Active Directory Commands ( )

Transcription

1 CSVDE Script Example: Active Directory Commands ( ) 1 Dn, samaccountname, userprincipalname, department, useraccountcontrol, objectclass "CN=Amir Nosrati,OU=IT,DC=Ostadbook,DC=com",Amir-n,[email protected],MCSE,512,user CSVDE Import CSVDE i f users.csv CSVDE i k f users.csv CSVDE Export CSVDE f users.csv r "(&(objectclass=user))" CSVDE f users.csv l "DN,objectclass,samaccountname,useraccountcontrol" CSVDE f users.csv r "(&(objectclass=user))" l "DN,objectclass,samaccountname,useraccountcontrol"

2 DSMOD USER Modify Password DSMOD 2 dsmod user "CN=Behzad Azarmehr,OU=IT,DC=Ostadbook,DC=com" pwd DSADD USER Create user WITH password dsadd user "CN=Mohammad AzadiNaqsh,OU=IT,DC=Ostadbook,DC=com" pwd DSMOD GROUP Examples To add the user Mohammad Saedy to all administrator distribution list groups: dsquery group "OU=Distribution Lists,DC=Ostadbook,DC=com" name adm* dsmod group addmbr "CN=Mohammad Saedy,CN=Users,DC=Ostadbook,DC=com" To add all members of the IT Info Group to the Ostadbook Info group: dsget group "CN=IT info,ou=distribution Lists,DC=Ostadbook,DC=com" members dsmod group "CN=Ostadbook info,ou=distribution Lists,DC=Ostadbook,DC=com" addmbr DSMOD GROUP Examples To convert the group type of several groups from "security" to "non-security": dsmod group "CN= IT info,ou=distribution Lists,DC=Ostadbook,DC=com" "CN=Ostadbook info,ou=distribution Lists,DC=Ostadbook,DC=com" "CN=MCSE info,ou=distribution Lists,DC=Ostadbook,DC=com" secgrp no To add three new members to the IT info group: dsmod group "CN= IT info,ou=distribution Lists,DC=Ostadbook,DC=com" addmbr "CN=Sina Razavi,CN=Users,DC=Ostadbook,DC=com" "CN=Hamed Tadei,OU=Distribution Lists,DC=Ostadbook,DC=com" "CN=Sara Alijani,CN=Users,DC=Ostadbook,DC=com"

3 3 To add all users from the OU "IT" to the current group "IT Staff": dsquery user OU=IT,DC=Ostadbook,DC=com dsmod group "CN=IT Staff,OU=IT,DC=Ostadbook,DC=com" addmbr To delete two members from the ccurren IT Info group: dsmod group "CN=IT Info,OU=Distribution Lists,DC=Ostadbook,DC=com" rmmbr "CN=Sina Razavi,CN=Users,DC=Ostadbook,DC=com" "CN=Sara Alijani,OU=Distribution Lists,DC=Ostadbook,DC=com" DSMOD SERVER Examples To enable the domain controllers OstadbookDC1 and OstadbookDC9 to become Global catalog servers: dsmod server "CN=OstadbookDC1,CN=Servers,CN=site1,CN =sites,cn =configuration,dc=ostadbook,dc=com" "CN=OstadbookDC9,CN=Servers,CN=site2,CN =sites,cn =configuration,dc=ostadbook,dc=com" isgc yes DSMOD COMPUTER Examples To disable multiple computer accounts: dsmod computer CN=MemberServer1,CN=Computers,DC=Ostadbook,DC=com CN=MemberServer2,CN=Computers,DC=Ostadbook,DC=com disabled yes To reset multiple computer accounts: dsmod computer CN=MemberServer1,CN=Computers,DC=Ostadbook,DC=com CN=MemberServer2,CN=Computers,DC=Ostadbook,DC=com reset

4 DSADD Create an Organizational Unit in Windows 2003 dsadd ou "OU=IT,DC=Ostadbook,DC=com" DSADD 4 DSADD Creating Groups scope g Global group -scope L Domain Local group (Could also be scope l. Lower case L) -secgrp yes Security group (not distribution) dsadd group "CN=Ostadbook-users,OU=IT,DC=Ostadbook,DC=com" secgrp yes scope L DSADD Members Perhaps one of the most useful commands would be to add member to a groups as you create the group. Assuming you have already created a user called Tadei you would append this to example: Creating group. -members "CN=Tadei,OU=IT,DC=Ostadbook,DC=com" If there is a snag, you need to remember to add the members when you create the group otherwise dsadd will not work. However, you could try dsmod to modify or add members to an existing group. Dsadd group "CN=Ostadbook-users,OU=IT,DC=Ostadbook,DC=com" secgrp yes scope L -members "CN=Tadei,OU=IT,DC=Ostadbook, DC=com" DSADD Creating a User dsadd user "CN=Jowzi,OU=IT,DC=Ostadbook,DC=com"

