Help for
Directory Service command line tools
Windows XP SP 2
Microsoft Windows XP [Version 5.1.2600]
| DSADD |
|
This tool's commands add specific types of objects to the directory |
| DSGET |
|
This tool's commands display the selected properties of a specific object in the directory |
| DSMOD |
|
This dsmod command modifies existing objects in the directory |
| DSMOVE |
|
This command moves or renames an object within the directory |
| DSQUERY |
|
This tool's commands suite allow you to query the directory according to specified criteria |
| DSRM |
|
This command deletes objects from the directory |
DSADD
Description: This tool's commands add specific types of objects to the
directory. The dsadd commands:
dsadd_computer - adds a computer to the directory.
dsadd_contact - adds a contact to the directory.
dsadd_group - adds a group to the directory.
dsadd_ou - adds an organizational unit to the directory.
dsadd_user - adds a user to the directory.
dsadd_quota - adds a quota specification to a directory partition.
For help on a specific command, type "dsadd <ObjectType> /?" where
<ObjectType> is one of the supported object types shown above.
For example, dsadd ou /?.
Remarks:
Commas that are not used as separators in distinguished names must be
escaped with the backslash ("\") character
(for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com").
Backslashes used in distinguished names must be escaped with a backslash
(for example,
"CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,DC=com").
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsadd computer
Description: Adds a computer to the directory.
Syntax: dsadd computer <ComputerDN> [-samid <SAMName>] [-desc <Description>]
[-loc <Location>] [-memberof <Group ...>]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<ComputerDN> Required. Specifies the distinguished name (DN) of
the computer you want to add.
If the target object is omitted, it will be taken
from standard input (stdin).
-samid <SAMName> Sets the computer SAM account name to <SAMName>.
If this parameter is not specified, then a
SAM account name is derived from the value of
the common name (CN) attribute used in <ComputerDN>.
-desc <Description> Sets the computer description to <Description>.
-loc <Location> Sets the computer location to <Location>.
-memberof <Group ...> Makes the computer a member of one or more groups
given by the space-separated list of DNs <Group ...>.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *}
Password for the user <UserName>. If * is entered
then you are prompted for a password.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be
accepted from the keyboard, a redirected file, or as piped output from
another command. To mark the end of stdin data from the keyboard or
in a redirected file, use Control+Z, for End of File (EOF).
If a value that you supply contains spaces, use quotation marks
around the text (for example,
"CN=DC2,OU=Domain Controllers,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of computer distinguished names).
See also:
dsadd computer /? - help for adding a computer to the directory.
dsadd contact /? - help for adding a contact to the directory.
dsadd group /? - help for adding a group to the directory.
dsadd ou /? - help for adding an organizational unit to the directory.
dsadd user /? - help for adding a user to the directory.
dsadd quota /? - help for adding a quota to the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsadd failed:The parameter is incorrect.
type dsadd /? for help.
dsadd contact
Description: Adds a contact to the directory.
Syntax: dsadd contact <ContactDN> [-fn <FirstName>] [-mi <Initial>]
[-ln <LastName>] [-display <DisplayName>] [-desc <Description>]
[-office <Office>] [-tel <Phone#>] [-email <Email>]
[-hometel <HomePhone#>] [-pager <Pager#>] [-mobile <CellPhone#>]
[-fax <Fax#>] [-iptel <IPPhone#>] [-title <Title>]
[-dept <Department>] [-company <Company>]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<ContactDN> Required. Distinguished name (DN) of contact to add.
If the target object is omitted, it will be taken
from standard input (stdin).
-fn <FirstName> Sets contact first name to <FirstName>.
-mi <Initial> Sets contact middle initial to <Initial>.
-ln <LastName> Sets contact last name to <LastName>.
-display <DisplayName> Sets contact display name to <DisplayName>.
-desc <Description> Sets contact description to <Description>.
-office <Office> Sets contact office location to <Office>.
-tel <Phone#> Sets contact telephone# to <Phone#>.
-email <Email> Sets contact e-mail address to <Email>.
-hometel <HomePhone#> Sets contact home phone# to <HomePhone#>.
-pager <Pager#> Sets contact pager# to <Pager#>.
-mobile <CellPhone#> Sets contact mobile# to <CellPhone#>.
-fax <Fax#> Sets contact fax# to <Fax#>.
-iptel <IPPhone#> Sets contact IP phone# to <IPPhone#>.
-title <Title> Sets contact title to <Title>.
-dept <Department> Sets contact department to <Department>.
-company <Company> Sets contact company info to <Company>.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *}
Password for the user <UserName>. If * is entered
then you are prompted for a password.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be
accepted from the keyboard, a redirected file, or as piped output from
another command. To mark the end of stdin data from the keyboard or
in a redirected file, use Control+Z, for End of File (EOF).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
See also:
dsadd computer /? - help for adding a computer to the directory.
dsadd contact /? - help for adding a contact to the directory.
dsadd group /? - help for adding a group to the directory.
dsadd ou /? - help for adding an organizational unit to the directory.
dsadd user /? - help for adding a user to the directory.
dsadd quota /? - help for adding a quota to the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsadd failed:The parameter is incorrect.
type dsadd /? for help.
dsadd group
Description: Adds a group to the directory.
Syntax: dsadd group <GroupDN> [-secgrp {yes | no}] [-scope {l | g | u}]
[-samid <SAMName>] [-desc <Description>] [-memberof <Group ...>]
[-members <Member ...>] [{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<GroupDN> Required. Distinguished name (DN) of group to add.
If the target object is omitted, it will be taken
from standard input (stdin).
-secgrp {yes | no} Sets this group as a security group (yes) or not (no).
Default: yes.
-scope {l | g | u} Sets the scope of this group: local, global
or universal. If the domain is still in mixed-mode,
then the universal scope is not supported.
Default: global.
-samid <SAMName> Set the SAM account name of group to <SAMName>
(for example, operators).
-desc <Description> Sets group description to <Description>.
-memberof <Group ...> Makes the group a member of one or more groups
given by the space-separated list of DNs <Group ...>.
-members <Member ...> Adds one or more members to this group. Members are
set by space-separated list of DNs <Member ...>.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *} Password for the user <UserName>. If * is entered,
then you are prompted for a password.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be
accepted from the keyboard, a redirected file, or as piped output from
another command. To mark the end of stdin data from the keyboard or
in a redirected file, use Control+Z, for End of File (EOF).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of group distinguished names).
