Rob van der Woude's Scripting Pages

Help for

Directory Service command line tools

Windows XP SP 2

Microsoft Windows XP [Version 5.1.2600]

 

DSADD   This tool's commands add specific types of objects to the directory
DSGET   This tool's commands display the selected properties of a specific object in the directory
DSMOD   This dsmod command modifies existing objects in the directory
DSMOVE   This command moves or renames an object within the directory
DSQUERY   This tool's commands suite allow you to query the directory according to specified criteria
DSRM   This command deletes objects from the directory

 

Back to the top of this page

 

 

DSADD

Description:  This tool's commands add specific types of objects to the
directory. The dsadd commands:

dsadd_computer - adds a computer to the directory.
dsadd_contact - adds a contact to the directory.
dsadd_group - adds a group to the directory.
dsadd_ou - adds an organizational unit to the directory.
dsadd_user - adds a user to the directory.
dsadd_quota - adds a quota specification to a directory partition.

For help on a specific command, type "dsadd <ObjectType> /?" where
<ObjectType> is one of the supported object types shown above.
For example, dsadd ou /?.
Remarks:
Commas that are not used as separators in distinguished names must be
escaped with the backslash ("\") character
(for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com").
Backslashes used in distinguished names must be escaped with a backslash
(for example,
"CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,DC=com").
Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.

 

dsadd computer
help for adding a computer to the directory.
Description: Adds a computer to the directory.
Syntax:  dsadd computer <ComputerDN> [-samid <SAMName>] [-desc <Description>]
        [-loc <Location>] [-memberof <Group ...>]
        [{-s <Server> | -d <Domain>}] [-u <UserName>]
        [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]
Parameters:

Value                   Description
<ComputerDN>            Required. Specifies the distinguished name (DN) of 
                        the computer you want to add.
			If the target object is omitted, it will be taken
			from standard input (stdin).
-samid <SAMName>        Sets the computer SAM account name to <SAMName>.
                        If this parameter is not specified, then a 
                        SAM account name is derived from the value of 
                        the common name (CN) attribute used in <ComputerDN>.
-desc <Description>     Sets the computer description to <Description>.
-loc <Location>         Sets the computer location to <Location>.
-memberof <Group ...>   Makes the computer a member of one or more groups 
                        given by the space-separated list of DNs <Group ...>.
{-s <Server> | -d <Domain>}
                        -s <Server> connects to the domain controller (DC)
                        with name <Server>.
                        -d <Domain> connects to a DC in domain <Domain>.
                        Default: a DC in the logon domain.
-u <UserName>           Connect as <UserName>. Default: the logged in user.
                        User name can be: user name, domain\user name,
                        or user principal name (UPN).
-p {<Password> | *}
                        Password for the user <UserName>. If * is entered
                        then you are prompted for a password.
-q                      Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci}	-uc Specifies that input from or output to pipe is
			formatted in Unicode. 
			-uco Specifies that output to pipe or file is 
			formatted in Unicode. 
			-uci Specifies that input from pipe or file is
			formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be
accepted from the keyboard, a redirected file, or as piped output from
another command. To mark the end of stdin data from the keyboard or
in a redirected file, use Control+Z, for End of File (EOF).

If a value that you supply contains spaces, use quotation marks 
around the text (for example,
"CN=DC2,OU=Domain Controllers,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of computer distinguished names). 
See also:
dsadd computer /? - help for adding a computer to the directory.
dsadd contact /? - help for adding a contact to the directory.
dsadd group /? - help for adding a group to the directory.
dsadd ou /? - help for adding an organizational unit to the directory.
dsadd user /? - help for adding a user to the directory.
dsadd quota /? - help for adding a quota to the directory.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsadd failed:The parameter is incorrect.
type dsadd /? for help.

 

Back to DSADD

 

dsadd contact
help for adding a contact to the directory.
Description:  Adds a contact to the directory.
Syntax:  dsadd contact <ContactDN> [-fn <FirstName>] [-mi <Initial>]
        [-ln <LastName>] [-display <DisplayName>] [-desc <Description>]
        [-office <Office>] [-tel <Phone#>] [-email <Email>]
        [-hometel <HomePhone#>] [-pager <Pager#>] [-mobile <CellPhone#>]
        [-fax <Fax#>] [-iptel <IPPhone#>] [-title <Title>]
        [-dept <Department>] [-company <Company>]
        [{-s <Server> | -d <Domain>}] [-u <UserName>]
        [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]
Parameters:

Value                   Description
<ContactDN>             Required. Distinguished name (DN) of contact to add.
			If the target object is omitted, it will be taken
			from standard input (stdin).
-fn <FirstName>         Sets contact first name to <FirstName>.
-mi <Initial>           Sets contact middle initial to <Initial>.
-ln <LastName>          Sets contact last name to <LastName>.
-display <DisplayName>  Sets contact display name to <DisplayName>.
-desc <Description>     Sets contact description to <Description>.
-office <Office>        Sets contact office location to <Office>.
-tel <Phone#>           Sets contact telephone# to <Phone#>.
-email <Email>          Sets contact e-mail address to <Email>.
-hometel <HomePhone#>   Sets contact home phone# to <HomePhone#>.
-pager <Pager#>         Sets contact pager# to <Pager#>.
-mobile <CellPhone#>    Sets contact mobile# to <CellPhone#>.
-fax <Fax#>             Sets contact fax# to <Fax#>.
-iptel <IPPhone#>       Sets contact IP phone# to <IPPhone#>.
-title <Title>          Sets contact title to <Title>.
-dept <Department>      Sets contact department to <Department>.
-company <Company>      Sets contact company info to <Company>.
{-s <Server> | -d <Domain>}
                        -s <Server> connects to the domain controller (DC)
                        with name <Server>.
                        -d <Domain> connects to a DC in domain <Domain>.
                        Default: a DC in the logon domain.
-u <UserName>           Connect as <UserName>. Default: the logged in user.
                        User name can be: user name, domain\user name,
                        or user principal name (UPN).
-p {<Password> | *}
                        Password for the user <UserName>. If * is entered
                        then you are prompted for a password.
-q                      Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci}	-uc Specifies that input from or output to pipe is
			formatted in Unicode. 
			-uco Specifies that output to pipe or file is 
			formatted in Unicode. 
			-uci Specifies that input from pipe or file is
			formatted in Unicode.

Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be
accepted from the keyboard, a redirected file, or as piped output from
another command. To mark the end of stdin data from the keyboard or
in a redirected file, use Control+Z, for End of File (EOF).

If a value that you supply contains spaces, use quotation marks 
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
See also:
dsadd computer /? - help for adding a computer to the directory.
dsadd contact /? - help for adding a contact to the directory.
dsadd group /? - help for adding a group to the directory.
dsadd ou /? - help for adding an organizational unit to the directory.
dsadd user /? - help for adding a user to the directory.
dsadd quota /? - help for adding a quota to the directory.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsadd failed:The parameter is incorrect.
type dsadd /? for help.

 

Back to DSADD

 

dsadd group
help for adding a group to the directory.
Description:  Adds a group to the directory.
Syntax:  dsadd group <GroupDN> [-secgrp {yes | no}] [-scope {l | g | u}]
        [-samid <SAMName>] [-desc <Description>] [-memberof <Group ...>]
        [-members <Member ...>] [{-s <Server> | -d <Domain>}] [-u <UserName>]
        [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]
Parameters:

Value                   Description
<GroupDN>               Required. Distinguished name (DN) of group to add.
			If the target object is omitted, it will be taken
			from standard input (stdin).
-secgrp {yes | no}      Sets this group as a security group (yes) or not (no).
                        Default: yes.
-scope {l | g | u}      Sets the scope of this group: local, global
                        or universal. If the domain is still in mixed-mode,
                        then the universal scope is not supported.
                        Default: global.
-samid <SAMName>        Set the SAM account name of group to <SAMName>
                        (for example, operators).
-desc <Description>     Sets group description to <Description>.
-memberof <Group ...>   Makes the group a member of one or more groups
                        given by the space-separated list of DNs <Group ...>.
-members <Member ...>   Adds one or more members to this group. Members are
                        set by space-separated list of DNs <Member ...>.
{-s <Server> | -d <Domain>}
                        -s <Server> connects to the domain controller (DC)
                        with name <Server>.
                        -d <Domain> connects to a DC in domain <Domain>.
                        Default: a DC in the logon domain.
-u <UserName>           Connect as <UserName>. Default: the logged in user.
                        User name can be: user name, domain\user name,
                        or user principal name (UPN).
-p {<Password> | *}     Password for the user <UserName>. If * is entered,
                        then you are prompted for a password.
-q                      Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci}	-uc Specifies that input from or output to pipe is
			formatted in Unicode. 
			-uco Specifies that output to pipe or file is 
			formatted in Unicode. 
			-uci Specifies that input from pipe or file is
			formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be
accepted from the keyboard, a redirected file, or as piped output from
another command. To mark the end of stdin data from the keyboard or
in a redirected file, use Control+Z, for End of File (EOF).

If a value that you supply contains spaces, use quotation marks 
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of group distinguished names). 
See also:
dsadd computer /? - help for adding a computer to the directory.
dsadd contact /? - help for adding a contact to the directory.
dsadd group /? - help for adding a group to the directory.
dsadd ou /? - help for adding an organizational unit to the directory.
dsadd user /? - help for adding a user to the directory.
dsadd quota /? - help for adding a quota to the directory.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsadd failed:The parameter is incorrect.
type dsadd /? for help.

 

Back to DSADD

 

dsadd ou
help for adding an organizational unit to the directory.
Description:  Adds an organizational unit to the directory
Syntax:  dsadd ou <OrganizationalUnitDN> [-desc <Description>] 
        [{-s <Server> | -d <Domain>}] [-u <UserName>] 
        [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]
Parameters:

Value                   Description
<OrganizationalUnitDN>  Required. Distinguished name (DN)
                        of the organizational unit (OU) to add.
			If the target object is omitted, it will be taken
			from standard input (stdin).
-desc <Description>     Set the OU description to <Description>.
{-s <Server> | -d <Domain>}
                        -s <Server> connects to the domain controller (DC)
                        with name <Server>.
                        -d <Domain> connects to a DC in domain <Domain>.
                        Default: a DC in the logon domain.
-u <UserName>           Connect as <UserName>. Default: the logged in user.
                        User name can be: user name, domain\user name,
                        or user principal name (UPN).
-p {<Password> | *}
                        Password for the user <UserName>. If * is entered
                        then you are prompted for a password.
-q                      Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci}	-uc Specifies that input from or output to pipe is
			formatted in Unicode. 
			-uco Specifies that output to pipe or file is 
			formatted in Unicode. 
			-uci Specifies that input from pipe or file is
			formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be
accepted from the keyboard, a redirected file, or as piped output from
another command. To mark the end of stdin data from the keyboard or
in a redirected file, use Control+Z, for End of File (EOF).

If a value that you supply contains spaces, use quotation marks 
around the text (for example, "OU=Domain Controllers,DC=microsoft,DC=com").
See also:
dsadd computer /? - help for adding a computer to the directory.
dsadd contact /? - help for adding a contact to the directory.
dsadd group /? - help for adding a group to the directory.
dsadd ou /? - help for adding an organizational unit to the directory.
dsadd user /? - help for adding a user to the directory.
dsadd quota /? - help for adding a quota to the directory.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsadd failed:The parameter is incorrect.
type dsadd /? for help.

 

Back to DSADD

 

dsadd user
help for adding a user to the directory.
Description:  Adds a user to the directory.
Syntax:  dsadd user <UserDN> [-samid <SAMName>] [-upn <UPN>] [-fn <FirstName>]
        [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>] 
        [-empid <EmployeeID>] [-pwd {<Password> | *}] [-desc <Description>] 
        [-memberof <Group ...>] [-office <Office>] [-tel <Phone#>] 
        [-email <Email>] [-hometel <HomePhone#>] [-pager <Pager#>] 
        [-mobile <CellPhone#>] [-fax <Fax#>] [-iptel <IPPhone#>]
        [-webpg <WebPage>] [-title <Title>] [-dept <Department>]
        [-company <Company>] [-mgr <Manager>] [-hmdir <HomeDir>]
        [-hmdrv <DriveLtr:>] [-profile <ProfilePath>] [-loscr <ScriptPath>]
        [-mustchpwd {yes | no}] [-canchpwd {yes | no}] 
        [-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}] 
        [-acctexpires <NumDays>] [-disabled {yes | no}] 
        [{-s <Server> | -d <Domain>}] [-u <UserName>] 
        [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

Parameters:

Value                   Description
<UserDN>                Required. Distinguished name (DN) of user to add.
			If the target object is omitted, it will be taken
			from standard input (stdin).
-samid <SAMName>        Set the SAM account name of user to <SAMName>.
			If not specified, dsadd will attempt 
			to create SAM account name using up to 
			the first 20 characters from the 
			common name (CN) value of <UserDN>.
-upn <UPN>              Set the upn value to <UPN>.
-fn <FirstName>         Set user first name to <FirstName>.
-mi <Initial>           Set user middle initial to <Initial>.
-ln <LastName>          Set user last name to <LastName>.
-display <DisplayName>  Set user display name to <DisplayName>.
-empid <EmployeeID>     Set user employee ID to <EmployeeID>.
-pwd {<Password> | *}   Set user password to <Password>. If *, then you are
                        prompted for a password.
-desc <Description>     Set user description to <Description>.
-memberof <Group ...>   Make user a member of one or more groups <Group ...>
-office <Office>        Set user office location to <Office>.
-tel <Phone#>           Set user telephone# to <Phone#>.
-email <Email>          Set user e-mail address to <Email>.
-hometel <HomePhone#>   Set user home phone# to <HomePhone#>.
-pager <Pager#>         Set user pager# to <Pager#>.
-mobile <CellPhone#>    Set user mobile# to <CellPhone#>.
-fax <Fax#>             Set user fax# to <Fax#>.
-iptel <IPPhone#>       Set user IP phone# to <IPPhone#>.
-webpg <WebPage>        Set user web page URL to <WebPage>.
-title <Title>          Set user title to <Title>.
-dept <Department>      Set user department to <Department>.
-company <Company>      Set user company info to <Company>.
-mgr <Manager>          Set user's manager to <Manager> (format is DN).
-hmdir <HomeDir>        Set user home directory to <HomeDir>. If this is
                        UNC path, then a drive letter that will be mapped to
                        this path must also be specified through -hmdrv.
-hmdrv <DriveLtr:>      Set user home drive letter to <DriveLtr:>
-profile <ProfilePath>  Set user's profile path to <ProfilePath>.
-loscr <ScriptPath>     Set user's logon script path to <ScriptPath>.
-mustchpwd {yes | no}   User must change password at next logon or not.
                        Default: no.
-canchpwd {yes | no}    User can change password or not. This should be
                        "yes" if the -mustchpwd is "yes". Default: yes.
-reversiblepwd {yes | no}
                        Store user password using reversible encryption or
                        not. Default: no.
-pwdneverexpires {yes | no}
                        User password never expires or not. Default: no.
-acctexpires <NumDays>  Set user account to expire in <NumDays> days from
                        today. A value of 0 implies account expires
                        at the end of today; a positive value
                        implies the account expires in the future;
                        a negative value implies the account already expired
                        and sets an expiration date in the past; 
                        the string value "never" implies that the 
                        account never expires.
-disabled {yes | no}    User account is disabled or not. Default: no.
{-s <Server> | -d <Domain>}
                        -s <Server> connects to the domain controller (DC)
                        with name <Server>.
                        -d <Domain> connects to a DC in domain <Domain>.
                        Default: a DC in the logon domain.
-u <UserName>           Connect as <UserName>. Default: the logged in user.
                        User name can be: user name, domain\user name,
                        or user principal name (UPN).
-p {<Password> | *}     Password for the user <UserName>. If * is entered,
                        then you are prompted for a password.
-q                      Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci}	-uc Specifies that input from or output to pipe is
			formatted in Unicode. 
			-uco Specifies that output to pipe or file is 
			formatted in Unicode. 
			-uci Specifies that input from pipe or file is
			formatted in Unicode.

Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be
accepted from the keyboard, a redirected file, or as piped output from
another command. To mark the end of stdin data from the keyboard or
in a redirected file, use Control+Z, for End of File (EOF).

