Directory Service Command Line Tools
DSADD This tool's commands add specific types of objects to the directory
DSGET This tool's commands display the selected properties of a specific object in the directory
DSMOD This dsmod command modifies existing objects in the directory
DSMOVE This command moves or renames an object within the directory
DSQUERY This tool's commands suite allow you to query the directory according to specified criteria
DSRM This command deletes objects from the directory
DSADD
Description: This tool's commands add specific types of objects to the
directory. The dsadd commands:
dsadd_computer - adds a computer to the directory.
dsadd_contact - adds a contact to the directory.
dsadd_group - adds a group to the directory.
dsadd_ou - adds an organizational unit to the directory.
dsadd_user - adds a user to the directory.
dsadd_quota - adds a quota specification to a directory partition.
For help on a specific command, type "dsadd <ObjectType> /?" where
<ObjectType> is one of the supported object types shown above.
For example, dsadd ou /?.
Remarks:
Commas that are not used as separators in distinguished names must be
escaped with the backslash ("\") character
(for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com").
Backslashes used in distinguished names must be escaped with a backslash
(for example,
"CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,DC=com").
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsadd computer |
---|
help for adding a computer to the directory. |
Description: Adds a computer to the directory.
Syntax: dsadd computer <ComputerDN> [-samid <SAMName>] [-desc <Description>]
[-loc <Location>] [-memberof <Group ...>]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<ComputerDN> Required. Specifies the distinguished name (DN) of
the computer you want to add.
If the target object is omitted, it will be taken
from standard input (stdin).
-samid <SAMName> Sets the computer SAM account name to <SAMName>.
If this parameter is not specified, then a
SAM account name is derived from the value of
the common name (CN) attribute used in <ComputerDN>.
-desc <Description> Sets the computer description to <Description>.
-loc <Location> Sets the computer location to <Location>.
-memberof <Group ...> Makes the computer a member of one or more groups
given by the space-separated list of DNs <Group ...>.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *}
Password for the user <UserName>. If * is entered
then you are prompted for a password.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be
accepted from the keyboard, a redirected file, or as piped output from
another command. To mark the end of stdin data from the keyboard or
in a redirected file, use Control+Z, for End of File (EOF).
If a value that you supply contains spaces, use quotation marks
around the text (for example,
"CN=DC2,OU=Domain Controllers,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of computer distinguished names).
See also:
dsadd computer /? - help for adding a computer to the directory.
dsadd contact /? - help for adding a contact to the directory.
dsadd group /? - help for adding a group to the directory.
dsadd ou /? - help for adding an organizational unit to the directory.
dsadd user /? - help for adding a user to the directory.
dsadd quota /? - help for adding a quota to the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsadd failed:The parameter is incorrect.
type dsadd /? for help.
dsadd contact |
---|
help for adding a contact to the directory. |
Description: Adds a contact to the directory.
Syntax: dsadd contact <ContactDN> [-fn <FirstName>] [-mi <Initial>]
[-ln <LastName>] [-display <DisplayName>] [-desc <Description>]
[-office <Office>] [-tel <Phone#>] [-email <Email>]
[-hometel <HomePhone#>] [-pager <Pager#>] [-mobile <CellPhone#>]
[-fax <Fax#>] [-iptel <IPPhone#>] [-title <Title>]
[-dept <Department>] [-company <Company>]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<ContactDN> Required. Distinguished name (DN) of contact to add.
If the target object is omitted, it will be taken
from standard input (stdin).
-fn <FirstName> Sets contact first name to <FirstName>.
-mi <Initial> Sets contact middle initial to <Initial>.
-ln <LastName> Sets contact last name to <LastName>.
-display <DisplayName> Sets contact display name to <DisplayName>.
-desc <Description> Sets contact description to <Description>.
-office <Office> Sets contact office location to <Office>.
-tel <Phone#> Sets contact telephone# to <Phone#>.
-email <Email> Sets contact e-mail address to <Email>.
-hometel <HomePhone#> Sets contact home phone# to <HomePhone#>.
-pager <Pager#> Sets contact pager# to <Pager#>.
-mobile <CellPhone#> Sets contact mobile# to <CellPhone#>.
-fax <Fax#> Sets contact fax# to <Fax#>.
-iptel <IPPhone#> Sets contact IP phone# to <IPPhone#>.
-title <Title> Sets contact title to <Title>.
-dept <Department> Sets contact department to <Department>.
-company <Company> Sets contact company info to <Company>.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *}
Password for the user <UserName>. If * is entered
then you are prompted for a password.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be
accepted from the keyboard, a redirected file, or as piped output from
another command. To mark the end of stdin data from the keyboard or
in a redirected file, use Control+Z, for End of File (EOF).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
See also:
dsadd computer /? - help for adding a computer to the directory.
dsadd contact /? - help for adding a contact to the directory.
dsadd group /? - help for adding a group to the directory.
dsadd ou /? - help for adding an organizational unit to the directory.
dsadd user /? - help for adding a user to the directory.
dsadd quota /? - help for adding a quota to the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsadd failed:The parameter is incorrect.
type dsadd /? for help.
dsadd group |
---|
help for adding a group to the directory. |
Description: Adds a group to the directory.
Syntax: dsadd group <GroupDN> [-secgrp {yes | no}] [-scope {l | g | u}]
[-samid <SAMName>] [-desc <Description>] [-memberof <Group ...>]
[-members <Member ...>] [{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<GroupDN> Required. Distinguished name (DN) of group to add.
If the target object is omitted, it will be taken
from standard input (stdin).
-secgrp {yes | no} Sets this group as a security group (yes) or not (no).
Default: yes.
-scope {l | g | u} Sets the scope of this group: local, global
or universal. If the domain is still in mixed-mode,
then the universal scope is not supported.
Default: global.
-samid <SAMName> Set the SAM account name of group to <SAMName>
(for example, operators).
-desc <Description> Sets group description to <Description>.
-memberof <Group ...> Makes the group a member of one or more groups
given by the space-separated list of DNs <Group ...>.
-members <Member ...> Adds one or more members to this group. Members are
set by space-separated list of DNs <Member ...>.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *} Password for the user <UserName>. If * is entered,
then you are prompted for a password.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be
accepted from the keyboard, a redirected file, or as piped output from
another command. To mark the end of stdin data from the keyboard or
in a redirected file, use Control+Z, for End of File (EOF).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of group distinguished names).
See also:
dsadd computer /? - help for adding a computer to the directory.
dsadd contact /? - help for adding a contact to the directory.
dsadd group /? - help for adding a group to the directory.
dsadd ou /? - help for adding an organizational unit to the directory.
dsadd user /? - help for adding a user to the directory.
dsadd quota /? - help for adding a quota to the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsadd failed:The parameter is incorrect.
type dsadd /? for help.
dsadd ou |
---|
help for adding an organizational unit to the directory. |
Description: Adds an organizational unit to the directory
Syntax: dsadd ou <OrganizationalUnitDN> [-desc <Description>]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<OrganizationalUnitDN> Required. Distinguished name (DN)
of the organizational unit (OU) to add.
If the target object is omitted, it will be taken
from standard input (stdin).
-desc <Description> Set the OU description to <Description>.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *}
Password for the user <UserName>. If * is entered
then you are prompted for a password.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be
accepted from the keyboard, a redirected file, or as piped output from
another command. To mark the end of stdin data from the keyboard or
in a redirected file, use Control+Z, for End of File (EOF).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "OU=Domain Controllers,DC=microsoft,DC=com").
See also:
dsadd computer /? - help for adding a computer to the directory.
dsadd contact /? - help for adding a contact to the directory.
dsadd group /? - help for adding a group to the directory.
dsadd ou /? - help for adding an organizational unit to the directory.
dsadd user /? - help for adding a user to the directory.
dsadd quota /? - help for adding a quota to the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsadd failed:The parameter is incorrect.
type dsadd /? for help.
dsadd user |
---|
help for adding a user to the directory. |
Description: Adds a user to the directory.
Syntax: dsadd user <UserDN> [-samid <SAMName>] [-upn <UPN>] [-fn <FirstName>]
[-mi <Initial>] [-ln <LastName>] [-display <DisplayName>]
[-empid <EmployeeID>] [-pwd {<Password> | *}] [-desc <Description>]
[-memberof <Group ...>] [-office <Office>] [-tel <Phone#>]
[-email <Email>] [-hometel <HomePhone#>] [-pager <Pager#>]
[-mobile <CellPhone#>] [-fax <Fax#>] [-iptel <IPPhone#>]
[-webpg <WebPage>] [-title <Title>] [-dept <Department>]
[-company <Company>] [-mgr <Manager>] [-hmdir <HomeDir>]
[-hmdrv <DriveLtr:>] [-profile <ProfilePath>] [-loscr <ScriptPath>]
[-mustchpwd {yes | no}] [-canchpwd {yes | no}]
[-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}]
[-acctexpires <NumDays>] [-disabled {yes | no}]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<UserDN> Required. Distinguished name (DN) of user to add.
If the target object is omitted, it will be taken
from standard input (stdin).
-samid <SAMName> Set the SAM account name of user to <SAMName>.
If not specified, dsadd will attempt
to create SAM account name using up to
the first 20 characters from the
common name (CN) value of <UserDN>.
-upn <UPN> Set the upn value to <UPN>.
-fn <FirstName> Set user first name to <FirstName>.
-mi <Initial> Set user middle initial to <Initial>.
-ln <LastName> Set user last name to <LastName>.
-display <DisplayName> Set user display name to <DisplayName>.
-empid <EmployeeID> Set user employee ID to <EmployeeID>.
-pwd {<Password> | *} Set user password to <Password>. If *, then you are
prompted for a password.
-desc <Description> Set user description to <Description>.
-memberof <Group ...> Make user a member of one or more groups <Group ...>
-office <Office> Set user office location to <Office>.
-tel <Phone#> Set user telephone# to <Phone#>.
-email <Email> Set user e-mail address to <Email>.
-hometel <HomePhone#> Set user home phone# to <HomePhone#>.
-pager <Pager#> Set user pager# to <Pager#>.
-mobile <CellPhone#> Set user mobile# to <CellPhone#>.
-fax <Fax#> Set user fax# to <Fax#>.
-iptel <IPPhone#> Set user IP phone# to <IPPhone#>.
-webpg <WebPage> Set user web page URL to <WebPage>.
-title <Title> Set user title to <Title>.
-dept <Department> Set user department to <Department>.
-company <Company> Set user company info to <Company>.
-mgr <Manager> Set user's manager to <Manager> (format is DN).
-hmdir <HomeDir> Set user home directory to <HomeDir>. If this is
UNC path, then a drive letter that will be mapped to
this path must also be specified through -hmdrv.
-hmdrv <DriveLtr:> Set user home drive letter to <DriveLtr:>
-profile <ProfilePath> Set user's profile path to <ProfilePath>.
-loscr <ScriptPath> Set user's logon script path to <ScriptPath>.
-mustchpwd {yes | no} User must change password at next logon or not.
Default: no.
-canchpwd {yes | no} User can change password or not. This should be
"yes" if the -mustchpwd is "yes". Default: yes.
-reversiblepwd {yes | no}
Store user password using reversible encryption or
not. Default: no.
-pwdneverexpires {yes | no}
User password never expires or not. Default: no.
-acctexpires <NumDays> Set user account to expire in <NumDays> days from
today. A value of 0 implies account expires
at the end of today; a positive value
implies the account expires in the future;
a negative value implies the account already expired
and sets an expiration date in the past;
the string value "never" implies that the
account never expires.