See also:
dsadd computer /? - help for adding a computer to the directory.
dsadd contact /? - help for adding a contact to the directory.
dsadd group /? - help for adding a group to the directory.
dsadd ou /? - help for adding an organizational unit to the directory.
dsadd user /? - help for adding a user to the directory.
dsadd quota /? - help for adding a quota to the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsadd failed:The parameter is incorrect.
type dsadd /? for help.
| dsadd ou |
| help for adding an organizational unit to the directory. |
dsadd ou
Description: Adds an organizational unit to the directory
Syntax: dsadd ou <OrganizationalUnitDN> [-desc <Description>]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<OrganizationalUnitDN> Required. Distinguished name (DN)
of the organizational unit (OU) to add.
If the target object is omitted, it will be taken
from standard input (stdin).
-desc <Description> Set the OU description to <Description>.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *}
Password for the user <UserName>. If * is entered
then you are prompted for a password.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be
accepted from the keyboard, a redirected file, or as piped output from
another command. To mark the end of stdin data from the keyboard or
in a redirected file, use Control+Z, for End of File (EOF).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "OU=Domain Controllers,DC=microsoft,DC=com").
See also:
dsadd computer /? - help for adding a computer to the directory.
dsadd contact /? - help for adding a contact to the directory.
dsadd group /? - help for adding a group to the directory.
dsadd ou /? - help for adding an organizational unit to the directory.
dsadd user /? - help for adding a user to the directory.
dsadd quota /? - help for adding a quota to the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsadd failed:The parameter is incorrect.
type dsadd /? for help.
| dsadd user |
| help for adding a user to the directory. |
dsadd user
Description: Adds a user to the directory.
Syntax: dsadd user <UserDN> [-samid <SAMName>] [-upn <UPN>] [-fn <FirstName>]
[-mi <Initial>] [-ln <LastName>] [-display <DisplayName>]
[-empid <EmployeeID>] [-pwd {<Password> | *}] [-desc <Description>]
[-memberof <Group ...>] [-office <Office>] [-tel <Phone#>]
[-email <Email>] [-hometel <HomePhone#>] [-pager <Pager#>]
[-mobile <CellPhone#>] [-fax <Fax#>] [-iptel <IPPhone#>]
[-webpg <WebPage>] [-title <Title>] [-dept <Department>]
[-company <Company>] [-mgr <Manager>] [-hmdir <HomeDir>]
[-hmdrv <DriveLtr:>] [-profile <ProfilePath>] [-loscr <ScriptPath>]
[-mustchpwd {yes | no}] [-canchpwd {yes | no}]
[-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}]
[-acctexpires <NumDays>] [-disabled {yes | no}]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<UserDN> Required. Distinguished name (DN) of user to add.
If the target object is omitted, it will be taken
from standard input (stdin).
-samid <SAMName> Set the SAM account name of user to <SAMName>.
If not specified, dsadd will attempt
to create SAM account name using up to
the first 20 characters from the
common name (CN) value of <UserDN>.
-upn <UPN> Set the upn value to <UPN>.
-fn <FirstName> Set user first name to <FirstName>.
-mi <Initial> Set user middle initial to <Initial>.
-ln <LastName> Set user last name to <LastName>.
-display <DisplayName> Set user display name to <DisplayName>.
-empid <EmployeeID> Set user employee ID to <EmployeeID>.
-pwd {<Password> | *} Set user password to <Password>. If *, then you are
prompted for a password.
-desc <Description> Set user description to <Description>.
-memberof <Group ...> Make user a member of one or more groups <Group ...>
-office <Office> Set user office location to <Office>.
-tel <Phone#> Set user telephone# to <Phone#>.
-email <Email> Set user e-mail address to <Email>.
-hometel <HomePhone#> Set user home phone# to <HomePhone#>.
-pager <Pager#> Set user pager# to <Pager#>.
-mobile <CellPhone#> Set user mobile# to <CellPhone#>.
-fax <Fax#> Set user fax# to <Fax#>.
-iptel <IPPhone#> Set user IP phone# to <IPPhone#>.
-webpg <WebPage> Set user web page URL to <WebPage>.
-title <Title> Set user title to <Title>.
-dept <Department> Set user department to <Department>.
-company <Company> Set user company info to <Company>.
-mgr <Manager> Set user's manager to <Manager> (format is DN).
-hmdir <HomeDir> Set user home directory to <HomeDir>. If this is
UNC path, then a drive letter that will be mapped to
this path must also be specified through -hmdrv.
-hmdrv <DriveLtr:> Set user home drive letter to <DriveLtr:>
-profile <ProfilePath> Set user's profile path to <ProfilePath>.
-loscr <ScriptPath> Set user's logon script path to <ScriptPath>.
-mustchpwd {yes | no} User must change password at next logon or not.
Default: no.
-canchpwd {yes | no} User can change password or not. This should be
"yes" if the -mustchpwd is "yes". Default: yes.
-reversiblepwd {yes | no}
Store user password using reversible encryption or
not. Default: no.
-pwdneverexpires {yes | no}
User password never expires or not. Default: no.
-acctexpires <NumDays> Set user account to expire in <NumDays> days from
today. A value of 0 implies account expires
at the end of today; a positive value
implies the account expires in the future;
a negative value implies the account already expired
and sets an expiration date in the past;
the string value "never" implies that the
account never expires.
-disabled {yes | no} User account is disabled or not. Default: no.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *} Password for the user <UserName>. If * is entered,
then you are prompted for a password.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be
accepted from the keyboard, a redirected file, or as piped output from
another command. To mark the end of stdin data from the keyboard or
in a redirected file, use Control+Z, for End of File (EOF).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
The special token $username$ (case insensitive) may be used to place the SAM
account name in the value of a parameter. For example, if the target user DN
is CN=Jane Doe,CN=users,CN=microsoft,CN=com and the SAM account name
attribute is "janed," the -hmdir parameter can have
the following substitution:
-hmdir \users\$username$\home
The value of the -hmdir parameter is modified to the following value:
- hmdir \users\janed\home
See also:
dsadd computer /? - help for adding a computer to the directory.
dsadd contact /? - help for adding a contact to the directory.
dsadd group /? - help for adding a group to the directory.
dsadd ou /? - help for adding an organizational unit to the directory.
dsadd user /? - help for adding a user to the directory.
dsadd quota /? - help for adding a quota to the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsadd failed:The parameter is incorrect.
type dsadd /? for help.
dsadd quota
Adds a quota specification to a directory partition. A quota specification
determines the maximum number of directory objects a given security principal
can own in a specified directory partition.
dsadd quota -part <PartitionDN> [-rdn <RDN>] -acct Name
-qlimit <Value> | -1 [-desc <Description>]
[{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}]
[-q] [{-uc | -uco | -uci}]
-part <PartitionDN> Required. Specifies the distinguished name of the
directory partition on which you want to create a
quota. If the distinguished name is omitted, it
will be taken from standard input (stdin).