If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 

The special token $username$ (case insensitive) may be used to place the SAM
account name in the value of a parameter. For example, if the target user DN
is CN=Jane Doe,CN=users,CN=microsoft,CN=com and the SAM account name
attribute is "janed," the -hmdir parameter can have
the following substitution:

-hmdir \users\$username$\home

The value of the -hmdir parameter is modified to the following value:

- hmdir \users\janed\home

See also:
dsadd computer /? - help for adding a computer to the directory.
dsadd contact /? - help for adding a contact to the directory.
dsadd group /? - help for adding a group to the directory.
dsadd ou /? - help for adding an organizational unit to the directory.
dsadd user /? - help for adding a user to the directory.
dsadd quota /? - help for adding a quota to the directory.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsadd failed:The parameter is incorrect.
type dsadd /? for help.

 

Back to DSADD

 

dsadd quota
help for adding a quota to the directory.
Adds a quota specification to a directory partition. A quota specification
determines the maximum number of directory objects a given security principal
can own in a specified directory partition.
dsadd quota -part <PartitionDN> [-rdn <RDN>] -acct Name
-qlimit <Value> | -1 [-desc <Description>]
[{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}]
[-q] [{-uc | -uco | -uci}]
-part <PartitionDN>         Required. Specifies the distinguished name of the
                            directory partition on which you want to create a
                            quota. If the distinguished name is omitted, it
                            will be taken from standard input (stdin).
-rdn <RDN>                  Specifies the relative distinguished name (RDN)
                            of the quota specification being created. If the
                            -rdn option is omitted, it will be set to 
                            <domain>_<accountname>, using the domain and
                            account name of the security principal specified
                            by the -acct parameter.
-acct Name                  Required. Specifies the security principal (user,
                            group, computer, InetOrgPerson) for whom the
                            quota specification is being specified. The -acct
                            option can be provided in the following forms:
                              DN of the security principal
                              domain\SAM account name of the security
                              principal
-qlimit <Value> | -1
                            Required. Specifies the number of objects within 
                            the directory partition that can be owned by 
                            the security principal. To specify an unlimited 
                            quota, specify -1 as the value. 
-desc <Description>         Specifies a description for the quota
                            specification you want to add.
{-s <Server> | -d <Domain>} Connects the computer to either a specified
                            server or domain. By default, the computer is
                            connected to a domain controller in the logon
                            domain.
-u <UserName>               Specifies the user name with which user will log
                            on to a remote server. By default, the logged on
                            user name is used. You can specify a user name
                            using one of the following formats:
                               user name (such as, Linda)
                               domain\user name (such as, widgets\Linda)
                               user principal name (UPN) (such as,
                               Linda@widgets.microsoft.com)
-p {<Password> | *}         Specifies use of a specific password or a * to
                            log on to a remote server. If you type *, then
                            you are prompted for a password.
-q                          Suppresses all output to standard output (quiet
                            mode).
{-uc | -uco | -uci}         Specifies that output or input data is formatted
                            in Unicode. The -uc value specifies a Unicode
                            format for input from or output to pipe.
                            The -uco value specifies a Unicode format for
                            output to pipe or file. The -uci value specifies
                            a Unicode format for input from pipe or file.
/?                          Displays help at the command prompt.
If you do not supply a target object at the command prompt, the target object
is obtained from standard input (stdin). Stdin data can be accepted from the
keyboard, a redirected file, or as piped output from another command. To mark
the end of stdin data from the keyboard or in a redirected file, use
Control+Z, for End of File (EOF).

If a value that you supply contains spaces, use quotation marks around the
text (for example, "CN=DC 2,OU=Domain Controllers,DC=Microsoft,DC=Com").
dsadd computer /? - help for adding a computer to the directory.
dsadd contact /? - help for adding a contact to the directory.
dsadd group /? - help for adding a group to the directory.
dsadd ou /? - help for adding an organizational unit to the directory.
dsadd user /? - help for adding a user to the directory.
dsadd quota /? - help for adding a quota to the directory.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsadd failed:The parameter is incorrect.
type dsadd /? for help.

 

Back to DSADD

 

 

Back to the top of this page

 

 

DSGET

Description:  This tool's commands display the selected properties
of a specific object in the directory. The dsget commands:

dsget_computer - displays properties of computers in the directory.
dsget_contact - displays properties of contacts in the directory.
dsget_subnet - displays properties of subnets in the directory.
dsget_group - displays properties of groups in the directory.
dsget_ou - displays properties of ou's in the directory.
dsget_server - displays properties of servers in the directory.
dsget_site - displays properties of sites in the directory.
dsget_user - displays properties of users in the directory.
dsget_quota - displays properties of quotas in the directory.
dsget_partition - displays properties of partitions in the directory.

To display an arbitrary set of attributes of any given object in the
directory use the dsquery * command (see examples below).

For help on a specific command, type "dsget <ObjectType> /?" where
<ObjectType> is one of the supported object types shown above.
For example, dsget ou /?.
Remarks:
The dsget commands help you to view the properties of a specific object in
the directory: the input to dsget is an object and the output is a list of
properties for that object. To find all objects that meet a given search
criterion, use the dsquery commands (dsquery /?).

The dsget commands support piping of input to allow you to pipe results from
the dsquery commands as input to the dsget commands and display detailed
information on the objects found by the dsquery commands.

Commas that are not used as separators in distinguished names must be
escaped with the backslash ("\") character
(for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com").
Backslashes used in distinguished names must be escaped with a backslash (for
example, "CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,
DC=com").
Examples:
To find all users with names starting with "John" and display their office
numbers:

	dsquery user -name John* | dsget user -office

To display the sAMAccountName, userPrincipalName and department attributes of
the object whose DN is ou=Test,dc=microsoft,dc=com:

	dsquery * ou=Test,dc=microsoft,dc=com -scope base -attr
	sAMAccountName userPrincipalName department

To read all attributes of any object use the dsquery * command.
For example, to read all attributes of the object whose DN is
ou=Test,dc=microsoft,dc=com:

	dsquery * ou=Test,dc=microsoft,dc=com -scope base -attr *

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget succeeded

 

dsget computer
displays properties of computers in the directory.
Description:  Displays the properties of a computer in the directory.
              There are two variations of this command. The first variation
              allows you to view the properties of multiple computers. The
              second variation allows you to view the membership information
              of a single computer.
Syntax:     dsget computer <ComputerDN ...> [-dn] [-samid] [-sid] [-desc]
            [-loc] [-disabled] [{-s <Server> | -d <Domain>}] [-u <UserName>]
            [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
            [-part <PartitionDN> [-qlimit] [-qused]]

            dsget computer <ComputerDN> [-memberof [-expand]]
            [{-s <Server> | -d <Domain>}] [-u <UserName>]
            [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

Parameters:

Value               Description
<ComputerDN ...>    Required/stdin. Distinguished names (DNs) of one 
                    or more computers to view.
                    If the target objects are omitted they
                    will be taken from standard input (stdin)
                    to support piping of output from another 
                    command to input of this command.
                    Compare with <ComputerDN> below.
-dn                 Displays the computer DN.
-samid              Displays the computer SAM account name.
-sid                Displays the computer Security ID (SID).
-desc               Displays the computer description.
-loc                Displays the computer location.
-disabled           Displays if the computer account is 
                    disabled (yes) or not (no).
<ComputerDN>        Required. Distinguished name (DN) of the computer to
                    view.
-memberof           Displays the groups of which the computer is a member.
-expand             Displays the recursively expanded list of groups of 
                    which the computer is a member. This option takes
                    the immediate group membership list of the computer
                    and then recursively expands each group in this list to 
                    determine its group memberships and arrive at a 
                    complete set of the groups.
{-s <Server> | -d <Domain>}
                    -s <Server> connects to the domain controller (DC) 
                    with name <Server>.
                    -d <Domain> connects to a DC in domain <Domain>.
                    Default: a DC in the logon domain.
-u <UserName>       Connect as <UserName>. Default: the logged in user.
                    User name can be: user name, domain\user name,
                    or user principal name (UPN).
-p {<Password> | *} Password for the user <UserName>. If * then prompt for
                    password.
-c                  Continuous operation mode: report errors but continue
                    with next object in argument list when multiple target
                    objects are specified. Without this option, command
                    exits on first error.
-q                  Quiet mode: suppress all output to standard output.
-L                  Displays the entries in the search result set in a
                    list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
		    formatted in Unicode.
		    -uco Specifies that output to pipe or file is
		    formatted in Unicode.
		    -uci Specifies that input from pipe or file is
		    formatted in Unicode.
-part <PartitionDN> Connects to the directory partition with the
                    distinguished name of <PartitionDN>.
-qlimit             Displays the effective quota of the computer within
                    the specified directory partition.
-qused              Displays how much of its quota the computer has
                    used within the specified directory partition.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).

A quota specification determines the maximum number of directory objects a
given security principal can own in a specific directory partition.

The dsget commands help you view the properties of a
specific object in the directory: the input to dsget is an object
and the output is a list of properties for that object.
To find all objects that meet a given search criterion, 
use the dsquery commands (dsquery /?).

If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=DC2,OU=Domain Controllers,DC=microsoft,
DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 
Examples:
To find all computers in a given OU whose name starts with "tst" and show
their descriptions.

    dsquery computer ou=Test,dc=microsoft,dc=com -name tst* | 
    dsget computer -desc

To show the list of groups, recursively expanded, to which a given computer
"MyDBServer" belongs:

    dsget computer cn=MyDBServer,cn=computers,dc=microsoft,dc=com
    -memberof -expand

To display the effective quota and quota used of a given computer
"MyDBServer" on a given partition "cn=domain1,dc=microsoft,dc=com", type:

    dsget computer cn=MyDBServer,cn=computers,dc=microsoft,dc=com
    -part cn=domain1,dc=microsoft,dc=com -qlimit -qused
See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.

 

Back to DSGET

 

dsget contact
displays properties of contacts in the directory.
Description:  Displays properties of a contact in the directory.
Syntax:     dsget contact <ContactDN ...> [-dn] [-fn] [-mi] [-ln]
            [-display] [-desc] [-office] [-tel] [-email] [-hometel]
            [-pager] [-mobile] [-fax] [-iptel] [-title] [-dept] 
            [-company] [{-s <Server> | -d <Domain>}]
            [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l]
	    [{-uc | -uco | -uci}]
Parameters:

Value               Description
<ContactDN ...>     Required/stdin. Specifies Distinguished names (DNs)
                    of one or more contacts to view.
                    If the target objects are omitted they
                    will be taken from standard input (stdin)
                    to support piping of output from another
                    command to input of this command.
-dn                 Specifies the contact DN.
-fn                 Specifies the contact first name.
-mi                 Specifies the contact middle initial.
-ln                 Specifies the contact last name.
-display            Specifies the contact display name.
-desc               Specifies the contact description.
-office             Specifies the contact office location.
-tel                Specifies the contact telephone#.
-email              Specifies the contact e-mail address.
-hometel            Specifies the contact home phone#.
-pager              Specifies the contact pager#.
-mobile             Specifies the contact mobile#.
-fax                Specifies the contact fax#.
-iptel              Specifies the contact IP phone#.
-title              Specifies the contact title.
-dept               Specifies the contact department.
-company            Specifies the contact company info.
{-s <Server> | -d <Domain>}
                    -s <Server> connects to the domain controller (DC) 
                    with name <Server>.
                    -d <Domain> connects to a DC in domain <Domain>.
                    Default: a DC in the logon domain.
-u <UserName>       Connect as <UserName>. Default: the logged in user.
                    User name can be: user name, domain\user name,
                    or user principal name (UPN).
-p {<Password> | *} 
                    Password for the user <UserName>. If * then prompt for
                    password.
-c                  Continuous operation mode: report errors but continue
                    with next object in argument list when multiple target
                    objects are specified. Without this option, command
                    exits on first error.
-q                  Quiet mode: suppress all output to standard output.
-L                  Displays the entries in the search result set in a
                    list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
		    formatted in Unicode.
		    -uco Specifies that output to pipe or file is
		    formatted in Unicode.
		    -uci Specifies that input from pipe or file is
		    formatted in Unicode.

Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).


The dsget commands help you view the properties of a
specific object in the directory: the input to dsget is 
an object and the output is a list of properties for that object.
To find all objects that meet a given search criterion, 
use the dsquery commands (dsquery /?).

If a value that you supply contains spaces, use quotation marks 
around the text (for example, "CN=John Smith,OU=Contacts,DC=microsoft,
DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 

Examples:
To display the description and phone numbers for contacts 
"Jon Smith" and "Jona Jones".

dsget contact "CN=John Doe,OU=Contacts,DC=microsoft,DC=com"
"CN=Jane Doe,OU=Contacts,DC=microsoft,DC=com" -desc -tel

See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.


Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.

 

Back to DSGET

 

dsget subnet
displays properties of subnets in the directory.
Description: Displays properties of a subnet defined 
	     in the directory.
Syntax:     dsget subnet <SubnetCN ...> [-dn] [-desc] [-loc] [-site]
            [{-s <Server> | -d <Domain>}] [-u <UserName>]
            [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

Parameters:

Value               Description
<SubnetCN ...>      Required/stdin. Common name (CN) of one 
                    or more subnets to view. The format is
                    the subnet's RDN (see examples below).
-dn                 Displays the subnet distinguished name (DN).
                    If the target objects are omitted they
                    will be taken from standard input (stdin)
                    to support piping of output from another
                    command to input of this command.
-desc               Displays the subnet description.
-loc                Displays the subnet location.
-site               Displays the site name associated with the subnet.
{-s <Server> | -d <Domain>}
                    -s <Server> connects to the domain controller (DC) 
                    with name <Server>.
                    -d <Domain> connects to a DC in domain <Domain>.
                    Default: a DC in the logon domain.
-u <UserName>       Connect as <UserName>. Default: the logged in user.
                    User name can be: user name, domain\user name,
                    or user principal name (UPN).
-p {<Password> | *}
                    Password for the user <UserName>. If * then prompt for
                    password.
-c                  Continuous operation mode: report errors but continue
                    with next object in argument list when multiple target
                    objects are specified. Without this option, command
                    exits on first error.
-q                  Quiet mode: suppress all output to standard output.
-L                  Displays the entries in the search result set in a
                    list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
		    formatted in Unicode.
		    -uco Specifies that output to pipe or file is
		    formatted in Unicode.
		    -uci Specifies that input from pipe or file is
		    formatted in Unicode.

Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).


The dsget commands help you view the properties of
a specific object in the directory: the input to dsget is 
an object and the output is a list of properties for that object.
To find all objects that meet a given search criterion, 
use the dsquery commands (dsquery /?).

If a value that you supply contains spaces, use quotation marks
around the text (for example, "123.56.15.0/24,CN=Subnets,CN=Sites
,CN=Configuration,DC=My Domain,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of subnet common names).

Examples:
To show all relevant properties for the subnets "123.56.15.0/24" and
"123.56.16.0/24":

dsget subnet
"123.56.15.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=microsoft,DC=com"
"123.56.16.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=microsoft,DC=com"

See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.


Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.

 

Back to DSGET

 

dsget group
displays properties of groups in the directory.
Description:  Displays the various properties of a group including the
              members of a group in the directory. There are two variations
              of this command. The first variation allows you to view the
              properties of multiple groups. The second variation allows you
              to view the group membership information of a single group.
Syntax: dsget group <GroupDN ...> [-dn] [-samid] [-sid] [-desc] [-secgrp]
        [-scope] [{-s <Server> | -d <Domain>}] [-u <UserName>]
        [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}] 
        [-part <PartitionDN> [-qlimit] [-qused]]

        dsget group <GroupDN> [{-memberof | -members} [-expand]]
        [{-s <Server> | -d <Domain>}] [-u <UserName>]
        [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
Parameters:

Value               Description
<GroupDN ...>       Required/stdin. Distinguished names (DNs) of one 
                    or more groups to view.
                    If the target objects are omitted they
                    will be taken from standard input (stdin)
                    to support piping of output from another command
                    to input of this command. 
                    Compare with <GroupDN> below.
-dn                 Displays the group DN.
-samid              Displays the group SAM account name.
-sid                Displays the group Security ID.
-desc               Displays the group description.
-secgrp             Displays if the group is a security group or not.
-scope              Displays the scope of the group - Local, Global 
                    or Universal.
<GroupDN>           Required. DN of group to view.
{-memberof | -members}
                    Displays the groups of the group 
                    is a member (-memberof), or
                    displays the members of the group (-members).
-expand             For -memberof, displays the recursively expanded 
                    list of groups of which the group is a member.
                    This option takes the immediate group membership list 
                    of the group and then recursively expands each group
                    in this list to determine its group memberships
                    and arrive at a complete set of the groups.
                    For -members, displays the recursively expanded list
                    of members of the group. This option takes the 
                    immediate list of members of the group and 
                    then recursively expands each group in this list 
                    to determine its group memberships and arrive 
                    at a complete set of its members.
{-s <Server> | -d <Domain>}
                    -s <Server> connects to the domain controller (DC) 
                    with name <Server>.
                    -d <Domain> connects to a DC in domain <Domain>.
                    Default: a DC in the logon domain.
-u <UserName>       Connect as <UserName>. Default: the logged in user.
                    User name can be: user name, domain\user name,
                    or user principal name (UPN).
-p {<Password> | *} Password for the user <UserName>. If * then prompt for
                    password.
-c                  Continuous operation mode: report errors but continue
                    with next object in argument list when multiple target
                    objects are specified. Without this option, command
                    exits on first error.
-q                  Quiet mode: suppress all output to standard output.
-L                  Displays the entries in the search result set in a
                    list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
		    formatted in Unicode.
		    -uco Specifies that output to pipe or file is
		    formatted in Unicode.
		    -uci Specifies that input from pipe or file is
		    formatted in Unicode.
-part <PartitionDN> Connects to the directory partition with the
                    distinguished name of <PartitionDN>.
-qlimit             Displays the effective quota of the group within
                    the specified directory partition.
-qused              Displays how much of its quota the group has
                    used within the specified directory partition.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).

A quota specification determines the maximum number of directory objects a
given security principal can own in a specific directory partition.

The dsget commands help you view the properties of a specific
object in the directory: the input to dsget is an object 
and the output is a list of properties for that object.
To find all objects that meet a given search criterion, 
use the dsquery commands (dsquery /?).

If a value that you supply contains spaces, use quotation marks 
around the text (for example, "CN=USA Sales,OU=Distribution Lists,
DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 
Examples:
To find all groups in a given OU whose names start with "adm" and display
their descriptions.

    dsquery group ou=Test,dc=microsoft,dc=com -name adm* | 
    dsget group -desc

To display the list of members, recursively expanded, of the group "Backup
Operators":

    dsget group "CN=Backup Operators,ou=Test,dc=microsoft,dc=com" -members
    -expand

To display the effective quota and quota used for a group on a specified
partition, type:

    dsget group "CN=Backup Operators,OU=Test,DC=microsoft,DC=com"
    -part "CN=domain1,dc=microsoft,dc=Com" -qlimit -qused
See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.

 

Back to DSGET

 

dsget ou
displays properties of ou's in the directory.
Description:    Displays properties of an organizational unit in the
directory.
Syntax:     dsget ou <OrganizationalUnitDN ...> [-dn] [-desc]
            [{-s <Server> | -d <Domain>}] [-u <UserName>]
            [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
Parameters:

Value               Description
<OrganizationalUnitDN ...>
                    Required/stdin. Distinguished names (DNs) of one 
                    or more organizational units (OUs) to view.
                    If the target objects are omitted they
                    will be taken from standard input (stdin)
                    to support piping of output from another
                    command to input of this command.
-dn                 Displays the OU DN.
-desc               Displays the OU description.
{-s <Server> | -d <Domain>}
                    -s <Server> connects to the domain controller (DC) 
                    with name <Server>.
                    -d <Domain> connects to a DC in domain <Domain>.
                    Default: a DC in the logon domain.
-u <UserName>       Connect as <UserName>. Default: the logged in user.
                    User name can be: user name, domain\user name,
                    or user principal name (UPN).
-p {<Password> | *} Password for the user <UserName>. If * then prompt for
                    password.
-c                  Continuous operation mode: report errors but continue
                    with next object in argument list when multiple target
                    objects are specified. Without this option, command
                    exits on first error.
-q                  Quiet mode: suppress all output to standard output.
-L                  Displays the entries in the search result set in a
                    list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
		    formatted in Unicode.
		    -uco Specifies that output to pipe or file is
		    formatted in Unicode.
		    -uci Specifies that input from pipe or file is
		    formatted in Unicode.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).


The dsget commands help you view the properties of a specific object in the
directory: the input to dsget is an object and the output is a list of
properties for that object.
To find all objects that meet a given search criterion, use the dsquery
commands (dsquery /?).

If a value that you supply contains spaces, use quotation marks 
around the text (for example, "OU=Domain Controllers,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 

Examples:
To find all OU's in the current domain and display their descriptions.

    dsquery ou domainroot | dsget ou -desc

See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.


Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.

 

Back to DSGET

 

dsget server
displays properties of servers in the directory.
Description:  This command displays the various properties of a domain
              controller. There are three variations of this command. The 
              first variation displays the general properties of a 
              specified domain controller. The second variation displays 
              a list of the security principals who own the largest 
              number of directory objects on the specified domain 
              controller. The third variation displays the distinguished
              names of the directory partitions on the specified
              server.
Syntax:     dsget server <ServerDN ...> [-dn] [-desc] [-dnsname] 
            [-site] [-isgc] [{-s <Server> | -d <Domain>}]
            [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l]
            [{-uc | -uco | -uci}]

            dsget server <ServerDN ...> [-topobjowner <Display>]
            [{-s <Server> | -d <Domain>}] [-u <UserName>]
            [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

            dsget server <ServerDN ...> [-part]
            [{-s <Server> | -d <Domain>}] [-u <UserName>]
            [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
Parameters:

Value               Description
<ServerDN ...>      Required/stdin. Distinguished names (DNs) of one 
                    or more servers to view.
                    If the target objects are omitted they
                    will be taken from standard input (stdin)
                    to support piping of output from another
                    command to input of this command.
-dn                 Displays the server's DN.
-desc               Displays the server's description.
-dnsname            Displays the server's Domain Name System (DNS) host name.
-site               Displays the site to which this server belongs.
-isgc               Displays whether or not the server is a
                    global catalog server.
{-s <Server> | -d <Domain>}
                    -s <Server> connects to the domain controller (DC) 
                    with name <Server>.
                    -d <Domain> connects to a DC in domain <Domain>.
                    Default: a DC in the logon domain.
-u <UserName>       Connect as <UserName>. Default: the logged in user.
                    User name can be: user name, domain\user name,
                    or user principal name (UPN).
-p {<Password> | *}
                    Password for the user <UserName>. If * then prompt for
                    password.
-c                  Continuous operation mode: report errors but continue
                    with next object in argument list when multiple target
                    objects are specified. Without this option, command
                    exits on first error.
-q                  Quiet mode: suppress all output to standard output.
-L                  Displays the entries in the search result set in a
                    list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
		    formatted in Unicode.
		    -uco Specifies that output to pipe or file is
		    formatted in Unicode.
		    -uci Specifies that input from pipe or file is
		    formatted in Unicode.
-part               Displays the distinguished names of the directory
                    partitions on the specified server.
-topobjowner <display>
                    Displays a sorted list of the security principals
                    (users, computers, security groups, and inetOrgPersons)
                    who own the largest number of directory objects across
                    all directory partitions on the server and the number
                    of directory objects they own. The number of accounts to
                    display in the list is specified by <display>. Enter
                    "0" to display all object owners. If <display> is not
                    specified, the number of principals listed defaults
                    to 10.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).

A quota specification determines the maximum number of directory objects a
given security principal can own in a specific directory partition.

The dsget commands help you view the properties of a
specific object in the directory: the input to dsget is
an object and the output is a list of properties for that object.
To find all objects that meet a given search criterion,
use the dsquery commands (dsquery /?).

If a value that you supply contains spaces, use quotation marks 
around the text (for example, "CN=My Server,CN=Servers,CN=Site10,
CN=Sites,CN=Configuration,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated
by spaces (for example, a list of distinguished names).

If either -part or -topobjowner is specified, they override any other
specified parameters, so that only the results of the -part or -topobjowner
parameter are displayed.
Examples:
To find all domain controllers for domain corp.microsoft.com
and display their DNS host name and site name:

dsquery server -domain corp.microsoft.com | 
dsget server -dnsname -site

To show if a domain controller with the name DC1 is also a 
global catalog server:

dsget server cn=DC1,cn=Servers,cn=Site10,cn=Sites,cn=Configuration,
dc=microsoft,dc=com -isgc

To show the distinguished names of the directory partitions on a domain
controller with the name DC1, type:

dsget server cn=DC1,cn=Servers,cn=Site10,cn=Sites,cn=Configuration,
dc=microsoft,dc=com -part

To show the security principals that own the largest total number of
directory objects on the directory partitions of a domain controller with the
name DC1, and limiting the list to the top 5 owners, type:

dsget server cn=DC1,cn=Servers,cn=Site10,cn=Sites,cn=Configuration,
dc=microsoft,dc=com -topobjowner 5
See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.

 

Back to DSGET

 

dsget site
displays properties of sites in the directory.
Description:  Display properties of a site defined in the directory.

Syntax:     dsget site <SiteCN ...> [-dn] [-desc] [-autotopology]
            [-cachegroups] [-prefGCsite] [{-s <Server> | -d <Domain>}]
            [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l]
	    [{-uc | -uco | -uci}]

Parameters:

Value               Description
<SiteCN ...>        Required/stdin. Common name (CN) of one 
                    or more sites to view.
                    If the target objects are omitted they
                    will be taken from standard input (stdin)
                    to support piping of output from another
                    command to input of this command.
-dn                 Specifies the site's distinguished name (DN).
-desc               Specifies the site's description.
-autotopology       Specifies if automatic inter-site topology generation
                    is enabled (yes) or disabled (no).
-cachegroups        Specifies if caching of group membership is enabled
                    to support GC-less logon (yes) or disabled (no).
-prefGCsite         Specifies the preferred GC site name if caching
                    of groups is enabled.
{-s <Server> | -d <Domain>}
                    -s <Server> connects to the domain controller (DC) 
                    with name <Server>.
                    -d <Domain> connects to a DC in domain <Domain>.
                    Default: a DC in the logon domain.
-u <UserName>       Connect as <UserName>. Default: the logged in user.
                    User name can be: user name, domain\user name,
                    or user principal name (UPN).
-p {<Password> | *}
                    Password for the user <UserName>. If * then prompt for
                    password.
-c                  Continuous operation mode: report errors but continue
                    with next object in argument list when multiple target
                    objects are specified. Without this option, command
                    exits on first error.
-q                  Quiet mode: suppress all output to standard output.
-L                  Displays the entries in the search result set in a
                    list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
		    formatted in Unicode.
		    -uco Specifies that output to pipe or file is
		    formatted in Unicode.
		    -uci Specifies that input from pipe or file is
		    formatted in Unicode.

Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).


The dsget commands help you view the properties of a
specific object in the directory: the input to dsget is 
an object and the output is a list of properties for that object.
To find all objects that meet a given search criterion, 
use the dsquery commands (dsquery /?).

If a value that you supply contains spaces, use quotation marks 
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 

Examples:
To find all sites in the forest and display their descriptions.

    dsquery site | dsget site -dn -desc

See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.

 

Back to DSGET

 

dsget user
displays properties of users in the directory.
Description:  Display the various properties of a user in the directory.
              There are two variations of this command. The first variation
              allows you to view the properties of multiple users. The second
              variation allows you to view the group membership information
              of a single user.
Syntax:     dsget user <UserDN ...> [-dn] [-samid] [-sid] [-upn] [-fn] [-mi]
            [-ln] [-display] [-empid] [-desc] [-office] [-tel] [-email]
            [-hometel] [-pager] [-mobile] [-fax] [-iptel] [-webpg]
            [-title] [-dept] [-company] [-mgr] [-hmdir] [-hmdrv]
            [-profile] [-loscr] [-mustchpwd] [-canchpwd]
            [-pwdneverexpires] [-disabled] [-acctexpires]
            [-reversiblepwd] [-part <PartitionDN> [-qlimit] [-qused]]
            [{-s <Server> | -d <Domain>}] [-u <UserName>] 
            [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

            dsget user <UserDN> [-memberof [-expand]]
            [{-s <Server> | -d <Domain>}] [-u <UserName>]
            [-p {<Password> | *}] [-c] [-q] [-l]
            [{-uc | -uco | -uci}]
            
Parameters:

Value                   Description
<UserDN ...>            Required/stdin. Distinguished names (DNs) of one 
                        or more users to view.
                        If the target objects are omitted they
                        will be taken from standard input (stdin)
                        to support piping of output from another command 
                        to input of this command. Compare with <UserDN>
                        below.
-dn                     Shows the DN of the user. 
-samid                  Shows the SAM account name of the user. 
-sid                    Shows the user Security ID. 
-upn                    Shows the user principal name of the user. 
-fn                     Shows the first name of the user. 
-mi                     Shows the middle initial of the user. 
-ln                     Shows the last name of the user. 
-display                Shows the display name of the user. 
-empid                  Shows the user employee ID. 
-desc                   Shows the description of the user. 
-office                 Shows the office location of the user. 
-tel                    Shows the telephone number of the user. 
-email                  Shows the e-mail address of the user. 
-hometel                Shows the home telephone number of the user. 
-pager                  Shows the pager number of the user. 
-mobile                 Shows the mobile phone number of the user. 
-fax                    Shows the fax number of the user. 
-iptel                  Shows the user IP phone number. 
-webpg                  Shows the user web page URL. 
-title                  Shows the title of the user. 
-dept                   Shows the department of the user. 
-company                Shows the company info of the user. 
-mgr                    Shows the user's manager. 
-hmdir                  Shows the user home directory. 
                        Displays the drive letter to which the 
                        home directory of the user is mapped 
                        (if the home directory path is a UNC path). 
-hmdrv                  Shows the user's home drive letter
                        (if home directory is a UNC path).
-profile                Shows the user's profile path. 
-loscr                  Shows the user's logon script path. 
-mustchpwd              Shows if the user must change his/her password
                        at the time of next logon. Displays: yes or no. 
-canchpwd               Shows if the user can change his/her password.
                        Displays: yes or no. 
-pwdneverexpires        Shows if the user password never expires.
                        Displays: yes or no. 
-disabled               Shows if the user account is disabled 
                        for logon or not. Displays: yes or no. 
-acctexpires            Shows when the user account expires. 
                        Display values: a date when the account expires
                        or the string "never" if the account never expires. 
-reversiblepwd          Shows if the user password is allowed to be 
                        stored using reversible encryption (yes or no). 
<UserDN>                Required. DN of group to view.
-memberof               Displays the groups of which the user is a member.
-expand                 Displays a recursively expanded list of groups
                        of which the user is a member.
{-s <Server> | -d <Domain>}
                        -s <Server> connects to the domain controller (DC) 
                        with name <Server>.
                        -d <Domain> connects to a DC in domain <Domain>.
                        Default: a DC in the logon domain.
-u <UserName>           Connect as <UserName>. Default: the logged in user.
                        User name can be: user name, domain\user name,
                        or user principal name (UPN).
-p {<Password> | *}     Password for the user <UserName>. If * then prompt
                        for password.
-c                      Continuous operation mode: report errors but continue
                        with next object in argument list when multiple
                        target objects are specified. Without this option,
                        command exits on first error.
-q                      Quiet mode: suppress all output to standard output.
-L                      Displays the entries in the search result set in a
                        list format. Default: table format.
{-uc | -uco | -uci}	-uc Specifies that input from or output to pipe is
			formatted in Unicode. 
			-uco Specifies that output to pipe or file is 
			formatted in Unicode. 
			-uci Specifies that input from pipe or file is
			formatted in Unicode.
-part <PartitionDN>     Connect to the directory partition with the
                        distinguished name of <PartitionDN>.
-qlimit                 Displays the effective quota of the user within
                        the specified directory partition.
-qused                  Displays how much of the quota the user has
                        used within the specified directory partition.
Remarks:
If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be accepted
from the keyboard, a redirected file, or as piped output from another
command. To mark the end of stdin data from the keyboard or in a redirected
file, use Control+Z, for End of File (EOF).

A quota specification determines the maximum number of directory objects a
given security principal can own in a specific directory partition.


