Module 6 Main Command-Line and Scripting
Module 6: Command-Line and Scripting
• To understand introductory information about the command shell and command-line tools
• To know the listing of new and deprecated command-line tools
6.1 Command-Line Reference
Syntax
dsadd contact <ContactDN> [-fn <FirstName>] [-mi <Initial>] [-ln
<LastName>] [-display <DisplayName>] [-desc <Description>] [-office
<Office>] [-tel <PhoneNumber>] [-email <Email>] [-hometel
<HomePhoneNumber>] [-pager <PagerNumber>] [-mobile
<CellPhoneNumber>] [-fax <FaxNumber>] [-iptel <IPPhoneNumber>] [-title
<Title>] [-dept <Department>] [-company <Company>] [{-s <Server> | -d
<Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]
• If you do not supply a target object at the command prompt, dsadd obtains the target object from standard input (stdin). Dsadd can accept stdin from the keyboard, from a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).
• If the value that you supply contains spaces, use quotation marks around the text, for example, "CN=Mike Danseglio,CN=Users,DC=Contoso,DC=Com".
• This command only supports a subset of commonly used object class attributes.
To create a contact named MikeDan in the default Users container of northwindtraders.com, type:
dsadd contact cn=MikeDan,cn=users,dc=northwindtraders,dc=com
dsadd group: Adds a single group to the directory
Syntax
dsadd group <GroupDN> [-secgrp {yes | no}] [-scope {l | g | u}] [-samid <SAMName>] [-desc <Description>]
[-memberof <Group> ...] [-members <Member> ...] [{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]
• If you do not supply a target object at the command prompt, dsadd obtains the target object from standard input (stdin). Dsadd can accept stdin from the keyboard, from a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).
• If a value that you supply contains spaces, use quotation marks around the text, for example, "CN=Mike Danseglio,CN=Users,DC=Contoso,DC=Com".
• If you supply multiple values for a parameter, use spaces to separate the values, for example, a list of distinguished names.
• This command only supports a subset of commonly used object class attributes.
To create a group account named Sales in the default Users container of
northwindtraders.com, type:
dsadd group cn=sales,cn=users,dc=northwindtraders,dc=com
Syntax
dsadd ou <OrganizationalUnitDN> [-desc <Description>] [{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]
• If you do not supply a target object at the command prompt, dsadd obtains the target object from standard input (stdin). Dsadd can accept stdin from the keyboard, from a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).
• If a value that you supply contains spaces, use quotation marks around the text, for example, "OU=Domain Controllers,DC=Contoso,DC=Com".
• This command only supports a subset of commonly used object class attributes.
To create an organizational unit (OU) named Test in the northwindtraders.com domain, type:
dsadd ou ou=test,dc=northwindtraders,dc=com
dsadd user: Adds a single user to the directory
Syntax
dsadd user <UserDN> [-samid <SAMName>] [-upn <UPN>] [-fn <FirstName>] [-mi <Initial>] [-ln <LastName>]
[-display <DisplayName>] [-empid <EmployeeID>] [-pwd {<Password> | *}] [-desc <Description>]
[-memberof <Group> ...] [-office <Office>] [-tel <PhoneNumber>] [-email <Email>] [-hometel <HomePhoneNumber>]
[-pager <PagerNumber>] [-mobile <CellPhoneNumber>] [-fax <FaxNumber>] [-iptel <IPPhoneNumber>] [-webpg <WebPage>]
[-title <Title>] [-dept <Department>] [-company <Company>] [-mgr <Manager>] [-hmdir <HomeDirectory>]
[-hmdrv <DriveLetter>:] [-profile <ProfilePath>] [-loscr <ScriptPath>] [-mustchpwd {yes | no}]
[-canchpwd {yes | no}] [-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}] [-acctexpires <NumberOfDays>]
[-disabled {yes | no}] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]
• If you do not supply a target object at the command prompt, dsadd obtains the target object from standard input (stdin). Dsadd can accept stdin from the keyboard, from a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).
• If a value that you supply contains spaces, use quotation marks around the text, for example, "CN=Mike Danseglio,CN=Users,DC=Contoso,DC=Com".
• If you supply multiple values for a parameter, use spaces to separate the values, for example, a list of distinguished names.
• Using strong passwords on all user accounts helps minimize security risks.
To create an enabled user account named MikeDan in the default Users container of northwindtraders.com, type:
To create an enabled user account named John Smith with a password of C^h3Bdo9# that must be changed at first logon, in an organizational unit (OU) named SouthEmployees in a domain named northwindtraders.com, type:
To create the same account, set it to never expire, and make it a member of the Janitors group in the same OU, type:
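The three scenarios above written out as dsadd user commands, built from the documented syntax. This is an added example, not the module's own text; it assumes that the domain northwindtraders.com, the OU SouthEmployees and the group Janitors exist and that the caller is allowed to create users there. The value never for -acctexpires is taken from the dsadd documentation rather than from this page.

```batch
@echo off
rem Added example, not the module's own text: the three dsadd user scenarios
rem above, built from the documented syntax. Assumes the domain
rem northwindtraders.com, the OU SouthEmployees and the group Janitors exist
rem and that the caller may create users there.

rem 1. MikeDan in the default Users container. -pwd * prompts for the
rem    password so it never appears on the command line, and -disabled no
rem    makes the account enabled without relying on the default.
dsadd user cn=MikeDan,cn=users,dc=northwindtraders,dc=com -pwd * -disabled no

rem 2. John Smith with the password C^h3Bdo9#, to be changed at first logon.
rem    The password contains a caret, which is the escape character of cmd,
rem    so it is quoted; unquoted, cmd would pass Ch3Bdo9# instead.
dsadd user "CN=John Smith,OU=SouthEmployees,DC=northwindtraders,DC=com" ^
  -pwd "C^h3Bdo9#" -mustchpwd yes

rem 3. The same account, set never to expire and added to Janitors
rem    (never is the documented -acctexpires value for an account that does
rem    not expire; it is not shown in the syntax on this page).
dsadd user "CN=John Smith,OU=SouthEmployees,DC=northwindtraders,DC=com" ^
  -pwd "C^h3Bdo9#" -mustchpwd yes -acctexpires never ^
  -memberof "CN=Janitors,OU=SouthEmployees,DC=northwindtraders,DC=com"
```

The quoting in the second command is the point to take away: a caret outside quotes is consumed by cmd before dsadd ever sees it, so an unquoted password that contains one is silently changed.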
Dsmod contact Modifies attributes of one or more existing contacts in the directory.
Dsmod group Modifies attributes of one or more existing groups in the directory.
Dsmod ou Modifies attributes of one or more existing organizational units (OUs) in the directory.
Dsmod quota Modifies attributes of one or more existing quota specifications in the directory.
Dsmod partition Modifies attributes of one or more existing partitions in the directory.
To disable multiple computer accounts, type:
To add all members of the US Info group to the Canada Info group, type:
dsget group "CN=US INFO,OU=Distribution Lists,DC=contoso,DC=com" -members | dsmod group "CN=CANADA INFO,OU=Distribution Lists,DC=contoso,DC=com" -addmbr
To convert the group type of several groups from security to nonsecurity, type:
dsmod group "CN=US Info,OU=Distribution Lists,DC=Contoso,DC=Com"
"CN=Canada Info,OU=Distribution Lists,DC=Contoso,DC=Com"
"CN=Mexico Info,OU=Distribution Lists,DC=Contoso,DC=Com" -secgrp no
To add two new members to the group "CN=US Info,OU=Distribution Lists,DC=Contoso,DC=Com", type:
dsmod group "CN=US Info,OU=Distribution Lists,DC=Contoso,DC=Com" -addmbr
"CN=Mike Danseglio,CN=Users,DC=Contoso,DC=Com" "CN=Legal,OU=Distribution Lists,DC=Contoso,DC=Com"
"CN=Denise Smith,CN=Users,DC=Contoso,DC=Com"
To add all users from the Marketing organizational unit (OU) to the existing group Marketing Staff, type:
dsquery user OU=Marketing,DC=Contoso,DC=Com | dsmod group
"CN=Marketing Staff,OU=Marketing,DC=Contoso,DC=Com" -addmbr
To remove users in the Marketing organizational unit (OU) from the existing group Marketing Staff, type:
dsquery user OU=Marketing,DC=Contoso,DC=Com | dsmod group
"CN=Marketing Staff,OU=Marketing,DC=Contoso,DC=Com" -rmmbr
To delete two members from the existing group "CN=US Info,OU=Distribution Lists,DC=Contoso,DC=Com", type:
dsmod group "CN=US Info,OU=Distribution Lists,DC=Contoso,DC=Com" -rmmbr
"CN=Mike Danseglio,CN=Users,DC=Contoso,DC=Com" "CN=Legal,OU=Distribution Lists,DC=Contoso,DC=Com"
To change the description of several OUs at the same time, type:
dsmod ou "OU=Domain Controllers,DC=Contoso,DC=Com" "OU=Resources,DC=Contoso,DC=Com"
"OU=Troubleshooting,DC=Contoso,DC=Com" -desc "This is a test OU"
To enable the domain controllers CORPDC1 and CORPDC9 to become global catalog servers, type:
dsmod server "CN=CORPDC1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=Microsoft,DC=Com"
"CN=CORPDC9,CN=Servers,CN=Site2,CN=Sites,CN=Configuration,DC=Microsoft,DC=Com" -isgc yes
To reset the password for Don Funk and force him to change his password when he next logs on to the network, type:
dsmod user "CN=Don Funk,CN=Users,DC=Contoso,DC=Com" -pwd A1b2C3d4 -mustchpwd yes
To reset multiple user passwords to a common password and force users to change their passwords when they next log on to the network, type:
dsmod user "CN=Don Funk,CN=Users,DC=Contoso,DC=Com" "CN=Denise Smith,CN=Users,DC=Contoso,DC=Com" -pwd A1b2C3d4 -mustchpwd yes
To disable multiple user accounts at the same time, type:
dsmod user "CN=Don Funk,CN=Users,DC=Contoso,DC=Com" "CN=Denise Smith,CN=Users,DC=Contoso,DC=Com" -disabled yes
To modify the profile path of multiple users to a common path using the $username$ token, type:
dsmod user "CN=Don Funk,CN=Users,DC=Contoso,DC=Com" "CN=Denise Smith,CN=Users,DC=Contoso,DC=Com" -profile \users\$username$\profile
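Bulk changes with dsmod where the distinguished names come from dsquery on standard input, as the page's own dsquery | dsmod examples do, plus the command the "disable multiple computer accounts" scenario refers to. This is an added example, not the module's own text; the domain contoso.com, its Marketing OU and the eight-week threshold are assumptions. A password typed on the command line, as in the reset examples above, stays in the console history and is visible in the process command line, so the last command uses the * form from the syntax to be prompted for it instead.

```batch
@echo off
rem Added example, not the module's own text: bulk changes with dsmod, where
rem the distinguished names come from dsquery on standard input instead of
rem being typed out. Assumes the domain contoso.com and its Marketing OU.

rem Computer accounts that have not logged on for 8 weeks. dsquery returns
rem at most 100 objects unless -limit 0 asks for all of them. List first,
rem review the output, and only then run the pipeline that disables them.
dsquery computer domainroot -inactive 8 -limit 0
dsquery computer domainroot -inactive 8 -limit 0 | dsmod computer -disabled yes

rem Force every user in the Marketing OU to change the password at next
rem logon. No password is set, so nothing secret is on the command line.
dsquery user "OU=Marketing,DC=contoso,DC=com" -limit 0 | dsmod user -mustchpwd yes

rem When a password must be reset, * makes dsmod prompt for it. The DNs are
rem given explicitly here because the prompt reads from the keyboard, which
rem a pipe on standard input would get in the way of.
dsmod user "CN=Don Funk,CN=Users,DC=contoso,DC=com" -pwd * -mustchpwd yes
```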
6.2 Scripting
Syntax
Ldifde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1>
<String2>] [-v] [-j <Path>] [-t <PortNumber>] [-d <BaseDN>] [-r
<LDAPFilter>] [-p <Scope>] [-l <LDAPAttributeList>] [-o
<LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a <UserDistinguishedName>
<Password>] [-b <UserName> <Domain> <Password>] [-?]
When you create the import file to use with the ldifde command, use a changeType value to define the type of changes that the import file will contain. The following table shows the changeType values that you can use.
Value     Description
add       Specifies that new content is contained in the import file.
modify    Specifies that existing content has been modified in the import file.
delete    Specifies that content has been deleted in the import file.
The following example shows an LDAP Data Interchange Format (LDIF)
import file format that uses the add value.
DN: CN=SampleUser,DC=DomainName
changetype: add
CN: SampleUser
description: DescriptionOfFile
objectClass: User
sAMAccountName: SampleUser
To retrieve only the distinguished name, common name, first name, surname,
and telephone number for user objects in the fabrikam.com domain to a file
named ldifde.txt in the c:\ldifde folder, run the following command:
To selectively omit the object creation date and time and the object globally
unique identifier (GUID), run the following command:
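The two exports described above, and an import of a changetype: add file, written out from the ldifde syntax. This is an added example, not the module's own text; the domain controller name dc1, the folder c:\ldifde and the file names are assumptions, and the attribute names used with -l and -o (givenName, sn, telephoneNumber, whenCreated, objectGUID) are standard Active Directory attributes rather than values taken from this page.

```batch
@echo off
rem Added example, not the module's own text: ldifde exports for the two
rem scenarios above and an import of an LDIF add file. Assumes the domain
rem fabrikam.com, a domain controller named dc1 and the folder c:\ldifde.

rem Only the distinguished name, common name, first name, surname and
rem telephone number of user objects. The dn line is always written; -l
rem lists the other attributes. The LDAP filter is quoted because the
rem ampersand and the parentheses are special characters to cmd.
ldifde -f c:\ldifde\ldifde.txt -s dc1 -d "dc=fabrikam,dc=com" -p subtree ^
  -r "(&(objectCategory=person)(objectClass=user))" ^
  -l "cn,givenName,sn,telephoneNumber"

rem The same export with the creation time and the object GUID left out
rem through -o, so the file can be re-imported elsewhere without them.
ldifde -f c:\ldifde\users.txt -s dc1 -d "dc=fabrikam,dc=com" -p subtree ^
  -r "(&(objectCategory=person)(objectClass=user))" ^
  -o "whenCreated,objectGUID"

rem Import a file of changetype: add entries. -k carries on past entries
rem that already exist instead of stopping at the first error.
ldifde -i -f c:\ldifde\newusers.ldf -s dc1 -k
```

Omitting objectGUID and whenCreated with -o matters for a re-import: both are set by the directory when an object is created, and an import file that carries them is rejected.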
Syntax
csvde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1> <String2>] [-v] [-j <Path>] [-t <PortNumber>]
[-d <BaseDN>] [-r <LDAPFilter>] [-p <Scope>] [-l <LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m]
[-n] [-k] [-a <UserDistinguishedName> {<Password> | *}] [-b <UserName> <Domain> {<Password> | *}]
• You cannot import user passwords by using csvde because passwords must be sent over an encrypted channel. Csvde does not support Secure Sockets Layer (SSL) or encrypted LDAP communication. The previous references to passwords relate to the credentials of the user who is running csvde; they are not related to setting passwords for users.
• Applications such as Microsoft Excel spreadsheet software are capable of reading and saving data in the CSV format. You can also create CSV files using Notepad; separate the values that you add to your file with commas. In addition, the Microsoft Exchange Server administration tools are capable of importing and exporting data using the CSV format, as are many other tools from software developers other than Microsoft.
The CSV format consists of one or more lines of data with each value separated by a comma and no spaces between the comma and the next entry. The first line (sometimes referred to as the header) of the CSV file must contain the names of each attribute in the same order as the data in any line following the first line. For example:
objectClass,dn,givenName,sn,samAccountName,Description
user,distinguishedName,1stUserFirstName,1stUserSurname,FirstUserLogonName,Manager
user,distinguishedName,2ndUserFirstName,2ndUserSurname,SecondUserLogonName,President
You can use csvde -r to create an LDAP search filter for data export. For example, the following filter exports all users with a particular surname (the filter is quoted because the ampersand and the parentheses are special characters to the command shell):
csvde -r "(&(objectClass=User)(sn=Surname))"
The following sample file contents are for a domain named Cpandl.com that has organizational units
(OUs) named SW Dev, Acct, and AP. The AP OU is subordinate to the Acct OU. The first line of the file
defines the Active Directory object properties for user accounts to be created by the entries in the rest
of the file. The remaining lines are used to create the user accounts. The first user account is created in
the default Users container, and the rest of the user accounts are created in the SW Dev, Acct, and AP
OUs, respectively:
objectClass,dn,sAMAccountName,userPrincipalName,userAccountControl
user,"CN=KMyer,CN=Users,DC=cpandl,DC=com",KenM,[email protected],514
user,"CN=WYu,OU=SW Dev,DC=cpandl,DC=com",WeiY,[email protected],514
user,"CN=JMorris,OU=Acct,DC=cpandl,DC=com",JonM,[email protected],514
user,"CN=YXu,OU=AP,OU=Acct,DC=cpandl,DC=com",YeX,[email protected],514
The -d switch indicates the root (top) of a particular query. For example, if
you want to export all the objects in the Marketing top-level OU of the
Contoso.com domain to a file named marketingobjects.csv, you can use the
following command:
The -r switch is a filter for exporting information from the directory. This
switch filters the output that an export request produces. For example, if you
want to export only the user account object attributes from a domain to a
file named usersonly.csv, you can use the following command:
csvde -r objectClass=user -f usersonly.csv
The following example exports Active Directory data to a file named search.txt, sets the search scope to subtree, and lists the sAMAccountName, cn, and distinguishedName attributes for each object that is found in the search:
csvde -f search.txt -p subtree -l sAMAccountName,cn,distinguishedName
The following example imports the data from the current domain (the
domain that you are logged on to) from a file named input.csv:
csvde -i -f input.csv
The following example exports the data from the current domain (the
domain that you are logged on to) to a file named output.csv:
csvde -f output.csv
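The -d export that the Marketing scenario above describes, followed by what has to happen after a csvde import because csvde cannot set passwords. This is an added example, not the module's own text; the file names are assumptions, and the two distinguished names in the loop are taken from the cpandl.com sample file above. The value 514 in that sample is 512 (normal account) plus 2 (account disabled), which is why the imported accounts start out disabled.

```batch
@echo off
rem Added example, not the module's own text: a csvde export scoped with -d
rem (the Marketing scenario above) and the steps that follow a csvde import.
rem Assumes the domains contoso.com and cpandl.com and the file names here.

rem Export everything under the Marketing OU; -d sets the root of the search.
csvde -d "OU=Marketing,DC=Contoso,DC=Com" -f marketingobjects.csv

rem Import the cpandl.com user file shown above. csvde cannot set passwords,
rem which is why the sample rows carry userAccountControl 514
rem (512 = normal account, plus 2 = account disabled): the accounts arrive
rem disabled and without a usable password. -k skips rows that already exist.
csvde -i -f users.csv -k

rem Finish each imported account with dsmod: prompt for a password (*),
rem require a change at first logon, and only then enable the account.
for %%D in (
  "CN=KMyer,CN=Users,DC=cpandl,DC=com"
  "CN=WYu,OU=SW Dev,DC=cpandl,DC=com"
) do dsmod user %%D -pwd * -mustchpwd yes -disabled no
```

Keeping the accounts disabled until a password has been set is the safe order: an enabled account created from a CSV row has whatever password state the directory gave it, not one the administrator chose.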
Windows Script Host provides an environment in which users can execute scripts in a variety of languages, each of which uses a variety of object models to perform tasks.
Syntax
wscript [<scriptname>] [//b] [//d] [//e:<engine>] [{//h:cscript | //h:wscript}] [//i] [//job:<identifier>] [{//logo | //nologo}] [//s] [//t:<number>] [//x] [//?] [<ScriptArguments>]
Host options take a double slash (//); a single slash marks an argument that is passed to the script.
•Performing this task does not require you to have administrative credentials.
Therefore, as a security best practice, consider performing this task as a user
without administrative credentials.
•To open a command prompt, on the Start screen, type cmd, and then
click command prompt.
•Each parameter is optional; however, you cannot specify script arguments
without specifying a script. If you do not specify a script or any script
arguments, wscript.exe displays the Windows Script Host Settings dialog
box, which you can use to set global scripting properties for all scripts
that wscript.exe runs on the local computer.
• The //t parameter prevents excessive running of scripts by setting a timer. When the time exceeds the specified value, wscript interrupts the script engine and ends the process.
•Windows script files usually have one of the following file name extensions: .wsf, .vbs, .js.
•If you double-click a script file with an extension that has no association, the Open
With dialog box appears. Select wscript or cscript, and then select Always use this
program to open this file type. This registers wscript.exe or cscript as the default script
host for files of this file type.
•You can set properties for individual scripts. See Windows Script Host overview for more
information.
•Windows Script Host can use .wsf script files. Each .wsf file can use multiple scripting
engines and perform multiple jobs.
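A .wsf file with two jobs, run with cscript so that the job selector and the timer from the syntax above can be seen in use. This is an added example, not the module's own text: the file is written out with echo so the whole thing is one batch file, and the file name, the job names and the 30-second timer are assumptions.

```batch
@echo off
rem Added example, not the module's own text: a .wsf file with two jobs,
rem written out here with echo so the whole example is one batch file, then
rem run with cscript. The file name and the job names are assumptions.
set "WSF=%TEMP%\jobs.wsf"
> "%WSF%" (
  echo ^<?xml version="1.0"?^>
  echo ^<package^>
  echo   ^<job id="Hello"^>
  echo     ^<script language="VBScript"^>WScript.Echo "job Hello ran"^</script^>
  echo   ^</job^>
  echo   ^<job id="Args"^>
  echo     ^<script language="VBScript"^>
  echo       Dim a : For Each a In WScript.Arguments : WScript.Echo a : Next
  echo     ^</script^>
  echo   ^</job^>
  echo ^</package^>
)

rem Host options carry a double slash so the host does not hand them to the
rem script; everything after the script name is a script argument. //job
rem selects which job in the file runs and //t:30 ends it after 30 seconds,
rem which is what the timer option is for.
cscript //nologo //job:Hello //t:30 "%WSF%"
cscript //nologo //job:Args //t:30 "%WSF%" first "second value"
```

Running scripts through cscript with an explicit //t value is the habit worth keeping from the page's note on the timer: a script that hangs, or that was never meant to run that long, is ended by the host instead of staying alive unnoticed.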