JSI Tip 4646. How do I run commands on my domain controller for every user?

Jerold Schulman

January 6, 2002



Tip 3410 General purpose Domain User Properties reporting script has the ability to run a script for all your domain users, but it is overkill for some simple functions, like setting the logon hours.

Copying from Windows 2000 CMD help, you can see that Net User and Net Group are some of the commands that can be run on a domain controller, from your workstation:

Net user

Adds or modifies user accounts or displays user account information.

net user [username [password | *] [options]] [/domain]

net user username {password | *} /add [options] [/domain]

net user username [/delete] [/domain]

Parameters

none

Used without parameters, net user displays a list of the user accounts on the computer.

username

Specifies the name of the user account to add, delete, modify, or view. The name of the user account can have as many as 20 characters.

password

Assigns or changes a password for the user's account. A password must satisfy the minimum length set with the /minpwlen option of the net accounts command. It can have as many as 127 characters. However, if you're using Windows 2000 on a network that also has computers using Windows 95 or Windows 98, consider using passwords not longer than 14 characters. Windows 95 and Windows 98 support passwords of up to 14 characters. If your password is longer, you may not be able to log on to your network from those computers.

*

Produces a prompt for the password. The password is not displayed when you type it at a password prompt.

/domain

Performs the operation on the primary domain controller of the computer's primary domain.

This parameter applies only to Windows 2000 Professional computers that are members of a Windows 2000 Server domain. By default, Windows 2000 Server computers perform operations on the primary domain controller.

Note

  • This action is taken on the primary domain controller of the computer's primary domain. This may not be the logged-on domain.

/add

Adds a user account to the user accounts database.

/delete

Removes a user account from the user accounts database.

options

Specifies the following options:

/active:{no | yes}

Enables or disables the user account. If the user account is not active, the user cannot access resources on the computer. The default is yes (active).

/comment:"text"

Provides a descriptive comment about the user's account. This comment can have as many as 48 characters. Enclose the text in quotation marks.

/countrycode:nnn

Uses the operating-system Country/Region codes to implement the specified language files for a user's Help and error messages. A value of 0 signifies the default Country/Region code.

/expires:{date | never}

Causes the user account to expire on date; never sets no time limit on the user account. Expiration dates can be in mm/dd/yy, dd/mm/yy, or mmm,dd,yy format, depending on the Country/Region code. Note that the account expires at the beginning of the date specified. Months can be a number, spelled out, or abbreviated with three letters. Years can be two or four numbers. Use commas or slashes to separate parts of the date (no spaces). If yy is omitted, the next occurrence of the date (according to your computer's date and time) is assumed. For example, the following date entries are equivalent if entered between Jan. 10, 1994, and Jan. 8, 1995:

jan,9
1/9/95
january,9,1995
1/9

/fullname:"name"

Specifies a user's full name rather than a user name. Enclose the name in quotation marks.

/homedir:path

Sets the path for the user's home directory. The path must exist.

/passwordchg:{yes | no}

Specifies whether users can change their own password. The default is yes.

/passwordreq:{yes | no}

Specifies whether a user account must have a password. The default is yes.

/profilepath:[path]

Sets a path for the user's logon profile. This path points to a registry profile.

/scriptpath:path

Sets a path for the user's logon script. The path value cannot be an absolute path; path is relative to %systemroot%\System32\Repl\Import\Scripts.

/times:{times | all}

Specifies the times the user is allowed to use the computer. The times value is expressed as day[-day][,day[-day]] ,time[-time][,time[-time]], limited to 1-hour time increments. Days can be spelled out or abbreviated (M,T,W,Th,F,Sa,Su). Hours can be 12- or 24-hour notation. For 12-hour notation, use AM, PM, or A.M., P.M. The value all means a user can always log on. A null value (blank) means a user can never log on. Separate day and time with commas, and units of day and time with semicolons (for example, M,4AM-5PM;T,1PM-3PM). Do not use spaces when designating times.

/usercomment:"text"

Specifies that an administrator add or change the "User comment" for the account. Enclose the text in quotation marks.

/workstations:{computername[,...] | *}

Lists as many as eight workstations from which a user can log on to the network. Separate multiple entries in the list with commas. If /workstations has no list, or if the list is *, the user can log on from any computer.

Net group

Adds, displays, or modifies global groups on Windows 2000 Server domains. This command is available for use only on Windows 2000 Server Domain Controllers.

net group [groupname [/comment:"text"]] [/domain]

net group groupname {/add [/comment:"text"] | /delete} [/domain]

net group groupname username[ ...] {/add | /delete} [/domain]

Parameters

none

Type net group without parameters to display the name of a server and the names of groups on the server.

groupname

Specifies the name of the group to add, expand, or delete. Supply only a group name to view a list of users in a group.

/comment:"text"

Adds a comment for a new or existing group. The comment can have as many as 48 characters. Enclose the text in quotation marks.

/domain

Performs the operation on the primary domain controller of the current domain. Otherwise, the operation is performed on the local computer.

This parameter applies only to Windows 2000 Professional computers that are members of a Windows 2000 Server domain. By default, Windows 2000 Server computers perform operations on the primary domain controller.

username[ ...]

Lists one or more user names to add to or remove from a group. Separate multiple user name entries with a space.

/add

Adds a group, or adds a user name to a group. An account must be established for users added to a group with this command.

/delete

Removes a group, or removes a user name from a group.

DomUsers.bat

I have scripted DomUsers.bat to allow you to run a command for each domain user. The syntax is:

DomUsers "Command" [ExcludeList]

where:

"Command" is a quoted string that contains the command you wish to run. In the quoted string, use a single quote (') to represent a quote ("). Use %user% to represent the user name.

ExcludeList is optional and is a list of every user name that you wish to exclude.

Example:

To set the logon script for every user except Administrator and Jerold Schulman:

DomUsers "net user %user% /scriptpath:logon.bat" Administrator "Jerold Schulman"

To add every user to the "Current Members" global group:

DomUsers "net group 'current members' %user% /add"

To pass every domain user to your test.bat, which is NOT in the path:

DomUsers "call D:\batch\test.bat %user%"

NOTE: The /domain switch is automatically added to every "Command", as the last switch. A command that does not itself take /domain, such as a called batch file, receives it as an extra argument (test.bat above gets the quoted user name as %1 and /domain as %2). Because every expanded command is sent straight to the primary domain controller under your credentials with no confirmation step, try the template with "echo %user%" first.

DomUsers.bat contains:

@echo off
if {%1}=={} @echo Syntax: Domusers "Command" [ExcludeList]&goto :EOF
setlocal
rem Build the command: drop the outer quotes, turn ' into ", append /domain as the last switch.
set command=%1
set command=%command:"=%
set command=%command:'="% /domain
rem Collect the exclude list as 25-character padded entries, terminated by a sentinel.
:loop
shift
if {%1}=={} set exclude=%exclude%1234567890123456789012345&goto users
set work=%1
set work=%work:"=%                         #
set work=%work:~0,25%
set exclude=%exclude%%work%
goto loop
:users
rem Read the user list from the PDC; each output line holds up to three 25-character columns.
for /f "Skip=4 Tokens=*" %%i in ('net user /domain^|findstr /v /c:"----"^|findstr /v /i /c:"The command completed"') do (
 set line=%%i
 call :parse
)
endlocal
goto :EOF
:strip
rem Trim the column padding and put the quoted name in %user%.
set short=%name%#
set short=%short:  =%
set short=%short: #=#%
set short=%short:#=%
set user="%short%"
set /a cnt=0
:exc
rem Walk the exclude list 25 characters at a time until the sentinel (run) or a match (skip).
for /f "Tokens=*" %%n in ('@echo %%exclude:~%cnt%^,25%%') do set char=%%n                         #
set char=%char:~0,25%
if "%char%" EQU "1234567890123456789012345" goto doit
if /i "%char%" EQU "%name%" goto :EOF
set /a cnt=%cnt% + 25
goto exc
:doit
rem Let a child cmd expand %user% inside the command, then execute the result.
for /f "Tokens=*" %%j in ('@echo %command%') do %%j
goto :EOF
:parse
set name=%line:~0,25%
call :strip
set name=%line:~25,25%
if not "%name%" EQU "" call :strip
set name=%line:~50,25%
if not "%name%" EQU "" call :strip
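The following is an added example, not part of the original tip and not JSI's DomUsers.bat: a Python 3 dry run of the same logic, so you can check what the 25-character column parsing, the case-insensitive exclusion and the quote handling will produce before anything is sent to the domain controller. The sample "net user /domain" output, the domain name EXAMPLE, the server \\DC1 and the account names in it are constructed for the example; on Windows, calling run_for_each_user with dry_run=False enumerates the real accounts and executes the expanded commands.

```python
"""Dry-run re-implementation of the DomUsers.bat logic (added example).

Mirrors the batch file: parse the fixed 25-character columns of
"net user /domain", skip excluded names case-insensitively, turn single
quotes into double quotes, substitute the quoted name for %user% and
append /domain as the last switch.
"""
import subprocess

COLUMN_WIDTH = 25   # net user prints account names in 25-character columns

# Constructed sample of what "net user /domain" prints on Windows 2000;
# the domain, server and account names are made up for this example.
SAMPLE_NET_USER_OUTPUT = "\n".join([
    "The request will be processed at a domain controller for domain EXAMPLE.",
    "",
    "User accounts for \\\\DC1",
    "",
    "-" * 79,
    "Administrator".ljust(COLUMN_WIDTH) + "Guest".ljust(COLUMN_WIDTH) + "Jerold Schulman",
    "krbtgt".ljust(COLUMN_WIDTH) + "svc_backup",
    "The command completed successfully.",
])


def parse_net_user(output):
    """Return the account names in "net user" output.

    Like the batch file's findstr filters and :parse label: ignore everything
    up to the dashed rule, stop at the completion line, and slice each
    remaining line into three 25-character columns.
    """
    names = []
    in_body = False
    for line in output.splitlines():
        if line.startswith("----"):
            in_body = True          # names begin after the dashed rule
            continue
        if not in_body or not line.strip():
            continue
        if line.lower().startswith("the command completed"):
            break
        for start in range(0, 3 * COLUMN_WIDTH, COLUMN_WIDTH):
            name = line[start:start + COLUMN_WIDTH].rstrip()
            if name:
                names.append(name)
    return names


def build_commands(template, users, exclude=()):
    """Expand the "Command" template once per user not in exclude.

    The comparison is case-insensitive, as the batch file's "if /i" is.
    The user name is substituted in double quotes, so names with spaces
    (Jerold Schulman) survive as one argument.
    """
    skip = {name.lower() for name in exclude}
    commands = []
    for user in users:
        if user.lower() in skip:
            continue
        command = template.replace("'", '"').replace("%user%", '"%s"' % user)
        commands.append(command + " /domain")
    return commands


def run_for_each_user(template, exclude=(), dry_run=True):
    """Build (and, with dry_run=False on Windows, execute) the commands.

    Returns the list of expanded command lines so a dry run can be inspected
    before the real run touches the primary domain controller.
    """
    if dry_run:
        output = SAMPLE_NET_USER_OUTPUT
    else:
        output = subprocess.run(["net", "user", "/domain"],
                                capture_output=True, text=True, check=True).stdout
    commands = build_commands(template, parse_net_user(output), exclude)
    if not dry_run:
        for command in commands:
            subprocess.run(command, shell=True, check=False)
    return commands


if __name__ == "__main__":
    for line in run_for_each_user("net user %user% /scriptpath:logon.bat",
                                  exclude=["Administrator", "Jerold Schulman"]):
        print(line)
```

The dry run prints the exact command lines the batch file would execute, which is the check to make before letting either version loose: every line goes to the primary domain controller with your credentials, and a mistyped exclusion name silently fails to match rather than erroring.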

NOTE: See tip 4647 How do I run commands on my domain controller for every member of a domain group?


