Active Directory: Using the Command Line for Group Management

DSGet displays the selected properties of a specific object in the directory, while DSQuery finds groups in the directory that match the search criteria that you specify. You can then use DSMod to modify an existing object of a specific type in the directory.

DSQuery, DSMod, and DSGet are three command-line tools that are built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use them, you must run the commands from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

A couple of quick reminders about using command line tools:

1. If a value that you supply contains spaces, use quotation marks around the text
2. If you enter multiple values, the values must be separated by spaces

While Active Directory Users & Computers works great, there are always some situations in which command line entry is much quicker as you can specify arguments. These are two situations that I have had to consider recently:

Add specific named user to multiple security groups based on defined criteria
As an example, say I want to add a specific user named Jane Doe to all modify- level security groups, which I can identify as I’ve used “- M” in all of the group names. As I have used consistent naming conventions and have a proper OU structure in place, I can do all of this for the username Jane Doe by typing the following command:

dsquery group "OU=Security Groups,DC=domain,DC=net" -name “- M” | dsmod group -addmbr "CN=Jane Doe,CN=Users,DC=domain,DC=net"

This command works as expected because I’ve used “- M” at the end of all of my security groups that have modify rights to the resource they protect. Consistency pays off when managing large Active Directory infrastructures.

To dissect this command a bit, I’m basically saying “Find all groups under the Security Groups OU that have – M in their name. Then (after the ) modify those groups by adding Jane Doe.”

Add members of one security group to another security group
You can also use DSGet in order to get all members of one group, which then allows you to use DSMod to add them to another group. This can be useful if your organization expands and you need to extend the number of security groups you have.

dsget group "CN=US INFOSEC,OU=Security Groups,DC=domain,DC=net" -members | dsmod group "CN=GERMANY INFOSEC,OU=Security Groups,DC=domain,DC=net" –addmbr

Narratively (I think better in the narrative), this command says “Get all of the users in the US INFOSEC security group and the (after the ) add them to the GERMANY INFOSEC security group.”

Add users based on filtered criteria to existing security group
This one came up for me recently. I needed to find all users in our domain based on an Active Directory attribute (in my case, the description field). In this instance, I was looking for the existence of one word (we’ll use ENSIGN in this example) in the description field and I needed to search our entire user OU structure. I used a * at the beginning and end of “ENSIGN” so that it would look for the word anywhere in the description field. Here are the four ways it could have been written:

  • ENSIGN Ensign is the ONLY word in the description field
  • *ENSIGN The description field ENDS with Ensign
  • ENSIGN* The description field STARTS with Ensign
  • *ENSIGN* Ensign APPEARS anywhere in the description field

By specifying the top level OU I wanted to search, DSQuery will automatically search all sub OUs. In my case, I knew it was going to return A LOT of results, so I used the –limit at the end of the command. By default, DSQuery will only return 100 results, I needed thousands.

dsquery user ou=OUR DOMAIN USERS,dc=domain,dc=net –desc *ENSIGN* -limit 10000 | dsmod group "cn=NEWBIE GROUP,ou=OUR DOMAIN GROUPS,dc=domain,dc=net" –addmbr

So, we’re basically saying “Get up to 10,000 users with the word Ensign anywhere in their description field and add them to the Newbie Group security group.”

Issues commands from the command line can save you tons of time. In my case, I had to create a scheduled task in Task Scheduler to perform that last example every four hours to make 100% sure any new users were put in to that group if that criteria were met.

I realize it may seem trivial, but when you’re working with thousands and thousands of accounts in a high security environment, using the command line, specifying criteria, and then scheduling it to run on a routine basis can 100% assure you that requirements are being met.

No comments yet... Be the first to leave a reply!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s