5 DSGET COMPUTER DSGET 5 To find all computers in a given OU whose name starts with "tst" and show their descriptions. Dsquery computer OU=Test,DC=Ostadbook,DC=com name tst* dsget computer desc To show the list of groups, recursively expanded, to which a given computer "MyDBServer" belongs: dsget computer CN=MyDBServer,CN=computers,DC=Ostadbook,DC=com memberof expand To display the effective quota and quota used of a given computer "MyDBServer" on a given partition "CN=domain1,DC=Ostadbook,DC=com", type: dsget computer CN=MyDBServer,CN=computers,DC=Ostadbook,DC=com part CN=domain1,DC=Ostadbook,DC=com qlimit qused DSGET GROUP To find all groups in a given OU whose names start with "adm" and display their descriptions. Dsquery group OU=Test,DC=Ostadbook,DC=com name adm* dsget group desc To display the list of members, recursively expanded, of the group "Backup Operators": dsget group "CN=Backup Operators,OU=Test,DC=Ostadbook,DC=com" members expand To display the effective quota and quota used for a group on a specified partition, type: dsget group "CN=Backup Operators,OU=Test,DC=Ostadbook,DC=com" part "CN=domain1,DC=Ostadbook,DC=Com" qlimit qused

6 DSGET SERVER To find all domain controllers for domain IT.ostadbook.com and display their DNS host name and site name: 6 dsquery server domain IT.ostadbook.com dsget server dnsname site To show if a domain controller with the name DC1 is also a Global Catalog server: dsget server CN=DC1,CN=Servers,CN=Site10,CN=Sites,CN=Configuration,DC=Ostadbook,DC=com isgc To show the distinguished names of the directory partitions on a domain controller with the name DC1, type: dsget server CN=DC1,CN=Servers,CN=Site10,CN=Sites,CN=Configuration,DC=Ostadbook,DC=com part To show the security principals that own the largest total number of directory objects on the directory partitions of a domain controller with the name DC1, and limiting the list to the top 5 owners, type: dsget server CN=DC1,CN=Servers,CN=Site10,CN=Sites,CN=Configuration,DC=Ostadbook,DC=com topobjowner 5 DSGET USER To find all users in a given OU whose names start with "rez" and display their descriptions, type: dsquery user OU=Test,DC=Ostadbook,DC=com name rez* dsget user desc To display the list of groups, recursively expanded, to which a given user "Afshin Tavvahin" belongs, type: dsget user "CN=afshin tavvahin,cn=users,dc=ostadbook,dc=com" memberof expand To display the effective quota and quota used for a given user "Afshin Tavvahin" on a given partition "CN=domain,DC=Ostadbook,DC=com", type: dsget user "CN=Afshin tavvahin,cn=users,dc=ostadbook,dc=com" part "CN=domain,DC=Ostadbook,DC=com" qlimit qused

7 DSMOVE Examples DSMOVE 7 The user object for the user Tadei can be renamed to Tadei with the following command: dsmove "CN=Tadei,OU=sales,DC=Ostadbook,DC=com" newname "Tadei" The same user can be moved from the Sales organization to the Marketing organization with the following command: dsmove "CN=Tadei,OU=sales,DC=Ostadbook,DC=com" newparent OU=Marketing,DC=Ostadbook,DC=com The rename and move operations for the user can be combined with the following command: dsmove "CN=Tadei,OU=sales,DC=Ostadbook,DC=com" newparent OU=Marketing,DC=Ostadbook,DC=com newname "Tadei" DSQUERY DSQUERY Examples To find all computers those have been inactive for the last four weeks and remove them from the directory: dsquery computer inactive 4 dsrm To find all users in the organizational unit "OU=Marketing,DC=Ostadbook,DC=com" and add them to the Marketing Staff group: dsquery user OU=Marketing,DC=Ostadbook,DC=com dsmod group "CN=Marketing Staff,OU=Marketing,DC=Ostadbook,dc=com" addmbr To find all users with names starting with "amir" and display his office number: dsquery user name Amir* dsget user office To display an arbitrary set of attributes of any given object in the directory use the dsquery * command. For example, to display the samaccountname, userprincipalname and department attributes of the object whose DN is OU=Test,DC=Ostadbook,dc=com: dsquery * OU=Test,DC=Ostadbook,DC=com scope base attr samaccountname userprincipalname department To read all attributes of the object whose DN is OU=Test,DC=Ostadbook,DC=com: dsquery * OU=Test,DC=Ostadbook,DC=com scope base attr *