-disabled {yes | no} User account is disabled or not. Default: no.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *} Password for the user <UserName>. If * is entered,
then you are prompted for a password.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be
accepted from the keyboard, a redirected file, or as piped output from
another command. To mark the end of stdin data from the keyboard or
in a redirected file, use Control+Z, for End of File (EOF).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
The special token $username$ (case insensitive) may be used to place the SAM
account name in the value of a parameter. For example, if the target user DN
is CN=Jane Doe,CN=users,CN=microsoft,CN=com and the SAM account name
attribute is "janed," the -hmdir parameter can have
the following substitution:
-hmdir \users\$username$\home
The value of the -hmdir parameter is modified to the following value:
- hmdir \users\janed\home
See also:
dsadd computer /? - help for adding a computer to the directory.
dsadd contact /? - help for adding a contact to the directory.
dsadd group /? - help for adding a group to the directory.
dsadd ou /? - help for adding an organizational unit to the directory.
dsadd user /? - help for adding a user to the directory.
dsadd quota /? - help for adding a quota to the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsadd failed:The parameter is incorrect.
type dsadd /? for help.
dsadd quota |
---|
help for adding a quota to the directory. |
Adds a quota specification to a directory partition. A quota specification
determines the maximum number of directory objects a given security principal
can own in a specified directory partition.
dsadd quota -part <PartitionDN> [-rdn <RDN>] -acct Name
-qlimit <Value> | -1 [-desc <Description>]
[{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}]
[-q] [{-uc | -uco | -uci}]
-part <PartitionDN> Required. Specifies the distinguished name of the
directory partition on which you want to create a
quota. If the distinguished name is omitted, it
will be taken from standard input (stdin).
-rdn <RDN> Specifies the relative distinguished name (RDN)
of the quota specification being created. If the
-rdn option is omitted, it will be set to
<domain>_<accountname>, using the domain and
account name of the security principal specified
by the -acct parameter.
-acct Name Required. Specifies the security principal (user,
group, computer, InetOrgPerson) for whom the
quota specification is being specified. The -acct
option can be provided in the following forms:
DN of the security principal
domain\SAM account name of the security
principal
-qlimit <Value> | -1
Required. Specifies the number of objects within
the directory partition that can be owned by
the security principal. To specify an unlimited
quota, specify -1 as the value.
-desc <Description> Specifies a description for the quota
specification you want to add.
{-s <Server> | -d <Domain>} Connects the computer to either a specified
server or domain. By default, the computer is
connected to a domain controller in the logon
domain.
-u <UserName> Specifies the user name with which user will log
on to a remote server. By default, the logged on
user name is used. You can specify a user name
using one of the following formats:
user name (such as, Linda)
domain\user name (such as, widgets\Linda)
user principal name (UPN) (such as,
Linda@widgets.microsoft.com)
-p {<Password> | *} Specifies use of a specific password or a * to
log on to a remote server. If you type *, then
you are prompted for a password.
-q Suppresses all output to standard output (quiet
mode).
{-uc | -uco | -uci} Specifies that output or input data is formatted
in Unicode. The -uc value specifies a Unicode
format for input from or output to pipe.
The -uco value specifies a Unicode format for
output to pipe or file. The -uci value specifies
a Unicode format for input from pipe or file.
/? Displays help at the command prompt.
If you do not supply a target object at the command prompt, the target object
is obtained from standard input (stdin). Stdin data can be accepted from the
keyboard, a redirected file, or as piped output from another command. To mark
the end of stdin data from the keyboard or in a redirected file, use
Control+Z, for End of File (EOF).
If a value that you supply contains spaces, use quotation marks around the
text (for example, "CN=DC 2,OU=Domain Controllers,DC=Microsoft,DC=Com").
dsadd computer /? - help for adding a computer to the directory.
dsadd contact /? - help for adding a contact to the directory.
dsadd group /? - help for adding a group to the directory.
dsadd ou /? - help for adding an organizational unit to the directory.
dsadd user /? - help for adding a user to the directory.
dsadd quota /? - help for adding a quota to the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsadd failed:The parameter is incorrect.
type dsadd /? for help.
DSGET
Description: This tool's commands display the selected properties
of a specific object in the directory. The dsget commands:
dsget_computer - displays properties of computers in the directory.
dsget_contact - displays properties of contacts in the directory.
dsget_subnet - displays properties of subnets in the directory.
dsget_group - displays properties of groups in the directory.
dsget_ou - displays properties of ou's in the directory.
dsget_server - displays properties of servers in the directory.
dsget_site - displays properties of sites in the directory.
dsget_user - displays properties of users in the directory.
dsget_quota - displays properties of quotas in the directory.
dsget_partition - displays properties of partitions in the directory.
To display an arbitrary set of attributes of any given object in the
directory use the dsquery * command (see examples below).
For help on a specific command, type "dsget <ObjectType> /?" where
<ObjectType> is one of the supported object types shown above.
For example, dsget ou /?.
Remarks:
The dsget commands help you to view the properties of a specific object in
the directory: the input to dsget is an object and the output is a list of
properties for that object. To find all objects that meet a given search
criterion, use the dsquery commands (dsquery /?).
The dsget commands support piping of input to allow you to pipe results from
the dsquery commands as input to the dsget commands and display detailed
information on the objects found by the dsquery commands.
Commas that are not used as separators in distinguished names must be
escaped with the backslash ("\") character
(for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com").
Backslashes used in distinguished names must be escaped with a backslash (for
example, "CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,
DC=com").
Examples:
To find all users with names starting with "John" and display their office
numbers:
dsquery user -name John* | dsget user -office
To display the sAMAccountName, userPrincipalName and department attributes of
the object whose DN is ou=Test,dc=microsoft,dc=com:
dsquery * ou=Test,dc=microsoft,dc=com -scope base -attr
sAMAccountName userPrincipalName department
To read all attributes of any object use the dsquery * command.
For example, to read all attributes of the object whose DN is
ou=Test,dc=microsoft,dc=com:
dsquery * ou=Test,dc=microsoft,dc=com -scope base -attr *
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget succeeded
dsget computer |
---|
displays properties of computers in the directory. |
Description: Displays the properties of a computer in the directory.
There are two variations of this command. The first variation
allows you to view the properties of multiple computers. The
second variation allows you to view the membership information
of a single computer.
Syntax: dsget computer <ComputerDN ...> [-dn] [-samid] [-sid] [-desc]
[-loc] [-disabled] [{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
[-part <PartitionDN> [-qlimit] [-qused]]
dsget computer <ComputerDN> [-memberof [-expand]]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
Parameters:
Value Description
<ComputerDN ...> Required/stdin. Distinguished names (DNs) of one
or more computers to view.
If the target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another
command to input of this command.
Compare with <ComputerDN> below.
-dn Displays the computer DN.
-samid Displays the computer SAM account name.
-sid Displays the computer Security ID (SID).
-desc Displays the computer description.
-loc Displays the computer location.
-disabled Displays if the computer account is
disabled (yes) or not (no).
<ComputerDN> Required. Distinguished name (DN) of the computer to
view.
-memberof Displays the groups of which the computer is a member.
-expand Displays the recursively expanded list of groups of
which the computer is a member. This option takes
the immediate group membership list of the computer
and then recursively expands each group in this list to
determine its group memberships and arrive at a
complete set of the groups.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *} Password for the user <UserName>. If * then prompt for
password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple target
objects are specified. Without this option, command
exits on first error.
-q Quiet mode: suppress all output to standard output.
-L Displays the entries in the search result set in a
list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
-part <PartitionDN> Connects to the directory partition with the
distinguished name of <PartitionDN>.
-qlimit Displays the effective quota of the computer within
the specified directory partition.
-qused Displays how much of its quota the computer has
used within the specified directory partition.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).
A quota specification determines the maximum number of directory objects a
given security principal can own in a specific directory partition.
The dsget commands help you view the properties of a
specific object in the directory: the input to dsget is an object
and the output is a list of properties for that object.
To find all objects that meet a given search criterion,
use the dsquery commands (dsquery /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=DC2,OU=Domain Controllers,DC=microsoft,
DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To find all computers in a given OU whose name starts with "tst" and show
their descriptions.
dsquery computer ou=Test,dc=microsoft,dc=com -name tst* |
dsget computer -desc
To show the list of groups, recursively expanded, to which a given computer
"MyDBServer" belongs:
dsget computer cn=MyDBServer,cn=computers,dc=microsoft,dc=com
-memberof -expand
To display the effective quota and quota used of a given computer
"MyDBServer" on a given partition "cn=domain1,dc=microsoft,dc=com", type:
dsget computer cn=MyDBServer,cn=computers,dc=microsoft,dc=com
-part cn=domain1,dc=microsoft,dc=com -qlimit -qused
See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.
dsget contact |
---|
displays properties of contacts in the directory. |
Description: Displays properties of a contact in the directory.
Syntax: dsget contact <ContactDN ...> [-dn] [-fn] [-mi] [-ln]
[-display] [-desc] [-office] [-tel] [-email] [-hometel]
[-pager] [-mobile] [-fax] [-iptel] [-title] [-dept]
[-company] [{-s <Server> | -d <Domain>}]
[-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l]
[{-uc | -uco | -uci}]
Parameters:
Value Description
<ContactDN ...> Required/stdin. Specifies Distinguished names (DNs)
of one or more contacts to view.
If the target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another
command to input of this command.
-dn Specifies the contact DN.
-fn Specifies the contact first name.
-mi Specifies the contact middle initial.
-ln Specifies the contact last name.
-display Specifies the contact display name.
-desc Specifies the contact description.
-office Specifies the contact office location.
-tel Specifies the contact telephone#.
-email Specifies the contact e-mail address.
-hometel Specifies the contact home phone#.
-pager Specifies the contact pager#.
-mobile Specifies the contact mobile#.
-fax Specifies the contact fax#.
-iptel Specifies the contact IP phone#.
-title Specifies the contact title.
-dept Specifies the contact department.
-company Specifies the contact company info.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *}
Password for the user <UserName>. If * then prompt for
password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple target
objects are specified. Without this option, command
exits on first error.
-q Quiet mode: suppress all output to standard output.
-L Displays the entries in the search result set in a
list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).
The dsget commands help you view the properties of a
specific object in the directory: the input to dsget is
an object and the output is a list of properties for that object.
To find all objects that meet a given search criterion,
use the dsquery commands (dsquery /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,OU=Contacts,DC=microsoft,
DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To display the description and phone numbers for contacts
"Jon Smith" and "Jona Jones".
dsget contact "CN=John Doe,OU=Contacts,DC=microsoft,DC=com"
"CN=Jane Doe,OU=Contacts,DC=microsoft,DC=com" -desc -tel
See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.
dsget subnet |
---|
displays properties of subnets in the directory. |
Description: Displays properties of a subnet defined
in the directory.
Syntax: dsget subnet <SubnetCN ...> [-dn] [-desc] [-loc] [-site]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
Parameters:
Value Description
<SubnetCN ...> Required/stdin. Common name (CN) of one
or more subnets to view. The format is
the subnet's RDN (see examples below).
-dn Displays the subnet distinguished name (DN).
If the target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another
command to input of this command.
-desc Displays the subnet description.
-loc Displays the subnet location.
-site Displays the site name associated with the subnet.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *}
Password for the user <UserName>. If * then prompt for
password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple target
objects are specified. Without this option, command
exits on first error.
-q Quiet mode: suppress all output to standard output.
-L Displays the entries in the search result set in a
list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).
The dsget commands help you view the properties of
a specific object in the directory: the input to dsget is
an object and the output is a list of properties for that object.
To find all objects that meet a given search criterion,
use the dsquery commands (dsquery /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "123.56.15.0/24,CN=Subnets,CN=Sites
,CN=Configuration,DC=My Domain,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of subnet common names).
Examples:
To show all relevant properties for the subnets "123.56.15.0/24" and
"123.56.16.0/24":
dsget subnet
"123.56.15.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=microsoft,DC=com"
"123.56.16.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=microsoft,DC=com"
See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.
dsget group |
---|
displays properties of groups in the directory. |
Description: Displays the various properties of a group including the
members of a group in the directory. There are two variations
of this command. The first variation allows you to view the
properties of multiple groups. The second variation allows you
to view the group membership information of a single group.
Syntax: dsget group <GroupDN ...> [-dn] [-samid] [-sid] [-desc] [-secgrp]
[-scope] [{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
[-part <PartitionDN> [-qlimit] [-qused]]
dsget group <GroupDN> [{-memberof | -members} [-expand]]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
Parameters:
Value Description
<GroupDN ...> Required/stdin. Distinguished names (DNs) of one
or more groups to view.
If the target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another command
to input of this command.
Compare with <GroupDN> below.
-dn Displays the group DN.
-samid Displays the group SAM account name.
-sid Displays the group Security ID.
-desc Displays the group description.
-secgrp Displays if the group is a security group or not.
-scope Displays the scope of the group - Local, Global
or Universal.
