Tag Archives: DSQuery

Active Directory: Using DSQuery/DSMod to add Service Account to Multiple Groups Based on Description

Due to a regulatory change in our organization, we had to slim down the Domain Admins group to almost no one, and we were required to remove all service accounts from Domain Admins as well.

Fortunately for us, we had, for quite some time, been creating a specific domain security group for each server and then adding “administrative” user accounts to those groups to assign access to the right people (as not everyone needs to administrate every server).

Unfortunately we didn’t necessarily do the same for service accounts.

One service account, our ePOAgent account for McAfee Anti-Virus, needed to be assigned to all of the server-specific security groups but, for compliance reasons, not be assigned to any other groups.

As we had all of our security groups in one OU, this was a little problematic, but fortunately DSQuery gives us a switch to handle this, since we use accurate and consistent descriptions when we create accounts/groups. Writing a quick command completed the task.

The following DSQuery/DSMod command will do the following:

  • Search a specific OU for security groups that have “Server Administrators:” as the first part of their Description (-desc)
  • Search greater than the default 100 objects (-limit)
  • Continue processing even if one of the groups already has our ePOAgent account in it (-c)
  • Add the ePOAgent account to each group (-addmbr)

Here’s the command:


dsquery group "OU=Security Groups,DC=ad,DC=harness,DC=net" -desc "Server Administrators:*" -limit 1000 | dsmod group -addmbr "CN=ePOAgent,OU=Service Accounts,DC=ad,DC=harness,DC=net" -c

The DS commands in Windows 2008 make life a whole lot easier when working with large collections of objects, particularly if they’re all jumbled together in one OU. In my case, I had 500+ objects to identify, sort through, and add an account to. One simple command later I’m done and can move on to something more interesting. : )
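Before piping hundreds of groups into dsmod, it is worth seeing exactly which groups the description filter matches and which ones already contain the account. The following batch script is an added example (not from the original post) that previews the match list, warns if the -limit was hit, lists the groups that already contain ePOAgent, and only then runs the post's actual command; it reuses the post's own DNs and filter.

```batch
@echo off
REM Added example, not from the original post: preview what the description
REM filter matches before any dsmod runs. DNs and the filter are the post's own.
setlocal
set "GROUP_OU=OU=Security Groups,DC=ad,DC=harness,DC=net"
set "SVC_ACCT=CN=ePOAgent,OU=Service Accounts,DC=ad,DC=harness,DC=net"
set "FILTER=Server Administrators:*"
set "LIMIT=1000"

echo === Groups whose description matches "%FILTER%" ===
dsquery group "%GROUP_OU%" -desc "%FILTER%" -limit %LIMIT% | dsget group -dn -desc

REM Count the matches; a count equal to -limit means the result was truncated
for /f %%n in ('dsquery group "%GROUP_OU%" -desc "%FILTER%" -limit %LIMIT% ^| find /c /v ""') do set "COUNT=%%n"
echo %COUNT% group(s) matched.
if %COUNT% GEQ %LIMIT% echo WARNING: hit -limit %LIMIT%; raise it or the list above is incomplete.

REM Groups that already contain the account: these are the ones -c lets dsmod skip past
echo === Groups that already contain the service account ===
for /f "usebackq delims=" %%g in (`dsquery group "%GROUP_OU%" -desc "%FILTER%" -limit %LIMIT%`) do (
    dsget group %%g -members | find /i "CN=ePOAgent," >nul && echo %%g
)

REM Only after the preview looks right: the post's actual change, with a chance to abort
echo Press Ctrl+C to abort, or
pause
dsquery group "%GROUP_OU%" -desc "%FILTER%" -limit %LIMIT% | dsmod group -addmbr "%SVC_ACCT%" -c
endlocal
```

dsquery prints each DN already wrapped in double quotes, which is why the loop can pass %%g straight to dsget without re-quoting.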

Active Directory: Using the Command Line for Group Management

DSGet displays the selected properties of a specific object in the directory, while DSQuery finds objects (such as groups) in the directory that match the search criteria that you specify. You can then use DSMod to modify an existing object of a specific type in the directory.

DSQuery, DSMod, and DSGet are three command-line tools that are built into Windows Server 2008. They are available if you have the Active Directory Domain Services (AD DS) server role installed. To use them, you must run the commands from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

A couple of quick reminders about using command line tools:

1. If a value that you supply contains spaces, use quotation marks around the text
2. If you enter multiple values, the values must be separated by spaces

While Active Directory Users & Computers works great, there are always some situations in which command line entry is much quicker as you can specify arguments. These are two situations that I have had to consider recently:

Add specific named user to multiple security groups based on defined criteria
As an example, say I want to add a specific user named Jane Doe to all modify-level security groups, which I can identify as I’ve used “- M” in all of the group names. As I have used consistent naming conventions and have a proper OU structure in place, I can do all of this for the username Jane Doe by typing the following command:


dsquery group "OU=Security Groups,DC=domain,DC=net" -name "*- M" | dsmod group -addmbr "CN=Jane Doe,CN=Users,DC=domain,DC=net"

This command works as expected because I’ve used “- M” at the end of all of my security groups that have modify rights to the resource they protect. Consistency pays off when managing large Active Directory infrastructures.

To dissect this command a bit, I’m basically saying “Find all groups under the Security Groups OU that have - M in their name. Then (after the |) modify those groups by adding Jane Doe.”

Add members of one security group to another security group
You can also use DSGet in order to get all members of one group, which then allows you to use DSMod to add them to another group. This can be useful if your organization expands and you need to extend the number of security groups you have.


dsget group "CN=US INFOSEC,OU=Security Groups,DC=domain,DC=net" -members | dsmod group "CN=GERMANY INFOSEC,OU=Security Groups,DC=domain,DC=net" -addmbr

Narratively (I think better in the narrative), this command says “Get all of the users in the US INFOSEC security group and then (after the |) add them to the GERMANY INFOSEC security group.”

Add users based on filtered criteria to existing security group
This one came up for me recently. I needed to find all users in our domain based on an Active Directory attribute (in my case, the description field). In this instance, I was looking for the existence of one word (we’ll use ENSIGN in this example) in the description field and I needed to search our entire user OU structure. I used a * at the beginning and end of “ENSIGN” so that it would look for the word anywhere in the description field. Here are the four ways it could have been written:

  • ENSIGN: Ensign is the ONLY word in the description field
  • *ENSIGN: the description field ENDS with Ensign
  • ENSIGN*: the description field STARTS with Ensign
  • *ENSIGN*: Ensign APPEARS anywhere in the description field

By specifying the top-level OU I wanted to search, DSQuery automatically searches all sub-OUs. In my case, I knew it was going to return A LOT of results, so I used -limit at the end of the command; by default, DSQuery only returns 100 results, and I needed thousands.


dsquery user "ou=OUR DOMAIN USERS,dc=domain,dc=net" -desc "*ENSIGN*" -limit 10000 | dsmod group "cn=NEWBIE GROUP,ou=OUR DOMAIN GROUPS,dc=domain,dc=net" -addmbr

So, we’re basically saying “Get up to 10,000 users with the word Ensign anywhere in their description field and add them to the Newbie Group security group.”

…Finally
Issuing commands from the command line can save you tons of time. In my case, I had to create a scheduled task in Task Scheduler to perform that last example every four hours to make 100% sure any new users were put into that group if the criteria were met.

I realize it may seem trivial, but when you’re working with thousands and thousands of accounts in a high security environment, using the command line, specifying criteria, and then scheduling it to run on a routine basis can 100% assure you that requirements are being met.
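When the ENSIGN command above runs unattended every four hours, the only evidence of what each run did is whatever the script writes down. The following batch script is an added example (not from the original post) of that scheduled job with a timestamped log, followed, in comments, by a schtasks registration for the four-hourly schedule. It reuses the post's own DNs; the log path, task name and service account name are assumptions.

```batch
@echo off
REM Added example, not from the original post: the "ENSIGN" job as a script for
REM the four-hourly scheduled task the post describes, with a log so each
REM unattended run leaves a record. DNs are the post's own; the log path, task
REM name and service account name are assumptions.
setlocal
set "USER_OU=ou=OUR DOMAIN USERS,dc=domain,dc=net"
set "TARGET=cn=NEWBIE GROUP,ou=OUR DOMAIN GROUPS,dc=domain,dc=net"
set "LOG=C:\Scripts\newbie-sync.log"

echo [%date% %time%] run started >> "%LOG%"

REM Record which users matched, so the log shows what this run would touch
dsquery user "%USER_OU%" -desc "*ENSIGN*" -limit 10000 >> "%LOG%"

REM Apply; -c reports errors (e.g. a user already in the group on a repeat run) and continues
dsquery user "%USER_OU%" -desc "*ENSIGN*" -limit 10000 | dsmod group "%TARGET%" -addmbr -c >> "%LOG%" 2>&1
echo [%date% %time%] dsmod exit code %ERRORLEVEL% >> "%LOG%"
endlocal

REM One-time registration, from an elevated prompt: run every 4 hours as a
REM dedicated account that has only write-members rights on NEWBIE GROUP,
REM not a Domain Admin (account name is an assumption; /RP * prompts for its password):
REM   schtasks /Create /TN "AD-NewbieGroup-Sync" /TR "C:\Scripts\newbie-sync.cmd" /SC HOURLY /MO 4 /RU "DOMAIN\svc-groupsync" /RP *
```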