Logo
PREGNANCY
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
 
 
Windows Server

Windows Server 2008 : Using Basic ds Commands - Understanding Distinguished Names & Adding Objects with dsadd

3/5/2012 4:13:28 PM

Understanding Distinguished Names

Active Directory Domain Services (AD DS) uses the Lightweight Directory Access Protocol (LDAP). Every object in AD DS is uniquely identified with a distinguished name (DN). The DN identifies the object, domain, and Organizational Unit (OU) or container where it’s located.

Figure 1 shows the Active Directory Users and Computers (ADUC) console with the properties of a user account in the pearson.pub domain. It’s in the East OU, which is in the Sales OU.

Figure 1. ADUC showing user account

The DN for the user account shown in the figure is

cn=Darril Gibson, ou=East, ou=Sales, dc=pearson, dc=pub

Note

DNs are not case sensitive. You can use the same case shown in ADUC, or any combination of upper- and lowercase characters. For example, the following DN is the same, even though it doesn’t match the case shown in ADUC:

cn=darril gibson, ou=east, ou=sales, dc=pearson, dc=pub


DS commands (such as dsadd, dsmod, and so on) need the DN to identify the object to create, modify, or delete. When the DN is used within a command, it must be enclosed within quotes if it includes spaces. The following table shows the common components of a DN used with DS commands.

DN ComponentDescription
CNCN is short for common name. It’s used to indicate the common name of an object (such as the user’s account name) or the name of a container (such as the Users or Computers containers). Notice in Figure 7-1 that the account name is Darril Gibson (with a space) but the user logon name is DarrilGibson (with no space).
OUOU is short for Organizational Unit. When multiple OUs are listed, the top level is listed last. For example, the Sales OU is the top-level OU in Figure 7-1 and is listed as the last OU and closest to the domain.

Note

Nested OUs often give people the most trouble when building the DN. An easy check is to see whether the top-level OU is next to the domain component (dc) and the last child OU is listed first.

DCDC is short for domain component. Notice that each portion of the DC must be separate. This is incorrect and results in an error: dc=pearson.pub. It must be separated as dc=pearson, dc=pub.

Note

Although there are many more DN components that can be used with LDAP, the three shown in the preceding table are the ones you need to know for the DS commands.


You can use spaces in some places in the DN command or omit them. For example, you can use spaces after the commas to separate the DN components. You also can use spaces before the equal signs (but not after the equal signs in some commands). They will be interpreted the same. The following table shows both valid usage of spaces and one example, which causes errors.

Valid?DN ComponentDescription
Valid
"cn=Joe,ou=east,ou=sales,dc=
pearson,dc=pub"

No spaces
Valid
"cn=Joe, ou=east, ou=sales,
dc=pearson, dc=pub"

Spaces after the commas
Valid
"cn =Joe, ou =east,
ou =sales, dc =pearson,
dc =pub"

Spaces after the commas and before the equal (=) signs
Error
"cn = Joe, ou = east,
ou = sales, dc = pearson,
dc = pub"

Spaces after the equal (=) sign results in errors in many commands

Tip

Avoid commas before and after the equal (=) sign to prevent potential problems. However, it’s common to use spaces after the commas for readability. Just remember that if any spaces are used, the entire DN must be enclosed in quotes.

Adding Objects with dsadd

You can add objects with the dsadd command. The basic syntax is

dsadd object-type DN

Some common object types you can add are users, computers, groups, and OUs. The following table shows the syntax to create specific accounts. Each of these commands creates an account in the pearson.pub domain, in the East OU nested in the Sales OU.

Note

The dsadd command creates accounts using the same case you use in the command. In other words, you can create an account named joe or an account named Joe, depending on the case you use in the DN. If the DN is lowercase, the account is built with lowercase.


dsadd CommandComments
Add a user.
dsadd user dn [-pwd password]
C:\>dsadd user "cn=Joe,
ou=east,ou=sales,dc=pearson,
dc=pub"
C:\>dsadd user "cn=joe2,
ou=east,ou=sales,dc=pearson,
dc=pub" -pwd P@ssw0rd

Adds a user account. The example adds a user account named Joe to the sales\east OU.

If you don’t include a password, the account is disabled by default. If you include the password, but it doesn’t meet the password complexity requirements, the account is disabled.

However, if you include the password and it meets complexity requirements, the account is enabled (as shown in Figure 2).
Add a group.
dsadd group dn -secgroup
{yes | no} -scope { l | g
| u }
C:\>dsadd group "cn=IT Admins,
ou=east,ou=sales,dc=pearson,
dc=pub" -secgrp yes -scope g
C:\>dsadd group "cn=IT
Admins2, ou=east, ou=sales,
dc=pearson, dc=pub"
C:\>dsadd group "cn=dl_
printer, ou=east, ou=sales,
dc=pearson, dc=pub" -scope l

You can add security groups (with -secgroup yes) or distribution groups (with -secgroup no). You add different scopes with the -scope switch. Create domain local groups (with -scope l), create global groups (with -scope g), and create universal groups (with -scope u).

Tip

The dsadd group command defaults to a global security group so you can omit the -secgroup and -scope switches.

