The Dsmod Utility
The Dsmod utility modifies existing AD users, computers, groups, OUs, and contacts. For example, you can change a group's membership or scope. Dsmod's OU option isn't as useful as the other options; you can't do much other than to change the description. To reset Jim Bob's password and force him to change it at the next logon, type
dsmod user "CN=James Robert,CN=Users,DC=bigtex,DC=net" -pwd Uf@tfingeredIt -mustchpwd yes
If Jim Bob has just been too much trouble, you can disable his account by typing
dsmod user "CN=James Robert,CN=Users,DC=bigtex,DC=net" -disabled yes
To reset a computer account, type
dsmod computer CN=JimBobsPC,CN=goodolboys,OU=roughnecks,DC=bigtex,DC=net -reset
To change the GoodOlBoys group's scope from global to universal, type
dsmod group CN=GoodOlBoys,OU=roughnecks,DC=bigtex,DC=net -scope u
The Dsmod server command can make the task of creating a Global Catalog (GC) server easier than picking and clicking your way through the Active Directory Sites and Services console, as the following command shows:
dsmod server CN=firstdomcont,CN=servers,CN=default-first-site-name,CN=sites,CN=configuration,DC=bigtex,DC=net -isgc yes
Note that the DN of the server you want to make a GC server isn't the name you'd see in the MMC Active Directory Users and Computers console; instead, the name you need to type is the DC's representation in the Configuration naming context. (The Sites portion of the Active Directory Sites and Services console is really a view of the sites container in the Configuration naming context.)
The Dsmove Utility
The Dsmove utility moves an object within a domain. (You must use Movetree, in Support Tools on the Windows 2003 CD-ROM, to move objects between domains.)
Dsmove has two options: -newname and -newparent. You use -newname when you want to rename an object, as in
dsmove CN=sdeuby,CN=users,DC=bigtex,DC=net -newname "CN=Sean Deuby"
Note that to rename an object, you need to specify in the -newname option only the relative distinguished name (RDN) of the object, not the complete DN. If you wanted to relocate the SDeuby object within the domain to the Roughnecks OU we created earlier, you'd use the -newparent option, as in
dsmove CN=sdeuby,CN=users,DC=bigtex,DC=net -newparent OU=roughnecks,DC=bigtex,DC=net
In this case, you must tell the target object (SDeuby) exactly where to go by specifying the full DN of the destination parent object (the Roughnecks OU in Bigtex.net).
The Dsrm Utility
In contrast to the other Ds utilities, Dsrm is quite simple: It deletes an AD object whose DN you specify. Other than the options for alternate credentials and server connections that all these tools share, Dsrm has only two options. The -subtree option specifies that you want to delete both the object and all objects under it. If you don't use the -subtree option, Dsrm deletes only the object. The -subtree option's -exclude parameter ensures that you keep the target object while deleting everything under it. The -noprompt option stops the utility from asking you to confirm the deletion. For example, the command
dsrm OU=roughnecks,DC=bigtex,DC=net -subtree -exclude -noprompt
deletes everything in the Roughnecks OU but leaves the OU intact.
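A more cautious way to run the deletion above, as an added example that is not from the original article: the batch script records what lies under the OU with dsquery, reports the count, and then runs dsrm without -noprompt so the confirmation prompt stays in place. The record file name is a hypothetical choice.

```bat
@echo off
rem Added example, not from the original article.
rem Records and counts what "dsrm -subtree -exclude" would remove,
rem then runs dsrm WITHOUT -noprompt so the confirmation prompt stays on.
setlocal

rem Target OU taken from the article's example.
set "TARGET=OU=roughnecks,DC=bigtex,DC=net"
rem Hypothetical file name for the pre-deletion record.
set "RECORD=roughnecks-before-dsrm.txt"

rem -scope subtree returns the OU itself plus everything beneath it;
rem -limit 0 lifts dsquery's default cap of 100 results.
dsquery * "%TARGET%" -scope subtree -limit 0 > "%RECORD%"
if errorlevel 1 (
    echo dsquery failed; nothing was deleted.
    exit /b 1
)

rem Count the lines in the record. One of them is the OU itself,
rem which -exclude keeps.
for /f %%N in ('find /c /v "" ^< "%RECORD%"') do set "TOTAL=%%N"
set /a CHILDREN=TOTAL-1
echo %CHILDREN% object(s) under %TARGET% would be deleted. See %RECORD%.

if %CHILDREN% LEQ 0 (
    echo Nothing to delete.
    exit /b 0
)

rem No -noprompt here: dsrm asks for confirmation before deleting.
dsrm "%TARGET%" -subtree -exclude
```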
The Shutdown Utility
Win2K and Windows NT originally didn't have a command-line utility to shut down the system. To address this omission, the Microsoft Windows 2000 Server Resource Kit added a Shutdown utility to perform some basic shutdown functions such as rebooting, forcing running applications to close, providing a simple GUI, and setting a countdown-to-shutdown timer. This Shutdown utility also has an abort switch (/a) to stop the countdown timer, which can be exciting to try to remember when you have less than 30 seconds before the system shuts down.
In Windows 2003, Shutdown has moved from the resource kit to %windir%\system32. You can now do practically anything related to shutdowns and restarts right from the command line: shut down (/s), restart (/r), power down (/p), hibernate (/h), force-close applications (/f), and abort (/a). You can also use the /l switch to log off without shutting down.
An improved GUI, which Figure 5 shows, lets you shut down multiple computers with one command and specify the reason you're shutting down or restarting the computers. You open the Shutdown GUI by typing
shutdown /i
The new Shutdown Event Tracker tries to collect the reason for every operator-initiated shutdown. If the system has shut down unexpectedly, a reason-collection dialog box pops up the first time an administrator logs on after rebooting the system. The command-line Shutdown also lets you document the shutdown reason by using the /d switch and one of 23 reasons. For example, the command
shutdown /r /t 30 /f /d p:02:04 /c:"This is a test of the SHUTDOWN command line utility"
reboots the computer after 30 seconds, forcing applications to close, leaving a message in the System event log, and specifying the reboot reason as "Operating System: Reconfiguration (planned)". The new Shutdown has a thorough Help file, which you open by clicking Help on the Shutdown GUI.
For instance: adding an OU as in your first example of the DSADD utility, dsadd failed, A referral was returned from the server.
What does this mean? I certainly don't know.
Brian April 11, 2004