Image may be NSFW.
Clik here to view.
Understanding Distinguished Names
Active Directory Domain Services (AD DS) uses the Lightweight Directory Access Protocol (LDAP). Every object in AD DS is uniquely identified with a distinguished name (DN). The DN identifies the object, domain, and Organizational Unit (OU) or container where it’s located.
DS commands (such as dsadd, dsmod, and so on) need the DN to identify the object to create, modify, or delete. When the DN is used within a command, it must be enclosed within quotes if it includes spaces. The following table shows the common components of a DN used with DS commands.
|
DN Component |
Description |
|
CN |
CN is short for common name. It’s used to indicate the common name of an object (such as the user’s account name) or the name of a container (such as the Users or Computers containers). |
|
OU |
OU is short for Organizational Unit. When multiple OUs are listed, the top level is listed last. NOTE Nested OUs often give people the most trouble when building the DN. An easy check is to see whether the top-level OU is next to the domain component (dc) and the last child OU is listed first. |
|
DC |
DC is short for domain component. Notice that each portion of the DC must be separate. This is incorrect and results in an error: dc=habib.local. It must be separated as dc=habib, dc=local. |
DSADD Command
Adding Objects with dsadd
You can add objects with the dsadd command. The basic syntax is
dsadd object-type DN
Some common object types you can add are users, computers, groups, and OUs. The fol- lowing table shows the syntax to create specific accounts. Each of these commands cre- ates an account in the habib.local domain, in the East OU nested in the Sales OU.
Note: The dsadd command creates accounts using the same case you use in the command. In other words, you can create an account named joe or an account named Joe, depending on the case you use in the DN. If the DN is lowercase, the account is built with lowercase.
Image may be NSFW.
Clik here to view.
|
dsadd Command |
Comments |
|
Add a group. dsadd group dn -secgroup {yes | no} -scope { l | g | u } C:\>dsadd group “cn=IT Admins, ou=east,ou=sales,dc=habib, dc=local” -secgrp yes -scope g C:\>dsadd group “cn=IT Admins2, ou=east, ou=sales, dc=habib, dc=local” C:\>dsadd group “cn=dl_ printer, ou=east, ou=sales, dc=habib, dc=local” -scope l |
You can add security groups (with -secgroup yes) or distribution groups (with -secgroup no). You add different scopes with the -scope switch. Create domain local groups (with -scope l), create global groups (with -scope g), and create universal groups (with -scope u). TIP The dsadd group command defaults to a global security group so you can omit the -secgroup and -scope switches. The examples add two global security groups (IT Admins and IT Admins2) and one domain local security group (dl_printer). |
|
Add a computer. dsadd computer dn C:\>dsadd computer “cn=PC-1, ou=east, ou=sales, dc=habib, dc=local” |
The example command creates a computer named PC-1 in the sales\east OU. |
Note: You can also identify different properties for any of these objects. For a full list- ing of the properties for any of the objects, use the help command as dsadd user /?, dsadd group /?, or dsadd computer /?.
Filed under: Active Directory, Windows Server 2003, Windows Server 2008 Tagged: Active Directory commands, CN, common name, DC, distinguished names, domain component, DS Commands, dsadd, OU Image may be NSFW.
Clik here to view.
Image may be NSFW.Clik here to view.
