3. group
The group object adds a new group to Active Directory. This object uses the following syntax:
dsadd group GroupDN [-secgrp {yes | no}] [-scope {l | g | u}]
[-samid SAMName] [-desc Description] [-memberof Group ...]
[-members Member...] [{-s Server | -d Domain}] [-u UserName]
[-p {Password | *}] [-q] [{-uc | -uco | -uci}]
The following list describes each of the command line arguments.
-secgrp {yes | no}
Determines whether the utility adds the group as a security group (yes) or as a distribution group (no). The default setting adds the group as a security group.
-scope {l | g | u}
Determines the group scope. The scopes include local (l), global (g), and universal (u). Mixed mode domains don't support the universal scope. The default setting is global.
-samid SAMName
Specifies the SAM name for the group. You must supply a unique value. The utility creates a SAM name for the group from the distinguished name when you don't supply this value.
-memberof Group ...
Defines the group membership of the group you want to add. The input argument is the distinguished name of a group. You may specify more than one group. Separate the group distinguished names with spaces.
-members Member ...
Defines the membership of this group. All objects that have membership in this group have the same rights as this group.
4. ou (Organizational Unit)
The ou object adds a new organizational unit to Active Directory. This object uses the following syntax:
dsadd ou OrganizationalUnitDN [-desc Description]
[{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-q]
[{-uc | -uco | -uci}]
This object doesn't support any specialized command line arguments.
5. user
The user object adds a new user to Active Directory. A user is someone who has actual access to the network and generally works for the company. This object uses the following syntax:
dsadd user UserDN [-samid SAMName] [-upn UPN] [-fn FirstName]
[-mi Initial] [-ln LastName] [-display DisplayName]
[-empid EmployeeID]
[-pwd {Password | *}] [-desc Description] [-memberof Group ...]
[-office Office] [-tel PhoneNumber] [-email Email]
[-hometel HomePhoneNumber] [-pager PagerNumber]
[-mobile CellPhoneNumber] [-fax FaxNumber] [-iptel IPPhoneNumber]
[-webpg WebPage] [-title Title] [-dept Department]
[-company Company] [-mgr Manager] [-hmdir HomeDirectory]
[-hmdrv DriveLetter:] [-profile ProfilePath] [-loscr ScriptPath]
[-mustchpwd {yes | no}] [-canchpwd {yes | no}]
[-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}]
[-acctexpires NumberOfDays] [-disabled {yes | no}]
[{-s Server | -d Domain}] [-u UserName] [-p {Password | *}]
[-q] [{-uc | -uco | -uci}]
The following list describes each of the command line arguments.
-samid SAMName
Defines the SAM account name for the user.
-upn UPN
Defines the UPN version of the username that includes the fully qualified domain such as [email protected].
-fn FirstName
Specifies the user's first name.
-mi Initial
Specifies the user's middle initial.
-ln LastName
Specifies the user's last name.
-display DisplayName
Determines the user's display name (the name you see when you access the contact entry).
-empid EmployeeID
Specifies the employee identifier. This is a text field, so you can use any form of identifier you want.
-pwd {Password | *}
Defines the user's password. Using a default password and requiring the user to reset it on first access to the network is always the most secure choice for creating a password (see the -mustchpwd command line switch for details). If you supply an asterisk (*), the system prompts you for the password.
-memberof Group ...
Defines the group membership of the user you want to add. The input argument is the distinguished name of a group. You may specify more than one group. Separate the group distinguished names with spaces.
-office Office
Defines the physical office location of the contact.
-tel PhoneNumber
Specifies the user's landline business telephone number.
-email Email
Specifies the user's email address.
You can use the $username$ token to your advantage when creating scripts with this utility. This token can replace the user's name for the -email, -hmdir, -profile, and -webpg arguments. For example, you can specify the user's home directory as -hmdir \users\$username$\home.
-hometel HomePhoneNumber
Specifies the user's home telephone number. Normally, this entry is for a landline telephone, but could also contain a secondary cellular telephone number.
-pager PagerNumber
Specifies the user's pager telephone number and any required special codes.
-mobile CellPhoneNumber
Specifies the user's cellular telephone number.
-fax FaxNumber
Specifies the user's facsimile telephone number.
-iptel IPPhoneNumber
Specifies the user's Internet Protocol (IP) telephone number.
-webpg WebPage
Specifies the user's Web page URL.
-title Title
Specifies the user's business title.
-dept Department
Defines the department in which the contact works.
-company Company
Specifies the user's company name.
-mgr ManagerDN
Defines the user's manager using a distinguished name.
-hmdir HomeDirectory
Defines the user's home directory. The home directory is where the user stores data and begins any computing session. When you supply the home directory using a UNC path, the utility requires that you also supply a drive letter for mapping this path using the -hmdrv command line switch.
-hmdrv DriveLetter:
Defines the user's home directory drive letter. The utility maps the drive letter to the user's directory path on the server.
-profile ProfilePath
Defines the user's profile path.
-loscr ScriptPath
Defines the user's logon script path.
-mustchpwd {yes | no}
Forces the user to change their password during the next logon when set to yes. The default setting is no, which means the user doesn't need to change their password.
-canchpwd {yes | no}
Specifies whether the user can change their password. The default setting of yes allows the user to change their password. You must set this argument to yes when you use the -mustchpwd command line switch. Always force the user to change the password for a new account or after resetting the account.
-reversiblepwd {yes | no}
Determines whether the system stores the password using reversible encryption. The default setting of no prevents the user from using reversible encryption. Always set this argument to no to improve system security.
-pwdneverexpires {yes | no}
Determines whether the user's password expires based on a system policy. The default setting of no forces the user to change the password regularly. Always set this argument to no to improve system security.
-acctexpires NumberOfDays
Specifies the number of days after today when the user's account expires. A value of 0 sets the account to expire at the end of today. A positive value sets the account to expire in the future. A negative value sets the account to expire in the past. You can't set the account to never expire using this argument.
-disabled {yes | no}
Specifies whether the user account is disabled. The default setting of yes disables the account for use. You must specifically enable the account by setting this argument to no.
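The password-related recommendations above (prompted password, forced change at next logon, no reversible encryption, expiring password) and the UNC home directory rule, combined into one dsadd user command line. This is an added PowerShell example, not part of the original text; the helper name New-DsaddUserArgs, the distinguished names, the file server path, the drive letter and the 90-day expiry are constructed placeholders.

```powershell
# Added example. New-DsaddUserArgs is a hypothetical helper; every DN, path
# and name below is a constructed placeholder.
function New-DsaddUserArgs {
    param(
        [Parameter(Mandatory)] [string] $UserDN,
        [Parameter(Mandatory)] [string] $SamId,
        [string[]] $MemberOf = @(),
        [string]   $HomeDir,
        [string]   $HomeDrive,
        [int]      $ExpiresInDays
    )
    # A UNC home directory must be paired with a drive letter (-hmdrv).
    if ($HomeDir -like '\\*' -and -not $HomeDrive) {
        throw "-hmdir '$HomeDir' is a UNC path, so -hmdrv is required."
    }
    if ($HomeDrive -and $HomeDrive -notmatch '^[A-Za-z]:$') {
        throw "-hmdrv expects a value such as 'H:' (got '$HomeDrive')."
    }
    $a = @('user', $UserDN, '-samid', $SamId,
           '-pwd', '*',               # dsadd prompts, so no password in the script
           '-mustchpwd', 'yes',       # change at next logon
           '-canchpwd', 'yes',        # must be yes when -mustchpwd is yes
           '-reversiblepwd', 'no',
           '-pwdneverexpires', 'no',
           '-disabled', 'no')         # enable the account explicitly
    if ($PSBoundParameters.ContainsKey('ExpiresInDays')) {
        $a += '-acctexpires', "$ExpiresInDays"
    }
    if ($MemberOf.Count -gt 0) { $a += '-memberof'; $a += $MemberOf }
    if ($HomeDir)   { $a += '-hmdir', $HomeDir }
    if ($HomeDrive) { $a += '-hmdrv', $HomeDrive }
    return ,$a
}

# Single quotes keep PowerShell from expanding $username$; dsadd receives the
# token literally and substitutes the user's name itself.
$dsaddArgs = New-DsaddUserArgs -UserDN 'CN=Jane Doe,OU=Staff,DC=example,DC=com' `
    -SamId 'jdoe' -MemberOf 'CN=Sales,OU=Groups,DC=example,DC=com' `
    -HomeDir '\\fileserver\users\$username$\home' -HomeDrive 'H:' -ExpiresInDays 90

# Dry run: print the command line, quoting arguments that contain spaces.
$shown = $dsaddArgs | ForEach-Object { if ($_ -match '\s') { "`"$_`"" } else { $_ } }
Write-Output ("dsadd " + ($shown -join ' '))

# Uncomment to create the account (the * makes dsadd prompt for the password):
# & dsadd @dsaddArgs
```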
6. quota
The quota object creates a quota specification for Active Directory. The quota specification determines the maximum number of directory objects that a given security principal can hold. This object uses the following syntax:
dsadd quota -part PartitionDN [-rdn RelativeDistinguishedName]
-acct Name -qlimit Value [-desc Description]
[{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-q]
[{-uc | -uco | -uci}]
The following list describes each of the command line arguments.
-part PartitionDN
Specifies the distinguished name of the directory partition that receives the quota. If you don't supply the distinguished name on the command line, the utility attempts to obtain the distinguished name using the standard input (StdIn) device, which can include the keyboard, a redirected file, or as piped output from another command. Always end the standard input with the Ctrl+Z character.
-rdn RelativeDistinguishedName
Specifies the relative distinguished name of the quota that you want to create. If you don't specify this command line switch, the utility sets it to Domain_AccountName using the domain and account name of the security principal specified by the -acct command line switch.
-acct Name
Specifies the security principal (user, group, computer, or InetOrgPerson) to whom the quota specification applies. You may use a distinguished name as input for this command line argument. The command line argument also accepts the security principal information in the form Domain\SAMAccountName.
-qlimit Value
Specifies the number of directory objects that the security principal can own within the specified partition. Provide a value of -1 to specify an unlimited quota.