<GroupDN> Required. DN of group to view.
{-memberof | -members}
Displays the groups of the group
is a member (-memberof), or
displays the members of the group (-members).
-expand For -memberof, displays the recursively expanded
list of groups of which the group is a member.
This option takes the immediate group membership list
of the group and then recursively expands each group
in this list to determine its group memberships
and arrive at a complete set of the groups.
For -members, displays the recursively expanded list
of members of the group. This option takes the
immediate list of members of the group and
then recursively expands each group in this list
to determine its group memberships and arrive
at a complete set of its members.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *} Password for the user <UserName>. If * then prompt for
password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple target
objects are specified. Without this option, command
exits on first error.
-q Quiet mode: suppress all output to standard output.
-L Displays the entries in the search result set in a
list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
-part <PartitionDN> Connects to the directory partition with the
distinguished name of <PartitionDN>.
-qlimit Displays the effective quota of the group within
the specified directory partition.
-qused Displays how much of its quota the group has
used within the specified directory partition.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).
A quota specification determines the maximum number of directory objects a
given security principal can own in a specific directory partition.
The dsget commands help you view the properties of a specific
object in the directory: the input to dsget is an object
and the output is a list of properties for that object.
To find all objects that meet a given search criterion,
use the dsquery commands (dsquery /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=USA Sales,OU=Distribution Lists,
DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To find all groups in a given OU whose names start with "adm" and display
their descriptions.
dsquery group ou=Test,dc=microsoft,dc=com -name adm* |
dsget group -desc
To display the list of members, recursively expanded, of the group "Backup
Operators":
dsget group "CN=Backup Operators,ou=Test,dc=microsoft,dc=com" -members
-expand
To display the effective quota and quota used for a group on a specified
partition, type:
dsget group "CN=Backup Operators,OU=Test,DC=microsoft,DC=com"
-part "CN=domain1,dc=microsoft,dc=Com" -qlimit -qused
See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.
dsget ou |
---|
displays properties of ou's in the directory. |
Description: Displays properties of an organizational unit in the
directory.
Syntax: dsget ou <OrganizationalUnitDN ...> [-dn] [-desc]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
Parameters:
Value Description
<OrganizationalUnitDN ...>
Required/stdin. Distinguished names (DNs) of one
or more organizational units (OUs) to view.
If the target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another
command to input of this command.
-dn Displays the OU DN.
-desc Displays the OU description.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *} Password for the user <UserName>. If * then prompt for
password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple target
objects are specified. Without this option, command
exits on first error.
-q Quiet mode: suppress all output to standard output.
-L Displays the entries in the search result set in a
list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).
The dsget commands help you view the properties of a specific object in the
directory: the input to dsget is an object and the output is a list of
properties for that object.
To find all objects that meet a given search criterion, use the dsquery
commands (dsquery /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "OU=Domain Controllers,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To find all OU's in the current domain and display their descriptions.
dsquery ou domainroot | dsget ou -desc
See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.
dsget server |
---|
displays properties of servers in the directory. |
Description: This command displays the various properties of a domain
controller. There are three variations of this command. The
first variation displays the general properties of a
specified domain controller. The second variation displays
a list of the security principals who own the largest
number of directory objects on the specified domain
controller. The third variation displays the distinguished
names of the directory partitions on the specified
server.
Syntax: dsget server <ServerDN ...> [-dn] [-desc] [-dnsname]
[-site] [-isgc] [{-s <Server> | -d <Domain>}]
[-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l]
[{-uc | -uco | -uci}]
dsget server <ServerDN ...> [-topobjowner <Display>]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
dsget server <ServerDN ...> [-part]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
Parameters:
Value Description
<ServerDN ...> Required/stdin. Distinguished names (DNs) of one
or more servers to view.
If the target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another
command to input of this command.
-dn Displays the server's DN.
-desc Displays the server's description.
-dnsname Displays the server's Domain Name System (DNS) host name.
-site Displays the site to which this server belongs.
-isgc Displays whether or not the server is a
global catalog server.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *}
Password for the user <UserName>. If * then prompt for
password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple target
objects are specified. Without this option, command
exits on first error.
-q Quiet mode: suppress all output to standard output.
-L Displays the entries in the search result set in a
list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
-part Displays the distinguished names of the directory
partitions on the specified server.
-topobjowner <display>
Displays a sorted list of the security principals
(users, computers, security groups, and inetOrgPersons)
who own the largest number of directory objects across
all directory partitions on the server and the number
of directory objects they own. The number of accounts to
display in the list is specified by <display>. Enter
"0" to display all object owners. If <display> is not
specified, the number of principals listed defaults
to 10.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).
A quota specification determines the maximum number of directory objects a
given security principal can own in a specific directory partition.
The dsget commands help you view the properties of a
specific object in the directory: the input to dsget is
an object and the output is a list of properties for that object.
To find all objects that meet a given search criterion,
use the dsquery commands (dsquery /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=My Server,CN=Servers,CN=Site10,
CN=Sites,CN=Configuration,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated
by spaces (for example, a list of distinguished names).
If either -part or -topobjowner is specified, they override any other
specified parameters, so that only the results of the -part or -topobjowner
parameter are displayed.
Examples:
To find all domain controllers for domain corp.microsoft.com
and display their DNS host name and site name:
dsquery server -domain corp.microsoft.com |
dsget server -dnsname -site
To show if a domain controller with the name DC1 is also a
global catalog server:
dsget server cn=DC1,cn=Servers,cn=Site10,cn=Sites,cn=Configuration,
dc=microsoft,dc=com -isgc
To show the distinguished names of the directory partitions on a domain
controller with the name DC1, type:
dsget server cn=DC1,cn=Servers,cn=Site10,cn=Sites,cn=Configuration,
dc=microsoft,dc=com -part
To show the security principals that own the largest total number of
directory objects on the directory partitions of a domain controller with the
name DC1, and limiting the list to the top 5 owners, type:
dsget server cn=DC1,cn=Servers,cn=Site10,cn=Sites,cn=Configuration,
dc=microsoft,dc=com -topobjowner 5
See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.
dsget site |
---|
displays properties of sites in the directory. |
Description: Display properties of a site defined in the directory.
Syntax: dsget site <SiteCN ...> [-dn] [-desc] [-autotopology]
[-cachegroups] [-prefGCsite] [{-s <Server> | -d <Domain>}]
[-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l]
[{-uc | -uco | -uci}]
Parameters:
Value Description
<SiteCN ...> Required/stdin. Common name (CN) of one
or more sites to view.
If the target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another
command to input of this command.
-dn Specifies the site's distinguished name (DN).
-desc Specifies the site's description.
-autotopology Specifies if automatic inter-site topology generation
is enabled (yes) or disabled (no).
-cachegroups Specifies if caching of group membership is enabled
to support GC-less logon (yes) or disabled (no).
-prefGCsite Specifies the preferred GC site name if caching
of groups is enabled.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *}
Password for the user <UserName>. If * then prompt for
password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple target
objects are specified. Without this option, command
exits on first error.
-q Quiet mode: suppress all output to standard output.
-L Displays the entries in the search result set in a
list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).
The dsget commands help you view the properties of a
specific object in the directory: the input to dsget is
an object and the output is a list of properties for that object.
To find all objects that meet a given search criterion,
use the dsquery commands (dsquery /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To find all sites in the forest and display their descriptions.
dsquery site | dsget site -dn -desc
See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.
dsget user |
---|
displays properties of users in the directory. |
Description: Display the various properties of a user in the directory.
There are two variations of this command. The first variation
allows you to view the properties of multiple users. The second
variation allows you to view the group membership information
of a single user.
Syntax: dsget user <UserDN ...> [-dn] [-samid] [-sid] [-upn] [-fn] [-mi]
[-ln] [-display] [-empid] [-desc] [-office] [-tel] [-email]
[-hometel] [-pager] [-mobile] [-fax] [-iptel] [-webpg]
[-title] [-dept] [-company] [-mgr] [-hmdir] [-hmdrv]
[-profile] [-loscr] [-mustchpwd] [-canchpwd]
[-pwdneverexpires] [-disabled] [-acctexpires]
[-reversiblepwd] [-part <PartitionDN> [-qlimit] [-qused]]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
dsget user <UserDN> [-memberof [-expand]]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l]
[{-uc | -uco | -uci}]
Parameters:
Value Description
<UserDN ...> Required/stdin. Distinguished names (DNs) of one
or more users to view.
If the target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another command
to input of this command. Compare with <UserDN>
below.
-dn Shows the DN of the user.
-samid Shows the SAM account name of the user.
-sid Shows the user Security ID.
-upn Shows the user principal name of the user.
-fn Shows the first name of the user.
-mi Shows the middle initial of the user.
-ln Shows the last name of the user.
-display Shows the display name of the user.
-empid Shows the user employee ID.
-desc Shows the description of the user.
-office Shows the office location of the user.
-tel Shows the telephone number of the user.
-email Shows the e-mail address of the user.
-hometel Shows the home telephone number of the user.
-pager Shows the pager number of the user.
-mobile Shows the mobile phone number of the user.
-fax Shows the fax number of the user.
-iptel Shows the user IP phone number.
-webpg Shows the user web page URL.
-title Shows the title of the user.
-dept Shows the department of the user.
-company Shows the company info of the user.
-mgr Shows the user's manager.
-hmdir Shows the user home directory.
Displays the drive letter to which the
home directory of the user is mapped
(if the home directory path is a UNC path).
-hmdrv Shows the user's home drive letter
(if home directory is a UNC path).
-profile Shows the user's profile path.
-loscr Shows the user's logon script path.
-mustchpwd Shows if the user must change his/her password
at the time of next logon. Displays: yes or no.
-canchpwd Shows if the user can change his/her password.
Displays: yes or no.
-pwdneverexpires Shows if the user password never expires.
Displays: yes or no.
-disabled Shows if the user account is disabled
for logon or not. Displays: yes or no.
-acctexpires Shows when the user account expires.
Display values: a date when the account expires
or the string "never" if the account never expires.
-reversiblepwd Shows if the user password is allowed to be
stored using reversible encryption (yes or no).
<UserDN> Required. DN of group to view.
-memberof Displays the groups of which the user is a member.
-expand Displays a recursively expanded list of groups
of which the user is a member.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *} Password for the user <UserName>. If * then prompt
for password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple
target objects are specified. Without this option,
command exits on first error.
-q Quiet mode: suppress all output to standard output.
-L Displays the entries in the search result set in a
list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
-part <PartitionDN> Connect to the directory partition with the
distinguished name of <PartitionDN>.
-qlimit Displays the effective quota of the user within
the specified directory partition.
-qused Displays how much of the quota the user has
used within the specified directory partition.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).
A quota specification determines the maximum number of directory objects a
given security principal can own in a specific directory partition.
The dsget commands help you view the properties of a
specific object in the directory: the input to dsget is
an object and the output is a list of properties for that object.
To find all objects that meet a given search criterion,
use the dsquery commands (dsquery /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To find all users in a given OU whose names start with "jon" and display
their descriptions, type:
dsquery user ou=Test,dc=microsoft,dc=com -name jon* | dsget user -desc
To display the list of groups, recursively expanded, to which a given user
"Jon Smith" belongs, type:
dsget user "cn=Jon Smith,cn=users,dc=microsoft,dc=com" -memberof -expand
To display the effective quota and quota used for a given user
"Jon Smith" on a given partition "cn=domain,dc=microsoft,dc=com", type:
dsget user "cn=Jon Smith,cn=users,dc=microsoft,dc=com"
-part "cn=domain,dc=microsoft,dc=com" -qlimit -qused
See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.
dsget quota |
---|
displays properties of quotas in the directory. |
Description: Displays the properties of a quota specification. A quota
specification determines the maximum number of directory objects a given
security principal can own in a specific directory partition.
dsget quota <QuotaDN ...> [-dn] [-acct] [-qlimit] [{-s <Server> | -d <Domain>}]
[-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
<QuotaDN ...> Required. Specifies the distinguished names of the quota
objects to view. If values are omitted, they are
obtained through standard input (stdin) to support
piping of output from another command to input of this
command.
-dn Displays the distinguished names of the quota
specifications.
-acct Displays the the distinguished names of the accounts to
which the quotas are assigned.