The dsget commands help you view the properties of a
specific object in the directory: the input to dsget is
an object and the output is a list of properties for that object.
To find all objects that meet a given search criterion,
use the dsquery commands (dsquery /?).

If a value that you supply contains spaces, use quotation marks 
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 
Examples:
To find all users in a given OU whose names start with "jon" and display
their descriptions, type:

    dsquery user ou=Test,dc=microsoft,dc=com -name jon* | dsget user -desc

To display the list of groups, recursively expanded, to which a given user
"Jon Smith" belongs, type:

    dsget user "cn=Jon Smith,cn=users,dc=microsoft,dc=com" -memberof -expand

To display the effective quota and quota used for a given user
"Jon Smith" on a given partition "cn=domain,dc=microsoft,dc=com", type:

    dsget user "cn=Jon Smith,cn=users,dc=microsoft,dc=com"
    -part "cn=domain,dc=microsoft,dc=com" -qlimit -qused


See also:
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.

 

Back to DSGET

 

dsget quota
displays properties of quotas in the directory.
Description:  Displays the properties of a quota specification. A quota
specification determines the maximum number of directory objects a given
security principal can own in a specific directory partition.
dsget quota <QuotaDN ...> [-dn] [-acct] [-qlimit] [{-s <Server> | -d <Domain>}] 
[-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}] 
<QuotaDN ...>        Required. Specifies the distinguished names of the quota
                     objects to view. If values are omitted, they are
                     obtained through standard input (stdin) to support
                     piping of output from another command to input of this
                     command.
-dn                  Displays the distinguished names of the quota
                     specifications.
-acct                Displays the the distinguished names of the accounts to
                     which the quotas are assigned.
-qlimit              Displays the quota limits for the specified quotas.
                     An unlimited quota displays as "-1". 
{-s <Server> | -d <Domain>}
                    -s <Server> connects to the domain controller (DC) 
                    with name <Server>.
                    -d <Domain> connects to a DC in domain <Domain>.
                    Default: a DC in the logon domain.
-u <UserName>       Connect as <UserName>. Default: the logged in user.
                    User name can be: user name, domain\user name,
                    or user principal name (UPN).
-p {<Password> | *}
                    Password for the user <UserName>. If * then prompt for
                    password.
-c                  Continuous operation mode: report errors but continue
                    with next object in argument list when multiple target
                    objects are specified. Without this option, command
                    exits on first error.
-q                  Quiet mode: suppress all output to standard output.
-L                  Displays the entries in the search result set in a
                    list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
		    formatted in Unicode.
		    -uco Specifies that output to pipe or file is
		    formatted in Unicode.
		    -uci Specifies that input from pipe or file is
		    formatted in Unicode.
/?                  Displays help at the command prompt. 
If you do not supply a target object at the command prompt, the target object
is obtained from standard input (stdin). Stdin data can be accepted from the
keyboard, a redirected file, or as piped output from another command. To mark
the end of stdin data from the keyboard or in a redirected file, use
Control+Z, for End of File (EOF).

When none of the optional parameters is specified, the distinguished names of
the quota specification, the account to which the quota is assigned, and the
quota limit are all displayed.

Use the dsget command to view properties of a specific object in the
directory. To search for all objects that match a specific criterion, see
Dsquery *.

As a result of dsquery searches, you can pipe returned objects to dsget and
obtain object properties. See Examples.

If a value that you supply contains spaces, use quotation marks around the
text (for example, "CN=Mike Danseglio,CN=Users,DC=Microsoft,DC=Com").

If you supply multiple values for a parameter, use spaces to separate the
values (for example, a list of distinguished names).
To display the account to which the quota is assigned and the quota limit
for the quota specification "CN=quota1,dc=marketing,dc=northwindtraders,
dc=com", type:

dsget quota CN=quota1,dc=marketing,dc=northwindtraders,dc=com -acct -qlimit 
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.

 

Back to DSGET

 

dsget partition
displays properties of partitions in the directory.
Description:        Displays the properties of a directory partition.
dsget partition ObjectDN ... [-dn] [-qdefault] [-qtmbstnwt] 
[-topobjowner <Display>] [{-s <Server> | -d <Domain>}] [-u <UserName>] 
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}] 
Parameters
OBJECTDN            Required. Specifies the distinguished names (DN) of the
                    partition objects to view. If values are omitted, they
                    are obtained through standard input (stdin) to support
                    piping of output from another command to input of this
                    command.
-dn                 Displays the distinguished names of the directory
                    partition objects.
-qdefault           Displays the default quota that applies to any security
                    principal (user, group, computer or inetOrgPerson)
                    creating an object in the directory partition, if no
                    quota specification exists for the security principal.
-qtmbstnwt          Displays the percent by which the tombstone object count
                    should be reduced when calculating quota usage.
-topobjowner <Display>
                    Specifies to generate a sorted list of the distinguished
                    names of the accounts owning the largest number of
                    objects in the specified directory partition, along
                    with the number of directory objects they own. The
                    number of accounts to display in the list is determined
                    by <display>. Enter "0" to display all object owners. If
                    <display> is not specified, the number of principals
                    listed defaults to 10.
{-s <Server> | -d <Domain>}
                    -s <Server> connects to the domain controller (DC) 
                    with name <Server>.
                    -d <Domain> connects to a DC in domain <Domain>.
                    Default: a DC in the logon domain.
-u <UserName>       Connect as <UserName>. Default: the logged in user.
                    User name can be: user name, domain\user name,
                    or user principal name (UPN).
-p {<Password> | *}
                    Password for the user <UserName>. If * then prompt for
                    password.
-c                  Continuous operation mode: report errors but continue
                    with next object in argument list when multiple target
                    objects are specified. Without this option, command
                    exits on first error.
-q                  Quiet mode: suppress all output to standard output.
-L                  Displays the entries in the search result set in a
                    list format. Default: table format.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
		    formatted in Unicode.
		    -uco Specifies that output to pipe or file is
		    formatted in Unicode.
		    -uci Specifies that input from pipe or file is
		    formatted in Unicode.
/?                  Displays help at the command prompt. 
If you do not supply a target object at the command prompt, the target object
is obtained from standard input (stdin). Stdin data can be accepted from the
keyboard, a redirected file, or as piped output from another command. To mark
the end of stdin data from the keyboard or in a redirected file, use
Control+Z, for End of File (EOF).

A quota specification determines the maximum number of directory objects a
given security principal can own in a specific directory partition.

When none of the optional parameters is specified, the distinguished name of
the directory partition object is displayed.

When -topobjowner is specified, it overrides any other specified parameters,
so that only the results of -topobjowner are displayed.

Use the dsget command to view properties of a specific object in the
directory. To search for all objects that match a specific criterion, see
Dsquery *.

As a result of dsquery searches, you can pipe returned objects to dsget and
obtain object properties. See Examples.

If a value that you supply contains spaces, use quotation marks around the
text (for example, "CN=Mike Danseglio,CN=Users,DC=Microsoft,DC=Com").

If you supply multiple values for a parameter, use spaces to separate the
values (for example, a list of distinguished names).
To display all directory partitions in the forest that
begin with "application",  along with the top three directory object owners
on each partition, type:

dsquery server -forest -part application* |
dsget server -part |
dsget partition -topjobowner 3
dsget - describes parameters that apply to all commands.
dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsget failed:The parameter is incorrect.
type dsget /? for help.

 

Back to DSGET

 

 

Back to the top of this page

 

 

DSMOD

Description:  This dsmod command modifies existing objects in the directory.
The dsmod commands include:

dsmod_computer - modifies an existing computer in the directory.
dsmod_contact - modifies an existing contact in the directory.
dsmod_group - modifies an existing group in the directory.
dsmod_ou - modifies an existing organizational unit in the directory.
dsmod_server - modifies an existing domain controller in the directory.
dsmod_user - modifies an existing user in the directory.
dsmod_quota - modifies an existing quota specification in the directory.
dsmod_partition - modifies an existing quota specification in the directory.

For help on a specific command, type "dsmod <ObjectType> /?" where
<ObjectType> is one of the supported object types shown above.
For example, dsmod ou /?.

Remarks:
The dsmod commands support piping of input to allow you to pipe results from
the dsquery commands as input to the dsmod commands and modify the objects
found by the dsquery commands.

Commas that are not used as separators in distinguished names must be
escaped with the backslash ("\") character
(for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com").
Backslashes used in distinguished names must be escaped with a backslash 
(for example,
"CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,DC=com").

Examples:
To find all users in the organizational unit (OU)
"ou=Marketing,dc=microsoft,dc=com" and add them to the Marketing Staff group:

dsquery user -startnode "ou=Marketing,dc=microsoft,dc=com" | 
dsmod group "cn=Marketing Staff,ou=Marketing,dc=microsoft,dc=com" -addmbr

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.

 

dsmod computer
help for modifying an existing computer in the directory.
Description: Modifies an existing computer in the directory.
Syntax:     dsmod computer <ComputerDN ...> [-desc <Description>]
            [-loc <Location>] [-disabled {yes | no}] [-reset]
            [{-s <Server> | -d <Domain>}] [-u <UserName>] 
            [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
Parameters:

Value                   Description
<ComputerDN ...>        Required/stdin. Distinguished names (DNs) of one 
                        or more computers to modify.
                        If target objects are omitted they
                        will be taken from standard input (stdin)
                        to support piping of output from another command
                        to input of this command.
-desc <Description>     Sets computer description to <Description>.
-loc <Location>         Sets the location of the computer object to
                        <Location>.
-disabled {yes | no}    Sets whether the computer account is disabled (yes)
                        or not (no).
-reset                  Resets computer account.
{-s <Server> | -d <Domain>}
                        -s <Server> connects to the domain controller (DC)
                        with name <Server>.
                        -d <Domain> connects to a DC in domain <Domain>.
                        Default: a DC in the logon domain.
-u <UserName>           Connect as <UserName>. Default: the logged in user.
                        User name can be: user name, domain\user name,
                        or user principal name (UPN).
-p <Password>           Password for the user <UserName>. If * then prompt
                        for password.
-c                      Continuous operation mode. Reports errors but
                        continues with next object in argument list when
                        multiple target objects are specified.
                        Without this option, the command exits on first
                        error.
-q                      Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci}	-uc Specifies that input from or output to pipe is
			formatted in Unicode. 
			-uco Specifies that output to pipe or file is 
			formatted in Unicode. 
			-uci Specifies that input from pipe or file is
			formatted in Unicode.

Remarks:
If a value that you supply contains spaces, use quotation marks 
around the text
(for example, "CN=DC2,OU=Domain Controllers,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 

Examples:
To disable multiple computer accounts:

    dsmod computer CN=MemberServer1,CN=Computers,DC=microsoft,DC=com
    CN=MemberServer2,CN=Computers,DC=microsoft,DC=com 
    -disabled yes

To reset multiple computer accounts:

    dsmod computer CN=MemberServer1,CN=Computers,DC=microsoft,DC=com
    CN=MemberServer2,CN=Computers,DC=microsoft,DC=com -reset

See also:
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod failed:The parameter is incorrect.
type dsmod /? for help.

 

Back to DSMOD

 

dsmod contact
help for modifying an existing contact in the directory.
Description:  Modify an existing contact in the directory.

Syntax:     dsmod contact <ContactDN ...> [-fn <FirstName>] [-mi <Initial>]
            [-ln <LastName>] [-display <DisplayName>] [-desc <Description>]
            [-office <Office>] [-tel <Phone#>] [-email <Email>]
            [-hometel <HomePhone#>] [-pager <Pager#>] [-mobile <CellPhone#>]
            [-fax <Fax#>] [-iptel <IPPhone#>] [-title <Title>] 
            [-dept <Department>] [-company <Company>] 
            [{-s <Server> | -d <Domain>}] [-u <UserName>]
            [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

Parameters:
Value                   Description
<ContactDN ...>         Required/stdin. Distinguished names (DNs)
                        of one or more contacts to modify.
                        If target objects are omitted they
                        will be taken from standard input (stdin)
                        to support piping of output from another 
                        command to input of this command.
-fn <FirstName>         Sets contact first name to <FirstName>.
-mi <Initial>           Sets contact middle initial to <Initial>.
-ln <LastName>          Sets contact last name to <LastName>.
-display <DisplayName>	Sets contact display name to <DisplayName>.
-desc <Description>     Sets contact description to <Description>.
-office <Office>        Sets contact office location to <Office>.
-tel <Phone#>           Sets contact telephone# to <Phone#>.
-email <Email>          Sets contact e-mail address to <Email>.
-hometel <HomePhone#>   Sets contact home phone# to <HomePhone#>.
-pager <Pager#>         Sets contact pager# to <Pager#>.
-mobile <CellPhone#>    Sets contact mobile# to <CellPhone#>.
-fax <Fax#>             Sets contact fax# to <Fax#>.
-iptel <IPPhone#>       Sets contact IP phone# to <IPPhone#>.
-title <Title>          Sets contact title to <Title>.
-dept <Department>      Sets contact department to <Department>.
-company <Company>      Sets contact company info to <Company>.
{-s <Server> | -d <Domain>}
                        -s <Server> connects to the domain controller (DC)
                        with name <Server>.
                        -d <Domain> connects to a DC in domain <Domain>.
                        Default: a DC in the logon domain.
-u <UserName>           Connect as <UserName>. Default: the logged in user.
                        User name can be: user name, domain\user name,
                        or user principal name (UPN).
-p <Password>           Password for the user <UserName>. If * then prompt
                        for password.
-c                      Continuous operation mode. Reports errors but
                        continues with next object in argument list when
                        multiple target objects are specified. Without
                        this option, the command exits on first error.
-q                      Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci}	-uc Specifies that input from or output to pipe is
			formatted in Unicode. 
			-uco Specifies that output to pipe or file is 
			formatted in Unicode. 
			-uci Specifies that input from pipe or file is
			formatted in Unicode.

Remarks:
If a value that you supply contains spaces, use quotation marks 
around the text (for example,
"CN=John Smith,OU=Contacts,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 

Examples:
To set the company information of multiple contacts:

dsmod contact "CN=John Doe,OU=Contacts,DC=microsoft,DC=com"
"CN=Jane Doe,OU=Contacts,DC=microsoft,DC=com" -company microsoft

See also:
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod failed:The parameter is incorrect.
type dsmod /? for help.

 

Back to DSMOD

 

dsmod group
help for modifying an existing group in the directory.
Description: Modifies an existing group in the directory.

Syntax:     dsmod group <GroupDN ...> [-samid <SAMName>]
            [-desc <Description>] [-secgrp {yes | no}] [-scope {l | g | u}] 
            [{-addmbr | -rmmbr | -chmbr} <Member ...>]
            [{-s <Server> | -d <Domain>}] [-u <UserName>]
            [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

Parameters:
Value                   Description
<GroupDN ...>           Required/stdin. Distinguished names (DNs) of 
                        one or more groups to modify.
                        If target objects are omitted they
                        will be taken from standard input (stdin)
                        to support piping of output from another command
                        to input of this command.
                        If <GroupDN ...> and <Member ...> are used
                        together then only one parameter can
                        be taken from standard input, requiring that at
                        least one parameter be specified on the command line.
-samid <SAMName>        Sets the SAM account name of group to <SAMName>.
-desc <Description>     Sets group description to <Description>.
-secgrp {yes | no}      Sets the group type to security (yes)
                        or non-security (no).
-scope {l | g | u}      Sets the scope of group to local (l),
                        global (g), or universal (u).
{-addmbr | -rmmbr | -chmbr}
                        -addmbr adds members to the group.
                        -rmmbr removes members from the group.
                        -chmbr changes (replaces) the complete list of 
                        members in the group.
<Member ...>            Space-separated list of members to add to, 
                        delete from, or replace in the group.
                        If target objects are omitted, they
                        will be taken from standard input (stdin)
                        to support piping of output from another command
                        to input of this command.
                        The list of members must follow the
                        -addmbr, -rmmbr, and -chmbr parameters.
                        If <GroupDN ...> and <Member ...> are used
                        together then only one parameter can
                        be taken from standard input, requiring that at
                        least one parameter be specified on the command line.
{-s <Server> | -d <Domain>}
                        -s <Server> connects to the domain controller (DC)
                        with name <Server>.
                        -d <Domain> connects to a DC in domain <Domain>.
                        Default: a DC in the logon domain.
-u <UserName>           Connect as <UserName>. Default: the logged in user.
                        User name can be: user name, domain\user name,
                        or user principal name (UPN).
-p <Password>           Password for the user <UserName>. If * then prompt
                        for password.
-c                      Continuous operation mode. Reports errors but
                        continues
                        with next object in argument list when multiple
                        target objects are specified. Without this option,
                        the command exits on first error.
-q                      Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci}	-uc Specifies that input from or output to pipe is
			formatted in Unicode. 
			-uco Specifies that output to pipe or file is 
			formatted in Unicode. 
			-uci Specifies that input from pipe or file is
			formatted in Unicode.

