Add to collection(s) Add to saved
  1. Arts & Humanities
  2. Communications
  3. Marketing

distinguished-name -switches

advertisement 
DS Commands
Notes and Examples
DS Commands
• Tools that are available to manage Active
Directory from the command prompt.
• Use of DS commands requires an
understanding of distinguished names.
Distinguished Name (DN)
• Every object in Active Directory has an
associated distinguished name, or DN.
The DN exactly identifies the location of
the object within Active Directory. It
uniquely identifies the object by its
common name and its location within the
domain.
Distinguished Name (DN) (continued)
• Common Name: An object’s common
name is the plain-English name given to
the object when it’s created. An object’s
common name is identified using
cn=Name; for example:
“cn=Sponge Bob”
Distinguished Name (DN) (continued)
• Object’s Location: An object’s location is determined by
the names of the domain components and the names of
the container objects (organizational unit) that contain the
object.
• Organizational Units are identified by using ou=
– Exception: the system generated users container is identified with
cn=
• Domain components are identified by using dc= .
• If the Sponge Bob object is in a container (organizational
unit) named Finance and the Finance container is in a
domain named marketing.insideis.com, the object’s
location would be referenced as:
“ou=finance, dc=marketing, dc=insideis, dc=com”
or
ou=finance,dc=marketing,dc=insideis,dc=com
Quotes are needed in the first example because spaces were included after each comma in the name
.
Distinguished Name (DN) (continued)
• An object’s distinguished name includes
it’s common name and the object’s
location.
• The distinguished name for the Sponge
Bob object that exists inside the Finance
container within the
Marketing.InsideIS.com domain is:
“cn=Sponge Bob, ou=Finance, dc=marketing, dc=insideis,
dc=com”
or
“cn=Sponge Bob,ou=Finance,dc=marketing,dc=insideis,dc=com”
Quotes are required in both examples because the value of cn includes spaces..
Distinguished Name (DN) (continued)
• Some rules regarding writing a distinguished
name include:
–
–
–
–
CN= precedes the common name of the object
OU= precedes an organizational unit’s name
DC= precedes each part of a domain name
Commas separate each component in the name and
they are required
– The space after the comma is optional, if used, the
DN must be enclosed in quotes
– If any spaces exist in any part of the name, the DN
must be enclosed in quotes
– No portion of the name is case sensitive
Examples of Distinguished Names
The Brian user object’s distinguished name:
cn=brian,ou=finance,dc=domainp,dc=bcc
or
“cn=brian, ou=finance, dc=domainp, dc=bcc”
Quotes are needed in the second example because
spaces were included after each comma in the name.
Examples of Distinguished Names
The John J. Jones user object’s distinguished
name:
“cn=John J. Jones,ou=Users,ou=Finance,dc=domainp,dc=bcc”
Quotes are required because the value of the cn name contains spaces
..
DSADD User
• DSADD can be used to create many different
object types, this and the next few slides will
concentrate on using DSADD to create user
objects.
• Syntax for user account is
– DSADD USER distinguished-name switches
• Switches commonly used include
– -pwd (password), -samid, -upn, -memberof, -disabled
Sample DSAdd
The below command would be
typed on one line. It adds a
user to the Finance container
within the domainp.bcc domain.
The user’s password will be set
at Bristol!, her user object’s
common name (cn) will be
Wilma Flinstone, her user
principal name (upn) will be
wflintstone@domainp.bcc and
her samid will be wflintstone.
The user could login using
upn
wflinstone or
wflinstone@domainp.bcc
cn
samid
dsadd user "cn=Wilma Flintstone, ou=finance,dc=domainp,dc=bcc" pwd Bristol! -upn wflintstone@domainp.bcc -samid wflintstone
DSADD User (continued)
• It’s important to understand the difference
between the different name values: cn, upn &
samid
• When entering the command, the only required
value is cn.
• But.. what happens if you leave off the upn or
samid?