-qlimit Displays the quota limits for the specified quotas.
An unlimited quota displays as "-1".
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *}
Password for the user <UserName>. If * then prompt for
password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple target
objects are specified. Without this option, command
exits on first error.
-q Quiet mode: suppress all output to standard output.
-L Displays the entries in the search result set in a
list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
/? Displays help at the command prompt.
If you do not supply a target object at the command prompt, the target object
is obtained from standard input (stdin). Stdin data can be accepted from the
keyboard, a redirected file, or as piped output from another command. To mark
the end of stdin data from the keyboard or in a redirected file, use
Control+Z, for End of File (EOF).
When none of the optional parameters is specified, the distinguished names of
the quota specification, the account to which the quota is assigned, and the
quota limit are all displayed.
Use the dsget command to view properties of a specific object in the
directory. To search for all objects that match a specific criterion, see
Dsquery *.
As a result of dsquery searches, you can pipe returned objects to dsget and
obtain object properties. See Examples.
If a value that you supply contains spaces, use quotation marks around the
text (for example, "CN=Mike Danseglio,CN=Users,DC=Microsoft,DC=Com").
If you supply multiple values for a parameter, use spaces to separate the
values (for example, a list of distinguished names).
To display the account to which the quota is assigned and the quota limit
for the quota specification "CN=quota1,dc=marketing,dc=northwindtraders,
dc=com", type:
dsget quota CN=quota1,dc=marketing,dc=northwindtraders,dc=com -acct -qlimit
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.
dsget partition |
---|
displays properties of partitions in the directory. |
Description: Displays the properties of a directory partition.
dsget partition ObjectDN ... [-dn] [-qdefault] [-qtmbstnwt]
[-topobjowner <Display>] [{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
Parameters
OBJECTDN Required. Specifies the distinguished names (DN) of the
partition objects to view. If values are omitted, they
are obtained through standard input (stdin) to support
piping of output from another command to input of this
command.
-dn Displays the distinguished names of the directory
partition objects.
-qdefault Displays the default quota that applies to any security
principal (user, group, computer or inetOrgPerson)
creating an object in the directory partition, if no
quota specification exists for the security principal.
-qtmbstnwt Displays the percent by which the tombstone object count
should be reduced when calculating quota usage.
-topobjowner <Display>
Specifies to generate a sorted list of the distinguished
names of the accounts owning the largest number of
objects in the specified directory partition, along
with the number of directory objects they own. The
number of accounts to display in the list is determined
by <display>. Enter "0" to display all object owners. If
<display> is not specified, the number of principals
listed defaults to 10.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *}
Password for the user <UserName>. If * then prompt for
password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple target
objects are specified. Without this option, command
exits on first error.
-q Quiet mode: suppress all output to standard output.
-L Displays the entries in the search result set in a
list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
/? Displays help at the command prompt.
If you do not supply a target object at the command prompt, the target object
is obtained from standard input (stdin). Stdin data can be accepted from the
keyboard, a redirected file, or as piped output from another command. To mark
the end of stdin data from the keyboard or in a redirected file, use
Control+Z, for End of File (EOF).
A quota specification determines the maximum number of directory objects a
given security principal can own in a specific directory partition.
When none of the optional parameters is specified, the distinguished name of
the directory partition object is displayed.
When -topobjowner is specified, it overrides any other specified parameters,
so that only the results of -topobjowner are displayed.
Use the dsget command to view properties of a specific object in the
directory. To search for all objects that match a specific criterion, see
Dsquery *.
As a result of dsquery searches, you can pipe returned objects to dsget and
obtain object properties. See Examples.
If a value that you supply contains spaces, use quotation marks around the
text (for example, "CN=Mike Danseglio,CN=Users,DC=Microsoft,DC=Com").
If you supply multiple values for a parameter, use spaces to separate the
values (for example, a list of distinguished names).
To display all directory partitions in the forest that
begin with "application", along with the top three directory object owners
on each partition, type:
dsquery server -forest -part application* |
dsget server -part |
dsget partition -topjobowner 3
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.
DSMOD
Description: This dsmod command modifies existing objects in the directory.
The dsmod commands include:
dsmod_computer - modifies an existing computer in the directory.
dsmod_contact - modifies an existing contact in the directory.
dsmod_group - modifies an existing group in the directory.
dsmod_ou - modifies an existing organizational unit in the directory.
dsmod_server - modifies an existing domain controller in the directory.
dsmod_user - modifies an existing user in the directory.
dsmod_quota - modifies an existing quota specification in the directory.
dsmod_partition - modifies an existing quota specification in the directory.
For help on a specific command, type "dsmod <ObjectType> /?" where
<ObjectType> is one of the supported object types shown above.
For example, dsmod ou /?.
Remarks:
The dsmod commands support piping of input to allow you to pipe results from
the dsquery commands as input to the dsmod commands and modify the objects
found by the dsquery commands.
Commas that are not used as separators in distinguished names must be
escaped with the backslash ("\") character
(for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com").
Backslashes used in distinguished names must be escaped with a backslash
(for example,
"CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,DC=com").
Examples:
To find all users in the organizational unit (OU)
"ou=Marketing,dc=microsoft,dc=com" and add them to the Marketing Staff group:
dsquery user -startnode "ou=Marketing,dc=microsoft,dc=com" |
dsmod group "cn=Marketing Staff,ou=Marketing,dc=microsoft,dc=com" -addmbr
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod computer |
---|
help for modifying an existing computer in the directory. |
Description: Modifies an existing computer in the directory.
Syntax: dsmod computer <ComputerDN ...> [-desc <Description>]
[-loc <Location>] [-disabled {yes | no}] [-reset]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<ComputerDN ...> Required/stdin. Distinguished names (DNs) of one
or more computers to modify.
If target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another command
to input of this command.
-desc <Description> Sets computer description to <Description>.
-loc <Location> Sets the location of the computer object to
<Location>.
-disabled {yes | no} Sets whether the computer account is disabled (yes)
or not (no).
-reset Resets computer account.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p <Password> Password for the user <UserName>. If * then prompt
for password.
-c Continuous operation mode. Reports errors but
continues with next object in argument list when
multiple target objects are specified.
Without this option, the command exits on first
error.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If a value that you supply contains spaces, use quotation marks
around the text
(for example, "CN=DC2,OU=Domain Controllers,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To disable multiple computer accounts:
dsmod computer CN=MemberServer1,CN=Computers,DC=microsoft,DC=com
CN=MemberServer2,CN=Computers,DC=microsoft,DC=com
-disabled yes
To reset multiple computer accounts:
dsmod computer CN=MemberServer1,CN=Computers,DC=microsoft,DC=com
CN=MemberServer2,CN=Computers,DC=microsoft,DC=com -reset
See also:
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod failed:The parameter is incorrect.
type dsmod /? for help.
dsmod contact |
---|
help for modifying an existing contact in the directory. |
Description: Modify an existing contact in the directory.
Syntax: dsmod contact <ContactDN ...> [-fn <FirstName>] [-mi <Initial>]
[-ln <LastName>] [-display <DisplayName>] [-desc <Description>]
[-office <Office>] [-tel <Phone#>] [-email <Email>]
[-hometel <HomePhone#>] [-pager <Pager#>] [-mobile <CellPhone#>]
[-fax <Fax#>] [-iptel <IPPhone#>] [-title <Title>]
[-dept <Department>] [-company <Company>]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<ContactDN ...> Required/stdin. Distinguished names (DNs)
of one or more contacts to modify.
If target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another
command to input of this command.
-fn <FirstName> Sets contact first name to <FirstName>.
-mi <Initial> Sets contact middle initial to <Initial>.
-ln <LastName> Sets contact last name to <LastName>.
-display <DisplayName> Sets contact display name to <DisplayName>.
-desc <Description> Sets contact description to <Description>.
-office <Office> Sets contact office location to <Office>.
-tel <Phone#> Sets contact telephone# to <Phone#>.
-email <Email> Sets contact e-mail address to <Email>.
-hometel <HomePhone#> Sets contact home phone# to <HomePhone#>.
-pager <Pager#> Sets contact pager# to <Pager#>.
-mobile <CellPhone#> Sets contact mobile# to <CellPhone#>.
-fax <Fax#> Sets contact fax# to <Fax#>.
-iptel <IPPhone#> Sets contact IP phone# to <IPPhone#>.
-title <Title> Sets contact title to <Title>.
-dept <Department> Sets contact department to <Department>.
-company <Company> Sets contact company info to <Company>.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p <Password> Password for the user <UserName>. If * then prompt
for password.
-c Continuous operation mode. Reports errors but
continues with next object in argument list when
multiple target objects are specified. Without
this option, the command exits on first error.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If a value that you supply contains spaces, use quotation marks
around the text (for example,
"CN=John Smith,OU=Contacts,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To set the company information of multiple contacts:
dsmod contact "CN=John Doe,OU=Contacts,DC=microsoft,DC=com"
"CN=Jane Doe,OU=Contacts,DC=microsoft,DC=com" -company microsoft
See also:
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod failed:The parameter is incorrect.
type dsmod /? for help.
dsmod group |
---|
help for modifying an existing group in the directory. |
Description: Modifies an existing group in the directory.
Syntax: dsmod group <GroupDN ...> [-samid <SAMName>]
[-desc <Description>] [-secgrp {yes | no}] [-scope {l | g | u}]
[{-addmbr | -rmmbr | -chmbr} <Member ...>]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<GroupDN ...> Required/stdin. Distinguished names (DNs) of
one or more groups to modify.
If target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another command
to input of this command.
If <GroupDN ...> and <Member ...> are used
together then only one parameter can
be taken from standard input, requiring that at
least one parameter be specified on the command line.
-samid <SAMName> Sets the SAM account name of group to <SAMName>.
-desc <Description> Sets group description to <Description>.
-secgrp {yes | no} Sets the group type to security (yes)
or non-security (no).
-scope {l | g | u} Sets the scope of group to local (l),
global (g), or universal (u).
{-addmbr | -rmmbr | -chmbr}
-addmbr adds members to the group.
-rmmbr removes members from the group.
-chmbr changes (replaces) the complete list of
members in the group.
<Member ...> Space-separated list of members to add to,
delete from, or replace in the group.
If target objects are omitted, they
will be taken from standard input (stdin)
to support piping of output from another command
to input of this command.
The list of members must follow the
-addmbr, -rmmbr, and -chmbr parameters.
If <GroupDN ...> and <Member ...> are used
together then only one parameter can
be taken from standard input, requiring that at
least one parameter be specified on the command line.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p <Password> Password for the user <UserName>. If * then prompt
for password.
-c Continuous operation mode. Reports errors but
continues
with next object in argument list when multiple
target objects are specified. Without this option,
the command exits on first error.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If a value that you supply contains spaces, use quotation marks
around the text
(for example, "CN=USA Sales,OU=Distribution Lists,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To add the user Mike Danseglio to all administrator
distribution list groups:
dsquery group "OU=Distribution Lists,DC=microsoft,DC=com" -name adm* |
dsmod group -addmbr "CN=Mike Danseglio,CN=Users,DC=microsoft,DC=com"
To add all members of the US Info group to the Cananda Info group:
dsget group "CN=US INFO,OU=Distribution Lists,DC=microsoft,DC=com" -members |
dsmod group "CN=CANADA INFO,OU=Distribution Lists,DC=microsoft,DC=com"
-addmbr
To convert the group type of several groups from "security" to
"non-security":
dsmod group "CN=US INFO,OU=Distribution Lists,DC=microsoft,DC=com"
"CN=CANADA INFO,OU=Distribution Lists,DC=microsoft,DC=com"
"CN=MEXICO INFO,OU=Distribution Lists,DC=microsoft,DC=com" -secgrp no
To add three new members to the US Info group:
dsmod group "CN=US INFO,OU=Distribution Lists,DC=microsoft,DC=com" -addmbr
"CN=John Smith,CN=Users,DC=microsoft,DC=com"
"CN=Datacenter,OU=Distribution Lists,DC=microsoft,DC=com"
"CN=Jane Smith,CN=Users,DC=microsoft,DC=com"
To add all users from the OU "Marketing" to the exisitng group
"Marketing Staff":
dsquery user ou=Marketing,dc=microsoft,dc=com | dsmod group
"cn=Marketing Staff,ou=Marketing,dc=microsoft,dc=com" -addmbr
To delete two members from the exisitng US Info group:
dsmod group "CN=US INFO,OU=Distribution Lists,DC=microsoft,DC=com" -rmmbr
"CN=John Smith,CN=Users,DC=microsoft,DC=com"
"CN=Datacenter,OU=Distribution Lists,DC=microsoft,DC=com"
See also:
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod failed:The parameter is incorrect.
type dsmod /? for help.
dsmod ou |
---|
help for modifying an existing ou in the directory. |
Description: Modifies an existing organizational unit in the
directory.
