Logo
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
EPL Standings
 
 
Windows Server

Windows Server 2008 : Using Basic ds Commands - Understanding Distinguished Names & Adding Objects with dsadd

3/5/2012 4:13:28 PM

Understanding Distinguished Names

Active Directory Domain Services (AD DS) uses the Lightweight Directory Access Protocol (LDAP). Every object in AD DS is uniquely identified with a distinguished name (DN). The DN identifies the object, domain, and Organizational Unit (OU) or container where it’s located.

Figure 1 shows the Active Directory Users and Computers (ADUC) console with the properties of a user account in the pearson.pub domain. It’s in the East OU, which is in the Sales OU.

Figure 1. ADUC showing user account

The DN for the user account shown in the figure is

cn=Darril Gibson, ou=East, ou=Sales, dc=pearson, dc=pub

Note

DNs are not case sensitive. You can use the same case shown in ADUC, or any combination of upper- and lowercase characters. For example, the following DN is the same, even though it doesn’t match the case shown in ADUC:

cn=darril gibson, ou=east, ou=sales, dc=pearson, dc=pub


DS commands (such as dsadd, dsmod, and so on) need the DN to identify the object to create, modify, or delete. When the DN is used within a command, it must be enclosed within quotes if it includes spaces. The following table shows the common components of a DN used with DS commands.

DN ComponentDescription
CNCN is short for common name. It’s used to indicate the common name of an object (such as the user’s account name) or the name of a container (such as the Users or Computers containers). Notice in Figure 7-1 that the account name is Darril Gibson (with a space) but the user logon name is DarrilGibson (with no space).
OUOU is short for Organizational Unit. When multiple OUs are listed, the top level is listed last. For example, the Sales OU is the top-level OU in Figure 7-1 and is listed as the last OU and closest to the domain.

Note

Nested OUs often give people the most trouble when building the DN. An easy check is to see whether the top-level OU is next to the domain component (dc) and the last child OU is listed first.

DCDC is short for domain component. Notice that each portion of the DC must be separate. This is incorrect and results in an error: dc=pearson.pub. It must be separated as dc=pearson, dc=pub.

Note

Although there are many more DN components that can be used with LDAP, the three shown in the preceding table are the ones you need to know for the DS commands.


You can use spaces in some places in the DN command or omit them. For example, you can use spaces after the commas to separate the DN components. You also can use spaces before the equal signs (but not after the equal signs in some commands). They will be interpreted the same. The following table shows both valid usage of spaces and one example, which causes errors.

Valid?DN ComponentDescription
Valid
"cn=Joe,ou=east,ou=sales,dc=
pearson,dc=pub"

No spaces
Valid
"cn=Joe, ou=east, ou=sales,
dc=pearson, dc=pub"

Spaces after the commas
Valid
"cn =Joe, ou =east,
ou =sales, dc =pearson,
dc =pub"

Spaces after the commas and before the equal (=) signs
Error
"cn = Joe, ou = east,
ou = sales, dc = pearson,
dc = pub"

Spaces after the equal (=) sign results in errors in many commands

Tip

Avoid commas before and after the equal (=) sign to prevent potential problems. However, it’s common to use spaces after the commas for readability. Just remember that if any spaces are used, the entire DN must be enclosed in quotes.

Adding Objects with dsadd

You can add objects with the dsadd command. The basic syntax is

dsadd object-type DN

Some common object types you can add are users, computers, groups, and OUs. The following table shows the syntax to create specific accounts. Each of these commands creates an account in the pearson.pub domain, in the East OU nested in the Sales OU.

Note

The dsadd command creates accounts using the same case you use in the command. In other words, you can create an account named joe or an account named Joe, depending on the case you use in the DN. If the DN is lowercase, the account is built with lowercase.


dsadd CommandComments
Add a user.
dsadd user dn [-pwd password]
C:\>dsadd user "cn=Joe,
ou=east,ou=sales,dc=pearson,
dc=pub"
C:\>dsadd user "cn=joe2,
ou=east,ou=sales,dc=pearson,
dc=pub" -pwd P@ssw0rd

Adds a user account. The example adds a user account named Joe to the sales\east OU.

If you don’t include a password, the account is disabled by default. If you include the password, but it doesn’t meet the password complexity requirements, the account is disabled.

However, if you include the password and it meets complexity requirements, the account is enabled (as shown in Figure 2).
Add a group.
dsadd group dn -secgroup
{yes | no} -scope { l | g
| u }
C:\>dsadd group "cn=IT Admins,
ou=east,ou=sales,dc=pearson,
dc=pub" -secgrp yes -scope g
C:\>dsadd group "cn=IT
Admins2, ou=east, ou=sales,
dc=pearson, dc=pub"
C:\>dsadd group "cn=dl_
printer, ou=east, ou=sales,
dc=pearson, dc=pub" -scope l

You can add security groups (with -secgroup yes) or distribution groups (with -secgroup no). You add different scopes with the -scope switch. Create domain local groups (with -scope l), create global groups (with -scope g), and create universal groups (with -scope u).

