You can modify account properties from the command prompt with the dsmod command. The basic syntax is:
dsmod object-type dn -property property-value
The common object-types you modify with the dsmod command are the same ones you create with the dsadd command: users, computers, groups, and OUs.
Tip
You can also identify different properties for any of these objects with the help command. Useful help commands are dsmod user /?, dsmod group /?, or dsmod computer /?.
The following table shows some common uses of the dsmod command when working with users and computers.
| dsmod Commands for Users and Computers | Comments |
|---|---|
| Change a user password.<br>`dsmod user dn -pwd * \| password`<br>`C:\>dsmod user "cn=joe,ou=east,ou=sales,dc=pearson,dc=pub" -pwd *`<br>`C:\>dsmod user "cn=joe,ou=east,ou=sales,dc=pearson,dc=pub" -pwd P@ssw0rd` | You can change a user's password with the -pwd switch. You can either specify the password or use the asterisk (*). If you use the asterisk, you will be prompted to enter the new password. |
| Enable or disable a user account.<br>`dsmod user dn -disabled yes \| no`<br>`C:\>dsmod user "cn=joe,ou=east,ou=sales,dc=pearson,dc=pub" -disabled no` | You can enable or disable a user account with the -disabled switch. To disable it, use -disabled yes and to enable it, use -disabled no. |
| Enable or disable a computer account.<br>`dsmod computer dn -disabled yes \| no`<br>`C:\>dsmod computer "cn=PC-1, ou=east, ou=sales, dc=pearson, dc=pub" -disabled yes` | You can also enable or disable a computer account with the -disabled switch. To disable it, use -disabled yes and to enable it, use -disabled no. |
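
The -pwd row above accepts either a literal password or the asterisk. As an added example (not from the original page), this PowerShell function scans recorded command lines for dsmod user calls that passed a literal password instead of the asterisk and redacts the value. The function name is hypothetical, and the sample lines reuse the page's own examples.

```powershell
# Added example, not from the original page. The function name is hypothetical;
# the sample command lines reuse the page's own examples.
function Find-DsmodPasswordExposure {
    param([Parameter(Mandatory)] [string[]] $CommandLine)
    foreach ($line in $CommandLine) {
        # Only "dsmod user" takes -pwd; skip every other command line.
        if ($line -notmatch '(?i)\bdsmod(\.exe)?"?\s+user\s') { continue }
        # Tokenize, keeping a double-quoted DN (which may contain spaces) whole.
        $tokens = @([regex]::Matches($line, '"[^"]*"|\S+') | ForEach-Object { $_.Value })
        for ($i = 0; $i -lt $tokens.Count - 1; $i++) {
            if ($tokens[$i] -ine '-pwd') { continue }
            # '*' means dsmod prompted for the password; anything else was
            # typed in clear text and is now in the recorded command line.
            $exposed = ($tokens[$i + 1].Trim('"') -ne '*')
            if ($exposed) { $tokens[$i + 1] = '<redacted>' }
            [pscustomobject]@{
                Exposed     = $exposed
                CommandLine = $tokens -join ' '
            }
        }
    }
}

# Sample input taken from the page's examples.
$sample = @(
    'dsmod user "cn=joe,ou=east,ou=sales,dc=pearson,dc=pub" -pwd *'
    'dsmod user "cn=joe,ou=east,ou=sales,dc=pearson,dc=pub" -pwd P@ssw0rd'
    'dsmod user "cn=joe,ou=east,ou=sales,dc=pearson,dc=pub" -disabled no'
)
Find-DsmodPasswordExposure -CommandLine $sample | Where-Object Exposed
```

A password that shows up in a recorded command line should be treated as disclosed and reset with -pwd * so the new value is entered at the prompt.
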
The following table shows some common uses of the dsmod command when working with groups.
| dsmod Commands for Groups | Comments |
|---|---|
| Change a group type.<br>`dsmod group DN -secgrp yes \| no`<br>`C:\>dsmod group "cn=IT Admins, ou=east, ou=sales, dc=pearson, dc=pub" -secgrp no`<br>`C:\>dsmod group "cn=IT Admins, ou=east, ou=sales, dc=pearson, dc=pub" -secgrp yes` | You can designate a group as a security group with -secgrp yes, or as a distribution group with -secgrp no.<br>Note: Security groups can have permissions assigned and be used for email lists. Distribution groups can only be used for email lists. |
| Change a group scope.<br>`dsmod group DN -scope l \| g \| u`<br>`C:\>dsmod group "cn=IT Admins, ou=east, ou=sales, dc=pearson, dc=pub" -scope u`<br>`C:\>dsmod group "cn=IT Admins, ou=east, ou=sales, dc=pearson, dc=pub" -scope l`<br>`C:\>dsmod group "cn=IT Admins, ou=east, ou=sales, dc=pearson, dc=pub" -scope u`<br>`C:\>dsmod group "cn=IT Admins, ou=east, ou=sales, dc=pearson, dc=pub" -scope g` | Group scopes include global, domain local, or universal in a domain. You can use the -scope switch to change the scope from one to another. The examples change the scope of the IT Admins group from global to universal, then to domain local, back to universal, and then back to global.<br>Note: You can't convert a global group directly to a domain local group, and you can't convert a domain local group directly to a global group. However, you can convert it to a universal group first, and then convert it to a domain local or global group. |
| Add a user to a group.<br>`dsmod group group-DN -addmbr user-DN`<br>`C:\>dsmod group "cn=IT Admins, ou=east, ou=sales, dc=pearson, dc=pub" -addmbr "cn=Joe,ou=east,ou=sales,dc=pearson,dc=pub"`<br>`C:\>dsmod group "cn=IT Admins, ou=east, ou=sales, dc=pearson, dc=pub" -addmbr "cn=Joe,ou=east,ou=sales,dc=pearson,dc=pub" "cn=Sally,ou=east,ou=sales,dc=pearson,dc=pub"` | You can add users to a group with the -addmbr switch. The first example adds the user named Joe (created previously) to the IT Admins group and the second example adds both the user Joe and another user named Sally to the group.<br>Tip: You can add as many members as desired in the same command by adding additional DNs. You need only a space between DNs, not a comma. |
| Remove a user from a group.<br>`dsmod group group-DN -rmmbr user-DN`<br>`C:\>dsmod group "cn=IT Admins, ou=east, ou=sales, dc=pearson, dc=pub" -rmmbr "cn=Joe, ou=east, ou=sales, dc=pearson, dc=pub"` | You can remove a user from a group with the -rmmbr switch. The example removes the Joe user account from the IT Admins group.<br>Figure 1 shows the IT Admins Members tab after the user is added. |
| Add a global group to a domain local group.<br>`dsmod group domain-local-DN -addmbr global-group-DN`<br>`C:\>dsmod group "cn=dl_printer, ou=east, ou=sales, dc=pearson, dc=pub" -addmbr "cn=IT Admins, ou=east, ou=sales, dc=pearson, dc=pub"` | This example shows how to add a global group (IT Admins) to a domain local group (named dl_printer) with the -addmbr switch.<br>In the IT Admins Member Of tab, you see the dl_printer group added after executing this command. |
| Remove a group from another group.<br>`dsmod group domain-local-DN -rmmbr global-group-DN`<br>`C:\>dsmod group "cn=dl_printer, ou=east, ou=sales, dc=pearson, dc=pub" -rmmbr "cn=IT Admins, ou=east, ou=sales, dc=pearson, dc=pub"` | This example removes the global group (IT Admins) from the domain local group (named dl_printer) with the -rmmbr switch. |
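
The scope conversion rule in the note above (global and domain local convert only through universal), as an added PowerShell example that is not from the original page: it plans the dsmod -scope steps and, with -Execute, stops at the first step that fails. The function and parameter names are hypothetical, and a nonzero dsmod exit code is assumed to indicate failure.

```powershell
# Added example, not from the original page. Function and parameter names
# are hypothetical; the group DN is the page's sample.
function Convert-GroupScope {
    param(
        [Parameter(Mandatory)] [string] $GroupDN,
        [Parameter(Mandatory)] [ValidateSet('l', 'g', 'u')] [string] $From,
        [Parameter(Mandatory)] [ValidateSet('l', 'g', 'u')] [string] $To,
        [switch] $Execute   # without this, only the planned commands are returned
    )
    # Global <-> domain local has no direct conversion: go through universal.
    if ($From -eq $To) { $path = @() }
    elseif ($From -ne 'u' -and $To -ne 'u') { $path = @('u', $To) }
    else { $path = @($To) }

    $current = $From
    foreach ($scope in $path) {
        $status = 'planned'
        if ($Execute) {
            # Array arguments let PowerShell quote a DN that contains spaces.
            $dsArgs = @('group', $GroupDN, '-scope', $scope)
            & dsmod.exe @dsArgs | Out-Host
            # Assumption: dsmod returns a nonzero exit code on failure.
            $status = if ($LASTEXITCODE -eq 0) { 'ok' } else { 'failed' }
        }
        [pscustomobject]@{
            Command    = "dsmod group `"$GroupDN`" -scope $scope"
            Status     = $status
            ScopeAfter = if ($status -eq 'failed') { $current } else { $scope }
        }
        if ($status -eq 'failed') {
            # A failure on the second step leaves the group universal, not in
            # its original scope, so report the actual state and stop.
            Write-Warning "Stopped: group scope is '$current', requested '$To'."
            break
        }
        $current = $scope
    }
}

# Plan only: global to domain local yields two steps (-scope u, then -scope l).
Convert-GroupScope -GroupDN 'cn=IT Admins,ou=east,ou=sales,dc=pearson,dc=pub' -From g -To l
```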