Syntax: dsmod ou <OrganizationalUnitDN ...> [-desc <Description>]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<OrganizationalUnitDN ...>
Required/stdin. Distinguished names (DNs)
of one or more organizational units (OUs) to modify.
If target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another command
to input of this command.
-desc <Description> Sets OU description to <Description>.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p <Password> Password for the user <UserName>. If * then prompt
for password.
-c Continuous operation mode. Reports errors but
continues with next object in argument list when
multiple target objects are specified.
Without this option, the command exits on first
error.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If a value that you supply contains spaces, use quotation marks
around the text (for example, "OU=Domain Controllers,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To change the description of several OUs at the same time:
dsmod ou "OU=Domain Controllers,DC=microsoft,DC=com"
"OU=Resources,DC=microsoft,DC=com"
"OU=troubleshooting,DC=microsoft,DC=com" -desc "This is a test OU"
See also:
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod failed:The parameter is incorrect.
type dsmod /? for help.
dsmod server |
---|
help for modifying an existing domain controller in the |
Description: Modifies properties of a domain controller.
Syntax: dsmod server <ServerDN ...> [-desc <Description>]
[-isgc {yes | no}] [{-s <Server> | -d <Domain>}]
[-u <UserName>] [-p {<Password> | *}] [-c] [-q]
[{-uc | -uco | -uci}]
Parameters:
Value Description
<ServerDN ...> Required/stdin. Distinguished names (DNs)
of one or more servers to modify.
If target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another
command to input of this command.
-desc <Description>
Sets server description to <Description>.
-isgc {yes | no} Sets whether this server to a global catalog server
(yes) or disables it (no).
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p <Password> Password for the user <UserName>.
If * is entered, then you are prompted for a password.
-c Continuous operation mode. Reports errors but
continues with next object in argument list
when multiple target objects are specified.
Without this option, the command exits on first error.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=My Server,CN=Servers,CN=Site10,
CN=Sites,CN=Configuration,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To enable the domain controllers CORPDC1 and CORPDC9 to become global catalog
servers:
dsmod server
"cn=CORPDC1,cn=Servers,cn=site1,cn=sites,cn=configuration,dc=microsoft,dc=com"
"cn=CORPDC9,cn=Servers,cn=site2,cn=sites,cn=configuration,dc=microsoft,dc=com"
-isgc yes
See also:
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod failed:The parameter is incorrect.
type dsmod /? for help.
dsmod user |
---|
help for modifying an existing user in the directory. |
Description: Modifies an existing user in the directory.
Syntax: dsmod user <UserDN ...> [-upn <UPN>] [-fn <FirstName>]
[-mi <Initial>] [-ln <LastName>] [-display <DisplayName>]
[-empid <EmployeeID>] [-pwd {<Password> | *}]
[-desc <Description>] [-office <Office>] [-tel <Phone#>]
[-email <Email>] [-hometel <HomePhone#>] [-pager <Pager#>]
[-mobile <CellPhone#>] [-fax <Fax#>] [-iptel <IPPhone#>]
[-webpg <WebPage>] [-title <Title>] [-dept <Department>]
[-company <Company>] [-mgr <Manager>] [-hmdir <HomeDir>]
[-hmdrv <DriveLtr>:] [-profile <ProfilePath>]
[-loscr <ScriptPath>] [-mustchpwd {yes | no}]
[-canchpwd {yes | no}] [-reversiblepwd {yes | no}]
[-pwdneverexpires {yes | no}]
[-acctexpires <NumDays>] [-disabled {yes | no}]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<UserDN ...> Required/stdin. Distinguished names (DNs)
of one or more users to modify.
If target objects are omitted they
will be taken from standard input (stdin)
to support piping of output from another command
to input of this command.
-upn <UPN> Sets the UPN value to <UPN>.
-fn <FirstName> Sets user first name to <FirstName>.
-mi <Initial> Sets user middle initial to <Initial>.
-ln <LastName> Sets user last name to <LastName>.
-display <DisplayName> Sets user display name to <DisplayName>.
-empid <EmployeeID> Sets user employee ID to <EmployeeID>.
-pwd {<Password> | *} Resets user password to <Password>. If *, then
you are prompted for a password.
-desc <Description> Sets user description to <Description>.
-office <Office> Sets user office location to <Office>.
-tel <Phone#> Sets user telephone# to <Phone#>.
-email <Email> Sets user e-mail address to <Email>.
-hometel <HomePhone#> Sets user home phone# to <HomePhone#>.
-pager <Pager#> Sets user pager# to <Pager#>.
-mobile <CellPhone#> Sets user mobile# to <CellPhone#>.
-fax <Fax#> Sets user fax# to <Fax#>.
-iptel <IPPhone#> Sets user IP phone# to <IPPhone#>.
-webpg <WebPage> Sets user web page URL to <WebPage>.
-title <Title> Sets user title to <Title>.
-dept <Department> Sets user department to <Department>.
-company <Company> Sets user company info to <Company>.
-mgr <Manager> Sets user's manager to <Manager>.
-hmdir <HomeDir> Sets user home directory to <HomeDir>. If this is
UNC path, then a drive letter to be mapped to
this path must also be specified through -hmdrv.
-hmdrv <DriveLtr>: Sets user home drive letter to <DriveLtr>:
-profile <ProfilePath> Sets user's profile path to <ProfilePath>.
-loscr <ScriptPath> Sets user's logon script path to <ScriptPath>.
-mustchpwd {yes | no} Sets whether the user must change his password (yes)
or not (no) at his next logon.
-canchpwd {yes | no} Sets whether the user can change his password (yes)
or not (no). This setting should be "yes"
if the -mustchpwd setting is "yes".
-reversiblepwd {yes | no}
Sets whether the user password should be stored using
reversible encryption (yes) or not (no).
-pwdneverexpires {yes | no}
Sets whether the user's password never expires (yes)
or not (no).
-acctexpires <NumDays> Sets user account to expire in <NumDays> days from
today. A value of 0 sets expiration at the end of
today.
A positive value sets expiration in the future.
A negative value sets expiration in the past.
A string value of "never" sets the account
to never expire.
-disabled {yes | no} Sets whether the user account is disabled (yes)
or not (no).
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p <Password> Password for the user <UserName>. If * then prompt
for password.
-c Continuous operation mode. Reports errors but
continues with next object in argument list
when multiple target objects are specified.
Without this option, the command exits on the
first error.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
The special token $username$ (case insensitive) may be used to place the
SAM account name in the value of -webpg, -profile, -hmdir, and
-email parameter.
For example, if the target user DN is
CN=Jane Doe,CN=users,CN=microsoft,CN=com and the SAM account name
attribute is "janed," the -hmdir parameter can have the following
substitution:
-hmdir \users\$username$\home
The value of the -hmdir parameter is modified to the following value:
- hmdir \users\janed\home
Examples:
To reset a user's password:
dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com"
-pwd A1b2C3d4 -mustchpwd yes
To reset multiple user passwords to a common password
and force them to change their passwords the next time they logon:
dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com"
"CN=Jane Doe,CN=Users,DC=microsoft,DC=com" -pwd A1b2C3d4 -mustchpwd yes
To disable multiple user accounts at the same time:
dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com"
"CN=Jane Doe,CN=Users,DC=microsoft,DC=com" -disabled yes
To modify the profile path of multiple users to a common path using the
$username$ token:
dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com"
"CN=Jane Doe,CN=Users,DC=microsoft,DC=com" -profile \users\$username$\profile
See also:
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod failed:The parameter is incorrect.
type dsmod /? for help.
dsmod quota |
---|
help for modifying an existing quota specification in the |
Modifies attributes of one or more existing quota specifications in the
directory. A quota specification determines the maximum number of directory
objects a given security principal can own in a specific directory partition.
dsmod quota <QuotaDN ...> [-qlimit <Value>]
[-desc <Description>] [{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
<QuotaDN ...> Specifies the distinguished names of one or more quota
specifications to modify. If values are omitted, they
are obtained through standard input (stdin) to support
piping of output from another command to input of this
command.
-qlimit <Value>
Specifies the number of objects within the
directory partition that can be owned by the security
principal to which the quota specification is assigned.
To specify an unlimited quota, use -1.
-desc <Description> Sets the description of the quota specification to
<Description>.
{-s <Server> | -d <Domain>}
Connects to a specified remote server or domain. By
default, the computer is connected to a domain
controller in the logon domain.
-u <UserName> Specifies the user name with which the user logs on to
a remote server. By default, -u uses the user name with
which the user logged on. You can use any of the
following formats to specify a user name:
user name (for example, Linda)
domain\user name (for example, widgets\Linda)
user principal name (UPN)
(for example, Linda@widgets.microsoft.com)
-p {<Password> | *} Specifies to use either a password or a * to log on to
a remote server. If you type *, you are prompted for a
password.
-c Specifies continuous operation mode. Errors are
reported, but the process continues with the next
object in the argument list when you specify multiple
target objects. If you do not use -c, the command quits
after the first error occurs.
-q Suppresses all output to standard output (quiet mode).
{-uc | -uco | -uci} Specifies that output or input data is formatted in
Unicode.
-uc Specifies a Unicode format for input from or
output to a pipe (|).
-uco Specifies a Unicode format for output to a
pipe (|) or a file.
-uci Specifies a Unicode format for input from a
pipe (|) or a file.
Dsmod quota only supports a subset of commonly used object class attributes.
If a value that you use contains spaces, use quotation marks around the text
(for example, "CN=DC2,OU=Domain Controllers,DC=Microsoft,DC=Com").
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod failed:The parameter is incorrect.
type dsmod /? for help.
dsmod partition |
---|
help for modifying an existing partition in the |
Modifies attributes of one or more existing partitions in the directory.
dsmod partition <PartitionDN...> [-qdefault <Value>]
[-qtmbstnwt <Percent>] [{-s <Server> | -d <Domain>}]
[-u <UserName>] [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
<PartitionDN...> Specifies the distinguished names of one or more
partition objects to modify. If values are omitted,
they are obtained through standard input (stdin) to
support piping of output from another command as
input of this command.
-qdefault <Value> Specifies that the default quota for the directory
partition be set to Value. The default quota will
apply to any security principal (user, group, computer,
or InetOrgPerson) who owns an object in the directory
partition and for whom more specific quota
specification exists. Enter -1 to specify an unlimited
quota.
-qtmbstawt <Percent> Sets the percentage by which tombstone object count
should be reduced when calculating quota usage. The
percentage is specified by <Percent> and must be
between 0 and 100. For example, a value of 25 means
that a tombstone object counts as 25, or 1/4, of a
normal object when calculating quota usage. If a user
were assigned a quota of 100, that user could own a
maximum of 100 normal objects or 400 tombstone objects
in Active Directory.
{-s <Server> | -d <Domain>}
Connects to a specified remote server or domain. By
default, the computer is connected to a domain
controller in the logon domain.
-u <UserName> Specifies the user name with which the user logs on to
a remote server. By default, -u uses the user name with
which the user logged on. You can use any of the
following formats to specify a user name:
user name (for example, Linda)
domain\user name (for example, widgets\Linda)
user principal name (UPN)
(for example, Linda@widgets.microsoft.com)
-p {<Password> | *} Specifies to use either a password or a * to log on to
a remote server. If you type *, you are prompted for a
password.
-c Specifies continuous operation mode. Errors are
reported, but the process continues with the next
object in the argument list when you specify multiple
target objects. If you do not use -c, the command quits
after the first error occurs.
-q Suppresses all output to standard output (quiet mode).
{-uc | -uco | -uci} Specifies that output or input data is formatted in
Unicode.
-uc Specifies a Unicode format for input from or
output to a pipe (|).
