Weekly quickTIP

Piping with DSQUERY

Manually typing in FQDNs? Take the shortcut instead.

All these command-line tools for AD modification that I've been telling you about in the last few weeks are great, but ensuring you’ve got the fully-qualified distinguished names for each user or computer object can be a pain to enter.

For some modifications, you can get around this need to enter them all in manually by querying using the DSQUERY command and redirecting the results of that query to an action command. This is also called "piping" because the character used to do the redirection is the "|" or pipe character.

Tech Help—Just An
E-Mail Away

Got a Windows, Exchange or virtualization question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to the MCPmag.com editors at mailto:editor@mcpmag.com; the best questions get answered in this column and garner the questioner with a nifty Redmond T-shirt.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message, but submit the requested information for verification purposes.)

For example, what if you need to update the description field for all Research groups in all OU’s to read, "Used for Research Only"? If all your Research groups start with the word "Research", you can query on that word and pipe the results to DSMOD for updating the description field:

dsquery group domainroot -name Research* | dsmod group -desc "Used for Research Only"

An incredibly useful way to use piping is to query for all inactive user accounts and immediately disable them. Want to disable any user account that’s gone inactive for at least half a year? It's done like this:

dsquery user domainroot -inactive 26 | dsmod user -disabled yes

Nearly the same command will work to locate computers that have gone MIA on your network:

dsquery computer domainroot -inactive 26 | dsmod computer -disabled yes

The biggest benefit of any of these command-line tools is the ability to drop them into a batch file and set them to fire on a schedule. Now, you’ve got a verifiable and repeatable process for ensuring that aged users and computers regularly get disabled.

About the Author

Greg Shields is Author Evangelist with PluralSight, and is a globally-recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @concentratedgreg.

comments powered by Disqus

SharePoint Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.