MS-DOS command interpreter, Command.com.

Cmd.exe
- Loads applications, directs the flow of information between applications, and translates user input into a form that the operating system understands.
- Use the command shell to create and edit scripts to automate routine tasks.
- Scripts accept all commands that are available at the command line.
Dsadd
- Adds specific types of objects to the directory.
- A command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use dsadd, you must run the dsadd command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

Command          Description
Dsadd computer   Adds a single computer to the directory.
Dsadd contact    Adds a single contact to the directory.
Dsadd group      Adds a single group to the directory.
Dsadd ou         Adds a single organizational unit to the directory.
Dsadd user       Adds a single user to the directory.
Dsadd quota      Adds a quota specification to a directory partition.
Dsadd computer
• Adds a single computer to the directory.

Syntax
dsadd computer <ComputerDN> [-samid <SAMName>] [-desc <Description>] [-loc <Location>] [-memberof <GroupDN ...>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

• If you do not supply a target object at the command prompt, dsadd obtains the target object from standard input (stdin). Dsadd can accept stdin from the keyboard, from a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).
• If a value that you supply contains spaces, use quotation marks around the text, for example, "CN=DC 2,OU=Domain Controllers,DC=Contoso,DC=Com".
• If you supply multiple values for a parameter, use spaces to separate the values, for example, a list of distinguished names.

Example:
dsadd computer cn=client01,cn=computers,dc=northwindtraders,dc=com
Dsadd contact
• Adds a single contact to the directory.

Syntax
dsadd contact <ContactDN> [-fn <FirstName>] [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>] [-desc <Description>] [-office <Office>] [-tel <PhoneNumber>] [-email <Email>] [-hometel <HomePhoneNumber>] [-pager <PagerNumber>] [-mobile <CellPhoneNumber>] [-fax <FaxNumber>] [-iptel <IPPhoneNumber>] [-title <Title>] [-dept <Department>] [-company <Company>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

• If you do not supply a target object at the command prompt, dsadd obtains the target object from standard input (stdin). Dsadd can accept stdin from the keyboard, from a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).
• If the value that you supply contains spaces, use quotation marks around the text, for example, "CN=Mike Danseglio,CN=Users,DC=Contoso,DC=Com".
• This command only supports a subset of commonly used object class attributes.

Example:
dsadd contact cn=MikeDan,cn=users,dc=northwindtraders,dc=com
Dsadd group
• Adds a single group to the directory.

Syntax
dsadd group <GroupDN> [-secgrp {yes | no}] [-scope {l | g | u}] [-samid <SAMName>] [-desc <Description>] [-memberof <Group> ...] [-members <Member> ...] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

• If you do not supply a target object at the command prompt, dsadd obtains the target object from standard input (stdin). Dsadd can accept stdin from the keyboard, from a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).
• If a value that you supply contains spaces, use quotation marks around the text, for example, "CN=Mike Danseglio,CN=Users,DC=Contoso,DC=Com".
• If you supply multiple values for a parameter, use spaces to separate the values, for example, a list of distinguished names.
• This command only supports a subset of commonly used object class attributes.

To create a group account named Sales in the default Users container of northwindtraders.com, type:
dsadd group cn=sales,cn=users,dc=northwindtraders,dc=com

To create a universal group named accounting in an organizational unit (OU) named Departments in a domain named northwindtraders.com, type:
dsadd group cn=accounting,ou=departments,dc=northwindtraders,dc=com -scope u
Dsadd ou
• Adds a single organizational unit (OU) to the directory.

Syntax
dsadd ou <OrganizationalUnitDN> [-desc <Description>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

• If you do not supply a target object at the command prompt, dsadd obtains the target object from standard input (stdin). Dsadd can accept stdin from the keyboard, from a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).
• If a value that you supply contains spaces, use quotation marks around the text, for example, "OU=Domain Controllers,DC=Contoso,DC=Com".
• This command only supports a subset of commonly used object class attributes.

To create an organizational unit (OU) named Test in the northwindtraders.com domain, type:
dsadd ou ou=test,dc=northwindtraders,dc=com
Dsadd user
• Adds a single user to the directory.

Syntax
dsadd user <UserDN> [-samid <SAMName>] [-upn <UPN>] [-fn <FirstName>] [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>] [-empid <EmployeeID>] [-pwd {<Password> | *}] [-desc <Description>] [-memberof <Group> ...] [-office <Office>] [-tel <PhoneNumber>] [-email <Email>] [-hometel <HomePhoneNumber>] [-pager <PagerNumber>] [-mobile <CellPhoneNumber>] [-fax <FaxNumber>] [-iptel <IPPhoneNumber>] [-webpg <WebPage>] [-title <Title>] [-dept <Department>] [-company <Company>] [-mgr <Manager>] [-hmdir <HomeDirectory>] [-hmdrv <DriveLetter>:] [-profile <ProfilePath>] [-loscr <ScriptPath>] [-mustchpwd {yes | no}] [-canchpwd {yes | no}] [-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}] [-acctexpires <NumberOfDays>] [-disabled {yes | no}] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

• If you do not supply a target object at the command prompt, dsadd obtains the target object from standard input (stdin). Dsadd can accept stdin from the keyboard, from a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).
• If a value that you supply contains spaces, use quotation marks around the text, for example, "CN=Mike Danseglio,CN=Users,DC=Contoso,DC=Com".
• If you supply multiple values for a parameter, use spaces to separate the values, for example, a list of distinguished names.
• Using strong passwords on all user accounts helps minimize security risks.

To create an enabled user account named MikeDan in the default Users container of northwindtraders.com, type:
dsadd user cn=MikeDan,cn=users,dc=northwindtraders,dc=com -disabled no

To create an enabled user account named John Smith with a password of C^h3Bdo9# that must be changed at first logon, in an organizational unit (OU) named SouthEmployees in a domain named northwindtraders.com, type:
dsadd user "cn=John Smith,ou=SouthEmployees,dc=northwindtraders,dc=com" -disabled no -pwd C^h3Bdo9# -mustchpwd yes

To create the same account, set it to never expire, and make it a member of the Janitors group in the same OU, type:
dsadd user "cn=John Smith,ou=SouthEmployees,dc=northwindtraders,dc=com" -disabled no -pwd C^h3Bdo9# -mustchpwd yes -memberof cn=janitors,ou=SouthEmployees,dc=northwindtraders,dc=com -acctexpires never
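The dsadd notes above state three rules that are easy to get wrong when many accounts are created from a list: a DN containing spaces must be quoted, several values for one parameter are separated by spaces, and -pwd accepts * so the password is prompted for rather than typed on the command line. The following Python script is an added example, not part of the module or of dsadd itself; it builds dsadd user command lines from a constructed user list under those rules, and prepares the stdin text for the case where the target DN is read from standard input. The user names and group DN are constructed sample data. Nothing is executed; the commands are returned as strings.

```python
"""Generate dsadd user command lines from a constructed user list.

Added example for this module; it is not part of the module or of the dsadd
tool. It applies the rules stated above: a distinguished name that contains
spaces is wrapped in quotation marks, multiple values for one parameter
(-memberof) are separated by spaces, and -pwd * is used so that dsadd prompts
for the password instead of taking it from the command line, where it would
be visible in the console history and in process listings. The commands are
only built as strings here; nothing is executed.
"""
from typing import Iterable, List, Optional


def quote_dn(dn: str) -> str:
    """Wrap a DN in quotation marks when it contains spaces (dsadd rule)."""
    if '"' in dn:
        raise ValueError("a quotation mark inside a DN argument cannot be passed to dsadd")
    return f'"{dn}"' if " " in dn else dn


def dsadd_user(user_dn: str, *, disabled: bool = False,
               prompt_for_password: bool = False,
               must_change_password: bool = False,
               member_of: Iterable[str] = (),
               account_expires: Optional[str] = None) -> str:
    """Return one 'dsadd user' command line for the given account."""
    parts: List[str] = ["dsadd", "user", quote_dn(user_dn)]
    parts += ["-disabled", "yes" if disabled else "no"]
    if prompt_for_password:
        parts += ["-pwd", "*"]           # dsadd prompts; the password never hits the command line
    if must_change_password:
        parts += ["-mustchpwd", "yes"]
    groups = [quote_dn(g) for g in member_of]
    if groups:
        parts += ["-memberof", *groups]  # multiple values are space-separated
    if account_expires is not None:
        parts += ["-acctexpires", account_expires]
    return " ".join(parts)


def stdin_batch(user_dns: Iterable[str]) -> str:
    """Text to redirect into dsadd when the target DN is not given on the command line.

    dsadd reads the target from standard input in that case; each line below is
    one target (end the input with CTRL+Z when typing it at the keyboard).
    """
    return "\n".join(quote_dn(dn) for dn in user_dns) + "\n"


# Constructed sample data (not from the module).
SAMPLE_USERS = [
    {"dn": "cn=John Smith,ou=SouthEmployees,dc=northwindtraders,dc=com",
     "groups": ["cn=janitors,ou=SouthEmployees,dc=northwindtraders,dc=com"]},
    {"dn": "cn=Ana Reyes,ou=SouthEmployees,dc=northwindtraders,dc=com",
     "groups": []},
]


def build_commands(users=SAMPLE_USERS) -> List[str]:
    """One command per user: enabled, password prompted, change forced at first logon."""
    return [
        dsadd_user(u["dn"], prompt_for_password=True, must_change_password=True,
                   member_of=u["groups"], account_expires="never")
        for u in users
    ]


if __name__ == "__main__":
    for command in build_commands():
        print(command)
    print(stdin_batch(u["dn"] for u in SAMPLE_USERS), end="")
```

The generated lines can be pasted into an elevated command prompt one at a time; because -pwd * is used, dsadd asks for each password interactively, so no password is left in the console history or in a batch file.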
Dsmod
- Modifies an existing object of a specific type in the directory.

Command          Description
Dsmod computer   Modifies attributes of one or more existing computers in the directory.
Dsmod contact    Modifies attributes of one or more existing contacts in the directory.
Dsmod group      Modifies attributes of one or more existing groups in the directory.
Dsmod ou         Modifies attributes of one or more existing organizational units (OUs) in the directory.
Dsmod server     Modifies properties of a domain controller.
Dsmod user       Modifies attributes of one or more existing users in the directory.
Dsmod quota      Modifies attributes of one or more existing quota specifications in the directory.
Dsmod partition  Modifies attributes of one or more existing partitions in the directory.
To disable multiple computer accounts, type:
dsmod computer CN=MemberServer1,CN=Computers,DC=Microsoft,DC=Com CN=MemberServer2,CN=Computers,DC=Microsoft,DC=Com -disabled yes

To reset multiple computer accounts, type:
dsmod computer CN=MemberServer1,CN=Computers,DC=Microsoft,DC=Com CN=MemberServer2,CN=Computers,DC=Microsoft,DC=Com -reset

To set the company information of multiple contacts, type:
dsmod contact "CN=Mike Danseglio,OU=Contacts,DC=Contoso,DC=Com" "CN=Denise Smith,OU=Contacts,DC=Contoso,DC=Com" -company Contoso

To add the user Mike Danseglio to all administrator distribution list groups, type:
dsquery group "OU=Distribution Lists,DC=contoso,DC=com" -name adm* | dsmod group -addmbr "CN=Mike Danseglio,CN=Users,DC=contoso,DC=com"

To add all members of the US Info group to the Canada Info group, type:
dsget group "CN=US INFO,OU=Distribution Lists,DC=contoso,DC=com" -members | dsmod group "CN=CANADA INFO,OU=Distribution Lists,DC=contoso,DC=com" -addmbr

To convert the group type of several groups from security to nonsecurity, type:
dsmod group "CN=US Info,OU=Distribution Lists,DC=Contoso,DC=Com" "CN=Canada Info,OU=Distribution Lists,DC=Contoso,DC=Com" "CN=Mexico Info,OU=Distribution Lists,DC=Contoso,DC=Com" -secgrp no

To add two new members to the group "CN=US Info,OU=Distribution Lists,DC=Contoso,DC=Com", type:
dsmod group "CN=US Info,OU=Distribution Lists,DC=Contoso,DC=Com" -addmbr "CN=Mike Danseglio,CN=Users,DC=Contoso,DC=Com" "CN=Legal,OU=Distribution Lists,DC=Contoso,DC=Com" "CN=Denise Smith,CN=Users,DC=Contoso,DC=Com"

To add all users from the Marketing organizational unit (OU) to the existing group Marketing Staff, type:
dsquery user OU=Marketing,DC=Contoso,DC=Com | dsmod group "CN=Marketing Staff,OU=Marketing,DC=Contoso,DC=Com" -addmbr

To remove users in the Marketing organizational unit (OU) from the existing group Marketing Staff, type:
dsquery user OU=Marketing,DC=Contoso,DC=Com | dsmod group "CN=Marketing Staff,OU=Marketing,DC=Contoso,DC=Com" -rmmbr

To delete two members from the existing group "CN=US Info,OU=Distribution Lists,DC=Contoso,DC=Com", type:
dsmod group "CN=US Info,OU=Distribution Lists,DC=Contoso,DC=Com" -rmmbr "CN=Mike Danseglio,CN=Users,DC=Contoso,DC=Com" "CN=Legal,OU=Distribution Lists,DC=Contoso,DC=Com"

To change the description of several OUs at the same time, type:
dsmod ou "OU=Domain Controllers,DC=Contoso,DC=Com" "OU=Resources,DC=Contoso,DC=Com" "OU=Troubleshooting,DC=Contoso,DC=Com" -desc "This is a test OU"

To enable the domain controllers CORPDC1 and CORPDC9 to become global catalog servers, type:
dsmod server "CN=CORPDC1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=Microsoft,DC=Com" "CN=CORPDC9,CN=Servers,CN=Site2,CN=Sites,CN=Configuration,DC=Microsoft,DC=Com" -isgc yes

To reset the password for Don Funk and force him to change his password when he next logs on to the network, type:
dsmod user "CN=Don Funk,CN=Users,DC=Contoso,DC=Com" -pwd A1b2C3d4 -mustchpwd yes

To reset multiple user passwords to a common password and force users to change their passwords when they next log on to the network, type:
dsmod user "CN=Don Funk,CN=Users,DC=Contoso,DC=Com" "CN=Denise Smith,CN=Users,DC=Contoso,DC=Com" -pwd A1b2C3d4 -mustchpwd yes

To disable multiple user accounts at the same time, type:
dsmod user "CN=Don Funk,CN=Users,DC=Contoso,DC=Com" "CN=Denise Smith,CN=Users,DC=Contoso,DC=Com" -disabled yes

To modify the profile path of multiple users to a common path using the $username$ token, type:
dsmod user "CN=Don Funk,CN=Users,DC=Contoso,DC=Com" "CN=Denise Smith,CN=Users,DC=Contoso,DC=Com" -profile \users\$username$\profile
6.2 Scripting

• To understand the use of LDIFDE, CSVDE, and WSCRIPT
Ldifde
• Creates, modifies, and deletes directory objects.
• You can also use ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory Domain Services (AD DS) with data from other directory services.

Syntax
Ldifde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1> <String2>] [-v] [-j <Path>] [-t <PortNumber>] [-d <BaseDN>] [-r <LDAPFilter>] [-p <Scope>] [-l <LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a <UserDistinguishedName> <Password>] [-b <UserName> <Domain> <Password>] [-?]
When you create the import file to use with the ldifde command, use a changeType value to define the type of changes that the import file will contain. The following table shows the changeType values that you can use.

Value    Description
add      Specifies that new content is contained in the import file.
modify   Specifies that existing content has been modified in the import file.
delete   Specifies that content has been deleted in the import file.
The following example shows an LDAP Data Interchange Format (LDIF)
import file format that uses the add value.

DN: CN=SampleUser,DC=DomainName
changetype: add
CN: SampleUser
description: DescriptionOfFile
objectClass: User
sAMAccountName: SampleUser
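The record above is the shape every ldifde import file entry takes: a dn line, a changetype line with one of the three values from the table, then the attributes. The following Python script is an added example, not the module's own code and not part of ldifde; it builds such a record from a dict, parses an LDIF file back into records (handling comments, continuation lines and base64 values marked with "::"), and checks that every record has a dn and an accepted changeType before the file is handed to ldifde -i. The sample file contents are constructed from the record above plus a delete record.

```python
"""Build and check ldifde import records.

Added example for this module; not the module's own code and not part of
ldifde. ldif_record() produces a record in the layout shown above (dn,
changetype, then attributes), parse_ldif() reads an import file back into
records, and check_records() confirms that every record has a dn and one of
the changeType values from the table: add, modify or delete. Sample records
are constructed for the example.
"""
import base64
from typing import Dict, List

VALID_CHANGETYPES = {"add", "modify", "delete"}


def ldif_record(dn: str, changetype: str, attributes: Dict[str, str]) -> str:
    """Return one LDIF record; rejects changeType values ldifde does not accept."""
    if changetype not in VALID_CHANGETYPES:
        raise ValueError(f"unsupported changeType: {changetype!r}")
    lines = [f"dn: {dn}", f"changetype: {changetype}"]
    lines += [f"{name}: {value}" for name, value in attributes.items()]
    return "\n".join(lines) + "\n"


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Parse LDIF text into a list of {attribute: value} dicts (keys lower-cased).

    Handles blank-line record separators, '#' comments, continuation lines
    (leading space) and base64 values written with '::'.
    """
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line.strip():                  # blank line ends a record
            if current:
                records.append(current)
                current, last_key = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" "):              # continuation of the previous value
            if last_key is None:
                raise ValueError("continuation line without a preceding attribute")
            current[last_key] += line[1:]
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):             # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        last_key = name.strip().lower()
        current[last_key] = value
    if current:
        records.append(current)
    return records


def check_records(records: List[Dict[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the file is ready for ldifde -i."""
    problems: List[str] = []
    for n, rec in enumerate(records, start=1):
        if "dn" not in rec:
            problems.append(f"record {n}: missing dn")
        ctype = rec.get("changetype")
        if ctype is None:
            problems.append(f"record {n}: missing changetype (ldifde needs add, modify or delete)")
        elif ctype.lower() not in VALID_CHANGETYPES:
            problems.append(f"record {n}: unsupported changetype {ctype!r}")
    return problems


# Constructed sample import file: the record shown above plus a delete record.
SAMPLE_LDIF = (
    "DN: CN=SampleUser,DC=DomainName\n"
    "changetype: add\n"
    "CN: SampleUser\n"
    "description: DescriptionOfFile\n"
    "objectClass: User\n"
    "sAMAccountName: SampleUser\n"
    "\n"
    "dn: CN=OldContact,CN=Users,DC=DomainName\n"
    "changetype: delete\n"
)

if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    print(f"{len(recs)} records, problems: {check_records(recs)}")
    print(ldif_record("CN=NewUser,CN=Users,DC=DomainName", "add",
                      {"objectClass": "user", "sAMAccountName": "NewUser"}), end="")
```

Attribute names are lower-cased while parsing because LDAP attribute names are not case-sensitive, so "DN:" in the sample above and "dn:" in a hand-written file are treated the same way.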
To retrieve only the distinguished name, common name, first name, surname, and telephone number for user objects in the fabrikam.com domain to a file named ldifde.txt in the c:\ldifde folder, run the following command:

Ldifde -d dc=fabrikam,dc=com -r (objectClass=User) -l distinguishedname,cn,givenname,sn,telephone -f ldifde.txt

To selectively omit the object creation date and time and the object globally unique identifier (GUID), run the following command:

Ldifde -d dc=fabrikam,dc=com -r (objectClass=User) -o whenCreated,objectGUID -f ldifde.txt
Csvde
• Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format. You can also support batch operations based on the CSV file format standard.

Syntax
Csvde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1> <String2>] [-v] [-j <Path>] [-t <PortNumber>] [-d <BaseDN>] [-r <LDAPFilter>] [-p <Scope>] [-l <LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a <UserDistinguishedName> {<Password> | *}] [-b <UserName> <Domain> {<Password> | *}]

• You cannot import user passwords by using csvde because passwords must be sent over an encrypted channel. Csvde does not support Secure Sockets Layer (SSL) or encrypted LDAP communication. The previous references to passwords relate to the credentials of the user who is running csvde. They are not related to setting passwords for users.
• Applications such as Microsoft Excel spreadsheet software are capable of reading and saving data in the CSV format. You can also create CSV files using Notepad; separate the values that you add to your file with commas. In addition, the Microsoft Exchange Server administration tools are capable of importing and exporting data using the CSV format, as are many other applications from software developers other than Microsoft.
The CSV format consists of one or more lines of data with each value separated by a comma and no spaces between the comma and the next entry. The first line (sometimes referred to as the header) of the CSV file must contain the names of each attribute in the same order as the data in any line following the first line. For example:

objectClass,dn,givenName,sn,samAccountName,Description
user,distinguishedName,1stUserFirstName,1stUserSurname,FirstUserLogonName,Manager
user,distinguishedName,2ndUserFirstName,2ndUserSurname,SecondUserLogonName,President
You can use csvde -r to create an LDAP search filter for data export. For
example, the following filter exports all users with a particular surname:

csvde -r (&(objectClass=User)(sn=Surname))
The following sample file contents are for a domain named Cpandl.com that has organizational units
(OUs) named SW Dev, Acct, and AP. The AP OU is subordinate to the Acct OU. The first line of the file
defines the Active Directory object properties for user accounts to be created by the entries in the rest
of the file. The remaining lines are used to create the user accounts. The first user account is created in
the default Users container, and the rest of the user accounts are created in the SW Dev, Acct, and AP
OUs, respectively:

objectClass,dn,sAMAccountName,userPrincipalName,userAccountControl
user,"CN=KMyer,CN=Users,DC=cpandl,DC=com",KenM,[email protected],514
user,"CN=WYu,OU=SW Dev,DC=cpandl,DC=com",WeiY,[email protected],514
user,"CN=JMorris,OU=Acct,DC=cpandl,DC=com",JonM,[email protected],514
user,"CN=YXu,OU=AP,OU=Acct,DC=cpandl,DC=com",YeX,[email protected],514
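Two details of the sample file above matter when such files are produced by a script: a DN that contains commas (every DN does) has to be quoted so the commas are not read as field separators, and the accounts are created with userAccountControl 514 because csvde cannot import passwords, as noted earlier. The following Python script is an added example, not the module's own code and not part of csvde; it writes an import file in the header-plus-rows layout described above with Python's csv module and checks a file for the common mistakes (wrong column count, spaces next to commas, password columns, enabled accounts) before it is given to csvde -i -f. The users in it are constructed sample data, and the userAccountControl bit values are the standard Active Directory flags (0x200 normal account, 0x2 account disabled; 0x200 | 0x2 = 514).

```python
"""Write and check a csvde import file.

Added example for this module; not the module's own code and not part of
csvde. It uses Python's csv module to produce the layout described above
(attribute names on the first line, values in the same order on each
following line, no spaces around commas) while quoting distinguished names
that themselves contain commas, and it checks a file before it is passed
to "csvde -i -f". The userAccountControl bit values are the standard AD
flags: 0x200 is a normal account and 0x2 marks it disabled, which is why
the sample rows above use 514. Sample users are constructed.
"""
import csv
import io
from typing import List

ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
HEADER = ["objectClass", "dn", "sAMAccountName", "userPrincipalName", "userAccountControl"]

# Constructed sample users for an OU layout like the one described above.
SAMPLE_USERS = [
    {"dn": "CN=AFoster,CN=Users,DC=cpandl,DC=com", "sam": "AFoster", "upn": "AFoster@cpandl.com"},
    {"dn": "CN=BLee,OU=SW Dev,DC=cpandl,DC=com", "sam": "BLee", "upn": "BLee@cpandl.com"},
    {"dn": "CN=CNair,OU=AP,OU=Acct,DC=cpandl,DC=com", "sam": "CNair", "upn": "CNair@cpandl.com"},
]


def write_import_file(users=SAMPLE_USERS) -> str:
    """Return CSV text for csvde -i; accounts are created disabled (0x200 | 0x2 = 514)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")   # quotes any field that contains a comma
    writer.writerow(HEADER)
    for u in users:
        writer.writerow(["user", u["dn"], u["sam"], u["upn"], NORMAL_ACCOUNT | ACCOUNTDISABLE])
    return buf.getvalue()


def check_import_file(text: str) -> List[str]:
    """Return problems found in a csvde import file; an empty list means it passes."""
    rows = list(csv.reader(io.StringIO(text)))
    problems: List[str] = []
    if not rows:
        return ["file is empty"]
    header = rows[0]
    lower = [h.lower() for h in header]
    for required in ("objectclass", "dn"):
        if required not in lower:
            problems.append(f"header is missing {required}")
    if "unicodepwd" in lower or "userpassword" in lower:
        problems.append("password columns cannot be imported by csvde (no encrypted channel)")
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            problems.append(f"line {n}: {len(row)} values for {len(header)} header names")
            continue
        rec = dict(zip(lower, row))
        for name, value in rec.items():
            if value != value.strip():
                problems.append(f"line {n}: {name} has whitespace next to a comma")
        uac = rec.get("useraccountcontrol")
        if uac is not None and uac.isdigit() and not int(uac) & ACCOUNTDISABLE:
            problems.append(f"line {n}: account is enabled but csvde cannot set its password")
    return problems


if __name__ == "__main__":
    text = write_import_file()
    print(text, end="")
    print("problems:", check_import_file(text))
```

The enabled-account check reflects the note above that csvde cannot import passwords: an account created with 512 would come into existence with no usable password set by the import, so the safer pattern is to import it disabled (514), set the password with a tool that uses an encrypted channel, and enable it afterwards (for example with dsmod user -disabled no, shown earlier).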
The -d switch indicates the root (top) of a particular query. For example, if
you want to export all the objects in the Marketing top-level OU of the
Contoso.com domain to a file named marketingobjects.csv, you can use the
following command:

csvde -d "ou=marketing,dc=contoso,dc=com" -f marketingobjects.csv

The -r switch is a filter for exporting information from the directory. This
switch filters the output that an export request produces. For example, if you
want to export only the user account object attributes from a domain to a
file named usersonly.csv, you can use the following command:
csvde -r objectClass=user -f usersonly.csv
The following example exports Active Directory data to a file named search.txt, sets the search scope to subtree, and lists the sAMAccountName, CN, and distinguished name attributes for each object that is found in the search:
csvde -f search.txt -p subtree -l sAMAccountName,CN,distinguishedName

The following example imports the data from the current domain (the
domain that you are logged on to) from a file named input.csv:
csvde -i -f input.csv

The following example exports the data from the current domain (the
domain that you are logged on to) to a file named output.csv:
csvde -f output.csv
Wscript
Windows Script Host provides an environment in which users can execute scripts in a variety of languages, languages that use a variety of object models to perform tasks.

Syntax
wscript [<scriptname>] [/b] [/d] [/e:<engine>] [{/h:cscript|/h:wscript}] [/i] [/job:<identifier>] [{/logo|/nologo}] [/s] [/t:<number>] [/x] [/?] [<ScriptArguments>]

• Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
• To open a command prompt, on the Start screen, type cmd, and then click Command Prompt.
• Each parameter is optional; however, you cannot specify script arguments without specifying a script. If you do not specify a script or any script arguments, wscript.exe displays the Windows Script Host Settings dialog box, which you can use to set global scripting properties for all scripts that wscript.exe runs on the local computer.
• The /t parameter prevents excessive running of scripts by setting a timer. When the time exceeds the specified value, wscript interrupts the script engine and ends the process.
• Windows script files usually have one of the following file name extensions: .wsf, .vbs, .js.
• If you double-click a script file with an extension that has no association, the Open With dialog box appears. Select wscript or cscript, and then select Always use this program to open this file type. This registers wscript.exe or cscript as the default script host for files of this file type.
• You can set properties for individual scripts. See Windows Script Host overview for more information.
• Windows Script Host can use .wsf script files. Each .wsf file can use multiple scripting engines and perform multiple jobs.