– Upn – if omitted, that property is left blank and a user
would not be able to login using a upn name (i.e,.
wflinstone@domainp.bcc)
– Samid – if omitted, the first 20 characters of the
supplied cn value will be used as the samid
DSADD User (continued)
Example:
Dsadd user cn=Jackson,ou=finance,dc=domainp,dc=bcc” –pwd Bristol!
cn value used as object
name and samid. Upn
value left blank
User could login using the login
name: Jackson
A upn (i.e., Jackson@domainp.bcc)
would not be supported)
DSADD User (continued)
Example:
Dsadd user “cn=Jackson M. Mortinville, ou=finance,dc=domainp,dc=bcc
–pwd Bristol!
cn value used as object name and samid
Notice, only the first 20 characters of
the cn value are used for the samid.
User would have to login using the login name:
Jackson M. Mortinvil
This, obviously would not be recommended.
Understanding how DSADD provides values to
properties is critical in ensuring that a desired
login name is provided.
DSADD User (continued)
Example: samid not provided
Dsadd user “cn=Jackson Smith, ou=finance,dc=domainp,dc=bcc
–pwd Bristol! –upn jsmith@domainp.bcc
cn value is used as object name and because the
total characters are less than 20, the entire cn value
is used as the samid. Upn value is provided..
User could login using:
Jackson Smith
or
Jsmith@domainp.bcc
Jsmith (alone) will not work.
This, obviously would not be recommended.
Here again, understanding how DSADD provides
values to properties is critical in ensuring that a desired
login name is provided.
DSADD User: Best Practice
• The best practice when creating user accounts with the
DSADD command is to always provide all three values
– Cn – this is the object’s name and it’s what you see by default
when viewing the database using Active directory Users and
Computers. It’s also the name you’ll use whenever referencing
the object from the command prompt.
– Samid – this is the name you want the user to use when logging
in. (i.e, jjones)
– Upn – should be the same value as the samid, followed by @
and the domain name in which the account is being created. (i.e,
jjones@domain.com)
DSMOD User
• DSMOD can be used to modify many different
object types, this and the next slide will
concentrate on using DSMOD to modify user
objects.
• Syntax for modifying user account is
– DSMOD USER distinguished-name -switches
• Switches commonly used include
– -pwd (password), -mustchpwd –disabled
DSMOD User: Examples
Each of the below examples modifies a user object that exists in either
the finance container or the accounting container in the domainp.bcc
domain.
Dsmod user “cn=Jackson,ou=Finance,dc=domainp,dc=bcc” -pwd Password!
Changes the Jackson user’s password to Password!
Dsmod user “cn=Mary, ou=Accounting, dc=domainp, dc=bcc” –pwd Password! –
mustchwd yes
Changes the Mary user’s password to Password! and requires that she change her
password at next logon.
Dsmod user “cn=John Smith, ou=Accounting, dc=domainp, dc=bcc” –disabled yes
Disables the John Smith user account.
Dsmod user “cn=John Smith, ou=Accounting, dc=domainp, dc=bcc” –disabled no –
Enables the John Smith user account
DSQuery User
• DSQUERY can be used to query different object
types from the command line.
• Syntax for querying a user account is
– DSQUERY USER distinguished-name -switches
• Switches commonly used include
– -o (controls output’s display) –stalepwd -disabled
DSQuery User: Examples
dsquery user
Displays a list of distinguished names for all users in the domain
dsquery user “ou=Accounting,dc=domainp,dc=bcc”
Displays a list of distinguished names for all users in the Accounting
container within Domainp.bcc
dsquery user “ou=Accounting,dc=domainp,dc=bcc” –o samid
Displays a list of samids for all users in the Accounting container
within Domainp.bcc
dsquery user -name j*
Displays a list of distinguished names for all users in the domain
who have an object name that begins with the letter j.
DSQuery User: Examples
dsquery user -name j* “ou=Finance,dc=domainp,dc=bcc”
Displays a list of distinguished names for all user objects in the
Finance Container within Domainp.bcc who have an object name that
begins with the letter j.
dsquery user -disabled
Displays a list of distinguished names for all users in the domain that
have a disabled account
dsquery user “ou=Finance,dc=domainp,dc=bcc” –disabled –o samid
Displays a list of samids for all users in the Finance container within
Domainp.bcc that have a disabled account
dsquery user “ou=Finance,dc=domainp,dc=bcc” –stalepwd 14
Displays a list of distinguished names for all user objects in the
Finance Container within Domainp.bcc who have not changed their
password in 14 days
DSQuery User: Piping
DSQUERY Output can be used as input to
another command (piped)
Examples provided have wrapped onto multiple lines. When executed,
they would have to be typed on one line.
Dsquery user “ou=finance,dc=domainp,dc=bcc”
–stalepwd 72 | dsmod user –disabled yes
This will take the output of the dsquery command (on the left of the
pipe (|), and use it as input to the dsmod command on the right of the
(|). In this case, it will disable all user accounts in the finance
container who have not changed their password in 72 days.
DSQuery User: Piping
Dsquery user “ou=finance,dc=domainp,dc=bcc” | dsmod
user –desc “Finance Employees”
This will take the output of the dsquery command (on the left of the pipe (|),
and use it as input to the dsmod command on the right of the (|). In this
case, it will change the description property for all user accounts in the
finance container. The new value will be Finance Employees.
Dsquery user “ou=Sales,dc=domainp,dc=bcc” | dsmod user
–dept “Sales” –title “Customer Sales” –Company “Action Lights”
This will take the output of the dsquery command (on the left of the pipe (|),
and use it as input to the dsmod command on the right of the (|). In this
case, it will change the department, title and company properties for all users
in the sales container.
DSMove
• DSMOVE
– can be used to move an object from one container to
another from the command line.
– Can be used to rename an object from the command
line
• Syntax - for moving
– DSmove distinguished-name –newparent newcontainer
• Syntax – for renaming
– DSmove distinguished-name –newname new-name
DSMove: Move Examples
Dsmove “cn=sue,ou=finance,dc=domainp,dc=bcc” –
newparent
“ou=sales,dc=domainp,dc=bcc”
This moves the user with an object name of Sue from the finance
container in domainp.bcc to the sales container in domainp.bcc
Dsmove “ou=users,ou=accounting,dc=domainp,dcc=bcc”
–newparent “ou=finance,dc=domainp,dc=bcc”
This moves the container named users from the Accounting container
within domainp.bcc to the finance container within domainp.bcc.
DSMove: Rename Examples
Dsmove “cn=sue,ou=finance,dc=domainp,dc=bcc” –
newname suzy
This renames the user object with an object name of Sue in the
finance container to suzy
Dsmove “ou=users,ou=accounting,dc=domainp,dcc=bcc”
–newname Acc_Users
This renames the container named users that exists in the
Accounting container in domainp.bcc to Acc_Users.
DSRM
• Allows objects to be deleted from directory
• Can delete single object or entire subtree
• Syntax - for removing a single object
– DSRM distinguished-name
• Syntax – for removing an entire subtree
– DSRM distinguished-name –subtree
DSRM: Examples
Dsrm “cn=sally,ou=finance,dc=domain16,dc=bcc” –
noprompt
Deletes the Sally user from the Finance container in Domain16.bcc
without prompting for confirmation.
Dsrm “ou=Accounting,dc=domainp,dc=bcc” -subtree
Deletes the Accounting container from domainp.bcc. Does prompt
for confirmation
Dsrm “ou=Users,ou=Finance,dc=domainp,dc=bcc” –
subtree –noprompt -c
Deletes the Users container within the finance container in
domainp.bcc without prompting for confirmation and, if there are
errors, don’t stop the process - continue deleting.