-uco Specifies a Unicode format for output to a
pipe (|) or a file.
-uci Specifies a Unicode format for input from a
pipe (|) or a file.
Dsmod quota only supports a subset of commonly used object class attributes.
If a value that you use contains spaces, use quotation marks around the text
(for example, "CN=DC2,OU=Domain Controllers,DC=Microsoft,DC=Com").
The default quota applies to any security principal (for example, user,
group, computer, or InetOrgPerson) that creates an object in the directory
partition when no quota specification exists that covers the security
principal.
The default quota for a given directory partition is an attribute
(ms-DS-Default-Quota) of a special container of class
ms-DS-Quota-Container, as specified by CN=NTDS
Quotas,DirectoryParitionRootDN.
The tombstone quota weight for a given directory partition (set with the
-qtmbstnwt option) is an attribute (ms-DS-Tombstone-Quota-Factor)
of a special container of class (ms-DS-Quota-Container), as
specified by CN=NTDS Quotas,NCRootDN.
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod failed:The parameter is incorrect.
type dsmod /? for help.
DSMOVE
Description: This command moves or renames an object within the directory.
Syntax: dsmove <ObjectDN>
[-newparent <ParentDN>]
[-newname <NewName>]
[{-s <Server> | -d <Domain>}]
[-u <UserName>]
[-p {<Password> | *}]
[-q]
[{-uc | -uco | -uci}]
Parameters:
Value Description
<ObjectDN> Required/stdin. Distinguished name (DN)
of object to move or rename.
If this parameter is omitted it
will be taken from standard input (stdin).
-newparent <ParentDN> DN of the new parent location to which object
should be moved.
-newname <NewName> New relative distinguished name (RDN) value
to which object should be renamed.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p <Password> Password for the user <UserName>.
If * is used, then the command prompts for a
password.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Commas that are not used as separators in distinguished names must be
escaped with the backslash ("\") character
(for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com").
Backslashes used in distinguished names must be escaped with a backslash
(for example,
"CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,DC=com").
Examples:
The user object for the user Jane Doe can be renamed to Jane Jones
with the following command:
dsmove "cn=Jane Doe,ou=sales,dc=microsoft,dc=com" -newname "Jane Jones"
The same user can be moved from the Sales organization to the Marketing
organization with the following command:
dsmove "cn=Jane Doe,ou=sales,dc=microsoft,dc=com"
-newparent ou=Marketing,dc=microsoft,dc=com
The rename and move operations for the user can be combined with the
following command:
dsmove "cn=Jane Doe,ou=sales,dc=microsoft,dc=com"
-newparent ou=Marketing,dc=microsoft,dc=com -newname "Jane Jones"
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
DSQUERY
Description: This tool's commands suite allow you to query the directory
according to specified criteria. Each of the following dsquery commands finds
objects of a specific object type, with the exception of dsquery *, which can
query for any type of object:
dsquery_computer - finds computers in the directory.
dsquery_contact - finds contacts in the directory.
dsquery_subnet - finds subnets in the directory.
dsquery_group - finds groups in the directory.
dsquery_ou - finds organizational units in the directory.
dsquery_site - finds sites in the directory.
dsquery_server - finds domain controllers in the directory.
dsquery_user - finds users in the directory.
dsquery_quota - finds quota specifications in the directory.
dsquery_partition - finds partitions in the directory.
dsquery * - finds any object in the directory by using a generic LDAP query.
For help on a specific command, type "dsquery <ObjectType> /?" where
<ObjectType> is one of the supported object types shown above.
For example, dsquery ou /?.
Remarks:
The dsquery commands help you find objects in the directory that match
a specified search criterion: the input to dsquery is a search criterion
and the output is a list of objects matching the search. To get the
properties of a specific object, use the dsget commands (dsget /?).
The results from a dsquery command can be piped as input to one of the other
directory service command-line tools, such as dsmod, dsget, dsrm or dsmove.
Commas that are not used as separators in distinguished names must be
escaped with the backslash ("\") character
(for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com"). Backslashes
used in distinguished names must be escaped with a backslash (for example,
"CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,DC=com").
Examples:
To find all computers that have been inactive for the last four weeks and
remove them from the directory:
dsquery computer -inactive 4 | dsrm
To find all users in the organizational unit
"ou=Marketing,dc=microsoft,dc=com" and add them to the Marketing Staff group:
dsquery user ou=Marketing,dc=microsoft,dc=com | dsmod group
"cn=Marketing Staff,ou=Marketing,dc=microsoft,dc=com" -addmbr
To find all users with names starting with "John" and display his office
number:
dsquery user -name John* | dsget user -office
To display an arbitrary set of attributes of any given object in the
directory use the dsquery * command. For example, to display the
sAMAccountName, userPrincipalName and department attributes of the object
whose DN is ou=Test,dc=microsoft,dc=com:
dsquery * ou=Test,dc=microsoft,dc=com -scope base
-attr sAMAccountName userPrincipalName department
To read all attributes of the object whose DN is ou=Test,dc=microsoft,dc=com:
dsquery * ou=Test,dc=microsoft,dc=com -scope base -attr *
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery computer |
---|
help for finding computers in the directory. |
Description: Finds computers in the directory matching specified
search criteria.
Syntax: dsquery computer [{<StartNode> | forestroot | domainroot}]
[-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}]
[-name <Name>] [-desc <Description>] [-samid <SAMName>]
[-inactive <NumWeeks>] [-stalepwd <NumDays>] [-disabled]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [-r] [-gc]
[-limit <NumObjects>] [{-uc | -uco | -uci}]
Parameters:
Value Description
{<StartNode> | forestroot | domainroot}
The node where the search will start:
forest root, domain root, or a node
whose DN is <StartNode>.
Can be "forestroot", "domainroot"
or an object DN.
If "forestroot" is specified, the search is done
via the global catalog. Default: domainroot.
-o {dn | rdn | samid} Specifies the output format.
Default: distinguished name (DN).
-scope {subtree | onelevel | base}
Specifies the scope of the search:
subtree rooted at start node (subtree);
immediate children of start node only (onelevel);
the base object represented by start node (base).
Note that subtree and domain scope
are essentially the same for any start node
unless the start node represents a domain root.
If forestroot is specified as <StartNode>,
subtree is the only valid scope.
Default: subtree.
-name <Name> Finds computers whose name matches the value
given by <Name>, e.g., "jon*" or "*ith"
or "j*th".
-desc <Description> Finds computers whose description matches
the value given by <Description>,
e.g., "jon*" or "*ith" or "j*th".
-samid <SAMName> Finds computers whose SAM account name
matches the filter given by <SAMName>.
-inactive <NumWeeks> Finds computers that have been inactive (stale)
for at least <NumWeeks> number of weeks.
-stalepwd <NumDays> Finds computers that have not changed their
password for at least <NumDays> number of days.
-disabled Finds computers with disabled accounts.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller
(DC) with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in
user. User name can be: user name,
domain\user name, or user principal name (UPN).
-p <Password> Password for the user <UserName>.
If * then prompt for password.
-q Quiet mode: suppress all output to
standard output.
-r Recurse or follow referrals during search.
Default: do not chase referrals during search.
-gc Search in the Active Directory global catalog.
-limit <NumObjects> Specifies the number of objects matching the
given criteria to be returned, where <NumObjects>
is the number of objects to be returned.
If the value of <NumObjects> is 0, all
matching objects are returned.
If this parameter is not specified, by default
the first 100 results are displayed.
{-uc | -uco | -uci} -uc Specifies that input from or output
to pipe is formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
The dsquery commands help you find objects in the directory that match
a specified search criterion: the input to dsquery is a search criteria
and the output is a list of objects matching the search. To get the
properties of a specific object, use the dsget commands (dsget /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To find all computers in the current domain whose name starts with "ms"
and whose description starts with "desktop", and display their DNs:
dsquery computer domainroot -name ms* -desc desktop*
To find all computers in the organizational unit (OU) given
by ou=sales,dc=micrsoft,dc=com and display their DNs:
dsquery computer ou=sales,dc=microsoft,dc=com
See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using a
generic LDAP query.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.
dsquery contact |
---|
help for finding contacts in the directory. |
Description: Finds contacts per given criteria.
Syntax: dsquery contact [{<StartNode> | forestroot | domainroot}]
[-o {dn | rdn}] [-scope {subtree | onelevel | base}]
[-name <Name>] [-desc <Description>]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [-r] [-gc]
[-limit <NumObjects>] [{-uc | -uco | -uci}]
Parameters
Value Description
{<StartNode> | forestroot | domainroot}
The node where the search will start:
forest root, domain root, or a node
whose DN is <StartNode>.
Can be "forestroot", "domainroot" or an object DN.
If "forestroot" is specified, the search is done
via the global catalog. Default: domainroot.
-o {dn | rdn} Specifies the output format.
Default: distinguished name (DN).
-scope {subtree | onelevel | base}
Specifies the scope of the search:
subtree rooted at start node (subtree);
immediate children of start node only (onelevel);
the base object represented by start node (base).
Note that subtree and domain scope
are essentially the same for any start node
unless the start node represents a domain root.
If forestroot is specified as <StartNode>,
subtree is the only valid scope.
Default: subtree.
-name <Name> Finds all contacts whose name matches the filter
given by <Name>, e.g., "jon*" or *ith" or "j*th".
-desc <Description> Finds contacts with descriptions matching the
value given by <Description>, e.g., "corp*" or *branch"
or "j*th".
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in
user. User name can be: user name,
domain\user name, or user principal name (UPN).
-p <Password> Password for the user <UserName>. If * then prompt for
password.
-q Quiet mode: suppress all output to standard output.
-r Recurse or follow referrals during search. Default: do
not chase referrals during search.
-gc Search in the Active Directory global catalog.
-limit <NumObjects>
Specifies the number of objects matching the given
criteria to be returned,
where <NumObjects> is the number of objects
to be returned. If the value of <NumObjects> is 0, all
matching objects are returned. If this parameter is not
specified, by default the first 100 results are
displayed.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
The dsquery commands help you find objects in the directory that match
a specified search criterion: the input to dsquery is a search criteria
and the output is a list of objects matching the search. To get the
properties of a specific object, use the dsget commands (dsget /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using a
generic LDAP query.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.
dsquery subnet |
---|
help for finding subnets in the directory. |
Description: Finds subnets in the directory per given criteria.
Syntax: dsquery subnet [-o {dn | rdn}] [-name <Name>]
[-desc <Description>] [-loc <Location>] [-site <SiteName>]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [-r] [-gc]
[-limit <NumObjects>] [{-uc | -uco | -uci}]
Parameters:
Value Description
-o {dn | rdn} Specifies the output format.
Default: distinguished name (DN).
-name <Name> Find subnets whose name matches the value given
by <Name>, e.g., "10.23.*" or "12.2.*".
-desc <Description> Find subnets whose description matches the value
given by <Description>, e.g., "corp*" or "*nch"
or "j*th".
-loc <Location> Find subnets whose location matches the value
given by <Location>.
-site <SiteName> Find subnets that are part of site <SiteName>.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in
user. User name can be: user name,
domain\user name, or user principal name (UPN).
-p <Password> Password for the user <UserName>. If * then prompt for
password.
-q Quiet mode: suppress all output to standard output.
-r Recurse or follow referrals during search. Default: do
not chase referrals during search.
-gc Search in the Active Directory global catalog.
-limit <NumObjects> Specifies the number of objects matching the given
criteria to be returned, where <NumObjects>
is the number of objects to be returned.
If the value of <NumObjects> is 0,
all matching objects are returned.
If this parameter is not specified,
by default the first 100 results are displayed.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
The dsquery commands help you find objects in the directory that match
a specified search criterion: the input to dsquery is a search criteria
and the output is a list of objects matching the search. To get the
properties of a specific object, use the dsget commands (dsget /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To find all subnets with the network IP address starting with 123.12:
dsquery subnet -name 123.12.*
To find all subnets in the site whose name is "Latin-America",
and display their names as Relative Distinguished Names (RDNs):
dsquery subnet -o rdn -site Latin-America
To list the names (RDNs) of all subnets defined in the directory:
dsquery subnet -o rdn
dsquery failed:The parameter is incorrect.
type dsquery /? for help.
dsquery group |
---|
help for finding groups in the directory. |
Description: Finds groups in the directory per given criteria.