-rdn <RDN> Specifies the relative distinguished name (RDN)
of the quota specification being created. If the
-rdn option is omitted, it will be set to
<domain>_<accountname>, using the domain and
account name of the security principal specified
by the -acct parameter.
-acct Name Required. Specifies the security principal (user,
group, computer, InetOrgPerson) for whom the
quota specification is being specified. The -acct
option can be provided in the following forms:
DN of the security principal
domain\SAM account name of the security
principal
-qlimit <Value> | -1
Required. Specifies the number of objects within
the directory partition that can be owned by
the security principal. To specify an unlimited
quota, specify -1 as the value.
-desc <Description> Specifies a description for the quota
specification you want to add.
{-s <Server> | -d <Domain>} Connects the computer to either a specified
server or domain. By default, the computer is
connected to a domain controller in the logon
domain.
-u <UserName> Specifies the user name with which user will log
on to a remote server. By default, the logged on
user name is used. You can specify a user name
using one of the following formats:
user name (such as, Linda)
domain\user name (such as, widgets\Linda)
user principal name (UPN) (such as,
Linda@widgets.microsoft.com)
-p {<Password> | *} Specifies use of a specific password or a * to
log on to a remote server. If you type *, then
you are prompted for a password.
-q Suppresses all output to standard output (quiet
mode).
{-uc | -uco | -uci} Specifies that output or input data is formatted
in Unicode. The -uc value specifies a Unicode
format for input from or output to pipe.
The -uco value specifies a Unicode format for
output to pipe or file. The -uci value specifies
a Unicode format for input from pipe or file.
/? Displays help at the command prompt.
If you do not supply a target object at the command prompt, the target object
is obtained from standard input (stdin). Stdin data can be accepted from the
keyboard, a redirected file, or as piped output from another command. To mark
the end of stdin data from the keyboard or in a redirected file, use
Control+Z, for End of File (EOF).
If a value that you supply contains spaces, use quotation marks around the
text (for example, "CN=DC 2,OU=Domain Controllers,DC=Microsoft,DC=Com").
dsadd computer /? - help for adding a computer to the directory.
dsadd contact /? - help for adding a contact to the directory.
dsadd group /? - help for adding a group to the directory.
dsadd ou /? - help for adding an organizational unit to the directory.
dsadd user /? - help for adding a user to the directory.
dsadd quota /? - help for adding a quota to the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsadd failed:The parameter is incorrect.
type dsadd /? for help.
DSGET
Description: This tool's commands display the selected properties
of a specific object in the directory. The dsget commands:
dsget_computer - displays properties of computers in the directory.
dsget_contact - displays properties of contacts in the directory.
dsget_subnet - displays properties of subnets in the directory.
dsget_group - displays properties of groups in the directory.
dsget_ou - displays properties of ou's in the directory.
dsget_server - displays properties of servers in the directory.
dsget_site - displays properties of sites in the directory.
dsget_user - displays properties of users in the directory.
dsget_quota - displays properties of quotas in the directory.
dsget_partition - displays properties of partitions in the directory.
To display an arbitrary set of attributes of any given object in the
directory use the dsquery * command (see examples below).
For help on a specific command, type "dsget <ObjectType> /?" where
<ObjectType> is one of the supported object types shown above.
For example, dsget ou /?.
Remarks:
The dsget commands help you to view the properties of a specific object in
the directory: the input to dsget is an object and the output is a list of
properties for that object. To find all objects that meet a given search
criterion, use the dsquery commands (dsquery /?).
The dsget commands support piping of input to allow you to pipe results from
the dsquery commands as input to the dsget commands and display detailed
information on the objects found by the dsquery commands.
Commas that are not used as separators in distinguished names must be
escaped with the backslash ("\") character
(for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com").
Backslashes used in distinguished names must be escaped with a backslash (for
example, "CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,
DC=com").
Examples:
To find all users with names starting with "John" and display their office
numbers:
dsquery user -name John* | dsget user -office
To display the sAMAccountName, userPrincipalName and department attributes of
the object whose DN is ou=Test,dc=microsoft,dc=com:
dsquery * ou=Test,dc=microsoft,dc=com -scope base -attr
sAMAccountName userPrincipalName department
To read all attributes of any object use the dsquery * command.
For example, to read all attributes of the object whose DN is
ou=Test,dc=microsoft,dc=com:
dsquery * ou=Test,dc=microsoft,dc=com -scope base -attr *
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget succeeded
dsget computer
Description: Displays the properties of a computer in the directory.
There are two variations of this command. The first variation
allows you to view the properties of multiple computers. The
second variation allows you to view the membership information
of a single computer.
Syntax: dsget computer <ComputerDN ...> [-dn] [-samid] [-sid] [-desc]
[-loc] [-disabled] [{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
[-part <PartitionDN> [-qlimit] [-qused]]
dsget computer <ComputerDN> [-memberof [-expand]]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
Parameters:
Value Description
<ComputerDN ...> Required/stdin. Distinguished names (DNs) of one
or more computers to view.
If the target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another
command to input of this command.
Compare with <ComputerDN> below.
-dn Displays the computer DN.
-samid Displays the computer SAM account name.
-sid Displays the computer Security ID (SID).
-desc Displays the computer description.
-loc Displays the computer location.
-disabled Displays if the computer account is
disabled (yes) or not (no).
<ComputerDN> Required. Distinguished name (DN) of the computer to
view.
-memberof Displays the groups of which the computer is a member.
-expand Displays the recursively expanded list of groups of
which the computer is a member. This option takes
the immediate group membership list of the computer
and then recursively expands each group in this list to
determine its group memberships and arrive at a
complete set of the groups.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *} Password for the user <UserName>. If * then prompt for
password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple target
objects are specified. Without this option, command
exits on first error.
-q Quiet mode: suppress all output to standard output.
-L Displays the entries in the search result set in a
list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
-part <PartitionDN> Connects to the directory partition with the
distinguished name of <PartitionDN>.
-qlimit Displays the effective quota of the computer within
the specified directory partition.
-qused Displays how much of its quota the computer has
used within the specified directory partition.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).
A quota specification determines the maximum number of directory objects a
given security principal can own in a specific directory partition.
The dsget commands help you view the properties of a
specific object in the directory: the input to dsget is an object
and the output is a list of properties for that object.
To find all objects that meet a given search criterion,
use the dsquery commands (dsquery /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=DC2,OU=Domain Controllers,DC=microsoft,
DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To find all computers in a given OU whose name starts with "tst" and show
their descriptions.
dsquery computer ou=Test,dc=microsoft,dc=com -name tst* |
dsget computer -desc
To show the list of groups, recursively expanded, to which a given computer
"MyDBServer" belongs:
dsget computer cn=MyDBServer,cn=computers,dc=microsoft,dc=com
-memberof -expand
To display the effective quota and quota used of a given computer
"MyDBServer" on a given partition "cn=domain1,dc=microsoft,dc=com", type:
dsget computer cn=MyDBServer,cn=computers,dc=microsoft,dc=com
-part cn=domain1,dc=microsoft,dc=com -qlimit -qused
See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.
dsget contact
Description: Displays properties of a contact in the directory.
Syntax: dsget contact <ContactDN ...> [-dn] [-fn] [-mi] [-ln]
[-display] [-desc] [-office] [-tel] [-email] [-hometel]
[-pager] [-mobile] [-fax] [-iptel] [-title] [-dept]
[-company] [{-s <Server> | -d <Domain>}]
[-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l]
[{-uc | -uco | -uci}]
Parameters:
Value Description
<ContactDN ...> Required/stdin. Specifies Distinguished names (DNs)
of one or more contacts to view.
If the target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another
command to input of this command.
-dn Specifies the contact DN.
-fn Specifies the contact first name.
-mi Specifies the contact middle initial.
-ln Specifies the contact last name.
-display Specifies the contact display name.
-desc Specifies the contact description.
-office Specifies the contact office location.
-tel Specifies the contact telephone#.
-email Specifies the contact e-mail address.
-hometel Specifies the contact home phone#.
-pager Specifies the contact pager#.
-mobile Specifies the contact mobile#.
-fax Specifies the contact fax#.
-iptel Specifies the contact IP phone#.
-title Specifies the contact title.
-dept Specifies the contact department.
-company Specifies the contact company info.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *}
Password for the user <UserName>. If * then prompt for
password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple target
objects are specified. Without this option, command
exits on first error.
-q Quiet mode: suppress all output to standard output.
-L Displays the entries in the search result set in a
list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).
The dsget commands help you view the properties of a
specific object in the directory: the input to dsget is
an object and the output is a list of properties for that object.
To find all objects that meet a given search criterion,
use the dsquery commands (dsquery /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,OU=Contacts,DC=microsoft,
DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To display the description and phone numbers for contacts
"Jon Smith" and "Jona Jones".
dsget contact "CN=John Doe,OU=Contacts,DC=microsoft,DC=com"
"CN=Jane Doe,OU=Contacts,DC=microsoft,DC=com" -desc -tel
See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.
| dsget subnet |
| displays properties of subnets in the directory. |
dsget subnet
Description: Displays properties of a subnet defined
in the directory.
Syntax: dsget subnet <SubnetCN ...> [-dn] [-desc] [-loc] [-site]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
Parameters:
Value Description
<SubnetCN ...> Required/stdin. Common name (CN) of one
or more subnets to view. The format is
the subnet's RDN (see examples below).
-dn Displays the subnet distinguished name (DN).
If the target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another
command to input of this command.
-desc Displays the subnet description.
-loc Displays the subnet location.
-site Displays the site name associated with the subnet.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *}
Password for the user <UserName>. If * then prompt for
password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple target
objects are specified. Without this option, command
exits on first error.
-q Quiet mode: suppress all output to standard output.
-L Displays the entries in the search result set in a
list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).
The dsget commands help you view the properties of
a specific object in the directory: the input to dsget is
an object and the output is a list of properties for that object.
To find all objects that meet a given search criterion,
use the dsquery commands (dsquery /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "123.56.15.0/24,CN=Subnets,CN=Sites
,CN=Configuration,DC=My Domain,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of subnet common names).
Examples:
To show all relevant properties for the subnets "123.56.15.0/24" and
"123.56.16.0/24":
dsget subnet
"123.56.15.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=microsoft,DC=com"
"123.56.16.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=microsoft,DC=com"
See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.
| dsget group |
| displays properties of groups in the directory. |
dsget group
Description: Displays the various properties of a group including the
members of a group in the directory. There are two variations
of this command. The first variation allows you to view the
properties of multiple groups. The second variation allows you
to view the group membership information of a single group.
Syntax: dsget group <GroupDN ...> [-dn] [-samid] [-sid] [-desc] [-secgrp]
[-scope] [{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
[-part <PartitionDN> [-qlimit] [-qused]]
dsget group <GroupDN> [{-memberof | -members} [-expand]]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
Parameters:
Value Description
<GroupDN ...> Required/stdin. Distinguished names (DNs) of one
or more groups to view.
If the target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another command
to input of this command.
Compare with <GroupDN> below.
-dn Displays the group DN.
-samid Displays the group SAM account name.
-sid Displays the group Security ID.
-desc Displays the group description.
-secgrp Displays if the group is a security group or not.
-scope Displays the scope of the group - Local, Global
or Universal.
<GroupDN> Required. DN of group to view.
{-memberof | -members}
Displays the groups of the group
is a member (-memberof), or
displays the members of the group (-members).
-expand For -memberof, displays the recursively expanded
list of groups of which the group is a member.
This option takes the immediate group membership list
of the group and then recursively expands each group
in this list to determine its group memberships
and arrive at a complete set of the groups.
For -members, displays the recursively expanded list
of members of the group. This option takes the
immediate list of members of the group and
then recursively expands each group in this list
to determine its group memberships and arrive
at a complete set of its members.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *} Password for the user <UserName>. If * then prompt for
password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple target
objects are specified. Without this option, command
exits on first error.
-q Quiet mode: suppress all output to standard output.
-L Displays the entries in the search result set in a
list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
-part <PartitionDN> Connects to the directory partition with the
distinguished name of <PartitionDN>.
-qlimit Displays the effective quota of the group within
the specified directory partition.
-qused Displays how much of its quota the group has
used within the specified directory partition.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).
A quota specification determines the maximum number of directory objects a
given security principal can own in a specific directory partition.
The dsget commands help you view the properties of a specific
object in the directory: the input to dsget is an object
and the output is a list of properties for that object.
To find all objects that meet a given search criterion,
use the dsquery commands (dsquery /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=USA Sales,OU=Distribution Lists,
DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To find all groups in a given OU whose names start with "adm" and display
their descriptions.
dsquery group ou=Test,dc=microsoft,dc=com -name adm* |
dsget group -desc
To display the list of members, recursively expanded, of the group "Backup
Operators":
dsget group "CN=Backup Operators,ou=Test,dc=microsoft,dc=com" -members
-expand
To display the effective quota and quota used for a group on a specified
partition, type:
dsget group "CN=Backup Operators,OU=Test,DC=microsoft,DC=com"
-part "CN=domain1,dc=microsoft,dc=Com" -qlimit -qused
See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.
| dsget ou |
| displays properties of ou's in the directory. |
dsget ou
Description: Displays properties of an organizational unit in the
directory.
Syntax: dsget ou <OrganizationalUnitDN ...> [-dn] [-desc]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
Parameters:
Value Description
<OrganizationalUnitDN ...>
Required/stdin. Distinguished names (DNs) of one
or more organizational units (OUs) to view.
