Sunday, July 3, 2011

WS Lesson-13


Using Automation to Manage Group Accounts

  • Although the Active Directory Users And Computers MMC snap-in is a convenient way to create and modify groups individually, it is not the most efficient method for creating large numbers of security principals.
  • A tool included with Windows Server 2003, Ldifde.exe, facilitates the importing and exporting of larger numbers of security principals, including groups.
LDIFDE
LDIFDE is a command-line utility. LDIFDE can be used to export and import accounts using Lightweight Directory Access Protocol (LDAP) file formats. It is explained in the Windows Help and Support Center (search for “ldifde”). Figure 4-3 lists the primary commands used with LDIFDE, displayed by typing ldifde /? at the command prompt.
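As an added example (not part of the lesson text), the following PowerShell script builds an LDIF file that creates a global security group and then appends a member to it, imports the file with ldifde -i, and exports the groups in an OU for review. The contoso.com domain, the OU names, the group and the user DN are constructed values; the only ldifde switches used are the documented -i, -f, -j, -d, -p, -r and -l.

```powershell
# Added example, not from the lesson: create a group and add a member with LDIFDE,
# then export the OU. Domain, OUs, group and user DNs are constructed values.
$ldifPath = Join-Path $env:TEMP 'helpdesk-group.ldf'

# Two LDIF change records: "changetype: add" creates the group, "changetype: modify"
# appends to its member attribute. Records are separated by a blank line and a
# modify operation is terminated by a line containing only "-".
# groupType -2147483646 = GLOBAL_GROUP (2) | SECURITY_ENABLED (0x80000000) as a signed 32-bit value.
$ldif = @'
dn: CN=Helpdesk Operators,OU=Groups,DC=contoso,DC=com
changetype: add
objectClass: group
cn: Helpdesk Operators
sAMAccountName: HelpdeskOps
groupType: -2147483646
description: Tier-1 helpdesk staff (constructed example)

dn: CN=Helpdesk Operators,OU=Groups,DC=contoso,DC=com
changetype: modify
add: member
member: CN=Dan Holme,OU=Employees,DC=contoso,DC=com
-
'@
Set-Content -Path $ldifPath -Value $ldif -Encoding Ascii

# Import: -i selects import mode, -f names the input file, -j names the folder
# that receives ldif.log and ldif.err. Without -k, ldifde stops at the first
# error instead of skipping it, which is the safer default when creating
# security principals.
ldifde -i -f $ldifPath -j $env:TEMP
if ($LASTEXITCODE -ne 0) { throw "ldifde import failed; see $env:TEMP\ldif.err" }

# Export only group objects below the OU (-d root, -p subtree, -r LDAP filter)
# and only the attributes worth reviewing (-l). The export contains membership
# data, so handle the file as sensitive.
$exportPath = Join-Path $env:TEMP 'groups-export.ldf'
ldifde -f $exportPath -d "OU=Groups,DC=contoso,DC=com" -p subtree `
       -r "(objectCategory=group)" -l "cn,sAMAccountName,groupType,member"
Get-Content $exportPath
```

Run the script from an account that has rights to create objects in the target OU. Add -k to the import line only when you deliberately want "object already exists" and similar constraint errors skipped, because it also hides mistakes in the file.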

Creating Groups with DSADD
To add a group, use the syntax
dsadd group GroupDN…

The GroupDN… parameter is one or more distinguished names for the new group objects. If a DN includes a space, surround the entire DN with quotation marks. The GroupDN… parameter can be entered in one of the following ways:

■ By piping a list of DNs from another command, such as dsquery.
■ By typing each DN on the command line, separated by spaces.
■ By leaving the DN parameter empty, at which point you can type the DNs, one at a time, at the keyboard console of the command prompt. Press ENTER after each DN. Press CTRL+Z and ENTER after the last DN.

Modifying Groups with DSMOD
The DSMOD command, introduced in Chapter 2, is used to modify objects in Active Directory. To modify a group, use the syntax
dsmod group GroupDN…

The command takes many of the same switches as DSADD, including -samid, -desc, -secgrp, and -scope. Typically, though, you won't be changing those attributes of an existing group. Rather, the most useful switches are those that let you modify the membership of a group, specifically

■ -addmbr Member… adds members to the group specified in GroupDN
■ -rmmbr Member… removes members from the group specified in GroupDN

where, as with all directory service commands, the DN is the full, distinguished name of another Active Directory object, surrounded by quotes if there are any spaces in the DN.
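The following PowerShell script is an added example (not from the lesson) that ties the DSADD and DSMOD steps together: it creates a global security group with dsadd group, resolves member DNs with dsquery user, adds them with dsmod group -addmbr, removes one with -rmmbr and verifies the result with dsget group. The domain, OU, group name and user names are constructed; the switches used (-secgrp, -scope, -samid, -desc, -limit, -addmbr, -rmmbr, -members) are the documented ones.

```powershell
# Added example, not from the lesson: create a group with DSADD, manage its
# membership with DSMOD and verify with DSGET. All names below are constructed.
$groupDn = "CN=Helpdesk Operators,OU=Groups,DC=contoso,DC=com"

# 1. Create the group. -secgrp yes and -scope g make it a global security group;
#    -samid sets the pre-Windows 2000 name. The DN contains spaces, so PowerShell
#    passes it to dsadd as a single quoted argument.
dsadd group $groupDn -secgrp yes -scope g -samid HelpdeskOps -desc "Tier-1 helpdesk staff"
if ($LASTEXITCODE -ne 0) { throw "dsadd failed for $groupDn" }

# 2. Resolve member DNs with dsquery (-limit 0 returns all matches). dsquery
#    prints each DN wrapped in double quotes; strip them so that PowerShell can
#    quote the arguments itself when they are passed on to dsmod.
$memberDns = @(
    @('Dan Holme', 'Lorrin Smith-Bates') |
        ForEach-Object { dsquery user -name $_ -limit 0 } |
        ForEach-Object { $_.Trim('"') }
)
if ($memberDns.Count -eq 0) { throw "no users resolved; nothing to add" }

# 3. Add every resolved member in one call: the array expands to separate
#    Member... arguments after -addmbr.
dsmod group $groupDn -addmbr $memberDns
if ($LASTEXITCODE -ne 0) { throw "dsmod -addmbr failed for $groupDn" }

# 4. Remove a single member by its full DN.
dsmod group $groupDn -rmmbr "CN=Lorrin Smith-Bates,OU=Employees,DC=contoso,DC=com"

# 5. Verify: list the direct members, then confirm the group type and scope.
dsget group $groupDn -members
dsget group $groupDn -secgrp -scope
```

Checking dsget group -members after each change is the cheapest way to catch a DN that dsquery matched more broadly than intended; a wildcard in -name can resolve to more than one user, and every match would be added.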