Syntax: dsquery group [{<StartNode> | forestroot | domainroot}]
[-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}]
[-name <Name>] [-desc <Description>] [-samid <SAMName>]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [-r] [-gc]
[-limit <NumObjects>] [{-uc | -uco | -uci}]
Parameters:
Value Description
{<StartNode> | forestroot | domainroot}
The node where the search will start:
forest root, domain root, or a node
whose DN is <StartNode>.
Can be "forestroot", "domainroot" or an
object DN. If "forestroot" is specified,
the search is done via the global catalog.
Default: domainroot.
-o {dn | rdn | samid} Specifies the output format.
Default: distinguished name (DN).
-scope {subtree | onelevel | base}
Specifies the scope of the search:
subtree rooted at start node (subtree);
immediate children of start node only (onelevel);
the base object represented by start node (base).
Note that subtree and domain scope
are essentially the same for any start node
unless the start node represents a domain root.
If forestroot is specified as <StartNode>,
subtree is the only valid scope.
Default: subtree.
-name <Name> Find groups whose name matches the value given
by <Name>, e.g., "jon*" or "*ith"
or "j*th".
-desc <Description> Find groups whose description matches the value
given by <Description>, e.g., "jon*" or "*ith"
or "j*th".
-samid <SAMName> Find groups whose SAM account name matches the
value given by <SAMName>.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller
(DC) with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in
user. User name can be: user name,
domain\user name, or user principal name (UPN).
-p <Password> Password for the user <UserName>.
If * is specified, then you are prompted for
a password.
-q Quiet mode: suppress all output to
standard output.
-r Recurse or follow referrals during search.
Default: do not chase referrals during search.
-gc Search in the Active Directory global catalog.
-limit <NumObjects> Specifies the number of objects matching the
given criteria to be returned, where <NumObjects>
is the number of objects to be returned.
If the value of <NumObjects> is 0,
all matching objects are returned.
If this parameter is not specified,
by default the first 100 results are displayed.
{-uc | -uco | -uci} -uc Specifies that input from or output
to pipe is formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
The dsquery commands help you find objects in the directory that match
a specified search criterion: the input to dsquery is a search criteria
and the output is a list of objects matching the search. To get the
properties of a specific object, use the dsget commands (dsget /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To find all groups in the current domain whose name starts
with "ms" and whose description starts with "admin",
and display their DNs:
dsquery group domainroot -name ms* -desc admin*
Find all groups in the domain given by dc=microsoft,dc=com
and display their DNs:
dsquery group dc=microsoft,dc=com
See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using a
generic LDAP query.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.
dsquery ou |
---|
help for finding organizational units in the directory. |
Description: Finds organizational units (OUs) in the directory according to
specified criteria.
Syntax: dsquery ou [{<StartNode> | forestroot | domainroot}]
[-o {dn | rdn}] [-scope {subtree | onelevel | base}]
[-name <Name>] [-desc <Description>]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [-r] [-gc]
[-limit <NumObjects>] [{-uc | -uco | -uci}]
Parameters:
Value Description
{<StartNode> | forestroot | domainroot}
The node where the search will start:
forest root, domain root, or a node
whose DN is <StartNode>.
Can be "forestroot", "domainroot" or an object DN.
If "forestroot" is specified, the search is done
via the global catalog. Default: domainroot.
-o {dn | rdn} Specifies the output format.
Default: distinguished name (DN).
-scope {subtree | onelevel | base}
Specifies the scope of the search:
subtree rooted at start node (subtree);
immediate children of start node only (onelevel);
the base object represented by start node (base).
Note that subtree and domain scope
are essentially the same for any start node
unless the start node represents a domain root.
If forestroot is specified as <StartNode>,
subtree is the only valid scope.
Default: subtree.
-name <Name> Find organizational units (OUs) whose name
matches the value given by <Name>,
e.g., "jon*" or "*ith" or "j*th".
-desc <Description> Find OUs whose description matches the value
given by <Description>, e.g., "jon*" or "*ith"
or "j*th".
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in
user. User name can be: user name,
domain\user name, or user principal name (UPN).
-p <Password> Password for the user <UserName>.
If * then prompt for password.
-q Quiet mode: suppress all output to standard output.
-r Recurse or follow referrals during search.
Default: do not chase referrals during search.
-gc Search in the Active Directory global catalog.
-limit <NumObjects> Specifies the number of objects matching
the given criteria to be returned, where
<NumObjects> is the number of objects
to be returned.
If the value of <NumObjects> is 0, all
matching objects are returned.
If this parameter is not specified,
by default the first 100 results are displayed.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
The dsquery commands help you find objects in the directory that match
a specified search criterion: the input to dsquery is a search criteria
and the output is a list of objects matching the search. To get the
properties of a specific object, use the dsget commands (dsget /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To find all OUs in the current domain whose name starts with "ms"
and whose description starts with "sales", and display their DNs:
dsquery ou domainroot -name ms* -desc sales*
To find all OUs in the domain given by dc=microsoft,dc=com and display their
DNs:
dsquery ou dc=microsoft,dc=com
See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using a
generic LDAP query.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.
dsquery site |
---|
help for finding sites in the directory. |
Description: Finds sites in the directory per given criteria.
Syntax: dsquery site [-o {dn | rdn}] [-name <Name>]
[-desc <Description>] [{-s <Server> | -d <Domain>}]
[-u <UserName>] [-p {<Password> | *}] [-q]
[-r] [-gc] [-limit <NumObjects>] [{-uc | -uco | -uci}]
Parameters:
Value Description
-o {dn | rdn} Specifies the output format.
Default: distinguished name (DN).
-name <Name> Finds subnets whose name matches the value given
by <Name>, e.g., "NA*" or "Europe*".
-desc <Description> Finds subnets whose description matches the filter
given by <Description>, e.g., "corp*" or "*nch"
or "j*th".
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in
user. User name can be: user name,
domain\user name, or user principal name (UPN).
-p <Password> Password for the user <UserName>. If * then prompt for
password.
-q Quiet mode: suppress all output to standard output.
-r Recurse or follow referrals during search. Default: do
not chase referrals during search.
-gc Search in the Active Directory global catalog.
-limit <NumObjects> Specifies the number of objects matching the given
criteria to be returned, where <NumObjects>
is the number of objects to be returned.
If the value of <NumObjects> is 0,
all matching objects are returned.
If this parameter is not specified,
by default the first 100 results are displayed.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
The dsquery commands help you find objects in the directory that match
a specified search criterion: the input to dsquery is a search criteria
and the output is a list of objects matching the search. To get the
properties of a specific object, use the dsget commands (dsget /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To find all sites in North America with name starting with "north"
and display their DNs:
dsquery site -name north*
To list the distinguished names (RDNs) of all sites defined in the directory:
dsquery site -o rdn
See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using a
generic LDAP query.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.
dsquery server |
---|
help for finding servers in the directory. |
Description: Finds domain controllers according to specified search criteria.
Syntax: dsquery server [-o {dn | rdn}] [-forest]
[-domain <DomainName>] [-site <SiteName>]
[-name <Name>] [-desc <Description>]
[-hasfsmo {schema | name | infr | pdc | rid}] [-isgc]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [-r] [-gc]
[-limit <NumObjects>] [{-uc | -uco | -uci}]
Parameters:
Value Description
-o {dn | rdn} Specifies output format.
Default: distinguished name (DN).
-forest Finds all domain controllers (DCs) in the current
forest.
-domain <DomainName> Finds all DCs in the domain with a DNS name
matching <DomainName>.
-site <SiteName> Finds all DCs that are part of site <SiteName>.
-name <Name> Finds DCs with names matching the value given
by <Name>, e.g., "NA*" or "Europe*" or "j*th".
-desc <Description> Finds DCs with descriptions matching the value
given by <Description>, e.g., "corp*" or "j*th".
-hasfsmo {schema | name | infr | pdc | rid}
Finds the DC that holds the specified
Flexible Single-master Operation (FSMO) role.
(For the "infr," "pdc" and "rid" FSMO roles,
if no domain is specified with the -domain
parameter, the current domain is used.)
-isgc Find all DCs that are also global
catalog servers (GCs) in the scope specified
(if the -forest, -domain or -site parameters
are not specified, then find all GCs in the current
domain are used).
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC)
with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in
user. User name can be: user name,
domain\user name, or user principal name (UPN).
-p <Password> Password for the user <UserName>.
If * then prompt for password.
-q Quiet mode: suppress all output to standard output.
-r Recurse or follow referrals during search.
Default: do not chase referrals during search.
-gc Search in the Active Directory global catalog.
-limit <NumObjects> Specifies the number of objects matching the given
criteria to be returned, where <NumObjects> is the
number of objects to be returned. If the value of
<NumObjects> is 0, all matching objects are returned.
If this parameter is not specified,
by default the first 100 results are displayed.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
The dsquery commands help you find objects in the directory that match
a specified search criterion: the input to dsquery is a search criteria
and the output is a list of objects matching the search. To get the
properties of a specific object, use the dsget commands (dsget /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To find all DCs in the current domain:
dsquery server
To find all DCs in the forest and display their
Relative Distinguished Names:
dsquery server -o rdn -forest
To find all DCs in the site whose name is "Latin-America", and display their
Relative Distinguished Names:
dsquery server -o rdn -site Latin-America
Find the DC in the forest that holds the schema FSMO role:
dsquery server -forest -hasfsmo schema
Find all DCs in the domain example.microsoft.com that are
global catalog servers:
dsquery server -domain example.microsoft.com -isgc
Find all DCs in the current domain that hold a copy of a given directory
partition called "ApplicationSales":
dsquery server -part "Application*"
See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using a
generic LDAP query.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.
dsquery user |
---|
help for finding users in the directory. |
Description: Finds users in the directory per given criteria.
Syntax: dsquery user [{<StartNode> | forestroot | domainroot}]
[-o {dn | rdn | upn | samid}]
[-scope {subtree | onelevel | base}]
[-name <Name>] [-desc <Description>] [-upn <UPN>]
[-samid <SAMName>] [-inactive <NumWeeks>] [-stalepwd <NumDays>]
[-disabled] [{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumObjects>]
[{-uc | -uco | -uci}]
Parameters:
Value Description
{<StartNode> | forestroot | domainroot}
The node where the search will start:
forest root, domain root, or a node
whose DN is <StartNode>.
Can be "forestroot", "domainroot" or an
object DN. If "forestroot" is specified,
the search is done via the global catalog.
Default: domainroot.
-o {dn | rdn | upn | samid}
Specifies the output format.
Default: distinguished name (DN).
-scope {subtree | onelevel | base}
Specifies the scope of the search:
subtree rooted at start node (subtree);
immediate children of start node only (onelevel);
the base object represented by start node (base).
Note that subtree and domain scope
are essentially the same for any start node
unless the start node represents a domain root.
If forestroot is specified as <StartNode>,
subtree is the only valid scope.
Default: subtree.
-name <Name> Finds users whose name matches the filter
given by <Name>, e.g., "jon*" or "*ith"
or "j*th".
-desc <Description> Finds users whose description matches the
filter given by <Description>, e.g., "jon*" or
"*ith" or "j*th".
-upn <UPN> Finds users whose UPN matches the filter given
by <UPN>.
-samid <SAMName> Finds users whose SAM account name matches the
filter given by <SAMName>.
-inactive <NumWeeks> Finds users that have been inactive
(not logged on) for at least <NumWeeks>
number of weeks.
-stalepwd <NumDays> Finds users that have not changed their password
for at least <NumDays> number of days.
-disabled Finds users whose account is disabled.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller
(DC) with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in
user. User name can be: user name,
domain\user name, or user principal name (UPN).
-p <Password> Password for the user <UserName>.
If * is specified, then you are prompted
for a password.
-q Quiet mode: suppress all output to
standard output.
-r Recurse or follow referrals during search.
Default: do not chase referrals during search.
-gc Search in the Active Directory global catalog.
-limit <NumObjects> Specifies the number of objects matching the
given criteria to be returned, where <NumObjects>
is the number of objects to be returned.