Tip

The dsadd group command defaults to a global security group so you can omit the -secgroup and -scope switches.

The examples add two global security groups (IT Admins and IT Admins2) and one domain local security group (dl_printer).
Add a computer.
dsadd computer dn
C:\>dsadd computer "cn=PC-1,
ou=east, ou=sales,
dc=pearson, dc=pub"

The example command creates a computer named PC-1 in the sales\east OU.

Tip

You can also identify different properties for any of these objects. For a full listing of the properties for any of the objects, use the help command as dsadd user /?, dsadd group /?, or dsadd computer /?.


Figure 2 shows ADUC with the accounts created in the previous table. Notice that the Joe account is disabled because a password wasn’t given. The down arrow icon in the user icon indicates that it is disabled. Also, notice that Joe starts with an uppercase J because that’s how the command was entered, and the joe2 account starts with a lowercase j.

Figure 2. ADUC showing accounts created with the dsadd command
Top Search -----------------
- Windows Server 2008 R2 : Work with RAID Volumes - Understand RAID Levels & Implement RAID
- Windows Server 2008 R2 Administration : Managing Printers with the Print Management Console
- Configuring Email Settings in Windows Small Business Server 2011
- Windows Server 2008 R2 : Configuring Folder Security, Access, and Replication - Implement Permissions
- Monitoring Exchange Server 2010 : Monitoring Mail Flow
- Windows Server 2008 R2 :Task Scheduler
- Windows Server 2008 R2 : File Server Resource Manager
- Windows Server 2008 R2 : Installing DFS
- Exchange Server 2010 : Managing Anti-Spam and Antivirus Countermeasures
- Windows Server 2008 R2 : Configuring Folder Security, Access, and Replication - Share Folders
Other -----------------
- Windows Server 2008 : Manipulating IIS with appcmd
- Microsoft Lync Server 2010 Edge : Edge Server Administration (part 2)
- Microsoft Lync Server 2010 Edge : Edge Server Administration (part 1)
- Sharepoint 2010 : Setting Up the Crawler - Crawling Other Document Types with iFilters
- Sharepoint 2010 : Setting Up the Crawler - Defining Scopes
- Microsoft Dynamics CRM 4.0 Accelerators : Extended Sales Forecasting Accelerator (part 1) - CRM Reports
- Microsoft Dynamics CRM 4.0 Accelerators : Extended Sales Forecasting Accelerator (part 1) - CRM Customizations
- Microsoft Dynamics AX 2009 : Processing Business Tasks - Building a Display dimensions dialog
- Microsoft Dynamics AX 2009 : Processing Business Tasks - Creating electronic payment format
- Sharepoint 2007 : Change the Look of a Site Using Themes & Change the Home Page of a Site
 
 
Most view of day
- Windows Server 2008 Server Core : Compressing Data with the Compact Utility
- Manage the Active Directory Domain Services Schema : Remove Attributes from the Index
- Add an InfoPath Form Web Part to a SharePoint Web Part Page
- Microsoft Systems Management Server 2003 : Defining Parent-Child Relationships (part 2) - Installing the Secondary Site Locally from the SMS CD
- Windows Server 2003 : Analyzing Traffic Using Network Monitor (part 1)
- BizTalk 2009 : Host Integration Server 2009 - Planning Your Host Integration Server Topology
- Using Windows Live Programs (part 2) - Using Windows Live Mail
Top 10
- Windows Server 2008 R2 high-availability and recovery features : Installing and Administering Failover Clustering (part 8) - Administering a Failover Cluster
- Windows Server 2008 R2 high-availability and recovery features : Installing and Administering Failover Clustering (part 7) - Create shared folder on cluster, Testing Failover of Cluster
- Windows Server 2008 R2 high-availability and recovery features : Installing and Administering Failover Clustering (part 6) - Add primary storage to cluster, Configure service or application
- Windows Server 2008 R2 high-availability and recovery features : Installing and Administering Failover Clustering (part 5) - Creating a new Failover Cluster
- Windows Server 2008 R2 high-availability and recovery features : Installing and Administering Failover Clustering (part 4) - Verifying cluster configuration using the Cluster Validation Wizard
- Windows Server 2008 R2 high-availability and recovery features : Installing and Administering Failover Clustering (part 3) - Connecting cluster nodes to shared storage
- Windows Server 2008 R2 high-availability and recovery features : Installing and Administering Failover Clustering (part 2) - Adding Failover Clustering feature
- Windows Server 2008 R2 high-availability and recovery features : Installing and Administering Failover Clustering (part 1) - Failover Clustering prerequisites
- Working in the Background : WORKING WITH THE NETWORK LIST MANAGER
- Working in the Background : IMPLEMENTING APPLICATION RESTART AND RECOVERY
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro