Weekly quickTIP
Piping with DSQUERY
Manually typing in FQDNs? Take the shortcut instead.
- By Greg Shields
- 12/18/2006
All these command-line tools for AD modification that I've been telling you about in the last few weeks are great, but ensuring you’ve got the fully-qualified distinguished names for each user or computer object can be a pain to enter.
For some modifications, you can get around this need to enter them all in manually by querying using the DSQUERY command and redirecting the results of that query to an action command. This is also called "piping" because the character used to do the redirection is the "|" or pipe character.
Tech Help—Just An
E-Mail Away |
|
Got a Windows, Exchange or virtualization question
or need troubleshooting help? Or maybe you want a better
explanation than provided in the manuals? Describe
your dilemma in an e-mail to the MCPmag.com editors
at mailto:[email protected];
the best questions get answered in this column and garner
the questioner with a nifty Redmond T-shirt.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message, but submit the requested
information for verification purposes.)
|
|
|
For example, what if you need to update the description field for all Research groups in all OU’s to read, "Used for Research Only"? If all your Research groups start with the word "Research", you can query on that word and pipe the results to DSMOD for updating the description field:
dsquery group domainroot -name Research* | dsmod group -desc "Used for Research Only"
An incredibly useful way to use piping is to query for all inactive user accounts and immediately disable them. Want to disable any user account that’s gone inactive for at least half a year? It's done like this:
dsquery user domainroot -inactive 26 | dsmod user -disabled yes
Nearly the same command will work to locate computers that have gone MIA on your network:
dsquery computer domainroot -inactive 26 | dsmod computer -disabled yes
The biggest benefit of any of these command-line tools is the ability to drop them into a batch file and set them to fire on a schedule. Now, you’ve got a verifiable and repeatable process for ensuring that aged users and computers regularly get disabled.
About the Author
Greg Shields is Author Evangelist with PluralSight, and is a globally-recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @concentratedgreg.