
Dsmod user


Applies To: Windows Server 2008, Windows Server 2012, Windows 8

Modifies attributes of one or more existing users in the directory.

Dsmod is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use dsmod, you must run the dsmod command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.


Syntax

dsmod user <UserDN> ... [-upn <UPN>] [-fn <FirstName>] [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>] [-empid <EmployeeID>] [-pwd {<Password> | *}] [-desc <Description>] [-office <Office>] [-tel <PhoneNumber>] [-email <E-mailAddress>] [-hometel <HomePhoneNumber>] [-pager <PagerNumber>] [-mobile <CellPhoneNumber>] [-fax <FaxNumber>] [-iptel <IPPhoneNumber>] [-webpg <WebPage>] [-title <Title>] [-dept <Department>] [-company <Company>] [-mgr <Manager>] [-hmdir <HomeDirectory>] [-hmdrv <DriveLetter>:] [-profile <ProfilePath>] [-loscr <ScriptPath>] [-mustchpwd {yes | no}] [-canchpwd {yes | no}] [-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}] [-acctexpires <NumberOfDays>] [-disabled {yes | no}] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]





Parameters

<UserDN>

Required. Specifies the distinguished names of the users that you want to modify. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command.

-upn <UPN>

Specifies the user principal names (UPNs) of the users that you want to modify, for example,

-fn <FirstName>

Specifies the first names of the user objects you want to modify.

-mi <Initial>

Specifies the middle initials of the user objects you want to modify.

-ln <LastName>

Specifies the last names of the user objects you want to modify.

-display <DisplayName>

Specifies the display names of the user objects you want to modify.

-empid <EmployeeID>

Specifies the employee IDs of the user objects you want to modify.

-pwd {<Password> | *}

Resets the passwords for the users that you want to modify as Password or an asterisk (*). If you type *, AD DS prompts you for a user password.

-desc <Description>

Specifies the descriptions of the user objects you want to modify.

-office <Office>

Specifies the office locations of the user objects you want to modify.

-tel <PhoneNumber>

Specifies the telephone numbers of the user objects you want to modify.

-email <E-mailAddress>

Specifies the e-mail addresses of the user objects you want to modify.

-hometel <HomePhoneNumber>

Specifies the home telephone numbers of the user objects you want to modify.

-pager <PagerNumber>

Specifies the pager numbers of the user objects you want to modify.

-mobile <CellPhoneNumber>

Specifies the cell numbers of the user objects you want to modify.

-fax <FaxNumber>

Specifies the fax numbers of the user objects you want to modify.

-iptel <IPPhoneNumber>

Specifies the IP phone numbers of the user objects you want to modify.

-webpg <WebPage>

Specifies the Web page URLs of the user objects you want to modify.

-title <Title>

Specifies the titles of the user objects you want to modify.

-dept <Department>

Specifies the departments of the user objects you want to modify.

-company <Company>

Specifies the company information of the user objects you want to modify.

-mgr <Manager>

Specifies the distinguished names of the managers of the user objects you want to modify.

You can only use the distinguished name format to specify the manager.

-hmdir <HomeDirectory>

Specifies the home directory locations of the user objects you want to modify. If HomeDirectory is given as a UNC name, you must specify a mapped drive to this path by using the -hmdrv parameter.

-hmdrv <DriveLetter>:

Specifies the home directory drive letters (for example, E:) of the user objects you want to modify.

-profile <ProfilePath>

Specifies the profile paths of the user objects you want to modify.

-loscr <ScriptPath>

Specifies the logon script paths of the user objects you want to modify.

-mustchpwd {yes | no}

Specifies whether users must change their passwords when they next log on. The available values are yes and no. Yes indicates that users must change their passwords and no indicates that they do not have to change their passwords.

-canchpwd {yes | no}

Specifies whether users can change their passwords. The available values are yes and no. Yes indicates that users can change their passwords and no indicates that they cannot change their passwords. The value of this parameter must be yes if the value of the -mustchpwd parameter is yes.

-reversiblepwd {yes | no}

Specifies whether AD DS stores user passwords by using reversible encryption. The available values are yes and no. Yes indicates that AD DS stores user passwords by using reversible encryption and no indicates that AD DS does not store user passwords by using reversible encryption.

-pwdneverexpires {yes | no}

Specifies whether user passwords never expire. The available values are yes and no. Yes indicates that user passwords never expire and no indicates that user passwords do expire.

-acctexpires <NumberOfDays>

Specifies the number of days from today that the user accounts expire. A value of 0 sets expiration at the end of today. A positive value sets expiration in the future. A negative value sets expiration in the past. The value of never sets the account to never expire. For example, a value of 0 specifies that the account expires at the end of today. A value of -5 specifies that the account expires 5 days in the past. A value of 5 specifies that the account expires 5 days in the future.

-disabled {yes | no}

Specifies whether AD DS disables user accounts for logon. The available values are yes and no. Yes indicates that AD DS disables user accounts for logon and no indicates that AD DS does not disable user accounts for logon.

{-s <Server> | -d <Domain>}

Connects a computer to a remote server or domain that you specify. By default, dsmod connects the computer to the domain controller in the logon domain.

-u <UserName>

Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:

  • user name (for example, Linda)

  • domain\user name (for example, widgets\Linda)

  • user principal name (UPN) (for example,

-p {<Password> | *}

Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsmod prompts you for a password.


-c

Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not supply this parameter, dsmod exits when the first error occurs.


-q

Suppresses all output to standard output (quiet mode).

{-uc | -uco | -uci}

Specifies that output or input data is formatted in Unicode. The following list explains each format.

  • -uc: Specifies a Unicode format for input from or output to a pipe (|).

  • -uco: Specifies a Unicode format for output to a pipe (|) or a file.

  • -uci: Specifies a Unicode format for input from a pipe (|) or a file.


/?

Displays help at the command prompt.


Remarks

  • If a value that you supply contains spaces, use quotation marks around the text, for example, "CN=Mike Danseglio,CN=Users,DC=Contoso,DC=Com".

  • If you supply multiple values for a parameter, use spaces to separate the values, for example, a list of distinguished names.

  • You can use the token $username$ (case insensitive) to replace the Security Accounts Manager (SAM) account name in the value of the -webpg, -profile, -hmdir, and -email parameters. For example, if a SAM account name is Denise, you can use either of the following formats for the -hmdir location parameter:

    -hmdir \users\Denise\home

    -hmdir \users\$username$\home

  • This command supports only a subset of commonly used object class attributes.

  • Dsmod does not support the addition of security principals in one forest to groups that are located in another forest when a forest trust joins both forests. You can use Active Directory Users and Computers to add security principals across a forest trust.


Examples

To reset the password for Don Funk and force him to change his password when he next logs on to the network, type:

dsmod user "CN=Don Funk,CN=Users,DC=Contoso,DC=Com" -pwd A1b2C3d4 -mustchpwd yes 

To reset multiple user passwords to a common password and force users to change their passwords when they next log on to the network, type:

dsmod user "CN=Don Funk,CN=Users,DC=Contoso,DC=Com" "CN=Denise Smith,CN=Users,DC=Contoso,DC=Com" -pwd A1b2C3d4 -mustchpwd yes 

To disable multiple user accounts at the same time, type:

dsmod user "CN=Don Funk,CN=Users,DC=Contoso,DC=Com" "CN=Denise Smith,CN=Users,DC=Contoso,DC=Com" -disabled yes 

To modify the profile path of multiple users to a common path using the $username$ token, type:

dsmod user "CN=Don Funk,CN=Users,DC=Contoso,DC=Com" "CN=Denise Smith,CN=Users,DC=Contoso,DC=Com" -profile \users\$username$\profile
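
A check that a reviewer could run over scripts or recorded command lines to catch the risky uses of the parameters above: a literal -pwd or -p value (which stays readable wherever the command line is stored, whereas * prompts instead), -reversiblepwd yes, -pwdneverexpires yes, -acctexpires never, and the invalid -mustchpwd yes with -canchpwd no pair. This is an added Python example, not part of the original documentation; the function names and finding texts are illustrative assumptions.

```python
import re

# Added example: parse_switches() and review() are illustrative names, not part of dsmod.
SWITCH = re.compile(r"-[a-z]+")
SECRET_SWITCHES = ("-pwd", "-p")  # per the syntax above, the value is a password or *
RISKY_VALUES = {  # switch/value pairs from the parameter list that weaken an account
    ("-reversiblepwd", "yes"): "password stored with reversible encryption",
    ("-pwdneverexpires", "yes"): "password never expires",
    ("-acctexpires", "never"): "account never expires",
}

def parse_switches(cmdline):
    """Return {switch: value} for a 'dsmod user' command line, else None."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    low = [t.lower() for t in tokens]
    if len(low) < 2 or low[1] != "user" or not re.fullmatch(r"(.*\\)?dsmod(\.exe)?", low[0]):
        return None
    opts, i = {}, 2
    while i < len(tokens):
        name = low[i]
        nxt = low[i + 1] if i + 1 < len(low) else None
        if SWITCH.fullmatch(name):
            # "-5" is a value, "-q" is a switch; a secret switch always consumes the next token
            has_value = nxt is not None and (name in SECRET_SWITCHES or not SWITCH.fullmatch(nxt))
            opts[name] = tokens[i + 1] if has_value else None
            i += 1 if has_value else 0
        i += 1  # anything else is a target DN
    return opts

def review(cmdline):
    """List findings for one command line; never echoes the secret itself."""
    opts = parse_switches(cmdline)
    if opts is None:
        return []
    value = lambda sw: (opts.get(sw) or "").lower()
    findings = [f"{sw}: password typed on the command line; use * to be prompted"
                for sw in SECRET_SWITCHES if opts.get(sw) not in (None, "*")]
    findings += [f"{sw} {bad}: {why}" for (sw, bad), why in RISKY_VALUES.items() if value(sw) == bad]
    if value("-mustchpwd") == "yes" and value("-canchpwd") == "no":
        findings.append("-canchpwd must be yes when -mustchpwd is yes")
    return findings

# Constructed sample input; the first line is the page's own reset example.
SAMPLES = [
    'dsmod user "CN=Don Funk,CN=Users,DC=Contoso,DC=Com" -pwd A1b2C3d4 -mustchpwd yes',
    'dsmod user "CN=Denise Smith,CN=Users,DC=Contoso,DC=Com" -pwd * -mustchpwd yes -canchpwd no -reversiblepwd yes',
    'dsmod user "CN=Don Funk,CN=Users,DC=Contoso,DC=Com" -acctexpires -5 -disabled yes -q',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(review(line))
```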

Additional references

Command-Line Syntax Key


Dsmod computer

Dsmod contact

Dsmod group

Dsmod ou

Dsmod server

Dsmod quota

Dsmod partition