Active Directory Command Line Utilities




Csvde
Import and export Active Directory data using comma-separated values (CSV) format.


Dsadd
Add users, groups, computers, contacts, and organizational units to Active Directory.


Dsmod
Modify an existing object of a specific type in the directory. The types of objects that can be modified are: users, groups, computers, servers, contacts, and organizational units.


Dsrm
Remove objects of the specified type from Active Directory.


Dsmove
Rename an object without moving it in the directory tree, or move an object from its current location in the directory to a new location within a single domain. (For cross-domain moves, use the Movetree command-line tool.)


Dsquery
Query and find a list of objects in the directory using specified search criteria. Use it in generic mode to query for any type of object, or in a specialized mode to query for selected object types. The specific types of objects that can be queried through this command are: computers, contacts, subnets, groups, organizational units, sites, servers, and users.


Dsget
Display selected attributes of specific object types in Active Directory. Attributes of the following object types can be viewed: computers, contacts, subnets, groups, organizational units, servers, sites, and users.


Ldifde
Create, modify, and delete directory objects. This tool can also be used to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services.


Ntdsutil
General-purpose Active Directory management tool. Use Ntdsutil to perform database maintenance of Active Directory, to manage single-master (FSMO) operations, and to remove metadata left behind by domain controllers that were removed from the network without being properly demoted.
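The ds* tools are meant to be chained: dsquery finds objects and prints their DNs, dsget reads DNs from stdin and prints attributes. The following is an added example, not code from the original page, showing that pipeline for the checks a reviewer typically runs first on a domain (privileged group membership, stale accounts, a point-in-time export). It needs the RSAT command-line tools on a domain-joined host; the domain DN and the OU name are assumptions, everything else is documented dsquery/dsget/ldifde syntax.

```powershell
# Added example (not from the original page): dsquery | dsget pipelines and an
# ldifde export for a quick domain review. The DN and OU below are assumptions.
$DomainDN = 'DC=contoso,DC=local'          # assumption
$ExportOU = "OU=Staff,$DomainDN"           # assumption

# 1. Domain Admins membership with nested groups expanded. dsquery emits DNs on
#    stdout; dsget reads DNs from stdin, which is what makes the pipe work.
$admins = dsquery group $DomainDN -samid 'Domain Admins' | dsget group -members -expand

# 2. Of those accounts, which are disabled or exempt from password expiry?
$admins | dsget user -samid -disabled -pwdneverexpires

# 3. Accounts with no logon in 8 weeks; -limit 0 removes the default 100-row cap.
dsquery user $DomainDN -inactive 8 -limit 0

# 4. Machine accounts whose password has not rotated in 90 days (decommissioned
#    or cloned hosts that still hold a valid domain credential).
dsquery computer $DomainDN -stalepwd 90 -limit 0

# 5. Point-in-time export of one OU's user objects for offline diffing.
#    -r is an LDAP filter, -l the attribute list; the output is LDIF, so it can
#    be re-imported with "ldifde -i" if the OU ever has to be rebuilt.
ldifde -f "$env:TEMP\staff-users.ldf" -d $ExportOU -r '(objectClass=user)' -l 'sAMAccountName,memberOf,userAccountControl,pwdLastSet'
```

The exported LDIF and the dsget output are plain text, so keeping a dated copy of each run gives you something to diff against after a suspected change to privileged groups.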

Authoritative Restore

Restore from DSRM


For this to work, Windows Server Backup must already have taken a system state backup of the domain controller (system state includes the ntds.dit database and its transaction logs). Schedule these before they are needed; a DC with no backup has nothing to restore from.


Browsing the Backups and the NTDS.dit file


A snapshot of the directory database can be taken manually with ntdsutil. This is a VSS shadow copy of the volume holding ntds.dit, not a Windows Server Backup backup; it is useful for seeing what the directory contained at a point in time without touching the live database. From an elevated command prompt:

ntdsutil: activate instance ntds

ntdsutil: snapshot

snapshot: create

snapshot: list all


list all prints an index number and a GUID for each snapshot, followed by one line per volume ("C: {GUID}"). Select the GUID of the snapshot you want and mount it:


snapshot: mount {GUID}


The snapshot is mounted as a folder in the root of the system drive, named C:\$SNAP_<timestamp>_VOLUMEC$, and can be browsed like any other folder. Treat that folder as sensitive while it exists: it is a complete copy of the database, including every password hash in the domain.


The ntds.dit inside the mounted snapshot can then be served as an LDAP directory with dsamain. Exit ntdsutil (quit until the prompt returns) and run:


dsamain -dbpath c:\$SNAP_65168161358_VOLUMEC$\Windows\ntds\ntds.dit -ldapport 5000


dsamain keeps running in the foreground for as long as the database is mounted. The snapshot copy can now be browsed from dsa.msc: right-click the root node, choose "Change Domain Controller" and enter dc1.contoso.local:5000 (this DC's name and the port given to dsamain). Press Ctrl+C in the dsamain window to stop serving it when finished.


Performing an Authoritative Restore

If an OU, user, group or any other object has been deleted and needs to be restored authoritatively, the DC first has to be taken into DSRM; the full walkthrough follows in the next section.


Restart the DC in DSRM (Directory Services Restore Mode)


Open an elevated CMD and run:


bcdedit /set safeboot dsrepair

shutdown /r /t 0

Restore AD from backup

To restore AD this way, Windows Server Backup must be running system state (or full volume) backups that include the ntds.dit file on the DC; wbadmin get versions (further down) lists the ones it can see.


To browse the backups/NTDS snapshots, start ntdsutil and enter the snapshot context:



Activate instance ntds

Snapshot


List all


Identify the snapshot and copy the GUID to be mounted


Snapshot> Mount {GUID}


You can browse the mounted snapshot (C:\$SNAP_<timestamp>_VOLUMEC$) and copy files out of it if needed. You can also serve the NTDS file within it over LDAP.

Note the path of the NTDS.dit file within it for the next part.


dsamain -dbpath c:\$SNAP_465746_VOLUME_C$\windows\ntds\ntds.dit -ldapport 5000


From dsa.msc you can now "Change Domain Controller" and point it at dc1.contoso.local:5000 to browse the mounted copy of the AD database. Stop dsamain (Ctrl+C) before unmounting.


To un-mount, back in the ntdsutil snapshot context:


Unmount {GUID}
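The two snapshot walkthroughs above (create, list, mount, dsamain, browse, unmount) as one script, added here as an example and not code from the original page. It answers the question a mounted snapshot is usually mounted for: what changed in Domain Admins between then and now. It runs elevated on the DC and assumes LDAP port 5000 (as on the page), the default database path under Windows\NTDS, and the layout of ntdsutil's text output that the two regular expressions scrape; check those once against a manual "ntdsutil snapshot "list all" quit quit" on your build. It queries over plain LDAP with ADSI rather than the ActiveDirectory module, because the module talks to Active Directory Web Services, which a dsamain-mounted database does not provide.

```powershell
# Added example (not from the original page): create, mount, serve, query and
# unmount an AD snapshot. Assumptions: port 5000, default DB path, and the
# ntdsutil output format matched by the regexes below.

$LdapPort = 5000   # assumption: any free port works

function Get-GroupMemberDNs([string]$LdapPath, [string]$GroupSam) {
    # Plain LDAP via ADSI; LDAP://host:port/DN also works for dsamain instances.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]$LdapPath, "(&(objectClass=group)(sAMAccountName=$GroupSam))", @('member'))
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "Group $GroupSam not found under $LdapPath" }
    @($hit.Properties['member'] | ForEach-Object { [string]$_ })
}

# 1. Create a snapshot and take the per-volume GUID ("N: C: {guid}") of the
#    newest one, which "list all" prints last.
ntdsutil 'activate instance ntds' snapshot create quit quit | Out-Null
$listing = ntdsutil snapshot 'list all' quit quit
$volumeGuid = ($listing | Select-String -Pattern '^\s*\d+:\s+[A-Z]:\s+(\{[0-9a-fA-F-]+\})' |
    Select-Object -Last 1).Matches[0].Groups[1].Value
if (-not $volumeGuid) { throw "No volume snapshot GUID found in:`n$($listing -join "`n")" }

# 2. Mount it; ntdsutil reports the mount point, e.g. C:\$SNAP_201503241822_VOLUMEC$\
$mountOut = ntdsutil snapshot "mount $volumeGuid" quit quit
$mountPath = ($mountOut | Select-String -Pattern '([A-Z]:\\\$SNAP_[^\s\\]+\$\\?)' |
    Select-Object -First 1).Matches[0].Groups[1].Value
if (-not $mountPath) { throw "Snapshot $volumeGuid did not mount:`n$($mountOut -join "`n")" }
$dit = Join-Path $mountPath 'Windows\NTDS\ntds.dit'   # assumption: default DB location

# 3. Serve the snapshot's ntds.dit over LDAP in the background. dsamain never
#    touches the live database.
$dsamain = Start-Process dsamain -ArgumentList "-dbpath `"$dit`" -ldapport $LdapPort" -PassThru -NoNewWindow
Start-Sleep -Seconds 10   # give dsamain time to open the database and start listening

try {
    # 4. Domain Admins then (snapshot) versus now (live DC).
    $domainDN = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $then = Get-GroupMemberDNs "LDAP://localhost:$LdapPort/$domainDN" 'Domain Admins'
    $now  = Get-GroupMemberDNs "LDAP://$domainDN" 'Domain Admins'
    Compare-Object $then $now | ForEach-Object {
        $tag = if ($_.SideIndicator -eq '=>') { 'ADDED since snapshot' } else { 'REMOVED since snapshot' }
        '{0,-22} {1}' -f $tag, $_.InputObject
    }
}
finally {
    # 5. Stop dsamain, then unmount so a full copy of the database (every
    #    password hash in the domain) is not left browsable on disk.
    Stop-Process -Id $dsamain.Id -Force
    ntdsutil snapshot "unmount $volumeGuid" quit quit | Out-Null
}
```

The try/finally matters more than the query: a snapshot left mounted is an offline copy of ntds.dit that anyone with local file access can copy away, so unmount even when the comparison fails.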


Restore AD from directory service recovery mode


If an OU, user, group or any other object is deleted from AD, you will need to perform an authoritative restore by rebooting into DSRM:


Bcdedit /set safeboot dsrepair


Shutdown /r /t 0


Server reboots


To identify the backup, run:


Wbadmin get versions


Copy the version identifier, which wbadmin prints as MM/DD/YYYY-HH:MM (the example below is 24 March 2015)


Run a non-authoritative restore. This puts the backed-up database back on the DC; on its own it changes nothing lasting, because replication from the other DCs would simply overwrite it again with the current state, which is why the next step follows before the DC boots normally.


Wbadmin start systemstaterecovery -version:03/24/2015-18:22


Run an authoritative restore, while the DC is still in DSRM (with safeboot set, even a restart lands back in DSRM). This raises the version numbers of the selected objects so they win when replication resumes. Use restore subtree for an OU and everything under it, or restore object for a single object:



ntdsutil

Activate instance ntds

authoritative restore

restore subtree "ou=test,dc=contoso,dc=local"

quit

quit


If the restored objects were members of groups, ntdsutil also writes a text file and an LDIF file (ar_*) in the current directory for restoring those group back-links with ldifde; keep them.



Reset boot method


Bcdedit /deletevalue safeboot


Shutdown /r /t 0
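The DSRM restore above as a script, added here as an example and not code from the original page, so that the wbadmin version identifier and the ntdsutil commands are not typed by hand under pressure. It is run from an elevated PowerShell on the DC after it has been booted into DSRM and you are logged on as the DSRM administrator. The OU DN, the choice of the newest backup, and the way a DN containing spaces is quoted on the ntdsutil command line are assumptions; adjust the first two and verify the third interactively before relying on it.

```powershell
# Added example (not from the original page): non-authoritative system state
# restore followed by an authoritative restore of one DN, all inside DSRM.
# Assumptions: the DN below, "newest backup is the right one", and the \"...\"
# quoting of the DN for ntdsutil.
param(
    [string]$RestoreDN = 'OU=test,DC=contoso,DC=local',   # assumption: what to bring back
    [switch]$SingleObject                                  # use "restore object" instead of "restore subtree"
)

# 1. Guard: everything below is only safe in DSRM.
$boot = bcdedit /enum '{current}' | Out-String
if ($boot -notmatch 'safeboot\s+DsRepair') {
    throw 'Not in DSRM. Run "bcdedit /set safeboot dsrepair" and "shutdown /r /t 0" first.'
}

# 2. Find the backups wbadmin can see. Each is printed as
#    "Version identifier: MM/DD/YYYY-HH:MM", oldest first; take the newest.
$versions = wbadmin get versions |
    Select-String -Pattern 'Version identifier:\s*(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
if (-not $versions) { throw 'wbadmin reports no backups for this DC.' }
$version = @($versions)[-1]
Write-Host "Non-authoritative system state restore from $version"

# 3. Non-authoritative restore. -quiet suppresses the prompts; -autoReboot is
#    deliberately not given, because the authoritative marking has to happen
#    before the DC boots normally again.
wbadmin start systemstaterecovery "-version:$version" -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

# 4. Mark the object(s) authoritative so they win when replication resumes.
#    The DN is wrapped in \"...\" so a DN with spaces survives command-line
#    parsing (assumed; check once interactively on your build).
$verb = if ($SingleObject) { 'restore object' } else { 'restore subtree' }
$ntdsArgs = '"activate instance ntds" "authoritative restore" "' + $verb + ' \"' + $RestoreDN + '\"" quit quit'
$p = Start-Process -FilePath ntdsutil -ArgumentList $ntdsArgs -Wait -NoNewWindow -PassThru
if ($p.ExitCode -ne 0) { throw "ntdsutil exited with $($p.ExitCode); read its output before rebooting" }

# ntdsutil writes ar_*_links_*.ldf / ar_*_objects.txt in the current directory
# when the restored objects had group memberships; they are needed for ldifde.
Get-ChildItem -Path . -Filter 'ar_*' -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host "Back-link file to keep: $($_.FullName)" }

# 5. Leave DSRM and boot normally; the restored objects replicate outbound.
bcdedit /deletevalue safeboot
Restart-Computer -Force
```

Read the ntdsutil output before the final reboot: it states how many objects were marked, and a count of zero means the DN was wrong and a normal boot would just replicate the deletion back in.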

Active Directory Compaction Script

Compaction Script


@echo off
REM Offline compaction of ntds.dit on Windows Server 2008 or later, where AD DS is a
REM restartable service. Run elevated on the DC, with a verified backup taken first.
ECHO To compact the NTDS.dit file for this domain controller the following
ECHO working folders are used (created if missing):
ECHO   C:\Temp          compacted copy
ECHO   C:\OriginalNTDS  copy of the original database, kept until the new one checks out
if not exist C:\Temp mkdir C:\Temp
if not exist C:\OriginalNTDS mkdir C:\OriginalNTDS
del /q C:\Temp\*.dit
del /q C:\OriginalNTDS\*.dit

net stop ntds /y
ntdsutil "activate instance NTDS" files "compact to C:\Temp" quit quit

REM Only replace the live database if the compacted copy was actually produced.
if not exist C:\Temp\ntds.dit (
    ECHO Compaction failed; the original database was not touched.
    net start ntds
    exit /b 1
)

cd /d %SystemRoot%\NTDS
copy ntds.dit C:\OriginalNTDS\
REM The old transaction logs belong to the old file and must not be replayed into the new one.
del /q *.log
del ntds.dit
copy C:\Temp\ntds.dit .

REM Verify the new file before bringing AD DS back online.
ntdsutil "activate instance NTDS" files integrity quit "semantic database analysis" "go fixup" quit quit

ECHO Check the integrity and semantic analysis output above. If either reported
ECHO errors, copy C:\OriginalNTDS\ntds.dit back before continuing.
ECHO To restart AD DS press Enter.
pause
net start ntds
ECHO Compacting finished.