Command-line tools for AD modification require that you have the fully-qualified distinguished names for each user or computer object, which can be a pain to enter. For some modifications, you can avoid entering them all manually by querying with the DSQUERY command and redirecting the results of that query to an action command. This is also called “piping” because the character used to do the redirection is the “|” or pipe character.
For example, what if you need to update the description field for all Research groups in all OUs to read, “Used for Research Only”? If all your Research groups start with the word “Research,” you can query on that word and pipe the results to DSMOD for updating the description field:
dsquery group domainroot -name Research* | dsmod group -desc "Used for Research Only"
A useful way to use piping is to query for all inactive user accounts and immediately disable them. Want to disable any user account that’s gone inactive for at least half a year? The -inactive value is given in weeks, so it’s done like this:
dsquery user domainroot -inactive 26 | dsmod user -disabled yes
Nearly the same command will work to locate computers that have gone MIA on your network:
dsquery computer domainroot -inactive 26 | dsmod computer -disabled yes
The biggest benefit of any of these command-line tools is the ability to drop them into a batch file and set them to fire on a schedule. Now, you’ve got a verifiable and repeatable process for ensuring that aged users and computers regularly get disabled.
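The scheduled batch file described above might look like the following. This is an added example, not part of the original article: it writes the list of stale accounts to a log before disabling them, so each run leaves a record of what changed. The C:\ADCleanup folder, the file names and the "OU=Service Accounts" exclusion are assumptions to adjust for your domain.

```batch
@echo off
rem Added example: log stale user accounts, then disable exactly what was logged.
rem Assumptions: C:\ADCleanup exists, and "OU=Service Accounts" is a
rem hypothetical OU whose members must never be disabled automatically.
setlocal
set WEEKS=26
set WORK=C:\ADCleanup
set ALL=%WORK%\stale-users-all.txt
set LIST=%WORK%\stale-users.txt
set LOG=%WORK%\disable-log.txt

rem -limit 0 lifts dsquery's default cap of 100 results.
dsquery user domainroot -inactive %WEEKS% -limit 0 > "%ALL%"
if errorlevel 1 (
    echo %DATE% %TIME% dsquery failed, nothing disabled >> "%LOG%"
    exit /b 1
)

rem Remove protected accounts before anything is modified.
findstr /v /i /c:"OU=Service Accounts" "%ALL%" > "%LIST%"

rem Stop here if no accounts are left after filtering.
for %%F in ("%LIST%") do if %%~zF==0 (
    echo %DATE% %TIME% no stale accounts found >> "%LOG%"
    exit /b 0
)

rem Record what is about to change.
echo ==== %DATE% %TIME% users inactive %WEEKS%+ weeks ==== >> "%LOG%"
type "%LIST%" >> "%LOG%"

rem dsmod reads the DNs from stdin; -c continues past individual errors.
type "%LIST%" | dsmod user -disabled yes -c >> "%LOG%" 2>&1
endlocal

rem To schedule a weekly run (script saved as disable-stale.cmd, an assumed name):
rem schtasks /create /tn "Disable stale AD users" /tr "C:\ADCleanup\disable-stale.cmd" /sc weekly /d SUN /st 02:00
```

Run the dsquery line on its own first and review the list it produces before letting the scheduled task disable anything.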