How To Use the Directory Service Command-Line Tools to Manage Active Directory Objects in Windows Server 2003
IN THIS TASK
    • SUMMARY
    • How to Manage Users
         • Creating a New User Account
         • Resetting a User Password
         • Disabling or Enabling a User Account
         • Deleting a User Account
    • How to Manage Groups
         • Creating a New Group
         • Adding a Member to a Group
         • Converting a Group to Another Group Type
         • Changing Group Scope
         • Deleting a Group
         • Finding Groups in Which a User Is a Member
    • How to Manage Computers
         • Creating a New Computer Account
         • Adding a Computer Account to a Group
         • Resetting a Computer Account
         • Disabling or Enabling a Computer Account
    • How to Manage Organizational Units
         • Creating a New Organizational Unit
         • Deleting an Organizational Unit
    • How to Search Active Directory
         • Finding a User Account
         • Finding a Contact
         • Finding a Group
         • Finding a Computer Account
         • Finding an Organizational Unit
         • Finding a Domain Controller
         • Performing a Custom Search
    • REFERENCES
Summary
This article describes how to use the Directory Service command-line
tools to perform administrative tasks for Active Directory in Windows
Server 2003. The following tasks are broken down into task groups.
How to Manage Users
Creating a New User Account
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
       dsadd user userdn -samid sam_name
    The following values are used in this command:
          • userdn specifies the distinguished name (also known
            as the DN) of the user object that you want to add.
          • sam_name specifies the security account manager
            (SAM) name used as the unique SAM account name
            for this user (for example, Linda).
 4. To specify the user account password, type the following
    command, where password is the password that is to be used for
    the user account:
       dsadd user userdn -pwd password
NOTE: To view the complete syntax for this command, and to obtain
more information about entering more user account information, at a
command prompt, type dsadd user /?.
Resetting a User Password
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
       dsmod user user_dn -pwd new_password
    This command uses the following values:
          • user_dn specifies the distinguished name of the user
            for which the password will be reset.
          • new_password specifies the password that will replace
            the current user password.
 4. If you want to require the user to change this password at the
    next logon process, type the following command:
       dsmod user user_dn -mustchpwd {yes|no}
NOTE: If a password is not assigned, the first time the user tries to log
on (by using a blank password), the following logon message is
displayed:
  You are required to change your password at first logon
After the user has changed the password, the logon process continues.
You must reset the services that are authenticated with a user account
if the password for the service's user account is changed.
NOTE: To view the complete syntax for this command, and to obtain
more information about entering more user account information, at a
command prompt, type dsmod user /?.
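The account-creation and password-reset steps above, combined into one script as an added example (not part of the original article). It passes * to -pwd so that dsadd and dsmod prompt for the password instead of taking it as a command-line argument, and it gives the SAM name and password in a single dsadd call. The script name, its new/reset arguments and the assumption that the tools return a non-zero exit code on failure are illustrative.

```batch
@echo off
rem Added example, not from the original article.
rem Hypothetical usage:
rem   setpwd.cmd new   "user_dn" sam_name
rem   setpwd.cmd reset "user_dn"
setlocal
if "%~2"=="" goto :usage
set "USER_DN=%~2"

if /i "%~1"=="new" (
    if "%~3"=="" goto :usage
    rem One dsadd call carries the SAM name and the password together.
    rem "-pwd *" makes dsadd prompt for the password, so it never appears
    rem in the command line, in a script file or in the console history.
    dsadd user "%USER_DN%" -samid "%~3" -pwd * -mustchpwd yes
) else if /i "%~1"=="reset" (
    rem Same prompt behaviour for a reset; the user must choose a new
    rem password at the next logon.
    dsmod user "%USER_DN%" -pwd * -mustchpwd yes
) else goto :usage

rem Assumption: the ds* tools return a non-zero exit code on failure.
if errorlevel 1 exit /b 1

rem Read the account back to confirm the resulting state.
dsget user "%USER_DN%" -samid -mustchpwd -disabled
exit /b %errorlevel%

:usage
echo Usage: %~nx0 new "user_dn" sam_name
echo        %~nx0 reset "user_dn"
exit /b 2
```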
Disabling or Enabling a User Account
  1. Click Start, and then click Run.
  2. In the Open box, type cmd.
  3. At the command prompt, type the following command:
       dsmod user user_dn -disabled {yes|no}
     This command uses the following values:
           • user_dn specifies the distinguished name of the user
             object to be disabled or enabled.
           • {yes|no} specifies whether the user account is disabled
             for log on (yes) or not (no).
NOTE: As a security measure, instead of deleting that user's account,
you can disable user accounts to prevent a particular user from
logging on. If you disable user accounts that have common group
memberships, you can use disabled user accounts as account
templates to simplify user account creation.
Deleting a User Account
  1. Click Start, and then click Run.
  2. In the Open box, type cmd.
 3. At the command prompt, type the following command, where
    user_dn specifies the distinguished name of the user object to be
    deleted:
       dsrm user_dn
After you delete a user account, all of the permissions and
memberships that are associated with that user account are
permanently deleted. Because the security identifier (SID) for each
account is unique, if you create a new user account that has the same
name as a previously deleted user account, the new account does not
automatically assume the permissions and memberships of the
previously deleted account. To duplicate a deleted user account, you
must manually re-create all permissions and memberships.
NOTE: To view the complete syntax for this command, and to obtain
more information about entering more user account information, at a
command prompt, type dsrm /?.
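Because a deleted account's group memberships cannot be recovered by re-creating the name, the following added example (not part of the original article) records them with dsget user -memberof and then disables the account instead of deleting it. The script name, the default output file name and the assumption that the tools return a non-zero exit code on failure are illustrative; only memberships are saved, not permissions granted directly to the account.

```batch
@echo off
rem Added example, not from the original article.
rem Hypothetical usage: offboard.cmd "user_dn" [output_file]
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 "user_dn" [output_file]
    exit /b 2
)
set "USER_DN=%~1"
set "OUT=%~2"
rem Assumed default file name when none is given.
if not defined OUT set "OUT=memberof_before_disable.txt"

rem 1. Save the DNs of the groups the user belongs to. After dsrm this
rem    list can no longer be read from the directory.
dsget user "%USER_DN%" -memberof > "%OUT%"
rem Assumption: the ds* tools return a non-zero exit code on failure.
if errorlevel 1 (
    echo Could not read group membership for "%USER_DN%"
    exit /b 1
)

rem 2. Disable the account. The object and its SID remain in place, so
rem    the change can be undone with -disabled no.
dsmod user "%USER_DN%" -disabled yes
if errorlevel 1 exit /b 1

rem 3. Confirm the new state.
dsget user "%USER_DN%" -samid -disabled

echo Group membership saved to "%OUT%".
echo Run dsrm only when the account is certain not to be needed again.
exit /b 0
```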
How to Manage Groups
Creating a New Group
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
       dsadd group group_dn -samid sam_name -secgrp yes | no -scope l | g | u
    This command uses the following values:
          • group_dn specifies the distinguished name of the
            group object that you want to add.
          • sam_name specifies the SAM name that is the unique
            SAM account name for this group (for example,
            operators).
          • yes | no specifies whether the group you want to add
            is a security group (yes) or a distribution group (no).
          • l | g | u specifies the scope of the group you want to
            add (domain local [l], global [g], or universal [u]).
If the domain in which you are creating the group is set to the domain
functional level of Windows 2000 mixed, you can select only security
groups with domain local scopes or global scopes.
To view the complete syntax for this command, and to obtain more
information about entering more group information, at a command
prompt, type dsadd group /?.
Adding a Member to a Group
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
       dsmod group group_dn -addmbr member_dn
    This command uses the following values:
          • group_dn specifies the distinguished name of the
            group object to which you want to add the member.
          • member_dn specifies the distinguished name of the
            object that you want to add to the group.
In addition to users and computers, a group can contain contacts and
other groups.
To view the complete syntax for this command, and to obtain more
information about entering more user account and group information,
at a command prompt, type dsmod group /?.
Converting a Group to Another Group Type
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
       dsmod group group_dn -secgrp {yes|no}
    This command uses the following values:
          • group_dn specifies the distinguished name of the
            group object for which you want to change the group
            type.
          • {yes|no} specifies that the group type is set to security
            group (yes) or distribution group (no).
To convert a group, the domain functionality must be set to Windows
2000 Native or higher. You cannot convert groups when the domain
functionality is set to Windows 2000 Mixed.
To view the complete syntax for this command, at a command
prompt, type dsmod group /?.
Changing Group Scope
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
       dsmod group group_dn -scope l|g|u
    This command uses the following values:
          • group_dn specifies the distinguished name of the
            group object whose scope will be changed.
          • l|g|u specifies the scope that the group is to be set to
            (local, global or universal). If the domain is still set to
            Windows 2000 mixed, the universal scope is not
            supported. Also, it is not possible to convert a domain
            local group to global group or vice versa.
    NOTE: You can only change group scopes when the domain
    functional level is set to Windows 2000 native or higher.
Deleting a Group
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
       dsrm group_dn
    This command uses the following value:
          • group_dn specifies the distinguished name of the
            group object to be deleted.
NOTE: If you delete the group, the group is permanently removed.
By default, local groups that are provided automatically in domain
controllers that are running Windows Server 2003, such as
Administrators and Account Operators, are located in the Builtin
folder. By default, common global groups, such as Domain Admins
and Domain Users, are located in the Users folder. You can add or
move new groups to any folder. Microsoft recommends that you keep
groups in an organizational unit folder.
To view the complete syntax for this command, at a command
prompt, type dsrm /?.
Finding Groups in Which a User Is a Member
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
      dsget user user_dn -memberof
    This command uses the following value:
          • user_dn specifies the distinguished name of the user
            object for which you want to display group
            membership.
To view the complete syntax for this command, at a command
prompt, type dsget user /?.
How to Manage Computers
Creating a New Computer Account
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
      dsadd computer computer_dn
    This command uses the following value:
          • computer_dn specifies the distinguished name of the
            computer you want to add. The distinguished name
            indicates the folder location.
To view the complete syntax for this command, at a command
prompt, type dsadd computer /?.
To modify the properties of a computer account, use the dsmod
computer command.
Adding a Computer Account to a Group
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
      dsmod group group_dn -addmbr computer_dn
    This command uses the following values:
          • group_dn specifies the distinguished name of the
            group object to which you want to add the computer
            object.
          • computer_dn specifies the distinguished name of the
            computer object to be added to the group. The
            distinguished name indicates the folder location.
When you add a computer to a group, you can assign permissions to
all of the computer accounts in that group, and then filter Group
Policy settings on all accounts in that group.
To view the complete syntax for this command, at a command
prompt, type dsmod group /?.
Resetting a Computer Account
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
      dsmod computer computer_dn -reset
    This command uses the following value:
          • computer_dn specifies the distinguished names of one
            or more computer objects that you want to reset.
NOTE: When you reset a computer account, you break the computer's
connection to the domain. You must rejoin the computer to the
domain after you reset its computer account.
To view the complete syntax for this command, at a command
prompt, type dsmod computer /?.
Disabling or Enabling a Computer Account
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
      dsmod computer computer_dn -disabled {yes|no}
    This command uses the following values:
          • computer_dn specifies the distinguished name of the
            computer object that you want to disable or enable.
          • {yes|no} specifies whether the computer is disabled for
            log on (yes) or not (no).
When you disable a computer account, you break the computer's
connection with the domain and the computer cannot authenticate to
the domain.
To view the complete syntax for this command, at a command
prompt, type dsmod computer /?.
How to Manage Organizational Units
Creating a New Organizational Unit
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
      dsadd ou organizational_unit_dn
    This command uses the following value:
          • organizational_unit_dn specifies the distinguished
            name of the organizational unit to be added.
To view the complete syntax for this command, at a command
prompt, type dsadd ou /?.
NOTE: To modify the properties of an organizational unit, use the
dsmod ou command.
Deleting an Organizational Unit
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
       dsrm organizational_unit_dn
    This command uses the following value:
          • organizational_unit_dn specifies the distinguished
            name of the organizational unit to be deleted.
    To view the complete syntax for this command, at a command
    prompt, type dsrm /?.
    NOTE: If you delete an organizational unit, all of the objects that
    it contains are deleted.
How to Search Active Directory
Finding a User Account
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
       dsquery user parameter
    This command uses the following value:
          • parameter specifies the parameter to use. For the list
            of parameters, see the online help for the dsquery user
            command.
To view the complete syntax for this command, at a command
prompt, type dsquery user /?.
Finding a Contact
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
      dsquery contact parameter
    This command uses the following value:
          • parameter specifies the parameter to use. For the list
            of parameters, see the online help for the dsquery user
            command.
Finding a Group
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
      dsquery group parameter
    This command uses the following value:
          • parameter specifies the parameter to use. For the list
            of parameters, see the online help for the dsquery user
            command.
By default, local groups that are provided automatically in domain
controllers that are running Windows Server 2003, such as
Administrators and Account Operators, are located in the Builtin
folder. By default, common global groups, such as Domain Admins
and Domain Users, are located in the Users folder. You can add or
move new groups to any folder. Microsoft recommends that you keep
groups in an organizational unit folder.
Finding a Computer Account
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
      dsquery computer -name name
    This command uses the following value:
          • name specifies the computer name that the command
            searches for. This command searches for computers
            whose name attribute (the value of the CN attribute)
            matches name.
To view the complete syntax for this command, at a command
prompt, type dsquery computer /?.
Finding an Organizational Unit
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
      dsquery ou parameter
    This command uses the following value:
          • parameter specifies the parameter to use. For the list
            of parameters, see the online help for dsquery ou.
To view the complete syntax for this command, at a command
prompt, type dsquery ou /?.
Finding a Domain Controller
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
      dsquery server parameter
    This command uses the following value:
          • parameter specifies the parameter to use. There are
            several attributes of a server that you can search by
            using this command. For the list of parameters, see
            online help for dsquery server.
Performing a Custom Search
 1. Click Start, and then click Run.
 2. In the Open box, type cmd.
 3. At the command prompt, type the following command:
      dsquery * parameter
    This command uses the following value:
          • parameter specifies the parameter to use. There are
            several attributes that you can search by using this
            command. For more information about LDAP searches,
            see the Windows Server 2003 Resource Kit.
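The search commands in this section take concrete parameters in practice. The following added example (not part of the original article) is a read-only account-hygiene review that uses dsquery user, dsquery computer and a custom dsquery * LDAP filter, and pipes dsquery output into dsget. The 8-week and 90-day thresholds are assumed values; every option used is listed in the /? help of the respective command.

```batch
@echo off
rem Added example, not from the original article. All commands are
rem read-only queries; nothing in the directory is modified.
setlocal
rem Assumed review thresholds; adjust them to local policy.
set "WEEKS=8"
set "DAYS=90"

echo --- Disabled user accounts
dsquery user domainroot -disabled -limit 0

echo --- User accounts inactive for %WEEKS% weeks or more
dsquery user domainroot -inactive %WEEKS% -limit 0

echo --- User accounts whose password is older than %DAYS% days
dsquery user domainroot -stalepwd %DAYS% -limit 0

echo --- Computer accounts inactive for %WEEKS% weeks or more
dsquery computer domainroot -inactive %WEEKS% -limit 0

rem Custom search: users flagged "password never expires".
rem 65536 is that bit in userAccountControl, and
rem 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
echo --- User accounts with non-expiring passwords
dsquery * domainroot -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -attr sAMAccountName distinguishedName -limit 0

rem dsquery prints distinguished names; dsget reads them from standard
rem input, so the two commands can be chained without a temporary file.
echo --- Status of the inactive user accounts
dsquery user domainroot -inactive %WEEKS% -limit 0 | dsget user -samid -disabled -pwdneverexpires
```

The value -limit 0 removes the default cap on the number of returned objects, so the lists are complete.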
References
For additional information about the Directory Services command-line
tools in Windows Server 2003, click Start, click Help and Support
Center, and then type "directory service" "command-line" tools in the
Search box.
Last Updated: Jul 7, 2018