A.2 CLI Commands

The following sections provide details about each of the CLI commands, including the following:

  • Required powers and permissions

  • Syntax statements

  • Supported options

  • Several usage examples

A.2.1 AA Command

The AA command creates a custom Assistant Admin Group with the name, comment, and description you provide. The AA command allows you to create user and group rules with the ADD verb.

You must associate AAs with roles and ActiveViews to ensure AAs manage objects included in ActiveViews. This association is called delegation. Through delegation, you specify the tasks AAs can perform on the managed objects. To assign roles to AAs and ActiveViews, you must have the appropriate powers, such as those included in the Manage Security Model role.

Required Powers and Permissions

To manage assigned roles and ActiveViews, you must have the appropriate powers, such as those included in the DRA Administration and Manage Security Model roles.

Syntax

EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AA target CREATE [fields]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AA target DELETE [mode:{I|B}]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AA target UPDATE [NAME:newname] [mode:{I|B}] [fields]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AA target DISPLAY [fields]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AA target ADD ruleName [OU:] {TYPE:ruleType} {MATCH:matchString} [MEMBERS:] [RECURSIVE:] [SELECTBASE:] [ACTION:{include|exclude}] [RESTRICTION:] [GROUPSCOPE:] [GROUPTYPE:] [MODE:{I|B}]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AA target REMOVE rulename [MODE:{I|B}]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AA target DISPLAYRULES ruleTarget [ruleFields]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AA target UPDATERULES ruleTarget [ruleFields] [NAME:newname] [MODE:{I|B}] 

NOTE: It is not possible to create an Assistant Admin Group of type "principal".

Verbs:

CREATE

Creates a custom Assistant Admin Group with the given name, comment, and description. It is not possible to create an Assistant Admin Group of the type principal. An Assistant Admin Group becomes principal when assigning a user or group to an ActiveView.

DELETE

Deletes all custom Assistant Admin Groups with name matching target. When you delete Assistant Admin groups, you do not delete the Assistant Admin group members. However, Assistant Admin group members can no longer act on objects in the previously associated ActiveViews. Deleting an Assistant Admin group also deletes the Security Identifier (SID) associated with the Assistant Admin group assignment. You do not need to delete an Assistant Admin group to disassociate it from an ActiveView or role.

UPDATE

Updates all custom Assistant Admin Groups with name matching target.

DISPLAY

Displays any custom or built-in Assistant Admin Groups with a name matching target. The "name" parameter is always returned. However, by specifying only "name" on the command line, only the name field will be returned. "Assigned" corresponds to the "In Use" column of the Delegation and Configuration user interface. "Type" indicates built-in or custom.

ADD

Creates a user or group rule and associates it with an Assistant Admin. You cannot create a rule that matches all domains, or one that matches all OUs by wildcard across all managed domains. You cannot create a wildcard match where only a single object matches.

REMOVE

Removes the association between an Assistant Admin and an ActiveView, preventing this Assistant Admin from managing the objects in that ActiveView.

DISPLAYRULES

Displays rules matching the match parameter in the target Assistant Admin. Target Assistant Admins can include both custom and built-in types.

UPDATERULES

Updates rules matching the match parameter in the target Assistant Admin. Only custom Assistant Admins will be considered for a match.

Options

/DOMAIN: domain

Specifies the name of the managed domain. If you do not specify this option, the CLI provides information about the domain to which the consoles last connected. If you have not used a console on this computer and you do not specify this option, the CLI connects to the domain where your user account resides. You can use wildcard characters to specify multiple domains.

/SERVER: computername

Specifies the name of an Administration server managing the specified domain. If you specify a domain without a server, the CLI automatically locates the closest Administration server in the specified domain. You can prefix the specified computer name with two backslashes (\\).

/MASTER

Specifies the primary Administration server managing the specified domain.

/DELI:{TAB|x}

Specifies the delimiter character you want the CLI to use to separate displayed field values. You can use this option to format output redirected to a file, easing the import of the file into a database or spreadsheet program for further analysis and reporting. You can specify any delimiter character. To specify a tab as the delimiter character, type TAB.

fields

Specifies the fields or options you want to modify or display for an Assistant Admin group. When you specify one or more fields with the DISPLAY verb, type the field name without a value. For example, to display the group comment, type COMMENT. You can specify the following field values:

ALL Displays all fields.

ASSIGNED Specifies whether the rule is in use.

COMMENT:text Specifies the comment for the Assistant Admin group. To display comments, type COMMENT with the DISPLAY verb.

DESCRIPTION:text Specifies the description for the Assistant Admin group. To display descriptions, type DESCRIPTION with the DISPLAY verb.

NAME Specifies the new Assistant Admin name.

TYPE Specifies the Assistant Admin type.

ruleFields

Specifies the rule fields or options you want to modify or display that pertain to the specified AA account.

COMMENT Specifies the rule comment.

DESCRIPTION Provides the rule description. The description is read-only.

NAME Specifies the rule name.

TYPE:ruleType

G|GROUP Specifies a group rule.

U|USER Specifies a user rule.

MATCH:accountname

Specifies the user account name, or name pattern, to match. You can use domain\AccountName format or wildcards. If you do not specify a domain, the CLI uses the NetBIOS name of the current CLI focus domain.

ACTION:{include|exclude}

Specifies whether to include or exclude objects. Excludes overrule includes. For example, specifically excluding Marketing\Bob overrules an include of Marketing\B*.

RESTRICTION:{S|T|ST}

Specifies whether the rule applies to source objects (S), target objects (T), or both (ST). Default is both (ST).

RECURSIVE:{Y|N}

Specifies whether to match objects in sub-containers or not. Default is yes.

SELECTBASE:{YES|NO}

For rules matching containers or groups, specifies whether the rule also matches the base object, that is, the container or group itself. Default is yes.

GROUPSCOPE:[[U|Universal] [G|Global] [L|Local]]

Specifies any combination of [[U|Universal] [G|Global] [L|Local]] or [All]. Multiple entries should be separated by commas.

GROUPTYPE:{S|D|ALL}

Specifies Security, Distribution, or All. Default is "All".

MEMBERS:memberTypes

Specifies which type of member objects to manage. Group rules can specify group member types. Container and domain rules can specify managed object types.

OU Specifies OU objects.

U|USER Specifies user account objects.

C|COMPUTER Specifies the computer member object.

G|GROUP Specifies group objects.

CT|CONTACT Specifies contact objects.

ALL|NONE Specifies the all or none parameter.

MATCHNESTED:{YES|NO}

Specifies whether group rules match objects in nested groups. Adding one ActiveView to another is called nesting. By using nested ActiveViews in your security model, you can divide administration power and scope into smaller pieces and then assemble these pieces to meet different needs.

MODE:{I|B}

B|BATCH Specifies batch mode. Batch mode runs silently and processes without confirmation.

I|INTERACTIVE Specifies interactive mode. Interactive mode provides confirmation and allows you to see the rule sentence. This is the default mode.

AA Example 1

To create an AA, enter:

EA AA SeattleAdmins CREATE comment:testComment description:"Admins in Seattle"

AA Example 2

To delete an AA, enter:

EA AA SeattleAdmins Delete

AA Example 3

To update an AA, enter:

EA AA "SeattleAdmins" UPDATE comment:"Seattle Printer Admins"

AA Example 4

To rename an AA, enter:

EA AA "SeattleAdmins" RENAME 

AA Example 5

To display an AA, enter:

EA AA b* DISPLAY

AA Example 6

To display the Assistant Admin group properties, enter

EA AA "SeattleAdmins" DISPLAY type

AA Example 7

To create and associate a group rule with an AA, enter:

EA AA us-los* ADD groupRule type:g match:a* ou:testou*

A.2.2 ACCOUNT Command

The ACCOUNT command displays a list of all user accounts and groups in the specified domain.

Required Powers and Permissions

To run this command, you must have the appropriate powers, such as those included in the built-in User Administration and Group Administration roles.

Syntax

EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] ACCOUNT targetdomain\"accountname" DISPLAY

NOTE: If the value for an option contains spaces, such as a user account name of Jane Smith, you must surround the option value with quotation marks. In this case, to specify a value for the accountname option, type "Jane Smith".

Verbs

DISPLAY

Displays the list of user accounts and groups in the specified domain.

Options

/DOMAIN: domain

Specifies the name of the managed domain. If you do not specify this option, the CLI provides information about the domain to which the consoles last connected. If you have not used a console on this computer and you do not specify this option, the CLI connects to the domain where your user account resides. You can use wildcard characters to specify multiple domains.

/SERVER: computername

Specifies the name of an Administration server managing the specified domain. If you specify a domain without a server, the CLI automatically locates the closest Administration server in the specified domain. You can prefix the specified computer name with two backslashes (\\).

/MASTER

Specifies the primary Administration server managing the specified domain.

targetdomain

Specifies the name of the domain that contains the accounts you want to display. If the target domain is the same as the domain specified by /DOMAIN, then you do not need to specify this option. You can use wildcard characters to specify multiple domains.

" accountname "

Specifies the accounts the CLI displays. The specified account name can contain wildcard characters.

ACCOUNT Example 1

To display all user accounts in the managed domains, enter:

EA ACCOUNT * DISPLAY

ACCOUNT Example 2

To display all user accounts in managed domains with names that start with HOU, enter:

EA ACCOUNT HOU*\* DISPLAY

ACCOUNT Example 3

To display all user accounts managed by the HOU_ADMIN02 secondary Administration server in the CITIES domain, enter:

EA /DOMAIN:CITIES /SERVER:\\HOU_ADMIN02 ACCOUNT * DISPLAY

ACCOUNT Example 4

To display all user accounts managed by the Primary Administration server in the SPACE domain, enter:

EA /DOMAIN:SPACE /MASTER ACCOUNT * DISPLAY 

A.2.3 AV Command

The ActiveView command can create, delete, update, and rename ActiveViews. You can also use the ActiveView command to display the properties of an ActiveView, including the name, comment, description and type fields.

The ActiveView command allows for the creation of rules in conjunction with the ADD verb.

An ActiveView creates a virtual domain containing only those objects you want. You can then associate Assistant Admins with these ActiveViews and grant extremely granular control over the included objects. For more information, see What ActiveViews Provide.

Required Powers and Permissions

To create or delete an ActiveView or assign rules to ActiveViews, you must have the appropriate powers, such as those included in the built-in DRA Administration or Manage Security Model roles.

Syntax

EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AV target CREATE [fields]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AV target DELETE [mode:{I|B}]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AV target UPDATE [mode:{I|B}] [fields] [NAME:newname]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AV target DISPLAY [fields]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AV target ADD ruleName [ruleFields] {TYPE:ruleType} {MATCH:matchString} [OU:ouString] [ACTION:] [RESTRICTION:] [RECURSIVE:] [SELECTBASE:] [MEMBERS:memberType,...] [MODE:] [MATCHWILDCARD]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AV target ADD ruleName [ruleFields] {TYPE:ruleType} {MATCH:matchString} [OU:ouString] [ACTION:] [RESTRICTION:] [RECURSIVE:] [SELECTBASE:] [MEMBERS:memberType,...] [MODE:] [MATCHWILDCARD] {RESOURCES:resourceType,...}
    (resource rules only; RESOURCES is a required parameter)
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AV target ADD ruleName [ruleFields] {TYPE:ruleType} {MATCH:matchString} [OU:ouString] [ACTION:] [RESTRICTION:] [RECURSIVE:] [SELECTBASE:] [MEMBERS:memberType,...] [MODE:] [MATCHWILDCARD] [MATCHNESTED:] [GROUPSCOPE:] [GROUPTYPE:]
    (group rules only; MATCHNESTED, GROUPSCOPE and GROUPTYPE are optional parameters)
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AV target REMOVE ruleName [MODE:{I|B}]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AV target DISPLAYRULES ruleTarget [ruleFields]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AV target UPDATERULES ruleTarget [ruleFields] [NAME:newname] [MODE:{I|B}]

Verbs

CREATE

Creates an ActiveView and specifies the name and the properties for the ActiveView including the comment and description.

DELETE

Deletes a custom AV that matches the target. You can automate large deletes using a matching target in MODE:batch.

UPDATE

Updates any custom AV that matches target.

RENAME

Renames any custom AV that matches target.

DISPLAY

Displays any custom or built-in AVs matching target. The name field is always returned. If you specify only "name" on the command line, only the name field is returned; by default, the other fields are displayed as well. You can use the DISPLAY verb to enumerate ActiveViews matching a certain name, including wildcards.

ADD

Creates and assigns rules in conjunction with the AV command to cover the most frequent types of delegation. You use the ADD command with the following options and parameters: ruleName, [ruleFields], {TYPE:ruleType}, {MATCH:matchString}, [OU:ouString], [ACTION:], [RESTRICTION:], [RECURSIVE:], [SELECTBASE:], [MEMBERS:memberType,...], [MODE:], {RESOURCES:resourceType,...}, [matchNested], [groupScope], and [groupType]

REMOVE

Removes the associated rule from the AV.

DISPLAYRULES

Displays rules and rule properties for a given AV. Properties for a rule include the name, comment, and description.

UPDATERULES

Updates rules and rule properties for a given AV. Properties for a rule include the name, comment, and description.

Options

/DOMAIN: domain

Specifies the name of the managed domain. If you do not specify this option, the CLI provides information about the domain to which the consoles last connected. If you have not used a console on this computer and you do not specify this option, the CLI connects to the domain where your user account resides. You can use wildcard characters to specify multiple domains.

/SERVER: computername

Specifies the name of an Administration server managing the specified domain. If you specify a domain without a server, the CLI automatically locates the closest Administration server in the specified domain. You can prefix the specified computer name with two backslashes (\\).

/MASTER

Specifies the primary Administration server managing the specified domain.

target

Specifies the name of the AV you want to manage. The AV name can contain wildcard characters. You can also precede the AV name with a trusted domain or wildcard character, such as *\*, which targets all groups in the managed domains and trusted domains. When using the CREATE verb, the specified AV must not already exist and you cannot specify wildcard characters. When using the DISPLAY verb, specify the target as * to list all AVs in the specified OU.

commonfields

Specifies the fields or options that you want to specify, modify, or display for the ActiveView. When you specify one or more fields with the DISPLAY verb, specify the field name without any value. For example, to display the ActiveView comment, specify COMMENT. You can specify the following field values:

ALL Displays all fields.

COMMENT:"text" Specifies the comment for the ActiveView. To display comments, type COMMENT with the DISPLAY verb.

DESCRIPTION:"text" Specifies the description for the ActiveView. To display descriptions, type DESCRIPTION with the DISPLAY verb.

NAME:"name" Specifies the new name of the ActiveView.

TYPE Specifies the type of ActiveView.

RuleName:

Specifies the name of the rule you want to create or manage.

ruleFields

Specifies the rule properties that you want to modify or display for the ActiveView. These are universal rule parameters.

COMMENT Specifies the comment for the specified rule.

DESCRIPTION Provides the rule description. The description is read-only.

NAME Specifies the name for the rule.

TYPE:ruleType

G|GROUP Specifies a group rule.

OU Specifies an OU rule.

DOMAIN Specifies a domain rule.

U|USER Specifies a user rule.

COMPUTER Specifies a computer rule.

RESOURCE Specifies a resource rule.

MATCH:matchString

Specifies the name, or wildcard pattern, to match. The value must be at least one character, though that character can be a *. For ActiveView rules, the match is evaluated against the object name.

OU: ouname

Specifies the name of either a DN path to an OU, container, built-in, or a wildcard matching at most one OU by name. If this is specified, then the match will be evaluated only within this OU. In the case of resource rules, note that the "match" that this will apply to is the "compMatch" parameter. Default is any OU. Note that if an OU is specified for an NT4 domain, the CLI should return an error message to the client indicating that this is an invalid argument.

ACTION:{include|exclude}

Specifies whether the rule is include or exclude. This is a universal rule parameter. The default is include.

RESTRICTION:{S|T|ST}

Specifies whether the rule is source or target only (or both). This is a universal rule parameter. The default is both.

RECURSIVE:{Y|N}

Specifies whether the rule also manages objects in child OUs and containers, including nested OUs and their members. Default is yes. This parameter applies to both group rules and OU rules.

SELECTBASE:{YES|NO}

For rules matching containers or groups, specifies whether the rule also matches the base object, that is, the container or group itself. Default is yes.

MEMBERS:memberType

Specifies which type of member objects is managed. There are group member types for group rules or managed object types for container or domain rules. Default is ALL.

OU Specifies OU objects.

U|USER Specifies account objects.

C|COMPUTER Specifies computer objects.

G|GROUP Specifies group objects.

CT|CONTACT Specifies contact objects.

ALL|NONE Specifies the all or none parameter.

MATCHNESTED:{Y|N}

Specifies whether the rule manages nested groups and members. Default is yes.

GROUPSCOPE:[[U|Universal] [G|Global] [L|Local]]

Specifies any combination of [[U|Universal] [G|Global] [L|Local]] (multiple entries must be separated by commas) or [All].

GROUPTYPE:{S|D|ALL}

Specifies Security, Distribution, or All. Default is "All".

MODE:{I|B}

I specifies interactive mode, which is the default; it shows the rule sentence and asks for confirmation. B specifies batch mode; the command is then processed without confirmation.

MATCHWILDCARD

Specifies whether to include all groups that do not exactly match the string specified in the MATCH:matchString option.
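The include/exclude evaluation that the ACTION option describes for AA and AV rules (an explicit exclude of Marketing\Bob overrules an include of Marketing\B*), together with TYPE, MATCH, OU and RECURSIVE scoping, is modelled below as an added example; it is not DRA code, and the sample directory, the exact wildcard semantics, and the treatment of a MATCH without a domain part are assumptions.

```python
"""Model of how ActiveView (and Assistant Admin) include/exclude rules select objects.

Added illustration for this page, not DRA's own code.  From the reference: a rule
has a TYPE, a MATCH wildcard, an optional OU scope, RECURSIVE (default yes) and
ACTION (default include), and an explicit exclude overrules an include
(Marketing\\Bob versus Marketing\\B*).  Assumptions: '*' and '?' wildcards as in
Python's fnmatch, case-insensitive names, RECURSIVE meaning "also sub-OUs of OU:",
and a MATCH without a domain part comparing against the account name alone.
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# TYPE:ruleType spellings from the page, mapped to an object kind.
TYPE_TO_KIND = {
    "u": "user", "user": "user",
    "g": "group", "group": "group",
    "c": "computer", "computer": "computer",
    "ou": "ou",
}


@dataclass(frozen=True)
class DirObject:
    kind: str   # "user", "group", "computer" or "ou"
    name: str   # domain\name form, e.g. r"MARKETING\Bob"
    ou: str     # DN of the containing OU, e.g. "ou=sales,dc=example,dc=local"


@dataclass(frozen=True)
class Rule:
    name: str
    type: str                 # TYPE:  u|g|c|ou
    match: str                # MATCH: wildcard on the name
    action: str = "include"   # ACTION: include|exclude
    ou: Optional[str] = None  # OU: DN that scopes the match
    recursive: bool = True    # RECURSIVE: also sub-containers of OU:


def in_ou_scope(obj: DirObject, rule: Rule) -> bool:
    """True when the object sits in the rule's OU, or below it if recursive."""
    if rule.ou is None:
        return True
    obj_ou, rule_ou = obj.ou.lower(), rule.ou.lower()
    return obj_ou == rule_ou or (rule.recursive and obj_ou.endswith("," + rule_ou))


def name_matches(pattern: str, name: str) -> bool:
    """MATCH semantics: domain\\name pattern, or account name only when the
    pattern carries no domain part (assumption, see module docstring)."""
    pat, nm = pattern.lower(), name.lower()
    if "\\" not in pat:
        nm = nm.rsplit("\\", 1)[-1]
    return fnmatchcase(nm, pat)


def rule_matches(rule: Rule, obj: DirObject) -> bool:
    """A rule applies to an object when type, OU scope and name all agree."""
    return (TYPE_TO_KIND.get(rule.type.lower()) == obj.kind
            and in_ou_scope(obj, rule)
            and name_matches(rule.match, obj.name))


def resolve(rules: list[Rule], objects: list[DirObject]) -> set[str]:
    """Names the ActiveView manages: every include match minus every exclude
    match, because excludes overrule includes regardless of rule order."""
    included, excluded = set(), set()
    for obj in objects:
        for rule in rules:
            if rule_matches(rule, obj):
                bucket = excluded if rule.action.lower() == "exclude" else included
                bucket.add(obj.name)
    return included - excluded


# Constructed sample directory (not from the page).
SAMPLE_OBJECTS = [
    DirObject("user", r"MARKETING\Bob", "ou=marketing,dc=example,dc=local"),
    DirObject("user", r"MARKETING\Bill", "ou=marketing,dc=example,dc=local"),
    DirObject("user", r"MARKETING\Alice", "ou=marketing,dc=example,dc=local"),
    DirObject("computer", r"EXAMPLE\DC01", "ou=domain controllers,dc=example,dc=local"),
    DirObject("computer", r"EXAMPLE\DC02", "ou=lab,ou=domain controllers,dc=example,dc=local"),
    DirObject("computer", r"EXAMPLE\DCWS1", "ou=workstations,dc=example,dc=local"),
]

# The ACTION example from the reference: include Marketing\B*, exclude Marketing\Bob.
MARKETING_RULES = [
    Rule("mktB", "u", r"Marketing\B*"),
    Rule("noBob", "u", r"Marketing\Bob", action="exclude"),
]

# Shaped like AV Example 9: computers named dc* under the domain controllers OU.
DC_RULES = [Rule("DCRule1", "c", "dc*", ou="ou=domain controllers,dc=example,dc=local")]

if __name__ == "__main__":
    print(sorted(resolve(MARKETING_RULES, SAMPLE_OBJECTS)))  # ['MARKETING\\Bill']
    print(sorted(resolve(DC_RULES, SAMPLE_OBJECTS)))         # ['EXAMPLE\\DC01', 'EXAMPLE\\DC02']
```

Running the second rule set with recursive=False drops DC02, which only matches through the nested lab OU.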

AV Example 1

To create a custom AV with the given name, comment, and description, enter:

EA AV ouComputers CREATE comment:testComment description:"Contents of computers OU"

AV Example 2

To delete all custom AVs matching "g*", enter:

EA AV g* DELETE

AV Example 3

To update or rename any custom AVs matching "h*", enter:

EA AV h* UPDATE comment:"This AV starts with letter h"

AV Example 4

To add a group rule, enter:

EA AV us-los* add groupRule type:g match:a* ou:testou*

AV Example 5

To create an exclude rule for ou1, which is the only OU matching ou* within testou2, enter:

EA AV kt* add ouRule type:ou match:ou* ou:testou2 action:exclude

AV Example 6

To create a rule that manages the domain and only OUs and Groups in the domain, enter:

EA AV d* ADD domainRule type:d match:schwamx-dom members:OU,G

AV Example 7

To create a rule that excludes the CEO from management in any custom AV, enter:

EA AV * ADD ceoExcludeRule type:u match:netiqus\boesenb* action:exclude

AV Example 8

To exclude objects from the K* AVs in the L* AVs, enter:

EA AV L* Add ExcludeKAvs type:av match:K* action:exclude 

AV Example 9

To add a rule to the "Domain Controllers" AV to match computers named "dc*" in the OU "domain controllers" in domain netiq.local, enter:

EA AV "Domain Controllers" Add DCRule1 type:c match:dc* ou:"ou=domain controllers,dc=netiq,dc=local"

AV Example 10

To add a rule to the "Resources" AV to match services on computer "HOULAGOS" in the current CLI focus domain, enter:

EA AV Resources ADD type:resource resources:services match:houlagos 

NOTE: Through ActiveViews, you can display and change the settings of many resource properties, create and clone resources, delete resources, as well as stop and start resources. Wildcard specifications allow you to include objects from several domains or OUs while making your security model more dynamic.

A.2.4 CACHE Command

The CACHE command refreshes the accounts cache and the resource cache on the Administration server.

The accounts cache contains information about user accounts, groups, computer accounts, and contacts. The Administration server builds and maintains the accounts cache, which contains portions of the Microsoft Windows 2008 or higher Active Directory. The Administration server uses the accounts cache to improve performance when validating requests. The Administration server maintains the coherency of this cache for all account administration performed through DRA and ExA.

The resource cache contains computer information. The Administration server uses the resource cache to improve performance when managing computers.

NOTE: When you use the CACHE command to refresh the accounts cache, the Administration server performs an incremental cache refresh by default. An incremental accounts cache refresh updates only the data that changed since the previous refresh.

Required Powers and Permissions

To perform a manual refresh of the accounts and resource caches, you must have the appropriate powers, such as those included in the built-in Configure Servers and Domains role. Other AAs can only view cache refresh information.

Syntax

EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] CACHE {targetdomain} [/FULL|/SYSTEM]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] CACHE {targetdomain} [DISPLAY]

Verbs

DISPLAY

Displays the time of the last refresh and the time of the next refresh.

Options

/DOMAIN: domain

Specifies the name of the managed domain for which you want to refresh or display the accounts and resource caches. If you do not specify this option, the CLI refreshes the cache for the domain to which the consoles most recently connected. If you have not used the CLI before and you do not specify this option, the CLI connects to the domain where your user account resides. You can use wildcard characters to specify multiple domains.

/SERVER: computername

Specifies the name of an Administration server that manages the specified domain. If you specify a domain and do not specify a server, the CLI automatically locates the best available Administration server in the specified domain. You can prefix the specified computer name with two backslashes (\\).

/MASTER

Specifies the primary Administration server that manages the specified domain.

targetdomain

Refreshes the accounts or resource cache for the specified domain, domain member, or computer.

/FULL

Performs a full accounts cache refresh. By default, the CLI performs an incremental accounts cache refresh.

/SYSTEM

Performs a resource cache refresh.

CACHE Example 1

To perform an incremental accounts cache refresh for the NORTHEAST domain, enter:

EA /DOMAIN:NORTHEAST CACHE NORTHEAST

CACHE Example 2

To perform a full accounts cache refresh on the LAB01 server in the NORTHEAST domain, enter:

EA /DOMAIN:NORTHEAST /SERVER:\\LAB01 CACHE NORTHEAST /FULL

CACHE Example 3

To refresh the resource cache for the PITTSBURGH child domain in the NORTHEAST domain, enter:

EA /DOMAIN:NORTHEAST CACHE PITTSBURGH /SYSTEM

CACHE Example 4

To display the last and next cache refresh times for the primary Administration server in the NORTHEAST domain, enter:

EA /DOMAIN:NORTHEAST /MASTER CACHE NORTHEAST DISPLAY

A.2.5 DOMAIN Command

The DOMAIN command displays an alphabetical list of all managed and trusted domains. The domain list includes the workstation, the domain to which the workstation belongs, and all the domains the workstation trusts.

Required Powers and Permissions

You must have the appropriate powers, such as those included in the built-in Computer Administration role, to run this command.

Syntax

EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] DOMAIN namespec DISPLAY [CONFIG]

Verbs

DISPLAY

Displays the information about the specified domain.

Options

/DOMAIN: domain

Specifies the name of the managed domain. If you do not specify this option, the CLI displays the information for the domain to which the consoles most recently connected. If you have not used the CLI before and you do not specify this option, the CLI connects to the domain where your user account resides. You can use wildcard characters to specify multiple domains.

/SERVER: computername

Specifies the name of an Administration server that manages the specified domain. If you specify a domain and do not specify a server, the CLI automatically locates the best available Administration server in the specified domain. You can prefix the specified computer name with two backslashes (\\).

/MASTER

Specifies the primary Administration server that manages the specified domain.

namespec

Specifies the domains you want to include in the displayed list. The namespec variable can include wildcard characters. To display all managed and trusted domains, specify an asterisk (*).

CONFIG

Displays domain information, such as the number of user accounts and groups, and the scheduled accounts cache refresh time.

DOMAIN Example 1

To display information for all managed and trusted domains, as well as the PDC computer names, enter:

EA DOMAIN * DISPLAY

The CLI displays the domain names and the PDC computer names:

EA 7.50.00 (c) Copyright 2011 NetIQ Corporation; all rights reserved.
LAB_HOULAB_HOU              LAB_HOULAB_HOU.COM 
HOUSTON_LABHOUSTON_LAB     HOUSTON_LABHOUSTON_LAB.LOCAL
NORTH_HOUNORTH_HOU         NORTH_HOUNORTH_HOU.COM

DOMAIN Example 2

To display the configuration information for the HOUTX domain, enter:

EA DOMAIN HOUTX DISPLAY CONFIG 

A.2.6 EXEC Command

The EXEC command allows you to apply actions to large numbers of objects. This command differs from other CLI commands because it does not inherently perform specific administrative tasks. Use the EXEC command to run a command against a result set built through CLI wildcard characters and special functions. For more information about special functions, see Special Functions and Variables. The EXEC command runs a specified command at the CLI client where you enter the EXEC command. The EXEC command also allows you to run commands other than CLI commands.

NOTE: Use caution when using this command. Before using this command to make major system changes, back up your complete system. You can create a user account that has specific permissions and then sign on with this user account to restrict the use of this command to a limited number of objects.

Required Powers and Permissions

You must have the appropriate powers to run this command. The command you choose to run with the EXEC command may require specific powers for the objects affected by that command. If you do not have the required powers, the command fails and the CLI displays an error message.

Syntax

EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] EXEC ["userspec" command [command_options]] 

NOTE:

  • If the value for an option contains spaces, such as a user account name of Jane Smith, you must surround the option value with quotation marks. In this case, to specify a value for the userspec option, type userspec:"Jane Smith".

  • The userspec, command, and command_options parameters can include up to a total of 256 characters. If these parameters total more than 256 characters, the Administration server processes only the first 256 characters that you specify.

Options

/DOMAIN: domain

Specifies the name of the managed domain. If you do not specify this option, the CLI executes the specified command in the domain to which the consoles most recently connected. If you have not used the CLI before and you do not specify this option, the CLI connects to the domain where your user account resides. You can use wildcard characters to specify multiple domains.

/SERVER: computername

Specifies the name of an Administration server that manages the specified domain. If you specify a domain and do not specify a server, the CLI automatically locates the best available Administration server in the specified domain. You can prefix the specified computer name with two backslashes (\\).

/MASTER

Specifies the primary Administration server that manages the specified domain.

"userspec"

Specifies an explicit user account or list of user accounts on which to execute the command. This option is often a list of user account specifications that you generate using wildcard characters or the @GroupUsers filter.

command

Specifies a command to run against the users you specified for the userspec variable.

command_options

Specifies an option for the command you specified. This option often references the @Target() set operation function. For example, you can use the @Target() set operation to create a home directory using the user account name as part of the directory path.

EXEC Example 1

To move the home directories for all user accounts in the SALES group from the \\TREK1 server to the \\TREK2 server, enter the following commands:

EA EXEC @GroupUsers(SALES) XCOPY /O \\TREK1\USERS\@Target() \\TREK2\USERS\@Target()
EA USER @GroupUsers(SALES) UPDATE HOMEDIR:\\TREK2\USERS\@Target()
EA EXEC @GroupUsers(SALES) DELTREE \\TREK1\USERS\@Target()

Administrators often need to reconfigure systems and relocate files and user account directories as system capacities and usages change. In this example, the first command runs the XCOPY /O command for each user account in the SALES group. The XCOPY command copies the home directory data for each user from the \\TREK1 server to the \\TREK2 server.

The second command (the USER command) changes the user account information to point the home directory to this new location.

The third command runs the DELTREE command for each user account in the SALES group. The DELTREE command deletes all the previous home directory data for these users on the \\TREK1 server.

NOTE: The EXEC command allows you to run commands other than CLI commands. The XCOPY and DELTREE commands in this example are not CLI commands. This example outlines how the EXEC command allows you to run the XCOPY and DELTREE commands.

EXEC Example 2

Rather than separately specifying each of these commands, combine the three commands from the previous example into a single script file (.bat or .cmd) and use the EXEC command to run the script file.

To perform the actions in the previous example using a single script file, enter:

EA EXEC @GroupUsers(SALES) MOVEHD @Target()

In this example, the MOVEHD.cmd file contains the following lines:

XCOPY /O \\TREK1\USERS\%1 \\TREK2\USERS\%1
EA USER %1 UPDATE HOMEDIR:\\TREK2\USERS\%1
DELTREE \\TREK1\USERS\%1 

A.2.7 GROUP Command

The GROUP command allows you to create, clone, modify, display, and delete groups.

Required Powers and Permissions

The different tasks you can perform with the GROUP command require different powers. The following table identifies the powers required for each task.

Tasks and Required Powers

Creating a new group: Create Group and Modify All Properties. In order to create a group in an ActiveView, the AA must be associated with the ActiveView.

Cloning a group: Clone Group and Modify All Properties

Adding a member: Add a Member, Modify Group Memberships. Both the new member and the group must exist in the same ActiveView.

Removing a member: Add Object to Group

Updating the group description: Modify General Group Properties

Renaming a group: Modify Group Name

Displaying group information: View All Group Properties

Deleting a group: Delete Group

Syntax

EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] GROUP target CREATE {OU:ouname} {CN:commonname} [GLOBAL|LOCAL|UNIVERSAL|LOCALDIST|GLOBALDIST|UNIVERSALDIST] [CLONE:{"group"}] [COMMENT:"comment"] [TERRITORIES:"activeview"]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] GROUP target MEMBERADD "member"
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] GROUP target MEMBERREMOVE "member"
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] GROUP target DISPLAY [OU:ouname] ["member"] [ALLMEMBERS]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] GROUP target UPDATE {[NAME:newname]|[COMMENT:"comment"]|[CN:commonname]}
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] GROUP target DELETE

NOTE: If the value for an option contains spaces, such as an OU name of Sales and Marketing Consultants, you must surround the option value with quotation marks. In this case, to specify a value for the OU option, type OU:OU="Sales and Marketing Consultants",DC=Houston,DC=local.

Verbs

CREATE

Creates a new global or local group. The required GLOBAL or LOCAL keyword specifies whether the group is global or local. You can also specify UNIVERSAL, LOCALDIST, GLOBALDIST, or UNIVERSALDIST instead. There is no default group type.

MEMBERADD

Adds the specified members to the specified group. You can add multiple accounts to a group. To specify multiple accounts, use the following syntax: MEMBERADD accountA,accountB

MEMBERREMOVE

Removes the specified members from the specified group. This verb does not delete the group member or the group itself. You can remove multiple accounts from a group. To specify multiple accounts, use the following syntax: MEMBERREMOVE accountA,accountB

DISPLAY

Displays the specified group names, as well as the group comments. If you specify an OU of a Microsoft Windows domain, the CLI lists all groups contained in the specified OU.

UPDATE

Updates the specified group information for the specified group. The group name specification can be a list of wildcards. If you rename a group, the Administration server does not rename the non-wildcard rules that identify this group. However, the rule still matches the renamed group because the Administration server uses the group SID to identify the group. If you rename a group that is included in ActiveViews through wildcard specifications, that group may no longer be included in the same ActiveViews. The Administration server ensures that a renamed group remains in at least one ActiveView in which the AA has one or more powers. The Administration server also ensures that the ActiveView that includes the renamed group does not give the AA more powers over the renamed group.

DELETE

Deletes the specified group. When you delete a group, the Administration server also deletes all group rules that exactly match the deleted group in all ActiveViews. The Administration server does not delete the group members. If the Recycle Bin is disabled for the specified domain, the Administration server permanently deletes the group when you delete a group. If the Recycle Bin is enabled for the specified domain, the deleted group is transferred to the Recycle Bin and can be restored or permanently deleted later. If you permanently delete a group, you cannot return access capabilities for that group simply by creating a new group with the same name. Microsoft Windows uses an internal Security Identifier (SID) to refer to a group. When you create a group, Microsoft Windows assigns a unique SID to that group, rather than generating the SID from the group name.

Options

/DOMAIN: domain

Specifies the name of the managed domain. If you do not specify this option, the CLI displays the information for the domain to which the consoles most recently connected. If you have not used the CLI before and you do not specify this option, the CLI connects to the domain where your user account resides. You can use wildcard characters to specify multiple domains.

/SERVER: computername

Specifies the name of an Administration server that manages the specified domain. If you specify a domain and do not specify a server, the CLI automatically locates the best available Administration server in the specified domain. You can prefix the specified computer name with two backslashes (\\).

/MASTER

Specifies the primary Administration server that manages the specified domain.

target

Specifies the name of the group you want to manage. The group name can contain wildcard characters. You can also precede the group name with a trusted domain or wildcard character, such as *\*, which targets all groups in the managed domains and trusted domains. When using the CREATE verb, the specified group must not already exist and you cannot specify wildcard characters. When using the DISPLAY verb, specify the target as * to list all groups in the specified OU.

CLONE:"group"

Specifies the group you want to clone. The Administration server uses the specified group as a template to create a new group. The Administration server then adds all members from the cloned group to the new group. If applicable, the Administration server also adds the new group to the ActiveViews of the original group. In a Microsoft Windows 2000 domain, you can specify the group type.

COMMENT:"comment"

Specifies the comment for the specified group. This comment is usually a description of the group.

OU: ouname

Specifies the name of a Microsoft Windows OU.

If you want to specify the name of an enterprise OU, use the following format: OU=ou,DC=domain,DC=toplevel

For example, to specify the SALES OU in the HOUSTON.LOCAL domain, type: OU:OU=SALES,DC=HOUSTON,DC=LOCAL

If you want to specify the name of a built-in OU, use the following format: CN=ou,DC=domain,DC=toplevel

For example, to specify the Users OU in the HOUSTON.LOCAL domain, type: OU:CN=Users,DC=HOUSTON,DC=LOCAL

When you create or clone a group, you must specify a Microsoft Windows OU. You do not need to specify an OU for a Microsoft Windows 2000 member server.
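An added Python helper (not part of DRA or this guide) that builds the OU: option value in the two formats above and applies the quoting rule from the NOTE for names that contain spaces; nested OU paths are emitted most-specific first, the standard LDAP distinguished-name order, which the text does not cover.

```python
"""Build the OU: option value for EA GROUP and EA USER commands.

Added example code, not part of DRA or its documentation.
Enterprise OUs use OU=ou,DC=domain,DC=toplevel and built-in containers
use CN=ou,DC=domain,DC=toplevel; a name containing spaces is quoted.
"""
from typing import List

GROUP_SCOPES = {"GLOBAL", "LOCAL", "UNIVERSAL", "LOCALDIST", "GLOBALDIST", "UNIVERSALDIST"}


def _component(attr: str, name: str) -> str:
    """Render one DN component, quoting the value when it contains spaces."""
    if " " in name:
        return '%s="%s"' % (attr, name)
    return "%s=%s" % (attr, name)


def ou_option(domain: str, path: List[str], builtin: bool = False) -> str:
    """Return the OU:... argument for an OU path under a DNS domain name.

    `path` lists containers from the top of the domain down to the target
    (assumption: standard LDAP DN order, most specific component first).
    `builtin=True` marks the target as a built-in container such as Users,
    which is addressed with CN= instead of OU=.
    """
    if not path:
        raise ValueError("an OU is required when creating or cloning")
    attrs = ["OU"] * len(path)
    if builtin:
        attrs[-1] = "CN"
    parts = [_component(a, n) for a, n in zip(reversed(attrs), reversed(path))]
    parts += ["DC=%s" % label for label in domain.split(".") if label]
    return "OU:" + ",".join(parts)


def group_create_command(group: str, domain: str, path: List[str], scope: str = "GLOBAL") -> str:
    """Compose the GROUP CREATE command line from the syntax shown above."""
    if scope not in GROUP_SCOPES:
        raise ValueError("unknown group scope: %r" % scope)
    return "EA GROUP %s CREATE %s %s" % (group, ou_option(domain, path), scope)


if __name__ == "__main__":
    print(group_create_command("EasternRegion", "USRegion.ACME.COM", ["SalesRegions"]))
    print(ou_option("Houston.local", ["Sales and Marketing Consultants"]))
```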

CN:"commonname"

Specifies the common name (display name) of the group.

NAME:"group"

Specifies the new account name of the group. This option allows you to rename an existing group. The powers you have in the selected ActiveView determine whether you can rename the group and the name you can assign to the group.

"member"

Specifies the name of the group member. When you use the MEMBERADD or MEMBERREMOVE verbs, use this option to specify which members should be added to or removed from the group. If the Administration server does not find the specified member in the group, the CLI displays an error.

If you specify the DISPLAY verb, this option specifies which group members the CLI displays. For local groups, the member specification can include a domain\ prefix. If you do not specify this option, the CLI does not display any member information. You can use wildcard characters to specify the list of members you want to display.

You can also use the @GroupUsers set operation to specify all members of a group.

To add or remove a computer from a group, enter the computer name in the following format: [domainname\]computername[$]

If you are managing Microsoft Windows domains and want to add computer accounts created by either the DRA user interfaces or the native Windows 2000 Active Directory Users and Computers, append the computer name with a $. If you are managing Microsoft Windows domains and want to add computer accounts created with the NetIQ and LDAP ADSI providers, do not append the computer name with a $.

ALLMEMBERS

Displays all members the group contains, including members in domains that DRA does not manage. To display all group members of the EasternRegion group, enter: EA GROUP EasternRegion DISPLAY ALLMEMBERS

GROUP Example 1

To create the EasternRegion global group in the SalesRegions OU of the USRegion domain and populate that group with the members of the Boston, Phila, and NYC groups, enter the following commands:

EA GROUP EasternRegion CREATE OU:OU=SalesRegions,DC=USRegion,DC=ACME,DC=COM GLOBAL
EA GROUP EasternRegion MEMBERADD @GroupUsers(Boston),@GroupUsers(Phila),@GroupUsers(NYC)

GROUP Example 2

To create the WesternRegion group on the primary Administration server by cloning the EasternRegion group, enter:

EA /DOMAIN:USRegion /MASTER GROUP WesternRegion CREATE OU:OU=SalesRegions,DC=USRegion,DC=ACME,DC=COM CLONE:EasternRegion

GROUP Example 3

To populate the EasternRegion group with members of the Boston group, enter:

EA GROUP EasternRegion MEMBERADD @GroupUsers(Boston)

GROUP Example 4

To add all members of the TXPoliticians global group to the Friends local group, enter:

EA GROUP Friends MEMBERADD @GroupUsers(TXPoliticians)

GROUP Example 5

To remove all members of the Players group from the Cleveland group, enter:

EA GROUP Cleveland MEMBERREMOVE @GroupUsers(Players)

GROUP Example 6

To update the comment for the Programmers local group, enter:

EA GROUP Programmers UPDATE COMMENT:"very unique individuals"

GROUP Example 7

To display all instances of a SmithJL user account in any domain in a group beginning with NYC_, enter:

EA GROUP NYC_* DISPLAY *\SmithJL

GROUP Example 8

To display all groups that contain members' names beginning with the letter m, enter:

EA GROUP * DISPLAY m*

GROUP Example 9

To display a list of all groups in the Sales OU of the SW domain, enter:

EA /DOMAIN:SW GROUP * DISPLAY OU:OU=Sales,DC=Houston,DC=SW,DC=US

GROUP Example 10

To delete the Mammoth group, enter:

EA GROUP Mammoth DELETE

A.2.8 INFO Command

The INFO command displays information about the Administration server to which you are connected, the DRA client computer, and your current user account.

Required Powers and Permissions

The Administration server does not require any powers or permissions to run this command.

Syntax

EA [/DOMAIN:domain [/SERVER:computername]] INFO

Options

/DOMAIN: domain

Specifies the name of the managed domain for which you want to refresh or display the accounts and resource caches. If you do not specify this option, the CLI refreshes the cache for the domain to which the consoles most recently connected. If you have not used the CLI before and you do not specify this option, the CLI connects to the domain where your user account resides. You can use wildcard characters to specify multiple domains.

/SERVER: computername

Specifies the name of an Administration server that manages the specified domain. If you specify a domain and do not specify a server, the CLI automatically locates the best available Administration server in the specified domain. You can prefix the specified computer name with two backslashes (\\).

INFO Example 1

To display information about the NORTHEAST domain, enter:

EA /DOMAIN:NORTHEAST INFO

INFO Example 2

To display information about the NORTHEAST domain by connecting to the PIT-SERVER01 computer, enter:

EA /DOMAIN:NORTHEAST /SERVER:PIT-SERVER01 INFO

A.2.9 ROLE Command

The ROLE command displays roles and role properties, enumerates roles matching a certain name, and delegates roles to and revokes roles from AVs. Properties for a role include the name, comment, description, type, and whether the role is assigned.

You can display a role and its properties, and enumerate roles, with the DISPLAY verb. The target is interpreted as a wildcard match of role names.

A role is a set of powers that provide the permissions required to perform a specific administration task, such as creating a user account or moving shared directories. To create a role, first define the job description. The job description provides the list of powers an AA needs to perform a task or complete a workflow.

A role can contain any set of powers you specify. Because you can choose from hundreds of powers, you have the flexibility to create roles that best fit your organization.

Required Powers and Permissions

To run these commands, you must have the appropriate powers, such as those included in the built-in DRA Administration and Manage Security Model roles.

Syntax

EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AV target DELEGATE {role:} {admin:} [mode:]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AA target DISPLAY 
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] AV target REVOKE {role:} {admin:} [mode:]

Verbs

DELEGATE

Delegates a specific role to a specific admin in a given AV or AV wildcard match. The DELEGATE command can clearly distinguish the AA as a user, group, or AA Group. Specify users or groups by their Account Name or a wildcard that matches at most one user or group. Roles can be delegated or revoked, but cannot be defined.

DISPLAY

Displays any custom or built-in roles and role properties with a name matching target. Properties for a role include the name, comment, description, type, and whether the role is assigned. The name field is always returned. If you specify only "name" on the command line, only the name field is returned. By default, the other fields are displayed as well.

REVOKE

Revokes a specific role from a specific admin in a given AV or AV wildcard match. An error message is returned if the delegation is not found on the Administration server.

Options

/DOMAIN: domain

Specifies the name of the managed domain. If you do not specify this option, the CLI provides information about the domain to which the consoles last connected. If you have not used a console on this computer and you do not specify this option, the CLI connects to the domain where your user account resides. You can use wildcard characters to specify multiple domains.

/SERVER: computername

Specifies the name of an Administration server managing the specified domain. If you specify a domain without a server, the CLI automatically locates the closest Administration server in the specified domain. You can prefix the specified computer name with two backslashes (\\).

/MASTER

Specifies the primary Administration server managing the specified domain.

{ADMIN:}

Specifies the domain\Account Name match, or the AA name. This must match only one object or the command will not be processed. This required option is used with the DELEGATE and REVOKE commands.

commonfields

ALL Displays all fields.

ASSIGNED Specifies whether the role is assigned or in use.

COMMENT:"text" Specifies the comment for the ActiveView group. To display comments, specify COMMENT with the DISPLAY verb.

DESCRIPTION:"text" Specifies the description for the ActiveView group. To display descriptions, specify DESCRIPTION with the DISPLAY verb.

NAME Specifies the new AV name of the ActiveView.

TYPE Specifies the type of AV.

{ROLE:}

Specifies the role alias or role name that the client wants to assign to the target AV match. This is interpreted as a role name match. This must match only one object or the command will not be processed. This required option is used with the DELEGATE and REVOKE commands.

MODE:{B|BATCH}

Allows you to display GUID information for the specified Administration servers.

ROLE Example 1

To delegate a role to the target AV match, enter:

EA AV kt* DELEGATE role:helpdesk* admin:dep1

ROLE Example 2

To enumerate roles matching a certain name, enter:

EA ROLE "a*" DISPLAY type

A.2.10 SERVER Command

The SERVER command displays Administration server information.

Required Powers and Permissions

The Administration server does not require any powers or permissions to run this command.

Syntax

EA SERVER {BEST|MASTER|*} DISPLAY [ADVANCED]

Verbs

DISPLAY

Displays a list of Administration servers for the user's domain as well as information for each server.

Options

BEST

Specifies the closest Administration server for the user's domain. Specify an asterisk (*) to display information for all Administration servers managing the domain.

MASTER

Specifies the primary Administration server for the user's domain. Specify an asterisk (*) to display information for all Administration servers managing the domain.

ADVANCED

Allows you to display GUID information for the specified Administration servers.

SERVER Example 1

To display information about the primary Administration server for the managed domain, enter:

EA SERVER MASTER DISPLAY

SERVER Example 2

To display information, including GUID information, about all Administration servers for the managed domain, enter:

EA SERVER * DISPLAY ADVANCED

A.2.11 USER Command

The USER command allows you to create, clone, modify, display, and delete user accounts on an Administration server.

Required Powers and Permissions

The different tasks you can perform with the USER command require different powers. The following table identifies the powers you need for each task.

Tasks and Required Powers

Creating or cloning a user account:

  • Add New User to Group

  • Clone User and Modify All Properties

  • Create User and Modify All Properties

Adding a mailbox for an existing user account: Create Exchange mailbox and modify all properties.

Updating user account or mailbox properties: The powers required to update user account properties depend on what properties you want to update.

Displaying user account properties: View All User Properties

Deleting a user account: Delete User Account

Syntax

EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] USER target CREATE {OU:ouname} {PASSWORD:password} [fields] [CLONE:"username"] [mailboxfields] [MBDIRNAME] [GROUPS:"groupname"]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] USER target MBCLONE [CLONE:"username"] [Code1Variable] [MBDIRNAME]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] USER target UPDATE [fields] [mailboxfields] [wtsfields] [NAME:newname] [PASSWORD:password]
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] USER target DELETE
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] USER target GROUPS
EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] [/DELI:{TAB|x}] USER target DISPLAY {OU:ouname} [fields] [wtsfields] [displayfields]

NOTE: If the value for an option contains spaces, such as an OU name of Sales and Marketing Consultants, you must surround the option value with quotation marks. In this case, to specify a value for the OU option, type OU:OU="Sales and Marketing Consultants",DC=Houston,DC=local.

Verbs

CREATE

Creates the specified user account.

MBCLONE

Creates a mailbox for the specified user account by cloning the existing mailbox for the user account identified by the CLONE:username option.

UPDATE

Updates the specified attributes of an existing user account. You can update only the properties for which you have the required powers to modify.

GROUPS

Displays the groups to which the specified user account belongs.

DISPLAY

Displays the existing user account information. If you do not identify specific field names, the CLI displays the values for the user name, comment, and user comment fields. The CLI always displays the user name field. If you specify an OU of a Microsoft Windows 2000 domain, the CLI lists all user accounts contained in the specified OU.

DELETE

Deletes the specified user accounts.

When you delete a user, the Administration server automatically deletes all user rules that exactly match (not through a wildcard rule specification) the deleted user in all ActiveViews.

If the Recycle Bin is disabled for the specified domain, the Administration server permanently deletes the user account when you delete a user account.

If the Recycle Bin is enabled for the specified domain, the deleted user account is transferred to the Recycle Bin and can be restored or permanently deleted later.

If you permanently delete a user account, you cannot return access capabilities for that account simply by creating a new user account with the same name. Microsoft Windows uses an internal Security Identifier (SID) to refer to a user account. When you create a user account, Microsoft Windows assigns a unique SID to that account, rather than generating the SID from the user account name.

You can use policy to configure the Administration server to also delete the associated home directory or mailbox.

Options

/DOMAIN: domain

Specifies the name of the managed domain. If you do not specify this option, the CLI uses the domain to which the consoles most recently connected. If you have not used the CLI before and you do not specify this option, the CLI connects to the domain where your user account resides. You can use wildcard characters to specify multiple domains.

/SERVER: computername

Specifies the name of an Administration server that manages the specified domain. If you specify a domain and do not specify a server, the CLI automatically locates the best available Administration server in the specified domain. You can prefix the specified computer name with two backslashes (\\).

/MASTER

Specifies the primary Administration server that manages the specified domain.

/DELI:{TAB|x}

Specifies the delimiter character that the CLI uses to separate the displayed field values. This option allows you to format the output when you redirect the results to a file. You can then import the file into a database or spreadsheet program for further analysis and reporting. You can specify any delimiter character. To specify a tab as the delimiter character, type TAB.

OU: ouname

Specifies the name of a Microsoft Windows 2000 OU.

If you want to specify the name of an enterprise OU, use the following format: OU=ou,DC=domain,DC=toplevel

For example, to specify the SALES OU in the HOUSTON.LOCAL domain, type: OU:OU=SALES,DC=HOUSTON,DC=LOCAL

If you want to specify the name of a built-in OU, use the following format: CN=ou,DC=domain,DC=toplevel

For example, to specify the Users OU in the HOUSTON.LOCAL domain, type: OU:CN=Users,DC=HOUSTON,DC=LOCAL

When you create or clone a user, you must specify a Microsoft Windows 2000 OU. You do not need to specify an OU for a Microsoft Windows 2000 member server.

target

Specifies the user account name or logon name for the user account you want to create or manage. If you are creating a new user account, you must specify a single user account name. You can specify wildcard characters with all verbs except the CREATE verb. When using the DISPLAY verb, specify the target as * to list all users in the specified OU.

CLONE:"username"

Specifies the user account to use as a template for the new user account. The Administration server copies the field values and group memberships from the specified user account and uses them as defaults for the new user account. The Administration server sets any fields not specified in this USER command, except the password field, to the value of the specified user account you want to clone.

GROUPS:"groupname"

Specifies the groups to which you want to add the new user account as a member.

NAME:"name"

Specifies a new common name for the user account. This option allows you to rename an existing user account.

fields

Specifies the fields or options that you want to specify, modify, or display for the specified user account. When you specify one or more of these fields with the DISPLAY verb, specify the field name without any value. For example, to display the user account comment, specify COMMENT. You can specify the following field values:

ACTIVE:{Y|N} Specifies whether the account is enabled (Y) or disabled (N). The default is enabled (Y).

CODEPAGE:nnn Specifies the code page you want to use to display characters. The default is 0, which specifies the code page configured for the local computer.

COMMENT:"text" Specifies the comment for the user account. To display comments, specify COMMENT with the DISPLAY verb.

COUNTRYCODE:nnn Specifies the country code number. The default is 0.

DIALCALLBACK:telephonenumber Specifies the telephone number for the AdminSetCallBack value of the DIALFLAGS field.

DIALFLAGS:[DialinPrivilege,]callbacksetting Specifies the dial-in privileges for the user account. If you do not specify the DialinPrivilege option, the Administration server disables the dial-in privileges. You can use the following values for the callbacksetting value:

AdminSetCallBack Directs the server to call the user at the telephone number specified by the DIALCALLBACK field. The server calls the user back only at the specified number.

CallerSetCallBack Directs the server to prompt the user for a telephone number.

NoCallBack Disables the call back function for the user account. This is the default setting.

DISPName:"displayname" Specifies the display name of a Microsoft Windows user account.

EXPIRES:{date|NEVER} Specifies an expiration date and time for the user account. Specify dates in the following format: YYYY-MM-DD,hh:mm:ss. You can truncate the date at any point, after which the Administration server completes the specification with the lowest allowable value. For example, if you specify 2002-1, the Administration server sets the expiration date to 2002-1-01,00:00:00. If you specify NEVER, the Administration server sets no expiration date for the user account.

FIRSTNAME:"givenname" Specifies the first name of the user account.

FULLNAME:"name" Specifies the full name of a Microsoft Windows user account.

HOMEDIR:"path" Specifies the UNC path of the home directory. If you want to map a drive letter to a location, you must specify the HOMEDIRDRIVE and the HOMEDIR options to identify the mapping. DRA allows you to use %username% to represent the current target. However, when you use the %username% variable in the CLI, Microsoft Windows 2000 defines the %username% variable as the currently logged on user.

HOMEDIRDRIVE:"x:" Specifies the drive letter you want to map to the home directory (HOMEDIR:) when the user logs on. To clear the mapped home directory for a user account, specify a space instead of a drive letter.

HOMEDIRREQ:{Y|N} Specifies whether a home directory is required for a user account. The default is Yes (Y).

INITIALS:"initials" Specifies the initials of the user account.

LASTNAME:"sn" Specifies the last name of the user account.

MIDDLENAME:"middlename" Specifies the middle name of the user account.

PASSWORDCHG:{Y|N} Specifies whether the user can change the user account password. The default is Yes (Y).

PASSWORDEXPIRED:{Y|N} Specifies whether the user must change the password the next time the user logs on. The default is No (N). If you specify Yes (Y), the user must change the password. If you specify PASSWORDNOEXPIRE:Y for a user account, you cannot specify PASSWORDEXPIRED:Y for the same user account.

PASSWORDNOEXPIRE:{Y|N} Specifies whether the user account password never expires (Y). The default is No (N).

PASSWORDREQ:{Y|N} Specifies whether the user account must have a password. The default is Yes (Y).

PRIMARYGROUP:"group" Specifies the primary group for the user account. The primary group must be a global group. In addition, the user account must be a member of the group before you can specify the group as the primary group for the user account. You cannot remove a user account from the primary group. Use primary groups mainly for POSIX compatibility.

PROFILEPATH:"path" Specifies the path of the logon profile for the user account. To specify a path that ends with a backslash (\), such as "C:\PROFILE\", you must specify two backslashes: C:\PROFILE\\. A specified share cannot end with a backslash.

SCRIPTPATH:"path" Specifies the location of the logon script for the user account relative to the %SYSTEMROOT%\SYSTEM32\REPL\IMPORT\SCRIPTS directory. This script is run when the identified user logs on. Do not specify a file name with a UNC or drive letter.

TIMES:{times|ALL} Specifies the times during which a user account can log on. Specify the times value in 1-hour increments and in the following format: day[-day][,day[-day]],time[-time][,time[-time]]. Abbreviate the name of the day. Specify hour values from 0 to 24, based on a 24-hour clock. If you specify 4-8, the user can log on from 4:00 AM until 7:59 AM. If you specify ALL, the user can log on at any time of the day. If you do not specify any value, the user can never log on. Separate day and time entries with a comma (,), and separate multiple day and time entries with a semicolon (;). For example, to allow a user to log on any time except from 4:00 PM to 8:00 PM on Sundays, specify: sun,0-16;sun,20-24;mon-sat,0-24

UNLOCK:Y Unlocks a locked user account.

USERCOMMENT:"comment" Sets the user account comment. If a comment contains a space, such as "Sales and Marketing", you must surround the comment with quotation marks.

WORKSTATIONS:computername Lists as many as eight computers from which a user account can log on to the network. Separate each workstation name with a comma (,). If you do not specify any computer names, the user account can log on from any computer.

WTSProfilePath:"path" Specifies the location of the Microsoft Windows terminal services profile path for the specified user account.
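The EXPIRES truncation rule and the TIMES logon-hours syntax described above, implemented as an added Python example (not DRA code) so a script can check a value before putting it in a USER command. Two points the text does not state are assumed here: a token starting with a letter is a day and one starting with a digit is an hour range, and a lone hour h means the single slot h:00 to h:59.

```python
"""Parse the EXPIRES and TIMES field values documented above.

Added example code, not part of DRA or its documentation.
"""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

DAYS: List[str] = ["sun", "mon", "tue", "wed", "thu", "fri", "sat"]


def complete_expires(value: str) -> Optional[datetime]:
    """Expand a possibly truncated EXPIRES value to a full timestamp.

    Format: YYYY-MM-DD,hh:mm:ss.  Fields cut off at the end are completed
    with their lowest allowable value (month 1, day 1, 00:00:00), so
    "2002-1" becomes 2002-01-01 00:00:00.  NEVER means no expiry (None).
    """
    text = value.strip()
    if text.upper() == "NEVER":
        return None
    date_part, _, time_part = text.partition(",")
    date_fields = [int(f) for f in date_part.split("-") if f]
    time_fields = [int(f) for f in time_part.split(":") if f]
    if not date_fields:
        raise ValueError("EXPIRES needs at least a year: %r" % value)
    year, month, day = (date_fields + [1, 1])[:3]
    hour, minute, second = (time_fields + [0, 0, 0])[:3]
    # datetime() itself rejects out-of-range parts such as month 13.
    return datetime(year, month, day, hour, minute, second)


def _expand_days(tokens: List[str]) -> List[str]:
    """Map "mon-sat" to mon..sat and "sun" to [sun]; ranges may wrap past sat."""
    days: List[str] = []
    for tok in tokens:
        first, _, last = tok.partition("-")
        i = DAYS.index(first[:3])  # ValueError on an unknown day name
        j = DAYS.index(last[:3]) if last else i
        while True:
            days.append(DAYS[i])
            if i == j:
                break
            i = (i + 1) % 7
    return days


def _expand_hours(tokens: List[str]) -> List[Tuple[int, int]]:
    """Map "4-8" to (4, 8), i.e. 4:00 through 7:59.  Assumption: "4" -> (4, 5)."""
    ranges: List[Tuple[int, int]] = []
    for tok in tokens:
        first, _, last = tok.partition("-")
        start = int(first)
        end = int(last) if last else start + 1
        if not 0 <= start < end <= 24:
            raise ValueError("bad hour range: %r" % tok)
        ranges.append((start, end))
    return ranges


def parse_times(value: str) -> Dict[str, List[bool]]:
    """Turn a TIMES value into a per-day table of 24 allowed hour slots.

    Entries are separated by ";"; inside an entry, day ranges and hour
    ranges are separated by ",".  Assumption: letters mean a day, digits
    mean hours.  ALL allows every hour and an empty value allows none.
    """
    text = value.strip()
    if text.upper() == "ALL":
        return {d: [True] * 24 for d in DAYS}
    allowed = {d: [False] * 24 for d in DAYS}
    for entry in filter(None, (e.strip() for e in text.split(";"))):
        tokens = [t.strip().lower() for t in entry.split(",") if t.strip()]
        day_tokens = [t for t in tokens if t[0].isalpha()]
        hour_tokens = [t for t in tokens if t[0].isdigit()]
        if not day_tokens or not hour_tokens:
            raise ValueError("entry needs days and hours: %r" % entry)
        for day in _expand_days(day_tokens):
            for start, end in _expand_hours(hour_tokens):
                for hour in range(start, end):
                    allowed[day][hour] = True
    return allowed


def can_logon(allowed: Dict[str, List[bool]], day: str, hour: int) -> bool:
    """True if the table permits a logon during the given hour of the day."""
    return allowed[day.strip().lower()[:3]][hour]


if __name__ == "__main__":
    # The guide's own example: any time except 4:00 PM to 8:00 PM on Sundays.
    table = parse_times("sun,0-16;sun,20-24;mon-sat,0-24")
    for d in DAYS:
        print(d, "".join("#" if ok else "." for ok in table[d]))
    print(complete_expires("2002-1"))
```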

mailboxfields

Specifies the properties of the mailbox for the specified user account. You can use the following values to specify the mailbox properties you want to create or change.

MBALIAS:"alias" Specifies the alias for the mailbox.

MBDIRNAME:"directory" Specifies the directory where you want to store the mailbox. You can specify this field only when cloning a user account or mailbox. You cannot specify this field when using the UPDATE verb.

MBFIRSTNAME:"firstname" Specifies the first name for the mailbox.

MBLASTNAME:"lastname" Specifies the last name for the mailbox.

MBINITIALS:initials Specifies the initials for the mailbox.

wtsfields

Specifies the Windows Terminal Server (WTS) properties for the specified user account.

 

WTSALLOW:{Yes|No} Specifies whether the user can log on to the Terminal Server.

 

WTSHOMEDIR:"path" Specifies the UNC path of the home directory for the user when that user logs on to the Terminal Server. If you want to map a drive letter to the location, you must specify the WTSHOMEDIR and the WTSHOMEDIRDRIVE options. If you do not specify this option, the Administration server assigns the user account home directory to the WTSHOMEDIR option.

 

WTSHOMEDIRDRIVE:"x:" Specifies the drive letter you want to map to the WTS home directory (WTSHOMEDIR) when the user logs on to the Terminal Server. To clear the mapped WTS home directory for a user account, specify a space instead of a drive letter.

 

WTSPROFILEPATH:"path" Specifies the path and name of the user profile to use when the user logs on to Terminal Services.

 

WTSCLIENTDRIVES:{Yes|No} Specifies whether Windows Terminal Services reconnects mapped drives after the user logs on, for Citrix ICA clients. This setting does not apply to RDP clients.


WTSCLIENTPRINTERS:{Yes|No} Specifies whether the Terminal Services server downloads and installs the printer driver for the local client printer when the user logs on to a Terminal Services session.


WTSPRINTERDEFAULT:{Yes|No} Specifies whether the Terminal Services session defaults to the main client printer. Selecting this option prevents Terminal Server from downloading and installing multiple printer drivers when users log on to a Terminal Services session.

displayfields

Specifies the fields for which you want the CLI to display information. You cannot specify these fields when you create or update a user account. Use the following values to specify the information you want to display:


ALL Displays all user account fields, except the password field.

BADPWCOUNT Displays the number of invalid passwords currently outstanding for this user account. This count is cleared once the user enters a valid password.


DISPNAME Displays the display name, or friendly name, of this user account.


LASTLOGON Displays the last time the user logged on and the domain controller that validated the logon. The Administration server periodically consolidates this information from all domain controllers.


NAME Displays the name of the user account. Specify this field if you want to display only the user account name. If you specify any other fields, the CLI automatically displays the user account name.


NETWARE Displays the NetWare compatibility information of this user account. Specifying this field displays all the NetWare compatibility fields.


NUMLOGONS Displays the number of times the PDC has validated a logon attempt for that user account. The BDC also validates logon attempts, so this number is not an indicator of how many times a user actually logged on.


PASSWORDAGE Displays the time interval since the user, Administrator, or AA last set the password.


USERID Displays the RID of the user account. The RID is an internal numeric identifier for the user account.

USER Example 1

To create the JASmith user account on the primary Administration server for the SPACE domain, and add the account to the Sales Personnel group, enter:

EA /DOMAIN:SPACE /MASTER USER JASmith CREATE OU:OU=Jupiter,DC=Space,DC=com FULLNAME:"Jane A. Smith" COMMENT:President GROUPS:"Sales Personnel"

NOTE:The Administration server sets all fields (commonfields and mailboxfields) that you did not specify to the default values.

USER Example 2

To create the JohnDoe user account and mailbox on the primary Administration server for the SPACE domain by cloning the JaneDoe user account, enter:

EA /DOMAIN:SPACE /MASTER USER JohnDoe CREATE OU:OU=Jupiter,DC=Space,DC=com FULLNAME:"John Q. Doe" CLONE:JaneDoe MBALIAS:"John Doe" MBFIRSTNAME:John MBLASTNAME:Doe PASSWORD:1234 GROUPS:"Western Region"

NOTE:If you defined proxy generation rules for this domain, use the FIRSTNAME, LASTNAME, MIDDLENAME, and INITIALS fields to specify a unique email address for the target account.

USER Example 3

To unlock the JASmith user account, enter:

EA USER JASmith UPDATE UNLOCK:Y

NOTE:This example does not update any other properties.

USER Example 4

To change the LBond logon name to LDoe, and change the mailbox last name to Doe, enter:

EA USER LBond UPDATE NAME:LDoe MBLASTNAME:Doe

USER Example 5

To clone the JSmith user account mailbox to create a mailbox for the LBond user account, enter:

EA USER LBond CREATE OU:OU=agents,DC=london,DC=uk CLONE:JSmith PASSWORD:Phooey MBFIRSTNAME:Lisa MBLASTNAME:Bond

To add more information about the LBond user account, use the UPDATE verb once the Administration server completes creating the LBond user account.

USER Example 6

To display a list of all user accounts in the Sales OU of the SW domain, enter:

EA /DOMAIN:SW USER * DISPLAY OU:OU=Sales,DC=Houston,DC=SW,DC=US

USER Example 7

To save a tab-delimited list of all user accounts, along with the last logon timestamp for each user account, in the D:\TEMP\USERS.TXT file, enter:

EA /DELI:TAB USER * DISPLAY LASTLOGON > D:\TEMP\USERS.TXT

Directory and Resource Reporting provides last logon statistic reports to help you view this important last logon information.
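An export such as the one in Example 7 is only useful once something reads it. The following Python script is an added example, not part of the DRA documentation or the EA tool: it parses a tab-delimited USER DISPLAY export that also carries the PASSWORDAGE and BADPWCOUNT display fields and buckets accounts for review (not logged on within a threshold, never logged on, password older than policy, repeated bad passwords). Because this page does not document the CLI's output layout, the header row, the "YYYY-MM-DD HH:MM DCNAME" form of the LASTLOGON cell, the "Never" marker, and PASSWORDAGE being a whole number of days are all assumptions, and the sample rows are constructed.

```python
"""Review user accounts from an EA USER DISPLAY export (added example).

Not part of the DRA documentation. The column layout below is an ASSUMPTION:
a tab-delimited file (as /DELI:TAB would produce) with a header row naming the
display fields. Adjust parse_export() and parse_lastlogon() to match the real
output of your EA version.
"""
from datetime import datetime, timedelta

# Constructed sample export, standing in for D:\TEMP\USERS.TXT. Not real EA
# output; the timestamp format and the 'Never' marker are assumptions.
SAMPLE_EXPORT = (
    "NAME\tLASTLOGON\tPASSWORDAGE\tBADPWCOUNT\n"
    "JASmith\t2024-05-01 08:12 MARS\t30\t0\n"
    "LBond\tNever\t400\t0\n"
    "JohnDoe\t2024-01-10 17:45 VENUS\t200\t7\n"
    "JaneDoe\t2024-04-28 09:00 MARS\t15\t1\n"
)

# Fixed reference time so the sample audit is reproducible.
AUDIT_NOW = datetime(2024, 5, 15, 12, 0)


def parse_export(text):
    """Turn a tab-delimited export with a header row into a list of row dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def parse_lastlogon(cell):
    """Split a LASTLOGON cell into (timestamp, validating DC).

    Assumed format: 'YYYY-MM-DD HH:MM DCNAME', or a bare timestamp, or 'Never'
    for accounts that have not logged on. Returns (None, None) when no
    timestamp can be read, so callers treat it as 'never logged on'.
    """
    cell = cell.strip()
    if not cell or cell.lower() == "never":
        return None, None
    stamp, _, dc = cell.rpartition(" ")
    for candidate, dc_name in ((stamp, dc), (cell, None)):
        try:
            return datetime.strptime(candidate, "%Y-%m-%d %H:%M"), dc_name
        except ValueError:
            continue
    return None, None


def audit(rows, now, stale_days=90, max_password_age=180, bad_pw_threshold=5):
    """Sort accounts into review buckets. Threshold values are illustrative."""
    report = {"stale": [], "never_logged_on": [], "old_password": [], "lockout_risk": []}
    stale_cutoff = now - timedelta(days=stale_days)
    for row in rows:
        name = row["NAME"]
        last_logon, _dc = parse_lastlogon(row.get("LASTLOGON", ""))
        if last_logon is None:
            report["never_logged_on"].append(name)
        elif last_logon < stale_cutoff:
            report["stale"].append(name)
        # PASSWORDAGE is assumed to be reported as a whole number of days.
        if int(row.get("PASSWORDAGE", 0)) > max_password_age:
            report["old_password"].append(name)
        # BADPWCOUNT resets on a valid logon, so a high value is a current signal.
        if int(row.get("BADPWCOUNT", 0)) >= bad_pw_threshold:
            report["lockout_risk"].append(name)
    return report


def run_sample_audit():
    """Run the audit over the constructed sample at the fixed reference time."""
    return audit(parse_export(SAMPLE_EXPORT), AUDIT_NOW)


if __name__ == "__main__":
    for bucket, names in run_sample_audit().items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Accounts that have never logged on are reported separately from stale ones because the two usually get different follow-up: the former are often provisioning leftovers, the latter are candidates for disabling before deletion (see the SID warning under Example 8, which is why disabling first is the safer habit).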

USER Example 8

To delete the JASmith user account, enter:

EA USER JASmith DELETE

WARNING:If you delete a user account, you cannot restore that user's access simply by creating a new user account with the same name. Microsoft Windows 2008 or later refers to a user account by an internal Security Identifier (SID), which it assigns when the account is created; the SID is not derived from the user account name, so a new account with the same name receives a different SID.

A.2.12 WHOAMI Command

The WHOAMI command displays information, such as the total number of managed domains and user accounts, about both the DRA client computer and the Administration server. This information is often important when diagnosing problems or when reporting any problems to NetIQ Technical Support.

Required Powers and Permissions

You do not need any special powers or permissions to run this command.

Syntax

EA [/DOMAIN:domain [/SERVER:computername|/MASTER]] [/POWERS] WHOAMI

Options

/DOMAIN: domain

Specifies the name of the managed domain. If you do not specify this option, the CLI displays the information for the domain to which the consoles most recently connected. If you have not used the CLI before and you do not specify this option, the CLI connects to the domain where your user account resides. You can use wildcard characters to specify multiple domains.

/SERVER: computername

Specifies the name of an Administration server that manages the specified domain. If you specify a domain and do not specify a server, the CLI automatically locates the best available Administration server in the specified domain. You can prefix the specified computer name with two backslashes (\\).

/MASTER

Specifies the primary Administration server that manages the specified domain.

/POWERS

Displays the powers of the user account logged on to the DRA client computer. This option displays all the powers that an AA has in a domain. It does not display the powers for each ActiveView. Therefore, the AA may not have all the displayed powers in each ActiveView.

WHOAMI Example 1

To retrieve information for the MARS Administration server in the SPACE domain, enter:

EA /DOMAIN:SPACE /SERVER:MARS WHOAMI

WHOAMI Example 2

To retrieve information for the primary Administration server in the SPACE domain, enter:

EA /DOMAIN:SPACE /MASTER WHOAMI

WHOAMI Example 3

To display all the powers of the user account logged on to the Administration CLI computer, enter:

EA /POWERS WHOAMI