September 13, 2004 12:00 AM

Windows Server 2003 Directory Service Tools

Work with AD objects from the command line
Windows IT Pro
InstantDoc ID #43753
Downloads
43753.zip

The -scope g parameter tells Dsadd to create a global group. Next, we use the Dsquery and Dsmod combination to add all the users in MyOU to the new group:

dsquery user -scope onelevel "ou=MyOU,DC=LissWare,DC=Net" | dsmod group "cn=MyGroup,ou=MyOU,DC=LissWare,DC=Net" -addmbr

Moving Users with Dsmove
Now imagine that you want to move certain users to a specific OU or container. For instance, to move the user John Connor from MyOU to the Users container, the command would be:

dsmove "cn=Connor John,OU=MyOU,DC=LissWare,DC=Net" -newparent "cn=Users,DC=LissWare,DC=Net"

But what if we wanted to move all the users whose first name starts with J? We can do this by combining the Dsquery and Dsmove tools. To find all the users whose first name starts with J, you might try the command

dsquery user -name J*

Unfortunately, this command doesn't return the expected results because the -name switch matches the relative DN of the user (i.e., the common name, or cn), and we built the cn with the last name first and the first name last, so J* would match surnames rather than first names. Therefore, we can't use the standard Dsquery switches; instead, we must write the LDAP query filter explicitly with dsquery *. To locate all users whose first name starts with J, we use the command

dsquery * "ou=MyOU,DC=LissWare,DC=Net" -filter "(&(objectClass=user)(givenName=J*))"

This filter returns three DNs, those of Jane, John, and Juliet. To carry out the move operation, we combine the above query with the appropriate Dsmove command, as follows:

For /f "delims=*" %i in ('dsquery * "ou=MyOU,DC=LissWare,DC=Net" -filter "(&(objectClass=user)(givenName=J*))"') do dsmove -newparent "cn=Users,DC=LissWare,DC=Net" %i

Here, we need a For /f statement instead of a pipe because Dsmove accepts only one DN at a time on its standard input; Dsadd has the same limitation. The "delims=*" option keeps each DN, spaces included, in a single token (the default delimiters are space and tab, which would split "cn=Connor John" at the space). Two practical points: in a batch file, write %%i rather than %i, and run the Dsquery part on its own first to check the list it returns, because the loop moves whatever comes back. Dsquery returns at most 100 objects unless you add -limit 0, so a loop like this can silently miss users in a larger OU.

Deleting Users with Dsrm
The Dsrm directory service tool removes AD objects. Dsrm requires only the DN of the object to be removed. For example, to delete the user objects that are still in MyOU (the three J users are now in the Users container), we can use the command

dsquery user "ou=MyOU,DC=LissWare,DC=Net" | dsrm -noprompt

When you specify the -noprompt switch, Dsrm doesn't ask for confirmation, so whatever the Dsquery half returns is deleted without a second chance; run that Dsquery by itself first and read the list of DNs. To delete the group we created earlier, we can use the command

dsrm "cn=MyGroup,ou=MyOU,DC=LissWare,DC=Net" -noprompt

To delete the OU, which is now empty (Dsrm refuses to delete a container that still holds objects unless you add -subtree, which removes the container together with everything in it), we use the command

dsrm "ou=MyOU,DC=LissWare,DC=Net" -noprompt

To remove the three users we moved to the Users container (Jane, John, and Juliet), we use the command

dsquery * "cn=Users,DC=LissWare,DC=Net" -filter "(&(objectClass=user)(|(givenName=Jane)(givenName=John)(givenName=Juliet)))" | dsrm -noprompt

The explicit OR filter limits the deletion to users whose given name is Jane, John, or Juliet; everything else in the Users container is left alone. We've now removed everything we created in AD.
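The filters used on this page can be tried without a domain. The Python script below is an added example, not code from the article or its download: it holds a constructed in-memory directory (the three J users and MyGroup from the article, with the surnames Doe and Smith and a JSERVER computer account assumed for the example), evaluates the LDAP filters from the givenName=J* query and the final OR filter against it, and replays the For /f move and the dsrm step. It also shows two things the commands above don't: a -name J* search comes back empty because the cn starts with the surname, and a bare (objectClass=user) filter run domain-wide also returns computer accounts, which adding (objectCategory=person) excludes.

```python
"""In-memory model of the dsquery, dsmove and dsrm steps on this page. Added
example, not the article's code; the surnames and the computer account are assumed."""
import copy
import re

def _user(sn, given):  # a user whose cn/name is "Surname Given", as in the article
    return {"objectClass": ["top", "person", "organizationalPerson", "user"],
            "objectCategory": ["person"], "name": [f"{sn} {given}"],
            "sn": [sn], "givenName": [given]}

SAMPLE = {  # constructed directory, keyed by DN
    "OU=MyOU,DC=LissWare,DC=Net": {"objectClass": ["top", "organizationalUnit"], "name": ["MyOU"]},
    "CN=Connor John,OU=MyOU,DC=LissWare,DC=Net": _user("Connor", "John"),
    "CN=Doe Jane,OU=MyOU,DC=LissWare,DC=Net": _user("Doe", "Jane"),
    "CN=Smith Juliet,OU=MyOU,DC=LissWare,DC=Net": _user("Smith", "Juliet"),
    "CN=MyGroup,OU=MyOU,DC=LissWare,DC=Net": {"objectClass": ["top", "group"], "name": ["MyGroup"]},
    # computer is a subclass of user, so its objectClass list still contains
    # "user" and a bare (objectClass=user) filter matches it too
    "CN=JSERVER,CN=Computers,DC=LissWare,DC=Net": {
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "objectCategory": ["computer"], "name": ["JSERVER"]},
}

def parse_filter(text, i=0):
    """Parse the RFC 4515 subset this page uses: (&..), (|..), (!..) and
    (attr=value) with * wildcards, including the (attr=*) presence test."""
    if text[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if text[i] in "&|!":
        op, i, children = text[i], i + 1, []
        while text[i] == "(":
            node, i = parse_filter(text, i)
            children.append(node)
        if text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    end = text.index(")", i)
    attr, eq, value = text[i:end].partition("=")
    if not (attr and eq):
        raise ValueError(f"unsupported filter item {text[i:end]!r}")
    return ("=", attr.strip(), value.strip()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry, case-insensitively as AD does."""
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)

def dsquery(directory, base_dn, filter_text, limit=100):
    """Subtree search under base_dn. The 100-result cap mirrors the real tool's
    default; pass limit=0 (the equivalent of -limit 0) to get everything."""
    node, _ = parse_filter(filter_text)
    base, hits = base_dn.lower(), []
    for dn, entry in directory.items():
        if (dn.lower() == base or dn.lower().endswith("," + base)) and matches(node, entry):
            hits.append(dn)
            if limit and len(hits) >= limit:
                break
    return hits

def dsmove(directory, dn, new_parent):
    """Keep the RDN and replace the rest: what dsmove -newparent does."""
    new_dn = dn.split(",", 1)[0] + "," + new_parent  # sample DNs have no escaped commas
    directory[new_dn] = directory.pop(dn)
    return new_dn

def dsrm(directory, dns):
    """Delete leaf objects only. LDAP refuses to delete an entry that still has
    children, which is why the real dsrm needs -subtree for a non-empty container."""
    for dn in dns:
        if any(other.lower().endswith("," + dn.lower()) for other in directory):
            raise ValueError(f"{dn} still has children; use dsrm -subtree")
        del directory[dn]
    return len(dns)

def demo():
    """Replay the article's sequence on a fresh copy and return each step's result."""
    d = copy.deepcopy(SAMPLE)
    myou, users = "OU=MyOU,DC=LissWare,DC=Net", "CN=Users,DC=LissWare,DC=Net"
    r = {}
    r["name_j"] = dsquery(d, myou, "(name=J*)")  # what -name J* tests; cn starts with the surname
    r["given_j"] = dsquery(d, myou, "(&(objectClass=user)(givenName=J*))")  # the article's filter
    # caveat: domain-wide, (objectClass=user) also returns the computer account
    r["class_user"] = dsquery(d, "DC=LissWare,DC=Net", "(objectClass=user)")
    r["person"] = dsquery(d, "DC=LissWare,DC=Net", "(&(objectCategory=person)(objectClass=user))")
    r["moved"] = [dsmove(d, dn, users) for dn in r["given_j"]]  # the For /f loop: one dsmove per DN
    r["to_delete"] = dsquery(d, users, "(&(objectClass=user)(|(givenName=Jane)(givenName=John)(givenName=Juliet)))")
    r["removed"] = dsrm(d, r["to_delete"])  # what dsquery ... | dsrm -noprompt does
    r["left_in_myou"] = dsquery(d, myou, "(objectClass=user)")
    return r
```

Call demo() to walk through the sequence; each entry in the returned dictionary corresponds to one command on this page. The dsquery() function keeps the real tool's 100-result default so the cap is visible in the code, and dsrm() refuses a container that still has children, for the same reason the real tool needs -subtree.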

Tool Notes
The directory service tools are especially beneficial when combined with command-shell statements such as For /f. This combination lets the directory service tools benefit from command-shell automation and lets us leverage traditional command-shell commands to carry out AD operations.

Although the directory service tools are useful, they have some limitations. You can pipe through the standard input only the DN of the object that you want to manipulate. You must specify all other parameters by using the command-line switches. It would be nice to be able to pipe the complete command line through the standard input.

The six directory service tools handle more than 80 percent of a typical shop's AD management needs, but they don't eliminate the need for WSH and ADSI scripting. Actually, "traditional" scripting is probably better than using the directory service tools when robust code-logic execution is required because the command shell offers poor error-handling features.

Bear in mind that you can call the directory service tools directly from a WSH script, so they can complement WSH and ADSI scripting. WSH 5.6 exposes the standard I/O streams of a process started with WshShell.Exec, so a script can feed a tool its input (i.e., the DN of the object you want it to work with) and parse the tool's output. For instance, a WSH script can "delegate" an AD query to Dsquery instead of using ADSI and ADO, read the list of DNs from the Dsquery process's standard output stream, and parse it.

Listing 1 shows a short sample script. The script first creates the WshShell object that's used to execute the process that's passed as a parameter of the WshShell.Exec method. After checking for the successful execution of the method, the script shows the Dsquery process ID and output. The script captures the output generated by Dsquery by reading the standard output stream in a loop. The loop ends when the output stream terminates.

The directory service tools help you perform typical AD operations, such as adding, moving, and removing objects, from the command line. Combining directory service tool statements with WSH is a great way to simplify your scripting code while leveraging the features that this great set of tools provides.


Comments
  • Aaron
    5 years ago
    Oct 26, 2007

    Yeah, it sucks... I want to see how to use dsquery, a WINDOWS COMMAND LINE tool, and I have to buy a stupid scripting subscription... I'll go somewhere else...

  • Alan
    6 years ago
    Jun 22, 2006

    Wondering what good my sub is when it simply takes me to other sub offers. How lame is that!
    NOT happy...


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.