If the target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another
command to input of this command.
-dn Displays the OU DN.
-desc Displays the OU description.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *} Password for the user <UserName>. If * then prompt for
password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple target
objects are specified. Without this option, command
exits on first error.
-q Quiet mode: suppress all output to standard output.
-L Displays the entries in the search result set in a
list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).
The dsget commands help you view the properties of a specific object in the
directory: the input to dsget is an object and the output is a list of
properties for that object.
To find all objects that meet a given search criterion, use the dsquery
commands (dsquery /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "OU=Domain Controllers,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To find all OU's in the current domain and display their descriptions.
dsquery ou domainroot | dsget ou -desc
See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.
| dsget server |
| displays properties of servers in the directory. |
dsget server
Description: This command displays the various properties of a domain
controller. There are three variations of this command. The
first variation displays the general properties of a
specified domain controller. The second variation displays
a list of the security principals who own the largest
number of directory objects on the specified domain
controller. The third variation displays the distinguished
names of the directory partitions on the specified
server.
Syntax: dsget server <ServerDN ...> [-dn] [-desc] [-dnsname]
[-site] [-isgc] [{-s <Server> | -d <Domain>}]
[-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l]
[{-uc | -uco | -uci}]
dsget server <ServerDN ...> [-topobjowner <Display>]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
dsget server <ServerDN ...> [-part]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
Parameters:
Value Description
<ServerDN ...> Required/stdin. Distinguished names (DNs) of one
or more servers to view.
If the target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another
command to input of this command.
-dn Displays the server's DN.
-desc Displays the server's description.
-dnsname Displays the server's Domain Name System (DNS) host name.
-site Displays the site to which this server belongs.
-isgc Displays whether or not the server is a
global catalog server.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *}
Password for the user <UserName>. If * then prompt for
password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple target
objects are specified. Without this option, command
exits on first error.
-q Quiet mode: suppress all output to standard output.
-L Displays the entries in the search result set in a
list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
-part Displays the distinguished names of the directory
partitions on the specified server.
-topobjowner <display>
Displays a sorted list of the security principals
(users, computers, security groups, and inetOrgPersons)
who own the largest number of directory objects across
all directory partitions on the server and the number
of directory objects they own. The number of accounts to
display in the list is specified by <display>. Enter
"0" to display all object owners. If <display> is not
specified, the number of principals listed defaults
to 10.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).
A quota specification determines the maximum number of directory objects a
given security principal can own in a specific directory partition.
The dsget commands help you view the properties of a
specific object in the directory: the input to dsget is
an object and the output is a list of properties for that object.
To find all objects that meet a given search criterion,
use the dsquery commands (dsquery /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=My Server,CN=Servers,CN=Site10,
CN=Sites,CN=Configuration,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated
by spaces (for example, a list of distinguished names).
If either -part or -topobjowner is specified, they override any other
specified parameters, so that only the results of the -part or -topobjowner
parameter are displayed.
Examples:
To find all domain controllers for domain corp.microsoft.com
and display their DNS host name and site name:
dsquery server -domain corp.microsoft.com |
dsget server -dnsname -site
To show if a domain controller with the name DC1 is also a
global catalog server:
dsget server cn=DC1,cn=Servers,cn=Site10,cn=Sites,cn=Configuration,
dc=microsoft,dc=com -isgc
To show the distinguished names of the directory partitions on a domain
controller with the name DC1, type:
dsget server cn=DC1,cn=Servers,cn=Site10,cn=Sites,cn=Configuration,
dc=microsoft,dc=com -part
To show the security principals that own the largest total number of
directory objects on the directory partitions of a domain controller with the
name DC1, and limiting the list to the top 5 owners, type:
dsget server cn=DC1,cn=Servers,cn=Site10,cn=Sites,cn=Configuration,
dc=microsoft,dc=com -topobjowner 5
See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.
| dsget site |
| displays properties of sites in the directory. |
dsget site
Description: Display properties of a site defined in the directory.
Syntax: dsget site <SiteCN ...> [-dn] [-desc] [-autotopology]
[-cachegroups] [-prefGCsite] [{-s <Server> | -d <Domain>}]
[-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l]
[{-uc | -uco | -uci}]
Parameters:
Value Description
<SiteCN ...> Required/stdin. Common name (CN) of one
or more sites to view.
If the target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another
command to input of this command.
-dn Specifies the site's distinguished name (DN).
-desc Specifies the site's description.
-autotopology Specifies if automatic inter-site topology generation
is enabled (yes) or disabled (no).
-cachegroups Specifies if caching of group membership is enabled
to support GC-less logon (yes) or disabled (no).
-prefGCsite Specifies the preferred GC site name if caching
of groups is enabled.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *}
Password for the user <UserName>. If * then prompt for
password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple target
objects are specified. Without this option, command
exits on first error.
-q Quiet mode: suppress all output to standard output.
-L Displays the entries in the search result set in a
list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).
The dsget commands help you view the properties of a
specific object in the directory: the input to dsget is
an object and the output is a list of properties for that object.
To find all objects that meet a given search criterion,
use the dsquery commands (dsquery /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To find all sites in the forest and display their descriptions.
dsquery site | dsget site -dn -desc
See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.
| dsget user |
| displays properties of users in the directory. |
dsget user
Description: Display the various properties of a user in the directory.
There are two variations of this command. The first variation
allows you to view the properties of multiple users. The second
variation allows you to view the group membership information
of a single user.
Syntax: dsget user <UserDN ...> [-dn] [-samid] [-sid] [-upn] [-fn] [-mi]
[-ln] [-display] [-empid] [-desc] [-office] [-tel] [-email]
[-hometel] [-pager] [-mobile] [-fax] [-iptel] [-webpg]
[-title] [-dept] [-company] [-mgr] [-hmdir] [-hmdrv]
[-profile] [-loscr] [-mustchpwd] [-canchpwd]
[-pwdneverexpires] [-disabled] [-acctexpires]
[-reversiblepwd] [-part <PartitionDN> [-qlimit] [-qused]]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
dsget user <UserDN> [-memberof [-expand]]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l]
[{-uc | -uco | -uci}]
Parameters:
Value Description
<UserDN ...> Required/stdin. Distinguished names (DNs) of one
or more users to view.
If the target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another command
to input of this command. Compare with <UserDN>
below.
-dn Shows the DN of the user.
-samid Shows the SAM account name of the user.
-sid Shows the user Security ID.
-upn Shows the user principal name of the user.
-fn Shows the first name of the user.
-mi Shows the middle initial of the user.
-ln Shows the last name of the user.
-display Shows the display name of the user.
-empid Shows the user employee ID.