8 8 DSQUERY COMPUTER To find all computers in the current domain whose name starts with "re" and whose description starts with "desktop", and display their DNs: dsquery computer domainroot name re* -desc desktop* To find all computers in the organizational unit (OU) given by OU=sales,DC=Ostadbook,DC=com and display their DNs: dsquery computer OU=sales,DC=Ostadbook,DC=com DSQUERY Group To find all groups in the current domain whose name starts with "re" and whose description starts with "admin", and display their DNs: dsquery group domainroot name re* -desc admin* Find all groups in the domain given by DC=Ostadbook,DC=com and display their DNs: dsquery group DC=Ostadbook,DC=com DSQUERY Server To find all DCs in the current domain: dsquery server To find all DCs in the forest and display their Relative Distinguished Names: dsquery server o rdn forest To find all DCs in the site whose name is "Teh-Ostadbookgaran", and display their Relative Distinguished Names: dsquery server o rdn site Teh-Ostadbookgaran Find the DC in the forest that holds the schema FSMO role: dsquery server forest hasfsmo schema Find all DCs in the domain example.ostadbookt.com that are global catalog servers: dsquery server domain example.ostadbook.com isgc Find all DCs in the current domain that hold a copy of a given directory partition called "ApplicationSales": dsquery server part "Application*"

9 DSQUERY User 9 To find all users in a given organizational unit (OU) whose name starts with "rez" and whose account has been disabled for logon and display their user principal names (UPNs): dsquery user OU=Test,DC=Ostadbook,DC=com o upn name rez* -disabled To find all users in only the current domain, whose names end with "Jowzi" and who have been inactive for 3 weeks or more, and display their DNs: dsquery user domainroot name *Jowzi inactive 3 To find all users in the OU given by OU=sales,DC=Ostadbook,DC=com and display their UPNs: dsquery user OU=sales,DC=Microsfot,DC=com o upn DSQUERY OU To find all Ous in the current domain whose name starts with "se" and whose description starts with "sales", and display their DNs: dsquery ou domainroot name se* -desc sales* To find all Ous in the domain given by DC=Ostadbook,DC=com and display their DNs: dsquery ou DC=Ostadbook,DC=com DSQUERY Site To find all sites in West-Teh with name starting with "west" and display their DNs: dsquery site name west* To list the distinguished names (RDNs) of all sites defined in the directory: dsquery site o rdn

10 11 DSQUERY Subnet To find all subnets with the network IP address starting with : dsquery subnet name * To find all subnets in the site whose name is "Site-Teh", and display their names as Relative Distinguished Names (RDNs): dsquery subnet o rdn site Site-teh To list the names (RDNs) of all subnets defined in the directory: dsquery subnet o rdn dsquery failed:the parameter is incorrect. DSRM Examples DSRM To remove an organizational unit (OU) called "Marketing" and all the objects under that OU, use the following command: dsrm subtree noprompt c OU=Marketing,DC=Ostadbook,DC=com To remove all objects under the OU called "Marketing" but leave the OU intact, use the following command with the exclude parameter: dsrm subtree exclude noprompt c "OU=Marketing,DC=Ostadbook,DC=com"

11 General Parameters -i Turn on Import Mode (The default is Export) -f filename Input or Output filename LDIFDE -s servername The server to bind to (Default to DC of computer's domain) -c FromDN ToDN Replace ccurrences of FromDN to ToDN -v Turn on Verbose Mode -t port Port Number (default = 389) -u Use Unicode format -w timeout Terminate execution if the server takes longer than the specified number of seconds to respond to an operation(default = no timeout specified) -h Enable SASL layer encryption -j path og File Location Export Specific -d RootDN The root of the LDAP search (Default to Naming Context) -r Filter LDAP search filter (Default to "(objectclass=*)") -p SearchScope Search Scope (Base/OneLevel/Subtree) -l list List of attributes (comma separated) to look for in an LDAP search -o list List of attributes (comma separated) to omit from input. -g Disable Paged Search. -m Enable the SAM logic on export. -n Do not export binary values Import -k The import will go on ignoring 'Constraint Violation' and 'Object Already Exists' errors -y The import will use lazy commit for better performance (enabled by default) -e The import will not use lazy commit -q threads The import will use the specified number of threads (default is 1) 11

12 Credentials Establishment Note that if no credentials are specified, LDIFDE will bind as the currently logged on user, using SSPI. -a UserDN [Password *] Simple authentication -b UserName Domain [Password *] SSPI bind method 12 Examples Simple import of current domain ldifde i f INPUT.LDF Simple export of current domain ldifde f OUTPUT.LDF Export of specific domain with credentials ldifde m f OUTPUT.LDF -b USERNAME DOMAINNAME * -s SERVERNAME -d "cn=users,dc=ostadbook,dc=com" -r "(objectclass=user)" No log files were written. In order to generate a log file, please specify the log file path via the j option. LDIFDE Import The key switch is i without this tiny i switch (Lower case ) LDIFDE will just export information or raise an error message To master importing user accounts, you must understand the LDAP attributes Also you need 'Active Directory Users and Computer' available for inspecting the users' properties Once you have written all the data in your.ldf file then just import the data with a command like this : ldifde i f accounts.ldf s bigserve

13 Using LDIFDE to Add a New User In this example, you use LDIFDE to add a new user named Sina Razavi to the Training organizational unit. 13 Start Notepad, and create a new file called Newuser.ldf. (Save the file as with an.ldf extension.) (Note you will need to substitute the information for your domain!) dn: CN=GuyThomas, OU=Training, DC=Ostadbook, DC=com changetype: add cn: Sina Razavi objectclass: user samaccountname: Sina givenname: Sina sn: Razavi Save the LDIF file. Edit the LDIF file Newuser.ldf, and add the following text : Run LDIFDE to import the new user into active directory. Open a 'dos box', start run, CMD, then type the following command, and then press Enter. Ldifde i f newuser.ldf s bigserve To confirm that the new user has been created, check your active directory users and computers snap-in. Modify a User's attributes Once you have mastered adding users, then experiment with modifying existing attributes, this is the main advantage of LDIFDE over CSVDE. The key is the 'changetype: ' command in the data file. The three possible commands are add, modify, and delete. Changing the password is very difficult. Below is an example but you really needing more details from your ebook to master the 'unicodepwd' syntax. Dn: CN=Behzad Azarmehr, OU=IT, DC=Ostadbook,DC=com changetype: modify replace: unicodepwd unicodepwd::igbzag8adqbyae4azqb3afaadwbkacia

14 14 Deleting a user When you need to delete objects, firstly you need their dn: attributes. Secondly, on the next line, write a statement for changetype: delete. Example: If you saved these entries into a file called leavers.ldf dn: CN=Sara Alijani,CN=Users,DC=Ostadbook changetype: delete dn: CN=Azadinaqsh,CN=Users,DC=Ostadbook changetype: delete dn: CN=Sina Jowzi=Users,DC=Ostadbook changetype: delete LDIFDE Export The situation is, you want to extract user accounts from active directory. Perhaps you are doing this with a view to making changes, then importing them back into active directory. Alternatively, you may just want to practice the export to gain experience because LDIFDE f filename, is harmless compared with the import command. Note that export is the default so you do not need a i switch, all you need is the f switch and a filename. Ldifde f export.ldf s ostadbook (Where ostadbook is your domain controller and export.ldf is the filename) In theory you can export user accounts by just giving the filename, but I find you need the s switch to connect to the server. (-s ostadbook) Type your ldifde commands in notepad, then save as a.bat file then execute your.bat file from DOS. Adding filters with r Use the r switch to filter your data, for example: the command to export only computer objects on a server called ostadbook is: ldifde f ExportComputer.ldf s ostadbook r "(objectclass=computer)" Gradually add to your basic ldifde file, pay attention to the syntax e.g. "speech marks", commas Exporting only the fields you want with l (lower case L) ldifde f ExportUser.ldf s ostadbook r "(objectclass=user)" l "dn, cn, givenname, sn, department"