1. Obtaining a
User's Logon Name
Sometimes you'll
receive a help desk ticket where the user expects that you'll know their
logon name, despite the fact that you have several thousand users to
track. In many cases, without the logon name, you can't do much for the
user. Of course, you could always track down the user and ask them for
the information, but there's an easier way to obtain the information for
Active Directory users. The following script displays the logon name
for a user based on the last name that you pass.
DSQUERY USER -name %1 | DSGET USER -samid -display
In this case, the input
you provide is the user's last name. The DSQuery User object sends the
user information to the DSGet User object using a pipe (|). The DSGet
utility, in turn, looks up the user's SAM identifier and provides it as
output on the command line. (When more than one user has the same last
name, you'll see a list of all of the associated logon names, but at
least the list is shorter than starting from scratch.)
2. Obtaining a
User's Full Name
Sometimes a user will
provide you with their email address and a logon name and that's it.
What you really want is the user's full name so that you can understand
their needs better by looking up their association with the company.
When this problem occurs, you can still look up the user information
using Active Directory. Simply use the script shown here.
DSQUERY USER -samid %1 | DSGET USER -samid -display
In this case, the input
you provide is the user's logon name. The DSQuery User object sends the
user information, based on a SAM identifier search, to the DSGet User
object using a pipe (|). The DSGet utility outputs the user's full name.
Note that there's normally more than one way to accomplish a task. If
you're using an older version of Windows or a system that doesn't have
Active Directory installed, you can achieve the same results using this
script.
NET USER %1 | FIND /I " name "
In this case, you pass
the user's logon name to the Net utility. This utility outputs all of
the information about the user to the Find utility using a pipe (|). The
Find utility, in turn, locates just the name entries.
3.
Discovering User Group Membership
Many support problems
revolve around security. One of the most common security problems is a
lack of group membership. The user attempts to perform a task that is
under the purview of a specific group and the user doesn't belong to
that particular group. Unfortunately, all that the user has told you is
that the task is impossible to perform and the boss really needs the
task completed today. Rather than play 20 questions trying to discover
the user's group membership, you can use this simple script to obtain
the information from Active Directory.
DSQUERY USER -samid %1 | DSGET USER -memberof -expand
In this case, you pass the
user's logon name to the DSQuery User object. The DSGet utility
receives the output from DSQuery through a pipe (|). The DSGet User
object then displays the group membership for the user and expands the
information so you get all of the details.
4. Resetting a
User's Password
One of the tasks that
administrators love least, yet perform most often, is resetting a user's
password. Those users who don't keep their password recorded on a
sticky note next to their monitor are prone to forgetting them. After a
long weekend or a holiday, the administrator's office suddenly fills
with users who have no clue as to what their password is. You could use a
graphical utility to reset those passwords one at a time (wasting an
entire morning as a result) or you can use this simple script to reset
the password based on the user's logon name.
DSQUERY USER -samid %1 | DSMOD USER -pwd "newpassword"
In this case, the
DSQuery User object obtains the user's information based on the logon
name and passes it to the DSMod utility through a pipe (|). The DSMod
User object uses the -pwd command line
switch to change the user's password to newpassword. You could extend this script by passing a second
argument to the batch file, but it really isn't necessary because the
reader will need to change the password anyway.
NOTE
Make sure you
turn off echo when working with scripts that will reveal password
information, even when this information is a default setting as shown
here. You don't want someone peering over your shoulder to see a
password that should remain private. As an alternative, you can always
replace the password string with an asterisk (*). The utility will
prompt you to provide a password at the appropriate time. Anything you
type will appear as a series of asterisks on screen.
5. Displaying
a List of Hostnames
Anyone working on a
large network will attest to the difficulty of remembering all of the
hostnames. Even if you work on the network every day, you'll run into a
server that you don't work with very often and find yourself scratching
your head to remember the hostname. Rather than look up the name using a
graphical utility, where you could spend more than a few minutes trying
to find the hostname you need, you can obtain a quick list from Active
Directory using the following script.
FOR /F "tokens=2 delims==," %%H IN ('DSQUERY Server') DO @ECHO.%%H
The focus of this
script is the DSQuery Server command,
which outputs a list of all of the domain controllers. The rest of the
script simply processes the output of the DSQuery Server command so that you see the hostnames. Notice how
the script uses an at (@) sign in front of the Echo command so that all you see is the hostnames.
It's important to include the @ sign as needed to keep the output of
your scripts readable.