-desc Shows the description of the user.
-office Shows the office location of the user.
-tel Shows the telephone number of the user.
-email Shows the e-mail address of the user.
-hometel Shows the home telephone number of the user.
-pager Shows the pager number of the user.
-mobile Shows the mobile phone number of the user.
-fax Shows the fax number of the user.
-iptel Shows the user IP phone number.
-webpg Shows the user web page URL.
-title Shows the title of the user.
-dept Shows the department of the user.
-company Shows the company info of the user.
-mgr Shows the user's manager.
-hmdir Shows the user home directory.
Displays the drive letter to which the
home directory of the user is mapped
(if the home directory path is a UNC path).
-hmdrv Shows the user's home drive letter
(if home directory is a UNC path).
-profile Shows the user's profile path.
-loscr Shows the user's logon script path.
-mustchpwd Shows if the user must change his/her password
at the time of next logon. Displays: yes or no.
-canchpwd Shows if the user can change his/her password.
Displays: yes or no.
-pwdneverexpires Shows if the user password never expires.
Displays: yes or no.
-disabled Shows if the user account is disabled
for logon or not. Displays: yes or no.
-acctexpires Shows when the user account expires.
Display values: a date when the account expires
or the string "never" if the account never expires.
-reversiblepwd Shows if the user password is allowed to be
stored using reversible encryption (yes or no).
<UserDN> Required. DN of group to view.
-memberof Displays the groups of which the user is a member.
-expand Displays a recursively expanded list of groups
of which the user is a member.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *} Password for the user <UserName>. If * then prompt
for password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple
target objects are specified. Without this option,
command exits on first error.
-q Quiet mode: suppress all output to standard output.
-L Displays the entries in the search result set in a
list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
-part <PartitionDN> Connect to the directory partition with the
distinguished name of <PartitionDN>.
-qlimit Displays the effective quota of the user within
the specified directory partition.
-qused Displays how much of the quota the user has
used within the specified directory partition.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).
A quota specification determines the maximum number of directory objects a
given security principal can own in a specific directory partition.
The dsget commands help you view the properties of a
specific object in the directory: the input to dsget is
an object and the output is a list of properties for that object.
To find all objects that meet a given search criterion,
use the dsquery commands (dsquery /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To find all users in a given OU whose names start with "jon" and display
their descriptions, type:
dsquery user ou=Test,dc=microsoft,dc=com -name jon* | dsget user -desc
To display the list of groups, recursively expanded, to which a given user
"Jon Smith" belongs, type:
dsget user "cn=Jon Smith,cn=users,dc=microsoft,dc=com" -memberof -expand
To display the effective quota and quota used for a given user
"Jon Smith" on a given partition "cn=domain,dc=microsoft,dc=com", type:
dsget user "cn=Jon Smith,cn=users,dc=microsoft,dc=com"
-part "cn=domain,dc=microsoft,dc=com" -qlimit -qused
See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.
| dsget quota |
| displays properties of quotas in the directory. |
dsget quota
Description: Displays the properties of a quota specification. A quota
specification determines the maximum number of directory objects a given
security principal can own in a specific directory partition.
dsget quota <QuotaDN ...> [-dn] [-acct] [-qlimit] [{-s <Server> | -d <Domain>}]
[-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
<QuotaDN ...> Required. Specifies the distinguished names of the quota
objects to view. If values are omitted, they are
obtained through standard input (stdin) to support
piping of output from another command to input of this
command.
-dn Displays the distinguished names of the quota
specifications.
-acct Displays the the distinguished names of the accounts to
which the quotas are assigned.
-qlimit Displays the quota limits for the specified quotas.
An unlimited quota displays as "-1".
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *}
Password for the user <UserName>. If * then prompt for
password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple target
objects are specified. Without this option, command
exits on first error.
-q Quiet mode: suppress all output to standard output.
-L Displays the entries in the search result set in a
list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
/? Displays help at the command prompt.
If you do not supply a target object at the command prompt, the target object
is obtained from standard input (stdin). Stdin data can be accepted from the
keyboard, a redirected file, or as piped output from another command. To mark
the end of stdin data from the keyboard or in a redirected file, use
Control+Z, for End of File (EOF).
When none of the optional parameters is specified, the distinguished names of
the quota specification, the account to which the quota is assigned, and the
quota limit are all displayed.
Use the dsget command to view properties of a specific object in the
directory. To search for all objects that match a specific criterion, see
Dsquery *.
As a result of dsquery searches, you can pipe returned objects to dsget and
obtain object properties. See Examples.
If a value that you supply contains spaces, use quotation marks around the
text (for example, "CN=Mike Danseglio,CN=Users,DC=Microsoft,DC=Com").
If you supply multiple values for a parameter, use spaces to separate the
values (for example, a list of distinguished names).
To display the account to which the quota is assigned and the quota limit
for the quota specification "CN=quota1,dc=marketing,dc=northwindtraders,
dc=com", type:
dsget quota CN=quota1,dc=marketing,dc=northwindtraders,dc=com -acct -qlimit
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.
dsget partition
Description: Displays the properties of a directory partition.
dsget partition ObjectDN ... [-dn] [-qdefault] [-qtmbstnwt]
[-topobjowner <Display>] [{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
Parameters
OBJECTDN Required. Specifies the distinguished names (DN) of the
partition objects to view. If values are omitted, they
are obtained through standard input (stdin) to support
piping of output from another command to input of this
command.
-dn Displays the distinguished names of the directory
partition objects.
-qdefault Displays the default quota that applies to any security
principal (user, group, computer or inetOrgPerson)
creating an object in the directory partition, if no
quota specification exists for the security principal.
-qtmbstnwt Displays the percent by which the tombstone object count
should be reduced when calculating quota usage.
-topobjowner <Display>
Specifies to generate a sorted list of the distinguished
names of the accounts owning the largest number of
objects in the specified directory partition, along
with the number of directory objects they own. The
number of accounts to display in the list is determined
by <display>. Enter "0" to display all object owners. If
<display> is not specified, the number of principals
listed defaults to 10.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *}
Password for the user <UserName>. If * then prompt for
password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple target
objects are specified. Without this option, command
exits on first error.
-q Quiet mode: suppress all output to standard output.
-L Displays the entries in the search result set in a
list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
/? Displays help at the command prompt.
If you do not supply a target object at the command prompt, the target object
is obtained from standard input (stdin). Stdin data can be accepted from the
keyboard, a redirected file, or as piped output from another command. To mark
the end of stdin data from the keyboard or in a redirected file, use
Control+Z, for End of File (EOF).
A quota specification determines the maximum number of directory objects a
given security principal can own in a specific directory partition.
When none of the optional parameters is specified, the distinguished name of
the directory partition object is displayed.
