Dsmod group
Applies To: Windows Server 2008
Modifies attributes of one or more existing groups in the directory.
Dsmod is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use dsmod, you must run the dsmod command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
For examples of how to use this command, see Examples.
Syntax
dsmod group <GroupDN> ... [-samid <SAMName>] [-desc <Description>] [-secgrp {yes | no}] [-scope {l | g | u}] [{-addmbr | -rmmbr | -chmbr} <MemberDN> ...] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
Parameters
Parameter | Description |
---|---|
<GroupDN> |
Required. Specifies the distinguished names of the groups you want to modify. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command. If you use GroupDN and MemberDN together, then only one parameter can be taken from standard input, and you must specify at least one parameter at the command line. |
-samid <SAMName> |
Specifies the Security Account Manager (SAM) account names of the groups that you want to modify. |
-desc <Description> |
Specifies the descriptions of the groups that you want to modify. |
-secgrp {yes | no} |
Sets the group types to security group (yes) or distribution group (no). |
-scope {l | g | u} |
Sets the scope of the groups that you want to modify to local, global, or universal. If the domain is in mixed mode, then AD DS does not support universal scope. Also, it is not possible to convert a domain local group to a global group, or vice versa. |
{-addmbr | -rmmbr | -chmbr} <MemberDN> |
Specifies to add members to, remove them from, or replace them in a group. MemberDN specifies the members that the operation affects. You can specify only one of these parameters in any command invocation. MemberDN specifies the distinguished names of one or more members for AD DS to add to, delete from, or replace in the group that GroupDN specifies. You must give each member a distinguished name, for example, CN=Mike Danseglio,OU=Users,DC=Contoso,DC=Com. The list of members must follow the -addmbr, -rmmbr, and -chmbr parameters. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command. If you use GroupDN and MemberDN together, then dsmod takes only one parameter from stdin, which requires you to specify at least one parameter at the command prompt. |
{-s <Server> | -d <Domain>} |
Connects a computer to a remote server or domain that you specify. By default, dsmod connects the computer to the domain controller in the logon domain. |
-u <UserName> |
Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:
|
-p {<Password> | *} |
Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsmod prompts you for a password. |
-c |
Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not supply this parameter, dsmod exits when the first error occurs. |
-q |
Suppresses all output to standard output (quiet mode). |
{-uc | -uco | -uci} |
Specifies that dsmod formats output or input data in Unicode. The following list explains each format.
|
/? |
Displays help at the command prompt. |
Remarks
If a value that you supply contains spaces, use quotation marks around the text, for example, "CN=USA Sales,OU=DistributionLists,DC=Contoso,DC=Com".
If you supply multiple values for a parameter, use spaces to separate the values, for example, a list of distinguished names.
Dsmod does not support the addition of security principals in one forest to groups that are located in another forest when a forest trust joins both forests. You can use Active Directory Users and Computers to add security principals across a forest trust.
Examples
To add the user Mike Danseglio to all administrator distribution list groups, type:
dsquery group "OU=Distribution Lists,DC=contoso,DC=com" -name adm* | dsmod group -addmbr "CN=Mike Danseglio,CN=Users,DC=contoso,DC=com"
To add all members of the US Info group to the Canada Info group, type:
dsget group "CN=US INFO,OU=Distribution Lists,DC=contoso,DC=com" -members | dsmod group "CN=CANADA INFO,OU=Distribution Lists,DC= contoso,DC=com" -addmbr
To convert the group type of several groups from security to nonsecurity, type:
dsmod group "CN=US Info,OU=Distribution Lists,DC=Contoso,DC=Com" "CN=Canada Info,OU=Distribution Lists,DC=Contoso,DC=Com" "CN=Mexico Info,OU=Distribution Lists,DC=Contoso,DC=Com" -secgrp no
To add two new members to the group "CN=US Info,OU=Distribution Lists,DC=Contoso,DC=Com", type:
dsmod group "CN=US Info,OU=Distribution Lists,DC=Contoso,DC=Com" -addmbr "CN=Mike Danseglio,CN=Users,DC=Contoso,DC=Com" "CN=Legal,OU=Distribution Lists,DC=Contoso,DC=Com" "CN=Denise Smith,CN=Users,DC=Contoso,DC=Com"
To add all users from the Marketing organizational unit (OU) to the existing group Marketing Staff, type:
dsquery user OU=Marketing,DC=Contoso,DC=Com | dsmod group "CN=Marketing Staff,OU=Marketing,DC=Contoso,DC=Com" -addmbr
To remove users in the Marketing organizational unit (OU) from the existing group Marketing Staff, type:
dsquery user OU=Marketing,DC=Contoso,DC=Com | dsmod group "CN=Marketing Staff,OU=Marketing,DC=Contoso,DC=Com" -rmmbr
To delete two members from the existing group "CN=US Info,OU=Distribution Lists,DC=Contoso,DC=Com", type:
dsmod group "CN=US Info,OU=Distribution Lists,DC=Contoso,DC=Com" -rmmbr "CN=Mike Danseglio,CN=Users,DC=Contoso,DC=Com" "CN=Legal,OU=Distribution Lists,DC=Contoso,DC=Com"