DS Commands – DSADD

Understanding Distinguished Names

Active Directory Domain Services (AD DS) uses the Lightweight Directory Access Protocol (LDAP). Every object in AD DS is uniquely identified with a distinguished name (DN). The DN identifies the object, domain, and Organizational Unit (OU) or container where it’s located.

DS commands (such as dsadd, dsmod, and so on) need the DN to identify the object to create, modify, or delete. When the DN is used within a command, it must be enclosed within quotes if it includes spaces. The following table shows the common components of a DN used with DS commands.

DN Component

Description

CN

CN is short for common name. It’s used to indicate the common name of an object (such as the user’s account name) or the name

of a container (such as the Users or Computers containers).

OU

OU is short for Organizational Unit. When multiple OUs are listed, the top level is listed last.

NOTE Nested OUs often give people the most trouble when building the DN. An easy check is to see whether the top-level OU is next to the domain component (dc) and the last child OU is listed first.

DC

DC is short for domain component. Notice that each portion of the DC must be separate. This is incorrect and results in an error: dc=habib.local. It must be separated as dc=habib, dc=local.

DSADD Command

Adding Objects with dsadd

You can add objects with the dsadd command. The basic syntax is

dsadd object-type DN

Some common object types you can add are users, computers, groups, and OUs. The fol- lowing table shows the syntax to create specific accounts. Each of these commands cre- ates an account in the habib.local domain, in the East OU nested in the Sales OU.

Note: The dsadd command creates accounts using the same case you use in the command. In other words, you can create an account named joe or an account named Joe, depending on the case you use in the DN. If the DN is lowercase, the account is built with lowercase.

dsadd Command

Comments

Add a user.

dsadd user dn [-pwd password] C:\>dsadd user “cn=Joe, ou=east,ou=sales,dc=habib, dc=local”

C:\>dsadd user “cn=joe2, ou=east,ou=sales,dc=habib,
dc=local” -pwd abc@123

Adds a user account. The example adds a user account named Joe to the sales\east OU.

If you don’t include a password, the account

is disabled by default. If you include the pass- word, but it doesn’t meet the password com- plexity requirements, the account is disabled.

However, if you include the password and it meets complexity requirements, the account is enabled

dsadd Command

Comments

Add a group.

dsadd group dn -secgroup

{yes | no} -scope { l | g |

u }

C:\>dsadd group “cn=IT Admins, ou=east,ou=sales,dc=habib, dc=local” -secgrp yes -scope g C:\>dsadd group “cn=IT

Admins2, ou=east, ou=sales, dc=habib, dc=local” C:\>dsadd group “cn=dl_ printer, ou=east, ou=sales,

dc=habib, dc=local” -scope l

You can add security groups (with -secgroup yes) or distribution groups (with -secgroup no). You add different scopes with the -scope switch. Create domain local groups (with

-scope l), create global groups (with -scope g), and create universal groups (with -scope u).

TIP The dsadd group command defaults to a global security group so you can omit the -secgroup and -scope switches.

The examples add two global security groups (IT Admins and IT Admins2) and one domain local security group (dl_printer).

Add a computer.

dsadd computer dn

C:\>dsadd computer “cn=PC-1, ou=east, ou=sales, dc=habib, dc=local”

The example command creates a computer named PC-1 in the sales\east OU.

Note: You can also identify different properties for any of these objects. For a full list- ing of the properties for any of the objects, use the help command as dsadd user /?, dsadd group /?, or dsadd computer /?.

Advertisements

3 thoughts on “DS Commands – DSADD

  1. thanks for this article,, i spend a lot of time to correct my script,, when i saw this and i try it,, its really work,, thanks man you are a legend,,, i wish more article will share☺

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s