DSADD Group
• DSADD can be used to create many different
object types, this and the next few slides will
concentrate on using DSADD to create group
objects.
• Syntax for group account is
– DSADD Group distinguished-name switches
• Switches commonly used include
– -scope –secgrp –memberof
DSAdd Group: Examples
Dsadd group “cn=Finance-G,ou=Finance,dc=domainp,dc=bcc”
Creates a group named Finance-G in the Finance container of
Domainp.bcc. Since no scope or security type have been defined in
the command, the group’s scope will be global and the group’s type
will be security
Dsadd group “cn=Finance-L,ou=Finance,dc=domainp,dc=bcc” -scope
L
Creates a group named Finance-L in the Finance container of
Domainp.bcc. The group’s scope will be domain local and, since
the security type has not been defined the group’s type will be
security
DSAdd Group: Examples
Dsadd group “cn=Sales-G,ou=Sales,dc=domainp,dc=bcc” -scope G –
members “cn=sally,ou=sales,dc=domainp,dc=bcc”
“cn=joe,ou=sales,dc=domainp,dc=bcc”
“cn=bob,ou=sales,dc=domainp,dc=bcc”
Creates a group named Sales-G in the Sales container of
Domainp.bcc. The group’s scope will be global; it’s type is security.
Three users have been added to the group’s member list; Joe, Sally
and Bob, each of which are user object’s that exist in the Sales
container within domainp.bcc
Dsadd group “cn=Sales-L,ou=Sales,dc=domainp,dc=bcc” -scope L –
members “ou=Sales-G,ou=sales,dc=domainp,dc=bcc”
Creates a group named Sales-L in the Sales container of
Domainp.bcc. The group’s scope will be Domain Local; it’s type is
security. The Sales-G global group which also exists in the Sales
container of Domainp.bcc, is made a member of this group.
DSMOD Group
• DSMOD can be used to modify many different
object types, this and the next slide will
concentrate on using DSMOD to modify group
objects.
• Syntax for modifying group account is
– DSMOD Group distinguished-name -switches
• Switches commonly used include
– -rmmbr -addmbr
DSMOD Group: Examples
Each of the below examples modifies a group object that exists in
either the Sales container or the accounting container in the
domainp.bcc domain.
Dsmod group “cn=Sales-G,ou=Sales,dc=domainp,dc=bcc” -addmbr
“cn=JSmith,ou=sales,dc=domainp,dc=bcc”
Makes the JSmith user a member of the Sales-G group
Dsmod group “cn=Accounting-L, ou=Accounting, dc=domainp, dc=bcc” –addmbr
“cn=Accounting-G,ou=Accounting,dc=domainp,dc=bcc”
Makes the Accounting-L group a member of the Accounting-G group.
Dsmod group “cn=Accounting-G, ou=Accounting, dc=domainp, dc=bcc” –rmmbr
“cn=JSmith,ou=Accounting,dc=domainp,dc=bcc”
Removes the JSmith user from the member list of the Accounting-G group.
Dsmod Group “cn=Sales-G,ou=sales,dc=domainp,dc=bcc” –addmbr
“cn=mbrown,ou=sales,dc=domainp,dc=bcc” –rmmbr
“cn=sally,ou=sales,dc=domainp,dc=bcc”
Makes mbrown a member of the Sales-G group and removes Sally from the
members list of the Sales-G group.
DSQuery Group
• DSQUERY can be used to query different object
types from the command line.
• Syntax for querying a Group
– DSQUERY Group distinguished-name -switches
• Switches commonly used include
– -o (controls output’s display) –name -desc
DSQuery Group: Examples
dsquery group
Displays a list of distinguished names for all groups in the domain
dsquery group “ou=Accounting,dc=domainp,dc=bcc”
Displays a list of distinguished names for all groups in the
Accounting container within Domainp.bcc
dsquery group “ou=Accounting,dc=domainp,dc=bcc” –o
samid
Displays a list of samids for all groups in the Accounting container
within Domainp.bcc
dsquery group -name sale*
Displays a list of distinguished names for all groups in the domain
who have an object name that begins with the letters sale.
