SUMMARY
This article describes how to use the Directory Service
command-line tools to perform administrative tasks for Active Directory in
Windows Server 2003. The following tasks are broken down into task groups.
How to Manage Users
Creating a New User Account
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsadd user userdn -samid sam_name
The following values are used in this command:
- userdn specifies the distinguished name (also known as the DN) of the
user object that you want to add.
- sam_name specifies the security account manager (SAM) name used as the
unique SAM account name for this user (for example, Linda).
- To set the password when you create the account, add the -pwd
parameter to the same command, where password is the password that is to
be used for the user account:
dsadd user userdn -samid sam_name -pwd password
If you type an asterisk instead of a password (-pwd *), dsadd prompts for the
password, so it does not appear on the command line or in the console history.
dsadd fails if the user object already exists; to change the password of an
existing account, use dsmod user (see "Resetting a User Password").
NOTE: To view the complete syntax for this command, and to obtain more
information about entering more user account information, at a command prompt,
type
dsadd user /?.
Resetting a User Password
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsmod user user_dn -pwd new_password
This command uses the following values:
- user_dn specifies the distinguished name of the user for which the
password will be reset.
- new_password specifies the password that will replace the current user
password
- If you want to require the user to change this password at
the next logon process, type the following command:
dsmod user user_dn -mustchpwd {yes|no}
NOTE: If no password is assigned, the first time the user tries to
log on (by using a blank password), the following logon message is displayed:
You are required to change your password at first logon
After the user has changed the password, the logon process
continues.
If the account is used to run services, you must also update the password
stored in each service's logon configuration and restart those services after
you change it; otherwise the services fail to start, and their repeated failed
logons can lock the account out if an account lockout policy is in effect.
NOTE: To view the complete syntax for this command, and to obtain more
information about entering more user account information, at a command prompt,
type
dsmod user /?.
Disabling or Enabling a User Account
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsmod user user_dn -disabled {yes|no}
This command uses the following values:
- user_dn specifies the distinguished name of the user object to be
disabled or enabled.
- {yes|no} specifies whether the user account is disabled for log on (yes) or
not (no).
NOTE: As a security measure, disable a user account instead of deleting it when
you want to prevent a particular user from logging on. A disabled account keeps
its SID, group memberships, and permissions, so the change can be reversed. If
you keep disabled user accounts that have common group memberships, you can also
use them as account templates to simplify user account creation.
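The user tasks above (create the account, set and later reset the password, force a change at next logon, disable rather than delete) carried out in one script. This is an added example and is not part of the original article: it is a PowerShell script that runs the same dsadd, dsmod and dsget tools the article describes, on a domain member where the Directory Service command-line tools are installed. The domain contoso.com, the OU=Sales container, the user Linda Mitchell and the group Sales Users are assumptions made for the illustration.

```powershell
# Added example, not from the original article. Runs the same ds* tools from
# PowerShell; the domain, OU, user and group names are assumed for illustration.

function Invoke-Ds {
    # Run one ds* command and stop on a non-zero exit code instead of silently
    # carrying on with a half-finished change.
    param([string]$Tool, [string[]]$Arguments)
    & $Tool @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Tool $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

$userDn  = 'CN=Linda Mitchell,OU=Sales,DC=contoso,DC=com'   # assumed
$groupDn = 'CN=Sales Users,OU=Sales,DC=contoso,DC=com'      # assumed

# Create the account. "-pwd *" makes dsadd prompt for the password so it is not
# typed on the command line (and so not left in the console history);
# -mustchpwd yes forces a change at first logon; -memberof adds the group in the
# same step, so the account never exists without its intended membership.
Invoke-Ds dsadd @(
    'user', $userDn,
    '-samid', 'lmitchell',
    '-upn', 'lmitchell@contoso.com',
    '-fn', 'Linda', '-ln', 'Mitchell', '-display', 'Linda Mitchell',
    '-pwd', '*',
    '-mustchpwd', 'yes',
    '-memberof', $groupDn
)

# Verify what was actually written before handing the account over: SAM name,
# UPN, disabled state, must-change flag, and the full (nested) group membership.
Invoke-Ds dsget @('user', $userDn, '-samid', '-upn', '-disabled', '-mustchpwd')
Invoke-Ds dsget @('user', $userDn, '-memberof', '-expand')

# Reset the password later on (prompted again) and require a change at next logon.
Invoke-Ds dsmod @('user', $userDn, '-pwd', '*', '-mustchpwd', 'yes')

# Offboarding: disable rather than delete. The SID, group memberships and ACL
# entries survive, so the step is reversible; dsrm would discard them for good.
Invoke-Ds dsmod @('user', $userDn, '-disabled', 'yes')
Invoke-Ds dsget @('user', $userDn, '-disabled')
```

The wrapper matters more than it looks: the ds* tools report failures through their exit code, and a script that ignores it can create the account but skip the group membership or the must-change flag without anyone noticing.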
Deleting a User Account
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command, where
user_dn specifies the distinguished name of the user
object to be deleted:
dsrm user_dn
dsrm asks you to confirm the deletion unless you add the -noprompt
parameter.
After you delete a user account, all of the permissions and
memberships that are associated with that user account are permanently deleted.
Because the security identifier (SID) for each account is unique, if you create
a new user account that has the same name as a previously deleted user account,
the new account receives a new SID and does not automatically assume the
permissions and memberships of the previously deleted account. To duplicate a
deleted user account, you must manually re-create all permissions and
memberships.
NOTE: To view the complete syntax for this command, and to obtain more
information about entering more user account information, at a command prompt,
type
dsrm /?.
How to Manage Groups
Creating a New Group
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsadd group group_dn -samid sam_name -secgrp {yes|no} -scope {l|g|u}
This command uses the following values:
- group_dn specifies the distinguished name of the group object that you
want to add.
- sam_name specifies the SAM name that is the unique SAM account name for
this group (for example, operators).
- {yes|no} specifies whether the group you want to add is a security group
(yes) or a distribution group (no).
- {l|g|u} specifies the scope of the group you want to add (domain local
[l], global [g], or universal [u]).
If the domain in which you are creating the group is set to the
domain functional level of
Windows 2000 mixed, you can select only security groups with domain local scopes or
global scopes.
To view the complete syntax for this command, and to
obtain more information about entering more group information, at a command
prompt, type
dsadd group /?.
Adding a Member to a Group
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsmod group group_dn -addmbr member_dn
This command uses the following values:
- group_dn specifies the distinguished name of the group object to which you
want to add the member.
- member_dn specifies the distinguished name of the object that you want to
add to the group. You can list more than one distinguished name, separated by
spaces, to add several members in one command.
In addition to users and computers, a group can contain
contacts and other groups.
To view the complete syntax for this
command, and to obtain more information about entering more user account and
group information, at a command prompt, type
dsmod group /?.
Converting a Group to Another Group Type
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsmod group group_dn -secgrp {yes|no}
This command uses the following values:
- group_dn specifies the distinguished name of the group object for which
you want to change the group type.
- {yes|no} specifies that the group type is set to security group (yes) or
distribution group (no).
To convert a group, the domain functional level must be set to
Windows 2000 native or higher. You cannot convert groups when the domain
functional level is set to
Windows 2000 mixed.
To view the complete syntax for this command, at a
command prompt, type
dsmod group /?.
Changing Group Scope
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsmod group group_dn -scope l|g|u
This command uses the following values:
- group_dn specifies the distinguished name of the group object whose
scope is to be changed.
- l|g|u specifies the scope that the group is to be set to (domain local,
global, or universal). If the domain is still set to Windows 2000 mixed, the
universal scope is not supported. A domain local group cannot be converted
directly to a global group or vice versa; convert it to universal first, and
then to the scope you want.
NOTE: You can only change group scopes when the domain functional
level is set to Windows 2000 native or higher.
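The group tasks in the sections "Creating a New Group", "Adding a Member to a Group", "Converting a Group to Another Group Type" and "Changing Group Scope", as one script. This is an added example and is not part of the original article: PowerShell around the same dsadd, dsmod and dsget commands, including the two-step scope change through universal that the article says is required because a domain local group cannot be converted directly to global or vice versa. The domain contoso.com, the OU=Groups and OU=Servers containers, the group File Server Operators and the member objects are assumptions.

```powershell
# Added example, not from the original article. PowerShell around the same
# dsadd/dsmod/dsget commands; domain, OU, group and member names are assumed.

function Invoke-Ds {
    # Run one ds* command and stop on a non-zero exit code.
    param([string]$Tool, [string[]]$Arguments)
    & $Tool @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Tool $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Set-GroupScopeViaUniversal {
    # dsmod group refuses a direct domain local <-> global change, so the change
    # is made in two steps through universal. Both steps need the domain to be at
    # Windows 2000 native functional level or higher. Each step has its own
    # rules and can still fail: global -> universal is refused while the group is
    # a member of another global group, domain local -> universal while it
    # contains another domain local group, and universal -> global while it
    # contains another universal group. Invoke-Ds throws at the first failure,
    # so the group is never left half-converted without an error.
    param(
        [string]$GroupDn,
        [ValidateSet('l', 'g')][string]$TargetScope
    )
    Invoke-Ds dsmod @('group', $GroupDn, '-scope', 'u')
    Invoke-Ds dsmod @('group', $GroupDn, '-scope', $TargetScope)
}

$groupDn = 'CN=File Server Operators,OU=Groups,DC=contoso,DC=com'   # assumed

# Create a global security group. "-secgrp yes" matters: a distribution group
# (no) cannot be used in an ACL, so permissions granted to it grant nothing.
Invoke-Ds dsadd @('group', $groupDn, '-samid', 'FileServerOperators',
                  '-secgrp', 'yes', '-scope', 'g',
                  '-desc', 'Operators of the file servers')

# -addmbr takes one or more distinguished names; users, computers, contacts and
# other groups are all valid members.
Invoke-Ds dsmod @('group', $groupDn, '-addmbr',
                  'CN=Linda Mitchell,OU=Sales,DC=contoso,DC=com',
                  'CN=FS01,OU=Servers,DC=contoso,DC=com')

# Read back type, scope and members (-expand also lists members of nested groups).
Invoke-Ds dsget @('group', $groupDn, '-secgrp', '-scope', '-members', '-expand')

# Convert the global group to domain local scope, going through universal.
Set-GroupScopeViaUniversal -GroupDn $groupDn -TargetScope 'l'
Invoke-Ds dsget @('group', $groupDn, '-scope')
```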
Deleting a Group
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsrm group_dn
This command uses the following value:
- group_dn specifies the distinguished name of the group object to be
deleted.
NOTE: If you delete the group, the group and its SID are permanently removed;
re-creating a group with the same name does not restore the permissions that
were granted to the old group.
By default, local groups that are provided automatically in domain
controllers that are running Windows Server 2003, such as Administrators and
Account Operators, are located in the Builtin folder. By default, common global
groups, such as Domain Admins and Domain Users, are located in the Users
folder. You can add or move new groups to any folder. Microsoft recommends that
you keep groups in an organizational unit folder.
To view the
complete syntax for this command, at a command prompt, type
dsrm /?.
Finding Groups in Which a User Is a Member
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsget user user_dn -memberof
This command uses the following value:
- user_dn specifies the distinguished name of the user object for which you
want to display group membership.
By default, only direct memberships are listed. Add -expand to list nested
group memberships as well, which is what you need when you check what a user
can actually access.
To view the complete syntax for this command, at a command
prompt, type
dsget user /?.
How to Manage Computers
Creating a New Computer Account
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsadd computer computer_dn
This command uses the following value:
- computer_dn specifies the distinguished name of the computer you want to add.
The distinguished name indicates the folder location.
To view the complete syntax for this command, at a command
prompt, type
dsadd computer /?.
To modify the properties of a computer account, use
the
dsmod computer command.
Adding a Computer Account to a Group
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsmod group group_dn -addmbr computer_dn
This command uses the following values:
- group_dn specifies the distinguished name of the group object to which you
want to add the computer object.
- computer_dn specifies the distinguished name of the computer object to be
added to the group. The distinguished name indicates the folder
location.
When you add computers to a group, you can assign permissions to the group
rather than to each computer account, and you can filter Group Policy settings
so that a Group Policy object applies only to the computer accounts in that
group.
To view the complete syntax
for this command, at a command prompt, type
dsmod group /?.
Resetting a Computer Account
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsmod computer computer_dn -reset
This command uses the following value:
- computer_dn specifies the distinguished names of one or more computer objects
that you want to reset.
NOTE: Resetting a computer account resets the account's password, which
breaks the secure channel between that computer and the domain. After you
reset the account, you must rejoin the computer to the domain.
To view the complete syntax for
this command, at a command prompt, type
dsmod computer /?.
Disabling or Enabling a Computer Account
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsmod computer computer_dn -disabled {yes|no}
This command uses the following values:
- computer_dn specifies the distinguished name of the computer object that you
want to disable or enable.
- {yes|no} specifies whether the computer is disabled for log on (yes) or
not (no).
When you disable a computer account, you break the computer's
connection with the domain and the computer cannot authenticate to the domain.
Unlike a reset, disabling does not change the account's password, so setting
-disabled no restores the connection without rejoining the computer.
To view the complete syntax for this command, at a command prompt,
type
dsmod computer /?.
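A common use of the computer-account commands above is to find machines that have stopped talking to the domain and disable their accounts, so they cannot be used by whatever later comes back with the old credentials. This is an added example and is not part of the original article: PowerShell around dsquery computer and dsmod computer. The 90-day threshold is an assumption; the search starts at domainroot.

```powershell
# Added example, not from the original article. PowerShell around the same
# dsquery/dsmod commands; the threshold is an assumption.

function Get-StaleComputerAccounts {
    # Computer accounts whose machine password has not been changed for
    # $StaleDays days. A domain member normally rotates it every 30 days, so a
    # password this old usually means the machine is gone or has left the
    # domain. -limit 0 removes the default cap of 100 results; domainroot
    # searches the whole domain.
    param([int]$StaleDays = 90)
    $dns = & dsquery computer domainroot -stalepwd $StaleDays -limit 0
    if ($LASTEXITCODE -ne 0) {
        throw "dsquery computer failed with exit code $LASTEXITCODE"
    }
    # dsquery prints one DN per line, wrapped in double quotes.
    return @($dns | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
}

function Disable-StaleComputerAccounts {
    # Disable rather than delete: the object, its SID and its group memberships
    # stay, so a machine that was only switched off for a while can be re-enabled
    # with "dsmod computer <dn> -disabled no". Nothing is changed unless -Apply
    # is given, so the list can be reviewed first.
    param([int]$StaleDays = 90, [switch]$Apply)
    $stale = Get-StaleComputerAccounts -StaleDays $StaleDays
    foreach ($dn in $stale) {
        Write-Host "stale password (> $StaleDays days): $dn"
    }
    if (-not $Apply) {
        Write-Host "$($stale.Count) account(s) would be disabled; rerun with -Apply."
        return $stale
    }
    foreach ($dn in $stale) {
        & dsmod computer $dn -disabled yes
        if ($LASTEXITCODE -ne 0) { Write-Warning "could not disable $dn" }
    }
    return $stale
}

# Review first, then apply.
Disable-StaleComputerAccounts -StaleDays 90
Disable-StaleComputerAccounts -StaleDays 90 -Apply
```

The same two steps can be typed as one pipeline at the prompt (dsquery computer domainroot -stalepwd 90 -limit 0 | dsmod computer -disabled yes), but the pipeline gives no chance to look at the list before it acts.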
How to Manage Organizational Units
Creating a New Organizational Unit
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsadd ou organizational_unit_dn
This command uses the following value:
- organizational_unit_dn specifies the distinguished name of the organizational unit to be
added.
To view the complete syntax for this command, at a command
prompt, type
dsadd ou /?.
NOTE: To modify the properties of an organizational unit, use the
dsmod ou command.
Deleting an Organizational Unit
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsrm organizational_unit_dn
This command uses the following value:
- organizational_unit_dn specifies the distinguished name of the organizational unit to be
deleted.
To view the complete syntax for this command, at a command
prompt, type dsrm /?.
NOTE: If you delete an organizational unit, all of the objects that it
contains are deleted. dsrm refuses to delete an organizational unit that still
contains objects unless you add the -subtree parameter, and the deletion cannot
be undone, so list the contents first (for example, with
dsquery * organizational_unit_dn).
How to Search Active Directory
Finding a User Account
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsquery user parameter
This command uses the following value:
- parameter specifies the parameter to use. For the list of parameters, see
the online help for the dsquery user command. Parameters that are useful for
account reviews include -inactive number_of_weeks (accounts that have not logged
on for that many weeks), -stalepwd number_of_days (accounts whose password is
older than that many days), and -disabled (disabled accounts).
To view the complete syntax for this command, at a command
prompt, type
dsquery user /?.
Finding a Contact
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsquery contact parameter
This command uses the following value:
- parameter specifies the parameter to use. For the list of parameters, see
the online help for the dsquery contact command.
Finding a Group
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsquery group parameter
This command uses the following value:
- parameter specifies the parameter to use. For the list of parameters, see
the online help for the dsquery group command.
Finding a Computer Account
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsquery computer -name name
This command uses the following value:
- name specifies the computer name that the command searches for. This
command searches for computers whose name attribute (the value of the CN
attribute) matches name. The value can contain the * wildcard, for example
fs* or *01.
To view the complete syntax for this command, at a command
prompt, type
dsquery computer /?.
Finding an Organizational Unit
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsquery ou parameter
This command uses the following value:
- parameter specifies the parameter to use. For the list of parameters, see
the online help for dsquery ou.
To view the complete syntax for this command, at a command
prompt, type
dsquery ou /?.
Finding a Domain Controller
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsquery server parameter
This command uses the following value:
- parameter specifies the parameter to use. There are several attributes of a
server that you can search by using this command, for example -hasfsmo to find
the holder of an operations master role or -isgc to find global catalog servers.
For the list of parameters, see online help for dsquery server.
Performing a Custom Search
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the following command:
dsquery * parameter
This command uses the following value:
- parameter specifies the parameter to use. There are several attributes that
you can search by using this command; the -filter parameter accepts an LDAP
search filter, and -attr selects the attributes to display. For more information
about LDAP searches, see the Windows Server 2003 Resource Kit.
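What a custom search with dsquery * looks like in practice, together with the dsquery user and dsquery server searches from the preceding sections. This is an added example and is not part of the original article: a PowerShell script that builds LDAP filters on the userAccountControl attribute using the bitwise-AND matching rule that Active Directory supports, so that it finds accounts whose password never expires or that are allowed an empty password. The bit values and the matching-rule OID are standard Active Directory values; the domain name contoso.com and the 12-week inactivity threshold are assumptions.

```powershell
# Added example, not from the original article. PowerShell around dsquery *,
# dsquery user and dsquery server; the domain name and thresholds are assumed.

# Bit values of the userAccountControl attribute.
$ACCOUNTDISABLE       = 0x0002
$PASSWD_NOTREQD       = 0x0020
$DONT_EXPIRE_PASSWORD = 0x10000
# LDAP extensible-match rule "bitwise AND", as supported by Active Directory.
$LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'

function Find-UsersWithUacBit {
    # Return the sAMAccountName of every user object that has $SetBit set in
    # userAccountControl and, if $ClearBit is given, does not have $ClearBit set.
    param([int]$SetBit, [int]$ClearBit = 0)
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:${LDAP_MATCHING_RULE_BIT_AND}:=$SetBit)"
    if ($ClearBit) {
        $filter += "(!(userAccountControl:${LDAP_MATCHING_RULE_BIT_AND}:=$ClearBit))"
    }
    $filter += ")"
    # -attr restricts the output to the named attribute; -limit 0 returns all hits.
    $rows = & dsquery * domainroot -filter $filter -attr sAMAccountName -limit 0
    if ($LASTEXITCODE -ne 0) { throw "dsquery * failed with exit code $LASTEXITCODE" }
    # The first output line is the attribute header; the rest hold one value each.
    return @($rows | Select-Object -Skip 1 | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# Enabled accounts whose password never expires: a password-policy bypass that
# is worth reviewing regularly.
Find-UsersWithUacBit -SetBit $DONT_EXPIRE_PASSWORD -ClearBit $ACCOUNTDISABLE

# Enabled accounts that are allowed to have an empty password.
Find-UsersWithUacBit -SetBit $PASSWD_NOTREQD -ClearBit $ACCOUNTDISABLE

# The built-in search for accounts that have not logged on for 12 weeks.
& dsquery user domainroot -inactive 12 -limit 0

# Domain controllers: all of them in the domain, then the holder of the PDC
# emulator role, then the global catalog servers.
& dsquery server -domain contoso.com
& dsquery server -hasfsmo pdc
& dsquery server -isgc
```

The bitwise filter is the part worth keeping: a plain equality match on userAccountControl (for example userAccountControl=66048) only finds accounts with exactly that combination of flags, whereas the matching-rule form finds every account that has the flag set regardless of the other bits.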