DS Commands – DSMOD



Modifying Accounts with DSMOD Command

You can modify account properties from the command prompt with the dsmod command. The basic syntax is

dsmod object-type dn-property property-value

The common object-types you modify with the dsmod command are the same ones you create with the dsadd command: users, computers, groups, and OUs.

Note:
You can also identify different properties for any of these objects with the help command. Useful help commands are dsmod user /?, dsmod group /?, or dsmod computer /?.

The following table shows some common uses of the dsmod command when working with users and computers.

dsmod Commands for Users and Computers

Comments

Change a user password.

dsmod user dn -pwd * | password

C:\>dsmod user "cn=joe,ou=east,ou=sales,dc=habib,dc=local" -pwd *

C:\>dsmod user "cn=joe,ou=east,ou=sales,dc=habib,dc=local" -pwd abc@123

You can change a user’s password with the -pwd switch. You can either specify the password or use the asterisk (*). If you use the asterisk, you will be prompted to enter the new password. Prefer the asterisk where you can: a password given as an argument is shown on screen and can be recorded wherever command lines are logged.

Enable or disable a user account.

dsmod user dn -disabled yes | no

C:\>dsmod user "cn=joe,ou=east,ou=sales,dc=habib,dc=local" -disabled no

You can enable or disable a user account with the -disabled switch. To disable it, use -disabled yes and to enable it, use -disabled no.

Enable or disable a computer account.

dsmod computer dn -disabled yes | no

C:\>dsmod computer "cn=PC-1,ou=east,ou=sales,dc=habib,dc=local" -disabled yes

You can also enable or disable a computer account with the -disabled switch. To disable it, use -disabled yes and to enable it, use -disabled no.


The following table shows some common uses of the dsmod command when working with groups.

dsmod Commands for Groups

Comments

Change a group type.

dsmod group DN -secgrp yes | no

C:\>dsmod group "cn=IT Admins,ou=east,ou=sales,dc=habib,dc=local" -secgrp no

C:\>dsmod group "cn=IT Admins,ou=east,ou=sales,dc=habib,dc=local" -secgrp yes

You can designate a group as a security group with -secgrp yes, or as a distribution group with -secgrp no.

Note:
Security groups can have permissions assigned and be used for email lists. Distribution groups can only be used for email lists.

Change a group scope.

dsmod group DN -scope l | g | u

C:\>dsmod group "cn=IT Admins,ou=east,ou=sales,dc=habib,dc=local" -scope u

C:\>dsmod group "cn=IT Admins,ou=east,ou=sales,dc=habib,dc=local" -scope l

C:\>dsmod group "cn=IT Admins,ou=east,ou=sales,dc=habib,dc=local" -scope u

C:\>dsmod group "cn=IT Admins,ou=east,ou=sales,dc=habib,dc=local" -scope g

Group scopes in a domain are global, domain local, or universal. You can use the -scope switch to change the scope from one to another. The examples change the scope of the IT Admins group from global to universal, then to domain local, back to universal, and then back to global.

Note: You can’t convert a global group directly to a domain local group, and you can’t convert a domain local group directly to a global group. However, you can convert it to a universal group first, and then convert it to a domain local or global group.

Add a user to a group.

dsmod group group-DN -addmbr user-DN

C:\>dsmod group "cn=IT Admins,ou=east,ou=sales,dc=habib,dc=local" -addmbr "cn=Joe,ou=east,ou=sales,dc=habib,dc=local"

C:\>dsmod group "cn=IT Admins,ou=east,ou=sales,dc=habib,dc=local" -addmbr "cn=Joe,ou=east,ou=sales,dc=habib,dc=local" "cn=Sally,ou=east,ou=sales,dc=habib,dc=local"

You can add users to a group with the -addmbr switch.

The first example adds the user named Joe (created previously) to the IT Admins group and the second example adds both the user Joe and another user named Sally to the group.

Note:
You can add as many members as desired in the same command by adding additional DNs. You need only a space between DNs, not a comma.

Remove a user from a group.

dsmod group group-DN -rmmbr user-DN

C:\>dsmod group "cn=IT Admins,ou=east,ou=sales,dc=habib,dc=local" -rmmbr "cn=Joe,ou=east,ou=sales,dc=habib,dc=local"

You can remove a user from a group with the -rmmbr switch. The example removes the Joe user account from the IT Admins group.


 

 

Add a global group to a domain local group.

dsmod group domain-local-DN -addmbr global-group-DN

C:\>dsmod group "cn=dl_printer,ou=east,ou=sales,dc=habib,dc=local" -addmbr "cn=IT Admins,ou=east,ou=sales,dc=habib,dc=local"

This example shows how to add a global group (IT Admins) to a domain local group (named dl_printer) with the -addmbr switch.

After executing this command, dl_printer appears on the Member Of tab of the IT Admins group.

Remove a group from another group.

dsmod group domain-local-DN -rmmbr global-group-DN

C:\>dsmod group "cn=dl_printer,ou=east,ou=sales,dc=habib,dc=local" -rmmbr "cn=IT Admins,ou=east,ou=sales,dc=habib,dc=local"

This example removes the global group (IT Admins) from the domain local group (named dl_printer) with the -rmmbr switch.
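
An added example, not part of the original page: a small Python auditor that parses logged dsmod command lines using the switch syntax from the tables above and reports passwords passed as arguments, account enable/disable changes, and membership changes to watched groups. The function names, finding labels and sample command lines are assumptions made for this illustration.

```python
import re

def norm_dn(dn):
    """Lower-case a DN and drop spaces around commas so comparisons are stable."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def audit_dsmod(cmdline, watched_groups=()):
    """Return (finding, detail) tuples for one logged dsmod command line."""
    # Split on whitespace but keep double-quoted DNs whole, then drop the quotes.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    names = [t.lower().rsplit("\\", 1)[-1] for t in tokens]
    start = next((i for i, n in enumerate(names) if n in ("dsmod", "dsmod.exe")), None)
    if start is None or len(tokens) < start + 4:
        return []  # not dsmod, or no switch after "dsmod object-type dn"
    obj_type, target = names[start + 1], norm_dn(tokens[start + 2])
    args = tokens[start + 3:]
    watched = {norm_dn(g) for g in watched_groups}
    findings, k = [], 0
    while k < len(args):
        switch = args[k].lower()
        first = k = k + 1
        if switch == "-pwd":
            k = min(first + 1, len(args))  # exactly one value, even if it starts with "-"
        else:
            while k < len(args) and not args[k].startswith("-"):
                k += 1  # several DNs may follow, separated only by spaces
        values = args[first:k]
        if switch == "-pwd" and values:
            # Report the event only; never copy the password into the finding.
            kind = "password-reset-prompted" if values[0] == "*" else "password-on-command-line"
            findings.append((kind, target))
        elif switch == "-disabled" and values:
            state = {"yes": "disabled", "no": "enabled"}.get(values[0].lower())
            if state:
                findings.append((f"{obj_type}-{state}", target))
        elif switch in ("-addmbr", "-rmmbr") and obj_type == "group" and target in watched:
            action = "member-added" if switch == "-addmbr" else "member-removed"
            findings += [(action, f"{norm_dn(m)} -> {target}") for m in values]
    return findings

# Constructed sample command lines that reuse the DNs from this page's examples.
IT_ADMINS = "cn=IT Admins,ou=east,ou=sales,dc=habib,dc=local"
SAMPLE = [
    'dsmod user "cn=joe,ou=east,ou=sales,dc=habib,dc=local" -pwd abc@123',
    'dsmod user "cn=joe,ou=east,ou=sales,dc=habib,dc=local" -pwd *',
    'dsmod group "cn=IT Admins, ou=east, ou=sales, dc=habib, dc=local" -addmbr '
    '"cn=Joe,ou=east,ou=sales,dc=habib,dc=local" "cn=Sally,ou=east,ou=sales,dc=habib,dc=local"',
    'C:\\Windows\\System32\\dsmod.exe computer "cn=PC-1,ou=east,ou=sales,dc=habib,dc=local" -disabled no',
]
```

Feed it the command-line field of process-creation events and pass the DNs of privileged groups as watched_groups.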