DSGET
• DSGET displays properties of Active Directory
Objects.
• Syntax
– DSGET GROUP distinguished-name –switches
– DSGET USER distinguished-name –switches
DSGET Group: Examples
Each of the below examples gets properties values of group objects
that exist in either the Sales container or the Accounting container in
the domainp.bcc domain.
DSGET GROUP “cn=Sales-G,ou=Sales,dc=domainp,dc=bcc” -members
Displays the members list for the Sales-G group
DSGET GROUP “cn=Accounting-L, ou=Accounting, dc=domainp, dc=bcc”
–memberof
Displays the member of list for the Accounting-L group. This identifies in
which groups this group is a member.
DSGET GROUP “cn=Accounting-G, ou=Accounting, dc=domainp, dc=bcc” –
desc
Displays the description property for the Accounting-G group.
DSGET Group: Examples
Dsget group “cn=Finance-L,ou=finance,dc=domainp,dc=bcc”
–members -expand
Displays the members list of the Finance-L group and, if any of the
members are groups, it displays the members list of those groups.
For example, if the Finance-G group is a member of the Finance-L
group, the above command would display the members list from both
groups.
DSGET User: Examples
Each of the below examples gets properties values
of user objects that exist in either the Sales
container or the Accounting container in the
domainp.bcc domain.
DSGET USER “cn=Mary,ou=Sales,dc=domainp,dc=bcc”
-memberof
Displays a list of groups in which Mary is a member
DSGET USER “cn=Susan,ou=Accounting, dc=domainp,
dc=bcc” -profile –samid –desc
Displays Susan’s profile, description and samid property
values.
DSGET User: Examples with Piping
Dsquery user –name Susan |dsget user -memberof
This will query the domain for a user object named Susan.
Dsquery’s output (in this case, the user’s name) will be used as input
to the DSGET command. The DSGet command will display the list
of groups in which Susan is a member.
Dsquery user –name Susan |dsget user –samid desc
This will query the domain for a user object named Susan.
Dsquery’s output (in this case, the user’s name) will be used as input
to the DSGET command. The DSGet command will display the
samid and description property values of the susan user object.
DSGET User: Examples with Piping
Dsquery user “ou=finance,dc=domainp,dc=bcc” | dsget user
–samid
-desc -display
This will list all user accounts that exist in the finance container. It will use
that list as input to the dsget command on the right side of the pipe. Dsget
will display the samid, display name and description property values for each
user in the Finance container.
Dsget user “cn=susan,ou=sales,dc=domain16,dc=bcc”
–memberof | dsget group -members
This will use the member of list of the Susan user as input to the dsget
command on the right of the pipe. It will then display the members list of
each group. In essence, it displays a list of group members for all groups
that Susan belongs to.
Related documents
Tony Mahon-AJM Insurance, Amy Webb-Saratoga Benefits
Tony Mahon-AJM Insurance, Amy Webb-Saratoga Benefits
Professional Communication in the Workplace
Professional Communication in the Workplace
07 Nov 2013 - Health, Population and Nutrition Sector Development
07 Nov 2013 - Health, Population and Nutrition Sector Development
to - click here
to - click here
The BCC Assessment Committee Welcomes You
The BCC Assessment Committee Welcomes You
CVTE Orientation. - Greater New Bedford Regional Vocational
CVTE Orientation. - Greater New Bedford Regional Vocational
Letters and E-mail
Letters and E-mail
Example 5 - ClassZone
Example 5 - ClassZone
2007 to 2012: Breast Cancer Campaign Scientific Fellowship
2007 to 2012: Breast Cancer Campaign Scientific Fellowship
Download
advertisement