If the value of <NumObjects> is 0, all
matching objects are returned. If this parameter
is not specified, by default the first
100 results are displayed.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe
is formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
The dsquery commands help you find objects in the directory that match
a specified search criterion: the input to dsquery is a search criteria
and the output is a list of objects matching the search. To get the
properties of a specific object, use the dsget commands (dsget /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To find all users in a given organizational unit (OU)
whose name starts with "jon" and whose account has been disabled
for logon and display their user principal names (UPNs):
dsquery user ou=Test,dc=microsoft,dc=com -o upn -name jon* -disabled
To find all users in only the current domain, whose names end with "smith"
and who have been inactive for 3 weeks or more, and display their DNs:
dsquery user domainroot -name *smith -inactive 3
To find all users in the OU given by ou=sales,dc=microsoft,dc=com and display
their UPNs:
dsquery user ou=sales,dc=microsoft,dc=com -o upn
See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using a
generic LDAP query.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.
dsquery quota |
---|
help for finding quotas in the directory. |
Quota specifications in the directory that match the specified search
criteria. A quota specification determines the maximum number of directory objects a
given security principal can own in a specific directory partition. If the
predefined search criteria in this command is insufficient, then use the more
general version of the query command, dsquery *.
dsquery quota startnode {domain root | <ObjectDN>} [-o {dn | rdn}]
[-acct <Name>] [-qlimit <Filter>] [-desc <Description>]
[{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [-r]
[-limit <NumberOfObjects>] [{-uc | -uco | -uci}]
startnode {domain root | <ObjectDN>}
Required. Specifies where the search should begin.
Use ObjectDN to specify the distinguished name (also
known as DN), or use domainroot to specify the root
of the current domain.
-o {dn | rdn} Specifies the output format. The default format is
distinguished name (dn).
-acct <Name> Finds the quota specifications assigned to the
security principal (user, group, computer, or
InetOrgPerson) as represented by Name. The -acct
option can be provided in the form of the
distinguished name of the security principal or the
Domain\SAMAccountName of the security principal.
-qlimit <Filter> Finds the quota specifications whose limit matches
Filter.
-desc <Description> Searches for quota specifications that have a
description attribute that matches Description
(for example, "jon*" or "*ith" or "j*th").
{-s <Server> | -d <Domain>}
Connects to a specified remote server or domain. By
default, the computer is connected to a domain
controller in the logon domain.
-u <UserName> Specifies the user name with which the user logs on
to a remote server. By default, -u uses the user name
with which the user logged on. You can use any of the
following formats to specify a user name:
user name (for example, Linda)
domain\user name (for example, widgets\Linda)
user principal name (UPN)
(for example, Linda@widgets.microsoft.com)
-p {<Password> | *} Specifies to use either a password or a * to log on
to a remote server. If you type *, you are prompted
for a password.
-q Suppresses all output to standard output (quiet
mode).
-r Specifies that the search use recursion or follow
referrals during search. By default, the search does
not follow referrals.
-limit <NumberOfObjects>
Specifies the number of objects that match the given
criteria to be returned. If the value of
NumberOfObjects is 0, all matching objects are
returned. If this parameter is not specified, the
first 100 results are displayed by default.
{-uc | -uco | -uci} Specifies that output or input data is formatted in
Unicode, as follows:
-uc Specifies a Unicode format for input from or
output to a pipe (|).
-uco Specifies a Unicode format for output to a
pipe (|) or a file.
-uci Specifies a Unicode format for input from a
pipe (|) or a file.
The results from a dsquery search can be piped as input to one of the other
directory service command-line tools, such as dsget, dsmod, dsmove, dsrm, or
to an additional dsquery search.
If a value that you use contains spaces, use quotation marks around the text
(for example, "CN=Linda,CN=Users,DC=Microsoft,DC=Com").
If you use multiple values for a parameter, use spaces to separate the values
(for example, a list of distinguished names).
If you do not specify any search filter options (that is, -forest, -domain,
-site, -name, -desc, -hasfsmo, -isgc), the default search criterion is to
find all servers in the current domain, as represented by an appropriate LDAP
search filter.
When you specify values for Description, you can use the wildcard
character (*) (for example, "NA*," "*BR," and "NA*BA").
Any value for Filter that you specify with qlimit is read as a string.
You must always use quotation marks around this parameter. Any value ranges
you specify using <=, =, or >= must also be inside quotation marks
(for example, -qlimit "=100", -qlimit "<=99", -qlimit ">=101").
To find quotas with no limit, use "-1". To find all quotas not equal
to unlimited, use ">=-1".
To list all of the quota specifications in the current domain, type:
type:
dsquery quota domainroot
To list all users whose name begins with "Jon" that have quotas
assigned to them, type:
dsquery user -name jon* | dsquery quota domainroot -acct |
dsget quota -acct
See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using a
generic LDAP query.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.
dsquery partition |
---|
help for finding partitions in the directory. |
Finds partition objects in the directory that match the specified search
criteria. If the predefined search criteria in this command is
insufficient, then use the more general version of the query command,
dsquery *.
dsquery partition [-o {dn | rdn}] [-part <Filter>] [-desc <Description>]
[{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}]
[-q] [-r] [-limit <NumberOfObjects>] [{-uc | -uco | -uci}]
-o {dn | rdn} Specifies the output format. The default format is
distinguished name (dn).
-part <Filter> Finds partition specifications whose common name (CN)
matches the filter given by Filter.
{-s <Server> | -d <Domain>}
Connects to a specified remote server or domain. By
default, the computer is connected to a domain
controller in the logon domain.
-u <UserName> Specifies the user name with which the user logs on
to a remote server. By default, -u uses the user name
with which the user logged on. You can use any of the
following formats to specify a user name:
user name (for example, Linda)
domain\user name (for example, widgets\Linda)
user principal name (UPN)
(for example, Linda@widgets.microsoft.com)
-p {<Password> | *} Specifies to use either a password or a * to log on
to a remote server. If you type *, you are prompted
for a password.
-q Suppresses all output to standard output (quiet
mode).
-r Specifies that the search use recursion or follow
referrals during search. By default, the search does
not follow referrals.
-limit <NumberOfObjects>
Specifies the number of objects that match the given
criteria to be returned. If the value of
NumberOfObjects is 0, all matching objects are
returned. If this parameter is not specified, the
first 100 results are displayed by default.
{-uc | -uco | -uci} Specifies that output or input data is formatted in
Unicode, as follows:
-uc Specifies a Unicode format for input from or
output to a pipe (|).
-uco Specifies a Unicode format for output to a
pipe (|) or a file.
-uci Specifies a Unicode format for input from a
pipe (|) or a file.
The results from a dsquery search can be piped as input to one of the other
directory service command-line tools, such as dsget, dsmod, dsmove, dsrm, or
to an additional dsquery search.
If a value that you use contains spaces, use quotation marks around the text
(for example, "CN=Linda,CN=Users,DC=Microsoft,DC=Com").
If you use multiple values for a parameter, use spaces to separate the values
(for example, a list of distinguished names).
If you do not specify any search filter options (that is, -forest, -domain,
-site, -name, -desc, -hasfsmo, -isgc), the default search criterion is to
find all servers in the current domain, as represented by an appropriate LDAP
search filter.
When you specify values for Description, you can use the wildcard character
(*) (for example, "NA*," "*BR," and "NA*BA").
To list the DNs of all directory partitions in the forest, type:
dsquery partition
To list the DNs of all directory partitions in the forest whose common names
start with SQL, type:
dsquery partition -part SQL*
See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using a
generic LDAP query.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.
dsquery * |
---|
help for finding any object in the directory by using a generic LDAP query. |
Description: Finds any objects in the directory according to criteria.
Syntax: dsquery * [{<StartNode> | forestroot | domainroot}]
[-scope {subtree | onelevel | base}] [-filter <LDAPFilter>]
[-attr {<AttrList> | *}] [-attrsonly] [-l]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [-r] [-gc]
[{-uc | -uco | -uci}]
Parameters:
Value Description
{<StartNode> | forestroot | domainroot}
The node where the search will start:
forest root, domain root, or a node
whose DN is <StartNode>.
Can be "forestroot", "domainroot" or an object
DN.
If "forestroot" is specified, the search is done
via the global catalog. Default: domainroot.
-scope {subtree | onelevel | base}
Specifies the scope of the search:
subtree rooted at start node (subtree);
immediate children of start node only (onelevel);
the base object represented by start node (base).
Note that subtree and domain scope
are essentially the same for any start node
unless the start node represents a domain root.
If forestroot is specified as <StartNode>,
subtree is the only valid scope.
Default: subtree.
-filter <LDAPFilter> Specifies that the search use the explicit
LDAP search filter <LDAPFilter> specified in the
LDAP search filter format for searching.
Default:(objectCategory=*).The search filter
string must be enclosed in double quotes.
-attr {<AttrList> | *} If <AttrList>, specifies a space-separated list
of LDAP display names to be returned for
each entry in the result set.
If *, specifies all attributes present on
the objects in the result set.
Default: distinguishedName.
-attrsonly Shows only the attribute types present on
the entries in the result set but not
their values.
Default: shows both attribute type and value.
-l Shows the entries in the search result set
in a list format. Default: table format.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller
(DC) with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in
user. User name can be: user name,
domain\user name, or user principal name (UPN).
-p <Password> Password for the user <UserName>. If * then you
are prompted for a password.
-q Quiet mode: suppress all output to standard
output.
-r Recurse or follow referrals during search.
Default: do not chase referrals during search.
-gc Search in the Active Directory global catalog.
-limit <NumObjects> Specifies the number of objects matching the
given criteria to be returned, where <NumObjects>
is the number of objects to be returned.
If the value of <NumObjects> is 0, all matching
objects are returned. If this parameter is not
specified, by default the first 100 results are
displayed.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe
is formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
The dsquery commands help you find objects in the directory that match
a specified search criterion: the input to dsquery is a search criteria
and the output is a list of objects matching the search. To get the
properties of a specific object, use the dsget commands (dsget /?).
A user-entered value containing spaces or semicolons must be enclosed in
quotes (""). Multiple user-entered values must be separated using commas
(for example, a list of attribute types).
Examples:
To find all users in the current domain only whose SAM account name begins
with the string "jon" and display their SAM account name,
User Principal Name (UPN) and department in table format:
dsquery * domainroot
-filter "(&(objectCategory=Person)(objectClass=User)(sAMAccountName=jon*))"
-attr sAMAccountName userPrincipalName department
To read the sAMAccountName, userPrincipalName and department attributes of
the object whose DN is ou=Test,dc=microsoft,dc=com:
Dsquery * ou=Test,dc=microsoft,dc=com -scope base
-attr sAMAccountName userPrincipalName department
To read all attributes of the object whose DN is ou=Test,dc=microsoft,dc=com:
Dsquery * ou=Test,dc=microsoft,dc=com -scope base -attr *
See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using
a generic LDAP query.
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.
DSRM
Description: This command deletes objects from the directory.
Syntax: dsrm <ObjectDN ...> [-noprompt] [-subtree [-exclude]]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
Parameters:
Value Description
<ObjectDN ...> Required/stdin. List of one or more
distinguished names (DNs) of objects to delete.
If this parameter is omitted it is
taken from standard input (stdin).
-noprompt Silent mode: do not prompt for delete confirmation.
-subtree [-exclude] Delete object and all objects in the subtree under it.
-exclude excludes the object itself
when deleting its subtree.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller (DC) with
name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in user.
User name can be: user name, domain\user name,
or user principal name (UPN).
-p {<Password> | *}
Password for the user <UserName>. If * is used,
then the command prompts you for the password.
-c Continuous operation mode: report errors but continue
with next object in argument list when multiple
target objects are specified.
Without this option, command exits on first error.
-q Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Commas that are not used as separators in distinguished names must be
escaped with the backslash ("\") character
(for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com").
Backslashes used in distinguished names must be escaped with a backslash
(for example,
"CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,DC=com").
Examples:
To remove an organizational unit (OU) called "Marketing" and all the objects
under that OU, use the following command:
dsrm -subtree -noprompt -c ou=Marketing,dc=microsoft,dc=com
To remove all objects under the OU called "Marketing" but leave
the OU intact, use the following command with the -exclude parameter:
dsrm -subtree -exclude -noprompt -c "ou=Marketing,dc=microsoft,dc=com"
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.