When -topobjowner is specified, it overrides any other specified parameters,
so that only the results of -topobjowner are displayed.
Use the dsget command to view properties of a specific object in the
directory. To search for all objects that match a specific criterion, see
Dsquery *.
As a result of dsquery searches, you can pipe returned objects to dsget and
obtain object properties. See Examples.
If a value that you supply contains spaces, use quotation marks around the
text (for example, "CN=Mike Danseglio,CN=Users,DC=Microsoft,DC=Com").
If you supply multiple values for a parameter, use spaces to separate the
values (for example, a list of distinguished names).
To display all directory partitions in the forest that
begin with "application", along with the top three directory object owners
on each partition, type:
dsquery server -forest -part application* |
dsget server -part |
dsget partition -topjobowner 3
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.
DSMOD
Description: This dsmod command modifies existing objects in the directory.
The dsmod commands include:
dsmod_computer - modifies an existing computer in the directory.
dsmod_contact - modifies an existing contact in the directory.
dsmod_group - modifies an existing group in the directory.
dsmod_ou - modifies an existing organizational unit in the directory.
dsmod_server - modifies an existing domain controller in the directory.
dsmod_user - modifies an existing user in the directory.
dsmod_quota - modifies an existing quota specification in the directory.
dsmod_partition - modifies an existing quota specification in the directory.
For help on a specific command, type "dsmod <ObjectType> /?" where
<ObjectType> is one of the supported object types shown above.
For example, dsmod ou /?.
Remarks:
The dsmod commands support piping of input to allow you to pipe results from
the dsquery commands as input to the dsmod commands and modify the objects
found by the dsquery commands.
Commas that are not used as separators in distinguished names must be
escaped with the backslash ("\") character
(for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com").
Backslashes used in distinguished names must be escaped with a backslash
(for example,
"CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,DC=com").
Examples:
To find all users in the organizational unit (OU)
"ou=Marketing,dc=microsoft,dc=com" and add them to the Marketing Staff group:
dsquery user –startnode "ou=Marketing,dc=microsoft,dc=com" |
dsmod group "cn=Marketing Staff,ou=Marketing,dc=microsoft,dc=com" -addmbr
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
| dsmod computer |
| help for modifying an existing computer in the directory. |
dsmod computer
Description: Modifies an existing computer in the directory.
Syntax: dsmod computer <ComputerDN ...> [-desc <Description>]
[-loc <Location>] [-disabled {yes | no}] [-reset]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<ComputerDN ...> Required/stdin. Distinguished names (DNs) of one
or more computers to modify.
If target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another command
to input of this command.
-desc <Description> Sets computer description to <Description>.
-loc <Location> Sets the location of the computer object to
<Location>.
-disabled {yes | no} Sets whether the computer account is disabled (yes)
or not (no).
-reset Resets computer account.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p <Password> Password for the user <UserName>. If * then prompt
for password.
-c Continuous operation mode. Reports errors but
continues with next object in argument list when
multiple target objects are specified.
Without this option, the command exits on first
error.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If a value that you supply contains spaces, use quotation marks
around the text
(for example, "CN=DC2,OU=Domain Controllers,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To disable multiple computer accounts:
dsmod computer CN=MemberServer1,CN=Computers,DC=microsoft,DC=com
CN=MemberServer2,CN=Computers,DC=microsoft,DC=com
-disabled yes
To reset multiple computer accounts:
dsmod computer CN=MemberServer1,CN=Computers,DC=microsoft,DC=com
CN=MemberServer2,CN=Computers,DC=microsoft,DC=com -reset
See also:
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod failed:The parameter is incorrect.
type dsmod /? for help.
| dsmod contact |
| help for modifying an existing contact in the directory. |
dsmod contact
Description: Modify an existing contact in the directory.
Syntax: dsmod contact <ContactDN ...> [-fn <FirstName>] [-mi <Initial>]
[-ln <LastName>] [-display <DisplayName>] [-desc <Description>]
[-office <Office>] [-tel <Phone#>] [-email <Email>]
[-hometel <HomePhone#>] [-pager <Pager#>] [-mobile <CellPhone#>]
[-fax <Fax#>] [-iptel <IPPhone#>] [-title <Title>]
[-dept <Department>] [-company <Company>]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<ContactDN ...> Required/stdin. Distinguished names (DNs)
of one or more contacts to modify.
If target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another
command to input of this command.
-fn <FirstName> Sets contact first name to <FirstName>.
-mi <Initial> Sets contact middle initial to <Initial>.
-ln <LastName> Sets contact last name to <LastName>.
-display <DisplayName> Sets contact display name to <DisplayName>.
-desc <Description> Sets contact description to <Description>.
-office <Office> Sets contact office location to <Office>.
-tel <Phone#> Sets contact telephone# to <Phone#>.
-email <Email> Sets contact e-mail address to <Email>.
-hometel <HomePhone#> Sets contact home phone# to <HomePhone#>.
-pager <Pager#> Sets contact pager# to <Pager#>.
-mobile <CellPhone#> Sets contact mobile# to <CellPhone#>.
-fax <Fax#> Sets contact fax# to <Fax#>.
-iptel <IPPhone#> Sets contact IP phone# to <IPPhone#>.
-title <Title> Sets contact title to <Title>.
-dept <Department> Sets contact department to <Department>.
-company <Company> Sets contact company info to <Company>.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p <Password> Password for the user <UserName>. If * then prompt
for password.
-c Continuous operation mode. Reports errors but
continues with next object in argument list when
multiple target objects are specified. Without
this option, the command exits on first error.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If a value that you supply contains spaces, use quotation marks
around the text (for example,
"CN=John Smith,OU=Contacts,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To set the company information of multiple contacts:
dsmod contact "CN=John Doe,OU=Contacts,DC=microsoft,DC=com"
"CN=Jane Doe,OU=Contacts,DC=microsoft,DC=com" -company microsoft
See also:
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod failed:The parameter is incorrect.
type dsmod /? for help.
| dsmod group |
| help for modifying an existing group in the directory. |
dsmod group
Description: Modifies an existing group in the directory.
Syntax: dsmod group <GroupDN ...> [-samid <SAMName>]
[-desc <Description>] [-secgrp {yes | no}] [-scope {l | g | u}]
[{-addmbr | -rmmbr | -chmbr} <Member ...>]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<GroupDN ...> Required/stdin. Distinguished names (DNs) of
one or more groups to modify.
If target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another command
to input of this command.
If <GroupDN ...> and <Member ...> are used
together then only one parameter can
be taken from standard input, requiring that at
least one parameter be specified on the command line.
-samid <SAMName> Sets the SAM account name of group to <SAMName>.
-desc <Description> Sets group description to <Description>.
