Windows 7 / Security and Privacy

Creating group accounts at the command line

At the command line, you can create groups using DSADD. For groups, AD path strings describe the group's location in the directory from the group name to the actual containers in which it is stored. You specify whether the group is a security group using -secgrp yes or that a group is a distribution group using -secgrp no. You specify the scope of the group using -scope u for universal, -scope g for global, and -scope l for domain local.

For example, if you want to create a global security group called SeattleServices in the Services OU for the cpandl.com domain, the full path to this group object is CN=SeattleServices,OU=Services,DC=cpandl,DC=com. When creating the group object using DSADD, you must specify this path as follows:

dsadd group "CN=SeattleServices,OU=Services,DC=cpandl,DC=com" -secgrp yes - scope g

For the full syntax and usage, type dsadd group /? at a command prompt. Although quotation marks aren't required in this example, always use them to ensure that don't forget them when they actually are needed, such as when name components contain spaces.

The directory services commands can also be used to perform many group management tasks. Using DSGET GROUP at a command prompt, you can:

  • Determine whether a group is a security group by typing dsget group GroupDN -secgrp.
  • Determine group scope by typing dsget group GroupDN -scope.
  • Determine the members of a group by typing dsget group GroupDN -members where GroupDN is the distinguished name of the group.
  • Determine the groups of which a group is a member by typing dsget group GroupDN -memberof. The -expand option can be added to display the recursively expanded list of groups of which a group is a member.

Using DSMOD GROUP at a command prompt, you can:

  • Change group scope using dsmod group GroupDN -scope u for universal, -scope g for global, and -scope l for domain local.
  • Add members by typing dsmod group GroupDN -addmbr MemberDN where GroupDN is the distinguished name of the group and MemberDN is the distinguished name of the account or group you want to add to the designated group.
  • Remove members by typing dsmod group GroupDN -rmmbr MemberDN.
  • Convert the group to a security group using dsmod group GroupDN -secgrp yes or to a distribution group using dsmod group GroupDN -secgrp no.
[Previous] [Contents] [Next]

In this tutorial:

  1. Managing Users, Groups, and Computers
  2. Managing Domain User Accounts
  3. Configuring User Account Policies
  4. Enforcing Password Policy
  5. Configuring Account Lockout Policy
  6. Creating Password Settings Objects and Applying Secondary Settings
  7. Understanding User Account Capabilities, Privileges, and Rights
  8. Assigning User Rights
  9. Creating and Configuring Domain User Accounts
  10. Configuring Account Options
  11. Configuring Profile Options
  12. Troubleshooting User Accounts
  13. Implementing and Creating Preconfigured Profiles
  14. Configuring Local User Profiles
  15. Implementing Mandatory User Profiles
  16. Managing User Data
  17. Using Offline Files
  18. Configuring Offline Files on Clients
  19. Maintaining User Accounts
  20. Moving User Accounts
  21. Resetting a User's Domain Password
  22. Creating a User Account Password Backup
  23. Managing Groups
  24. Understanding the Scopes of Groups
  25. Creating a Group
  26. Creating group accounts at the command line
  27. Modifying Groups
  28. Managing Computer Accounts
  29. Moving a Computer Account
  30. Configuring Properties of Computer Accounts
  31. Troubleshooting Computer Accounts