Managing Group Accounts

Managing group accounts from the command line differs from managing them in Active Directory Users and Computers, chiefly because the command line offers more options and makes it easier to work with multiple group accounts at the same time.

Viewing and Finding Group Accounts

When you want to obtain information about group accounts, you can use the DSQUERY GROUP command. This command lets you search by common name, SAM account name, and description. It also accepts wildcards in any of these fields. The output of DSQUERY GROUP contains the distinguished name of groups that match the search criteria and can be piped as input to other commands, including DSGET GROUP.

Typically, you’ll use DSQUERY GROUP and DSGET GROUP together. You start by using DSQUERY GROUP to obtain the distinguished names of one or more groups and then use DSGET GROUP to display the properties for the related accounts. DSGET GROUP parameters that you might find useful include

  • –Desc Displays the description of matching group accounts in the output

  • –Dn Displays the distinguished name of matching group accounts in the output

  • –Samid Displays the SAM account name of matching group accounts in the output

  • –Scope Displays the scope of matching groups as domain local, global, or universal

  • –Secgrp Displays yes if a group is a security group and no if it is a distribution group

  • –Sid Displays the security identifier (SID) of matching group accounts in the output

As with the other DSGET commands, DSGET GROUP displays output in table format and you will usually want to include –Dn or –Samid as a parameter to help you make sense of and identify the groups in the output. For example, if you wanted to search for all marketing groups that were available, you could use the command line

dsquery group -name marketing* | dsget group -dn -scope -secgrp

Here, the results display the DN, the scope, and security group information:

  dn                                             scope          secgrp
  CN=MarketingAll,OU=Sales,DC=cpandl,DC=com      universal      no
  CN=Marketing Global,OU=Sales,DC=cpandl,DC=com  global         no
  CN=Marketing Local,OU=Sales,DC=cpandl,DC=com   domain local   no
  dsget succeeded

Determining Group Membership

When you want to determine group membership, you use the second syntax for DSGET GROUP, which includes two special parameters: –Members and –Memberof. You use the –Members parameter to determine which users and groups belong to a specific group. You use the –Memberof parameter to determine the groups to which the specified group belongs. How do these parameters work? Let’s suppose that you wanted to see the current members of a group called AllUsers. You could do this by typing

dsquery group -name AllUsers | dsget group -members

Or you could type the group DN directly, such as

dsget group "CN=AllUsers,CN=Users,DC=cpandl,DC=com" -members

Here the group is in the Users container of the cpandl.com domain. Either way, the output would show the DNs for members of this group, such as

"CN=Tech,OU=Tech,DC=cpandl,DC=com"
"CN=Engineering,OU=Eng,DC=cpandl,DC=com"
"CN=Sales,OU=Sales,DC=cpandl,DC=com"
"CN=Domain Users,CN=Users,DC=cpandl,DC=com"

As the listing shows, the AllUsers group has as its members the Tech, Engineering, Sales, and Domain Users groups. The AllUsers group could have also had user accounts as its members.

If you want to determine to which groups a group belongs, you can use the –Memberof parameter. For example, if the group DevUsers were a member of the Domain Admins group and the Developers group, you could display this membership information by typing

dsquery group -name devusers | dsget group -memberof

or

dsget group "CN=devusers,OU=Dev,DC=cpandl,DC=com" -memberof

Both commands work the same. In the first example, you use DSQUERY GROUP to obtain the DN of the group account. In the second example, you specify the DN directly. Either way the output would be a list of groups in which DevUsers is a member.

Note

Both techniques can be used to display the membership information of several groups at once, for example by piping a wildcard DSQUERY GROUP result into DSGET GROUP –Members. The output, however, is a single list of member DNs: the second syntax for DSGET GROUP does not accept –Dn or –Samid, so nothing in the output tells you which group each member belongs to. When you need that mapping, query the groups one at a time.
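The walk below is an added example, not code from the book. It uses DSQUERY GROUP and DSGET GROUP –Members as described above to expand a group's nested membership, recording through which group each member was reached and stopping when it meets a group it has already expanded (nesting loops are legal in Active Directory and would otherwise never terminate). The function names are mine; AllUsers and cpandl.com are the book's fictional names, and the ds* tools are assumed to be on PATH under PowerShell 5.1 or later.

```powershell
# Added example (not from the book). Expands a group's nested membership with
# DSGET GROUP -Members, tagging each entry with the group it was found in.

# dsget/dsquery print one DN per line, quoted when it contains spaces, followed
# by a trailer such as "dsget succeeded"; keep only the DNs, unquoted.
filter Select-Dn { $t = $_.Trim().Trim('"'); if ($t -match '^CN=') { $t } }

function Test-DsIsGroup {
    # dsget group exits non-zero when the DN is a user, computer or contact,
    # which is how we tell nested groups from leaf members.
    param([Parameter(Mandatory)][string]$Dn)
    $null = dsget group $Dn -dn 2>$null
    $LASTEXITCODE -eq 0
}

function Get-DsEffectiveMembers {
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [string]$Via = '',
        [System.Collections.Generic.HashSet[string]]$Seen =
            [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    )
    # Already expanded: either a nesting loop or a group reached by a second
    # path. Report it once and do not descend again.
    if (-not $Seen.Add($GroupDn)) {
        [pscustomobject]@{ Type = 'seen'; Dn = $GroupDn; Via = $Via }
        return
    }
    foreach ($m in (dsget group $GroupDn -members 2>$null | Select-Dn)) {
        if (Test-DsIsGroup $m) {
            [pscustomobject]@{ Type = 'group';  Dn = $m; Via = $GroupDn }
            Get-DsEffectiveMembers -GroupDn $m -Via $GroupDn -Seen $Seen
        } else {
            [pscustomobject]@{ Type = 'member'; Dn = $m; Via = $GroupDn }
        }
    }
}

# Usage: resolve the group DN by name (as the book does with DSQUERY GROUP),
# then list everything the group effectively grants access to.
$dn = dsquery group -name AllUsers | Select-Dn | Select-Object -First 1
if ($dn) { Get-DsEffectiveMembers -GroupDn $dn | Format-Table -AutoSize }
```

DSGET GROUP also has an –Expand switch (dsget group <DN> -members -expand) that flattens nesting in one call, but it returns a plain list; the walk above keeps the Via column, which is what you need when auditing how a particular account ended up with access.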

Changing Group Type or Scope

Sometimes after you create a group you’ll want to change the group type or scope. This isn’t as easy as you might think, because a number of controls are in place to prevent arbitrary changes that could affect access throughout the organization. First of all, group type and scope cannot be changed at all in the Windows 2000 Mixed or Windows Server 2003 Interim domain functional levels. At the Windows 2000 Native or Windows Server 2003 functional level, the following rules apply:

  • Domain Local Groups Can be converted to universal scope, provided the group doesn’t have another domain local group as a member. A domain local group cannot be converted directly to global scope; convert it to universal first.

  • Global Groups Can be converted to universal scope, provided the group isn’t a member of another global group. A global group cannot be converted directly to domain local scope; convert it to universal first.

  • Universal Groups Can be converted to global scope, provided the group doesn’t have another universal group as a member, and to domain local scope without restriction. Keep in mind that a global group cannot have a universal group as a member and that domain local groups can be members only of other domain local groups in the same domain.

With these restrictions in mind, you can use DSMOD GROUP and its –Secgrp parameter to change the group type as follows:

  • Change a distribution group to a security group by including –secgrp yes

  • Change a security group to a distribution group by including –secgrp no

Consider the following examples:

Convert the Engineering security group to a distribution group:

dsquery group -name Engineering | dsmod group -secgrp no

Convert the AllMarketing distribution group to a security group:

dsmod group "CN=AllMarketing,OU=Marketing,DC=cpandl,DC=com" -secgrp yes

You change the group scope using the –Scope parameter of DSMOD GROUP as follows:

  • Set the scope as domain local by including –scope l

  • Set the scope as global by including –scope g

  • Set the scope as universal by including –scope u

Consider the following examples:

Set the scope of the Marketing group to domain local:

dsquery group -name Marketing | dsmod group -scope l

Set the scope of the Sales group to global:

dsmod group "CN=Sales,CN=Users,DC=cpandl,DC=com" -scope g 
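Because DSMOD GROUP only reports that a conversion failed, it helps to apply the scope rules listed above before running it. The function below is an added example, not code from the book: it reads the current scope with DSGET GROUP –Scope, inspects the scopes of the group's members (–Members) and of the groups it belongs to (–Memberof), names the rule that blocks the change if one does, and otherwise runs DSMOD GROUP –Scope. The helper and function names are mine; the Sales DN is the book's fictional example, and the ds* tools are assumed to be on PATH.

```powershell
# Added example (not from the book). Checks the scope-conversion rules before
# calling dsmod group -scope, so a refusal is explained rather than just reported.

filter Select-Dn { $t = $_.Trim().Trim('"'); if ($t -match '^CN=') { $t } }

function Get-DsGroupScope {
    # Returns 'domain local', 'global' or 'universal'; $null when the DN is not a
    # group (dsget group exits non-zero for users, computers and contacts).
    param([Parameter(Mandatory)][string]$Dn)
    $out = dsget group $Dn -scope 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }
    $out | ForEach-Object Trim |
        Where-Object { $_ -in 'domain local', 'global', 'universal' } |
        Select-Object -First 1
}

function Set-DsGroupScope {
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [Parameter(Mandatory)][ValidateSet('l', 'g', 'u')][string]$NewScope,
        [switch]$Apply        # without -Apply, only report what would happen
    )
    $name = @{ l = 'domain local'; g = 'global'; u = 'universal' }
    $from = Get-DsGroupScope $GroupDn
    $to   = $name[$NewScope]
    if (-not $from)      { throw "$GroupDn is not a group" }
    if ($from -eq $to)   { return "$GroupDn is already $to" }

    # Scopes of the nested member groups and of the groups this group belongs to;
    # non-group DNs (users, computers) come back as $null and are dropped.
    $memberScopes = dsget group $GroupDn -members  2>$null | Select-Dn |
        ForEach-Object { Get-DsGroupScope $_ } | Where-Object { $_ }
    $parentScopes = dsget group $GroupDn -memberof 2>$null | Select-Dn |
        ForEach-Object { Get-DsGroupScope $_ } | Where-Object { $_ }

    # The rules from the text: each case yields a reason when the change is blocked.
    $blocker = switch ("$from -> $to") {
        'domain local -> universal' { if ('domain local' -in $memberScopes) { 'a domain local group is a member' } }
        'global -> universal'       { if ('global' -in $parentScopes)       { 'the group is a member of a global group' } }
        'universal -> global'       { if ('universal' -in $memberScopes)    { 'a universal group is a member' } }
        'universal -> domain local' { $null }   # no restriction
        default { "$from cannot be converted directly to $to; convert to universal first" }
    }
    if ($blocker) { throw "Cannot convert $GroupDn from $from to ${to}: $blocker" }

    if ($Apply) { dsmod group $GroupDn -scope $NewScope; "$GroupDn converted to $to" }
    else        { "OK to run: dsmod group `"$GroupDn`" -scope $NewScope" }
}

# Usage: preview first, then add -Apply to perform the conversion.
Set-DsGroupScope -GroupDn 'CN=Sales,CN=Users,DC=cpandl,DC=com' -NewScope g
```

The two-step conversions (global to domain local and back) fall through to the default case, which is the situation most often mistaken for a permissions problem when DSMOD GROUP refuses the change.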

Adding, Removing, or Replacing Group Members

Using the command line, it is easy to change the membership of any group. As with the GUI, you can easily add or remove users, groups, or computers as members of a group. But the command-line utilities take this a step further in making it easy to add or remove multiple members. You can also replace the existing membership list entirely.

Adding Members to a Group

You can, for example, use a single command line to add all 100 users in the Sales organizational unit to the AllSales group. To do this, you would use DSQUERY USER to obtain a list of user accounts that you want to work with and then pass this list as input to DSMOD GROUP. The parameter for adding group members is –Addmbr so the command would look like this:

dsquery user "OU=Sales,DC=ny,DC=cpandl,DC=com" | dsmod group "CN=AllSales,OU=Sales,DC=ny,DC=cpandl,DC=com" -addmbr

Here, you obtain a list of all user accounts in the Sales OU of the ny.cpandl.com domain and pass it as input to DSMOD GROUP, which adds these users as members of the AllSales group in the same OU. Keep in mind that DSQUERY returns at most 100 objects unless you add –Limit 0 (no limit) or a larger limit; if the OU held more than 100 users, the remaining accounts would silently be left out of the group unless you include -limit 0 in the DSQUERY USER command.

Another way to use –Addmbr is to specify the DNs of the objects you want to add. For example, to add the SalesLocal and SalesGlobal groups to the AllSales group, you could use the following command-line entry:

dsquery group -name AllSales | dsmod group -addmbr "CN=SalesLocal,OU=Sales,DC=ny,DC=cpandl,DC=com" "CN=SalesGlobal,OU=Sales,DC=ny,DC=cpandl,DC=com"

Note

Remember, the object DNs could include user and group accounts as well as computer accounts.

Removing Members from a Group

The counterpart to –Addmbr is –Rmmbr, which removes members from groups. As with –Addmbr, –Rmmbr accepts object DNs either from input or as a space-separated list. So if you wanted to remove all marketing and customer support users from the AllSales group, one way to do this is to use the following commands:

dsquery user "OU=Marketing,DC=ny,DC=cpandl,DC=com" | dsmod group "CN=AllSales,OU=Sales,DC=ny,DC=cpandl,DC=com" -rmmbr

dsquery user "OU=CustSupport,DC=ny,DC=cpandl,DC=com" | dsmod group "CN=AllSales,OU=Sales,DC=ny,DC=cpandl,DC=com" -rmmbr

Here, the first command obtains a list of all users in the Marketing OU and then passes this as input to DSMOD GROUP so that these users can be removed from the AllSales group. The second command obtains a list of all users in the CustSupport OU and then passes this as input to DSMOD GROUP so that these users can be removed from the AllSales group.

Tip

A problem is introduced if the two lists of users don’t match exactly to the current membership for the AllSales group. For example, if new marketing users have started working and they’ve been added to the Marketing OU but not been granted access to Sales information, they wouldn’t be in the AllSales group. In this case, when the DSMOD GROUP command finds the first mismatch, it will exit and report an error. But you don’t want that to happen because of a slight mismatch, so, to prevent this, add the –C parameter. This parameter says to report errors but continue processing changes.

As with –Addmbr, you can also specify the DNs of the objects you want to remove directly. Say you wanted to remove the SalesLocal and SalesGlobal groups from the AllSales group; you could do this with the following command-line entry:

dsquery group -name AllSales | dsmod group -rmmbr "CN=SalesLocal,OU=Sales,DC=ny,DC=cpandl,DC=com" "CN=SalesGlobal,OU=Sales,DC=ny,DC=cpandl,DC=com"

Note

Each DN is a separate argument, so there must be a space between them, and each DN is enclosed in quotation marks so that any spaces inside it (as in "CN=Marketing Global,OU=Sales,DC=cpandl,DC=com") aren’t taken as argument separators.

Replacing All Members in a Group

The command line takes the notion of adding and removing group members a step further than the GUI by allowing you to replace the entire membership list of a group. For example, if the group membership for the AllUsers group wasn’t up to date and it would be hard to add and remove members manually, you might want to replace the existing membership and start over.

You replace the existing group members with a list of your choosing with the –Chmbr parameter of the DSMOD GROUP command. This parameter accepts input that is passed from DSQUERY USER or a space-separated list of DNs. So one way to replace the existing membership list and add all users in the organization to the AllUsers group is to type the following command:

dsquery user -name * | dsmod group "CN=AllUsers,CN=Users,DC=seattle,DC=cpandl,DC=com" -chmbr

Here, DSMOD GROUP first removes all the existing members and then adds the objects passed as input. If an error occurs in either part of the processing, the command fails and no changes are made. Before running a command like this, make sure the input really is the complete list you intend: DSQUERY returns only the first 100 matching objects unless you add –Limit 0, so a wildcard search over a larger domain would leave the AllUsers group with just those 100 members.

Note

Although you can use the –C parameter to ensure the operation continues even if there are errors, this can result in the group having an empty membership. What happens is that the DSMOD GROUP command removes the current members without any problems but fails when trying to add members. The removal of members requires only the proper administrative permissions. The addition of members, however, depends on the input you provide.
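One way to get the effect of –Chmbr without its failure mode is to compute the difference between the current and desired membership and apply it with –Rmmbr and –Addmbr, after saving the current list so it can be restored. The function below is an added example, not code from the book: it collects the desired members with DSQUERY USER –Limit 0, reads the current members with DSGET GROUP –Members, writes them to a backup file, prints the planned changes, and only with -Apply pipes the add and remove sets into DSMOD GROUP with –C. The function name and backup path are mine; the DNs are the book's fictional ny.cpandl.com examples, and the ds* tools are assumed to be on PATH.

```powershell
# Added example (not from the book). Syncs a group to the users of an OU by
# diffing membership instead of replacing it wholesale with -chmbr.

filter Select-Dn { $t = $_.Trim().Trim('"'); if ($t -match '^CN=') { $t } }

function Sync-DsGroupMembers {
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [Parameter(Mandatory)][string]$SourceOuDn,
        [string]$BackupPath = (Join-Path $env:TEMP 'group-members.bak'),
        [switch]$Apply        # without -Apply, only report the planned changes
    )
    # DSQUERY stops after 100 results unless -limit 0 is given; without it a
    # large OU would be truncated and the sync would remove real members.
    $desired = @(dsquery user $SourceOuDn -limit 0 | Select-Dn)
    $current = @(dsget group $GroupDn -members 2>$null | Select-Dn)
    if ($LASTEXITCODE -ne 0) { throw "cannot read members of $GroupDn" }

    # Snapshot for rollback: pipe this file into dsmod group <dn> -addmbr to restore.
    $current | ForEach-Object { "`"$_`"" } | Set-Content -Path $BackupPath -Encoding ASCII

    # Compare-Object is case-insensitive by default, which is how DNs compare.
    $diff     = Compare-Object -ReferenceObject $current -DifferenceObject $desired
    $toAdd    = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
    $toRemove = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)

    '{0} current, {1} desired, {2} to add, {3} to remove (backup: {4})' -f
        $current.Count, $desired.Count, $toAdd.Count, $toRemove.Count, $BackupPath
    if (-not $Apply) { return }

    # Member DNs go to dsmod on stdin, quoted, exactly as dsquery would supply
    # them; -c reports a bad DN and continues instead of stopping at the first.
    if ($toRemove.Count) { $toRemove | ForEach-Object { "`"$_`"" } | dsmod group $GroupDn -rmmbr  -c }
    if ($toAdd.Count)    { $toAdd    | ForEach-Object { "`"$_`"" } | dsmod group $GroupDn -addmbr -c }
}

# Usage: preview the change; add -Apply to perform it.
Sync-DsGroupMembers -GroupDn 'CN=AllSales,OU=Sales,DC=ny,DC=cpandl,DC=com' `
                    -SourceOuDn 'OU=Sales,DC=ny,DC=cpandl,DC=com'
```

Because removals and additions are separate steps that each touch only the members that actually differ, a failure part-way through leaves the group with either its old or its new membership for each account, never empty, and the backup file gives you the list to type back in with –Addmbr if you need to undo the change.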

Moving Group Accounts

As with user accounts, you can easily move a group account to a different container or OU within its current domain. To do this, you use the DSMOVE command to specify the group account’s current DN and then use the –Newparent parameter to specify the new location or parent DN of the group account. For instance, if you wanted to move the ProdDev group from the Users container to the Developers organizational unit, you would specify the group account’s DN, such as "CN=ProdDev,CN=Users,DC=cpandl,DC=com", and provide the parent DN for the new location, such as "OU=Developers,DC=cpandl,DC=com". The related command would look like this:

dsmove "CN=ProdDev,CN=Users,DC=cpandl,DC=com" -newparent "OU=Developers,DC=cpandl,DC=com"

DSQUERY GROUP can also save you some typing by sending the group DN to DSMOVE as input, as shown in this example:

dsquery group -name "ProdDev" | dsmove -newparent "OU=Developers,DC=cpandl,DC=com"

Here, the group account DN, “CN=ProdDev,CN=Users,DC=cpandl,DC=com”, is obtained from DSQUERY GROUP and used as input to DSMOVE.

Renaming Group Accounts

As with users, groups have security identifiers (SIDs), and the access permissions on individual resources, such as files and folders, are bound to the SID rather than to the name. This allows you to change a group name without having to change those permissions later. When you rename a group, you change its common name.

You rename groups using the DSMOVE command. Specify the group’s DN and then use the –Newname parameter to specify the new common name. You can rename a group object from ProdDevs to TechDevs by typing

dsmove "CN=ProdDevs,OU=Developers,DC=cpandl,DC=com" -newname "TechDevs"

As when moving groups, you can also obtain the group DN from DSQUERY GROUP. Consider the following example:

dsquery group -name ProdDevs | dsmove -newname "TechDevs" 

Here you use DSQUERY GROUP to obtain the DN for the ProdDevs group, and then use DSMOVE to rename the group.

As renaming a group doesn’t change the pre–Windows 2000 group name or description associated with the group, you’ll need to change these properties next. To do this, use the DSMOD GROUP command. The –Samid parameter sets the pre–Windows 2000 group name and the –Desc parameter sets the description. Consider the following example:

dsquery group -name TechDevs | dsmod group -samid techdevs -desc "Technical Developers Group"

Here, you change the pre–Windows 2000 group name to techdevs and the description to “Technical Developers Group.”

Deleting Group Accounts

To delete a group permanently from Active Directory, you can use the DSRM command. In most cases, you’ll want to delete only a named group rather than say all groups whose names start with “M.” If this is the case, you remove the group by passing DSRM the DN of the group account, such as:

dsrm "CN=AllSales,OU=Sales,DC=chicago,DC=cpandl,DC=com"

By default, DSRM prompts you to confirm the deletion. If you don’t want to see the prompt, use the -Noprompt parameter, such as

dsrm "CN=AllSales,OU=Sales,DC=chicago,DC=cpandl,DC=com" -noprompt

In some limited situations, you might want to remove several groups at once. For example, if there is a companywide reorganization and the marketing department is outsourced as a result of this, you might find that you no longer need marketing-related groups. If the group names begin with the keyword Marketing, you could delete them by typing

dsquery group -name Marketing* | dsrm -c

Here, you pass as input to DSRM the group DNs for all groups that begin with the keyword Marketing. The –C parameter is added to allow the operation to continue if an error occurs.

Caution

Even though DSQUERY GROUP supplies the input, run the DSQUERY GROUP command on its own first and inspect the list of DNs it returns, because DSRM deletes whatever it is given and a wildcard such as Marketing* can match more groups than you expect. When you do pipe the list into DSRM, use –C rather than –Noprompt: –C only tells DSRM to continue past an error, and you are still prompted to confirm each deletion, whereas –Noprompt tells DSRM to go ahead and delete everything without asking, which could lead to many more groups than expected being deleted with no way to cancel the operation.
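The preview-then-confirm approach in the caution above can be wrapped in a function, as in this added example (not code from the book). It lists the groups a DSQUERY GROUP name pattern matches, refuses a bare wildcard, and deletes each group only after PowerShell's own -WhatIf/-Confirm check has passed, so DSRM can be given –Noprompt without losing the confirmation step; –C keeps the run going if one deletion fails. The function name is mine, Marketing* is the book's example pattern, and the ds* tools are assumed to be on PATH.

```powershell
# Added example (not from the book). Deletes groups matching a name pattern
# only after showing the exact list and confirming each one.

function Remove-DsGroupsByName {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$NamePattern)

    if ($NamePattern -eq '*') { throw 'refusing to delete every group in the domain' }

    # Preview first: this is exactly the list DSRM would receive on stdin.
    # -limit 0 so the preview is not silently cut off at 100 objects.
    $targets = @(dsquery group -name $NamePattern -limit 0 |
        ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ -match '^CN=' })
    '{0} group(s) match {1}:' -f $targets.Count, $NamePattern
    $targets

    foreach ($dn in $targets) {
        # Under -WhatIf this prints "What if:" and skips the deletion; otherwise
        # it prompts (ConfirmImpact High), so dsrm itself may run unprompted.
        if ($PSCmdlet.ShouldProcess($dn, 'dsrm')) {
            dsrm $dn -noprompt -c
        }
    }
}

# Usage: dry run first, then repeat without -WhatIf to be prompted per group.
Remove-DsGroupsByName -NamePattern 'Marketing*' -WhatIf
```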



Microsoft Windows Command-Line Administrator's Pocket Consultant
ISBN: 0735620385
Year: 2004
Pages: 114