The examples add two global security groups (IT Admins and IT Admins2) and one domain local security group (dl_printer).
Add a computer.
dsadd computer dn
C:\>dsadd computer "cn=PC-1,
ou=east, ou=sales,
dc=pearson, dc=pub"

The example command creates a computer named PC-1 in the sales\east OU.

Tip

You can also identify different properties for any of these objects. For a full listing of the properties for any of the objects, use the help command as dsadd user /?, dsadd group /?, or dsadd computer /?.


Figure 2 shows ADUC with the accounts created in the previous table. Notice that the Joe account is disabled because a password wasn’t given. The down arrow icon in the user icon indicates that it is disabled. Also, notice that Joe starts with an uppercase J because that’s how the command was entered, and the joe2 account starts with a lowercase j.

Figure 2. ADUC showing accounts created with the dsadd command
Other -----------------
- Windows Server 2008 : Manipulating IIS with appcmd
- Microsoft Lync Server 2010 Edge : Edge Server Administration (part 2)
- Microsoft Lync Server 2010 Edge : Edge Server Administration (part 1)
- Sharepoint 2010 : Setting Up the Crawler - Crawling Other Document Types with iFilters
- Sharepoint 2010 : Setting Up the Crawler - Defining Scopes
- Microsoft Dynamics CRM 4.0 Accelerators : Extended Sales Forecasting Accelerator (part 1) - CRM Reports
- Microsoft Dynamics CRM 4.0 Accelerators : Extended Sales Forecasting Accelerator (part 1) - CRM Customizations
- Microsoft Dynamics AX 2009 : Processing Business Tasks - Building a Display dimensions dialog
- Microsoft Dynamics AX 2009 : Processing Business Tasks - Creating electronic payment format
- Sharepoint 2007 : Change the Look of a Site Using Themes & Change the Home Page of a Site
- Sharepoint 2007 : Open the Site’s Settings Page & Change the Name, Description, Icon, or URL of a Site
- Microsoft Content Management Server : Preparing Postings for Search Indexing - Outputting META Tags
- Microsoft Content Management Server : Influencing Search Engines with the ROBOTS META Tag
- Windows Server 2003 : Recovering from System Failure (part 2) - Recovery Console
- Windows Server 2003 : Recovering from System Failure (part 1)
- Microsoft BizTalk 2010 : Consuming ASDK-based Adapters - The WCF-Custom adapter and SOAP actions
- Microsoft BizTalk 2010 : Consuming ASDK-based Adapters - Using the ASDK development tools
- Microsoft SQL Server 2008 R2 : SQL Server Management Studio - Administration Tools (part 2)
- Microsoft SQL Server 2008 R2 : SQL Server Management Studio - Administration Tools (part 1)
- Microsoft SQL Server 2008 R2 : SQL Server Management Studio - The Integrated Environment
 
 
Most view of day
- Windows Phone 8 : Configuring Basic Device Settings - Date and Time (part 1) - Setting the Date and Time
- Microsoft Access 2010 : Enhancing the Queries That You Build - Everything You Need to Know About Query Basics
- Microsoft SharePoint 2013 : Working with Visio Services - Designing dashboards - Data linking (part 1) - Obtaining external data
- SharePoint 2010 : Farm Governance - Configuring Resource Throttling
- Sharepoint 2013 : Get to a Site’s Permission Management Page (part 2) - Check What Permissions a User or a Group Has on a Site
- Leveraging the SharePoint Workspace : Leveraging the SharePoint Workspace, View Your List and Display Form Offline
- Games and Windows 7 : Using the Games Explorer (part 3) - Rating Your System's Performance
- Microsoft Dynamic GP 2010 : Protecting Dynamics GP with key security settings
- Maintaining Security : Maintaining High Security, Setting Internet Explorer Security
- Microsoft Visio 2010 : Working with Data - Creating Reports (part 3) - Using Reports with Other Documents
Top 10
- Windows Server 2012 : Configuring IPsec (part 7) - Configuring connection security rules - Monitoring IPsec
- Windows Server 2012 : Configuring IPsec (part 6) - Configuring connection security rules - Creating a custom rule, Configuring authenticated bypass
- Windows Server 2012 : Configuring IPsec (part 5) - Configuring connection security rules - Creating an authentication exemption rule, Creating a server-to-server rule, Creating a tunnel rule
- Windows Server 2012 : Configuring IPsec (part 4) - Configuring connection security rules - Types of connection security rules, Creating an isolation rule
- Windows Server 2012 : Configuring IPsec (part 3) - Configuring IPsec settings - Customizing IPsec tunnel authorizations, Configuring IPsec settings using Windows PowerShell
- Windows Server 2012 : Configuring IPsec (part 2) - Configuring IPsec settings - Customizing IPsec defaults
- Windows Server 2012 : Configuring IPsec (part 1) - Understanding connection security
- Microsoft Project 2010 : Linking Tasks (part 8) - Auditing Task Links,Using the Task Inspector
- Microsoft Project 2010 : Linking Tasks (part 7) - Creating Links by Using the Mouse,Working with Automatic Linking Options
- Microsoft Project 2010 : Linking Tasks (part 6) - Creating Links by Using the Entry Table
 
 
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro