1. Creating Groups with DSAdd
The DSAdd command lets you add objects to
Active Directory. To add a group, type the following
command:
dsadd group GroupDN
where GroupDN is the distinguished name
(DN) of the group, such as “CN=Finance
Managers,OU=Groups,DC=contoso,DC=com.” Be certain to surround the DN
with quotes if the DN includes spaces.
For example, to create a new global security group named
Marketing in the Groups OU of the contoso.com domain, the command
would be:
dsadd group "CN=Marketing,OU=Groups,DC=contoso,DC=com" -samid Marketing -secgrp yes -scope g
You can also provide the GroupDN parameter
in one of the following ways:
- By piping a list of DNs from another command such as DSQuery.
- By typing each DN on the command line, separated by spaces.
- By leaving the DN parameter empty, at which point you can type the DNs one at a time at the keyboard console of the command prompt. Press Enter after each DN. After the last DN, press Ctrl+Z, and then press Enter.
Each of these three options allows you to generate multiple
groups simultaneously with DSAdd. You can also use the
DSAdd command with more than one GroupDN on the
command line, each separated by a space, to generate multiple
groups.
The DSAdd command can also configure attributes of the
groups you create with the following optional
parameters:
- -secgrp { yes | no } Specifies group type: security (yes) or distribution (no).
- -scope { l | g | u } Determines the group scope: domain local (l), global (g), or universal (u).
- -samid Name Specifies the sAMAccountName of the group. If not specified, the name of the group from its DN is used. It is recommended that the sAMAccountName and the group name be the same, so you do not need to include this parameter when using DSAdd.
- -desc Description Configures the group’s description.
- -members MemberDN Adds members to the group. Members are specified by their DNs in a space-separated list.
- -memberof GroupDN … Makes the new group a member of one or more existing groups. The groups are specified by their DNs in a space-separated list.
2. Importing Groups with CSVDE
The following example shows a .csv file that will create
a group, Marketing, and populate the group with two initial members,
Linda Mitchell and Scott Mitchell.
objectClass,sAMAccountName,DN,member
group,Marketing,"CN=Marketing,OU=Groups,DC=contoso,DC=com",
"CN=Linda Mitchell,OU=User Accounts,DC=contoso,DC=com;
CN=Scott Mitchell,OU=User Accounts,DC=contoso,DC=com"
The .csv file is two lines. The first line contains the
attribute names, and the second line contains the values for the new
group, Marketing. The second line is wrapped for
presentation in this text.
Take note of the use of quotation marks in the preceding example. Quotation
marks are required when an attribute includes a comma; without
quotation marks, the comma would be interpreted as a delimiter. The DN
of the group includes commas, so it must be surrounded by quotation
marks. In the case of a multivalued attribute such as
member, each value is separated by a
semicolon—there are two values in member in the
example. The entire member attribute is
surrounded by quotation marks, not each individual value of the
member attribute.
You can import this file into Active Directory by using the
command:
csvde -i -f "filename" [-k]
The -i parameter specifies import mode.
Without it, CSVDE uses export mode. The -f
parameter precedes the filename, and the -k
parameter ensures that processing continues even if errors are
encountered, such as if the object already exists or the member cannot
be found.
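The quoting rules just described are exactly what a CSV library applies, so the safest way to produce a CSVDE import file from a list of groups is to let one do the quoting. The following Python script is an added example, not part of the training kit or of CSVDE itself: it writes the Marketing row from the text (all DNs are constructed sample data) and reads it back, quoting a field only when it contains the comma delimiter and joining the multivalued member attribute with semicolons inside a single quoted field.

```python
# Added example (not from the training kit): build and read back a CSVDE
# import file with Python's csv module, which applies the quoting rules the
# text describes: a field is quoted when it contains the comma delimiter,
# and a multivalued attribute is one quoted field whose values are joined
# with semicolons. All names and DNs below are constructed sample data.
import csv
import io

COLUMNS = ["objectClass", "sAMAccountName", "DN", "member"]


def build_group_csv(groups):
    """Return CSVDE import text for an iterable of
    (sAMAccountName, group_dn, [member_dn, ...]) tuples."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(COLUMNS)
    for samid, group_dn, members in groups:
        # One row per group; the csv module quotes DN and member because
        # they contain commas, and leaves "group" and the samid unquoted.
        writer.writerow(["group", samid, group_dn, ";".join(members)])
    return buf.getvalue()


def read_group_csv(text):
    """Parse CSVDE text back into (samid, group_dn, [members]) tuples,
    splitting the multivalued member field on semicolons."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        members = [m for m in row["member"].split(";") if m]
        rows.append((row["sAMAccountName"], row["DN"], members))
    return rows


# Constructed sample: the Marketing group from the text and its two members.
SAMPLE = [(
    "Marketing",
    "CN=Marketing,OU=Groups,DC=contoso,DC=com",
    ["CN=Linda Mitchell,OU=User Accounts,DC=contoso,DC=com",
     "CN=Scott Mitchell,OU=User Accounts,DC=contoso,DC=com"],
)]

if __name__ == "__main__":
    text = build_group_csv(SAMPLE)
    print(text)
    # Round trip: what csvde would read is what we intended to write.
    assert read_group_csv(text) == SAMPLE
```

Writing the file to disk and running csvde -i -f on it is the only step this omits; reading the file back before importing it is a cheap check that a DN containing an unexpected comma or semicolon has not silently split a member list.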
3. Importing Groups with LDIFDE
LDAP Data Interchange Format Data Exchange (LDIFDE) is a tool
that imports and exports files in the Lightweight Directory Access
Protocol Data Interchange Format (LDIF) format. LDIF files are text
files within which operations are specified by a block of lines
separated by a blank line. Each operation begins with the DN of the
object that is the target of the operation. The next line,
changeType, specifies the type of operation:
add, modify, or
delete.
The following LDIF file creates two groups, Finance and Research, in the Groups OU of the
contoso.com domain:
DN: CN=Finance,OU=Groups,DC=contoso,DC=com
changeType: add
CN: Finance
description: Finance Users
objectClass: group
sAMAccountName: Finance

DN: CN=Research,OU=Groups,DC=contoso,DC=com
changeType: add
CN: Research
description: Research Users
objectClass: group
sAMAccountName: Research
Convention would suggest saving the file with an .ldf extension—for example, Groups.ldf. To import the
groups into the directory, issue the Ldifde.exe command, as shown
here:
ldifde -i -f groups.ldf -k
The -i parameter specifies import mode.
Without it, LDIFDE uses export mode. The -f
parameter precedes the filename, and the -k
parameter ensures that processing continues even if errors are
encountered, such as if the object already exists.
Modifying Group Membership with LDIFDE
LDIFDE can also be used to modify existing objects in Active
Directory, using LDIF operations with a
changeType of modify. To
add two members to the Finance group, the LDIF file would
be:
dn: CN=Finance,OU=Groups,DC=contoso,DC=com
changeType: modify
add: member
member: CN=April Stewart,OU=User Accounts,dc=contoso,dc=com
member: CN=Mike Fitzmaurice,OU=User Accounts,dc=contoso,dc=com
-
The changeType is set to
modify, and then the change operation is
specified: add objects to the
member attribute. Each new member is then
listed on a separate line that begins with the
member attribute name. The change operation is
terminated with a line containing a single dash. Changing the third
line to the following would remove the two specified members from
the group:
delete: member
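The add and modify operations shown in this section follow a small number of rules: one block per operation, blocks separated by a blank line, and a modify change terminated by a lone dash. One rule the text does not mention is that a value which is not an LDIF "safe string" (a value starting with a space, colon or "<", or containing any non-ASCII or control character) must be written base64-encoded after a double colon, as in "description:: ...". The following Python generator is an added example, not part of the training kit or of LDIFDE; it emits the Finance group and its two-member modify block from the text (constructed sample DNs) and applies that encoding rule.

```python
# Added example (not from the training kit): generate LDIF for LDIFDE with
# Python, covering the two operations the text shows (changeType: add for a
# new group, changeType: modify with add:/delete: member) plus the RFC 2849
# rule that a value which is not a "safe string" (leading space, leading
# colon or '<', any non-ASCII or control character) is written base64-encoded
# as "attr:: <base64>". All DNs and names are constructed sample data.
import base64

UNSAFE_INITIAL = {" ", ":", "<"}


def ldif_line(attr, value):
    """Format one attribute/value pair, base64-encoding unsafe values.
    Slightly stricter than RFC 2849: tabs and control characters are also
    encoded rather than written literally."""
    safe = (value != "" and value[0] not in UNSAFE_INITIAL
            and all(32 <= ord(c) < 128 for c in value))
    if safe:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def add_group(dn, cn, description, samid):
    """Build the changeType: add block for a new group object."""
    lines = [ldif_line("dn", dn), "changeType: add", ldif_line("cn", cn),
             ldif_line("description", description), "objectClass: group",
             ldif_line("sAMAccountName", samid)]
    return "\n".join(lines) + "\n"


def change_members(dn, member_dns, operation="add"):
    """Build a changeType: modify block that adds or deletes members.
    operation is "add" or "delete"; the change ends with a lone '-'."""
    if operation not in ("add", "delete"):
        raise ValueError("operation must be 'add' or 'delete'")
    lines = [ldif_line("dn", dn), "changeType: modify", f"{operation}: member"]
    lines.extend(ldif_line("member", m) for m in member_dns)
    lines.append("-")
    return "\n".join(lines) + "\n"


def ldif_file(*blocks):
    """Join operation blocks with the blank line LDIF requires between them."""
    return "\n".join(blocks)


if __name__ == "__main__":
    finance = "CN=Finance,OU=Groups,DC=contoso,DC=com"
    print(ldif_file(
        add_group(finance, "Finance", "Finance Users", "Finance"),
        change_members(finance, [
            "CN=April Stewart,OU=User Accounts,DC=contoso,DC=com",
            "CN=Mike Fitzmaurice,OU=User Accounts,DC=contoso,DC=com"]),
        # A non-ASCII name or description cannot be written as a plain value.
        add_group("CN=Zürich Staff,OU=Groups,DC=contoso,DC=com",
                  "Zürich Staff", "Büro Zürich", "ZurichStaff"),
    ))
```

Passing operation="delete" to change_members produces the "delete: member" variant described above. Long lines are not folded here; LDIFDE accepts them unfolded, and keeping each value on one line makes the file easier to diff and review before it is imported with -k, which would otherwise carry on past an entry that failed.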
4. Retrieving Group Membership with DSGet
There is no option in the Active Directory Users
And Computers snap-in to list all the members of a group including
nested members. You can see only direct members of a group on the
group’s Members tab. Similarly, there is no way to list all the
groups to which a user or computer belongs, including
nested groups. You can see only direct membership on the user’s or
computer’s Member Of tab.
The DSGet command lets you retrieve a complete list of a group’s
membership, including nested members, with the following
syntax:
dsget group "GroupDN" -members [-expand]
The -expand parameter performs the magic of
expanding nested groups’ members.
Similarly, the DSGet command can be used to retrieve a complete
list of groups to which a user or computer belongs, again by using the
-expand parameter in the following
commands:
dsget user "UserDN" -memberof [-expand]
dsget computer "ComputerDN" -memberof [-expand]
The -memberOf parameter returns the value
of the user’s or computer’s memberOf attribute,
showing the groups to which the object directly belongs. When you add
the -expand parameter, those groups are searched
recursively, producing an exhaustive list of all groups to which the
object belongs in the domain.
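What -expand computes is a transitive closure over nested groups, and seeing it spelled out makes two points clear: the Members and Member Of tabs hide indirect membership, and circular nesting (group A in B and B in A, which Active Directory permits) must not send the walk into a loop. The following Python script is an added example, not part of the training kit or of DSGet; it runs over a constructed in-memory directory rather than a real domain, and the group and user DNs in it are sample data.

```python
# Added example (not from the training kit): a model of what "dsget group
# -members -expand" and "dsget user -memberof -expand" compute, run over a
# constructed in-memory directory rather than a real domain. Groups are
# keyed by DN and map to their direct members; expansion walks nested groups
# transitively, and the visited set keeps a circular nesting from looping.

# Constructed sample directory: group DN -> set of direct member DNs.
# Users have no entry of their own.
DIRECTORY = {
    "CN=Sales,OU=Groups,DC=contoso,DC=com": {
        "CN=Sales Leads,OU=Groups,DC=contoso,DC=com",
        "CN=Linda Mitchell,OU=User Accounts,DC=contoso,DC=com",
    },
    "CN=Sales Leads,OU=Groups,DC=contoso,DC=com": {
        "CN=Scott Mitchell,OU=User Accounts,DC=contoso,DC=com",
        "CN=Sales,OU=Groups,DC=contoso,DC=com",   # circular nesting
    },
    "CN=Domain Admins,CN=Users,DC=contoso,DC=com": {
        "CN=Sales Leads,OU=Groups,DC=contoso,DC=com",
    },
}


def members(group_dn, expand=False, directory=DIRECTORY):
    """Direct members of a group, or with expand=True every user and group
    reachable through nesting (like dsget group -members [-expand])."""
    direct = set(directory.get(group_dn, ()))
    if not expand:
        return direct
    result, stack, seen = set(), list(direct), {group_dn}
    while stack:
        dn = stack.pop()
        if dn in seen:          # already visited, or the group itself
            continue
        seen.add(dn)
        result.add(dn)
        stack.extend(directory.get(dn, ()))   # users contribute nothing
    return result


def member_of(object_dn, expand=False, directory=DIRECTORY):
    """Groups an object belongs to directly, or with expand=True every group
    it belongs to through nesting (like dsget user -memberof [-expand])."""
    # Invert the directory once: member DN -> groups that list it directly.
    parents = {}
    for group, dns in directory.items():
        for dn in dns:
            parents.setdefault(dn, set()).add(group)
    direct = set(parents.get(object_dn, ()))
    if not expand:
        return direct
    result, stack = set(), list(direct)
    while stack:
        group = stack.pop()
        if group in result:
            continue
        result.add(group)
        stack.extend(parents.get(group, ()))
    return result


if __name__ == "__main__":
    scott = "CN=Scott Mitchell,OU=User Accounts,DC=contoso,DC=com"
    print("direct:   ", sorted(member_of(scott)))
    print("effective:", sorted(member_of(scott, expand=True)))
```

In the sample, Scott Mitchell's Member Of tab would show only Sales Leads, while the expanded result also lists Sales and Domain Admins, because Sales Leads is nested in both. Reviewing effective membership of privileged groups this way, rather than their direct members, is the check that catches such inherited rights.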
5. Changing Group Membership with DSMod
The DSMod command was applied in Lesson 1 to modify the scope
and type of a group. The command’s basic syntax is:
dsmod group "GroupDN" [options]
You can use options such as -samid and
-desc to modify the
sAMAccountName and
description attributes of the group. Most useful,
however, are the options that allow you to modify a group’s
membership:
As with all DS commands, Member DN is the
distinguished name of another Active Directory object, surrounded by
quotes if the DN includes spaces. Multiple Member
DN entries can be included, separated by spaces. For
example, to add Mike Danseglio to the Research group, the DSMod
command would be:
dsmod group "CN=Research,OU=Groups,DC=contoso,DC=com"
-addmbr "CN=Mike Danseglio,OU=User Accounts,DC=contoso,DC=com"
6. Copying Group Membership
You can use DSGet in combination with DSMod to copy group membership. In the following example, the DSGet
command is used to get information about all the members of the Sales
group, and then, by piping that list to DSMod, add those users to the
Marketing group:
dsget group "CN=Sales,OU=Groups,DC=contoso,DC=com" -members |
dsmod group "CN=Marketing,OU=Groups,DC=contoso,DC=com" -addmbr
Notice the use of piping. The “output” of DSGet (distinguished
names of members of the first group) is piped, using the pipe symbol
(“|”), to act as the input for the DNs that are omitted after the
-addmbr parameter.
Similarly, the DSGet and DSMod commands can work together to
copy the group membership of one object, such as a user, to another
object:
dsget user "Source User DN" -memberof | dsmod group -addmbr "Target User DN"
7. Moving and Renaming Groups with DSMove
You can move and rename groups in Active Directory Users And
Computers by right-clicking the group and then clicking the Move or
the Rename command.
The DSMove command enables you to move or
rename an object within a domain. You cannot use it to move objects
between domains. Its basic syntax is:
dsmove ObjectDN [-newname NewName] [-newparent TargetOUDN]
The object is specified by using its distinguished name in the
ObjectDN parameter.
To rename the object, specify its new common name as the value
of the -newname parameter. To move an object to a
new location, specify the distinguished name of the target container
as the value of the -newparent
parameter.
For example, to change the name of the Marketing group to Public
Relations, type:
dsmove "CN=Marketing,OU=Groups,DC=contoso,DC=com" -newname "Public Relations"
To then move that renamed group to the Marketing OU,
type:
dsmove "CN=Public Relations,OU=Groups,DC=contoso,DC=com" -newparent
"OU=Marketing,DC=contoso,DC=com"
Note: YOU’RE NOT LIMITED TO THE COMMAND LINE
You can also move or rename a group in the Active Directory
Users And Computers snap-in by right-clicking the group and choosing
Move or Rename from the context menu.