
3.13. Command Line Utilities

In this section, I'll look at several ways you can manage file, print, and user services from the command line.

3.13.1. Using Shares

Sometimes it's inconvenient to use the Windows GUI to map a drive; this is a problem particularly in logon scripts. How do you use a batch file to tell the mouse pointer to move over to My Network Places? Fortunately, there's a better way. The net use command enables you to map any drive to any server on your network, and in some cases, outside networks, too. The syntax is:

    net use drive \\server\share

Here are some common examples that you should find useful.

To map drive H to Lisa Johnson's home directory on server MERCURY:

    net use H: \\mercury\users\lmjohnson

To map the first available drive letter to the same directory:

    net use * \\mercury\users\lmjohnson

Sometimes you might need to connect to a share on a domain that isn't trusted by your home domain. If you have an account on that domain, you can use it to connect, like so:

    net use H: \\foreignmachine\sharename /user:foreigndomain\username

(If you need to use a password, you'll be prompted for it.)

If you need to terminate a connection or mapping to a server, use the /d switch:

    net use \\mercury\users\lmjohnson /d

To disconnect all drive mappings on the local machine:

    net use * /d

To connect to a foreign machine (152.1.171.133 in this example) over the Internet or an intranet without relying on name resolution:

    net use H: \\152.1.171.133\c$

You also can use a different account with the IP address:

    net use H: \\152.1.171.133\c$ /user:hasselltech\hassell

You can also specify that this mapping applies to the current session only and is not restored upon logon. The feature behind this is one that I call map persistency: keeping the same mappings across login sessions, a big timesaver for your users. To make a mapping nonpersistent:

    net use H: \\152.1.171.133\c$ /persistent:no
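
As an added example (not part of the original text), the batch file below combines the mappings from this section into a script that clears a stale mapping, checks each result, and never stores a password. Naming each home folder after %USERNAME% is an assumption; the server, share, and account names are the ones used above, and the untrusted-domain step needs an interactive console for the password prompt.

```batch
@echo off
rem Added example; not part of the original text.
rem \\mercury\users comes from the examples above. Naming each home
rem folder after the logon name (%USERNAME%) is an assumption.
setlocal
set "HOMESHARE=\\mercury\users\%USERNAME%"

rem Drop any mapping left on H: from an earlier session so the new
rem mapping does not fail because the letter is already in use.
net use H: >nul 2>&1
if not errorlevel 1 net use H: /d /y >nul

rem Map H: for this session only; the script runs again at next logon.
net use H: "%HOMESHARE%" /persistent:no >nul
if errorlevel 1 (
    echo Could not map H: to %HOMESHARE% 1>&2
    exit /b 1
)

rem Untrusted domain: name the account with /user: and put * in the
rem password position so net use prompts for it. A password typed
rem into the script would be readable by anyone who can read the file.
rem foreignmachine, sharename, and foreigndomain\username are the
rem placeholders used in the text above.
net use * \\foreignmachine\sharename * /user:foreigndomain\username /persistent:no
if errorlevel 1 echo Mapping to foreignmachine failed 1>&2

rem List the resulting mappings so the output can be captured in a log.
net use
endlocal
```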

3.13.2. FSUTIL

To set up default quotas and modify them using the command line, type the following at the prompt:

    fsutil quota modify [VolumeOrDrive] [warninglevel] [hardquota] [username]

replacing the text in brackets with the appropriate information as specified in the following list:


VolumeOrDrive

The drive letter or volume name of the disk on which you want to modify a quota. Volume names are tricky to specify because you must do so using the globally unique identifier (GUID), which can be a long string of seemingly random numbers.


warninglevel

The amount of space at which warnings will be recorded in the system event log.


hardquota

The amount of space at which users will reach their maximum allowed disk space.


username

The user to which this quota specification applies.

Using fsutil.exe, you can create scripts to automatically set quota entries upon new-user creation to work around the limitation of assigning quotas to groups, as described earlier in this chapter. fsutil.exe can help you access functionality more quickly and efficiently than you can by using the GUI interface. The following examples, designed to run from a command line, illustrate the quota functionality available through fsutil.exe.

To disable quota support on drive C:

    fsutil quota disable C:

To enable quota support on drive E:

    fsutil quota enforce E:

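To set a 250MB quota for Lisa Johnson (user ID lmjohnson) on drive C, with a warning level of 200MB (a value chosen here for illustration, because the syntax above requires both a warning level and a hard quota):

    fsutil quota modify C: 200000000 250000000 lmjohnson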

To list the current quotas set on drive D:

    fsutil quota query D:

To track the disk usage (in other words, to list which users are taking up what amount or portion of space) on drive F:

    fsutil quota track F:

To list all users over quota on any volume on the server:

    fsutil quota violations
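
The scripted quota assignment mentioned above could look like the following batch file, an added example that is not part of the original text. The script name newquota.cmd, the 200000000-byte warning level, the volume list, and the assumption that the account is a domain account are all illustrative; the 250000000-byte limit is the figure used in the text.

```batch
@echo off
rem Added example; not part of the original text.
rem Usage (hypothetical script name): newquota.cmd lmjohnson
rem The 250000000-byte limit is the figure used in the text; the
rem 200000000-byte warning level and the volume list are assumptions.
setlocal
set "QUSER=%~1"
set "WARN=200000000"
set "HARD=250000000"
set "VOLUMES=C: E:"

if "%QUSER%"=="" (
    echo Usage: %~nx0 username 1>&2
    exit /b 2
)

rem Fail early with a clear message if the domain account is missing,
rem for example because of a typo in the name.
net user "%QUSER%" /domain >nul 2>&1
if errorlevel 1 (
    echo Account %QUSER% not found in the domain 1>&2
    exit /b 1
)

set "FAILED=0"
for %%V in (%VOLUMES%) do call :setquota %%V
if "%FAILED%"=="1" exit /b 1
echo Quota entries written for %QUSER%.
exit /b 0

:setquota
rem Argument order follows the syntax above: volume, warning level,
rem hard quota, user name.
fsutil quota modify %1 %WARN% %HARD% %QUSER%
if errorlevel 1 (
    echo Failed to set quota on %1 1>&2
    set "FAILED=1"
)
goto :eof
```

Running fsutil quota query against each volume afterward confirms the entries that were written.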

3.13.3. ABECMD

ABECMD is the command-line counterpart to the access-based enumeration add-in to Windows Server 2003. You can enable access on a specific shared folder, on all shared folders on the current computer, or on shared folders on another machine. The syntax works like this:


abecmd /enable "Users Folder"

Enables ABE on the "Users Folder" shared folder


abecmd /enable /all

Enables ABE on all shared folders on the current machine


abecmd /disable "Users Folder"

Disables ABE on the "Users Folder" shared folder


abecmd /enable 192.168.0.2 "Common"

Enables ABE on the "Common" shared folder residing on the machine at IP address 192.168.0.2

3.13.4. Managing Offline Folders

To make a share's contents available offline from the command line, at a prompt type:

    net share nameofshare /CACHE:[manual | documents | programs | none]

/CACHE:manual enables manual client caching of programs and documents from this share. /CACHE:documents enables automatic caching of documents from this share. /CACHE:programs enables automatic caching of documents and programs (distinguished by their file extension) from this share. /CACHE:none disables caching from this share.

3.13.5. VSSADMIN

The GUI for managing shadow copies is somewhat complete; however, it lacks the ability to specify on what disk or volume shadow copies are stored. Also, an administrator cannot delete specific shadow copy files using the GUI. This might be needed if a user creates an incorrect version of a file, then leaves and another worker comes back the next day. An administrator might need to delete the previous version as soon as possible so that the new user doesn't inadvertently work from the incorrect version.

The vssadmin.exe command-line utility was created to offer administrators the ability to control these factors. I'll now walk through several examples.

This command specifies that storage for shadow copies (known as an association) of drive C: will be stored on drive D::

    vssadmin Add ShadowStorage /For=C: /On=D: /MaxSize=150MB

The maximum space the association can occupy on the shadow copy storage volume is 150 MB. If a value is not specified, there is no limit to the amount of space shadow copies can use. Shadow copies require at least 100 MB of space, and you can specify the maximum amount in KB, MB, GB, TB, PB, and EB, although it's assumed if you don't use a suffix, the value is in bytes.

This command creates a new shadow copy of drive E::

    vssadmin Create Shadow /For=E: /AutoRetry=2

The /AutoRetry switch dictates that if another process is attempting to make shadow copies at the same time vssadmin is attempting to make them, the utility will keep trying for two minutes.

This command deletes the oldest shadow copy on drive C::

    vssadmin Delete Shadows /For=C: /Oldest

You can use the /all switch to instead delete all shadow copies that can be deleted. You also can specify a specific shadow copy to delete by using /Shadow=ID, where ID is the hexadecimal number you obtain through the List Shadows command, covered later in this section.

This command deletes the storage space on drive D: that is used to store shadow copies of drive C::

    vssadmin Delete ShadowStorage /For=C: /On=D:

If you leave off the /On switch, all shadow copy storage associations for drive C: will be deleted.

This command modifies the maximum size for a shadow-copy storage association between drives C: and D::

    vssadmin Resize ShadowStorage /For=C: /On=D: /MaxSize=150MB

Again, the maximum size has to be 100 MB or more. If you decrease the maximum size, older shadow copies can be deleted to make room for more recent shadow copies.

Here are some other useful commands:

This command lists registered volume shadow copy providers:

    vssadmin List Providers

This command lists existing volume shadow copies and their ID numbers, for use with the Delete Shadows command:

    vssadmin List Shadows

This command shows the disks that are eligible to support shadow copy functionality:

    vssadmin List ShadowStorage

3.13.6. NTBACKUP

To back up to a file or tape from the command line, use:

    ntbackup backup [systemstate] "@FileName.bks" /J "JobName" [/P "PoolName"] [/G
    "GUIDName"] [/T "TapeName"] [/N "MediaName"] [/F "FileName"] [/D "SetDescription"] [/DS
    "ServerName"] [/IS "ServerName"] [/A] [/V:yes | no] [/R:yes | no] [/L:f | s | n] [/M
    "BackupType"] [/RS:yes | no] [/HC:on | off] [/SNAP:on | off]

Table 3-3 explains the various options.

Table 3-3. NTBACKUP command-line options

| Option | Explanation |
|---|---|
| @FileName.bks | Specifies the name of the backup selection file (.bks file) to be used. The @ character must precede the name of the backup selection file. The .bks file must be created using the GUI version of NTBACKUP, and is essentially a summary of what set of files a particular job is supposed to back up. Alternatively, you could supply the path to the drive or file to back up, for example, D:\. |
| /J "JobName" | Specifies the job name to be filled in the post-backup report. |
| /F "FileName" | If you back up to a file, this specifies the path of that file. You cannot use the /P, /G, and /T switches when using /F. |
| /T "TapeName" | If you back up to a tape, this specifies the tape to which to overwrite or append data. |
| /P "PoolName" | If you back up to a tape, this specifies the media pool to use. This is usually a subpool of the media specified with the /N switch. You cannot use the /A, /G, /F, and /T switches when using /P. |
| /G "GUIDName" | If you back up to a tape, this specifies the tape to which to overwrite or append data. You cannot use the /P switch when using /G. |
| /N "MediaName" | If you back up to a tape, this specifies the new tape name. You cannot use the /A switch when using /N. |
| /A | If you back up to a tape, this specifies to perform an append operation. You must use either the /G or /T switch when using /A. You cannot use the /P switch when using /A. |
| /D "SetDescription" | Specifies a label for each backup. |
| /DS "ServerName" | Backs up the directory service information and contents for an Exchange Server machine. |
| /IS "ServerName" | Backs up the Information Store on an Exchange Server computer. |
| /V:yes \| no | Specifies whether to perform a verification pass when the backup is complete. |
| /R:yes \| no | Restricts access to the tape to members of the Administrators group only. |
| /L:f \| s \| n | Specifies the type of log file to be written. "f" indicates a full file, "s" indicates a summary, and "n" instructs NTBACKUP not to write any logs. |
| /M "BackupType" | Specifies the type of backup. Replace BackupType with one of the following: copy, daily, differential, incremental, or normal. |
| /RS:yes \| no | Backs up the migrated data files located in Remote Storage. (This also is backed up when you select the system root folder to be included in a job.) |
| /HC:on \| off | If available, uses hardware compression for the job. |
| /SNAP:on \| off | Specifies whether to use a volume shadow copy for the backup. |
| Systemstate | Includes system state data (registry and other critical system information) in the backup. |


Using NTBACKUP from the command line has two important limitations. One, you cannot restore files, and two, you cannot back up system state data on a remote computer.

Actually, you can back up system state data on a remote computer; check out Hack 93 in Mitch Tulloch's book Windows Server Hacks (O'Reilly).


Switches /V, /R, /L, /M, /RS, and /HC default to the setting in the GUI version of Backup unless you explicitly set them on the command line.

3.13.6.1. Sample scenarios

In this section, I'll offer some possibilities for automating backups using the command line. You should find that it's easy to modify the examples provided here (if they don't fit your needs as-is) to extend their capabilities.

The first example executes a normal backup named "Nightly" of the network share \\winsrv-1\c$. This example selects media from the Tapes pool and names the tape "Nightly NTBACKUP 1." The description of the backup job is "Standard evening backup." A verification pass is done, access to the tape is open to all, only a summary log is produced, Remote Storage data is not backed up, and hardware compression is used.

    ntbackup backup \\winsrv-1\c$ /m normal /j "Nightly" /p "Tapes" /n "Nightly NTBACKUP 1" /d "Standard evening backup" /v:yes /r:no /l:s /rs:no /hc:on

The next example starts a copy backup named "Lunchtime" of the E: drive on the server itself. The backed-up files and folders are appended to the tape named "Nightly NTBACKUP 1." Because no other switches are present, the default settings in the GUI version of Backup are used.

    ntbackup backup e:\ /j "Lunchtime" /a /t "Nightly NTBACKUP 1" /m copy

The following example performs a backup using the GUI Backup program's current settings. The program looks at the file weekend-backup.bks, located in the C:\Program Files\Windows NT\ntbackup\data\ directory, to select the particular data to back up. The backup job is named "Weekend" and it overwrites the tape named "Weekend NTBACKUP 1" with the new name "Weekend NTBACKUP 2." It also includes system state information.

    ntbackup backup systemstate "@C:\Program Files\Windows NT\ntbackup\data\weekend-backup.bks" /j "Weekend" /t "Weekend NTBACKUP 1" /n "Weekend NTBACKUP 2"

The final example backs up a remote share to a file named backup.bkf using the Backup program's default values for the backup type, verification setting, logging level, hardware compression, and access restrictions:

    ntbackup backup \\win-srv2\acctg$ /j "To File on MWF" /f "E:\backup.bkf"

When running this command again, if you want to append another backup to the existing file, simply add the /a switch as shown. Otherwise, you will overwrite the existing file automatically.

    ntbackup backup \\ntsrv-5\sales-execs$ /j "To File on TH" /f "E:\backup.bkf" /a

3.13.7. CIPHER

You can control encryption from the command line using the CIPHER utility, located in %SystemRoot%\System32:

  • To encrypt a folder using the command line, run cipher /e foldername.

  • To decrypt a folder using the command line, run cipher /d foldername.

  • To encrypt a folder and all its subdirectories recursively, run cipher /e /s:foldername.

  • To encrypt a single file within a directory, run cipher /e /a filename.

  • To decrypt a single file within a directory, run cipher /d /a filename.

  • To create a user's file encryption key before the first encryption request is submitted, run cipher /k.

  • To generate an EFS recovery agent, allowing a user other than the one who encrypted a file or folder to decrypt it in emergency situations, run cipher /r:filename. Here, filename represents the name of a file without its extension, because the command will generate both a .PFX file containing the certificate and private key and a .CER file containing only the certificate.

You also can decrypt files and folders quickly from the command line if you are the recovery agent for those folders or the user who originally encrypted the objects. Use the cipher command with the /u and /a switches. For example, to decrypt a file called man_ch3r3.doc, issue the following command:

    cipher /u /a man_ch3r3.doc

Table 3-4 lists other command-line arguments for the CIPHER utility.

Table 3-4. Miscellaneous command-line CIPHER switches

| Argument | Function |
|---|---|
| /F | Forces an encryption function to encrypt all files, regardless of whether they are encrypted already. |
| /H | Displays hidden and system files, which are left out by default, in the listing of files that are affected by an action. |
| /I | Ignores errors that normally stop an encryption function. |
| /N | Prevents keys from being updated. Used mainly to locate all encrypted files on a specified volume. Works only with /U. |
| /Q | Displays only essential information when an action is completed. |
| /U | Hits all encrypted files on a volume and updates the user's encryption key if it has changed. Works only with /N. |
| /W | Removes any data from available, noncommitted portions of a volume. This is an exclusive option. No other switches are acknowledged when /W is used. |


3.13.8. Printing from the Command Line

You can accomplish some of the more basic printing functions through the command line, which makes it easier for an administrator to script printer configuration and mapping for logon/logoff scripts and other batch automation procedures.

The following example commands perform a variety of printing functions:

  • To print a text file called employees.txt to a printer on LPT1:

        print /d:LPT1 employees.txt
    

  • To print a text file called phonelist.txt in the HR directory to the front office laser printer on the server Lisa:

        print /d:\\lisa\frnt-laser c:\public\hr\phonelist.txt
    

  • To view the current jobs in the print queue for the front office laser:

        net print \\lisa\frnt-laser
    

  • To view information on job 902 (based on the output of the preceding command):

        net print \\lisa 902
    

  • To hold, release, or delete job 902 (use /release or /delete in place of /hold):

        net print \\lisa 902 /hold
    

  • To manually assign physical port LPT1: to a network printer:

        net use lpt1: \\lisa\frnt-laser
    

  • To view information on a network printer mapped to the physical port LPT1:

        net use lpt1:
    

  • To start or stop the printer spooler:

        net start spooler
        net stop spooler
    