-secgrp {yes | no} Sets the group type to security (yes)
or non-security (no).
-scope {l | g | u} Sets the scope of group to local (l),
global (g), or universal (u).
{-addmbr | -rmmbr | -chmbr}
-addmbr adds members to the group.
-rmmbr removes members from the group.
-chmbr changes (replaces) the complete list of
members in the group.
<Member ...> Space-separated list of members to add to,
delete from, or replace in the group.
If target objects are omitted, they
will be taken from standard input (stdin)
to support piping of output from another command
to input of this command.
The list of members must follow the
-addmbr, -rmmbr, and -chmbr parameters.
If <GroupDN ...> and <Member ...> are used
together then only one parameter can
be taken from standard input, requiring that at
least one parameter be specified on the command line.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p <Password> Password for the user <UserName>. If * then prompt
for password.
-c Continuous operation mode. Reports errors but
continues
with next object in argument list when multiple
target objects are specified. Without this option,
the command exits on first error.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If a value that you supply contains spaces, use quotation marks
around the text
(for example, "CN=USA Sales,OU=Distribution Lists,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To add the user Mike Danseglio to all administrator
distribution list groups:
dsquery group "OU=Distribution Lists,DC=microsoft,DC=com" -name adm* |
dsmod group -addmbr "CN=Mike Danseglio,CN=Users,DC=microsoft,DC=com"
To add all members of the US Info group to the Cananda Info group:
dsget group "CN=US INFO,OU=Distribution Lists,DC=microsoft,DC=com" -members |
dsmod group "CN=CANADA INFO,OU=Distribution Lists,DC=microsoft,DC=com"
-addmbr
To convert the group type of several groups from "security" to
"non-security":
dsmod group "CN=US INFO,OU=Distribution Lists,DC=microsoft,DC=com"
"CN=CANADA INFO,OU=Distribution Lists,DC=microsoft,DC=com"
"CN=MEXICO INFO,OU=Distribution Lists,DC=microsoft,DC=com" -secgrp no
To add three new members to the US Info group:
dsmod group "CN=US INFO,OU=Distribution Lists,DC=microsoft,DC=com" -addmbr
"CN=John Smith,CN=Users,DC=microsoft,DC=com"
"CN=Datacenter,OU=Distribution Lists,DC=microsoft,DC=com"
"CN=Jane Smith,CN=Users,DC=microsoft,DC=com"
To add all users from the OU "Marketing" to the exisitng group
"Marketing Staff":
dsquery user ou=Marketing,dc=microsoft,dc=com | dsmod group
"cn=Marketing Staff,ou=Marketing,dc=microsoft,dc=com" -addmbr
To delete two members from the exisitng US Info group:
dsmod group "CN=US INFO,OU=Distribution Lists,DC=microsoft,DC=com" -rmmbr
"CN=John Smith,CN=Users,DC=microsoft,DC=com"
"CN=Datacenter,OU=Distribution Lists,DC=microsoft,DC=com"
See also:
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod failed:The parameter is incorrect.
type dsmod /? for help.
| dsmod ou |
| help for modifying an existing ou in the directory. |
dsmod ou
Description: Modifies an existing organizational unit in the
directory.
Syntax: dsmod ou <OrganizationalUnitDN ...> [-desc <Description>]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<OrganizationalUnitDN ...>
Required/stdin. Distinguished names (DNs)
of one or more organizational units (OUs) to modify.
If target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another command
to input of this command.
-desc <Description> Sets OU description to <Description>.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p <Password> Password for the user <UserName>. If * then prompt
for password.
-c Continuous operation mode. Reports errors but
continues with next object in argument list when
multiple target objects are specified.
Without this option, the command exits on first
error.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If a value that you supply contains spaces, use quotation marks
around the text (for example, "OU=Domain Controllers,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To change the description of several OUs at the same time:
dsmod ou "OU=Domain Controllers,DC=microsoft,DC=com"
"OU=Resources,DC=microsoft,DC=com"
"OU=troubleshooting,DC=microsoft,DC=com" -desc "This is a test OU"
See also:
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod failed:The parameter is incorrect.
type dsmod /? for help.
| dsmod server |
| help for modifying an existing domain controller in the |
dsmod server
Description: Modifies properties of a domain controller.
Syntax: dsmod server <ServerDN ...> [-desc <Description>]
[-isgc {yes | no}] [{-s <Server> | -d <Domain>}]
[-u <UserName>] [-p {<Password> | *}] [-c] [-q]
[{-uc | -uco | -uci}]
Parameters:
Value Description
<ServerDN ...> Required/stdin. Distinguished names (DNs)
of one or more servers to modify.
If target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another
command to input of this command.
-desc <Description>
Sets server description to <Description>.
-isgc {yes | no} Sets whether this server to a global catalog server
(yes) or disables it (no).
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p <Password> Password for the user <UserName>.
If * is entered, then you are prompted for a password.
-c Continuous operation mode. Reports errors but
continues with next object in argument list
when multiple target objects are specified.
Without this option, the command exits on first error.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=My Server,CN=Servers,CN=Site10,
CN=Sites,CN=Configuration,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To enable the domain controllers CORPDC1 and CORPDC9 to become global catalog
servers:
dsmod server
"cn=CORPDC1,cn=Servers,cn=site1,cn=sites,cn=configuration,dc=microsoft,dc=com"
"cn=CORPDC9,cn=Servers,cn=site2,cn=sites,cn=configuration,dc=microsoft,dc=com"
-isgc yes
See also:
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod failed:The parameter is incorrect.
type dsmod /? for help.
| dsmod user |
| help for modifying an existing user in the directory. |
dsmod user
Description: Modifies an existing user in the directory.
Syntax: dsmod user <UserDN ...> [-upn <UPN>] [-fn <FirstName>]
[-mi <Initial>] [-ln <LastName>] [-display <DisplayName>]
[-empid <EmployeeID>] [-pwd {<Password> | *}]
[-desc <Description>] [-office <Office>] [-tel <Phone#>]
[-email <Email>] [-hometel <HomePhone#>] [-pager <Pager#>]
[-mobile <CellPhone#>] [-fax <Fax#>] [-iptel <IPPhone#>]
[-webpg <WebPage>] [-title <Title>] [-dept <Department>]
[-company <Company>] [-mgr <Manager>] [-hmdir <HomeDir>]
[-hmdrv <DriveLtr>:] [-profile <ProfilePath>]
[-loscr <ScriptPath>] [-mustchpwd {yes | no}]
[-canchpwd {yes | no}] [-reversiblepwd {yes | no}]
[-pwdneverexpires {yes | no}]
[-acctexpires <NumDays>] [-disabled {yes | no}]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<UserDN ...> Required/stdin. Distinguished names (DNs)
of one or more users to modify.
If target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another command