
Objects in Windows Server 2003

This article summarizes how to use the Directory Service command-line tools to perform common administrative tasks for Active Directory such as managing users, groups, and computer accounts. Key tasks include creating, modifying, disabling, and deleting users, groups, and computer accounts. The document provides step-by-step instructions for performing each task using common Directory Service commands like dsadd, dsmod, and dsrm.

Uploaded by

armaanonscribd
Copyright
© Attribution Non-Commercial (BY-NC)

10/6/2009 How To Use the Directory Service Co…

Article ID: 322684 - Last Review: December 3, 2007 - Revision: 8.4


How To Use the Directory Service Command-Line Tools to Manage
Active Directory Objects in Windows Server 2003
This article was previously published under Q322684

SUMMARY

This article describes how to use the Directory Service command-line tools to
perform administrative tasks for Active Directory in Windows Server 2003. The following tasks are broken down into
task groups.

How to Manage Users


Creating a New User Account

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsadd user userdn -samid sam_name

   The following values are used in this command:
      userdn specifies the distinguished name (also known as the DN) of the user object that you want to add.
      sam_name specifies the security account manager (SAM) name used as the unique SAM account name for this user (for example, Linda).
4. To specify the user account password, type the following command, where password is the password that is to be used for the user account:

      dsadd user userdn -pwd password

NOTE: To view the complete syntax for this command, and to obtain more
information about entering more user account information, at a command prompt, type dsadd user /?.

Resetting a User Password

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsmod user user_dn -pwd new_password

   This command uses the following values:
      user_dn specifies the distinguished name of the user for which the password will be reset.
      new_password specifies the password that will replace the current user password.
4. If you want to require the user to change this password at the next logon process, type the following command:

      dsmod user user_dn -mustchpwd {yes|no}

NOTE: If a password is not assigned, the first time the user tries to log on (by using a blank password), the following logon message is displayed:

   You are required to change your password at first logon

After the user has changed the password, the logon process continues.

You must reset the services that are authenticated with a user account if the password for the service's user account
is changed.

NOTE: To view the complete syntax for this command, and to obtain more information about entering more user
account information, at a command prompt, type dsmod user /?.

Disabling or Enabling a User Account

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsmod user user_dn -disabled {yes|no}

   This command uses the following values:
      user_dn specifies the distinguished name of the user object to be disabled or enabled.
      {yes|no} specifies whether the user account is disabled for log on (yes) or not (no).

NOTE: As a security measure, instead of deleting that user's account, you can
disable user accounts to prevent a particular user from logging on. If you disable user accounts that have common
group memberships, you can use disabled user accounts as account templates to simplify user account creation.

Deleting a User Account

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command, where user_dn specifies the distinguished name of the user object to be deleted:

      dsrm user_dn

After you delete a user account, all of the permissions and memberships that are
associated with that user account are permanently deleted. Because the security identifier (SID) for each account is
unique, if you create a new user account that has the same name as a previously deleted user account, the new
account does not automatically assume the permissions and memberships of the previously deleted account. To
duplicate a deleted user account, you must manually re-create all permissions and memberships.

NOTE: To view the complete syntax for this command, and to obtain more information about entering more user
account information, at a command prompt, type dsrm /?.

How to Manage Groups


Creating a New Group

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsadd group group_dn -samid sam_name -secgrp yes | no -scope l | g | u

   This command uses the following values:
      group_dn specifies the distinguished name of the group object that you want to add.
      sam_name specifies the SAM name that is the unique SAM account name for this group (for example, operators).
      yes | no specifies whether the group you want to add is a security group (yes) or a distribution group (no).
      l | g | u specifies the scope of the group you want to add (domain local [l], global [g], or universal [u]).

If the domain in which you are creating the group is set to the domain functional
level of Windows 2000 mixed, you can select only security groups with domain local scopes or global scopes.

To view the complete syntax for this command, and to obtain more information about entering more group
information, at a command prompt, type dsadd group /?.

Adding a Member to a Group

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsmod group group_dn -addmbr member_dn

   This command uses the following values:
      group_dn specifies the distinguished name of the group object to which you want to add the member.
      member_dn specifies the distinguished name of the object that you want to add to the group.

In addition to users and computers, a group can contain contacts and other
groups.

To view the complete syntax for this command, and to obtain more information about entering more user account
and group information, at a command prompt, type dsmod group /?.

Converting a Group to Another Group Type

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsmod group group_dn -secgrp {yes|no}

   This command uses the following values:
      group_dn specifies the distinguished name of the group object for which you want to change the group type.
      {yes|no} specifies that the group type is set to security group (yes) or distribution group (no).

To convert a group, the domain functionality must be set to Windows 2000 Native or higher. You cannot convert groups when the domain functionality is set to Windows 2000 Mixed.

To view the complete syntax for this command, at a command prompt, type dsmod group /?.

Changing Group Scope

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsmod group group_dn -scope l|g|u

   This command uses the following values:
      group_dn specifies the distinguished name of the group object whose scope will be changed.
      l|g|u specifies the scope that the group is to be set to (local, global, or universal). If the domain is still set to Windows 2000 mixed, the universal scope is not supported. Also, it is not possible to convert a domain local group to a global group or vice versa.

NOTE: You can only change group scopes when the domain functional level is set to Windows 2000 native or higher.

Deleting a Group

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsrm group_dn

   This command uses the following value:
      group_dn specifies the distinguished name of the group object to be deleted.

NOTE: If you delete the group, the group is permanently removed.

By default, local groups that are provided automatically in domain controllers that are running Windows Server
2003, such as Administrators and Account Operators, are located in the Builtin folder. By default, common global
groups, such as Domain Admins and Domain Users, are located in the Users folder. You can add or move new
groups to any folder. Microsoft recommends that you keep groups in an organizational unit folder.

To view the complete syntax for this command, at a command prompt, type dsrm /?.

Finding Groups in Which a User Is a Member

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsget user user_dn -memberof

   This command uses the following value:
      user_dn specifies the distinguished name of the user object for which you want to display group membership.

To view the complete syntax for this command, at a command prompt, type
dsget user /?.
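
The user and group procedures above combined into one batch script, as an added example that is not part of the original article. The distinguished names, SAM name and output file name are constructed placeholders, and -pwd * (prompt for the password instead of typing it on the command line) is a dsadd user option that this page does not show.

```bat
@echo off
rem Added example, not from the original article.
rem "provision" creates a user and adds it to a group; "offboard" records
rem the user's memberships and disables the account instead of deleting it.
rem All names below are constructed placeholders.
setlocal

set "USER_DN=CN=Linda Example,OU=Staff,DC=example,DC=com"
set "USER_SAM=linda"
set "GROUP_DN=CN=Operators Example,OU=Groups,DC=example,DC=com"

if /i "%~1"=="provision" goto :provision
if /i "%~1"=="offboard" goto :offboard
echo Usage: %~nx0 provision ^| offboard
exit /b 2

:provision
rem -pwd * makes dsadd prompt for the password, so it is not stored in
rem this file or visible in the command line. -mustchpwd yes forces the
rem user to replace it at first logon.
dsadd user "%USER_DN%" -samid %USER_SAM% -pwd * -mustchpwd yes
if errorlevel 1 (
    echo dsadd user failed; no group membership was changed.
    exit /b 1
)
dsmod group "%GROUP_DN%" -addmbr "%USER_DN%"
if errorlevel 1 exit /b 1
echo Created %USER_SAM% and added the account to the group.
exit /b 0

:offboard
rem Save the memberships first: if the account is ever deleted, they are
rem lost with its SID and must be re-created by hand.
dsget user "%USER_DN%" -memberof > "%USER_SAM%-memberof.txt"
if errorlevel 1 exit /b 1
rem Disabling blocks logon but keeps the SID, permissions and memberships.
dsmod user "%USER_DN%" -disabled yes
if errorlevel 1 exit /b 1
echo Disabled %USER_SAM%; memberships saved to %USER_SAM%-memberof.txt
exit /b 0
```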

How to Manage Computers

Creating a New Computer Account

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsadd computer computer_dn

   This command uses the following value:
      computer_dn specifies the distinguished name of the computer you want to add. The distinguished name indicates the folder location.

To view the complete syntax for this command, at a command prompt, type
dsadd computer /?.

To modify the properties of a computer account, use the dsmod computer command.

Adding a Computer Account to a Group

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsmod group group_dn -addmbr computer_dn

   This command uses the following values:
      group_dn specifies the distinguished name of the group object to which you want to add the computer object.
      computer_dn specifies the distinguished name of the computer object to be added to the group. The distinguished name indicates the folder location.

When you add a computer to a group, you can assign permissions to all of the
computer accounts in that group, and then filter Group Policy settings on all accounts in that group.

To view the complete syntax for this command, at a command prompt, type dsmod group /?.

Resetting a Computer Account

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsmod computer computer_dn -reset

   This command uses the following value:
      computer_dn specifies the distinguished names of one or more computer objects that you want to reset.

NOTE: When you reset a computer account, you break the computer's connection to the domain. You must rejoin the computer to the domain after you reset its account.

To view the complete syntax for this command, at a command prompt, type dsmod computer /?.

Disabling or Enabling a Computer Account

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsmod computer computer_dn -disabled {yes|no}

   This command uses the following values:
      computer_dn specifies the distinguished name of the computer object that you want to disable or enable.
      {yes|no} specifies whether the computer is disabled for log on (yes) or not (no).

When you disable a computer account, you break the computer's connection with
the domain and the computer cannot authenticate to the domain.

To view the complete syntax for this command, at a command prompt, type dsmod computer /?.


How to Manage Organizational Units


Creating a New Organizational Unit

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsadd ou organizational_unit_dn

   This command uses the following value:
      organizational_unit_dn specifies the distinguished name of the organizational unit to be added.

To view the complete syntax for this command, at a command prompt, type
dsadd ou /?.

NOTE: To modify the properties of an organizational unit, use the dsmod ou command.

Deleting an Organizational Unit

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsrm organizational_unit_dn

   This command uses the following value:
      organizational_unit_dn specifies the distinguished name of the organizational unit to be deleted.

To view the complete syntax for this command, at a command prompt, type dsrm /?.

NOTE: If you delete an organizational unit, all of the objects that it contains are deleted.

How to Search Active Directory


Finding a User Account

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsquery user parameter

   This command uses the following value:
      parameter specifies the parameter to use. For the list of parameters, see the online help for the dsquery user command.

To view the complete syntax for this command, at a command prompt, type
dsquery user /?.

Finding a Contact

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsquery contact parameter

   This command uses the following value:
      parameter specifies the parameter to use. For the list of parameters, see the online help for the dsquery user command.

Finding a Group

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsquery group parameter

   This command uses the following value:
      parameter specifies the parameter to use. For the list of parameters, see the online help for the dsquery user command.

By default, local groups that are provided automatically in domain controllers that are running Windows Server 2003, such as Administrators and Account Operators, are located in the Builtin folder. By default, common global groups, such as Domain Admins and Domain Users, are located in the Users folder. You can add or move new groups to any folder. Microsoft recommends that you keep groups in an organizational unit folder.

Finding a Computer Account

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsquery computer -name name

   This command uses the following value:
      name specifies the computer name that the command searches for. This command searches for computers whose name attribute (the value of the CN attribute) matches name.

To view the complete syntax for this command, at a command prompt, type
dsquery computer /?.

Finding an Organizational Unit

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsquery ou parameter

   This command uses the following value:
      parameter specifies the parameter to use. For the list of parameters, see the online help for dsquery ou.

To view the complete syntax for this command, at a command prompt, type
dsquery ou /?.

Finding a Domain Controller

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsquery server parameter

   This command uses the following value:
      parameter specifies the parameter to use. There are several attributes of a server that you can search by using this command. For the list of parameters, see online help for dsquery server.

Performing a Custom Search

1. Click Start, and then click Run.
2. In the Open box, type cmd.
3. At the command prompt, type the following command:

      dsquery * parameter

   This command uses the following value:
      parameter specifies the parameter to use. There are several attributes that you can search by using this command. For more information about LDAP searches, see the Windows Server 2003 Resource Kit.
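
The search procedures above leave the parameter open; the batch script below is an added example, not part of the original article, that fills it in for a read-only account review. The thresholds (8 weeks, 90 days) and the output folder name are assumptions, and the parameters used (-inactive, -stalepwd, -disabled, -limit, -filter, -attr, and dsget group -members -expand) come from the tools' own help rather than from this page.

```bat
@echo off
rem Added example, not from the original article: read-only review of
rem accounts that deserve attention. Nothing in the directory is modified.
rem Thresholds and the output folder name are illustrative assumptions.
setlocal
set "OUT=ad-review"
if not exist "%OUT%" mkdir "%OUT%"

rem -limit 0 lifts the default cap of 100 returned objects, so large
rem domains are not silently truncated.

rem User accounts that have not logged on for 8 weeks or more.
dsquery user domainroot -inactive 8 -limit 0 > "%OUT%\inactive-users.txt"
if errorlevel 1 goto :failed

rem User accounts whose password has not changed for 90 days or more.
dsquery user domainroot -stalepwd 90 -limit 0 > "%OUT%\stale-passwords.txt"
if errorlevel 1 goto :failed

rem Disabled user accounts (for example, template or offboarded accounts).
dsquery user domainroot -disabled -limit 0 > "%OUT%\disabled-users.txt"
if errorlevel 1 goto :failed

rem Computer accounts that have not logged on for 8 weeks or more.
dsquery computer domainroot -inactive 8 -limit 0 > "%OUT%\inactive-computers.txt"
if errorlevel 1 goto :failed

rem Custom LDAP search: users flagged "password never expires"
rem (userAccountControl bit 65536, tested with the bitwise-AND rule).
dsquery * domainroot -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -attr sAMAccountName distinguishedName -limit 0 > "%OUT%\password-never-expires.txt"
if errorlevel 1 goto :failed

rem Effective members of Domain Admins, including nested groups.
dsquery group domainroot -name "Domain Admins" | dsget group -members -expand > "%OUT%\domain-admins.txt"
if errorlevel 1 goto :failed

echo Review files written to %OUT%
exit /b 0

:failed
echo A directory query failed; the files in %OUT% are incomplete.
exit /b 1
```

Each dsquery result is a list of distinguished names, so a reviewed list can be fed to dsget or dsmod for follow-up.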

REFERENCES

For additional information about the Directory Services command-line tools in Windows Server 2003, click Start, click Help and Support Center, and then type "directory service" "command-line" tools in the Search box.

APPLIES TO

Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Small Business Server 2003 Premium Edition
Microsoft Windows Small Business Server 2003 Standard Edition

Keywords: kbactivedirectory kbactivedirectory kbhowtomaster KB322684


©2009 Microsoft

support.microsoft.com/kb/322684 7/7