Remarks:
If a value that you supply contains spaces, use quotation marks 
around the text
(for example, "CN=USA Sales,OU=Distribution Lists,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 

Examples:
To add the user Mike Danseglio to all administrator 
distribution list groups:

dsquery group "OU=Distribution Lists,DC=microsoft,DC=com" -name adm* | 
dsmod group -addmbr "CN=Mike Danseglio,CN=Users,DC=microsoft,DC=com"

To add all members of the US Info group to the Cananda Info group:

dsget group "CN=US INFO,OU=Distribution Lists,DC=microsoft,DC=com" -members |
dsmod group "CN=CANADA INFO,OU=Distribution Lists,DC=microsoft,DC=com"
-addmbr

To convert the group type of several groups from "security" to
"non-security":

dsmod group "CN=US INFO,OU=Distribution Lists,DC=microsoft,DC=com"
"CN=CANADA INFO,OU=Distribution Lists,DC=microsoft,DC=com"
"CN=MEXICO INFO,OU=Distribution Lists,DC=microsoft,DC=com" -secgrp no

To add three new members to the US Info group:

dsmod group "CN=US INFO,OU=Distribution Lists,DC=microsoft,DC=com" -addmbr 
"CN=John Smith,CN=Users,DC=microsoft,DC=com"
"CN=Datacenter,OU=Distribution Lists,DC=microsoft,DC=com"
"CN=Jane Smith,CN=Users,DC=microsoft,DC=com"

To add all users from the OU "Marketing" to the exisitng group
"Marketing Staff":

dsquery user ou=Marketing,dc=microsoft,dc=com | dsmod group
"cn=Marketing Staff,ou=Marketing,dc=microsoft,dc=com" -addmbr

To delete two members from the exisitng US Info group:

dsmod group "CN=US INFO,OU=Distribution Lists,DC=microsoft,DC=com" -rmmbr
"CN=John Smith,CN=Users,DC=microsoft,DC=com"
"CN=Datacenter,OU=Distribution Lists,DC=microsoft,DC=com"

See also:
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod failed:The parameter is incorrect.
type dsmod /? for help.

 

Back to DSMOD

 

dsmod ou
help for modifying an existing ou in the directory.
Description: Modifies an existing organizational unit in the
             directory.
Syntax:     dsmod ou <OrganizationalUnitDN ...> [-desc <Description>]
            [{-s <Server> | -d <Domain>}] [-u <UserName>] 
            [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

Parameters:
Value                   Description
<OrganizationalUnitDN ...>
                        Required/stdin. Distinguished names (DNs)
                        of one or more organizational units (OUs) to modify.
                        If target objects are omitted they
                        will be taken from standard input (stdin)
                        to support piping of output from another command
                        to input of this command.
-desc <Description>     Sets OU description to <Description>.
{-s <Server> | -d <Domain>}
                        -s <Server> connects to the domain controller (DC)
                        with name <Server>.
                        -d <Domain> connects to a DC in domain <Domain>.
                        Default: a DC in the logon domain.
-u <UserName>           Connect as <UserName>. Default: the logged in user.
                        User name can be: user name, domain\user name,
                        or user principal name (UPN).
-p <Password>           Password for the user <UserName>. If * then prompt
                        for password.
-c                      Continuous operation mode. Reports errors but
                        continues with next object in argument list when
                        multiple target objects are specified.
                        Without this option, the command exits on first
                        error.
-q                      Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci}	-uc Specifies that input from or output to pipe is
			formatted in Unicode. 
			-uco Specifies that output to pipe or file is 
			formatted in Unicode. 
			-uci Specifies that input from pipe or file is
			formatted in Unicode.

Remarks:
If a value that you supply contains spaces, use quotation marks 
around the text (for example, "OU=Domain Controllers,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 

Examples:
To change the description of several OUs at the same time:

dsmod ou "OU=Domain Controllers,DC=microsoft,DC=com"
"OU=Resources,DC=microsoft,DC=com"
"OU=troubleshooting,DC=microsoft,DC=com" -desc "This is a test OU"

See also:
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod failed:The parameter is incorrect.
type dsmod /? for help.

 

Back to DSMOD

 

dsmod server
help for modifying an existing domain controller in the
Description:  Modifies properties of a domain controller.

Syntax:     dsmod server <ServerDN ...> [-desc <Description>]
            [-isgc {yes | no}] [{-s <Server> | -d <Domain>}]
            [-u <UserName>] [-p {<Password> | *}] [-c] [-q]
	    [{-uc | -uco | -uci}]

Parameters:
Value               Description
<ServerDN ...>      Required/stdin. Distinguished names (DNs)
                    of one or more servers to modify.
                    If target objects are omitted they
                    will be taken from standard input (stdin)
                    to support piping of output from another
                    command to input of this command.
-desc <Description> 
                    Sets server description to <Description>.
-isgc {yes | no}    Sets whether this server to a global catalog server
                    (yes) or disables it (no).
{-s <Server> | -d <Domain>}
                    -s <Server> connects to the domain controller (DC)
                    with name <Server>.
                    -d <Domain> connects to a DC in domain <Domain>.
                    Default: a DC in the logon domain.
-u <UserName>       Connect as <UserName>. Default: the logged in user.
                    User name can be: user name, domain\user name,
                    or user principal name (UPN).
-p <Password>       Password for the user <UserName>. 
                    If * is entered, then you are prompted for a password.
-c                  Continuous operation mode. Reports errors but
                    continues with next object in argument list 
                    when multiple target objects are specified.
                    Without this option, the command exits on first error.
-q                  Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
		    formatted in Unicode. 
		    -uco Specifies that output to pipe or file is 
		    formatted in Unicode. 
		    -uci Specifies that input from pipe or file is
		    formatted in Unicode.

Remarks:
If a value that you supply contains spaces, use quotation marks 
around the text (for example, "CN=My Server,CN=Servers,CN=Site10,
CN=Sites,CN=Configuration,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 

Examples:
To enable the domain controllers CORPDC1 and CORPDC9 to become global catalog
servers:

dsmod server
"cn=CORPDC1,cn=Servers,cn=site1,cn=sites,cn=configuration,dc=microsoft,dc=com"
"cn=CORPDC9,cn=Servers,cn=site2,cn=sites,cn=configuration,dc=microsoft,dc=com"
-isgc yes

See also:
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.

dsmod failed:The parameter is incorrect.
type dsmod /? for help.

 

Back to DSMOD

 

dsmod user
help for modifying an existing user in the directory.
Description:  Modifies an existing user in the directory.

Syntax:     dsmod user <UserDN ...> [-upn <UPN>] [-fn <FirstName>]
            [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>]
            [-empid <EmployeeID>] [-pwd {<Password> | *}] 
            [-desc <Description>] [-office <Office>] [-tel <Phone#>]
            [-email <Email>] [-hometel <HomePhone#>] [-pager <Pager#>]
            [-mobile <CellPhone#>] [-fax <Fax#>] [-iptel <IPPhone#>]
            [-webpg <WebPage>] [-title <Title>] [-dept <Department>]
            [-company <Company>] [-mgr <Manager>] [-hmdir <HomeDir>]
            [-hmdrv <DriveLtr>:] [-profile <ProfilePath>]
            [-loscr <ScriptPath>] [-mustchpwd {yes | no}]
            [-canchpwd {yes | no}] [-reversiblepwd {yes | no}]
            [-pwdneverexpires {yes | no}]
            [-acctexpires <NumDays>] [-disabled {yes | no}] 
            [{-s <Server> | -d <Domain>}] [-u <UserName>] 
            [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

Parameters:

Value                   Description
<UserDN ...>            Required/stdin. Distinguished names (DNs)
                        of one or more users to modify.
                        If target objects are omitted they
                        will be taken from standard input (stdin)
                        to support piping of output from another command
                        to input of this command.
-upn <UPN>              Sets the UPN value to <UPN>.
-fn <FirstName>         Sets user first name to <FirstName>.
-mi <Initial>           Sets user middle initial to <Initial>.
-ln <LastName>          Sets user last name to <LastName>.
-display <DisplayName>  Sets user display name to <DisplayName>.
-empid <EmployeeID>     Sets user employee ID to <EmployeeID>.
-pwd {<Password> | *}   Resets user password to <Password>. If *, then
                        you are prompted for a password.
-desc <Description>     Sets user description to <Description>.
-office <Office>        Sets user office location to <Office>.
-tel <Phone#>           Sets user telephone# to <Phone#>.
-email <Email>          Sets user e-mail address to <Email>.
-hometel <HomePhone#>   Sets user home phone# to <HomePhone#>.
-pager <Pager#>         Sets user pager# to <Pager#>.
-mobile <CellPhone#>    Sets user mobile# to <CellPhone#>.
-fax <Fax#>             Sets user fax# to <Fax#>.
-iptel <IPPhone#>       Sets user IP phone# to <IPPhone#>.
-webpg <WebPage>        Sets user web page URL to <WebPage>.
-title <Title>          Sets user title to <Title>.
-dept <Department>      Sets user department to <Department>.
-company <Company>      Sets user company info to <Company>.
-mgr <Manager>          Sets user's manager to <Manager>.
-hmdir <HomeDir>        Sets user home directory to <HomeDir>. If this is
                        UNC path, then a drive letter to be mapped to
                        this path must also be specified through -hmdrv.
-hmdrv <DriveLtr>:      Sets user home drive letter to <DriveLtr>:
-profile <ProfilePath>  Sets user's profile path to <ProfilePath>.
-loscr <ScriptPath>     Sets user's logon script path to <ScriptPath>.
-mustchpwd {yes | no}   Sets whether the user must change his password (yes)
                        or not (no) at his next logon.
-canchpwd {yes | no}    Sets whether the user can change his password (yes)
                        or not (no). This setting should be "yes"
                        if the -mustchpwd setting is "yes".
-reversiblepwd {yes | no}
                        Sets whether the user password should be stored using
                        reversible encryption (yes) or not (no).
-pwdneverexpires {yes | no}
                        Sets whether the user's password never expires (yes)
                        or not (no).
-acctexpires <NumDays>  Sets user account to expire in <NumDays> days from
                        today. A value of 0 sets expiration at the end of
                        today.
                        A positive value sets expiration in the future.
                        A negative value sets expiration in the past.
                        A string value of "never" sets the account 
                        to never expire.
-disabled {yes | no}    Sets whether the user account is disabled (yes)
                        or not (no).
{-s <Server> | -d <Domain>}
                        -s <Server> connects to the domain controller (DC)
                        with name <Server>.
                        -d <Domain> connects to a DC in domain <Domain>.
                        Default: a DC in the logon domain.
-u <UserName>           Connect as <UserName>. Default: the logged in user.
                        User name can be: user name, domain\user name,
                        or user principal name (UPN).
-p <Password>           Password for the user <UserName>. If * then prompt
                        for password.
-c                      Continuous operation mode. Reports errors but
                        continues with next object in argument list
                        when multiple target objects are specified.
                        Without this option, the command exits on the
                        first error.
-q                      Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci}	-uc Specifies that input from or output to pipe is
			formatted in Unicode. 
			-uco Specifies that output to pipe or file is 
			formatted in Unicode. 
			-uci Specifies that input from pipe or file is
			formatted in Unicode.

Remarks:
If a value that you supply contains spaces, use quotation marks 
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 

The special token $username$ (case insensitive) may be used to place the
SAM account name in the value of -webpg, -profile, -hmdir, and
-email parameter.
For example, if the target user DN is
CN=Jane Doe,CN=users,CN=microsoft,CN=com and the SAM account name
attribute is "janed," the -hmdir parameter can have the following
substitution:

-hmdir \users\$username$\home

The value of the -hmdir parameter is modified to the following value:

- hmdir \users\janed\home

Examples:
To reset a user's password:

    dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com"
    -pwd A1b2C3d4 -mustchpwd yes

To reset multiple user passwords to a common password
and force them to change their passwords the next time they logon:

    dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com"
    "CN=Jane Doe,CN=Users,DC=microsoft,DC=com" -pwd A1b2C3d4 -mustchpwd yes

To disable multiple user accounts at the same time:

    dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com"
    "CN=Jane Doe,CN=Users,DC=microsoft,DC=com" -disabled yes

To modify the profile path of multiple users to a common path using the
$username$ token:

dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com"
"CN=Jane Doe,CN=Users,DC=microsoft,DC=com" -profile \users\$username$\profile
See also:
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod failed:The parameter is incorrect.
type dsmod /? for help.

 

Back to DSMOD

 

dsmod quota
help for modifying an existing quota specification in the
Modifies attributes of one or more existing quota specifications in the
directory. A quota specification determines the maximum number of directory
objects a given security principal can own in a specific directory partition.
dsmod quota <QuotaDN ...> [-qlimit <Value>]
[-desc <Description>] [{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
<QuotaDN ...>         Specifies the distinguished names of one or more quota
                      specifications to modify. If values are omitted, they
                      are obtained through standard input (stdin) to support
                      piping of output from another command to input of this
                      command.
-qlimit <Value>
                      Specifies the number of objects within the
                      directory partition that can be owned by the security
                      principal to which the quota specification is assigned.
                      To specify an unlimited quota, use -1.
-desc <Description>   Sets the description of the quota specification to 
                      <Description>.
{-s <Server> | -d <Domain>}
                      Connects to a specified remote server or domain. By
                      default, the computer is connected to a domain
                      controller in the logon domain.
-u <UserName>         Specifies the user name with which the user logs on to
                      a remote server. By default, -u uses the user name with
                      which the user logged on. You can use any of the
                      following formats to specify a user name:
                        user name (for example, Linda)
                        domain\user name (for example, widgets\Linda)
                        user principal name (UPN)
                          (for example, Linda@widgets.microsoft.com)
-p {<Password> | *}   Specifies to use either a password or a * to log on to
                      a remote server. If you type *, you are prompted for a
                      password.
-c                    Specifies continuous operation mode. Errors are
                      reported, but the process continues with the next
                      object in the argument list when you specify multiple
                      target objects. If you do not use -c, the command quits
                      after the first error occurs.
-q                    Suppresses all output to standard output (quiet mode).
{-uc | -uco | -uci}   Specifies that output or input data is formatted in
                      Unicode. 
                      -uc   Specifies a Unicode format for input from or
                            output to a pipe (|).
                      -uco  Specifies a Unicode format for output to a
                            pipe (|) or a file.
                      -uci  Specifies a Unicode format for input from a
                            pipe (|) or a file.
Dsmod quota only supports a subset of commonly used object class attributes.

If a value that you use contains spaces, use quotation marks around the text
(for example, "CN=DC2,OU=Domain Controllers,DC=Microsoft,DC=Com").
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod failed:The parameter is incorrect.
type dsmod /? for help.

