Managing User Accounts




Managing user accounts from the command line is different from managing them in the Active Directory Users And Computers administrative tool, chiefly because you have more options and it is easier to work with multiple user accounts at the same time.

Viewing and Finding User Accounts

You can use the DSQUERY USER command to search for users. Not only can you search by common name, SAM account name, and description, but you can also use wildcards in any of these fields to facilitate matches. The output of DSQUERY USER contains the DNs of users that match the search criteria and can be piped as input to other commands, including DSGET USER, which you can use in turn to display user account properties.

DSQUERY USER and DSGET USER are best used together. Here, you use DSQUERY USER to obtain the DNs for one or more users, and then use DSGET USER to display the properties for the related accounts. Using DSGET USER, properties you can display are specified by using parameters, including

  • display Displays the full name attribute of matching user accounts in the output

  • desc Displays the description of matching user accounts in the output

  • dn Displays the distinguished name of matching user accounts in the output

  • empid Displays the employee ID attribute of matching user accounts in the output

  • fn Displays the first name attribute of matching user accounts in the output

  • mi Displays the middle initial attribute of matching user accounts in the output

  • samid Displays the SAM account name of matching user accounts in the output

  • sid Displays the security identifier for matching user accounts in the output

  • disabled Displays a Yes/No value indicating whether the user account is disabled

DSGET USER displays output in table format. Generally speaking, you will always want to use –Dn, –Samid or –Display as a parameter to help you make sense of and identify the users in the output. For example, to list every user in the Engineering OU together with its disabled status, you can use the command line shown next. (If you want only the disabled accounts returned, add the –Disabled switch to DSQUERY USER itself; the command below lists every account and lets you read the status from the table.)

dsquery user "OU=Eng,DC=cpandl,DC=com" | dsget user -dn -disabled

Here, you list the disabled status of each user in the Engineering OU of the cpandl.com domain, such as

dn                                    disabled
CN=edwardh,OU=Eng,DC=cpandl,DC=com    yes
CN=jacobl,OU=Eng,DC=cpandl,DC=com     yes
CN=maryk,OU=Eng,DC=cpandl,DC=com      yes
CN=ellene,OU=Eng,DC=cpandl,DC=com     yes
CN=williams,OU=Eng,DC=cpandl,DC=com   yes
dsget succeeded

You could also display the SAM account name as shown in this example:

dsquery user -name william* | dsget user -samid -disabled

samid      disabled
williamb   yes
williamd   yes
williams   no
dsget succeeded

Here, you search for all user accounts whose common name begins with William, then display the SAM account name and disabled status of each.

Determining Group Membership for Individual User Accounts

You can use the second syntax for DSGET USER to obtain the group membership of individual user accounts. For example, if you wanted to see what groups WilliamS is a member of, you could type the command

dsquery user -name williams | dsget user -memberof

or

dsget user "CN=William Stanek,OU=Eng,DC=cpandl,DC=com" -memberof

Both commands work the same. In the first example, you use DSQUERY USER to obtain the DN of the user account. In the second example, you specify the DN directly. Either way, the output would show the group memberships, such as

"CN=Tech,CN=Users,DC=cpandl,DC=com"
"CN=Engineering,OU=Eng,DC=cpandl,DC=com"
"CN=Domain Users,CN=Users,DC=cpandl,DC=com"

Here, the user is a member of the Tech, Engineering, and Domain Users groups.

While this technique could be used to display the membership of multiple users, DSGET USER itself offers no way to print a DN or SAM account name alongside each membership list. Thus, you get a list of group memberships, and the only indicator that the memberships belong to different users is the blank line between listings. For example, if you used the query

dsquery user -name bill* | dsget user -memberof

the output might look like this:

"CN=Tech,CN=Users,DC=cpandl,DC=com"
"CN=Engineering,OU=Eng,DC=cpandl,DC=com"
"CN=Domain Users,CN=Users,DC=cpandl,DC=com"

"CN=Domain Users,CN=Users,DC=cpandl,DC=com"

"CN=Tech,CN=Users,DC=cpandl,DC=com"
"CN=Engineering,OU=Eng,DC=cpandl,DC=com"
"CN=Domain Users,CN=Users,DC=cpandl,DC=com"

"CN=Engineering,OU=Eng,DC=cpandl,DC=com"
"CN=Domain Users,CN=Users,DC=cpandl,DC=com"

"CN=Tech,CN=Users,DC=cpandl,DC=com"
"CN=Engineering,OU=Eng,DC=cpandl,DC=com"
"CN=Domain Users,CN=Users,DC=cpandl,DC=com"

"CN=Domain Users,CN=Users,DC=cpandl,DC=com"

"CN=Domain Users,CN=Users,DC=cpandl,DC=com"

Here, you have output for seven user accounts. You can tell this because of the blank lines separating each group membership listing. But you have no indication of which user account each listing relates to, which makes the output useless for a privilege review of more than one user.
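DSGET USER has no switch for this, but the shell around it can print the DN before each listing. The following PowerShell loop is an added example, not code from the book: it assumes dsquery.exe and dsget.exe are on the PATH and reuses the bill* filter from the text as a constructed input. The –Expand switch of DSGET USER is also used so that nested group membership is shown, which is what you need when reviewing who effectively holds a privilege.

```powershell
# Added example: attribute each -memberof listing to its user.
# Assumes dsquery.exe / dsget.exe are available (Windows Server 2003 admin tools).
$pattern = 'bill*'    # constructed filter taken from the text; adjust as needed

dsquery user -name $pattern | ForEach-Object {
    # dsquery wraps each DN in double quotes; strip them so PowerShell can
    # re-quote the argument safely when it calls the native command.
    $dn = $_.Trim().Trim('"')
    if (-not $dn) { return }          # skip blank trailing lines

    Write-Output "== $dn"
    # -expand follows nested groups, so the list shows effective membership
    # rather than only direct membership. The trailer line is filtered out.
    dsget user $dn -memberof -expand | Where-Object { $_ -notlike 'dsget *' }
    Write-Output ''
}
```

Each block of group DNs is now preceded by the DN of the user it belongs to, so the output can be saved and diffed against the previous review.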

Setting or Changing User Account Attributes

From the command line, it is a swift and easy matter to set or change user account attributes using the DSMOD USER command. You can, in fact, set attributes for one or many users at the same time. Suppose that you want all 150 users in the Sales OU to have their department attribute set as “Sales & Marketing,” their company attribute set as “City Power and Light,” and their title set to “Customer Sales.” You can do this with a single command-line entry:

dsquery user "OU=Sales,DC=cpandl,DC=com" | dsmod user -dept "Sales & Marketing" -company "City Power and Light" -title "Customer Sales"

The DSMOD USER command would then report the individual success or failure of each change:

dsmod succeeded:CN=edwardh,OU=Sales,DC=cpandl,DC=com
dsmod succeeded:CN=erinp,OU=Sales,DC=cpandl,DC=com
dsmod succeeded:CN=jayo,OU=Sales,DC=cpandl,DC=com
dsmod succeeded:CN=johng,OU=Sales,DC=cpandl,DC=com
...
dsmod succeeded:CN=williams,OU=Sales,DC=cpandl,DC=com

Although changing these values in the GUI could take you hours, the entire process from the command line takes only a few minutes. You simply type the command-line entry and let DSMOD USER do the work for you.

Other parameters that you’ll work with frequently include

  • webpg Sets an intranet or Internet address that will appear in the directory listing for the associated user, such as \\Intranet\Sales.

  • profile Sets the path to the user’s profile, which provides the environment settings for user accounts, such as \\Gamma\Profiles\wrstanek.

  • hmdrv Sets the drive letter of the user’s home directory, such as X:. The user’s home directory will be mapped to this drive letter.

  • hmdir Sets the home directory for the user, such as \\Gamma\Users\wrstanek.

Caution

Generally, you don’t want to change user profile paths, home drives, or home directories when users are logged on, because this might cause problems. So you might want to update this information after hours or ask the user to log off for a few minutes and then log back on.

Tip

By default, if an error occurs when processing changes, DSMOD USER will halt execution and report the error. Generally, this is the behavior you want, because you don’t want to make improper changes. You can, however, use the –C parameter to tell DSMOD USER to report the error but continue.

These parameters accept the special value $username$. This value lets you assign paths and filenames that are based on individual user names. For example, if you assign the home directory path as \\Gamma\Users\$username$\ or C:\Home\$username$, DSMOD USER replaces the $username$ value with the SAM account name of each user you’re managing. This means that if you are working with the accounts for erinb, sandyr, miked and kyler, they would all be assigned unique home directories: either \\Gamma\Users\erinb, \\Gamma\Users\sandyr, \\Gamma\Users\miked and \\Gamma\Users\kyler, or C:\Home\erinb, C:\Home\sandyr, C:\Home\miked and C:\Home\kyler. In these examples, \\Gamma\Users is a path to a network share and C:\Home represents a directory on the user’s computer. Note that DSMOD USER only writes the attribute; it does not create the directory or set permissions on it.

Following this, you could set the Web page, profile, home drive, and home directory for all users in the Sales OU by typing

dsquery user "OU=Sales,DC=cpandl,DC=com" | dsmod user -webpg \\Intranet\Sales\$username$ -profile "\\corpdc02\sales\$username$" -hmdrv "X:" -hmdir "\\corpserver01\users\$username$"

Real World

With the Active Directory Users And Computers administrative tool, you enter the value %username% to get paths and filenames based on individual user names. Don’t use this value with the special parameters discussed here. %username% is an environment variable, and the GUI knows to replace it on a per-user basis. cmd.exe, however, expands this and other environment variables before DSMOD USER ever sees them, using the environment of the currently logged-on user. So in this case the value of %username% is the SAM account name of the account under which you run the command, and every user you modify would be given that same path.
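If you run the same operation from PowerShell instead of cmd.exe, the trap is different: inside double quotes PowerShell expands $username as one of its own variables (normally to an empty string), so the token must be single-quoted to reach DSMOD USER intact. The following script is an added example, not code from the book. It sets the home drive and directory for the Sales OU with the literal $username$ token and then creates each directory with an ACL that grants access only to that user and to administrators, since DSMOD USER does not do that for you. The share path and server are the book’s; icacls.exe, the CPANDL NetBIOS domain name, and the line layout of DSGET USER’s output (header, value, trailer) are assumptions.

```powershell
# Added example: set home drive/directory from PowerShell and create the
# directories with a least-privilege ACL. Assumes dsquery/dsget/dsmod and
# icacls.exe are available; share and domain names are constructed.
$ou     = 'OU=Sales,DC=cpandl,DC=com'
$share  = '\\corpserver01\users'
$domain = 'CPANDL'     # NetBIOS domain name (assumed)

# Single quotes are essential: "$share\$username$" would let PowerShell
# expand $username (usually to nothing) before dsmod ever sees it.
$hmdir = $share + '\$username$'

dsquery user $ou | dsmod user -hmdrv 'X:' -hmdir $hmdir

# dsmod only writes the attribute; the directory itself must exist and
# should not inherit the permissive ACL of the share root.
dsquery user $ou | ForEach-Object {
    $dn = $_.Trim().Trim('"')
    if (-not $dn) { return }

    # dsget prints a header line, the value, then "dsget succeeded"; take line 2.
    $sam  = (dsget user $dn -samid)[1].Trim()
    $path = Join-Path $share $sam

    if (-not (Test-Path $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }
    # Remove inherited ACEs, then grant full control only to the user
    # (with object/container inheritance) and to local administrators.
    icacls $path /inheritance:r `
        /grant "${domain}\${sam}:(OI)(CI)F" `
        /grant 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
}
```

Run it after hours, for the reason given in the Caution above, and verify a sample with `dsget user <DN> -hmdir -hmdrv` before relying on it.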

Disabling and Enabling User Accounts

You can enable or disable user accounts from the command line using the DSMOD USER command and the –Disabled parameter. Use –disabled yes to disable the user account and –disabled no to enable the user account. Disabling keeps the account, its SID and its group memberships intact, which is why it is usually the first step when someone leaves, with deletion following only after a retention period.

In the following example, you disable all users in the OffsiteUsers OU:

dsquery user "OU=OffsiteUsers,DC=cpandl,DC=com" | dsmod user -disabled yes

The DSMOD USER command would then report the individual success or failure of each change.

Resetting Expired User Accounts

Domain user accounts can be set with a specific expiration date. You can check the account expiration date using DSGET USER with the –Acctexpires parameter. For example, if you wanted to check the expiration date of all user accounts in the Sales OU, you can type

dsquery user "OU=Sales,DC=cpandl,DC=com" | dsget user -dn -acctexpires

The resulting output would show you the account expiration dates of each account in the Sales OU according to the distinguished name of the account, such as

dn                                           acctexpires
CN=Mary Baker,OU=Sales,DC=cpandl,DC=com      never
CN=Bradley Beck,OU=Sales,DC=cpandl,DC=com    11/15/2006
CN=Ann Bebbe,OU=Sales,DC=cpandl,DC=com       never
CN=Max Benson,OU=Sales,DC=cpandl,DC=com      12/31/2006
dsget succeeded

Here, accounts without expiration dates have an account expires value of “never” and other accounts have a specific expiration date, such as 11/15/2006.

If you need to extend or change the account expiration date to allow a user to log on to the domain, you can do this with DSMOD USER. Set the –Acctexpires parameter to the number of days, counted from today, for which the account should remain valid. For example, if an account should be valid for the next 60 days, you would type –acctexpires 60, such as

dsquery user -name johnw | dsmod user -acctexpires 60

or

dsmod user "CN=John Wood,OU=Sales,DC=cpandl,DC=com" -acctexpires 60

In these examples you change the account expiration for John Wood.

If you want to remove an account expiration date, use the value never to specify that the account never expires, such as

dsquery user -name johnw | dsmod user -acctexpires never

Note

A value of 0 does not mean “never”; it sets the account to expire at the end of the current day. To set an account so that it is already past its expiration date, you can type a negative value, such as –acctexpires -1.

Controlling and Resetting User Passwords

Using DSGET USER, you can check the password settings on user accounts. Typically, you’ll want to know whether a user can change their password, whether the password expires, and whether the password is stored using reversible encryption. Reversible encryption keeps the password in a form equivalent to cleartext for the benefit of legacy protocols such as CHAP and Digest authentication, so it should be off unless one of those is actually in use. You can check for these settings using the –Canchpwd, –Pwdneverexpires, and –Reversiblepwd parameters respectively. You might also want to know whether the account is set so the user must change his or her password at next logon. To do this, you can use the –Mustchpwd parameter. For example, if you wanted to check these values for all user accounts in the Users container, you can type

dsquery user "CN=Users,DC=cpandl,DC=com" | dsget user -samid -mustchpwd -canchpwd -reversiblepwd -pwdneverexpires

The resulting output would show you the related password settings of each account in the Users container according to the SAM account name, such as

samid     mustchpwd   canchpwd   reversiblepwd   pwdneverexpires
andya     no          yes        no              no
billg     no          yes        no              no
bobh      yes         yes        no              no
brianw    no          yes        no              no
conniej   no          yes        yes             yes
dsget succeeded
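A table like this is easy to read for five accounts and impossible for five hundred. The following PowerShell function is an added example, not code from the book: it parses the DSGET USER table for a container or OU and returns only the accounts worth a second look, namely passwords that never expire, passwords stored with reversible encryption, and accounts that are past their expiration date yet still enabled. It assumes dsquery.exe and dsget.exe are on the PATH, that none of the requested columns contain spaces (true for –Samid and the yes/no and date columns used here), and that the acctexpires date is in the locale of the machine running DSGET, so it is parsed with the current culture.

```powershell
# Added example: turn DSGET USER's table into objects and flag weak settings.
# Assumes dsquery.exe / dsget.exe are available; default container is the book's.
function Get-UserPasswordAudit {
    param([string]$SearchBase = 'CN=Users,DC=cpandl,DC=com')

    # Column order in the output follows the order of the parameters below.
    $lines = dsquery user $SearchBase |
        dsget user -samid -disabled -pwdneverexpires -reversiblepwd -mustchpwd -acctexpires

    # Drop the header line and the trailing "dsget succeeded" line.
    $rows = $lines | Select-Object -Skip 1 | Where-Object { $_ -and $_ -notlike 'dsget *' }

    foreach ($row in $rows) {
        $f = $row.Trim() -split '\s+'
        if ($f.Count -lt 6) { continue }        # malformed line; ignore it

        # $f: 0=samid 1=disabled 2=pwdneverexpires 3=reversiblepwd 4=mustchpwd 5=acctexpires
        $expires = if ($f[5] -eq 'never') { $null } else { [datetime]::Parse($f[5]) }

        $findings = @()
        if ($f[2] -eq 'yes') { $findings += 'password never expires' }
        if ($f[3] -eq 'yes') { $findings += 'reversible encryption' }
        if ($f[1] -eq 'no' -and $expires -and $expires -lt (Get-Date)) {
            $findings += 'expired but still enabled'
        }

        if ($findings) {
            [pscustomobject]@{
                SamId       = $f[0]
                Disabled    = $f[1]
                MustChPwd   = $f[4]
                AcctExpires = $f[5]
                Findings    = ($findings -join '; ')
            }
        }
    }
}

# Usage: audit the Users container, or any OU, and print a table.
Get-UserPasswordAudit | Format-Table -AutoSize
# Get-UserPasswordAudit -SearchBase 'OU=Sales,DC=cpandl,DC=com'
```

Against the sample table above, conniej would be reported with both “password never expires” and “reversible encryption”; the others produce no findings. Because the function returns objects, the result can be exported with Export-Csv and compared from one review to the next.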

DSMOD USER provides several parameters for controlling these and other password settings. You can use the –Pwd parameter to set the password for a particular user account. A value of * makes DSMOD USER prompt for the password instead of reading it from the command line, which keeps it out of the process list and the command history. You can then configure how the password is used as follows:

  • Use –mustchpwd yes to force users to change the password at their next logon.

  • Use –canchpwd no to set the account so users can’t change the password for their account. Don’t combine this with –mustchpwd yes: the user would be required to change a password the account does not allow them to change, and the logon fails.

  • Use –pwdneverexpires yes to set the account so that the password never expires, which overrides the maximum password age set through Group Policy. Such passwords never rotate, so keep these accounts to a minimum and review them regularly.

The command line lets you control passwords for many user accounts as easily as for one, which cuts both ways. Say you wanted to change the password for every user in the TempEmployee OU to Time2ChangeMe and force these users to change their passwords at next logon; you can do this by typing the command

dsquery user "OU=TempEmployee,DC=cpandl,DC=com" | dsmod user -pwd Time2ChangeMe -mustchpwd yes

Keep in mind that until each user logs on and changes it, every one of those accounts can be accessed with the same known password, so this approach suits a small, short-lived batch of accounts better than a routine reset.
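A safer way to do the same bulk reset is to give every account a different random password, still forcing a change at next logon, and to hand the passwords to users out of band. The following PowerShell script is an added example, not code from the book. It assumes dsquery.exe, dsmod.exe and icacls.exe are available, that DSMOD USER sets a non-zero exit code when a change fails, and uses a constructed output path under %TEMP%; the file it writes is restricted to the account running the script and must be deleted once the passwords have been delivered.

```powershell
# Added example: per-user random passwords instead of one shared value.
# Assumes dsquery.exe / dsmod.exe / icacls.exe are available.
function New-RandomPassword {
    param([int]$Length = 16)
    # Character set avoids look-alikes (I/l, O/0, 1) and covers all four
    # complexity classes; the CSPRNG is used with rejection sampling so no
    # character is favoured by modulo bias.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = [int][math]::Floor(256 / $chars.Length) * $chars.Length
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

$ou      = 'OU=TempEmployee,DC=cpandl,DC=com'
$outFile = Join-Path $env:TEMP 'tempemployee-resets.csv'   # constructed path

$results = dsquery user $ou | ForEach-Object {
    $dn = $_.Trim().Trim('"')
    if (-not $dn) { return }

    $pw = New-RandomPassword
    # The password is passed as its own argument to dsmod, not through
    # cmd.exe, so characters such as '#' or '!' need no escaping.
    dsmod user $dn -pwd $pw -mustchpwd yes | Out-Null
    $result = if ($LASTEXITCODE -eq 0) { 'ok' } else { "failed ($LASTEXITCODE)" }

    [pscustomobject]@{ DN = $dn; Password = $pw; Result = $result }
}

# Write the DN/password pairs to a file only the current account can read;
# deliver them out of band and delete the file afterwards.
$results | Export-Csv -Path $outFile -NoTypeInformation
icacls $outFile /inheritance:r /grant "$(whoami):F" | Out-Null

# Show any accounts whose reset did not succeed.
$results | Where-Object { $_.Result -ne 'ok' }
```

For a single account the interactive form `dsmod user <DN> -pwd * -mustchpwd yes` avoids writing the password anywhere at all.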

Moving User Accounts

User accounts are normally placed in the Users container or in OUs. You can move a user account to a different container or OU within its current domain using DSMOVE. Specify the user account’s current DN and then use the –Newparent parameter to specify the new location or parent DN of the user account. For instance if you wanted to move the William Stanek user account from the Tech OU to the Engineering OU, you would specify the user account’s DN, such as “CN=William Stanek,OU=Tech,DC=cpandl,DC=com”, and provide the parent DN for the new location, such as “OU=Engineering,DC=cpandl, DC=com”. The related command would look like this:

dsmove "CN=William Stanek,OU=Tech,DC=cpandl,DC=com" -newparent "OU=Engineering,DC=cpandl,DC=com"

You could have also obtained the user account DN using the DSQUERY USER command. To do this, you simply pipe the output of DSQUERY USER to DSMOVE, as shown in this example:

dsquery user -name "William Stanek" | dsmove -newparent "OU=Engineering,DC=cpandl,DC=com"

Here, the user account DN, “CN=William Stanek,OU=Tech,DC=cpandl,DC=com”, is obtained from DSQUERY USER and used as input to DSMOVE.

Renaming User Accounts

Although moving user accounts is fairly straightforward, you don’t want to rename user accounts without some planning. When you rename a user account, you give the account a new common name. You’ll find that you might have to rename accounts in cases of marriage, divorce, or adoption. For example, if Nancy Anderson (nancya) gets married, she might want her user name to be changed to Nancy Buchanan (nancyb). When you rename her account, all associated privileges and permissions will reflect the name change. Thus, if you view the permissions on a file that nancya had access to, nancyb will now have access (and nancya will no longer be listed).

You rename user accounts using the DSMOVE command. Specify the user’s DN and then use the –Newname parameter to specify the new common name. You can rename a user object from Nancy Anderson to Nancy Buchanan by typing

dsmove "CN=Nancy Anderson,OU=Marketing,DC=cpandl,DC=com" -newname "Nancy Buchanan"

You could obtain the user DN by means of DSQUERY USER as well. Consider the following example:

dsquery user -name N*Anderson | dsmove -newname "Nancy Buchanan"

Here you use DSQUERY USER to find an account whose name begins with the letter “N” and ends with “Anderson.” You then use DSMOVE to rename this account. Because the wildcard could match more than one account, run the DSQUERY USER half on its own first and confirm it returns exactly one DN before piping it to DSMOVE.

Renaming the user account doesn’t change any of the other account properties. Because some properties may reflect the old last name, you will need to update these properties to reflect the name change using DSMOD USER. The parameters you might want to modify include

  • Ln Used to change the last name for the user account.

  • Display Used to change the user account’s Display Name.

  • Samid Used to change the SAM account name (the pre-Windows 2000 logon name).

  • Upn Used to change the user principal name (the user@domain logon name), which otherwise still carries the old name.

  • Profile Used to change the profile path for the account. Afterward, you’ll need to rename the corresponding directory on disk.

  • Loscr If you use individual logon scripts for each user, you can use –Loscr to change the logon script name property. Afterward, you’ll need to rename the logon script on disk.

  • Hmdir Used to change the home directory path. Afterward, you’ll need to rename the corresponding directory on disk.

Note

In most cases, you won’t want to modify this information while a user is logged on because this might cause problems. Instead, update this information after hours or ask the user to log off for a few minutes and then log back on.

Consider the following example:

dsquery user -name N*Buchanan | dsmod user -samid nancyb -ln Buchanan -display "Nancy Buchanan"

Here, you change the SAM account name, last name and display name to match the earlier rename for the user Nancy Buchanan. Note that the display name contains a space and therefore must be quoted.

Real World

User names are used to make managing and using accounts easier. Behind the scenes, Windows Server 2003 actually uses the account’s security identifier (SID) to identify, track, and handle the account independently from the user name. SIDs are unique identifiers that are generated when accounts are created. Because SIDs are mapped to account names internally, you don’t need to change the privileges or permissions on renamed accounts. Windows Server 2003 simply maps the SID to the new account name as necessary.

Deleting User Accounts

If you no longer need a user account, you can delete it permanently from Active Directory using the DSRM command. Deleting an account discards its SID: any permissions or group memberships that referenced it become unresolvable, and a new account created later with the same name does not regain that access, which is why many organizations disable an account first and delete it only after a retention period. In most cases, you’ll want to delete only a specific user account, such as the account for Mary Baker. If this is the case, you remove the account by passing DSRM the DN of the user account, such as

dsrm "CN=Mary Baker,OU=Sales,DC=cpandl,DC=com" 

By default, DSRM prompts you to confirm the deletion. If you don’t want to see the prompt, use the –Noprompt parameter, such as in the next example. Be careful combining –Noprompt with a piped DSQUERY USER: a wildcard that matches more accounts than you intended deletes all of them without a chance to stop.

dsrm "CN=Mary Baker,OU=Sales,DC=cpandl,DC=com" -noprompt

Note

Even though you delete a user’s account, Windows Server 2003 won’t delete the user’s profile, personal files, or home directory. If you want to delete these files and directories, you’ll have to do it manually. If this is a task you perform routinely, you might want to create a script that performs the necessary tasks for you. Keep in mind you should back up files or data that might be needed before you do this.






Microsoft Windows Command-Line Administrator's Pocket Consultant
ISBN: 0735620385
Year: 2004
Pages: 114
