
Creating group accounts at the command line

At the command line, you can create groups using DSADD. For groups, AD path strings describe the group's location in the directory, from the group name to the actual containers in which it is stored. Use -secgrp yes to create a security group or -secgrp no to create a distribution group. You specify the scope of the group using -scope u for universal, -scope g for global, and -scope l for domain local.

For example, if you want to create a global security group called SeattleServices in the Services OU for the cpandl.com domain, the full path to this group object is CN=SeattleServices,OU=Services,DC=cpandl,DC=com. When creating the group object using DSADD, you must specify this path as follows:

dsadd group "CN=SeattleServices,OU=Services,DC=cpandl,DC=com" -secgrp yes -scope g

For the full syntax and usage, type dsadd group /? at a command prompt. Although quotation marks aren't required in this example, always use them so that you don't forget them when they actually are needed, such as when name components contain spaces.

The directory services commands can also be used to perform many group management tasks. Using DSGET GROUP at a command prompt, you can:

  • Determine whether a group is a security group by typing dsget group GroupDN -secgrp.
  • Determine group scope by typing dsget group GroupDN -scope.
  • Determine the members of a group by typing dsget group GroupDN -members where GroupDN is the distinguished name of the group.
  • Determine the groups of which a group is a member by typing dsget group GroupDN -memberof. The -expand option can be added to display the recursively expanded list of groups of which a group is a member.

Using DSMOD GROUP at a command prompt, you can:

  • Change group scope using dsmod group GroupDN -scope u for universal, -scope g for global, and -scope l for domain local.
  • Add members by typing dsmod group GroupDN -addmbr MemberDN where GroupDN is the distinguished name of the group and MemberDN is the distinguished name of the account or group you want to add to the designated group.
  • Remove members by typing dsmod group GroupDN -rmmbr MemberDN.
  • Convert the group to a security group using dsmod group GroupDN -secgrp yes or to a distribution group using dsmod group GroupDN -secgrp no.
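
The commands above combined into one batch file, as an added example that is not part of the original page: it creates the SeattleServices group, confirms its type and scope, adds one member, and then lists direct, expanded, and inherited memberships so that nested access can be reviewed. The member DN (CN=Jane Doe) is a constructed placeholder, and the script assumes the directory service tools are installed and that you run it with rights to create groups in the Services OU.

```batch
@echo off
rem Added example: create a group, then verify what it is and who is in it.
rem GROUP_DN is the page's example group. MEMBER_DN is a constructed
rem placeholder account; replace it with a real distinguished name.
setlocal
set "GROUP_DN=CN=SeattleServices,OU=Services,DC=cpandl,DC=com"
set "MEMBER_DN=CN=Jane Doe,OU=Services,DC=cpandl,DC=com"

rem Create a global security group. Quotes are required for MEMBER_DN
rem (it contains a space) and are used everywhere for consistency.
dsadd group "%GROUP_DN%" -secgrp yes -scope g
if errorlevel 1 (
    echo Could not create "%GROUP_DN%"
    exit /b 1
)

rem Confirm the group really is a security group with global scope.
dsget group "%GROUP_DN%" -secgrp -scope

rem Add the member, stopping if the account DN is wrong or missing.
dsmod group "%GROUP_DN%" -addmbr "%MEMBER_DN%"
if errorlevel 1 (
    echo Could not add "%MEMBER_DN%"
    exit /b 1
)

rem Direct members only.
echo --- Direct members ---
dsget group "%GROUP_DN%" -members

rem Recursively expanded members: accounts that arrive through nested groups.
echo --- Effective members ---
dsget group "%GROUP_DN%" -members -expand

rem Every group this group belongs to, directly or through nesting.
rem Permissions granted to any group listed here also reach the members above.
echo --- Inherited group memberships ---
dsget group "%GROUP_DN%" -memberof -expand

endlocal
```

Comparing the direct and expanded listings shows which accounts gain membership only through nesting, which is the access most often overlooked in a group review.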