 

Back to DSMOD

 

dsmod partition
help for modifying an existing partition in the
Modifies attributes of one or more existing partitions in the directory.

dsmod partition <PartitionDN...> [-qdefault <Value>] 
[-qtmbstnwt <Percent>] [{-s <Server> | -d <Domain>}]
[-u <UserName>] [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
<PartitionDN...>      Specifies the distinguished names of one or more
                      partition objects to modify. If values are omitted,
                      they are obtained through standard input (stdin) to
                      support piping of output from another command as
                      input of this command.
-qdefault <Value>     Specifies that the default quota for the directory 
                      partition be set to Value. The default quota will
                      apply to any security principal (user, group, computer,
                      or InetOrgPerson) who owns an object in the directory
                      partition and for whom more specific quota
                      specification exists. Enter -1 to specify an unlimited
                      quota.
-qtmbstawt <Percent>  Sets the percentage by which tombstone object count
                      should be reduced when calculating quota usage. The
                      percentage is specified by <Percent> and must be
                      between 0 and 100. For example, a value of 25 means
                      that a tombstone object counts as 25, or 1/4, of a
                      normal object when calculating quota usage. If a user
                      were assigned a quota of 100, that user could own a
                      maximum of 100 normal objects or 400 tombstone objects
                      in Active Directory.
{-s <Server> | -d <Domain>}
                      Connects to a specified remote server or domain. By
                      default, the computer is connected to a domain
                      controller in the logon domain.
-u <UserName>         Specifies the user name with which the user logs on to
                      a remote server. By default, -u uses the user name with
                      which the user logged on. You can use any of the
                      following formats to specify a user name:
                        user name (for example, Linda)
                        domain\user name (for example, widgets\Linda)
                        user principal name (UPN)
                          (for example, Linda@widgets.microsoft.com)
-p {<Password> | *}   Specifies to use either a password or a * to log on to
                      a remote server. If you type *, you are prompted for a
                      password.
-c                    Specifies continuous operation mode. Errors are
                      reported, but the process continues with the next
                      object in the argument list when you specify multiple
                      target objects. If you do not use -c, the command quits
                      after the first error occurs.
-q                    Suppresses all output to standard output (quiet mode).
{-uc | -uco | -uci}   Specifies that output or input data is formatted in
                      Unicode. 
                      -uc   Specifies a Unicode format for input from or
                            output to a pipe (|).
                      -uco  Specifies a Unicode format for output to a
                            pipe (|) or a file.
                      -uci  Specifies a Unicode format for input from a
                            pipe (|) or a file.
Dsmod quota only supports a subset of commonly used object class attributes.

If a value that you use contains spaces, use quotation marks around the text
(for example, "CN=DC2,OU=Domain Controllers,DC=Microsoft,DC=Com").

The default quota applies to any security principal (for example, user,
group, computer, or InetOrgPerson) that creates an object in the directory
partition when no quota specification exists that covers the security
principal.

The default quota for a given directory partition is an attribute
(ms-DS-Default-Quota) of a special container of class
ms-DS-Quota-Container, as specified by CN=NTDS
Quotas,DirectoryParitionRootDN.

The tombstone quota weight for a given directory partition (set with the
-qtmbstnwt option) is an attribute (ms-DS-Tombstone-Quota-Factor)
of a special container of class (ms-DS-Quota-Container), as
specified by CN=NTDS Quotas,NCRootDN.
dsmod computer /? - help for modifying an existing computer in the directory.
dsmod contact /? - help for modifying an existing contact in the directory.
dsmod group /? - help for modifying an existing group in the directory.
dsmod ou /? - help for modifying an existing ou in the directory.
dsmod server /? - help for modifying an existing domain controller in the
directory.
dsmod user /? - help for modifying an existing user in the directory.
dsmod quota /? - help for modifying an existing quota specification in the
directory
dsmod partition /? - help for modifying an existing partition in the
directory

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsmod failed:The parameter is incorrect.
type dsmod /? for help.

 

Back to DSMOD

 

 

Back to the top of this page

 

 

DSMOVE

Description:  This command moves or renames an object within the directory.

Syntax:     dsmove <ObjectDN>
                [-newparent <ParentDN>] 
                [-newname <NewName>]
                [{-s <Server> | -d <Domain>}] 
                [-u <UserName>] 
                [-p {<Password> | *}]
                [-q]
		[{-uc | -uco | -uci}]

Parameters:

Value                   Description
<ObjectDN>              Required/stdin. Distinguished name (DN) 
                        of object to move or rename.
                        If this parameter is omitted it
                        will be taken from standard input (stdin).
-newparent <ParentDN>   DN of the new parent location to which object
                        should be moved.
-newname <NewName>      New relative distinguished name (RDN) value
                        to which object should be renamed.
{-s <Server> | -d <Domain>}
                        -s <Server> connects to the domain controller (DC)
                        with name <Server>.
                        -d <Domain> connects to a DC in domain <Domain>.
                        Default: a DC in the logon domain.
-u <UserName>           Connect as <UserName>. Default: the logged in user.
                        User name can be: user name, domain\user name,
                        or user principal name (UPN).
-p <Password>           Password for the user <UserName>.
                        If * is used, then the command prompts for a
                        password.
-q                      Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci}	-uc Specifies that input from or output to pipe is
			formatted in Unicode. 
			-uco Specifies that output to pipe or file is 
			formatted in Unicode. 
			-uci Specifies that input from pipe or file is
			formatted in Unicode.

Remarks:
If a value that you supply contains spaces, use quotation marks 
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 

Commas that are not used as separators in distinguished names must be
escaped with the backslash ("\") character
(for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com").
Backslashes used in distinguished names must be escaped with a backslash
(for example,
"CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,DC=com").

Examples:
The user object for the user Jane Doe can be renamed to Jane Jones
with the following command:

    dsmove "cn=Jane Doe,ou=sales,dc=microsoft,dc=com" -newname "Jane Jones"

The same user can be moved from the Sales organization to the Marketing
organization with the following command:

    dsmove "cn=Jane Doe,ou=sales,dc=microsoft,dc=com"
    -newparent ou=Marketing,dc=microsoft,dc=com

The rename and move operations for the user can be combined with the
following command:

    dsmove "cn=Jane Doe,ou=sales,dc=microsoft,dc=com"
    -newparent ou=Marketing,dc=microsoft,dc=com -newname "Jane Jones"

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.

 

 

Back to the top of this page

 

 

DSQUERY

Description: This tool's commands suite allow you to query the directory
according to specified criteria. Each of the following dsquery commands finds
objects of a specific object type, with the exception of dsquery *, which can
query for any type of object:

dsquery_computer - finds computers in the directory.
dsquery_contact - finds contacts in the directory.
dsquery_subnet - finds subnets in the directory.
dsquery_group - finds groups in the directory.
dsquery_ou - finds organizational units in the directory.
dsquery_site - finds sites in the directory.
dsquery_server - finds domain controllers in the directory.
dsquery_user - finds users in the directory.
dsquery_quota - finds quota specifications in the directory.
dsquery_partition - finds partitions in the directory.
dsquery * - finds any object in the directory by using a generic LDAP query.

For help on a specific command, type "dsquery <ObjectType> /?" where
<ObjectType> is one of the supported object types shown above.
For example, dsquery ou /?.

Remarks:
The dsquery commands help you find objects in the directory that match 
a specified search criterion: the input to dsquery is a search criterion 
and the output is a list of objects matching the search. To get the 
properties of a specific object, use the dsget commands (dsget /?).

The results from a dsquery command can be piped as input to one of the other
directory service command-line tools, such as dsmod, dsget, dsrm or dsmove.

Commas that are not used as separators in distinguished names must be
escaped with the backslash ("\") character
(for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com"). Backslashes
used in distinguished names must be escaped with a backslash (for example,
"CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,DC=com").


Examples:
To find all computers that have been inactive for the last four weeks and
remove them from the directory:

	dsquery computer -inactive 4 | dsrm

To find all users in the organizational unit
"ou=Marketing,dc=microsoft,dc=com" and add them to the Marketing Staff group:

	dsquery user ou=Marketing,dc=microsoft,dc=com |	dsmod group
        "cn=Marketing Staff,ou=Marketing,dc=microsoft,dc=com" -addmbr

To find all users with names starting with "John" and display his office
number:

	dsquery user -name John* | dsget user -office

To display an arbitrary set of attributes of any given object in the
directory use the dsquery * command. For example, to display the
sAMAccountName, userPrincipalName and department attributes of the object
whose DN is ou=Test,dc=microsoft,dc=com:

	dsquery * ou=Test,dc=microsoft,dc=com -scope base
	-attr sAMAccountName userPrincipalName department

To read all attributes of the object whose DN is ou=Test,dc=microsoft,dc=com:

	dsquery * ou=Test,dc=microsoft,dc=com -scope base -attr *

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.

 

dsquery computer
help for finding computers in the directory.
Description:  Finds computers in the directory matching specified
              search criteria.

Syntax:     dsquery computer [{<StartNode> | forestroot | domainroot}]
            [-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}]
            [-name <Name>] [-desc <Description>] [-samid <SAMName>]
            [-inactive <NumWeeks>] [-stalepwd <NumDays>] [-disabled]
            [{-s <Server> | -d <Domain>}] [-u <UserName>] 
            [-p {<Password> | *}] [-q] [-r] [-gc]
            [-limit <NumObjects>] [{-uc | -uco | -uci}]


Parameters:
Value                       Description
{<StartNode> | forestroot | domainroot}
                            The node where the search will start:
                            forest root, domain root, or a node 
                            whose DN is <StartNode>.
                            Can be "forestroot", "domainroot"
                            or an object DN.
                            If "forestroot" is specified, the search is done
                            via the global catalog. Default: domainroot.
-o {dn | rdn | samid}       Specifies the output format.
                            Default: distinguished name (DN).
-scope {subtree | onelevel | base}
                            Specifies the scope of the search: 
                            subtree rooted at start node (subtree); 
                            immediate children of start node only (onelevel); 
                            the base object represented by start node (base). 
                            Note that subtree and domain scope
                            are essentially the same for any start node
                            unless the start node represents a domain root.
                            If forestroot is specified as <StartNode>,
                            subtree is the only valid scope.
                            Default: subtree.
-name <Name>                Finds computers whose name matches the value
                            given by <Name>, e.g., "jon*" or "*ith"
                            or "j*th".
-desc <Description>         Finds computers whose description matches
                            the value given by <Description>,
                            e.g., "jon*" or "*ith" or "j*th".
-samid <SAMName>            Finds computers whose SAM account name
                            matches the filter given by <SAMName>.
-inactive <NumWeeks>        Finds computers that have been inactive (stale)
                            for at least <NumWeeks> number of weeks.
-stalepwd <NumDays>         Finds computers that have not changed their
                            password for at least <NumDays> number of days.
-disabled                   Finds computers with disabled accounts.
{-s <Server> | -d <Domain>}
                            -s <Server> connects to the domain controller
                            (DC) with name <Server>.
                            -d <Domain> connects to a DC in domain <Domain>.
                            Default: a DC in the logon domain.
-u <UserName>               Connect as <UserName>. Default: the logged in
                            user. User name can be: user name,
                            domain\user name, or user principal name (UPN).
-p <Password>               Password for the user <UserName>.
                            If * then prompt for password.
-q                          Quiet mode: suppress all output to
                            standard output.
-r                          Recurse or follow referrals during search.
                            Default: do not chase referrals during search.
-gc                         Search in the Active Directory global catalog.
-limit <NumObjects>         Specifies the number of objects matching the
                            given criteria to be returned, where <NumObjects>
                            is the number of objects to be returned.
                            If the value of <NumObjects> is 0, all
                            matching objects are returned.
                            If this parameter is not specified, by default
                            the first 100 results are displayed.
{-uc | -uco | -uci}         -uc Specifies that input from or output
                            to pipe is formatted in Unicode. 
                            -uco Specifies that output to pipe or file is 
                            formatted in Unicode. 
                            -uci Specifies that input from pipe or file is
                            formatted in Unicode.

Remarks:
The dsquery commands help you find objects in the directory that match 
a specified search criterion: the input to dsquery is a search criteria 
and the output is a list of objects matching the search. To get the 
properties of a specific object, use the dsget commands (dsget /?).

If a value that you supply contains spaces, use quotation marks 
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 

Examples:
To find all computers in the current domain whose name starts with "ms" 
and whose description starts with "desktop", and display their DNs:

    dsquery computer domainroot -name ms* -desc desktop*

To find all computers in the organizational unit (OU) given 
by ou=sales,dc=micrsoft,dc=com and display their DNs:

    dsquery computer ou=sales,dc=microsoft,dc=com

See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using a
generic LDAP query.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.

 

Back to DSQUERY

 

dsquery contact
help for finding contacts in the directory.
Description: Finds contacts per given criteria.

Syntax:     dsquery contact [{<StartNode> | forestroot | domainroot}]
            [-o {dn | rdn}] [-scope {subtree | onelevel | base}]
            [-name <Name>] [-desc <Description>] 
            [{-s <Server> | -d <Domain>}] [-u <UserName>] 
            [-p {<Password> | *}] [-q] [-r] [-gc]
            [-limit <NumObjects>] [{-uc | -uco | -uci}]


Parameters
Value               Description
{<StartNode> | forestroot | domainroot}
                    The node where the search will start:
                    forest root, domain root, or a node 
                    whose DN is <StartNode>.
                    Can be "forestroot", "domainroot" or an object DN.
                    If "forestroot" is specified, the search is done
                    via the global catalog. Default: domainroot.
-o {dn | rdn}       Specifies the output format.
                    Default: distinguished name (DN).
-scope {subtree | onelevel | base}
                    Specifies the scope of the search: 
                    subtree rooted at start node (subtree); 
                    immediate children of start node only (onelevel); 
                    the base object represented by start node (base). 
                    Note that subtree and domain scope
                    are essentially the same for any start node
                    unless the start node represents a domain root.
                    If forestroot is specified as <StartNode>,
                    subtree is the only valid scope.
                    Default: subtree.
-name <Name>        Finds all contacts whose name matches the filter
                    given by <Name>, e.g., "jon*" or *ith" or "j*th".
-desc <Description> Finds contacts with descriptions matching the
                    value given by <Description>, e.g., "corp*" or *branch"
                    or "j*th".
{-s <Server> | -d <Domain>}
                    -s <Server> connects to the domain controller (DC)
                    with name <Server>.
                    -d <Domain> connects to a DC in domain <Domain>.
                    Default: a DC in the logon domain.
-u <UserName>       Connect as <UserName>. Default: the logged in
                    user. User name can be: user name,
                    domain\user name, or user principal name (UPN).
-p <Password>       Password for the user <UserName>. If * then prompt for
                    password.
-q                  Quiet mode: suppress all output to standard output.
-r                  Recurse or follow referrals during search. Default: do
                    not chase referrals during search.
-gc                 Search in the Active Directory global catalog.
-limit <NumObjects>
                    Specifies the number of objects matching the given
                    criteria to be returned,
                    where <NumObjects> is the number of objects
                    to be returned. If the value of <NumObjects> is 0, all
                    matching objects are returned. If this parameter is not
                    specified, by default the first 100 results are
                    displayed.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
                    formatted in Unicode. 
                    -uco Specifies that output to pipe or file is 
                    formatted in Unicode. 
                    -uci Specifies that input from pipe or file is
                    formatted in Unicode.

Remarks:
The dsquery commands help you find objects in the directory that match 
a specified search criterion: the input to dsquery is a search criteria 
and the output is a list of objects matching the search. To get the 
properties of a specific object, use the dsget commands (dsget /?).

If a value that you supply contains spaces, use quotation marks 
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).

See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using a
generic LDAP query.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.

 

Back to DSQUERY

 

dsquery subnet
help for finding subnets in the directory.
Description:  Finds subnets in the directory per given criteria.

Syntax:     dsquery subnet [-o {dn | rdn}] [-name <Name>]
            [-desc <Description>] [-loc <Location>] [-site <SiteName>]
            [{-s <Server> | -d <Domain>}] [-u <UserName>]
            [-p {<Password> | *}] [-q] [-r] [-gc]
            [-limit <NumObjects>] [{-uc | -uco | -uci}]

Parameters:
Value               Description
-o {dn | rdn}       Specifies the output format.
                    Default: distinguished name (DN).
-name <Name>        Find subnets whose name matches the value given
                    by <Name>, e.g., "10.23.*" or "12.2.*".
-desc <Description> Find subnets whose description matches the value
                    given by <Description>, e.g., "corp*" or "*nch"
                    or "j*th".
-loc <Location>     Find subnets whose location matches the value
                    given by <Location>.
-site <SiteName>    Find subnets that are part of site <SiteName>.
{-s <Server> | -d <Domain>}
                    -s <Server> connects to the domain controller (DC)
                    with name <Server>.
                    -d <Domain> connects to a DC in domain <Domain>.
                    Default: a DC in the logon domain.
-u <UserName>       Connect as <UserName>. Default: the logged in
                    user. User name can be: user name,
                    domain\user name, or user principal name (UPN).
-p <Password>       Password for the user <UserName>. If * then prompt for
                    password.
-q                  Quiet mode: suppress all output to standard output.
-r                  Recurse or follow referrals during search. Default: do
                    not chase referrals during search.
-gc                 Search in the Active Directory global catalog.
-limit <NumObjects> Specifies the number of objects matching the given
                    criteria to be returned, where <NumObjects>
                    is the number of objects to be returned.
                    If the value of <NumObjects> is 0,
                    all matching objects are returned.
                    If this parameter is not specified,
                    by default the first 100 results are displayed.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
                    formatted in Unicode. 
                    -uco Specifies that output to pipe or file is 
                    formatted in Unicode. 
                    -uci Specifies that input from pipe or file is
                    formatted in Unicode.

Remarks:
The dsquery commands help you find objects in the directory that match 
a specified search criterion: the input to dsquery is a search criteria 
and the output is a list of objects matching the search. To get the 
properties of a specific object, use the dsget commands (dsget /?).

If a value that you supply contains spaces, use quotation marks 
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 

Examples:
To find all subnets with the network IP address starting with 123.12:

    dsquery subnet -name 123.12.*

To find all subnets in the site whose name is "Latin-America",
and display their names as Relative Distinguished Names (RDNs):

    dsquery subnet -o rdn -site Latin-America

To list the names (RDNs) of all subnets defined in the directory:

    dsquery subnet -o rdn

dsquery failed:The parameter is incorrect.
type dsquery /? for help.

 

Back to DSQUERY

 

dsquery group
help for finding groups in the directory.
Description:  Finds groups in the directory per given criteria.

Syntax:     dsquery group [{<StartNode> | forestroot | domainroot}]
            [-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}]
            [-name <Name>] [-desc <Description>] [-samid <SAMName>]
            [{-s <Server> | -d <Domain>}] [-u <UserName>]
            [-p {<Password> | *}] [-q] [-r] [-gc]
            [-limit <NumObjects>] [{-uc | -uco | -uci}]

Parameters:
Value                       Description
{<StartNode> | forestroot | domainroot}
                            The node where the search will start:
                            forest root, domain root, or a node 
                            whose DN is <StartNode>.
                            Can be "forestroot", "domainroot" or an
                            object DN. If "forestroot" is specified,
                            the search is done via the global catalog.
                            Default: domainroot.
-o {dn | rdn | samid}	    Specifies the output format.
                            Default: distinguished name (DN).
-scope {subtree | onelevel | base}
                            Specifies the scope of the search: 
                            subtree rooted at start node (subtree); 
                            immediate children of start node only (onelevel); 
                            the base object represented by start node (base). 
                            Note that subtree and domain scope
                            are essentially the same for any start node
                            unless the start node represents a domain root.
                            If forestroot is specified as <StartNode>,
                            subtree is the only valid scope.
                            Default: subtree.
-name <Name>                Find groups whose name matches the value given
                            by <Name>, e.g., "jon*" or "*ith"
                            or "j*th".
-desc <Description>         Find groups whose description matches the value
                            given by <Description>, e.g., "jon*" or "*ith"
                            or "j*th".
-samid <SAMName>            Find groups whose SAM account name matches the
                            value given by <SAMName>.
{-s <Server> | -d <Domain>}
                            -s <Server> connects to the domain controller
                            (DC) with name <Server>.
                            -d <Domain> connects to a DC in domain <Domain>.
                            Default: a DC in the logon domain.
-u <UserName>               Connect as <UserName>. Default: the logged in
                            user. User name can be: user name,
                            domain\user name, or user principal name (UPN).
-p <Password>               Password for the user <UserName>.
                            If * is specified, then you are prompted for
                            a password.
-q                          Quiet mode: suppress all output to
                            standard output.
-r                          Recurse or follow referrals during search.
                            Default: do not chase referrals during search.
-gc                         Search in the Active Directory global catalog.
-limit <NumObjects>         Specifies the number of objects matching the
                            given criteria to be returned, where <NumObjects>
                            is the number of objects to be returned.
                            If the value of <NumObjects> is 0,
                            all matching objects are returned.
                            If this parameter is not specified,
                            by default the first 100 results are displayed.
{-uc | -uco | -uci}         -uc Specifies that input from or output
                            to pipe is formatted in Unicode. 
                            -uco Specifies that output to pipe or file is 
                            formatted in Unicode. 
                            -uci Specifies that input from pipe or file is
                            formatted in Unicode.

Remarks:
The dsquery commands help you find objects in the directory that match 
a specified search criterion: the input to dsquery is a search criteria 
and the output is a list of objects matching the search. To get the 
properties of a specific object, use the dsget commands (dsget /?).

If a value that you supply contains spaces, use quotation marks 
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 


Examples:
To find all groups in the current domain whose name starts 
with "ms" and whose description starts with "admin", 
and display their DNs:

    dsquery group domainroot -name ms* -desc admin*

Find all groups in the domain given by dc=microsoft,dc=com 
and display their DNs:

    dsquery group dc=microsoft,dc=com


See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using a
generic LDAP query.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.

 

Back to DSQUERY

 

dsquery ou
help for finding organizational units in the directory.
Description: Finds organizational units (OUs) in the directory according to
specified criteria.

Syntax:     dsquery ou [{<StartNode> | forestroot | domainroot}]
            [-o {dn | rdn}] [-scope {subtree | onelevel | base}]
            [-name <Name>] [-desc <Description>] 
            [{-s <Server> | -d <Domain>}] [-u <UserName>]
            [-p {<Password> | *}] [-q] [-r] [-gc]
            [-limit <NumObjects>] [{-uc | -uco | -uci}]

Parameters:

Value                   Description
{<StartNode> | forestroot | domainroot}
                        The node where the search will start:
                        forest root, domain root, or a node 
                        whose DN is <StartNode>.
                        Can be "forestroot", "domainroot" or an object DN.
                        If "forestroot" is specified, the search is done
                        via the global catalog. Default: domainroot.
-o {dn | rdn}           Specifies the output format.
                        Default: distinguished name (DN).
-scope {subtree | onelevel | base}
                        Specifies the scope of the search: 
                        subtree rooted at start node (subtree); 
                        immediate children of start node only (onelevel); 
                        the base object represented by start node (base). 
                        Note that subtree and domain scope
                        are essentially the same for any start node
                        unless the start node represents a domain root.
                        If forestroot is specified as <StartNode>,
                        subtree is the only valid scope.
                        Default: subtree.
-name <Name>            Find organizational units (OUs) whose name 
                        matches the value given by <Name>,
                        e.g., "jon*" or "*ith" or "j*th".
-desc <Description>     Find OUs whose description matches the value
                        given by <Description>, e.g., "jon*" or "*ith"
                        or "j*th".
{-s <Server> | -d <Domain>}
                        -s <Server> connects to the domain controller (DC)
                        with name <Server>.
                        -d <Domain> connects to a DC in domain <Domain>.
                        Default: a DC in the logon domain.
-u <UserName>           Connect as <UserName>. Default: the logged in
                        user. User name can be: user name,
                        domain\user name, or user principal name (UPN).
-p <Password>           Password for the user <UserName>.
                        If * then prompt for password.
-q                      Quiet mode: suppress all output to standard output.
-r                      Recurse or follow referrals during search.
                        Default: do not chase referrals during search.
-gc                     Search in the Active Directory global catalog.
-limit <NumObjects>     Specifies the number of objects matching
                        the given criteria to be returned, where
                        <NumObjects> is the number of objects
                        to be returned.
                        If the value of <NumObjects> is 0, all
                        matching objects are returned.
                        If this parameter is not specified,
                        by default the first 100 results are displayed.
{-uc | -uco | -uci}	-uc Specifies that input from or output to pipe is
                        formatted in Unicode. 
                        -uco Specifies that output to pipe or file is 
                        formatted in Unicode. 
                        -uci Specifies that input from pipe or file is
                        formatted in Unicode.

Remarks:
The dsquery commands help you find objects in the directory that match 
a specified search criterion: the input to dsquery is a search criteria 
and the output is a list of objects matching the search. To get the 
properties of a specific object, use the dsget commands (dsget /?).

If a value that you supply contains spaces, use quotation marks 
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 


Examples:
To find all OUs in the current domain whose name starts with "ms"
and whose description starts with "sales", and display their DNs:

    dsquery ou domainroot -name ms* -desc sales*

To find all OUs in the domain given by dc=microsoft,dc=com and display their
DNs:

    dsquery ou dc=microsoft,dc=com

See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using a
generic LDAP query.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.

 

Back to DSQUERY

 

dsquery site
help for finding sites in the directory.
Description:  Finds sites in the directory per given criteria.

Syntax:     dsquery site [-o {dn | rdn}] [-name <Name>]
            [-desc <Description>] [{-s <Server> | -d <Domain>}]
            [-u <UserName>] [-p {<Password> | *}] [-q]
            [-r] [-gc] [-limit <NumObjects>] [{-uc | -uco | -uci}]

Parameters:
Value               Description
-o {dn | rdn}       Specifies the output format.
                    Default: distinguished name (DN).
-name <Name>        Finds subnets whose name matches the value given
                    by <Name>, e.g., "NA*" or "Europe*".
-desc <Description> Finds subnets whose description matches the filter
                    given by <Description>, e.g., "corp*" or "*nch"
                    or "j*th".
{-s <Server> | -d <Domain>}
                    -s <Server> connects to the domain controller (DC)
                    with name <Server>.
                    -d <Domain> connects to a DC in domain <Domain>.
                    Default: a DC in the logon domain.
-u <UserName>       Connect as <UserName>. Default: the logged in
                    user. User name can be: user name,
                    domain\user name, or user principal name (UPN).
-p <Password>       Password for the user <UserName>. If * then prompt for
                    password.
-q                  Quiet mode: suppress all output to standard output.
-r                  Recurse or follow referrals during search. Default: do
                    not chase referrals during search.
-gc                 Search in the Active Directory global catalog.
-limit <NumObjects> Specifies the number of objects matching the given
                    criteria to be returned, where <NumObjects>
                    is the number of objects to be returned.
                    If the value of <NumObjects> is 0,
                    all matching objects are returned.
                    If this parameter is not specified,
                    by default the first 100 results are displayed.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
                    formatted in Unicode. 
                    -uco Specifies that output to pipe or file is 
                    formatted in Unicode. 
                    -uci Specifies that input from pipe or file is
                    formatted in Unicode.

Remarks:
The dsquery commands help you find objects in the directory that match 
a specified search criterion: the input to dsquery is a search criteria 
and the output is a list of objects matching the search. To get the 
properties of a specific object, use the dsget commands (dsget /?).

If a value that you supply contains spaces, use quotation marks 
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).

Examples:
To find all sites in North America with name starting with "north"
and display their DNs:

    dsquery site -name north*

To list the distinguished names (RDNs) of all sites defined in the directory:

    dsquery site -o rdn


See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using a
generic LDAP query.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.

 

Back to DSQUERY

 

dsquery server
help for finding servers in the directory.
Description: Finds domain controllers according to specified search criteria.

Syntax:     dsquery server [-o {dn | rdn}] [-forest] 
            [-domain <DomainName>] [-site <SiteName>]
            [-name <Name>] [-desc <Description>]
            [-hasfsmo {schema | name | infr | pdc | rid}] [-isgc]
            [{-s <Server> | -d <Domain>}] [-u <UserName>]
            [-p {<Password> | *}] [-q] [-r] [-gc]
            [-limit <NumObjects>] [{-uc | -uco | -uci}]

Parameters:
Value                   Description
-o {dn | rdn}           Specifies output format.
                        Default: distinguished name (DN).
-forest                 Finds all domain controllers (DCs) in the current
                        forest.
-domain <DomainName>    Finds all DCs in the domain with a DNS name
                        matching <DomainName>.
-site <SiteName>        Finds all DCs that are part of site <SiteName>.
-name <Name>            Finds DCs with names matching the value given
                        by <Name>, e.g., "NA*" or "Europe*" or "j*th".
-desc <Description>     Finds DCs with descriptions matching the value
                        given by <Description>, e.g., "corp*" or "j*th".
-hasfsmo {schema | name | infr | pdc | rid}
                        Finds the DC that holds the specified 
                        Flexible Single-master Operation (FSMO) role.
                        (For the "infr," "pdc" and "rid" FSMO roles,
                        if no domain is specified with the -domain
                        parameter, the current domain is used.)
-isgc                   Find all DCs that are also global
                        catalog servers (GCs) in the scope specified
                        (if the -forest, -domain or -site parameters
                        are not specified, then find all GCs in the current
                        domain are used).
{-s <Server> | -d <Domain>}
                        -s <Server> connects to the domain controller (DC)
                        with name <Server>.
                        -d <Domain> connects to a DC in domain <Domain>.
                        Default: a DC in the logon domain.
-u <UserName>           Connect as <UserName>. Default: the logged in
                        user. User name can be: user name,
                        domain\user name, or user principal name (UPN).
-p <Password>           Password for the user <UserName>.
                        If * then prompt for password.
-q                      Quiet mode: suppress all output to standard output.
-r                      Recurse or follow referrals during search.
                        Default: do not chase referrals during search.
-gc                     Search in the Active Directory global catalog.
-limit <NumObjects>     Specifies the number of objects matching the given
                        criteria to be returned, where <NumObjects> is the
                        number of objects to be returned. If the value of
                        <NumObjects> is 0, all matching objects are returned.
                        If this parameter is not specified,
                        by default the first 100 results are displayed.
{-uc | -uco | -uci}	-uc Specifies that input from or output to pipe is
                        formatted in Unicode. 
                        -uco Specifies that output to pipe or file is 
                        formatted in Unicode. 
                        -uci Specifies that input from pipe or file is
                        formatted in Unicode.

Remarks:
The dsquery commands help you find objects in the directory that match 
a specified search criterion: the input to dsquery is a search criteria 
and the output is a list of objects matching the search. To get the 
properties of a specific object, use the dsget commands (dsget /?).

If a value that you supply contains spaces, use quotation marks 
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 

Examples:
To find all DCs in the current domain:

    dsquery server

To find all DCs in the forest and display their
Relative Distinguished Names:

    dsquery server -o rdn -forest

To find all DCs in the site whose name is "Latin-America", and display their
Relative Distinguished Names:

    dsquery server -o rdn -site Latin-America

Find the DC in the forest that holds the schema FSMO role:
    
    dsquery server -forest -hasfsmo schema

Find all DCs in the domain example.microsoft.com that are
global catalog servers:

    dsquery server -domain example.microsoft.com -isgc

Find all DCs in the current domain that hold a copy of a given directory
partition called "ApplicationSales":

    dsquery server -part "Application*"
See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using a
generic LDAP query.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.

 

Back to DSQUERY

 

dsquery user
help for finding users in the directory.
Description:  Finds users in the directory per given criteria.

Syntax:     dsquery user [{<StartNode> | forestroot | domainroot}]
            [-o {dn | rdn | upn | samid}]
            [-scope {subtree | onelevel | base}]
            [-name <Name>] [-desc <Description>] [-upn <UPN>]
            [-samid <SAMName>] [-inactive <NumWeeks>] [-stalepwd <NumDays>]
            [-disabled] [{-s <Server> | -d <Domain>}] [-u <UserName>]
            [-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumObjects>]
	    [{-uc | -uco | -uci}]

Parameters:
Value                       Description
{<StartNode> | forestroot | domainroot}
                            The node where the search will start:
                            forest root, domain root, or a node 
                            whose DN is <StartNode>.
                            Can be "forestroot", "domainroot" or an
                            object DN. If "forestroot" is specified,
                            the search is done via the global catalog.
                            Default: domainroot.
-o {dn | rdn | upn | samid}
                            Specifies the output format. 
                            Default: distinguished name (DN).
-scope {subtree | onelevel | base}
                            Specifies the scope of the search: 
                            subtree rooted at start node (subtree); 
                            immediate children of start node only (onelevel); 
                            the base object represented by start node (base). 
                            Note that subtree and domain scope
                            are essentially the same for any start node
                            unless the start node represents a domain root.
                            If forestroot is specified as <StartNode>,
                            subtree is the only valid scope.
                            Default: subtree.
-name <Name>                Finds users whose name matches the filter
                            given by <Name>, e.g., "jon*" or "*ith"
                            or "j*th".
-desc <Description>         Finds users whose description matches the
                            filter given by <Description>, e.g., "jon*" or
                            "*ith" or "j*th".
-upn <UPN>                  Finds users whose UPN matches the filter given
                            by <UPN>.
-samid <SAMName>            Finds users whose SAM account name matches the
                            filter given by <SAMName>.
-inactive <NumWeeks>        Finds users that have been inactive
                            (not logged on) for at least <NumWeeks>
                            number of weeks.
-stalepwd <NumDays>         Finds users that have not changed their password
                            for at least <NumDays> number of days.
-disabled                   Finds users whose account is disabled.
{-s <Server> | -d <Domain>}
                            -s <Server> connects to the domain controller
                            (DC) with name <Server>.
                            -d <Domain> connects to a DC in domain <Domain>.
                            Default: a DC in the logon domain.
-u <UserName>               Connect as <UserName>. Default: the logged in
                            user. User name can be: user name,
                            domain\user name, or user principal name (UPN).
-p <Password>               Password for the user <UserName>.
                            If * is specified, then you are prompted
                            for a password.
-q                          Quiet mode: suppress all output to
                            standard output.
-r                          Recurse or follow referrals during search.
                            Default: do not chase referrals during search.
-gc                         Search in the Active Directory global catalog.
-limit <NumObjects>         Specifies the number of objects matching the
                            given criteria to be returned, where <NumObjects>
                            is the number of objects to be returned.
                            If the value of <NumObjects> is 0, all
                            matching objects are returned. If this parameter
                            is not specified, by default the first
                            100 results are displayed.
{-uc | -uco | -uci}         -uc Specifies that input from or output to pipe
                            is formatted in Unicode. 
                            -uco Specifies that output to pipe or file is 
                            formatted in Unicode. 
                            -uci Specifies that input from pipe or file is
                            formatted in Unicode.

Remarks:
The dsquery commands help you find objects in the directory that match 
a specified search criterion: the input to dsquery is a search criteria 
and the output is a list of objects matching the search. To get the 
properties of a specific object, use the dsget commands (dsget /?).

If a value that you supply contains spaces, use quotation marks 
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 

Examples:
To find all users in a given organizational unit (OU) 
whose name starts with "jon" and whose account has been disabled 
for logon and display their user principal names (UPNs):

    dsquery user ou=Test,dc=microsoft,dc=com -o upn -name jon* -disabled

To find all users in only the current domain, whose names end with "smith"
and who have been inactive for 3 weeks or more, and display their DNs:

    dsquery user domainroot -name *smith -inactive 3

To find all users in the OU given by ou=sales,dc=microsoft,dc=com and display
their UPNs:

    dsquery user ou=sales,dc=microsoft,dc=com -o upn

See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using a
generic LDAP query.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.

 

Back to DSQUERY

 

dsquery quota
help for finding quotas in the directory.
Quota specifications in the directory that match the specified search
criteria. A quota specification determines the maximum number of directory objects a
given security principal can own in a specific directory partition. If the
predefined search criteria in this command is insufficient, then use the more
general version of the query command, dsquery *.
dsquery quota startnode {domain root | <ObjectDN>} [-o {dn | rdn}]
[-acct <Name>] [-qlimit <Filter>] [-desc <Description>]
[{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [-r]
[-limit <NumberOfObjects>] [{-uc | -uco | -uci}]
startnode {domain root | <ObjectDN>}
                        Required. Specifies where the search should begin.
                        Use ObjectDN to specify the distinguished name (also
                        known as DN), or use domainroot to specify the root
                        of the current domain.
-o {dn | rdn}           Specifies the output format. The default format is
                        distinguished name (dn).
-acct <Name>            Finds the quota specifications assigned to the
                        security principal (user, group, computer, or
                        InetOrgPerson) as represented by Name. The -acct
                        option can be provided in the form of the
                        distinguished name of the security principal or the
                        Domain\SAMAccountName of the security principal.
-qlimit <Filter>        Finds the quota specifications whose limit matches
                        Filter.
-desc <Description>     Searches for quota specifications that have a
                        description attribute that matches Description
                        (for example, "jon*" or "*ith" or "j*th").
{-s <Server> | -d <Domain>}
                        Connects to a specified remote server or domain. By
                        default, the computer is connected to a domain
                        controller in the logon domain.
-u <UserName>           Specifies the user name with which the user logs on
                        to a remote server. By default, -u uses the user name
                        with which the user logged on. You can use any of the
                        following formats to specify a user name:
                          user name (for example, Linda)
                          domain\user name (for example, widgets\Linda)
                          user principal name (UPN)
                            (for example, Linda@widgets.microsoft.com)
-p {<Password> | *}     Specifies to use either a password or a * to log on
                        to a remote server. If you type *, you are prompted
                        for a password.
-q                      Suppresses all output to standard output (quiet
                        mode).
-r                      Specifies that the search use recursion or follow
                        referrals during search. By default, the search does
                        not follow referrals.
-limit <NumberOfObjects>
                        Specifies the number of objects that match the given
                        criteria to be returned. If the value of
                        NumberOfObjects is 0, all matching objects are
                        returned. If this parameter is not specified, the
                        first 100 results are displayed by default.
{-uc | -uco | -uci}     Specifies that output or input data is formatted in
                        Unicode, as follows:
                        -uc   Specifies a Unicode format for input from or
                              output to a pipe (|).
                        -uco  Specifies a Unicode format for output to a
                              pipe (|) or a file.
                         -uci Specifies a Unicode format for input from a
                              pipe (|) or a file.
The results from a dsquery search can be piped as input to one of the other
directory service command-line tools, such as dsget, dsmod, dsmove, dsrm, or
to an additional dsquery search.

If a value that you use contains spaces, use quotation marks around the text
(for example, "CN=Linda,CN=Users,DC=Microsoft,DC=Com").

If you use multiple values for a parameter, use spaces to separate the values
(for example, a list of distinguished names).

If you do not specify any search filter options (that is, -forest, -domain,
-site, -name, -desc, -hasfsmo, -isgc), the default search criterion is to
find all servers in the current domain, as represented by an appropriate LDAP
search filter.

When you specify values for Description, you can use the wildcard 
character (*) (for example, "NA*," "*BR," and "NA*BA").

Any value for Filter that you specify with qlimit is read as a string.
You must always use quotation marks around this parameter. Any value ranges
you specify using <=, =, or >= must also be inside quotation marks
(for example, -qlimit "=100", -qlimit "<=99", -qlimit ">=101").
To find quotas with no limit, use "-1". To find all quotas not equal 
to unlimited, use ">=-1".
To list all of the quota specifications in the current domain, type:
type:

     dsquery quota domainroot



To list all users whose name begins with "Jon" that have quotas
assigned to them, type:

     dsquery user -name jon* | dsquery quota domainroot -acct |
     dsget quota -acct

See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using a
generic LDAP query.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.

 

Back to DSQUERY

 

dsquery partition
help for finding partitions in the directory.
Finds partition objects in the directory that match the specified search
criteria. If the predefined search criteria in this command is 
insufficient, then use the more general version of the query command, 
dsquery *.
dsquery partition [-o {dn | rdn}] [-part <Filter>] [-desc <Description>]
[{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] 
[-q] [-r] [-limit <NumberOfObjects>] [{-uc | -uco | -uci}]
-o {dn | rdn}           Specifies the output format. The default format is
                        distinguished name (dn).
-part <Filter>          Finds partition specifications whose common name (CN) 
                        matches the filter given by Filter.
{-s <Server> | -d <Domain>}
                        Connects to a specified remote server or domain. By
                        default, the computer is connected to a domain
                        controller in the logon domain.
-u <UserName>           Specifies the user name with which the user logs on
                        to a remote server. By default, -u uses the user name
                        with which the user logged on. You can use any of the
                        following formats to specify a user name:
                          user name (for example, Linda)
                          domain\user name (for example, widgets\Linda)
                          user principal name (UPN)
                            (for example, Linda@widgets.microsoft.com)
-p {<Password> | *}     Specifies to use either a password or a * to log on
                        to a remote server. If you type *, you are prompted
                        for a password.
-q                      Suppresses all output to standard output (quiet
                        mode).
-r                      Specifies that the search use recursion or follow
                        referrals during search. By default, the search does
                        not follow referrals.
-limit <NumberOfObjects>
                        Specifies the number of objects that match the given
                        criteria to be returned. If the value of
                        NumberOfObjects is 0, all matching objects are
                        returned. If this parameter is not specified, the
                        first 100 results are displayed by default.
{-uc | -uco | -uci}     Specifies that output or input data is formatted in
                        Unicode, as follows:
                        -uc   Specifies a Unicode format for input from or
                              output to a pipe (|).
                        -uco  Specifies a Unicode format for output to a
                              pipe (|) or a file.
                         -uci Specifies a Unicode format for input from a
                              pipe (|) or a file.
The results from a dsquery search can be piped as input to one of the other
directory service command-line tools, such as dsget, dsmod, dsmove, dsrm, or
to an additional dsquery search.

If a value that you use contains spaces, use quotation marks around the text
(for example, "CN=Linda,CN=Users,DC=Microsoft,DC=Com").

If you use multiple values for a parameter, use spaces to separate the values
(for example, a list of distinguished names).

If you do not specify any search filter options (that is, -forest, -domain,
-site, -name, -desc, -hasfsmo, -isgc), the default search criterion is to
find all servers in the current domain, as represented by an appropriate LDAP
search filter.

When you specify values for Description, you can use the wildcard character
(*) (for example, "NA*," "*BR," and "NA*BA").
To list the DNs of all directory partitions in the forest, type:

     dsquery partition

To list the DNs of all directory partitions in the forest whose common names
start with SQL, type:

     dsquery partition -part SQL*
See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using a
generic LDAP query.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.

 

Back to DSQUERY

 

dsquery *
help for finding any object in the directory by using a generic LDAP query.
Description:  Finds any objects in the directory according to criteria.

Syntax:     dsquery * [{<StartNode> | forestroot | domainroot}]
            [-scope {subtree | onelevel | base}] [-filter <LDAPFilter>]
            [-attr {<AttrList> | *}] [-attrsonly] [-l]
            [{-s <Server> | -d <Domain>}] [-u <UserName>]
            [-p {<Password> | *}] [-q] [-r] [-gc]
	    [{-uc | -uco | -uci}]

Parameters:
Value                       Description
{<StartNode> | forestroot | domainroot}
                            The node where the search will start:
                            forest root, domain root, or a node 
                            whose DN is <StartNode>.
                            Can be "forestroot", "domainroot" or an object
                            DN.
                            If "forestroot" is specified, the search is done
                            via the global catalog. Default: domainroot.
-scope {subtree | onelevel | base}
                            Specifies the scope of the search: 
                            subtree rooted at start node (subtree); 
                            immediate children of start node only (onelevel); 
                            the base object represented by start node (base). 
                            Note that subtree and domain scope
                            are essentially the same for any start node
                            unless the start node represents a domain root.
                            If forestroot is specified as <StartNode>,
                            subtree is the only valid scope.
                            Default: subtree.
-filter <LDAPFilter>        Specifies that the search use the explicit 
                            LDAP search filter <LDAPFilter> specified in the
                            LDAP search filter format for searching. 
                            Default:(objectCategory=*).The search filter
                            string must be enclosed in double quotes.
-attr {<AttrList> | *}      If <AttrList>, specifies a space-separated list
                            of LDAP display names to be returned for 
                            each entry in the result set.
                            If *, specifies all attributes present on 
                            the objects in the result set.
                            Default: distinguishedName.
-attrsonly                  Shows only the attribute types present on
                            the entries in the result set but not
                            their values.
                            Default: shows both attribute type and value.
-l                          Shows the entries in the search result set
                            in a list format. Default: table format.
{-s <Server> | -d <Domain>}
                            -s <Server> connects to the domain controller
                            (DC) with name <Server>.
                            -d <Domain> connects to a DC in domain <Domain>.
                            Default: a DC in the logon domain.
-u <UserName>               Connect as <UserName>. Default: the logged in
                            user. User name can be: user name,
                            domain\user name, or user principal name (UPN).
-p <Password>               Password for the user <UserName>. If * then you
                            are prompted for a password.
-q                          Quiet mode: suppress all output to standard
                            output.
-r                          Recurse or follow referrals during search.
                            Default: do not chase referrals during search.
-gc                         Search in the Active Directory global catalog.
-limit <NumObjects>         Specifies the number of objects matching the
                            given criteria to be returned, where <NumObjects>
                            is the number of objects to be returned.
                            If the value of <NumObjects> is 0, all matching
                            objects are returned. If this parameter is not
                            specified, by default the first 100 results are
                            displayed.
{-uc | -uco | -uci}         -uc Specifies that input from or output to pipe
                            is formatted in Unicode. 
                            -uco Specifies that output to pipe or file is 
                            formatted in Unicode. 
                            -uci Specifies that input from pipe or file is
                            formatted in Unicode.

Remarks:
The dsquery commands help you find objects in the directory that match 
a specified search criterion: the input to dsquery is a search criteria 
and the output is a list of objects matching the search. To get the 
properties of a specific object, use the dsget commands (dsget /?).

A user-entered value containing spaces or semicolons must be enclosed in
quotes (""). Multiple user-entered values must be separated using commas
(for example, a list of attribute types).


Examples:
To find all users in the current domain only whose SAM account name begins
with the string "jon" and display their SAM account name,
User Principal Name (UPN) and department in table format:

dsquery * domainroot 
-filter "(&(objectCategory=Person)(objectClass=User)(sAMAccountName=jon*))"
-attr sAMAccountName userPrincipalName department

To read the sAMAccountName, userPrincipalName and department attributes of
the object whose DN is ou=Test,dc=microsoft,dc=com:

Dsquery * ou=Test,dc=microsoft,dc=com -scope base
-attr sAMAccountName userPrincipalName department

To read all attributes of the object whose DN is ou=Test,dc=microsoft,dc=com:

Dsquery * ou=Test,dc=microsoft,dc=com -scope base -attr *

See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using
a generic LDAP query.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.

 

Back to DSQUERY

 

 

Back to the top of this page

 

 

DSRM

Description: This command deletes objects from the directory.

Syntax:     dsrm <ObjectDN ...> [-noprompt] [-subtree [-exclude]]
            [{-s <Server> | -d <Domain>}] [-u <UserName>]
            [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

Parameters:
Value               Description
<ObjectDN ...>      Required/stdin. List of one or more 
                    distinguished names (DNs) of objects to delete.
                    If this parameter is omitted it is
                    taken from standard input (stdin).
-noprompt           Silent mode: do not prompt for delete confirmation.
-subtree [-exclude] Delete object and all objects in the subtree under it.
                    -exclude excludes the object itself
                    when deleting its subtree.
{-s <Server> | -d <Domain>}
                    -s <Server> connects to the domain controller (DC) with
                    name <Server>.
                    -d <Domain> connects to a DC in domain <Domain>.
                    Default: a DC in the logon domain.
-u <UserName>       Connect as <UserName>. Default: the logged in user.
                    User name can be: user name, domain\user name,
                    or user principal name (UPN).
-p {<Password> | *}
                    Password for the user <UserName>. If * is used,
                    then the command prompts you for the password.
-c                  Continuous operation mode: report errors but continue
                    with next object in argument list when multiple
                    target objects are specified.
		    Without this option, command exits on first error.
-q                  Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci} -uc Specifies that input from or output to pipe is
                    formatted in Unicode. 
                    -uco Specifies that output to pipe or file is 
                    formatted in Unicode. 
                    -uci Specifies that input from pipe or file is
                    formatted in Unicode.

Remarks:
If a value that you supply contains spaces, use quotation marks 
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names). 

Commas that are not used as separators in distinguished names must be
escaped with the backslash ("\") character
(for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com").
Backslashes used in distinguished names must be escaped with a backslash
(for example,
"CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,DC=com").

Examples:
To remove an organizational unit (OU) called "Marketing" and all the objects
under that OU, use the following command:

dsrm -subtree -noprompt -c ou=Marketing,dc=microsoft,dc=com

To remove all objects under the OU called "Marketing" but leave
the OU intact, use the following command with the -exclude parameter:

dsrm -subtree -exclude -noprompt -c "ou=Marketing,dc=microsoft,dc=com"

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.

 

 

Back to the top of this page

 

More detailed descriptions on Microsoft's Windows Server 2003 Directory Service command line tools can be found here

 

This HTML help file was generated by:
ADSHelp.bat, Version 2.10 for Windows 2003 Server
Written by Rob van der Woude
http://www.robvanderwoude.com
 
Text find and replace script by TechNet Script Center's Hey, Scripting Guy!


page last modified: 2015-07-28; loaded in 0.0020 seconds