DSMod - CMD

Overview

DSMod is a command-line tool used in Windows to modify properties of existing Directory Service objects in Active Directory (AD). This command is widely utilized in administrative scripts and tasks, particularly for managing large numbers of AD objects efficiently. It can modify various objects, including users, groups, computers, contacts, and organizational units.

Syntax

The general syntax for the DSMod command is:

dsmod <object_type> <object_dn> [<options>]
  • <object_type>: Type of AD object (user, group, computer, contact, ou)
  • <object_dn>: Distinguished name of the object to modify
  • <options>: Commands specific to the type of object being modified

Usage Syntax for Common Object Types:

  • User: 
    dsmod user <UserDN> [-disabled {yes | no}]
  • Group: 
    dsmod group <GroupDN> [-addmbr <UserDN>]
  • Computer: 
    dsmod computer <ComputerDN> [-desc <description>]

Options/Flags

  • -disabled {yes | no}: Enables or disables the user account.
  • -addmbr <UserDN>: Adds a member to the specified group.
  • -desc <description>: Sets or modifies the description for the object.

Each option impacts the specified AD object according to the parameters set, providing a flexible way of updating object attributes.

Examples

Example 1: Disabling a User Account

dsmod user "CN=John Doe,OU=Users,DC=example,DC=com" -disabled yes

Example 2: Adding a User to a Group

dsmod group "CN=Developers,OU=Groups,DC=example,DC=com" -addmbr "CN=Jane Doe,OU=Users,DC=example,DC=com"

Example 3: Modifying a Computer Description

dsmod computer "CN=WS01,OU=Computers,DC=example,DC=com" -desc "Workstation 01 in Accounting"

Common Issues

  • Permission Errors: Ensure you have adequate permissions to modify AD objects.
  • Syntax Errors: Double-check the distinguished names and command syntax.
  • Object Not Found: Verify the object exists in AD with the correct DN.

Integration

DSMod can be integrated with other commands for comprehensive AD management tasks. For example, combining DSQuery and DSMod:

for /f "tokens=*" %i in ('dsquery user -name Smith*') do dsmod user %i -disabled yes

This script finds all users whose names start with “Smith” and disables their accounts.

  • DSAdd: Adds objects to Active Directory.
  • DSQuery: Queries AD for different objects.
  • DSGet: Retrieves specified properties of an object from AD.

For more detailed information, refer to the official documentation on Microsoft’s website.