Doug Vitale Tech Blog

Network administration commands for Microsoft Windows and Active Directory

Administrators of Windows servers frequently utilize the graphical tools provided within the Windows Server interface to configure network parameters and administer Microsoft’s proprietary network directory service, Active Directory. These tools take the form of snap-ins for the Microsoft Management Console (MMC) and include Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, the Group Policy Management Console, and others (see images below). The capabilities offered by these tools allow administrators to create, edit, and delete Active Directory objects and features such as users, computers, organizational units (OUs), domains, permissions, trusts, etc.

[Image: Active Directory Administrative Center on Windows Server 2008]

[Image: Group Policy Management Console on Windows Server 2008]

While there are many networking commands that are shared by diverse operating systems, Microsoft has created some that apply only to Windows. Consequently, there are many options available for Windows administrators (perhaps with Linux/Unix experience) who prefer to work in text-based, command line environments. With a little practice this approach can result in time savings and the ability to include tool functionality in scripts. For example, it can be faster to type a command or two than to click and launch the Server Manager or Administrative Tools or the other aforementioned GUI tools. Additionally, with Windows PowerShell you can script common network administration tasks making use of the graphical tools’ command line equivalents.

What follows is a listing of Windows-only commands focusing on the subject of Windows network administration. In other words, these commands can be used for the purposes of viewing, creating, and modifying network settings and the properties of Active Directory objects. You can launch them in either the Windows command prompt (cmd.exe) or in Windows PowerShell.

This page should prove especially useful for those studying to become Microsoft Certified Solutions Experts (MCSE).

If you are looking for a particular command, use your browser’s search function (Ctrl+F) to find it.

adprep

Extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for upgrades to a higher functional level.

For further details on Adprep, see Microsoft TechNet’s Running Adprep.exe.

Default adprep syntax

adprep {/forestprep | /domainprep | /domainprep /gpprep | /rodcprep | /wssg | /silent }

adprep options and descriptions

adprep /domainprep Prepares a domain for the introduction of a domain controller running at a higher functional level. You run this command after the forestprep command finishes and after the changes replicate to all the domain controllers in the forest. Run this command in each domain where you plan to add upgraded domain controllers. You must run this command on the domain controller that holds the infrastructure operations master role for the domain. You must be a member of the Domain Admins group to run this command.
adprep /domainprep /gpprep Performs similar updates as domainprep. However, this command also provides updates that are necessary to enable Resultant Set of Policy (RSOP) Planning Mode functionality. Run this command after the forestprep command finishes and after the changes replicate to all domain controllers in the forest. You must run this command on the infrastructure master for the domain.
adprep /forestprep Prepares a forest for the introduction of domain controllers running at a higher functional level. You run this command only once in the forest. You must run this command on the domain controller that holds the schema operations master role (also known as flexible single master operations or FSMO) for the forest. The account used to run this command must be a member of all the following groups: the Enterprise Admins group, the Schema Admins group, and the Domain Admins group of the domain that hosts the schema master.
adprep Help Displays the adprep help message.
adprep quit Returns to the prior menu.
adprep /rodcprep Updates permissions on application directory partitions to enable replication of the partitions to read-only domain controllers (RODCs). This operation runs remotely; it contacts the infrastructure master in each domain to update the permissions. You need to run this command only once in the forest. However, you can rerun this command any time if it fails to complete successfully because an infrastructure master is not available. You can run this command on any computer in the forest. You must be a member of the Enterprise Admins group to run this command. This command is optional. Run it only if you want to install a read-only domain controller (RODC).
adprep /wssg Returns an expanded set of exit codes, instead of just 0 (Success) and 1 (Failure).
adprep ? Displays the adprep help message.

adprep examples

adprep /forestprep

adprep /domainprep

adprep /rodcprep
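As an added example (not part of the original post), the PowerShell script below wraps the sequence above with the checks that the option table calls for: it verifies the role holder and group memberships before each phase, waits for the schema change to replicate to every domain controller before domainprep, and stops on a non-zero exit code. It assumes the ActiveDirectory PowerShell module is installed and that adprep.exe is at the path in $AdprepPath; both are assumptions.

```powershell
# Added example, not from the original post: pre-flight checks around the
# adprep sequence (/forestprep, then /domainprep, then /rodcprep).
# Assumptions: the ActiveDirectory PowerShell module is installed, and
# $AdprepPath points at adprep.exe on the installation media (assumed path).
Import-Module ActiveDirectory

$AdprepPath = 'D:\support\adprep\adprep.exe'   # assumed location on the install media

function Test-AdprepPrerequisites {
    # Checks the role holder and group memberships the option table requires
    # for a given phase; returns $true when everything is in place.
    param([Parameter(Mandatory)][ValidateSet('forestprep', 'domainprep', 'rodcprep')][string]$Phase)

    $forest      = Get-ADForest
    $domain      = Get-ADDomain
    $here        = $env:COMPUTERNAME
    $tokenGroups = (whoami /groups) -join "`n"   # groups of the current logon token
    $ok          = $true

    switch ($Phase) {
        'forestprep' { $roleHolder = $forest.SchemaMaster;         $needed = 'Enterprise Admins', 'Schema Admins', 'Domain Admins' }
        'domainprep' { $roleHolder = $domain.InfrastructureMaster; $needed = @('Domain Admins') }
        'rodcprep'   { $roleHolder = $null;                        $needed = @('Enterprise Admins') }  # runs remotely, any computer
    }
    if ($roleHolder -and (($roleHolder -split '\.')[0] -ne $here)) {
        Write-Warning "adprep /$Phase must run on $roleHolder, not on $here"
        $ok = $false
    }
    foreach ($g in $needed) {
        # whoami /groups lists each group as DOMAIN\Group Name followed by whitespace
        if ($tokenGroups -notmatch ('\\' + [regex]::Escape($g) + '\s')) {
            Write-Warning "Current token is not a member of $g"
            $ok = $false
        }
    }
    return $ok
}

function Wait-SchemaReplication {
    # /forestprep raises objectVersion on the schema container; domainprep may
    # start only after every DC in the forest reports the schema master's value.
    param([int]$TimeoutMinutes = 60)
    $forest   = Get-ADForest
    $schemaDn = (Get-ADRootDSE -Server $forest.SchemaMaster).schemaNamingContext
    $target   = (Get-ADObject -Identity $schemaDn -Server $forest.SchemaMaster -Properties objectVersion).objectVersion
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $behind = foreach ($dom in $forest.Domains) {
            foreach ($dc in Get-ADDomainController -Filter * -Server $dom) {
                $v = (Get-ADObject -Identity $schemaDn -Server $dc.HostName -Properties objectVersion -ErrorAction SilentlyContinue).objectVersion
                if ($v -ne $target) { $dc.HostName }   # unreachable DCs are reported as behind too
            }
        }
        if (-not $behind) { return $true }
        Write-Host "Waiting for schema objectVersion $target on: $($behind -join ', ')"
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Invoke-Adprep {
    param([Parameter(Mandatory)][ValidateSet('forestprep', 'domainprep', 'rodcprep')][string]$Phase)
    if (-not (Test-AdprepPrerequisites -Phase $Phase)) { throw "Prerequisites for adprep /$Phase are not met" }
    & $AdprepPath "/$Phase"
    if ($LASTEXITCODE -ne 0) { throw "adprep /$Phase failed with exit code $LASTEXITCODE" }
}

# On the schema master:
#   Invoke-Adprep -Phase forestprep
#   if (-not (Wait-SchemaReplication)) { throw 'Schema change has not replicated everywhere; do not start domainprep yet' }
# Then on the infrastructure master of each domain:
#   Invoke-Adprep -Phase domainprep
# Only if an RODC will be installed (any computer in the forest):
#   Invoke-Adprep -Phase rodcprep
```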

dcdiag

Analyzes the state of domain controllers in a forest or enterprise and reports any problems to help in troubleshooting. As an end-user reporting program, dcdiag is a command-line tool that encapsulates detailed knowledge of how to identify abnormal behavior in the system, and consists of a framework for executing tests and a series of tests to verify different functional areas of the system. You must run the dcdiag command from an elevated command prompt.

Default dcdiag syntax

dcdiag [/s:<DomainController>] [/n:<NamingContext>] [/u:<Domain>\<UserName> /p:{* | <Password> | ""}] [{/a | /e}] [{/q | /v}] [/i] [/f:<LogFile>] [/c [/skip:<Test>]] [/test:<Test>] [/fix] [{/h | /?}] [/ReplSource:<SourceDomainController>]

Default ‘dcdiag /test:DNS’ syntax

dcdiag /test:DNS [/DnsBasic | /DnsForwarders | /DnsDelegation | /DnsDynamicUpdate | /DnsRecordRegistration | /DnsResolveExtName [/DnsInternetName:<InternetName>] | /DnsAll] [/f:<LogFile>] [/x:<XMLLog.xml>] [/xsl:<XSLFile.xsl> or <XSLTFile.xslt>] [/s:<DomainController>] [/e] [/v]

dcdiag options and descriptions

dcdiag /a Tests all the servers on this site.
dcdiag /c Comprehensive. Runs all tests except DCPromo and RegisterInDNS, including non-default tests. Optionally, you can use this parameter with the /skip parameter to skip specified tests. The following tests are not run by default: Topology, CutoffServers, and OutboundSecureChannels.
dcdiag /e Tests all the servers in the enterprise. Overrides /a.
dcdiag /f:<LogFile> Redirects all output to the specified log file.
dcdiag /fix Affects the MachineAccount test only. This parameter causes the test to fix the Service Principal Names (SPNs) on the Machine Account object of the domain controller.
dcdiag /h Displays help at the command prompt.
dcdiag /i Ignores superfluous error messages.
dcdiag /n:<NamingContext> Uses NamingContext as the naming context to test. You can specify domains in NetBIOS, Domain Name System (DNS), or distinguished name format.
dcdiag /q Quiet. Prints only error messages.
dcdiag /ReplSource:<SourceDomainController> Tests the connection between the domain controller on which you run the command and the source domain controller. (This parameter is used for the CheckSecurityError test.) SourceDomainController is the DNS name, NetBIOS name, or distinguished name of a real or potential server that will be the source domain controller for replication, as represented by a real or potential connection object.
dcdiag /s:<DomainController> Uses DomainController as the home server. This parameter is ignored for the DCPromo and RegisterInDNS tests, which can only be run locally.
dcdiag /skip:<Test> Skips the specified test. You should not specify this parameter in the same command with the /test parameter. The only test that you cannot skip is Connectivity.
dcdiag /test:<Test> Runs this test only. The Connectivity test, which you cannot skip, is also run. You should not have this parameter in the same command with the /skip parameter.
dcdiag /test:advertising Checks whether each domain controller advertises itself in the roles that it should be capable of performing. This test fails if the Netlogon service has stopped or failed to start.
dcdiag /test:CheckSDRefDom Checks that all application directory partitions have appropriate security descriptor reference domains.
dcdiag /test:CheckSecurityError Reports on the overall health of replication with respect to Active Directory security. You can perform this test against one or all domain controllers in an enterprise. When the test finishes, dcdiag presents a summary of the results, along with detailed information for each domain controller tested and the diagnosis of security errors that the test reported.
dcdiag /test:CheckSecurityError /ReplSource:<SourceDomainController> This argument checks the ability to create a replication link between a real or potential source domain controller (SourceDomainController) and the local domain controller.
dcdiag /test:Connectivity Checks if domain controllers are registered in DNS, if they can be pinged and if they have LDAP or remote procedure call (RPC) connectivity. This domain controller test cannot be skipped.
dcdiag /test:CrossRefValidation Checks the validity of cross-references.
dcdiag /test:CutoffServers Checks for any server that is not receiving replications because its partners are not running.
dcdiag /test:DCpromo Tests the existing DNS infrastructure for any computer that you want to promote to be a domain controller, and reports whether any modifications to the existing DNS infrastructure are required. The required argument is /DnsDomain:Active_Directory_Domain_DNS_Name. If the infrastructure is sufficient, you can promote the computer to a domain controller in the domain specified in the parameter /DnsDomain:Active_Directory_Domain_DNS_Name. One of the following arguments is required: /ChildDomain, /NewForest, /NewTree, /ReplicaDC.
dcdiag /test:DNS <DNSTest> Performs the specified DNS test. If no test is specified, defaults to /DnsAll.
dcdiag /test:DNS /DnsAll Performs all tests, except for the /DnsResolveExtName test, and generates a report.
dcdiag /test:DNS /DnsBasic Performs basic DNS tests, including network connectivity, DNS client configuration, service availability, and zone existence.
dcdiag /test:DNS /DnsDelegation Performs the /DnsBasic tests, and also checks for proper delegations.
dcdiag /test:DNS /DnsDynamicUpdate Performs /DnsBasic tests, and also determines if dynamic update is enabled in the Active Directory zone.
dcdiag /test:DNS /DnsForwarders Performs the /DnsBasic tests, and also checks the configuration of forwarders.
dcdiag /test:DNS /DnsRecordRegistration Performs the /DnsBasic tests, and also checks if the address (A), canonical name (CNAME) and well-known service (SRV) resource records are registered. In addition, creates an inventory report based on the test results.
dcdiag /test:DNS /DnsResolveExtName [/DnsInternetName:<InternetName>] Performs the /DnsBasic tests, and also attempts to resolve InternetName. If /DnsInternetName is not specified, attempts to resolve the name http://www.microsoft.com. If /DnsInternetName is specified, attempts to resolve the Internet name supplied by the user.
dcdiag /test:DNS /e Runs all tests specified by /test:DNS against all domain controllers in the Active Directory forest. Run times for DNS tests can be significant in large enterprises when the /e parameter is used. Domain controllers and DNS servers that are offline will increase run time as a result of long-time out periods for RPC and other protocols.
dcdiag /test:DNS /f:<LogFile> Redirects all output to LogFile.
dcdiag /test:DNS /v Verbose. Presents extended information about successful test results, in addition to information about errors and warnings. Use the /v switch when errors or warnings are reported in the summary table.
dcdiag /test:DNS /x:<XMLLog.xml> Redirects all output to XMLLog.xml.
dcdiag /test:DNS /xsl:<XSLFile.xsl> or <XSLTFile.xslt> Adds the processing instructions that reference the specified stylesheet.
dcdiag /test:frsevent Checks to see if there are errors in the file replication system. Faulty replication of the SYSVOL share can cause policy problems.
dcdiag /test:frssysvol Checks that the file replication system (FRS) system volume (SYSVOL) is ready.
dcdiag /test:FSMOCheck Checks that the domain controller can contact a Kerberos Key Distribution Center (KDC), a time server, a preferred time server, a primary domain controller (PDC), and a global catalog server. This test does not test any of the servers for operations master roles.
dcdiag /test:Intersite Checks for failures that would prevent or temporarily hold up intersite replication and predicts how long it would take for the Knowledge Consistency Checker (KCC) to recover.
dcdiag /test:kccevent Checks that the KCC is completing without errors.
dcdiag /test:KnowsOfRoleHolders Checks whether the domain controller can contact the servers that hold the five operations master roles (also known as flexible single master operations (FSMO) roles).
dcdiag /test:MachineAccount Checks whether the machine account has properly registered and that the services are advertised. Use the /RecreateMachineAccount parameter to attempt a repair if the local machine account is missing. Use the /FixMachineAccount parameter if the machine account flags are incorrect.
dcdiag /test:NCSecDesc Checks that the security descriptors on the naming context heads have appropriate permissions for replication.
dcdiag /test:NetLogons Checks that the appropriate logon privileges exist to allow replication to proceed.
dcdiag /test:ObjectsReplicated Checks that the Machine Account and Directory System Agent (DSA) objects have replicated. You can use the /objectdn:dn parameter with the /n:nc parameter to specify an additional object to check.
dcdiag /test:OutboundSecureChannels Checks that secure channels exist from all of the domain controllers in the domain to the domains that are specified by the /testdomain parameter. The /nositerestriction parameter prevents dcdiag from limiting the test to the domain controllers in the site.
dcdiag /test:RegisterInDNS Tests whether this domain controller can register the Domain Controller Locator DNS records. These records must be present in DNS for other computers to locate this domain controller for the Active_Directory_Domain_DNS_Name domain. This parameter reports whether any modifications to the existing DNS infrastructure are required. The required argument is /DnsDomain:Active_Directory_Domain_DNS_Name.
dcdiag /test:Replications Checks for timely replication and any replication errors between domain controllers.
dcdiag /test:RidManager Checks whether the relative identifier (RID) master is accessible and if it contains the proper information.
dcdiag /test:Services Checks whether the appropriate domain controller services are running.
dcdiag /test:systemlog Checks that the system is running without errors.
dcdiag /test:Topology Checks that the KCC has generated a fully connected topology for all domain controllers.
dcdiag /test:VerifyEnterpriseReferences Checks that specified system references are intact for the FRS and replication infrastructure across all objects in the enterprise on each domain controller.
dcdiag /test:VerifyReferences Checks that certain system references are intact for the FRS and replication infrastructure.
dcdiag /test:VerifyReplicas Checks that all application directory partitions are fully instantiated on all replica servers.
dcdiag /u:<Domain>\<UserName> /p:{* | <Password> | ""} Uses Domain\UserName. Dcdiag uses the current credentials of the user (or process) that is logged on. If alternate credentials are needed, use the following options to provide those credentials for binding with Password as the password: quotation marks ("") for an empty or null password, or the wildcard character (*) to prompt for the password.
dcdiag /v Verbose. Prints extended information.
dcdiag /? Displays help at the command prompt.

dcdiag examples

dcdiag /s:woodgrovebank-DC1 /u:woodgrovebank\administrator /p:* /e
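As an added example (not part of the original post), the PowerShell below runs dcdiag with /c and /f:<LogFile> and turns the "passed test" / "failed test" summary lines into objects, so failures can be flagged by a scheduled health check rather than read off the console. It assumes dcdiag.exe is on the PATH; the sample output at the end is constructed so the parser can be tried offline.

```powershell
# Added example, not from the original post: run dcdiag and turn its
# "passed test" / "failed test" summary lines into objects so that failures
# can be flagged by a scheduled health check. Assumes dcdiag.exe is on the PATH.

function ConvertFrom-DcdiagOutput {
    # dcdiag ends each test with a line such as
    #   "......................... DC1 passed test Connectivity"
    #   "......................... DC1 failed test DNS"
    # where the target may be a DC, a partition or the enterprise itself.
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '\.{3,}\s+(?<Target>\S+)\s+(?<Result>passed|failed)\s+test\s+(?<Test>\S+)') {
            [pscustomobject]@{
                Target = $Matches['Target']
                Test   = $Matches['Test']
                Passed = ($Matches['Result'] -eq 'passed')
            }
        }
    }
}

function Invoke-DcdiagHealthCheck {
    # Runs the comprehensive test set (/c) and keeps the full log for follow-up;
    # returns one object per test so the caller can filter on Passed.
    param(
        [string]$DomainController,     # maps to /s:<DomainController>; local DC if omitted
        [switch]$Enterprise,           # maps to /e (every DC in the forest; slow in large forests)
        [string]$LogFile = (Join-Path $env:TEMP ('dcdiag-{0:yyyyMMdd-HHmm}.log' -f (Get-Date)))
    )
    $dcdiagArgs = @('/c', "/f:$LogFile")
    if ($DomainController) { $dcdiagArgs += "/s:$DomainController" }
    if ($Enterprise)       { $dcdiagArgs += '/e' }

    & dcdiag.exe @dcdiagArgs | Out-Null
    $results = @(ConvertFrom-DcdiagOutput -Lines (Get-Content -Path $LogFile))
    foreach ($r in $results | Where-Object { -not $_.Passed }) {
        Write-Warning ('{0}: test {1} FAILED (details in {2})' -f $r.Target, $r.Test, $LogFile)
    }
    return $results
}

# Constructed sample of dcdiag output so the parser can be exercised offline.
$sample = @'
   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity
      Starting test: Advertising
         ......................... DC1 passed test Advertising
      Starting test: DNS
         ......................... DC1 failed test DNS
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
'@ -split "`r?`n"

ConvertFrom-DcdiagOutput -Lines $sample | Where-Object { -not $_.Passed }   # lists the DNS failure on DC1
# Live run across the forest: Invoke-DcdiagHealthCheck -Enterprise
```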

dcgpofix

Recreates the default Group Policy Objects (GPOs) for a domain. The dcgpofix command is available in Windows Server 2008 R2 and Windows Server 2008, except on Server Core installations.

Default dcgpofix syntax

DCGPOFix [/ignoreschema] [/target: {Domain | DC | Both}] [/?]

dcgpofix options and descriptions

dcgpofix /ignoreschema Ignores the version of the Active Directory schema when you run this command. Otherwise, the command only works on the same schema version as the Windows version in which the command was shipped.
dcgpofix /target {Domain | DC | Both} Specifies which GPO to restore. You can restore the Default Domain Policy GPO, the Default Domain Controllers GPO, or both.
dcgpofix /? Displays the dcgpofix help message.

dcgpofix examples

dcgpofix /ignoreschema /target:Domain

dcgpofix /ignoreschema /target:DC

dcpromo

Installs or removes Active Directory Domain Services (AD DS). In other words, dcpromo promotes or demotes domain controllers.

Default dcpromo syntax

dcpromo [/answer[:<filename>] | /unattend[:<filename>] | /unattend | /adv] /uninstallBinaries [/CreateDCAccount | /UseExistingAccount:Attach] /? /?[:{Promotion | CreateDCAccount | UseExistingAccount | Demotion}]

dcpromo options and descriptions

dcpromo /AdministratorPassword:"administrator password" Specifies a local administrator account password when AD DS is removed from a domain controller. The default is an empty password.
dcpromo /adv Performs an Install From Media (IFM) operation.
dcpromo /AllowDomainControllerReinstall:{Yes | No | NoAndNoPromptEither} Specifies whether to continue installing this domain controller, despite the fact that another domain controller account with the same name is detected. Use Yes only if you are sure that the account is not currently used by another domain controller. The default is No.
dcpromo /AllowDomainReinstall:{Yes | No | NoAndNoPromptEither} Specifies whether an existing domain is recreated. The default is No.
dcpromo /answer[:<filename>] Specifies an answer file that contains installation parameters and values.
dcpromo /ApplicationPartitionsToReplicate:"" Specifies the application directory partitions that dcpromo will replicate. Use the following format:

"partition1" "partition2" "partitionN"

Use * to replicate all application directory partitions.

dcpromo /AutoConfigDNS:{Yes | No} Specifies whether the DNS Server service should be installed. The default is automatically computed (based on the environment). This parameter has been renamed to InstallDNS.
dcpromo /ChildName:"child_domain_name" Specifies the single-label Domain Name System (DNS) name of the child domain.
dcpromo /ConfirmGc:{Yes | No} Specifies whether you want the domain controller to be a global catalog server.
dcpromo /CreateDCAccount Creates a read-only domain controller (RODC) account. Only a member of the Domain Admins group or the Enterprise Admins group can run this command.
dcpromo /CreateDNSDelegation:{Yes | No} Indicates whether to create a DNS delegation that references the new DNS server that you are installing along with the domain controller. Valid for Active Directory-integrated DNS only. The default is computed automatically based on the environment.
dcpromo /CriticalReplicationOnly:{Yes | No} Specifies whether the AD DS installation operation performs only critical replication before reboot and then continues, skipping the noncritical (and potentially lengthy) portion of replication. The noncritical replication happens after the installation finishes and the computer reboots. The default is No.
dcpromo /DatabasePath:"path_to_database_files" Specifies the fully qualified, non-Universal Naming Convention (UNC) path to a directory on a fixed disk of the local computer that contains the domain database, for example, %SYSTEMROOT%\NTDS\NTDS which is the default.
dcpromo /DCAccountName:"name of the domain controller to create" Specifies the name of the RODC account that you are creating.
dcpromo /DelegatedAdmin:"name of user or group" Specifies the name of the user or group that will install and administer the RODC.
dcpromo /DemoteFSMO:{Yes | No} Indicates that (forced) demotion should continue even if an operations master role is discovered on the domain controller from which AD DS is being removed. The default is No.
dcpromo /DNSDelegationPassword:"password" Specifies the password for the user name (account credentials) for creating DNS delegation.
dcpromo /DNSDelegationUserName:"user_name" Specifies the user name (account credentials) for creating DNS delegation.
dcpromo /DNSOnNetwork:{Yes | No} Specifies whether DNS service is available on the network. This parameter is used only when the IP setting of the network adapter for this computer is not configured with the name of a DNS server for name resolution. No indicates that a DNS server will be installed on this computer for name resolution. Otherwise, the IP settings of the network adapter must be configured with a DNS server name first. The default is Yes.
dcpromo /DomainLevel:{0 | 2 | 3 | 4} Specifies the domain functional level during the creation of a new domain. A value of 0 specifies Windows 2000. A value of 2 specifies Windows Server 2003. A value of 3 specifies Windows Server 2008. A value of 4 specifies Windows Server 2008 R2. The domain functional level cannot be lower than the forest functional level, but it can be higher. The default is automatically computed and set to the existing forest functional level or the value that is set for /ForestLevel.
dcpromo /DomainNetBiosName:"domain_NetBIOS_name" Assigns a NetBIOS name to the new domain.
dcpromo /ForestLevel:{0 | 2 | 3 | 4} Specifies the forest functional level when you create a new forest. A value of 0 specifies Windows 2000. A value of 2 specifies Windows Server 2003. A value of 3 specifies Windows Server 2008. A value of 4 specifies Windows Server 2008 R2. The default forest functional level in Windows Server 2008 when you create a new forest is Windows 2000 (0). The default forest functional level in Windows Server 2008 R2 when you create a new forest is Windows Server 2003 (2).

Do not use this parameter when you install a domain controller in an existing forest.

dcpromo /IgnoreIsLastDcInDomainMismatch:{Yes | No} Used in conjunction with /IsLastDCInDomain. This parameter specifies whether dcpromo ignores any inconsistency that it detects with the value that you specify for /IsLastDCInDomain. For example, if you specify /IsLastDCInDomain:Yes but dcpromo detects that there is actually another active domain controller in the domain, you can specify /IgnoreIsLastDcInDomainMismatch:Yes to have dcpromo continue the removal of AD DS from the domain controller despite the inconsistency that it has detected. Similarly, if you specify /IsLastDCInDomain:No but dcpromo cannot detect that another domain controller is in the domain, you can specify /IgnoreIsLastDcInDomainMismatch:Yes to have dcpromo continue to remove AD DS from the domain controller.

The default is No. The default causes the wizard to prompt the user to continue, and it causes the command-line tool to exit with an error.

dcpromo /IgnoreIsLastDNSServerForZone:{Yes | No} Specifies whether to continue the removal of AD DS despite the fact that the domain controller is the last DNS server for one or more of the Active Directory–integrated DNS zones that it hosts. The default is No.
dcpromo /InstallDNS:{Yes | No} Specifies whether the DNS Server service should be installed. The default is automatically computed based on the environment. This parameter replaces /AutoConfigDNS.
dcpromo /IsLastDCInDomain:{Yes | No} Specifies whether the computer from which AD DS is being removed is the last domain controller in the domain. The default is No.
dcpromo /LogPath:"path_to_log_files" Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer that contains the domain log files, for example, C:\Windows\Logs. The default is %SYSTEMROOT%\NTDS.
dcpromo /NewDomain:{Tree | Child | Forest} Indicates the type of domain that you want to create: a new domain tree in an existing forest, a child of an existing domain, or a new forest. The default is new forest.
dcpromo /NewDomainDNSName:"DNS_name_of_domain" Specifies the fully qualified domain name (FQDN) for the new domain.
dcpromo /ParentDomainDNSName:"DNS_name_of_domain" Specifies the FQDN of an existing parent domain. You use this parameter when you install a child domain.
dcpromo /Password:"password" Specifies the password that corresponds to the user name that is used to install the domain controller. Use this parameter in conjunction with the UserName parameter. Use * to prompt the user to supply a password.
dcpromo /PasswordReplicationAllowed:{"security_principal" | None} Specifies the names of user accounts, group accounts, and computer accounts whose passwords can be replicated to this RODC. Use None if you want to keep the value empty. By default, only the Allowed RODC Password Replication Group is allowed, and it is originally created empty.
dcpromo /PasswordReplicationDenied:{"security_principal" | None} Specifies the names of user accounts, group accounts, and computer accounts whose passwords are not to be replicated to this RODC. Use None if you do not want to deny the replication of credentials of any users or computers.

Denied by default:

  • Administrators
  • Server Operators
  • Backup Operators
  • Account Operators
  • Denied RODC Password Replication Group

The Denied RODC Password Replication Group includes:

  • Cert Publishers
  • Domain Admins
  • Enterprise Admins
  • Enterprise Domain Controllers
  • Enterprise Read-Only Domain Controllers
  • Group Policy Creator Owners
  • krbtgt account
  • Schema Admins

dcpromo /RebootOnCompletion:{Yes | No} Specifies whether to restart the computer upon completion of the command, regardless of success. The default is Yes.
dcpromo /RebootOnSuccess:{Yes | No | NoAndNoPromptEither} Specifies whether to restart the computer upon successful completion of the command. The default is Yes.
dcpromo /RemoveApplicationPartitions:{Yes | No} Specifies whether to remove application partitions during the removal of AD DS from a domain controller. The default is No.
dcpromo /RemoveDNSDelegation:{Yes | No} Specifies whether to remove DNS delegations that point to this DNS server from the parent DNS zone. The default is Yes.
dcpromo /ReplicaDomainDNSName:"DNS_name_of_domain" Specifies the FQDN of the domain in which you want to install an additional domain controller.
dcpromo /ReplicaOrNewDomain:{Replica | ReadOnlyReplica | Domain} Specifies whether to install an additional domain controller (a writable domain controller or an RODC) or to create a new domain. The default is to install an additional writable domain controller.
dcpromo /ReplicationSourceDC:"DNS_name_of_DC" Indicates the FQDN of the partner domain controller from which you replicate the domain information.
dcpromo /ReplicationSourcePath:"replication_source_path" Indicates the location of the installation media that will be used to install a new domain controller.
dcpromo /RetainDCMetadata:{Yes | No} Retains domain controller metadata in the domain after AD DS removal to allow a delegated administrator to remove AD DS from an RODC. The default is No.
dcpromo /SafeModeAdminPassword:"password" Supplies the password for the administrator account when the computer is started in Safe Mode or a variant of Safe Mode, such as Directory Services Restore Mode. The default is an empty password. You must supply a password.
dcpromo /SiteName:"site_name" Specifies the name of an existing site where you can place the new domain controller. The default value depends on the type of installation. For a new forest, the default is Default-First-Site-Name. For all other installations, the default is the site that is associated with the subnet that includes the IP address of this server. If no such site exists, the default is the site of the replication source domain controller.
dcpromo /SkipAutoConfigDns Skips automatic configuration of DNS client settings, forwarders, and root hints. This parameter is in effect only if the DNS Server service is already installed.
dcpromo /Syskey:{none | system key} Specifies the system key for the media from which you replicate the data. The default is none.
dcpromo /SysVolPath:"path_to_database_file" Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer, for example, %SYSTEMROOT%\SYSVOL which is the default.
dcpromo /TransferIMRoleIfNecessary:{Yes | No} Specifies whether to transfer the infrastructure master operations master role (also known as flexible single master operations or FSMO) to the domain controller that you are creating, in case it is currently hosted on a global catalog server and you do not plan to make the domain controller that you are creating a global catalog server. Use Yes to transfer the infrastructure master role to the domain controller that you are creating in case the transfer is needed; in this case, make sure to use /ConfirmGC:No. Use No if you want the infrastructure master role to remain where it currently is. The default is No.
dcpromo /unattend Specifies an unattended installation in which you provide installation parameters and values at the command line.
dcpromo /unattend[:<filename>] Specifies an answer file that contains installation parameters and values. This command provides the same function as /answer[:<filename>].
dcpromo /UninstallBinaries Uninstalls AD DS binaries.
dcpromo /UseExistingAccount:Attach Attaches a server to an existing RODC account. A member of the Domain Admins group or a delegated user can run this command.
dcpromo /UserDomain:"domain_name" Specifies the domain name for the user name (account credentials) for installing a domain controller. Use this parameter in conjunction with the UserName parameter.
dcpromo /UserName:"user_name" Specifies the user name (account credentials) for the operation. If no value is specified, the credentials of the current user are used for the operation.
dcpromo /? Displays help for dcpromo parameters.
dcpromo /?[:{Promotion | CreateDCAccount | UseExistingAccount | Demotion}] Displays parameters that apply to the dcpromo operation. For example, dcpromo /?:Promotion displays all of the parameters that you can use for a promotion operation.

dcpromo examples

dcpromo /answer:NewForestInstallation

dcpromo /unattend /InstallDns:yes /ParentDomainDNSName:woodgrove.com /replicaOrNewDomain:domain /newDomain:child /newDomainDnsName:east.woodgrove.com /childName:east /DomainNetbiosName:east /databasePath:"e:\ntds" /logPath:"e:\ntdslogs" /sysvolpath:"g:\sysvol" /safeModeAdminPassword:FH#3573.cK /forestLevel:2 /domainLevel:2 /rebootOnCompletion:yes

dcpromo /unattend /InstallDns:yes /confirmGC:yes /replicaOrNewDomain:replica /databasePath:"e:\ntds" /logPath:"e:\ntdslogs" /sysvolpath:"g:\sysvol" /safeModeAdminPassword:M6$,U8Gvx4 /rebootOnCompletion:yes
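As an added example (not part of the original post), the PowerShell below builds an answer file for the child-domain promotion shown above (same domain names, paths and domain level as that example, run with the current user's credentials) and launches dcpromo /unattend:<file>. Unlike the command-line form, the Directory Services Restore Mode password is prompted for rather than typed into the shell history, the file is readable only by the current user, and it is removed once dcpromo returns; the file name, the use of RebootOnCompletion=No and the log location are the example's own choices.

```powershell
# Added example, not from the original post: builds an answer file for the
# child-domain promotion from the page's example and runs dcpromo /unattend:<file>.
# The DSRM password is prompted for, the file is restricted to the current user,
# and it is deleted once dcpromo returns (so RebootOnCompletion is set to No).

$answerFile = Join-Path $env:TEMP 'east-child-domain.txt'   # assumed file name

# SafeModeAdminPassword has to be written into the file in clear text, so it is
# read as a SecureString and decoded only while the file is being generated.
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
$dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Create the file empty, replace inherited permissions with a single entry for
# the current user, then write the answer file into it.
New-Item -Path $answerFile -ItemType File -Force | Out-Null
$acl = Get-Acl -Path $answerFile
$acl.SetAccessRuleProtection($true, $false)                # drop inherited entries
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name, 'FullControl', 'Allow')))
Set-Acl -Path $answerFile -AclObject $acl

# Parameter names are the same as the /unattend command-line options.
@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Child
ParentDomainDNSName=woodgrove.com
NewDomainDNSName=east.woodgrove.com
ChildName=east
DomainNetbiosName=east
DomainLevel=2
InstallDNS=Yes
ConfirmGc=Yes
DatabasePath="e:\ntds"
LogPath="e:\ntdslogs"
SYSVOLPath="g:\sysvol"
SafeModeAdminPassword=$dsrmPlain
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII
$dsrmPlain = $null

try {
    & dcpromo.exe "/unattend:$answerFile"
    $exitCode = $LASTEXITCODE
}
finally {
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
}
Write-Host "dcpromo exited with code $exitCode; review $env:SystemRoot\debug\dcpromo.log, then restart the server"
```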

dnscmd

A command-line interface for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network.

Default dnscmd syntax

dnscmd <ServerName> <command> [<command parameters>]

dnscmd options and descriptions

dnscmd [<ServerName>] /ageallrecords <ZoneName>[<NodeName>] [/tree] [/f] Sets the current time on all time stamps in a zone or node.

<ServerName>

Specifies the DNS server that the administrator plans to manage, represented by IP address, fully qualified domain name (FQDN), or Host name. If this parameter is omitted, the local server is used.

<ZoneName>

Specifies the FQDN of the zone.

<NodeName>

Specifies a specific node or subtree in the zone. NodeName specifies the node or subtree in the zone using the following: @ for root zone or FQDN, the FQDN of a node (the name with a period (.) at the end), single label for the name relative to the zone root.

/tree

Specifies that all child nodes also receive the time stamp.

/f

Runs the command without asking for confirmation.

dnscmd [<ServerName>] /clearcache Clears the DNS cache memory of resource records on the specified DNS server.
dnscmd [<ServerName>] /config <Parameter> Modifies the configuration of the specified server.
dnscmd [<ServerName>] /config /addressanswerlimit [0|5-28] Specifies the maximum number of host records that a DNS server can send in response to a query. The value can be zero (0), or it can be in the range of 5 through 28 records. The default value is zero (0).
dnscmd /config /aging <ZoneName> Enables or disables scavenging in a specific zone.
dnscmd /config /allownsrecordsautocreation <ZoneName> [<Value>] Overrides the DNS server’s name server (NS) resource record autocreation setting. Name server (NS) resource records that were previously registered for this zone are not affected. Therefore, you must remove them manually if you do not want them.
dnscmd /config /allowupdate <ZoneName> Determines whether the specified zone accepts dynamic updates.
dnscmd [<ServerName>] /config /bindsecondaries[0|1] Changes the format of the zone transfer so that it can achieve maximum compression and efficiency. However, this format is not compatible with earlier versions of Berkeley Internet Name Domain (BIND). 0 uses maximum compression. This format is compatible with BIND versions 4.9.4 and later only. 1 sends only one resource record per message to non-Microsoft DNS servers. This format is compatible with BIND versions earlier than 4.9.4. This is the default setting.
dnscmd [<ServerName>] /config /bootmethod[0|1|2|3] Determines the source from which the DNS server gets its configuration information.

0

Clears the source of configuration information.

1

Loads from the BIND file that is located in the DNS directory, which is %systemroot%\System32\DNS by default.

2

Loads from the registry.

3

Loads from AD DS and the registry. This is the default setting.

dnscmd [<ServerName>] /config /defaultagingstate[0|1] Determines whether the DNS scavenging feature is enabled by default on newly created zones. 0 disables scavenging. This is the default setting. 1 enables scavenging.
dnscmd [<ServerName>] /config /defaultnorefreshinterval [0x1-0xFFFFFFFF|0xA8] Sets the default no-refresh interval, in hours, during which refreshes of dynamically updated records are not accepted. Zones on the server inherit this value automatically. To change the default value, type a value in the range 0x1-0xFFFFFFFF. The server default is 0xA8 (168 hours, or 7 days).
dnscmd [<ServerName>] /config /defaultrefreshinterval [0x1-0xFFFFFFFF|0xA8] Sets the default refresh interval, in hours, during which dynamic updates to DNS records are allowed. Zones on the server inherit this value automatically. To change the default value, type a value in the range 0x1-0xFFFFFFFF. The server default is 0xA8 (168 hours, or 7 days).
dnscmd [<ServerName>] /config /disableautoreversezones [0|1] Enables or disables the automatic creation of reverse lookup zones. Reverse lookup zones provide resolution of Internet Protocol (IP) addresses to DNS domain names. 0 enables the automatic creation of reverse lookup zones. This is the default setting. 1 disables the automatic creation of reverse lookup zones.
dnscmd [<ServerName>] /config /disablensrecordsautocreation {0|1} Specifies whether the DNS server automatically creates name server (NS) resource records for zones that it hosts. 0 automatically creates name server (NS) resource records for zones that the DNS server hosts. 1 does not automatically create name server (NS) resource records for zones that the DNS server hosts.
dnscmd [<ServerName>] /config /dspollinginterval 0-30 Specifies how often the DNS server polls AD DS for changes in Active Directory–integrated zones.
dnscmd [<ServerName>] /config /dstombstoneinterval [1-30] The amount of time in seconds to retain deleted records in AD DS.
dnscmd [<ServerName>] /config /ednscachetimeout [<seconds>] Specifies the number of seconds that Extended DNS (EDNS) information is cached. The minimum value is 3600, and the maximum value is 15,724,800. The default value is 604,800 seconds (one week).
dnscmd [<ServerName>] /config /enableednsprobes {0|1} Enables or disables the server to probe other servers to determine if they support EDNS. 0 disables active support for EDNS probes. 1 enables active support for EDNS probes.
dnscmd [<ServerName>] /config /enablednssec {0|1} Enables or disables support for DNS Security Extensions (DNSSEC). 0 disables DNSSEC. 1 enables DNSSEC.
dnscmd [<ServerName>] /config /enableglobalnamessupport {0|1} Enables or disables support for the GlobalNames zone. The GlobalNames zone supports resolution of single-label DNS names across a forest. 0 disables support for the GlobalNames zone. When you set the value of this command to 0, the DNS Server service does not resolve single-label names in the GlobalNames zone. 1 enables support for the GlobalNames zone. When you set the value of this command to 1, the DNS Server service resolves single-label names in the GlobalNames zone.
dnscmd [<ServerName>] /config /enableglobalqueryblocklist {0|1} Enables or disables support for the global query block list that blocks name resolution for names in the list. The DNS Server service creates and enables the global query block list by default when the service starts the first time. To view the current global query block list, use the dnscmd /info /globalqueryblocklist command.
dnscmd [<ServerName>] /config /eventloglevel [0|1|2|4] Determines which events are logged in the DNS server log in Event Viewer. 0 logs no events. 1 logs only errors. 2 logs only errors and warnings. 4 logs errors, warnings, and informational events. This is the default setting.
dnscmd [<ServerName>] /config /forwarddelegations [0|1] Determines how the DNS server handles a query for a delegated subzone. These queries can be sent either to the subzone that is referred to in the query or to the list of forwarders that is named for the DNS server. Entries in the setting are used only when forwarding is enabled. 0 automatically sends queries that refer to delegated subzones to the appropriate subzone. This is the default setting. 1 forwards queries that refer to the delegated subzone to the existing forwarders.
dnscmd /config /forwarderslave <ZoneName> Overrides the DNS server /isslave setting.
dnscmd /config /forwardertimeout <ZoneName> Determines how many seconds a DNS zone waits for a forwarder to respond before trying another forwarder. This value overrides the value that is set at the server level.
dnscmd [<ServerName>] /config /forwardingtimeout [<seconds>] Determines how many seconds (0x1-0xFFFFFFFF) a DNS server waits for a forwarder to respond before trying another forwarder. The default value is 0x5, which is 5 seconds.
dnscmd [<ServerName>] /config /globalnamesqueryorder {0|1} Specifies whether the DNS Server service looks first in the GlobalNames zone or in its local zones when it resolves names. When set to 0, the DNS Server service attempts to resolve names by querying the GlobalNames zone before it queries the zones for which it is authoritative. When set to 1, the DNS Server service attempts to resolve names by querying the zones for which it is authoritative before it queries the GlobalNames zone.
dnscmd [<ServerName>] /config /globalqueryblocklist[[<name> [<name>]…] Replaces the current global query block list with a list of the names that you specify. If you do not specify any names, this command clears the block list. By default, the global query block list contains the following items: isatap and wpad. The DNS Server service can remove either or both of these names when it starts the first time, if it finds these names in an existing zone.
dnscmd [<ServerName>] /config /isslave [0|1] Determines how the DNS server responds when queries that it forwards receive no response. 0 specifies that the DNS server is not a subordinate (also known as a slave). If the forwarder does not respond, the DNS server attempts to resolve the query itself. This is the default setting. 1 specifies that the DNS server is a subordinate. If the forwarder does not respond, the DNS server terminates the search and sends a failure message to the resolver.
dnscmd [<ServerName>] /config /localnetpriority [0|1] Determines the order in which host records are returned when the DNS server has multiple host records for the same name. 0 returns the records in the order in which they are listed in the DNS database. 1 returns the records that have similar IP network addresses first. This is the default setting.
dnscmd [<ServerName>] /config /logfilemaxsize [<size>] Specifies the maximum size in bytes (0x10000-0xFFFFFFFF) of the Dns.log file. When the file reaches its maximum size, DNS overwrites the oldest events. The default size is 0x400000, which is 4 megabytes.
dnscmd [<ServerName>] /config /logfilepath [<Path+LogFileName>] Specifies the path of the Dns.log file. The default path is %systemroot%\System32\Dns\Dns.log. You can specify a different path by using the format Path+LogFileName.
dnscmd [<ServerName>] /config /logipfilterlist <IPAddress> [,<IPAddress>...] Specifies which packets are logged in the debug log file. The entries are a list of IP addresses. Only packets going to and from the IP addresses in the list are logged.
dnscmd [<ServerName>] /config /loglevel [<EventType>] Determines which types of events are recorded in the Dns.log debug log file. Each event type is a bit flag expressed as a hexadecimal number. To log more than one event type, combine the flags (add the distinct hexadecimal values, or bitwise-OR them) and enter the sum. A useful mask normally combines at least one content flag (queries, notifications, updates), one direction flag (send, receive) and one transport flag (UDP, TCP); for example 0xF301 logs queries and answers in both directions over UDP and TCP.

0x0

The DNS server does not create a log. This is the default entry.

0x1

Logs queries.

0x10

Logs notifications.

0x20

Logs updates.

0xFE

Logs nonquery transactions.

0x100

Logs question transactions.

0x200

Logs answers.

0x1000

Logs send packets.

0x2000

Logs receive packets.

0x4000

Logs User Datagram Protocol (UDP) packets.

0x8000

Logs Transmission Control Protocol (TCP) packets.

0xFFFF

Logs all packets.

0x10000

Logs Active Directory write transactions.

0x20000

Logs Active Directory update transactions.

0x1000000

Logs full packets.

0x80000000

Logs write-through transactions.

dnscmd [<ServerName>] /config /maxcachesize Specifies the maximum size, in kilobytes (KB), of the DNS server’s memory cache.
dnscmd [<ServerName>] /config /maxcachettl [<seconds>] Determines how many seconds (0x0-0xFFFFFFFF) a record is saved in the cache. If the 0x0 setting is used, the DNS server does not cache records. The default setting is 0x15180 (86,400 seconds, or 1 day).
dnscmd [<ServerName>] /config /maxnegativecachettl [<seconds>] Specifies how many seconds (0x1-0xFFFFFFFF) an entry that records a negative answer to a query remains stored in the DNS cache. The default setting is 0x384 (900 seconds).
dnscmd [<ServerName>] /config /namecheckflag [0|1|2|3] Specifies which character standard is used when checking DNS names.

0

Uses ANSI characters that comply with Internet Engineering Task Force (IETF) Request for Comments (RFCs).

1

Uses ANSI characters that do not necessarily comply with IETF RFCs.

2

Uses multibyte UCS Transformation Format 8 (UTF-8) characters. This is the default setting.

3

Uses all characters.

dnscmd [<ServerName>] /config /norecursion [0|1] Determines whether a DNS server performs recursive name resolution. When set to 0, the DNS server performs recursive name resolution if it is requested in a query. This is the default setting. When set to 1, the DNS server does not perform recursive name resolution.
dnscmd /config /norefreshinterval <ZoneName> Sets a time interval for a zone during which no refreshes can dynamically update DNS records in a specified zone.
dnscmd [<ServerName>] /config /notcp This parameter is obsolete, and it has no effect in current versions of Windows Server.
dnscmd [<ServerName>] /config /recursionretry [<seconds>] Determines the number of seconds (0x1-0xFFFFFFFF) that a DNS server waits before again trying to contact a remote server. The default setting is 0x3 (three seconds). This value should be increased when recursion occurs over a slow wide area network (WAN) link.
dnscmd [<ServerName>] /config /recursiontimeout [<seconds>] Determines the number of seconds (0x1-0xFFFFFFFF) that a DNS server waits before discontinuing attempts to contact a remote server. The default setting is 0xF (15 seconds). This value should be increased when recursion occurs over a slow WAN link.
dnscmd /config /refreshinterval <ZoneName> Sets a time interval for a zone during which refreshes can dynamically update DNS records in a specified zone.
dnscmd [<ServerName>] /config /roundrobin [0|1] Determines the order in which host records are returned when a server has multiple host records for the same name. When set to 0, the DNS server does not use round robin. Instead, it returns the first record to every query. When set to 1, the DNS server rotates among the records that it returns from the top to the bottom of the list of matching records. This is the default setting.
dnscmd [<ServerName>] /config /rpcprotocol [0x0|0x1|0x2|0x4|0xFFFFFFFF] Specifies the protocol that remote procedure call (RPC) uses when it makes a connection from the DNS server.

0x0

Disables RPC for DNS.

0x1

Uses TCP/IP.

0x2

Uses named pipes.

0x4

Uses local procedure call (LPC).

0xFFFFFFFF

All protocols. This is the default setting.

dnscmd [<ServerName>] /config /scavenginginterval [<hours>] Determines whether the scavenging feature for the DNS server is enabled, and sets the number of hours (0x0-0xFFFFFFFF) between scavenging cycles. The default setting is 0x0, which disables scavenging for the DNS server. A setting greater than 0x0 enables scavenging for the server and sets the number of hours between scavenging cycles.
dnscmd [<ServerName>] /config /secureresponses [0|1] Determines whether the DNS server filters the records it saves to its cache. 0 caches every record in a response, including records for names outside the zone that answered. 1 caches only records that belong to the DNS subtree of the queried name; this is the "Secure cache against pollution" option in the DNS console and is enabled by default on Windows Server 2003 and later. Leave it at 1: with 0, a single crafted answer can plant records for unrelated names in the cache.
dnscmd /config /securesecondaries <ZoneName> Determines which secondary servers can receive zone transfers from the master server for this zone (see the /zoneresetsecondaries command for the options).
dnscmd [<ServerName>] /config /sendport [<port>] Specifies the port number (0x0-0xFFFFFFFF) that DNS uses to send recursive queries to other DNS servers. The default setting is 0x0, which means that the source port is selected randomly. Leave it at 0x0 unless a firewall rule forces otherwise: a fixed send port removes the source-port entropy that, together with the 16-bit transaction ID, makes a forged response hard to match to an outstanding query, and so makes cache poisoning far easier.
dnscmd [<ServerName>] /config /serverlevelplugindll[<DllPath>] Specifies the path of a custom plug-in. When DllPath specifies the fully qualified path name of a valid DNS server plug-in, the DNS server calls functions in the plug-in to resolve name queries that are outside the scope of all locally hosted zones. If a queried name is out of the scope of the plug-in, the DNS server performs name resolution using forwarding or recursion, as configured. If DllPath is not specified, the DNS server ceases to use a custom plug-in if a custom plug-in was previously configured.
dnscmd [<ServerName>] /config /strictfileparsing [0|1] Determines a DNS server’s behavior when it encounters an erroneous record while loading a zone. When set to 0, the DNS server continues to load the zone even if the server encounters an erroneous record. The error is recorded in the DNS log. This is the default setting. When set to 1, the DNS server stops loading the zone, and it records the error in the DNS log.
dnscmd [<ServerName>] /config /updateoptions <RecordValue> Prohibits dynamic updates of specified types of records. If you want more than one record type to be prohibited, use hexadecimal addition to add the values, and then enter the sum.

0x0

Does not restrict any record types.

0x1

Excludes start of authority (SOA) resource records.

0x2

Excludes name server (NS) resource records.

0x4

Excludes delegation of name server (NS) resource records.

0x8

Excludes server host records.

0x100

During secure dynamic update, excludes start of authority (SOA) resource records.

0x200

During secure dynamic update, excludes root name server (NS) resource records.

0x30F

During standard dynamic update, excludes name server (NS) resource records, start of authority (SOA) resource records, and server host records. During secure dynamic update, excludes root name server (NS) resource records and start of authority (SOA) resource records. Allows delegations and server host updates.

0x400

During secure dynamic update, excludes delegation name server (NS) resource records.

0x800

During secure dynamic update, excludes server host records.

0x1000000

Excludes delegation signer (DS) records.

0x80000000

Disables DNS dynamic update.

dnscmd [<ServerName>] /config /writeauthorityns [0|1] Determines when the DNS server writes name server (NS) resource records in the Authority section of a response. 0 writes name server (NS) resource records in the Authority section of referrals only. This setting complies with RFC 1034, “Domain names—concepts and facilities,” and with RFC 2181, “Clarifications to the DNS Specification.” This is the default setting. 1 writes name server (NS) resource records in the Authority section of all successful authoritative responses.
dnscmd [<ServerName>] /config /xfrconnecttimeout [<seconds>] Determines the number of seconds (0x0-0xFFFFFFFF) a primary DNS server waits for a transfer response from its secondary server. The default value is 0x1E (30 seconds). After the time-out value expires, the connection is terminated.
dnscmd [<ServerName>] /createbuiltindirectorypartitions [/forest] [/alldomains] Creates a DNS application directory partition. When DNS is installed, an application directory partition for the service is created at the forest and domain levels. Use this command to create DNS application directory partitions that were deleted or never created. With no parameter, this command creates a built-in DNS directory partition for the domain.
dnscmd [<ServerName>] /createdirectorypartition <PartitionFQDN> Creates a DNS application directory partition. When DNS is installed, an application directory partition for the service is created at the forest and domain levels. This operation creates additional DNS application directory partitions
dnscmd [<ServerName>] /deletedirectorypartition <PartitionFQDN> Removes an existing DNS application directory partition.
dnscmd [<ServerName>] /directorypartitioninfo <PartitionFQDN> [/detail] Lists information about a specified DNS application directory partition. /detail lists all information about the application directory partition.
dnscmd [<ServerName>] /enlistdirectorypartition <PartitionFQDN> Adds the DNS server to the specified directory partition’s replica set.
dnscmd [<ServerName>] /enumdirectorypartitions [/custom] Lists the DNS application directory partitions for the specified server. /custom lists only user-created directory partitions.
dnscmd [<ServerName>] /enumrecords <ZoneName> <NodeName> Lists the resource records of a specified node in a DNS zone.

<ServerName>

Specifies the DNS server that you plan to manage, represented by IP address, FQDN, or host name. If this parameter is omitted, the local server is used.

/enumrecords

Lists resource records in the specified zone.

<ZoneName>

Specifies the name of the zone to which the resource records belong.

<NodeName>

Specifies the name of the node of the resource records.

dnscmd /enumrecords /additional Includes all additional information about the listed resource records.
dnscmd /enumrecords /authority Includes authoritative data.
dnscmd /enumrecords /child Lists only the resource records of a specified child domain.
dnscmd /enumrecords /continue Lists only the resource records with their type and data.
dnscmd /enumrecords /detail Lists all information about the resource records.
dnscmd /enumrecords /glue Includes glue data.
dnscmd /enumrecords /node Lists only the resource records of the specified node.
dnscmd /enumrecords /startchild <ChildName> Begins the list at the specified child domain.
dnscmd /enumrecords /type <RRType> <RRData> Lists only resource records of the specified type; <RRData> optionally narrows the list to records with that data.
dnscmd [<ServerName>] /enumzones Lists the zones that exist on the specified DNS server. ServerName specifies the DNS server to manage, represented by IP address, FQDN, or host name. If this parameter is omitted, the local server is used. The /enumzones parameters act as filters on the list of zones. If no filters are specified, a complete list of zones is returned. When a filter is specified, only the zones that meet that filter’s criteria are included in the returned list of zones.
dnscmd /enumzones /auto-created Lists the zones that were created automatically during the DNS server installation.
dnscmd /enumzones /cache Lists only the zones that are loaded into the cache.
dnscmd /enumzones /customdirectorypartition Lists all zones that are stored in a user-defined application directory partition.
dnscmd /enumzones /directorypartition <PartitionFQDN> Lists all zones that are stored in the specified directory partition.
dnscmd /enumzones /domaindirectorypartition Lists zones that are stored in the domain directory partition.
dnscmd /enumzones /ds Lists Active Directory–integrated zones.
dnscmd /enumzones /file Lists zones that are backed by files.
dnscmd /enumzones /forestdirectorypartition Lists zones that are stored in the forest DNS application directory partition.
dnscmd /enumzones /forward Lists forward lookup zones.
dnscmd /enumzones /forwarder Lists zones that forward unresolved queries to another DNS server.
dnscmd /enumzones /legacydirectorypartition Lists all zones that are stored in the domain directory partition.
dnscmd /enumzones /primary Lists all zones that are either standard primary zones or Active Directory–integrated zones.
dnscmd /enumzones /reverse Lists reverse lookup zones.
dnscmd /enumzones /secondary Lists all standard secondary zones.
dnscmd /enumzones /stub Lists all stub zones.
dnscmd [<ServerName>] /exportsettings Creates a text file that lists the configuration details of a DNS server. The text file is named DnsSettings.txt and is located in the %systemroot%\system32\dns directory of the server.
dnscmd [<ServerName>] /info [<Setting>] Displays settings from the DNS section of the registry of the specified server: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters. If a setting is not specified, a report of common settings is returned. This command displays registry settings that are at the DNS server level. To display zone-level registry settings, use the dnscmd /zoneinfo command. To see a list of settings that can be displayed with this command, see the dnscmd /config description.
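The PowerShell script below is an added example and not part of the original post. It reads back, with dnscmd /info and dnscmd /zoneinfo, the settings from this table that most affect exposure (/secureresponses, /sendport and /enableglobalqueryblocklist at server level; /allowupdate and /securesecondaries at zone level) and reports anything outside a simple hardening policy. The server name, zone list and the "acceptable" values encode one reasonable policy and are assumptions; the numeric meanings of AllowUpdate and SecureSecondaries are the values dnscmd /zoneinfo reports for those zone properties.

```powershell
# Added example: audit DNS server and zone hardening settings via dnscmd.
# Assumptions: server dc1.corp.example, zone corp.example, policy values below.

function Get-DnscmdDword {
    # dnscmd prints integer settings as "Dword:  N (hex)". Returns N, or $null
    # when the setting is not reported (string-valued setting, bad name, error).
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Setting,
        [string]$Zone                      # empty => server level (/info), else /zoneinfo
    )
    $dnscmdArgs = if ($Zone) { @($Server, '/zoneinfo', $Zone, "/$Setting") }
                  else       { @($Server, '/info', "/$Setting") }
    $output = & dnscmd.exe @dnscmdArgs 2>&1 | Out-String
    if ($output -match 'Dword:\s+(\d+)') { return [int]$Matches[1] }
    return $null
}

function Test-DnsServerHardening {
    param([Parameter(Mandatory)][string]$Server, [string[]]$Zones = @())
    $findings = @()

    # Server-level policy: setting name, acceptable values, why it matters.
    $serverPolicy = @(
        @{ Setting = 'SecureResponses';            Ok = @(1); Why = '0 caches out-of-bailiwick records (cache pollution)' }
        @{ Setting = 'SendPort';                   Ok = @(0); Why = 'a fixed source port makes forged answers far easier to land' }
        @{ Setting = 'EnableGlobalQueryBlockList'; Ok = @(1); Why = 'block list keeps wpad/isatap from being claimed via dynamic update' }
    )
    foreach ($p in $serverPolicy) {
        $v = Get-DnscmdDword -Server $Server -Setting $p.Setting
        if ($null -eq $v -or $v -notin $p.Ok) {
            $findings += "[$Server] $($p.Setting)=$v (expected $($p.Ok -join '/')): $($p.Why)"
        }
    }

    # Zone-level values as reported by dnscmd /zoneinfo:
    #   AllowUpdate        0 = none, 1 = nonsecure and secure, 2 = secure only
    #   SecureSecondaries  0 = any host, 1 = NS servers only, 2 = listed servers, 3 = none
    foreach ($z in $Zones) {
        $upd = Get-DnscmdDword -Server $Server -Zone $z -Setting 'AllowUpdate'
        if ($upd -eq 1) {
            $findings += "[$z] AllowUpdate=1: any host can overwrite records with a nonsecure dynamic update; set 2"
        }
        $xfr = Get-DnscmdDword -Server $Server -Zone $z -Setting 'SecureSecondaries'
        if ($xfr -eq 0) {
            $findings += "[$z] SecureSecondaries=0: any host can pull the whole zone by AXFR; use /zoneresetsecondaries /securens or /securelist"
        }
    }
    return $findings
}

# Usage with the assumed names:
$result = Test-DnsServerHardening -Server 'dc1.corp.example' -Zones @('corp.example')
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'No findings' }
```

Run it from an account that can administer the DNS server; dnscmd uses RPC, so the same permissions that the DNS console needs apply. Zones that return no Dword (for example a zone name that does not exist on that server) are skipped rather than reported as findings, so check the zone list against dnscmd /enumzones first.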
dnscmd [<ServerName>] /ipvalidate <Context> [<ZoneName>] [[<IPAddress>]…] Tests whether an IP address identifies a functioning DNS server or whether the DNS server can act as a forwarder, a root hint server, or a master server for a specific zone. <Context> specifies the type of test to perform. You can specify any of the following tests:

/dnsservers

Tests that the computers with the addresses you specify are functioning DNS servers.

/forwarders

Tests that the addresses you specify identify DNS servers that can act as forwarders.

/roothints

Tests that the addresses you specify identify DNS servers that can act as root hint name servers.

/zonemasters

Tests that the addresses you specify identify DNS servers that are master servers for ZoneName.

dnscmd [<ServerName>] /nodedelete <ZoneName> <NodeName> [/tree] [/f] Deletes all records for a specified host. /tree also deletes all child records. /f runs the command without asking for confirmation.
dnscmd [<ServerName>] /recordadd <ZoneName> <NodeName> <RRType> <RRData> Adds a record to a specified zone on a DNS server. <RRType> specifies the type of record to add (for example A, CNAME, MX, SRV); <RRData> specifies the record data appropriate to that type (for example the IP address of an A record).
dnscmd [<ServerName>] /recorddelete <ZoneName> <NodeName> <RRType> [<RRData>] [/f] Deletes a resource record from a specified zone. <RRType> specifies the type of record to delete and <RRData> its data. If you specify a record type but no record data, all records of that type for the specified node are deleted. /f runs the command without asking for confirmation.
dnscmd [<ServerName>] /resetforwarders [<IPAddress> [,<IPAddress>]…][/timeout <TimeOut>] [/slave|/noslave] Selects or resets the IP addresses to which the DNS server forwards DNS queries when it cannot resolve them locally. By default, a DNS server performs iterative queries when it cannot resolve a query. Setting IP addresses by using the resetforwarders command causes the DNS server to perform recursive queries to the DNS servers at the specified IP addresses. If the forwarders do not resolve the query, the DNS server can then perform its own iterative queries.

If the /slave parameter is used, the DNS server does not perform its own iterative queries. This means that the DNS server forwards unresolved queries only to the DNS servers in the list, and it does not attempt iterative queries if the forwarders do not resolve them. It is more efficient to set one IP address as a forwarder for a DNS server. You can use the /resetforwarders command for internal servers in a network to forward their unresolved queries to one DNS server that has an external connection.

Listing a forwarder’s IP address twice causes the DNS server to attempt to forward to that server twice.

<ServerName>

Specifies the DNS server to manage, represented by IP address, FQDN, or host name. If this parameter is omitted, the local server is used.

<IPAddress>

Lists the IP addresses to which the DNS server forwards unresolved queries.

/timeout <TimeOut>

Sets the number of seconds that the DNS server waits for a response from the forwarder. By default, this value is five seconds.

/slave|/noslave

Determines whether the DNS server performs its own iterative queries if the forwarder fails to resolve a query. /slave prevents the DNS server from performing its own iterative queries if the forwarder fails to resolve a query. /noslave allows the DNS server to perform its own iterative queries if the forwarder fails to resolve a query. This is the default setting.

dnscmd [<ServerName>] /resetlistenaddresses [<ListenAddress>] Specifies the IP addresses on a server that listens for DNS client requests. By default, all IP addresses on a DNS server listen for client DNS requests. <ListenAddress> specifies an IP address on the DNS server that listens for DNS client requests. If no listen address is specified, all IP addresses on the server listen for client requests.
dnscmd [<ServerName>] /startscavenging Tells a DNS server to attempt an immediate search for stale resource records in a specified DNS server. Successful completion of this command starts a scavenge immediately. Although the command to start the scavenge appears to complete successfully, the scavenge does not start unless the following preconditions are met: scavenging is enabled for both the server and the zone, the zone is started, and the resource records have a time stamp.
dnscmd [<ServerName>] /statistics [<StatID>] [/clear] Displays or clears data for a specified DNS server. The /statistics command displays counters that begin on the DNS server when it is started or resumed.<StatID> specifies which statistic or combination of statistics to display. An identification number is used to identify a statistic. If no statistic ID number is specified, all statistics display. The following is a list of numbers that can be specified and the corresponding statistic that displays:

00000001

Time

00000002

Query

00000004

Query2

00000008

Recurse

00000010

Master

00000020

Secondary

00000040

WINS

00000100

Update

00000200

SkwanSec

00000400

Ds

00010000

Memory

00100000

PacketMem

00040000

Dbase

00080000

Records

00200000

NbstatMem

/clear resets the specified statistics counter to zero.
dnscmd [<ServerName>] /unenlistdirectorypartition <PartitionFQDN> Removes the DNS server from the specified directory partition’s replica set.
dnscmd [<ServerName>] /writebackfiles [<ZoneName>] Checks the DNS server memory for changes, and writes them to persistent storage. The /writebackfiles command updates all dirty zones or a specified zone. A zone is “dirty” when there are changes in memory that have not yet been written to persistent storage. This is a server-level operation that checks all zones. <ZoneName> specifies the name of the zone to be updated.
dnscmd [<ServerName>] /zoneadd <ZoneName> <ZoneType> [/dp <FQDN> | {/domain|/enterprise|/legacy}] Adds a zone to the DNS server. <ZoneType> specifies the type of zone to create. Each zone type has different required parameters:

/dsforwarder

Specifies that the created Active Directory–integrated zone forwards unresolved queries to another DNS server.

/dsprimary

Creates an Active Directory–integrated zone.

/dsstub <MasterIPAddress> [<MasterIPAddress>...]

Creates an Active Directory–integrated stub zone.

/forwarder <MasterIPAddress> [<MasterIPAddress>...] /file <FileName>

Specifies that the created zone forwards unresolved queries to another DNS server.

/primary /file <FileName>

Creates a standard primary zone, and specifies the name of the file that will store the zone information.

/secondary <MasterIPAddress> [<MasterIPAddress>...]

Creates a standard secondary zone.

/stub <MasterIPAddress> [<MasterIPAddress>...] /file <FileName>

Creates a file-backed stub zone.

/domain

Stores the zone on the domain directory partition.

/dp

Specifies the directory partition on which to store the zone.

/enterprise

Stores the zone on the enterprise directory partition.

<FQDN>

Specifies FQDN of the directory partition.

/legacy

Stores the zone on a legacy directory partition.

dnscmd [<ServerName>] /zonechangedirectorypartition <ZoneName> {<NewPartitionName> | <ZoneType>} Changes the directory partition on which the specified zone resides. <NewPartitionName> is the FQDN of the target partition. <ZoneType> specifies the type of built-in directory partition that the zone will be moved to and can be one of the following:

/domain

Moves the zone to the built-in domain directory partition.

/forest

Moves the zone to the built-in forest directory partition.

/legacy

Moves the zone to the directory partition that is created for pre–Active Directory domain controllers. These directory partitions are not necessary for native mode.

dnscmd [<ServerName>] /zonedelete <ZoneName> [/dsdel] [/f] Deletes a specified zone. /dsdel deletes the zone from AD DS. /f runs the command without asking for confirmation.
dnscmd [<ServerName>] /zoneexport <ZoneName> <ZoneExportFile> Creates a text file that lists the resource records of a specified zone. The /zoneexport operation creates a file of resource records for an Active Directory–integrated zone for troubleshooting purposes. By default, the file that this command creates is placed in the DNS directory, which is by default %systemroot%\System32\Dns.
dnscmd [<ServerName>] /zoneinfo <ZoneName> [<Setting>] Displays settings from the section of the registry of the specified zone: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\Zones\<ZoneName>. To see a list of settings that you can display with this command, see the dnscmd /config command. If you do not specify a setting, all settings are returned.
dnscmd [<ServerName>] /zonepause <ZoneName> Pauses the specified zone, which then ignores query requests. To resume a zone and make it available after it has been paused, use the dnscmd /zoneresume command.
dnscmd [<ServerName>] /zoneprint <ZoneName> Lists the records in a zone.
dnscmd <ServerName> /zonerefresh <ZoneName> Forces a secondary DNS zone to update from the master zone. The /zonerefresh command forces a check of the serial number in the master server’s start of authority (SOA) resource record. If the serial number on the master server is higher than the secondary server’s serial number, a zone transfer is initiated that updates the secondary server. If the serial number is the same, no zone transfer occurs. The periodic check occurs by default every 15 minutes; to change it, edit the refresh interval in the zone’s SOA record.
dnscmd <ServerName> /zonereload <ZoneName> Copies zone information from its source. If the zone is Active Directory–integrated, it reloads from AD DS. If the zone is a standard file-backed zone, it reloads from a file.
dnscmd <ServerName> /zoneresetmasters <ZoneName> [/local] [<IPAddress> [<IPAddress>]…] Resets the IP addresses of the master servers that provide zone transfer information to a secondary zone. This value is originally set when the secondary zone is created. Use the /zoneresetmasters command on the secondary server; it has no effect if it is set on the master DNS server. /local sets a local master list and is used for Active Directory–integrated zones. <IPAddress> lists the IP addresses of the master servers of the secondary zone.
dnscmd [<ServerName>] /zoneresetscavengers <ZoneName> [<IPAddress> [<IPAddress>]…] Changes the IP addresses of the servers that can scavenge the specified zone. By default, all servers that host a zone can scavenge that zone. If a zone is hosted on more than one DNS server, you can use this command to reduce the number of times a zone is scavenged. Scavenging must be enabled on the DNS server and zone that is affected by this command. <IPAddress> lists the IP addresses of the servers that can perform the scavenge. If this parameter is omitted, all servers that host this zone can scavenge it.
dnscmd [<ServerName>] /zoneresetsecondaries <ZoneName> {/noxfr | /nonsecure | /securens | /securelist <SecurityIPAddresses>} Specifies whether all or only some of the secondary servers requesting an update get an update. Use the /zoneresetsecondaries command on the master server to specify how it responds to zone transfer requests from secondary servers.

/nonsecure

Specifies that all zone transfer requests are granted.

/noxfr

Specifies that no zone transfers are allowed.

/securelist

Specifies that zone transfers are granted only to the list of servers. This parameter must be followed by an IP address or addresses that the master server uses.

/securens

Specifies that only the server that is listed in the name server (NS) resource record for the zone is granted a transfer.

<SecurityIPAddresses>

Lists the IP addresses that receive zone transfers from the master server. This parameter is used only with the /securelist parameter.

dnscmd [<ServerName>] /zoneresetsecondaries <ZoneName> {/nonotify | /notify | /notifylist <NotifyIPAddresses>}

Specifies that a change notification is sent only to certain secondary servers:

/nonotify

Specifies that no change notifications are sent to secondary servers.

/notify

Specifies that change notifications are sent to all secondary servers.

/notifylist

Specifies that change notifications are sent to only the list of servers. This command must be followed by an IP address or addresses that the master server uses.

<NotifyIPAddresses>

Specifies the IP address or addresses of the secondary server or servers to which change notifications are sent. This list is used only with the /notifylist parameter.

dnscmd [<ServerName>] /zoneresettype <ZoneName> <ZoneType> [/overwrite_mem | /overwrite_ds]

Changes the type of the zone. <ZoneType> specifies the type of zone to create. Setting the zone type as /dsforwarder creates a zone that performs conditional forwarding.

Each type has different required parameters:

/dsforwarder

Specifies that the created Active Directory–integrated zone forwards unresolved queries to another DNS server.

/dsprimary

Creates an Active Directory–integrated zone.

/dsstub <MasterIPAddress>[,<MasterIPAddress>...]

Creates an Active Directory–integrated stub zone.

/forwarder <MasterIPAddress>[,<MasterIPAddress>]… /file <FileName>

Specifies that the created zone forwards unresolved queries to another DNS server.

/primary /file <FileName>

Creates a standard primary zone.

/secondary <MasterIPAddress> [,<MasterIPAddress>...]

Creates a standard secondary zone.

/stub <MasterIPAddress>[,<MasterIPAddress>...] /file <FileName>

Creates a file-backed stub zone.

/overwrite_ds

Overwrites existing data in AD DS.

/overwrite_mem

Overwrites DNS data from data in AD DS.

dnscmd <ServerName> /zoneresume <ZoneName>

Starts a specified zone that was previously paused. You can use this operation to reverse the dnscmd /zonepause operation.

dnscmd <ServerName> /zoneupdatefromds <ZoneName>

Updates the specified Active Directory–integrated zone from AD DS. Active Directory–integrated zones perform this update by default every five minutes. To change this parameter, use the dnscmd config dspollinginterval command.

dnscmd <ServerName> /zonewriteback <ZoneName>

Checks DNS server memory for changes that are relevant to a specified zone, and writes them to persistent storage. This is a zone-level operation. You can update all zones on a DNS server with the dnscmd /writebackfiles operation.


↑ Up to command list

dnscmd examples

Set the current time on a time stamp to resource records:

dnscmd woodgrovebank.com /ageallrecords test.woodgrovebank.com

See a complete list of zones on your DNS server:

dnscmd woodgrovebank.com /enumzones

Clear the DNS cache memory of resource records on the specified DNS server:

dnscmd dnssvr1.woodgrovebank.com /clearcache

List the resource records of a specified node in a DNS zone and include all additional information about the listed resource records:

dnscmd /enumrecords test.woodgrovebank.com test /additional

Display a list of autocreated zones that are also reverse lookup zones on the DNS server:

dnscmd woodgrovebank.com /enumzones /auto-created /reverse

Display the IsSlave setting from a DNS server:

dnscmd woodgrovebank.com /info isslave

Display the RecursionTimeout setting from a DNS server:

dnscmd woodgrovebank.com /info recursiontimeout

Delete the records in a node:

dnscmd woodgrovebank.com /nodedelete test.woodgrovebank.com node /tree

Delete the records in a node using the host:

dnscmd woodgrovebank.com /NodeDelete test.woodgrovebank.com host /F

Display time statistics for a DNS server:

dnscmd woodgrovebank.com /statistics 00000001

Display NbstatMem statistics for a DNS server:

dnscmd woodgrovebank.com /statistics 00200000

Delete the test.reskit.com zone from a server:

dnscmd woodgrovebank.com /zonedelete test.woodgrovebank.com

Export the resource record list from the test.reskit.com zone on the reskit.com DNS server:

dnscmd woodgrovebank.com /zoneexport test.woodgrovebank.com test.reskit.com.dns

Display the values in the RefreshInterval entry in the registry:

dnscmd woodgrovebank.com /zoneinfo test.woodgrovebank.com refreshinterval

Display the values in the Aging entry in the registry:

dnscmd woodgrovebank.com /zoneinfo test.woodgrovebank.com aging

Test whether an IP address identifies a functioning DNS server or whether the DNS server can act as a forwarder, a root hint server, or a master server for a specific zone:

dnscmd dnssvr1.woodgrovebank.com /ipvalidate /dnsservers 10.0.0.1 10.0.0.2

dnscmd dnssvr1.woodgrovebank.com /ipvalidate /zonemasters corp.woodgrovebank.com 10.0.0.2

Add a record to the specified zone on a DNS server:

dnscmd dnssvr1.woodgrovebank.com /recordadd test A 10.0.0.5

dnscmd /recordadd test.woodgrovebank.com test MX 10 mailserver.test.woodgrovebank.com

Specify IP address 10.0.0.1 on DNSSVR1 as the address on which to listen for DNS client requests:

dnscmd dnssvr1.woodgrovebank.com /resetlistenaddresses 10.0.0.1

Tell DNSSVR1 to attempt an immediate search for stale resource records:

dnscmd dnssvr1.woodgrovebank.com /startscavenging

Add a standard primary zone to DNSSVR1:

dnscmd dnssvr1.woodgrovebank.com /zoneadd woodgrovebank.com /dsprimary

Add a standard secondary zone to DNSSVR1:

dnscmd dnssvr1.woodgrovebank.com /zoneadd secondtest.woodgrovebank.com /secondary 10.0.0.2

Force a secondary DNS zone to update from the master zone:

dnscmd dnssvr1.woodgrovebank.com /zonerefresh test.woodgrovebank.com

Copy zone information from its source:

dnscmd dnssvr1.woodgrovebank.com /zonereload test.woodgrovebank.com

Reset the IP addresses of the master server that provides zone transfer information to a secondary zone:

dnscmd dnssvr1.woodgrovebank.com /zoneresetmasters test.woodgrovebank.com 10.0.0.1

Change the IP addresses of the servers that can scavenge the specified zone:

dnscmd dnssvr1.woodgrovebank.com /zoneresetscavengeservers test.woodgrovebank.com 10.0.0.1 10.0.0.2

Specify a list of IP addresses of secondary servers to which a master server responds when it is asked for a zone transfer:

dnscmd dnssvr1.woodgrovebank.com /zoneresetsecondaries test.woodgrovebank.com /noxfr /nonotify

dnscmd dnssvr1.woodgrovebank.com /zoneresetsecondaries test.woodgrovebank.com /securelist 11.0.0.2

Change the type of the zone:

dnscmd dnssvr1.woodgrovebank.com /zoneresettype test.woodgrovebank.com /primary /file test.woodgrovebank.com.dns

dnscmd dnssvr1.woodgrovebank.com /zoneresettype second.woodgrovebank.com /secondary 10.0.0.2
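The /zoneresetsecondaries examples above set the transfer policy of one zone at a time. The following PowerShell script is an added example, not code from the original post: it reads the policy back for every primary zone using dnscmd /enumzones and dnscmd /zoneinfo, and reports zones that still answer zone transfer requests from any server together with the dnscmd command that would restrict them. The server name is a placeholder, and the SecureSecondaries setting name, its meaning (0 = any server, 1 = NS-listed servers, 2 = /securelist servers, 3 = no transfers) and the output layouts matched by the regular expressions are assumptions about dnscmd, not facts stated on the page.

```powershell
# Added example (not from the original post): audit zone transfer restrictions
# on a DNS server using only dnscmd operations.
# Assumptions: dnscmd.exe is on PATH, the caller has DNS administrator rights,
# the zone setting is named "SecureSecondaries" (0 any server, 1 NS only,
# 2 explicit list, 3 none), and /enumzones and /zoneinfo print text in the
# shapes the regular expressions below expect.
param(
    [string]$DnsServer = "dnssvr1.woodgrovebank.com"   # placeholder server name
)

function Invoke-Dnscmd {
    param([string[]]$Arguments)
    $output = & dnscmd @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed:`n$($output -join "`n")"
    }
    return $output
}

function Get-DnsZoneList {
    param([string]$Server)
    # /enumzones prints one row per zone: "<name> <type> <storage> <properties>".
    # Only authoritative zone types are kept; the cache pseudo-zone is skipped.
    $rows = Invoke-Dnscmd @($Server, "/enumzones")
    foreach ($row in $rows) {
        if ($row -match '^\s*(\S+)\s+(Primary|Secondary|Stub|Forwarder)\b') {
            [pscustomobject]@{ Name = $Matches[1]; Type = $Matches[2] }
        }
    }
}

function Get-ZoneTransferPolicy {
    param([string]$Server, [string]$Zone)
    $info = Invoke-Dnscmd @($Server, "/zoneinfo", $Zone, "SecureSecondaries")
    # Loose pattern so that both "SecureSecondaries = 1" and "secure secs = 1" parse.
    $pattern = 'secure\s*sec\w*\s*=\s*(\d+)'
    $line = $info | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) { return "unknown" }
    $null = $line -match $pattern          # sets $Matches in this scope
    switch ([int]$Matches[1]) {
        0 { "any-server" }
        1 { "ns-records-only" }
        2 { "secure-list-only" }
        3 { "no-transfer" }
        default { "unknown" }
    }
}

function Get-ZoneTransferReport {
    param([string]$Server)
    foreach ($zone in Get-DnsZoneList -Server $Server) {
        # Transfer restrictions are enforced on the master, so only primaries matter.
        if ($zone.Type -ne "Primary") { continue }
        $policy = Get-ZoneTransferPolicy -Server $Server -Zone $zone.Name
        $finding = ""
        $fix = ""
        if ($policy -eq "any-server") {
            $finding = "unrestricted zone transfer"
            # /securens limits transfers to the zone's NS servers; /securelist with
            # explicit addresses is tighter still when the secondaries are known.
            $fix = "dnscmd $Server /zoneresetsecondaries $($zone.Name) /securens"
        }
        [pscustomobject]@{
            Zone        = $zone.Name
            Policy      = $policy
            Finding     = $finding
            Remediation = $fix
        }
    }
}

Get-ZoneTransferReport -Server $DnsServer | Format-Table -AutoSize
```

The script only reports; applying the remediation line is left to the administrator because the right choice between /securens and /securelist depends on which secondaries actually exist for the zone.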

↑ Up to command list

dsacls

Displays and changes permissions (access control entries) in the access control lists (ACLs) of objects in Active Directory Domain Services (AD DS). Dsacls is the command-line equivalent of the Security tab in the properties dialog box for an Active Directory object in tools such as Active Directory Users and Computers. You can use either tool to view and change permissions to an Active Directory object. The access control entries (ACEs) that you add by using dsacls must be object-specific permissions that override the default permissions that are defined in the Active Directory schema for that object type. Do not add ACEs unless you are well-informed about security for Active Directory objects.

To view an ACL, the user must have Read permissions on Active Directory objects. To change an ACL, the user must have Write permissions on the Active Directory object.

Default dsacls syntax

dsacls "[\\<Computer>\]<ObjectDN>" [/A] [/D <PermissionStatement> [<PermissionStatement>]...] [/G <PermissionStatement> [<PermissionStatement>]...] [/I:{T | S | P}] [/N] [/P:{Y | N}] [/R {<User> | <Group>} [{<User> | <Group>}]...] [/S [/T]] [/?]

Default ‘dsacls <PermissionStatement>’ syntax

{<User> | <Group>}:<Permissions>[;{<ObjectType> | <Property>}][;<InheritedObjectType>]

dsacls options

Description

dsacls /A Adds ownership and auditing information to the results.
dsacls “[\\<Computer>\]<ObjectDN>” Identifies the Active Directory object to investigate. Type the distinguished name of the object. To specify an object on a remote computer, type that computer name followed by the distinguished name. This parameter must be enclosed in quotation marks. For example:

"CN=Jeff Akers,CN=Users,DC=domain,DC=test,DC=Woodgrovebank,DC=com"

or

"\\Server01\CN=Jeff Akers,CN=Users,DC=domain,DC=test,DC=Woodgrovebank,DC=com"

dsacls /D Denies the permissions that you specify to the user or group. You can deny permissions to multiple users in each /D command, for example:

/D Domain1\User1:CCDC Domain1\User2:DC;computer

dsacls /G Grants the permissions that you specify to the user or group. You can grant permissions to multiple users in each /G command, for example:

/G Domain1\User1:CCDC Domain1\User2:DC;computer

dsacls /I:{T | S | P} Specifies the objects to which you are applying the permissions. This parameter determines whether the permissions are inheritable. T is the default and specifies the object and its child objects. S specifies the child objects only and P specifies the object and child objects down to one level only (propagate inheritable permissions to one level only).
dsacls /N Provides that the specified ACE replaces the current ACEs in the ACL. By default, dsacls adds the ACE to the ACL.
dsacls /P:{Y | N} Determines whether the object can inherit permissions from its parent objects. If you omit this parameter, the inheritance properties of the object do not change. This parameter changes a property of the object, not of an ACE. To specify whether an ACE is inheritable, use the /I parameter. Y specifies that the object is protected and cannot inherit permissions. N specifies that the object is not protected and can inherit permissions.
dsacls /R {<User> | <Group>} [{<User> | <Group>}] Deletes all ACEs for the users or groups that you specify. You can specify User as User@Domain or as Domain\User. You can specify Group as Group@Domain or as Domain\Group.

You can delete ACEs for multiple users and groups in a single /R parameter, for example:

/R Domain1\User1 Domain1\User2

dsacls /S Restores the security on the object to the default for that object class as defined in the Active Directory schema.
dsacls /T Restores the security on the tree of objects to the default for each object class. This parameter is valid only with the /S parameter.
dsacls /? Displays the dsacls help message.


↑ Up to command list

dsacls examples

Grant generic read (GR) and generic execute (GE) on computer objects in the Desktops OU to Fbaggins:

dsacls "OU=Desktops,OU=BagEnd,DC=woodgrovebank,DC=Com" /G Domain\Fbaggins:GRGE;computer

Remove the ‘List Contents’ permission for the Authenticated Users group on the Sales OU by deleting the group’s ACEs and then granting back the default permissions except ‘List Contents’:

dsacls "OU=SalesOU,DC=root,DC=com" /R "Authenticated Users"

dsacls "OU=SalesOU,DC=root,DC=com" /G "Authenticated Users":RCRPLO

‘dsacls <PermissionStatement>’ options

Description

<Group> Specifies the group to whom the rights apply. You can specify Group as Group@Domain or Domain\Group.
<InheritedObjectType> Limits inheritance of the permission to the specified object type. Enter the display name of the object type. If you do not specify an object type, all object types can inherit the permission. You can use this parameter only when permissions are inheritable.

For example, the following command permits all objects types to inherit the permission:

/G Domain\User:CC

In contrast, the following command permits only User objects to inherit the permission:

/G Domain\User:CC;;user

<ObjectType> Limits the permission to the specified object type. Enter the display name of the object type. If you do not specify an object type, the permission applies to all object types.

For example, the following command permits the user to create all types of child objects:

/G Domain\User:CC

In contrast, the following command permits the user to create only child computer objects:

/G Domain\User:CC;computer

<Permissions> Specifies the type of permissions that you are applying. You can specify one or more of the following values (without spaces).

Generic permissions

GA: Generic All

GE: Generic Execute

GR: Generic Read

GW: Generic Write

Specific permissions

CA: Control access. If you do not specify {ObjectType | Property} to define the specific extended right for control access, this permission applies to all meaningful control accesses on the object; otherwise, it applies only to the specific extended right for that object.

CC: Create a child object. If you do not specify {ObjectType | Property} to define a specific child object type, this permission applies to all types of child objects; otherwise, it applies only to the child object type that you specify.

DC: Delete a child object. If you do not specify {ObjectType | Property} to define a specific child object type, this permission applies to all types of child objects; otherwise, it applies only to the child object type that you specify.

DT: Delete an object and all of its child objects.

LC: List the child objects of the object.

LO: List the object access. You can use this permission to grant list access to a specific object if List Children (LC) is not also granted to the parent object. You can also use this permission to deny access to list an object to hide an object if the user or group has LC permission on the parent object.

RC: Read security information.

RP: Read a property. If you do not specify {ObjectType | Property} to define a specific property, this permission applies to all properties of the object; otherwise, it applies only to the property of the object that you specify.

SD: Delete an object.

WD: Change security information.

WO: Change owner information.

WP: Write to a property. If you do not specify {ObjectType | Property} to define a specific property, this permission applies to all properties of the object; otherwise, it applies only to the property of the object that you specify.

WS: Write to a self object. This is meaningful only on group objects and when {ObjectType | Property} is a “member.”

<Property> Limits the permission to the specified property. Enter the display name of the property. If you do not specify a property, the permission applies to all properties.

For example, the following command permits the user to create all types of child objects:

/G Domain\User:CC

In contrast, the following command permits the user to create only child computer objects:

/G Domain\User:CC;computer

<User> Specifies the user to whom the rights apply. You can specify User as User@Domain or Domain\User.


↑ Up to command list

‘dsacls <PermissionStatement>’ examples

Grant the permission to delete, read security information, change security information, and change ownership permissions on a User object:

SDRCWDWO;;user

Grant permission to create child objects and delete child objects of a Group object:

CCDC;group;

Grant permissions to read property and write property values on a Telephonenumber property:

RPWP;telephonenumber;
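The permission statements listed above are normally combined with /G and /I on a container. The following PowerShell script is an added example, not code from the original post: it delegates a property-scoped and object-type-scoped set of rights to a group on an OU with dsacls, reads the resulting ACL back for review, and shows the /R call that backs the delegation out. The OU and group names are placeholders, and the "Reset Password" extended right display name is an assumption of this example rather than something stated on the page.

```powershell
# Added example (not from the original post): a narrow dsacls delegation on an OU,
# with verification and a rollback path.
# Assumptions: dsacls.exe is on PATH, the caller has Write permission on the OU,
# the OU and group names are placeholders, and "Reset Password" is the display
# name of the extended right granted below.
param(
    [string]$OuDN  = "OU=Desktops,OU=BagEnd,DC=woodgrovebank,DC=Com",
    [string]$Group = "WOODGROVEBANK\Helpdesk"
)

function Invoke-Dsacls {
    param([string[]]$Arguments)
    # PowerShell wraps any argument containing spaces in quotation marks before
    # handing it to dsacls, so DNs and permission statements stay plain strings.
    $output = & dsacls @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls $($Arguments -join ' ') failed:`n$($output -join "`n")"
    }
    return $output
}

function Grant-HelpdeskDelegation {
    param([string]$ObjectDN, [string]$Principal)
    # Each statement has the form
    #   {User|Group}:<Permissions>[;<ObjectType>|<Property>][;<InheritedObjectType>]
    # Rights are limited to one property and one extended right on user objects:
    # no generic rights (GA/GW) and nothing that changes security (WD/WO).
    $statements = @(
        "${Principal}:RPWP;telephoneNumber;user",   # read and write one attribute
        "${Principal}:CA;Reset Password;user"       # one control access right (assumed name)
    )
    # /I:S places the ACEs on child objects only; the OU object itself gets nothing new.
    Invoke-Dsacls (@($ObjectDN, "/I:S", "/G") + $statements) | Out-Null
}

function Get-PrincipalAces {
    param([string]$ObjectDN, [string]$Principal)
    # Read the ACL back (dsacls with only the DN) and keep lines naming the principal.
    Invoke-Dsacls @($ObjectDN) | Where-Object { $_ -match [regex]::Escape($Principal) }
}

function Remove-PrincipalAces {
    param([string]$ObjectDN, [string]$Principal)
    # /R deletes every ACE for the principal on this object, not only the ones
    # granted above, so review Get-PrincipalAces output before calling this.
    Invoke-Dsacls @($ObjectDN, "/R", $Principal) | Out-Null
}

Grant-HelpdeskDelegation -ObjectDN $OuDN -Principal $Group
Get-PrincipalAces -ObjectDN $OuDN -Principal $Group
```

Scoping the statements to a property and an object type is what keeps the delegation from becoming a generic write right on the OU; dsacls without any /G, /D or /R parameter is used as the read-back check because the page notes that viewing an ACL needs only Read permission.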

↑ Up to command list

dsadd

The dsadd command creates new objects in Active Directory. It is used in conjunction with these objects: computer, contact, group, ou, quota, and user.

dsadd computer

Adds a single computer account to Active Directory. If a value that you supply contains spaces, use quotation marks around the text, for example, “CN=DC 2,OU=Domain Controllers,DC=woodgrovebank,DC=Com”. If you supply multiple values for a parameter, use spaces to separate the values (for example, a list of distinguished names). New computer accounts are automatically made members of Domain Computers along with any other groups you specify.

Default ‘dsadd computer’ syntax

dsadd computer <ComputerDN> [-samid <SAMName>] [-desc <Description>] [-loc <Location>] [-memberof <GroupDN...>] [{-s <ServerName> | -d <DomainName>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

‘dsadd computer’ options

Description

dsadd computer <ComputerDN> Specifies the distinguished name of the computer that you want to add, and since you can’t add a computer to a domain without a name, this parameter is required.
dsadd computer -d <Domain> Connects the computer to the domain specified. By default, dsadd connects the computer to the domain controller in the logon domain.
dsadd computer -desc <Description> Specifies the description of the computer that you want to add.
dsadd computer -loc <Location> Specifies the location of the computer that you want to add.
dsadd computer -memberof <GroupDN> Specifies the groups of which you want the computer to be a member.
dsadd computer -p {<Password>|*} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsadd prompts you for a password.
dsadd computer -q Suppresses all output to standard output (quiet mode).
dsadd computer -s <Server> Connects the computer to the server specified.
dsadd computer -samid <SAMName> Specifies to use the Security Accounts Manager (SAM) name as the unique SAM account name for this computer, for example, TESTPC2$. If you do not specify this parameter, then dsadd derives a SAM account name from the value of the common name attribute in ComputerDN.
dsadd computer -u <User> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), and user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsadd computer -uc Specifies a Unicode format for input from or output to a pipe (|).
dsadd computer -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsadd computer -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsadd computer /? Displays the help message.


↑ Up to command list

‘dsadd computer’ examples

dsadd computer cn=client01,cn=computers,dc=woodgrovebank,dc=com

dsadd computer "CN=DCSERVER01,OU=Domain Controllers,DC=woodgrovebank,DC=com" -memberof "CN=Engineering,OU=Eng,DC=woodgrovebank,DC=com"

dsadd computer "CN=DCSERVER01,OU=Domain Controllers,DC=woodgrovebank,DC=com" -memberof "CN=Engineering,OU=Eng,DC=woodgrovebank,DC=com" "CN=Tech,CN=Users,DC=woodgrovebank,DC=com"

↑ Up to command list

dsadd contact

Adds a single contact to Active Directory. If the value that you supply contains spaces, use quotation marks around the text, for example, “CN=Mike Danseglio,CN=Users,DC=woodgrovebank,DC=Com”. This command only supports a subset of commonly used object class attributes.

Default ‘dsadd contact’ syntax

dsadd contact <ContactDN> [-fn <FirstName>] [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>] [-desc <Description>] [-office <Office>] [-tel <PhoneNumber>] [-email <Email>] [-hometel <HomePhoneNumber>] [-pager <PagerNumber>] [-mobile <MobileNumber>] [-fax <FaxNumber>] [-iptel <IPPhoneNumber>] [-title <Title>] [-dept <Department>] [-company <Company>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

‘dsadd contact’ options

Description

dsadd contact -company <Company> Specifies the company information of the contact you want to add.
dsadd contact <ContactDN> Specifies the distinguished name of the contact that you want to add, and since you can’t add a contact without a name, this parameter is required.
dsadd contact -d <Domain> Connects to the specified domain. By default, dsadd connects the computer to the domain controller in the logon domain.
dsadd contact -dept <Department> Specifies the department of the contact that you want to add.
dsadd contact -desc <Description> Specifies the description of the contact that you want to add.
dsadd contact -display <DisplayName> Specifies the display name of the contact that you want to add.
dsadd contact -email <Email> Specifies the email address of the contact that you want to add.
dsadd contact -fax <FaxNumber> Specifies the fax number of the contact that you want to add.
dsadd contact -fn <FirstName> Specifies the first name of the contact that you want to add.
dsadd contact -hometel <HomePhoneNumber> Specifies the home telephone number of the contact that you want to add.
dsadd contact -iptel <IPPhoneNumber> Specifies the IP telephone number of the contact that you want to add.
dsadd contact -ln <LastName> Specifies the last name of the contact that you want to add.
dsadd contact -mi <MiddleInitial> Specifies the middle initial of the contact that you want to add.
dsadd contact -mobile <CellPhoneNumber> Specifies the mobile phone number of the contact that you want to add.
dsadd contact -office <Office> Specifies the office location of the contact that you want to add.
dsadd contact -p {<Password>|*} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsadd prompts you for a password.
dsadd contact -pager <PagerNumber> Specifies the pager number of the contact that you want to add.
dsadd contact -q Suppresses all output to standard output (quiet mode).
dsadd contact -s <Server> Connects to the server specified.
dsadd contact -tel <PhoneNumber> Specifies the telephone number of the contact that you want to add.
dsadd contact -title <Title> Specifies the title of the contact that you want to add.
dsadd contact -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: username (for example, Linda), domain\username (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsadd contact -uc Specifies a Unicode format for input from or output to a pipe (|).
dsadd contact -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsadd contact -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsadd contact /? Displays the help message.


↑ Up to command list

‘dsadd contact’ examples

dsadd contact cn=MikeDan,cn=users,dc=woodgrovebank,dc=com

dsadd contact "cn=Frodo Baggins, OU=contacts, DC=hobbiton, DC=com" -fn Frodo -ln Baggins -company "Ring Fellowship, LLC" -email frodo@fellowship.org

↑ Up to command list

dsadd group

Adds a single group to Active Directory. If a value that you supply contains spaces, use quotation marks around the text, for example, “CN=Mike Danseglio,CN=Users,DC=woodgrovebank,DC=Com”. If you supply multiple values for a parameter, use spaces to separate the values, for example, a list of distinguished names. This command only supports a subset of commonly used object class attributes.

Default ‘dsadd group’ syntax

dsadd group <GroupDN> [-secgrp {yes | no}] [-scope {l | g | u}] [-samid <SAMName>] [-desc <Description>] [-memberof <Group> ...] [-members <Member> ...] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

‘dsadd group’ options

Description

dsadd group -d <Domain> Connects to the domain specified. By default, dsadd connects the computer to the domain controller in the logon domain.
dsadd group -desc <Description> Specifies the description of the group that you want to add.
dsadd group <GroupDN> Specifies the distinguished name of the group that you want to add, and since you can’t add a group to a domain without a name, this parameter is required.
dsadd group -memberof <GroupDN> Specifies the groups of which you want the group you are creating to be a member.
dsadd group -members <Member> Specifies the members to add to the new group.
dsadd group -p {<Password>|*} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsadd prompts you for a password.
dsadd group -q Suppresses all output to standard output (quiet mode).
dsadd group -s <Server> Connects the computer to the server specified.
dsadd group -samid <SAMName> Specifies to use the Security Accounts Manager (SAM) name as the unique SAM account name for this group. If you do not specify this parameter, then dsadd derives a SAM account name from the value of the common name attribute in GroupDN.
dsadd group -scope {l | g | u} Specifies whether the scope of the group that you want to add is domain local (l), global (g), or universal (u). By default, dsadd sets the scope of the group to global.
dsadd group -secgrp {yes | no} Specifies whether the group that you want to add is a security group (yes) or a distribution group (no). By default, dsadd adds the group as a security group (yes).
dsadd group -u <User> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), and user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsadd group -uc Specifies a Unicode format for input from or output to a pipe (|).
dsadd group -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsadd group -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsadd group /? Displays the help message.


↑ Up to command list

‘dsadd group’ example

dsadd group cn=sales,cn=users,dc=woodgrovebank,dc=com

↑ Up to command list

dsadd ou

Adds a single organizational unit (OU) to Active Directory. If a value that you supply contains spaces, use quotation marks around the text, for example, “OU=Domain Controllers,DC=woodgrovebank,DC=Com”. This command only supports a subset of commonly used object class attributes.

Default ‘dsadd ou’ syntax

dsadd ou <OrganizationalUnitDN> [-desc <Description>] [{-s <Server> | -d <Domain>}][-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

‘dsadd ou’ options

Description

dsadd ou -d <Domain> Connects to the domain specified. By default, dsadd connects the computer to the domain controller in the logon domain.
dsadd ou -desc <Description> Specifies the description of the OU that you want to add.
dsadd ou <OrganizationalUnitDN> Specifies the distinguished name of the OU that you want to add, and since you can’t add an OU to a domain without a name, this parameter is required.
dsadd ou -p {<Password>|*} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsadd prompts you for a password.
dsadd ou -q Suppresses all output to standard output (quiet mode).
dsadd ou -s <Server> Connects the computer to the server specified.
dsadd ou -u <User> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), and user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsadd ou -uc Specifies a Unicode format for input from or output to a pipe (|).
dsadd ou -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsadd ou -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsadd ou /? Displays the help message.


↑ Up to command list

‘dsadd ou’ example

dsadd ou ou=test,dc=woodgrovebank,dc=com
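The dsadd computer, dsadd group and dsadd ou sections above each show a single object being created. The following PowerShell script is an added example, not code from the original post: it creates an OU, then a security group and a computer account inside it, in the parent-before-child order dsadd requires, stops at the first failure, and shows how distinguished names containing spaces are passed so that dsadd receives the quotation marks the page says it needs. The domain, OU, group and computer names are placeholders.

```powershell
# Added example (not from the original post): create an OU, a group and a computer
# account with dsadd, parent first, failing fast on any error.
# Assumptions: dsadd.exe is on PATH, the caller has create rights in the domain,
# and every name below is a placeholder.
param(
    [string]$DomainDN = "DC=woodgrovebank,DC=com"
)

function Invoke-Dsadd {
    param([string[]]$Arguments)
    # -q keeps dsadd quiet; success is judged from the exit code, not from output.
    $output = & dsadd @Arguments "-q" 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dsadd $($Arguments -join ' ') failed:`n$($output -join "`n")"
    }
}

# DNs with spaces are ordinary PowerShell strings; PowerShell adds the quotation
# marks around them when it passes them to dsadd as single arguments.
$ouDN       = "OU=Lab Workstations,$DomainDN"
$groupDN    = "CN=Lab Admins,$ouDN"
$computerDN = "CN=LABPC01,$ouDN"

# 1. The OU first, because the group and computer are created beneath it.
Invoke-Dsadd @("ou", $ouDN, "-desc", "Lab workstations")

# 2. A global security group: these are the dsadd defaults, spelled out here.
Invoke-Dsadd @("group", $groupDN, "-secgrp", "yes", "-scope", "g",
               "-desc", "Administrators of lab workstations")

# 3. The computer account. -samid supplies the trailing $ that machine accounts
#    carry (single quotes keep PowerShell from treating $ as a variable), and
#    -memberof adds the account to the new group as well as Domain Computers.
Invoke-Dsadd @("computer", $computerDN, "-samid", 'LABPC01$', "-memberof", $groupDN)

"Created $ouDN, $groupDN and $computerDN"
```

Because each call throws on a non-zero exit code, a typo in the OU name stops the script before a group or computer is created in the wrong place; when a remote server or alternate credentials are needed, add -s or -u to the argument array and use -p * so the password is prompted for rather than written on the command line.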

↑ Up to command list

dsadd quota

Adds a quota specification to a directory partition. A quota specification determines the maximum number of directory objects that a given security principal can own in a specified directory partition. If a value that you use contains spaces, use quotation marks around the text, for example, “CN=DC 2,OU=Domain Controllers,DC=Woodgrovebank,DC=Com”.

Default ‘dsadd quota’ syntax

dsadd quota -part <PartitionDN> [-rdn <RelativeDistinguishedName>] -acct <Name> -qlimit <Value> [-desc <Description>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

‘dsadd quota’ options

Description

dsadd quota -acct <Name> Required. Specifies the security principal (such as a user, group, or computer object, or an InetOrgPerson object) to whom the quota specification applies. You can use any of the following forms for Name: distinguished name (also known as DN) of the security principal or Domain\SAMAccountName of the security principal.
dsadd quota -d <Domain> Connects to the domain specified. By default, dsadd connects the computer to the domain controller in the logon domain.
dsadd quota -desc <Description> Specifies a description for the quota specification that you want to add.
dsadd quota -p {<Password>|*} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsadd prompts you for a password.
dsadd quota -part <PartitionDN> Required. Specifies the distinguished name of the directory partition on which you want to create a quota. If you do not specify the distinguished name, dsadd takes the name from standard input (stdin).
dsadd quota -q Suppresses all output to standard output (quiet mode).
dsadd quota -qlimit <Value> Required. Specifies the number of objects within the directory partition that the security principal can own. To specify an unlimited quota, use -1.
dsadd quota -rdn <RelativeDistinguishedName> Specifies the relative distinguished name of the quota specification that you want to create. If you do not specify -rdn, dsadd sets the name to Domain_AccountName by using the domain and account name of the security principal that the -acct parameter specifies.
dsadd quota -s <Server> Connects the computer to the server specified.
dsadd quota -u <User> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), and user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsadd quota -uc Specifies a Unicode format for input from or output to a pipe (|).
dsadd quota -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsadd quota -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsadd quota /? Displays the help message.


‘dsadd quota’ example

dsadd quota -part "CN=configuration,dc=woodgrovebank,dc=com" -acct MikeDan -qlimit 1000
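The same quota creation as a scripted, repeatable step, written as an added PowerShell example (it is not code from the original post). It passes every value as a separate argument so DNs with spaces are quoted automatically, checks the exit code, and reads the result back with dsquery quota piped into dsget quota. The partition DN, principal names, limits and descriptions are constructed sample values; the machine is assumed to have the AD DS command-line tools installed.

```powershell
# Added example (not from the original post): create object-ownership quotas
# with dsadd quota and read them back with dsquery quota / dsget quota.
# The partition DN, principal names and limits are constructed sample values.
$partition = 'DC=woodgrovebank,DC=com'

# Principals that are allowed to create objects in the partition and the most
# objects each may own. -1 would mean unlimited; delegated accounts get a bound
# so a misused or compromised delegation cannot fill the partition.
$quotas = @(
    @{ Account = 'WOODGROVEBANK\HelpdeskOps';      Limit = 50;  Desc = 'Helpdesk: at most 50 owned objects' }
    @{ Account = 'WOODGROVEBANK\svc-provisioning'; Limit = 200; Desc = 'Provisioning service account' }
)

function New-DsQuota {
    param(
        [Parameter(Mandatory)] [string]$PartitionDN,
        [Parameter(Mandatory)] [string]$Account,
        [Parameter(Mandatory)] [int]$Limit,
        [string]$Description = ''
    )
    # Each value is passed as its own argument, so DNs containing spaces
    # (for example "OU=Domain Controllers,...") are quoted for us.
    $dsArgs = @('quota', '-part', $PartitionDN, '-acct', $Account, '-qlimit', $Limit)
    if ($Description) { $dsArgs += @('-desc', $Description) }
    & dsadd.exe @dsArgs
    if ($LASTEXITCODE -ne 0) { throw "dsadd quota failed for $Account (exit code $LASTEXITCODE)" }
}

function Get-DsQuotaLimit {
    param([string]$PartitionDN, [string]$Account)
    # dsquery quota prints the DN of the quota specification (Domain_AccountName
    # unless -rdn was given); dsget quota reads that DN from the pipe and
    # prints the account it applies to and its limit.
    & dsquery.exe quota -part $PartitionDN -acct $Account | & dsget.exe quota -acct -qlimit
}

foreach ($q in $quotas) {
    New-DsQuota -PartitionDN $partition -Account $q.Account -Limit $q.Limit -Description $q.Desc
    Get-DsQuotaLimit -PartitionDN $partition -Account $q.Account
}
```

Run it from an elevated session with rights on the partition. Splatting the argument array into dsadd.exe is what keeps the quoting correct; the read-back at the end is the check that the limit really landed on the intended principal.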


dsadd user

Adds a single user to Active Directory. If a value that you supply contains spaces, use quotation marks around the text, for example, “CN=Mike Danseglio,CN=Users,DC=Woodgrovebank,DC=Com”. If you supply multiple values for a parameter, use spaces to separate the values, for example, a list of distinguished names.

Default ‘dsadd user’ syntax

dsadd user <UserDN> [-samid <SAMName>] [-upn <UPN>] [-fn <FirstName>] [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>] [-empid <EmployeeID>] [-pwd {<Password> | *}] [-desc <Description>] [-memberof <Group>...] [-office <Office>] [-tel <PhoneNumber>] [-email <Email>] [-hometel <HomePhoneNumber>] [-pager <PagerNumber>] [-mobile <CellPhoneNumber>] [-fax <FaxNumber>] [-iptel <IPPhoneNumber>] [-webpg <WebPage>] [-title <Title>] [-dept <Department>] [-company <Company>] [-mgr <Manager>] [-hmdir <HomeDirectory>] [-hmdrv <DriveLetter>:][-profile <ProfilePath>] [-loscr <ScriptPath>] [-mustchpwd {yes | no}] [-canchpwd {yes | no}] [-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}] [-acctexpires <NumberOfDays>] [-disabled {yes | no}] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

‘dsadd user’ options

Description

dsadd user -acctexpires <NumberOfDays> Specifies the number of days from today that the user account will expire. A value of 0 sets expiration at the end of today. A positive value sets expiration in the future. A negative value sets expiration in the past. The value never sets the account to never expire. For example, a value of 0 implies that the account expires at the end of today. A value of -5 implies that the account has already expired 5 days ago and sets an expiration date in the past. A value of 5 sets the account expiration date for 5 days in the future.
dsadd user -canchpwd {yes | no} Specifies whether users can change their passwords. The available values are yes and no. By default, users can change their passwords (yes). The value of this parameter must be yes if the value of the -mustchpwd parameter is yes.
dsadd user -company <Company> Specifies the company information of the user you want to add.
dsadd user -d <Domain> Connects to the specified domain. By default, dsadd connects the computer to the domain controller in the logon domain.
dsadd user -dept <Department> Specifies the department of the user that you want to add.
dsadd user -desc <Description> Specifies the description of the user that you want to add.
dsadd user -disabled {yes | no} Specifies whether dsadd disables the user account for logon. The available values are yes or no.
dsadd user -display <DisplayName> Specifies the display name of the user that you want to add.
dsadd user -email <Email> Specifies the email address of the user that you want to add.
dsadd user -empid <EmployeeID> Specifies the employee ID of the user that you want to add.
dsadd user -fax <FaxNumber> Specifies the fax number of the user that you want to add.
dsadd user -fn <FirstName> Specifies the first name of the user that you want to add.
dsadd user -hmdir <HomeDirectory> Specifies the home directory location of the user that you want to add. If you specify HomeDirectory as a Universal Naming Convention (UNC) path, then you must specify a drive letter for dsadd to map to this path using the -hmdrv parameter.
dsadd user -hmdrv <DriveLetter> Specifies the home directory drive letter (for example, E:) of the user that you want to add.
dsadd user -hometel <HomePhoneNumber> Specifies the home telephone number of the user that you want to add.
dsadd user -iptel <IPPhoneNumber> Specifies the IP telephone number of the user that you want to add.
dsadd user -ln <LastName> Specifies the last name of the user that you want to add.
dsadd user -loscr <ScriptPath> Specifies the logon script path of the user that you want to add.
dsadd user -memberof <GroupDN> Specifies the distinguished names of the groups of which you want the user to be a member.
dsadd user -mgr <ManagerDN> Specifies the distinguished name of the manager of the user that you want to add.
dsadd user -mi <MiddleInitial> Specifies the middle initial of the user that you want to add.
dsadd user -mobile <CellPhoneNumber> Specifies the mobile phone number of the user that you want to add.
dsadd user -mustchpwd {yes | no} Specifies whether users must change their passwords when they next log on. The available values are yes and no. By default, users do not have to change their passwords (no).
dsadd user -office <Office> Specifies the office location of the user that you want to add.
dsadd user -p {<Password>|*} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsadd prompts you for a password.
dsadd user -pager <PagerNumber> Specifies the pager number of the user that you want to add.
dsadd user -profile <ProfilePath> Specifies the profile path of the user that you want to add.
dsadd user -pwd {<Password>|*} Specifies that the password for the user be set to Password or an asterisk (*). If you set the password to *, dsadd prompts you for a user password.
dsadd user -pwdneverexpires {yes | no} Specifies whether the user password never expires. The available values are yes and no. By default, user passwords expire (no).
dsadd user -q Suppresses all output to standard output (quiet mode).
dsadd user -reversiblepwd {yes | no} Specifies whether to store user passwords using reversible encryption. The available values are yes and no. By default, users cannot use reversible encryption (no).
dsadd user -s <Server> Connects to the server specified.
dsadd user -samid <SAMName> Specifies the Security Accounts Manager (SAM) name as the unique SAM account name for this user. If you do not specify the SAM name, dsadd attempts to create the SAM account name by using up to the first 20 characters from the common name (CN) value of UserDN.
dsadd user -tel <PhoneNumber> Specifies the telephone number of the user that you want to add.
dsadd user -title <Title> Specifies the title of the user that you want to add.
dsadd user -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: username (for example, Linda), domain\username (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsadd user -uc Specifies a Unicode format for input from or output to a pipe (|).
dsadd user -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsadd user -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsadd user -upn <UPN> Specifies the user principal name of the user that you want to add, for example, Linda@widgets.woodgrovebank.com.
dsadd user <UserDN> Required. Specifies the distinguished name of the user that you want to add.
dsadd user -webpg <WebPage> Specifies the web page URL of the user that you want to add.
dsadd user /? Displays the help message.


‘dsadd user’ examples

Create an enabled user account named ‘MikeDan’ in the default Users container of woodgrovebank.com:

dsadd user cn=MikeDan,cn=users,dc=woodgrovebank,dc=com -disabled no

Create an enabled user account named ‘MikeDan’ in the default Users container of woodgrovebank.com with the password Password1:

dsadd user CN=MikeDan,CN=Users,DC=Widgets,DC=Woodgrovebank,DC=Com -pwd Password1 -disabled no

Create an enabled user account named John Smith with a password of C^h3Bdo9# that must be changed at first logon, in an organizational unit (OU) named SouthEmployees in a domain named woodgrovebank.com:

dsadd user "cn=John Smith,ou=SouthEmployees,dc=Woodgrovebank,dc=com" -disabled no -pwd C^h3Bdo9# -mustchpwd yes

Create the same account, set it to never expire, and make it a member of the Janitors group in the same OU:

dsadd user "cn=John Smith,ou=SouthEmployees,dc=Woodgrovebank,dc=com" -disabled no -pwd C^h3Bdo9# -mustchpwd yes -memberof cn=janitors,ou=SouthEmployees,dc=Woodgrovebank,dc=com -acctexpires never
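The account creation from the examples above, generalised to a list of people and written as an added PowerShell example (not code from the original post). It builds the dsadd user argument list once, uses -pwd * so dsadd prompts for the initial password instead of taking it from the command line (where other local processes and process-creation audit logs can see it), forces a password change at first logon, keeps reversible encryption off, and verifies the result with dsget user. The OU, domain, group DN and the two people records are constructed sample values.

```powershell
# Added example (not from the original post): create user accounts from a
# constructed record list with dsadd user, then verify the security-relevant
# settings with dsget user. OU, domain and group are sample values.
$ou    = 'OU=SouthEmployees,DC=woodgrovebank,DC=com'
$group = "CN=Janitors,$ou"

# Constructed sample input: first name, last name, SAM account name.
$people = @(
    @{ First = 'John'; Last = 'Smith';    Sam = 'jsmith' }
    @{ First = 'Ana';  Last = 'Da Silva'; Sam = 'adasilva' }   # CN will contain spaces
)

function New-DsUserFromRecord {
    param([hashtable]$Person, [string]$OuDN, [string]$GroupDN)

    $cn  = "$($Person.First) $($Person.Last)"
    $dn  = "CN=$cn,$OuDN"
    $upn = "$($Person.Sam)@woodgrovebank.com"

    $dsArgs = @(
        'user', $dn,
        '-samid', $Person.Sam,
        '-upn', $upn,
        '-fn', $Person.First,
        '-ln', $Person.Last,
        '-display', $cn,
        '-memberof', $GroupDN,
        '-pwd', '*',             # dsadd prompts; the password never appears on the command line
        '-mustchpwd', 'yes',     # the user chooses a new password at first logon
        '-reversiblepwd', 'no',  # never store the password with reversible encryption
        '-disabled', 'no'
    )
    & dsadd.exe @dsArgs
    if ($LASTEXITCODE -ne 0) { throw "dsadd user failed for $dn (exit code $LASTEXITCODE)" }
    return $dn
}

function Get-DsUserSecuritySettings {
    param([string]$UserDN)
    # dsget user prints one header line and one value line for the selected attributes.
    $out = & dsget.exe user $UserDN -samid -disabled -mustchpwd -reversiblepwd -pwdneverexpires
    if ($LASTEXITCODE -ne 0) { throw "dsget user failed for $UserDN (exit code $LASTEXITCODE)" }
    $out
}

foreach ($p in $people) {
    $dn = New-DsUserFromRecord -Person $p -OuDN $ou -GroupDN $group
    Get-DsUserSecuritySettings -UserDN $dn
}
```

Because dsadd prompts for each password, this variant is meant for an administrator at the console; the dsget line afterwards is the check that mustchpwd is yes and reversiblepwd is no before the user is told the account exists.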


dsamain

Exposes Active Directory data that is stored in a snapshot or backup as a Lightweight Directory Access Protocol (LDAP) server.

Default dsamain syntax

dsamain /dbpath <filepath> [/logpath <path>] [/adlds] /ldapPort <number> [/sslPort <number>] [/gcport <number>] [/gcSslport <number>] [/allowUpgrade] [/allowNonAdminAccess]

dsamain options

Description

dsamain /adlds Opens an AD LDS database. You must specify this parameter when you are exposing an AD LDS database, and you must not specify it when you are exposing an AD DS database; otherwise dsamain fails.
dsamain /allowNonAdminAccess Allows nonadministrators to access data in the directory. If this option is not specified, only Domain Admins and Enterprise Admins from the target domain can access the data. Use this parameter to expose data from a domain that no longer exists.
dsamain /allowupgrade Allows an upgrade to the database file. This is useful for opening earlier versions of databases or snapshots. The file must be on writable media.
dsamain /dbpath <filepath> Specifies the file path to the database file. <filepath> must point to the database file, which might be on read-only media, such as a mounted snapshot; in a backup; or on another server, such as a domain controller or an AD LDS server. The database must be in a consistent state; that is, the Extensible Storage Engine (ESE) logs must be replayed. If you run the ntdsutil snapshot subcommand or if you run Windows Server Backup on a server running Windows Server 2008, the resulting snapshot or backup will be in a consistent state.

For the dbpath parameter, you must specify a mounted snapshot or a backup that you want to view along with the complete path to the Ntds.dit file, for example:

/dbpath E:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS\ntds.dit

Only the LDAP port is required. If you do not specify the other ports, they use LDAP+1, LDAP+2, and LDAP+3, respectively. For example, if you specify LDAP port 41389 without specifying other port values, the LDAP-SSL port uses port 41390 by default, and so on.

You cannot specify ports that are currently in use. If you run the command on a domain controller, specify different ports than those that are used by the local domain controller, for example:

dsamain /dbpath <filepath> /ldapport 51389 /sslport 51636 /gcport 53268 /gcsslport 53269

dsamain /gcport <number> Specifies the global catalog port number. This parameter applies only to an AD DS database.
dsamain /gcSslport <number> Specifies the global catalog SSL port number. This parameter applies only to an AD DS database.
dsamain Help Shows the help message at the command prompt.
dsamain /ldapPort <number> Specifies the LDAP port value. Use this same port value when you use a tool such as Ldp.exe to view that data.
dsamain /logpath <path> Specifies the path to a writable folder where the log files are created. If the path is not specified, the TEMP folder is used.
dsamain /sslPort <number> Specifies the Secure Sockets Layer (SSL) port value.
dsamain /quit Shows the help message at the command prompt.
dsamain /? Shows the help message at the command prompt.


dsamain example

Exposes the data in a snapshot $SNAP_200704181137 as an LDAP server, using LDAP port 51389:

dsamain /dbpath E:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS\ntds.dit /ldapport 51389
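Before launching dsamain on a domain controller, a practitioner wants to know that none of the four ports it will use is already taken, since the post notes that ports in use cannot be specified and that the three unspecified ports default to LDAP+1, LDAP+2 and LDAP+3. The following added PowerShell example (not code from the original post) derives the four ports from the chosen LDAP port, checks all of them against the listening sockets, and then starts dsamain on the snapshot from the example above. It assumes Get-NetTCPConnection is available (Windows 8 / Windows Server 2012 and later); the port number 51389 is a sample value.

```powershell
# Added example (not from the original post): check that the four ports dsamain
# will use are free, then expose a mounted snapshot as an LDAP server.
# The snapshot path is the one from the post's example; the port is a sample value.
$dit      = 'E:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS\ntds.dit'   # single quotes: "$" is literal
$ldapPort = 51389

function Get-DsamainPorts {
    param([int]$LdapPort)
    # Only the LDAP port is required; the others default to LDAP+1 (SSL),
    # LDAP+2 (GC) and LDAP+3 (GC SSL). Computing them here makes them explicit.
    [ordered]@{
        ldapPort  = $LdapPort
        sslPort   = $LdapPort + 1
        gcPort    = $LdapPort + 2
        gcSslPort = $LdapPort + 3
    }
}

function Test-PortsFree {
    param([int[]]$Ports)
    # Assumption: Get-NetTCPConnection exists on this host (Windows 8 / 2012+).
    $listening = (Get-NetTCPConnection -State Listen).LocalPort
    $busy = $Ports | Where-Object { $listening -contains $_ }
    if ($busy) { throw "Port(s) already in use: $($busy -join ', ')" }
    $true
}

$ports = Get-DsamainPorts -LdapPort $ldapPort
Test-PortsFree -Ports ([int[]]$ports.Values)

# dsamain stays in the foreground until Ctrl+C, so run it in its own process and
# keep this shell for querying the exposed copy (e.g. ldp.exe, or the AD module
# with -Server localhost:51389).
$dsamainArgs = "/dbpath `"$dit`" /ldapport $($ports.ldapPort) /sslport $($ports.sslPort) " +
               "/gcport $($ports.gcPort) /gcsslport $($ports.gcSslPort)"
Start-Process -FilePath dsamain.exe -ArgumentList $dsamainArgs
```

Leave /allowNonAdminAccess off unless the source domain no longer exists: with the default, only Domain Admins and Enterprise Admins of the target domain can read the exposed copy, which is the right scope for a snapshot that contains the whole directory.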


dsdbutil

Performs database maintenance of the Active Directory Domain Services (AD DS) store, facilitates configuration of Active Directory Lightweight Directory Services (AD LDS) communication ports, and views AD LDS instances that are installed on a computer.

For most of the dsdbutil commands, you only need to type the first few characters of the command name instead of the entire command. For example, you can type either of the following commands to activate an AD LDS instance named instance1:

activate instance instance1

ac i instance1

dsdbutil options

Description

Activate Instance %s (short form: ac i %s) Sets NTDS or a specific AD LDS instance as the active instance.
authoritative restore (short form: au r) Authoritatively restores the Active Directory database or AD LDS instance.
Change Service Account %s1 %s2 Changes an AD DS and AD LDS service account to user name %s1 and password %s2. Use NULL for a blank password and an asterisk (*) to enter a password from the console.
files (short form: f) Manages AD DS and AD LDS database files.
ifm (short form: i) Creates installation media for writable (full) and read-only domain controllers (RODCs) and instances of AD LDS.
Help Shows help at the command prompt.
LDAP port %d Configures a Lightweight Directory Access Protocol (LDAP) port for an AD LDS instance.
List instances (short form: li i) Lists all AD LDS instances that are installed on this computer.
Popups off (short form: po off) Disables popups.
Popups on (short form: po on) Enables popups.
Quit Quits this command.
semantic database analysis (short form: sem d a) Checks semantics.
snapshot (short form: sn) Manages snapshots.
? Shows the help message at the command prompt.


dsdbutil authoritative restore

Restores domain controllers to a specific point in time, and marks objects in Active Directory as being authoritative with respect to their replication partners. In forests that have a functional level of Windows Server 2003, Windows Server 2003 interim, or Windows Server 2008, this subcommand also restores back-links for links that were created after the functional level was raised. For example, the member attributes of groups to which a restored user object belongs are updated. The authoritative restore subcommand creates an LDAP Data Interchange Format (LDIF) file that can be used to restore back-links for links that were created before the functional level was raised.

Before you can run the authoritative restore subcommand, you need to set NTDS or an AD LDS instance as the active instance for ntdsutil. For example, if the AD LDS instance that you want to restore is named instance 1, type the following command at the ntdsutil: prompt before you run the authoritative restore subcommand, and then press ENTER:

ac in instance 1

At the authoritative restore: prompt, type any of the parameters listed in the syntax below.

Default ‘dsdbutil authoritative restore’ syntax

{create ldif file(s) from %s | list nc crs | restore object %s | restore object %s verinc %d | restore subtree %s | restore subtree %s verinc %d}

‘dsdbutil authoritative restore’ options

Description

authoritative restore: create ldif file(s) from %s This option creates an ldif file of link updates from the Ntdsutil-generated text file that is named in %s. This file can be used to update back-links on objects in a domain other than the domain of the restored object. For example, this file can be used to restore group membership for a user where the group belongs to a different domain than the user.
authoritative restore: %d A numeric value that overrides the default value of 100,000. The version number of the object or database being authoritatively restored will be increased by this value times the number of days since backup.
authoritative restore: Help Shows help at the command prompt.
authoritative restore: List NC CRs Lists partitions and cross-references. You need the cross-reference of an application directory partition to restore it.
authoritative restore: quit Takes you back to the previous menu, or exits the utility.
authoritative restore: restore object %s Marks object %s as being authoritative. This option also generates a text file that contains the distinguished name of the restored object and an LDIF file that can be used to restore back-links for objects that are being authoritatively restored (such as group memberships of users).
authoritative restore: restore object %s verinc %d Marks object %s as being authoritative and updates links as described in restore object %s; also increments the version number by %d times the number of days since backup. Use this option only to authoritatively restore over a previous, incorrect authoritative restore, such as an authoritative restore from a backup that contains the problem that you want to restore.
authoritative restore: restore subtree %s Marks subtree %s (and all children of the subtree) as being authoritative. This option also generates a text file that contains the distinguished names of the restored objects and an LDIF file that can be used to restore back-links for objects that are being authoritatively restored (such as group memberships of users).
authoritative restore: %s An alphanumeric variable, either a distinguished name for a restored object or subtree, or a file name for a text file that is used to create an LDIF file.
authoritative restore: Toggle recycled objects flag Sets the flag to allow undeletion or authoritative restore of recycled objects. This parameter is available only if Active Directory Recycle Bin is enabled. This is not recommended and can result in lost linked values after undeletion or authoritative restore.
authoritative restore: ? Shows the help message at the command prompt.


‘dsdbutil authoritative restore’ examples

List the directory partitions on a domain controller and their cross-references:

authoritative restore: list nc crs

dsdbutil files

Provides commands for managing the directory service data and log files. The data file is called Ntds.dit. Before you can run the files subcommand, set NTDS or an AD LDS instance as the active instance for Ntdsutil. For example, if the AD LDS instance whose files you want to manage is named instance 1, type the following command at the ntdsutil: prompt before you run the files subcommand, and then press ENTER:

ac in instance 1

You must stop the AD DS or AD LDS service before you can run the files subcommand. To stop AD DS, click Start, click Server Manager. In the console tree, double-click Configuration, and then click Services. In the details pane, right-click Active Directory Domain Services, and then click Stop.

AD DS is implemented on top of an indexed sequential access method (ISAM) table manager. This is the same table manager used by Microsoft Exchange Server, File Replication Service (FRS), the security configuration editor, Active Directory Certificate Services (AD CS), Windows Internet Name Service (WINS), and other Windows components. The version of the database that Windows 2000, Windows Server 2003, and Windows Server 2008 use is called the extensible storage engine (ESENT).

ESENT is a transacted database system that uses log files to support rollback semantics to ensure that transactions are committed to the database. Ideally, the database and log files should be located on separate drives to improve performance and support recovery of the data if a disk fails.

ESENT provides its own tool for certain database file management functions, called esentutl.exe, which is also installed in the systemroot\System32 folder. Several of the Ntdsutil file management commands invoke Esentutl, reducing the need to learn the tool’s command-line arguments. In the cases where Ntdsutil invokes Esentutl, it brings up a separate window configured with a large history so that you can scroll back to see all of the Esentutl progress indicators.

At the file maintenance: prompt, type any of the parameters listed in the syntax below.

Default ‘dsdbutil files’ syntax

[checkpoint] [checksum] [compact to %s] [dump page %d] [header] [info] [integrity] [logfile %s] [metadata] [move DB to %s] [move logs to %s] [recover] [set backup exclusion key] [set default folder security] [set path backup %s] [set path db %s] [set path logs %s] [set path working dir %s] [space usage]

‘dsdbutil files’ options

Description

file maintenance: checkpoint Dumps the Jet database checkpoint file (edb.chk). This option is intended for use only by support personnel.
file maintenance: checksum Performs Jet database physical integrity check.
file maintenance: compact to %s (where %s identifies an empty target directory) Invokes esentutl.exe to compact the existing data file and writes the compacted file to the specified directory. The directory can be remote, that is, mapped by means of the net use command or similar means. After compaction is complete, archive the old data file and move the newly compacted file back to the original location of the data file. ESENT supports online compaction, but this compaction only rearranges pages within the data file and does not release space back to the file system. (The directory service invokes online compaction regularly.)
file maintenance: dump page %d Dumps the Jet database page number specified as %d. This option is intended for use only by support personnel.
file maintenance: header Writes the header of the Ntds.dit data file to the screen. This command can help support personnel analyze database problems.
file maintenance: Help Shows the help message at the command prompt.
file maintenance: info Analyzes and reports the free space for the disks that are installed in the system, reads the registry, and then reports the sizes of the data and log files (the directory service maintains the registry, which identifies the location of the data files, log files, and directory service working directory.)
file maintenance: integrity Invokes Esentutl.exe to perform an integrity check on the data file, which can detect low-level database corruption. It reads every byte of your data file; thus it can take a long time to process large databases. Note that you should always run recover before performing an integrity check.
file maintenance: logfile %s Dumps the Jet log file %s, where %s can be the absolute path or just the log file name in the Logs folder. This option is intended for use only by support personnel.
file maintenance: metadata Dumps the Jet database metadata. This option is intended for use only by support personnel.
file maintenance: move DB to %s (where %s identifies a target directory) Moves the Ntds.dit data file to the new directory specified by %s and updates the registry so that, upon service restart, the directory service uses the new location.
file maintenance: move logs to %s (where %s identifies a target directory) Moves the directory service log files to the new directory specified by %s, and updates the registry so that, upon service restart, the directory service uses the new location.
file maintenance: quit Takes you back to the previous menu or exits the utility.
file maintenance: recover Invokes Esentutl.exe to perform a soft recovery of the database. Soft recovery scans the log files and ensures all committed transactions therein are also reflected in the data file. Logs are used to ensure committed transactions are not lost if your system fails or if you have unexpected power loss. In essence, transaction data is written first to a log file and then to the data file. When you restart after failure, you can rerun the log to reproduce the transactions that were committed but hadn’t made it to the data file.
file maintenance: set backup exclusion key Sets the backup exclusion key for the AD DS or AD LDS instance. This option is intended for use only by support personnel.
file maintenance: set default folder security Resets security on the NTDS folder to default values.
file maintenance: set path backup %s (where %s identifies a target directory) Sets the disk-to-disk backup target to the directory specified by %s. The directory service can be configured to perform an online, disk-to-disk backup at scheduled intervals.
file maintenance: set path db %s (where %s identifies a target directory) Updates the part of the registry that identifies the location and file name of the data file. Use this command only to rebuild a domain controller that has lost its data file and that is not being restored by means of normal restoration procedures.
file maintenance: set path logs %s (where %s identifies a target directory) Updates the part of the registry that identifies the location of the log files. Use this command only if you are rebuilding a domain controller that has lost its log files and is not being restored by means of normal restoration procedures.
file maintenance: set path working dir %s (where %s identifies a target directory) Sets the part of the registry that identifies the directory service’s working directory to the directory specified by %s.
file maintenance: space usage Dumps the Jet database space usage.
file maintenance: ? Shows the help message at the command prompt.


‘dsdbutil files’ examples

Perform a Jet database physical integrity check:

file maintenance: checksum

Compact the Active Directory database and write the compacted file to a folder named C:\Windows\NTDS_Old:

file maintenance: compact to C:\Windows\NTDS_Old


dsdbutil ifm

Creates installation media for writable (full) domain controllers, read-only domain controllers (RODCs), and instances of Active Directory Lightweight Directory Services (AD LDS). Before you run ifm, you must set an active instance of a directory that Ntdsutil is to use. You can either specify “ntds” to set AD DS as the active instance or you can specify the name of an AD LDS instance. For more information about how to set an active instance, see ntdsutil. For more information, see Installing AD DS from Media.

For more about generating installation media and using it to install an additional domain controller, see Installing an Additional Domain Controller by Using IFM.

You can run the ifm subcommand on a writable domain controller to create installation media for an RODC. Ntdsutil removes any cached secrets, such as passwords, from RODC installation media. You can also create installation media for an RODC by running the ifm subcommand on another RODC in that domain. However, to generate installation media for a writable domain controller, you must use another writable domain controller as the source of the installation media.

You cannot run the ifm subcommand on a domain controller that runs Windows Server 2003. You cannot use a domain controller that runs Windows Server 2003 to create installation media for a domain controller that runs Windows Server 2008, or the reverse.

You can use a 32-bit domain controller that runs Windows Server 2008 to generate installation media for a 64-bit domain controller that runs Windows Server 2008, and the reverse.

When you create installation media for a domain controller, the ifm subcommand stores the installation media in a subfolder named Active Directory after the subcommand completes. You must specify this same subfolder name when you install AD DS on another domain controller.

The IFM process creates a temp database in the %TMP% folder. You need at least 110% of the size of the AD DS or AD LDS database free on the drive where the %TMP% folder is in order for the operation to succeed. You can redirect the %TMP% folder to another disk on the server in order to use more space.

Default ‘dsdbutil ifm’ syntax

ifm {create full %s | create rodc %s | create sysvol full %s | create sysvol rodc %s} [quit]

‘dsdbutil ifm’ options

Description

ifm: create full %s Creates installation media for a writable Active Directory domain controller or an AD LDS instance in the %s folder. You can specify only this parameter for an AD LDS instance.
ifm: create rodc %s Creates installation media for an RODC in the %s folder. You can use this command only with AD DS.
ifm: Create Sysvol Full %s Creates installation media for a writable domain controller with SYSVOL in the %s folder. In order for the additional domain controller to use the SYSVOL folder on the IFM media as a replication source during the installation, you must run this command on a domain controller that runs Windows Server 2008 with SP2 or later or Windows Server 2008 R2.
ifm: Create Sysvol RODC %s Creates installation media for an RODC with SYSVOL in the %s folder. In order for the additional domain controller to use the SYSVOL folder on the IFM media as a replication source during the installation, you must run this command on a domain controller that runs Windows Server 2008 with SP2 or later or Windows Server 2008 R2.
ifm: Help Shows the help message at the command prompt.
ifm: quit Returns to the prior menu.
ifm: ? Shows the help message at the command prompt.


‘dsdbutil ifm’ examples

Creates RODC installation media in a folder named Installation Media on drive C:

create rodc "C:\Installation Media"

Creates writable domain controller installation media in a folder named InstallationMedia on drive C:

create full C:\InstallationMedia
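The interactive prompts above can be driven from a script by handing each prompt line to the tool as a quoted argument, which is how the next added PowerShell example (not code from the original post) creates full installation media. Before running ifm it checks the free-space rule the post states (at least 110% of the database size on the drive holding %TMP%) and restricts the output folder to SYSTEM and Administrators, because full media contain the directory database itself and must be protected like a DC backup. It assumes dsdbutil accepts prompt commands as quoted arguments in the way ntdsutil does, that the database is at the default %SystemRoot%\NTDS\ntds.dit, and uses C:\InstallationMedia as a sample target.

```powershell
# Added example (not from the original post): create full-DC installation media
# non-interactively with dsdbutil after checking free space (>= 110% of ntds.dit
# on the %TMP% drive) and locking down the output folder. Paths are sample values.
$target = 'C:\InstallationMedia'    # no spaces, so the ifm command needs no inner quoting

function Test-IfmFreeSpace {
    param(
        [string]$DitPath = "$env:SystemRoot\NTDS\ntds.dit",   # assumed default location
        [string]$TmpPath = $env:TMP
    )
    $ditSize  = (Get-Item -LiteralPath $DitPath).Length
    $tmpDrive = (Get-Item -LiteralPath $TmpPath).PSDrive.Name
    $free     = (Get-PSDrive -Name $tmpDrive).Free
    $needed   = [math]::Ceiling($ditSize * 1.1)
    if ($free -lt $needed) {
        throw ("Need {0:N0} bytes free on drive {1} (110% of ntds.dit), have {2:N0}" -f $needed, $tmpDrive, $free)
    }
    $true
}

function New-IfmFullMedia {
    param([string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Full media contain the directory database, so remove inherited ACEs and
    # grant only SYSTEM and Administrators before anything is written.
    & icacls.exe $Path /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path (exit code $LASTEXITCODE)" }

    # One quoted argument per prompt line: dsdbutil: -> ifm: -> quit twice to back out.
    & dsdbutil.exe 'activate instance ntds' 'ifm' "create full $Path" 'quit' 'quit'
    if ($LASTEXITCODE -ne 0) { throw "ifm create full failed (exit code $LASTEXITCODE)" }

    # The media land in a subfolder named "Active Directory"; list it as the check.
    Get-ChildItem -LiteralPath (Join-Path $Path 'Active Directory')
}

Test-IfmFreeSpace
New-IfmFullMedia -Path $target
```

Use 'create rodc' in place of 'create full' for RODC media; the post notes that cached secrets are stripped from that variant, which is why the folder ACL matters most for full media.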


dsdbutil semantic database analysis

Verifies the integrity of Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) database files with respect to Active Directory semantics.

Unlike the file management commands described earlier, which test the integrity of the database with respect to the ESENT database semantics, the semantic analysis analyzes the data with respect to Active Directory semantics. It generates reports on the number of records present, including deleted and phantom records.

Before you can run the semantic database analysis subcommand, you need to set NTDS or an AD LDS instance as the active instance for Ntdsutil. For example, if the AD LDS instance that you want to analyze is named instance1, type the following command at the ntdsutil: prompt before you run the semantic database analysis subcommand:

ac in instance1

You have to stop the AD DS or AD LDS service before you can run the semantic database analysis subcommand. To stop AD DS, click Start, click Server Manager. In the console tree, double-click Configuration, and then click Services. In the details pane, right-click Active Directory Domain Services, and then click Stop.

At the semantic checker: prompt, type any of the parameters that are listed in the syntax below.

Default ‘dsdbutil semantic database analysis’ syntax

[get %d] [{go | go fixup}] [verbose %s] [{check quota | rebuild quota}]

‘dsdbutil semantic database analysis’ options

Description

semantic checker: check quota Integrity-checks the quota-tracking table (object owner quotas). This command checks whether the quota table is correct by trying to open the quota-tracking table and getting column information for each predefined column name.
semantic checker: get %d Retrieves record number %d from the Ntds.dit.
semantic checker: go Starts the semantic analysis of the Ntds.dit or AD LDS instance with no fixup. A report is generated and written to a file named dsdit.dmp.n, in the current directory, where n is an integer that is incremented each time that you carry out the command.
semantic checker: go fixup Starts the semantic checker with fixup.
semantic checker: Help Shows the help message at the command prompt.
semantic checker: quit Takes you back to the previous menu, or exits the utility.
semantic checker: rebuild quota Forces asynchronous rebuild of the quota-tracking table.
semantic checker: ? Shows the help message at the command prompt.


‘dsdbutil semantic database analysis’ examples

Turns on verbose mode logging:

semantic checker: verbose on

Starts the semantic analysis of Ntds.dit with no fixup:

semantic checker: go
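The stop, analyze, restart sequence described above, scripted end to end. This is an added example and not code from the original post or from Microsoft; it assumes an elevated PowerShell session on the domain controller, ntdsutil.exe on the path (the non-interactive form used here, where each quoted argument is one line typed at the successive prompts, works the same way with dsdbutil.exe), and C:\ADS-SemanticCheck is an assumed working directory. The part a practitioner usually gets wrong is the restart: Stop-Service -Force takes every service that depends on NTDS down with it, and Start-Service NTDS does not bring them back, so the script records and restarts them itself.

```powershell
# Added example (not from the original post): run an offline semantic database
# analysis of Ntds.dit, then bring AD DS back together with the services that
# depended on it. Assumes an elevated session on the DC and ntdsutil.exe on the path.
param(
    [switch]$Fixup,                              # "go fixup" instead of the read-only "go"
    [string]$Instance = 'ntds',                  # or the name of an AD LDS instance
    [string]$WorkDir  = 'C:\ADS-SemanticCheck'   # assumed path; dsdit.dmp.n is written here
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Push-Location $WorkDir

$ntds = Get-Service -Name NTDS
# Stop-Service -Force also stops everything that depends on NTDS (for example the
# KDC). Start-Service does not restart dependents, so remember them now.
$dependents = @($ntds.DependentServices | Where-Object { $_.Status -eq 'Running' } |
                Select-Object -ExpandProperty Name)
$wasRunning = ($ntds.Status -eq 'Running')

try {
    if ($wasRunning) { Stop-Service -Name NTDS -Force }

    $mode   = if ($Fixup) { 'go fixup' } else { 'go' }
    $before = @(Get-ChildItem -Path $WorkDir -Filter 'dsdit.dmp.*' |
                Select-Object -ExpandProperty Name)
    $log    = Join-Path $WorkDir ('semantic-check-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))

    # Each argument is one line typed at the successive prompts:
    # ntdsutil: -> semantic checker: -> verbose on, go -> quit -> quit.
    & ntdsutil.exe "activate instance $Instance" 'semantic database analysis' 'verbose on' $mode quit quit 2>&1 |
        ForEach-Object { "$_" } | Tee-Object -FilePath $log
    if ($LASTEXITCODE -ne 0) { Write-Warning "ntdsutil exited with code $LASTEXITCODE, see $log" }

    # The checker writes dsdit.dmp.<n> in the current directory and increments n
    # on every run, so this run's report is the one that was not there before.
    $report = Get-ChildItem -Path $WorkDir -Filter 'dsdit.dmp.*' |
        Where-Object { $before -notcontains $_.Name } |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($report) { Write-Host "Semantic analysis report: $($report.FullName)" }
    else         { Write-Warning "No dsdit.dmp.n report found in $WorkDir" }
}
finally {
    if ($wasRunning) {
        Start-Service -Name NTDS
        foreach ($name in $dependents) { Start-Service -Name $name -ErrorAction Continue }
    }
    Pop-Location
}
```

Run it without parameters for the read-only check; add -Fixup only after reviewing a clean run's report, since "go fixup" changes the database. Keep the .log and dsdit.dmp.n files together: the report is the record of what the checker found, the log is the record of what the tool was told to do.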


dsdbutil snapshot

Manages snapshots of the volumes that contain the Active Directory database and log files, which you can view on a domain controller without starting in Directory Services Restore Mode (DSRM). You can also run the snapshot subcommand on an Active Directory Lightweight Directory Services (AD LDS) server. In the command-line tool ntdsutil.exe, you can use the snapshot subcommand to manage the snapshots, but you must use dsamain.exe to expose the snapshot as a Lightweight Directory Access Protocol (LDAP) server.

Before you can run the snapshot subcommand, you must run the activate instance subcommand in ntdsutil to set an active instance. You are not required to run the snapshot subcommand to use dsamain.exe. Instead, you can use a backup of the AD DS or AD LDS database or another domain controller or AD LDS server. Running the snapshot subcommand simply provides convenient data input for dsamain.exe.

Default ‘dsdbutil snapshot’ syntax

activate instance %s [create] [delete %s] [unmount %s] [list all] [list mounted ] [mount %s] [quit]

‘dsdbutil snapshot’ options and descriptions

snapshot: activate instance %s Sets an active instance for the command. You can either specify “ntds” to set AD DS as the active instance or you can specify the name of an AD LDS instance.
snapshot: create Creates a snapshot.
snapshot: delete %s Deletes a snapshot with globally unique identifier (GUID) %s. Use * to delete all snapshots.
snapshot: Help Shows the help message at the command prompt.
snapshot: list all Lists all mounted snapshots. You can run this command to obtain an index number for a mounted snapshot. You can then use the index number, instead of a (GUID), to mount or unmount a snapshot.
snapshot: list mounted Lists mounted snapshots. You can run this command to obtain an index number for a mounted snapshot. You can then use the index number instead of a (GUID) to mount or unmount a snapshot.
snapshot: quit Returns to the prior menu.
snapshot: mount %s Mounts a snapshot with (GUID) %s. You can refer to an index number of any mounted snapshot instead of its GUID.
snapshot: unmount %s Unmounts a snapshot with (GUID) %s. Use * to unmount all mounted snapshots.
snapshot: ? Shows the help message at the command prompt.


‘dsdbutil snapshot’ examples

Set NTDS as the active instance (full form and abbreviated form):

ntdsutil: activate instance ntds

ntdsutil: ac in ntds

Mount a snapshot with its (GUID):

snapshot: mount {8ec8ff74-c0d7-435a-b6b1-54ef185926be}

Unmount the same snapshot:

snapshot: unmount {8ec8ff74-c0d7-435a-b6b1-54ef185926be}

List the mounted snapshots:

snapshot: list mounted
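An added example, not from the original post, that turns the list, mount and unmount subcommands above into a hygiene check: it lists every snapshot ntdsutil knows about, flags the ones still mounted (a mounted snapshot is a readable copy of the directory database sitting on the domain controller's file system, and it should be unmounted once the work that needed it is done) and can unmount them all. It assumes an elevated session on the DC, ntdsutil.exe on the path, and the output shape stated in the comments: every line that describes a snapshot carries an index and a GUID in braces, and a mounted snapshot additionally shows a path of the form C:\$SNAP_<timestamp>_VOLUMEC$\.

```powershell
# Added example (not from the original post): list the Active Directory snapshots
# ntdsutil knows about, flag any left mounted, and optionally unmount them all.
# Assumes an elevated session on the DC and ntdsutil.exe on the path.
param(
    [switch]$UnmountAll,          # unmount every mounted snapshot after reporting
    [string]$Instance = 'ntds'    # or the name of an AD LDS instance
)

function Invoke-NtdsutilSnapshot {
    # Runs one "snapshot:" subcommand non-interactively. Each argument is one line
    # typed at the successive prompts; the two quits unwind the menus and exit.
    param([Parameter(Mandatory = $true)][string]$SubCommand)
    $lines = @("activate instance $Instance", 'snapshot', $SubCommand, 'quit', 'quit')
    & ntdsutil.exe @lines 2>&1 | ForEach-Object { "$_" }
}

function ConvertFrom-SnapshotList {
    # Parses "list all" output. Format assumption: a line describing a snapshot
    # starts with "<index>:" and carries a GUID in braces; when the snapshot is
    # mounted the line also carries the mount path, for example (constructed):
    #   " 2: C: {8ec8ff74-c0d7-435a-b6b1-54ef185926be} C:\$SNAP_201203011200_VOLUMEC$\"
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        if ($Line -match '^\s*(?<idx>\d+):\s*(?<rest>.*\{(?<guid>[0-9a-fA-F-]{36})\}.*)$') {
            $idx = [int]$Matches.idx; $guid = $Matches.guid; $rest = $Matches.rest.Trim()
            # second -match overwrites $Matches, hence the copies above
            $path = if ($rest -match '(?<path>[A-Za-z]:\\\$SNAP_[^\s]+)') { $Matches.path } else { $null }
            [pscustomobject]@{ Index = $idx; Guid = "{$guid}"; MountPath = $path; Detail = $rest }
        }
    }
}

function Get-MountedSnapshots {
    @(Invoke-NtdsutilSnapshot -SubCommand 'list all' | ConvertFrom-SnapshotList |
      Where-Object { $_.MountPath })
}

$snapshots = @(Invoke-NtdsutilSnapshot -SubCommand 'list all' | ConvertFrom-SnapshotList)
if ($snapshots.Count -eq 0) { Write-Host 'No snapshots registered with ntdsutil.' }
$snapshots | Format-Table Index, Guid, MountPath, Detail -AutoSize

# Cross-check on disk: a mounted snapshot is exposed as a $SNAP_* directory at the
# root of the volume (assumption based on the path form above). A directory here
# that ntdsutil does not list as mounted deserves a closer look.
$onDisk = @(Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    Get-ChildItem -Path $_.Root -Filter '$SNAP_*' -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } | Select-Object -ExpandProperty FullName
})
$mounted = @($snapshots | Where-Object { $_.MountPath })
foreach ($dir in $onDisk) {
    if (-not ($mounted | Where-Object { $_.MountPath.TrimEnd('\') -eq $dir.TrimEnd('\') })) {
        Write-Warning "$dir exists on disk but ntdsutil does not list it as mounted"
    }
}

if ($mounted.Count -gt 0) {
    $paths = ($mounted | ForEach-Object { $_.MountPath }) -join ', '
    Write-Warning "$($mounted.Count) snapshot(s) still mounted: $paths"
    if ($UnmountAll) {
        Invoke-NtdsutilSnapshot -SubCommand 'unmount *' | Out-Null   # "unmount *" = all mounted
        $left = Get-MountedSnapshots
        if ($left.Count -eq 0) { Write-Host 'All snapshots unmounted.' }
        else { Write-Warning "$($left.Count) snapshot(s) still mounted after unmount *" }
    }
}
```

Run it without -UnmountAll first and read the table: the Detail column keeps the raw ntdsutil line, so if the output format on your build differs from the assumption in ConvertFrom-SnapshotList you will see it there rather than in a silently empty MountPath. Unmounting only detaches the snapshot; the snapshot itself stays registered until delete %s (or delete *) removes it.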


dsget

Displays the selected properties of a specific object in Active Directory. It is used in conjunction with these objects: computer, contact, group, ou, partition, quota, server, site, subnet, and user.

dsget computer

Displays the properties of a computer in Active Directory. There are two variations of this command. The first variation displays the properties of multiple computers. The second variation displays the membership information of a single computer. If you do not supply a target object at the command prompt, dsget obtains the target object from standard input (stdin). Dsget can accept standard input from the keyboard, from a redirected file, or as piped output from another command. To mark the end of standard input data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).

Default ‘dsget computer’ syntax

dsget computer <ComputerDN> [-dn] [-samid] [-sid] [-desc] [-loc] [-disabled] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}] [-part <PartitionDN> [-qlimit] [-qused]]

dsget computer <ComputerDN> [-memberof [-expand]] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

‘dsget computer’ options and descriptions

dsget computer -c Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not supply this parameter, dsget exits when the first error occurs.
dsget computer <ComputerDN> (first variation) Required. Specifies the distinguished names of the computer object list that you want to view. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command.
dsget computer <ComputerDN> (second variation) Required. Specifies the distinguished name of the single computer you want to view.
dsget computer -d <Domain> Connects the computer to the domain that you specify. By default, dsget connects the computer to the domain controller in the logon domain.
dsget computer -desc Displays the descriptions of the computers.
dsget computer -disabled Displays the status of the computer accounts. Yes indicates that the account is disabled and no indicates that the account is enabled.
dsget computer -dn Displays the distinguished names of the computers.
dsget computer -expand Displays the recursively expanded list of groups of which the computer is a member. This option takes the immediate group membership list of the computer, as returned by the -memberof parameter, and then recursively expands each group in this list to determine its group memberships as well to arrive at a complete closure set of the groups.
dsget computer -l Displays entries in a list format. By default, dsget displays entries in a table format.
dsget computer -loc Displays the locations of the computers.
dsget computer -memberof Displays the immediate list of groups of which the computer is a member. This takes a single target object only as input parameter (the second variation of the dsget computer command).
dsget computer -p {<Password> | *} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsget prompts you for a password.
dsget computer -part <PartitionDN> Connects to the directory partition with the distinguished name of PartitionDN.
dsget computer -q Suppresses all output to standard output (quiet mode).
dsget computer -qlimit Displays the effective quota of the computer in the directory partition that you specify for the -part parameter.
dsget computer -qused Displays how much of its quota a computer has used in the directory partition that you specify for the -part parameter.
dsget computer -s <Server> Connects the computer to the remote server that you specify. By default, dsget connects the computer to the domain controller in the logon domain.
dsget computer -samid Displays the Security Account Manager (SAM) account names of the computers that you specify.
dsget computer -sid Displays the computer security IDs (SIDs).
dsget computer -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsget computer -uc Specifies a Unicode format for input from or output to a pipe (|).
dsget computer -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsget computer -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsget computer ? Shows the help message at the command prompt.


‘dsget computer’ examples

Display the descriptions of all computers in an organizational unit (OU) named Test whose name starts with “tst”:

dsquery computer OU=Test,DC=Woodgrovebank,DC=Com -name tst* | dsget computer -desc

Display the list of groups, recursively expanded, to which the MyDBServer computer belongs:

dsget computer CN=MyDBServer,CN=computers,DC=Woodgrovebank,DC=Com -memberof -expand


dsget contact

Displays the properties of a contact in Active Directory.

Default ‘dsget contact’ syntax

dsget contact <ContactDN> [-fn <FirstName>] [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>] [-desc <Description>] [-office <Office>] [-tel <PhoneNumber>] [-email <Email>] [-hometel <HomePhoneNumber>] [-pager <PagerNumber>] [-mobile <MobileNumber>] [-fax <FaxNumber>] [-iptel <IPPhoneNumber>] [-title <Title>] [-dept <Department>] [-company <Company>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

‘dsget contact’ options and descriptions

dsget contact -c Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not specify this parameter, dsget contact exits when the first error occurs.
dsget contact -company <Company> Specifies the company information of the contact you want to view.
dsget contact <ContactDN> Specifies the distinguished name of the contact that you want to view, and since you can’t view a contact without a name, this parameter is required.
dsget contact -d <Domain> Connects to the specified domain. By default, dsget connects the computer to the domain controller in the logon domain.
dsget contact -dept <Department> Specifies the department of the contact that you want to view.
dsget contact -desc <Description> Specifies the description of the contact that you want to view.
dsget contact -display <DisplayName> Specifies the display name of the contact that you want to view.
dsget contact -email <Email> Specifies the email address of the contact that you want to view.
dsget contact -fax <FaxNumber> Specifies the fax number of the contact that you want to view.
dsget contact -fn <FirstName> Specifies the first name of the contact that you want to view.
dsget contact -hometel <HomePhoneNumber> Specifies the home telephone number of the contact that you want to view.
dsget contact -iptel <IPPhoneNumber> Specifies the IP telephone number of the contact that you want to view.
dsget contact -l Displays entries in a list. By default, dsget displays entries in a table.
dsget contact -ln <LastName> Specifies the last name of the contact that you want to view.
dsget contact -mi <MiddleInitial> Specifies the middle initial of the contact that you want to view.
dsget contact -mobile <CellPhoneNumber> Specifies the mobile phone number of the contact that you want to view.
dsget contact -office <Office> Specifies the office location of the contact that you want to view.
dsget contact -p {<Password>|*} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsget prompts you for a password.
dsget contact -pager <PagerNumber> Specifies the pager number of the contact that you want to view.
dsget contact -q Suppresses all output to standard output (quiet mode).
dsget contact -s <Server> Connects to the server specified. By default, dsget connects the computer to the domain controller in the logon domain.
dsget contact -tel <PhoneNumber> Specifies the telephone number of the contact that you want to view.
dsget contact -title <Title> Specifies the title of the contact that you want to view.
dsget contact -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: username (for example, Linda), domain\username (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsget contact -uc Specifies a Unicode format for input from or output to a pipe (|).
dsget contact -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsget contact -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsget contact /? Displays the help message.


‘dsget contact’ examples

Display the description and phone numbers for contacts Mike Danseglio and Don Funk:

dsget contact "CN=Mike Danseglio,OU=Contacts,DC=Woodgrovebank,DC=Com" "CN=Don Funk,OU=Contacts,DC=Woodgrovebank,DC=Com" -desc -tel


dsget group

Displays the properties of a group in the directory, including its members. There are two variations of this command. The first variation allows you to view the properties of multiple groups. The second variation displays the group membership information of a single group.

Default ‘dsget group’ syntax

dsget group <GroupDN> [-dn] [-samid] [-sid] [-desc] [-secgrp] [-scope] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}] [-part <PartitionDN> [-qlimit] [-qused]]

dsget group <GroupDN> [{-memberof | -members}] [-expand] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

‘dsget group’ options and descriptions

dsget group -d <Domain> Connects to the domain specified. By default, dsget connects the computer to the domain controller in the logon domain.
dsget group -desc Displays the descriptions of the groups.
dsget group -dn Displays the distinguished names of the groups.
dsget group -expand For the -memberof parameter, displays the recursively expanded list of groups in which the group is a member. This option takes the immediate membership list of the group, and then also recursively expands each group in this list to determine its group memberships to arrive at a complete closure set of the groups.

For the -members parameter, displays the recursively expanded list of members of the group. This parameter takes the immediate list of members of the group and then also recursively expands each group in this list to determine its group memberships to arrive at a complete closure set of the members.

dsget group <GroupDN> (first variation) Specifies the distinguished name of the group that you want to view, and since you can’t view a group without a name, this parameter is required.
dsget group <GroupDN> (second variation) Required. Specifies the distinguished name of the group that you want to view.
dsget group -memberof Displays the immediate list of groups of which the group is a member.
dsget group -members Displays the immediate list of members of the group.
dsget group -p {<Password>|*} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsget prompts you for a password.
dsget group -part <PartitionDN> Connects a computer to the directory partition with the distinguished name of PartitionDN.
dsget group -q Suppresses all output to standard output (quiet mode).
dsget group -s <Server> Connects the computer to the server specified.
dsget group -samid Displays the Security Account Manager (SAM) account names of the groups.
dsget group -scope Displays information about whether group scopes are local, global, or universal.
dsget group -secgrp Displays whether groups are security groups (yes) or distribution groups (no).
dsget group -sid Displays the group security IDs (SIDs).
dsget group -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), and user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsget group -uc Specifies a Unicode format for input from or output to a pipe (|).
dsget group -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsget group -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsget group /? Displays the help message.


‘dsget group’ examples

Display the descriptions of all groups in an organizational unit (OU) named Test whose names start with “adm”:

dsquery group OU=Test,DC=Woodgrovebank,DC=Com -name adm* | dsget group -desc

Display the list of members, recursively expanded, of the Backup Operators group:

dsget group "CN=Backup Operators,OU=Test,DC=Woodgrovebank,DC=Com" -members -expand
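An added example, not from the original post, that builds on the two pipelines shown above (dsquery output piped into dsget, and -members -expand for the closure set of a group) and on the stdin behaviour described under dsget computer. It expands the effective membership of a few built-in privileged groups, then reads each member's object class and disabled state through ADSI, because the expanded list from dsget is just distinguished names, and writes a CSV that can be diffed from one run to the next. It assumes a domain-joined machine with the AD DS command-line tools installed, an account allowed to read the directory, the built-in group names, and .\privileged-members.csv as an assumed output path.

```powershell
# Added example (not from the original post): report the effective (recursively
# expanded) members of privileged groups, with object class and disabled state.
# Assumes the AD DS tools (dsquery.exe, dsget.exe) are installed and the caller
# can read the directory.
param(
    [string[]]$GroupName = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Backup Operators'),
    [string]$OutFile = '.\privileged-members.csv'   # assumed output path
)

function Get-GroupDn {
    # dsquery prints each matching DN wrapped in double quotes, one per line.
    param([string]$Name)
    & dsquery.exe group domainroot -name $Name 2>$null |
        ForEach-Object { "$_".Trim().Trim('"') } | Where-Object { $_ }
}

function Get-EffectiveMembers {
    # -members -expand returns the closure set: direct members plus the members of
    # every nested group, however deep. DNs come back quoted like dsquery's.
    param([string]$GroupDn)
    & dsget.exe group $GroupDn -members -expand 2>$null |
        ForEach-Object { "$_".Trim().Trim('"') } | Where-Object { $_ }
}

function Get-MemberDetail {
    param([string]$GroupDn, [string]$MemberDn)
    # '/' is the one DN character that must be escaped in an ADsPath.
    $entry = [ADSI]('LDAP://' + $MemberDn.Replace('/', '\/'))
    $class = @($entry.objectClass)[-1]           # most specific class: user, computer, group, ...
    $uac   = $entry.Properties['userAccountControl']
    # ADS_UF_ACCOUNTDISABLE (0x2); groups and foreign security principals have no UAC.
    $disabled = if ($uac.Count -gt 0) { ([int]$uac[0] -band 0x2) -ne 0 } else { $null }
    [pscustomobject]@{
        Group    = $GroupDn
        Member   = $MemberDn
        Class    = $class
        SamId    = "$($entry.sAMAccountName)"
        Disabled = $disabled
    }
}

$rows = foreach ($name in $GroupName) {
    $dn = Get-GroupDn -Name $name
    if (-not $dn) { Write-Warning "Group '$name' not found"; continue }
    foreach ($member in Get-EffectiveMembers -GroupDn $dn) {
        Get-MemberDetail -GroupDn $dn -MemberDn $member
    }
}

$rows | Sort-Object Group, Member | Export-Csv -Path $OutFile -NoTypeInformation
$rows | Group-Object Group | ForEach-Object { '{0,4} effective members of {1}' -f $_.Count, $_.Name }
$rows | Where-Object { $_.Disabled -eq $true } |
    ForEach-Object { Write-Warning "Disabled account still holds privileged membership: $($_.Member)" }
```

The expansion is left to dsget on purpose: it already follows nested groups to the closure set, which is the number that matters when reviewing who can act as an administrator, while the ADSI bind adds the attributes dsget's list form does not carry. Keep successive CSVs and compare them; a member that appears without a change ticket is the finding.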


dsget ou

Displays the properties of an organizational unit (OU) in Active Directory. If you do not supply a target object at the command prompt, dsget obtains the target object from standard input (stdin). Dsget can accept stdin from the keyboard, from a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).

Default ‘dsget ou’ syntax

dsget ou <OrganizationalUnitDN> ...[-dn] [-desc] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

‘dsget ou’ options and descriptions

dsget ou -c Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not supply this parameter, dsget exits when the first error occurs.
dsget ou -d <Domain> Connects to the domain specified. By default, dsget connects the computer to the domain controller in the logon domain.
dsget ou -desc Displays the descriptions of the OUs.
dsget ou -dn Displays the distinguished names of the OUs.
dsget ou -l Displays entries in a list. By default, dsget displays entries in a table.
dsget ou <OrganizationalUnitDN> Specifies the distinguished name of the OU that you want to view, and since you can’t view an OU without a name, this parameter is required.
dsget ou -p {<Password>|*} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsget prompts you for a password.
dsget ou -q Suppresses all output to standard output (quiet mode).
dsget ou -s <Server> Connects the computer to the server specified.
dsget ou -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), and user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsget ou -uc Specifies a Unicode format for input from or output to a pipe (|).
dsget ou -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsget ou -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsget ou /? Displays the help message.


‘dsget ou’ examples

Display the descriptions of all OUs in the current domain:

dsquery ou domainroot | dsget ou -desc


dsget partition

Displays the properties of a directory partition. If you do not supply a target object at the command prompt, dsget obtains the target object from standard input (stdin). Dsget can accept stdin from the keyboard, from a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z). If you specify -topobjowner, that parameter overrides any other parameters that you specify. Consequently, dsget displays only the results of -topobjowner.

Default ‘dsget partition’ syntax

dsget partition <ObjectDN> ... [-dn] [-qdefault] [-qtmbstnwt] [-topobjowner <Display>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

‘dsget partition’ options and descriptions

dsget partition -c Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not supply this parameter, dsget exits when the first error occurs.
dsget partition -d <domain> Connects a computer to the domain that you specify. By default, dsget connects the computer to the domain controller in the logon domain.
dsget partition -dn Displays the distinguished names of the directory partition objects.
dsget partition -l Displays entries in a list. By default, dsget displays entries in a table.
dsget partition <ObjectDN> Required. Specifies the distinguished names of the partition objects to view. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command.
dsget partition -p{ <Password> | *} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsget prompts you for a password.
dsget partition -q Suppresses all output to standard output (quiet mode).
dsget partition -qdefault Displays the default quota that applies to any security principal (for example, a user, group, computer, or inetOrgPerson) that creates objects in the directory partition when no specific quota specification governs that security principal. An unlimited quota appears as “-1”.
dsget partition -qtmbstnwt Displays the percent by which the tombstone object count should be reduced when calculating quota usage.
dsget partition -s <Server> Connects a computer to the remote server that you specify. By default, dsget connects the computer to the domain controller in the logon domain.
dsget partition -topobjowner <Display> Displays a sorted list of the security principals that own the most objects in the specified directory partition. This parameter also displays the number of directory objects that those security principals own. Display specifies the number of accounts to display in the list. To display all object owners, use 0 as the value of this parameter. If you do not specify Display, the number of principals that this parameter lists defaults to 10.
dsget partition -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsget partition -uc Specifies a Unicode format for input from or output to a pipe (|).
dsget partition -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsget partition -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsget partition /? Displays help at the command prompt.


dsget partition example

Display the three security principals that own the most objects in each application directory partition hosted by domain controllers in the forest:

dsquery server -forest -part application* | dsget server -part | dsget partition -topobjowner 3


dsget quota

Displays the properties of a quota specification defined in Active Directory. A quota specification determines the maximum number of directory objects that a security principal can own in a directory partition that you specify.

Default ‘dsget quota’ syntax

dsget quota <ObjectDN> [-dn] [-acct] [-qlimit] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

‘dsget quota’ options and descriptions

dsget quota -acct Displays the distinguished names of the accounts to which the quotas are assigned.
dsget quota -c Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not supply this parameter, dsget exits when the first error occurs.
dsget quota -d <domain> Connects a computer to the domain that you specify. By default, dsget connects the computer to the domain controller in the logon domain.
dsget quota -dn Displays the distinguished names of the quota objects.
dsget quota -l Displays entries in a list. By default, dsget displays entries in a table.
dsget quota <ObjectDN> Required. Specifies the distinguished names of the partition objects to view. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command.
dsget quota -p{ <Password> | *} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsget prompts you for a password.
dsget quota -q Suppresses all output to standard output (quiet mode).
dsget quota -qlimit Displays the quota limits for the specified quotas. An unlimited quota appears as “-1”.
dsget quota -s <Server> Connects a computer to the remote server that you specify. By default, dsget connects the computer to the domain controller in the logon domain.
dsget quota -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsget quota -uc Specifies a Unicode format for input from or output to a pipe (|).
dsget quota -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsget quota -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsget quota /? Displays help at the command prompt.


dsget quota example

dsget quota "CN=quota 1,dc=marketing,dc=northwindtraders,dc=com" -acct -qlimit


dsget server

Displays the properties of a domain controller defined in the directory. There are three variations of this command. The first variation displays the general properties of a domain controller that you specify. The second variation displays a list of the security principals that own the largest number of directory objects on the domain controller that you specify. The third variation displays the distinguished names of the directory partitions on the server that you specify.

Default ‘dsget server’ syntax

dsget server <ServerDN> [-dn] [-desc] [-dnsname] [-site] [-isgc] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

dsget server <ServerDN> [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}] [-topobjowner <Display>]

dsget server <ServerDN> [{-s <Server> | -d <Domain>}][-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}][-part <PartitionDN>]

‘dsget server’ options and descriptions

dsget server -c Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not supply this parameter, dsget exits when the first error occurs.
dsget server -d <domain> Connects a computer to the domain that you specify. By default, dsget connects the computer to the domain controller in the logon domain.
dsget server -desc Displays the descriptions of the servers.
dsget server -dn Displays the distinguished names of the servers.
dsget server -dnsname Displays the Domain Name System (DNS) host names of the servers.
dsget server -isgc Displays whether a server is a global catalog server (yes) or not (no).
dsget server -l Displays entries in a list. By default, dsget displays entries in a table.
dsget server -p{ <Password> | *} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsget prompts you for a password.
dsget server -part <PartitionDN> Connects to the directory partition with the distinguished name of PartitionDN.
dsget server -q Suppresses all output to standard output (quiet mode).
dsget server -s <Server> Connects a computer to the remote server that you specify. By default, dsget connects the computer to the domain controller in the logon domain.
dsget server <ServerDN> Required. Specifies the list of server object distinguished names to view. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command.
dsget server -site Displays the site name to which the server belongs.
dsget server -topobjowner <Display> Displays a sorted list of the security principals (such as users, computers, security groups, and inetOrgPersons) that own the largest number of directory objects across all directory partitions on the server and the number of directory objects that they own. The number of accounts to display in the list is specified by Display. To display all object owners, use 0 as the value of this parameter. If you do not specify Display, the number of principals that this parameter lists is 10 by default.
dsget server -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsget server -uc Specifies a Unicode format for input from or output to a pipe (|).
dsget server -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsget server -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsget server /? Displays help at the command prompt.


dsget server example

Find all domain controllers for domain widgets.woodgrovebank.com and then display their DNS host names and site names:

dsquery server -domain widgets.woodgrovebank.com | dsget server -dnsname -site

Determine if domain controller named DC1 is also a global catalog server:

dsget server CN=DC1,CN=Servers,CN=Site10,CN=Sites,CN=Configuration,DC=Woodgrovebank,DC=Com -isgc

Show the distinguished names of the directory partitions on a domain controller named DC1:

dsget server CN=DC1,CN=Servers,CN=Site10,CN=Sites,CN=Configuration,DC=Woodgrovebank,DC=Com -part

Show the top five security principals that own the most objects on the domain controller DC1.widgets.woodgrovebank.com:

dsget server CN=DC1,CN=widgets,DC=Woodgrovebank,DC=com -topobjowner 5


dsget site

Displays the properties of a site in Active Directory.

Default ‘dsget site’ syntax

dsget site <SiteCN> [-dn] [-desc] [-autotopology] [-cachegroups] [-prefGCsite] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

‘dsget site’ options and descriptions

dsget site -autotopology Displays whether automatic intersite topology generation is enabled (yes) or disabled (no) for specified sites.
dsget site -c Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not supply this parameter, dsget exits when the first error occurs.
dsget site -cachegroups Displays whether caching of universal group memberships for this site is enabled (yes) or disabled (no) to support logons that do not check the global catalog.
dsget site -d <domain> Connects a computer to the domain that you specify. By default, dsget connects the computer to the domain controller in the logon domain.
dsget site -desc Displays the descriptions of the sites.
dsget site -dn Displays the distinguished names of the sites.
dsget site -l Displays entries in a list. By default, dsget displays entries in a table.
dsget site -p{ <Password> | *} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsget prompts you for a password.
dsget site -prefGCsite Displays the name of the preferred global catalog site used to refresh universal group membership caching for the domain controllers of this site, if universal group membership caching has been enabled.
dsget site -q Suppresses all output to standard output (quiet mode).
dsget site -s <Server> Connects a computer to the remote server that you specify. By default, dsget connects the computer to the domain controller in the logon domain.
dsget site <SiteCN> Required. Specifies the common name of one or more sites that you want to view. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command.
dsget site -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com
dsget site -uc Specifies a Unicode format for input from or output to a pipe (|).
dsget site -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsget site -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsget site /? Displays help at the command prompt.


↑ Up to command list

dsget site example

dsquery site | dsget site -dn -desc

↑ Up to command list

dsget subnet

Displays the properties of a subnet in Active Directory.

Default ‘dsget subnet’ syntax

dsget subnet <SubnetDN> [-dn] [-desc] [-loc] [-site] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

‘dsget subnet’ options

Description

dsget subnet -c Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not supply this parameter, dsget exits when the first error occurs.
dsget subnet -d <domain> Connects a computer to the domain that you specify. By default, dsget connects the computer to the domain controller in the logon domain.
dsget subnet -desc Displays the descriptions of the subnets.
dsget subnet -dn Displays the distinguished names of the subnets.
dsget subnet -l Displays entries in a list. By default, dsget displays entries in a table.
dsget subnet -loc Displays the subnet locations.
dsget subnet -p {<Password> | *} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsget prompts you for a password.
dsget subnet -q Suppresses all output to standard output (quiet mode).
dsget subnet -s <Server> Connects a computer to the remote server that you specify. By default, dsget connects the computer to the domain controller in the logon domain.
dsget subnet <SubnetDN> Required. Specifies the common names of one or more subnets that you want to view.
dsget subnet -site Displays the site names associated with the subnets.
dsget subnet -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com
dsget subnet -uc Specifies a Unicode format for input from or output to a pipe (|).
dsget subnet -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsget subnet -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsget subnet /? Displays help at the command prompt.


↑ Up to command list

dsget subnet example

Display all properties for the subnets 206.73.118.0/24 and 207.209.68.0/24:

dsget subnet "206.73.118.0/24" "207.209.68.0/24"

↑ Up to command list

dsget user

Displays the properties of a user in the directory. There are two variations of this command. The first variation displays the properties of multiple users. The second variation displays the group membership information of a single user. If you do not specify property parameters for dsget user, the default user properties that appear are distinguished name, SAM account name, and description.

The DNs passed (or piped or redirected) to the dsget command must have embedded comma, backslash, and quote characters escaped with the backslash escape character. For example, the common name “cn=Smith, Jim” must be converted into “cn=Smith\, Jim”. All DN values retrieved by the dsquery command properly escape comma and backslash characters, but not quote characters. For this reason, if any distinguished name has an embedded quote character in any of its components (such as the common name), the following raises an error:

dsquery user -limit 0 | dsget user -samid

A workaround is to redirect the output of dsquery to a text file. For example:

dsquery user -limit 0 > users.txt

Then replace all embedded " characters in the file with \" (but not the leading and trailing quotes on each line). Then pipe this modified file to the dsget command:

type users.txt | dsget user -samid
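The same workaround can be done without hand-editing the file. The following PowerShell function is an added example, not code from the original post: it keeps the leading and trailing quote that dsquery puts around each DN and backslash-escapes only the quotes inside the DN before handing the lines to dsget. It assumes dsquery.exe and dsget.exe (the AD DS tools) are on the PATH and the session is logged on to the domain; the sample DN is constructed for illustration.

```powershell
# Added example (not from the original post): automate the dsquery -> dsget workaround for
# distinguished names that contain embedded double quotes. Assumes dsquery.exe and dsget.exe
# (AD DS tools) are on the PATH and the session is logged on to the domain; the sample DN
# below is constructed for illustration.

function ConvertTo-DsgetSafeDN {
    # dsquery wraps each DN in a leading and a trailing quote. Keep that pair as-is and
    # backslash-escape only the quotes *inside* the DN, which is what dsget requires.
    param([Parameter(Mandatory)][string]$Line)

    $dn = $Line.Trim()
    $wrapped = ($dn.Length -ge 2) -and $dn.StartsWith('"') -and $dn.EndsWith('"')
    if ($wrapped) { $dn = $dn.Substring(1, $dn.Length - 2) }

    # Escape bare quotes only; a quote already preceded by a backslash is left alone, so the
    # function is safe to run twice over the same input.
    $dn = [regex]::Replace($dn, '(?<!\\)"', '\"')

    if ($wrapped) { return '"' + $dn + '"' } else { return $dn }
}

# Constructed sample: what dsquery prints for a user whose common name contains quotes.
$sample = '"CN=Smith "JJ" Jim,OU=Test,DC=ms,DC=tld"'
ConvertTo-DsgetSafeDN $sample

# Live use: rewrite every DN on the fly instead of editing users.txt by hand, then hand the
# result to dsget exactly as the "type users.txt | dsget user -samid" step above does.
dsquery user -limit 0 | ForEach-Object { ConvertTo-DsgetSafeDN $_ } | dsget user -samid
```

Because dsget reads the DNs from its standard input, anything that rewrites the lines in the pipeline works just as well as the text-file detour; the only requirement is that the outer quote pair survives untouched.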

Default ‘dsget user’ syntax

dsget user <UserDN> [-dn] [-samid] [-sid] [-upn] [-fn] [-mi] [-ln] [-display] [-empid] [-desc] [-office] [-tel] [-email] [-hometel] [-pager] [-mobile] [-fax] [-iptel] [-webpg] [-title] [-dept] [-company] [-mgr] [-hmdir] [-hmdrv] [-profile] [-loscr] [-mustchpwd] [-canchpwd] [-pwdneverexpires] [-disabled] [-acctexpires] [-reversiblepwd] [{-uc | -uco | -uci}] [-part <PartitionDN> [-qlimit] [-qused]]

dsget user <UserDN> [-memberof] [-expand][{-uc | -uco | -uci}]

‘dsget user’ options

Description

dsget user -acctexpires Displays the dates when user accounts expire. If the accounts never expire, this command returns never.
dsget user -canchpwd Displays whether users can change their password (yes) or not (no). The -canchpwd parameter estimates whether a user can change his password based on the way that it interprets the access control lists (ACLs) on the user object. To know for certain whether a user can change a password, that user must try to change it. This non-authoritative answer is not specific to dsget user. It is also inherent in the User Properties dialog box in Active Directory Users and Computers in Microsoft Management Console (MMC).
dsget user -company Displays the company information of the users.
dsget user -dept Displays the departments of the users.
dsget user -desc Displays the descriptions of the users.
dsget user -disabled Displays whether user accounts are disabled for logon (yes) or not (no).
dsget user -display Displays the display names of the users.
dsget user -dn Displays the distinguished names of the users.
dsget user -email Displays the email addresses of the users.
dsget user -empid Displays the employee IDs of the users.
dsget user -expand Displays the recursively expanded list of groups of which the user is a member. This option takes the immediate group membership list of the user, and then recursively expands each group in this list to determine its group memberships as well, to arrive at a complete closure set of the groups.
dsget user -fax Displays the fax numbers of the users.
dsget user -fn Displays the first names of the users.
dsget user -full Displays the full names of the users.
dsget user -hmdir Displays the drive letter to which the home directory of the user is mapped if the home directory path is a UNC path.
dsget user -hmdrv Displays the user’s home drive letter if the home directory is a UNC path.
dsget user -hometel Displays the home telephone numbers of the users.
dsget user -iptel Displays the user IP phone numbers.
dsget user -ln Displays the last names of the users.
dsget user -loscr Displays the user logon script paths.
dsget user -memberof Displays the immediate list of groups of which the user is a member.
dsget user -mgr Displays the managers of the users.
dsget user -mi Displays the middle initials of the users.
dsget user -mobile Displays the mobile phone numbers of the users.
dsget user -mustchpwd Displays whether users must change their passwords at the time of next logon (yes) or not (no).
dsget user -office Displays the office locations of the users.
dsget user -pager Displays the pager numbers of the users.
dsget user -part <PartitionDN> Connects a computer to the directory partition with the distinguished name of PartitionDN.
dsget user -profile Displays the user profile paths.
dsget user -pwdneverexpires Displays whether the user password never expires (yes) or not (no).
dsget user -qlimit Displays the effective quota of the user within the directory partition that you specify with the -part parameter.
dsget user -qused Displays how much of the quota the user has used within the directory partition that you specify with the -part parameter.
dsget user -reversiblepwd Displays whether the user passwords are allowed to be stored using reversible encryption (yes) or not (no).
dsget user -samid Displays the Security Account Manager (SAM) account names of the users.
dsget user -sid Displays the user security identifiers (SIDs).
dsget user -tel Displays the telephone numbers of the users.
dsget user -title Displays the titles of the users.
dsget user -uc Specifies a Unicode format for input from or output to a pipe (|).
dsget user -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsget user -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsget user -upn Displays the user principal names (UPNs) of the users.
dsget user <UserDN> (first variation) Required. Specifies the distinguished names of the user objects that you want to view. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command. Compare this parameter with UserDN in the second variation.
dsget user <UserDN> (second variation) Required. Specifies the distinguished name of the user whose group membership you want to view.
dsget user -webpg Displays the user Web page URLs.
dsget user /? Displays help at the command prompt.


↑ Up to command list

dsget user examples

Find all users in an organizational unit (OU) named Test whose name starts with “jon” and show their descriptions:

dsquery user OU=Test,dc=ms,dc=tld -name jon* | dsget user -desc

Show the list of groups, recursively expanded, to which the user Samwise Gamgee belongs:

dsget user "CN=Samwise Gamgee,CN=users,dc=ms,dc=tld" -memberof -expand

Display members of a group sorted by department:

dsquery group -name {group_name} | dsget group -members | dsget user -samid -display -dept | sort /+50

↑ Up to command list

dsmgmt

Facilitates managing Active Directory Lightweight Directory Services (AD LDS) application partitions, managing and controlling flexible single master operations (FSMO), and cleaning up metadata that is left behind by abandoned Active Directory domain controllers and AD LDS instances (abandoned domain controllers and AD LDS instances are those that are removed from the network without being uninstalled). Dsmgmt is available if you have the AD LDS server role installed.

For most of the dsmgmt commands, you only need to type the first few characters of the command name rather than the entire command. For example, you can type either of the following commands to manage configurable settings:

configurable settings

co s

dsmgmt options

Description

configurable settings (short form: co s) Manages configurable settings.
DS behavior (short form: ds b) Views and modifies AD DS and AD LDS behavior.
Help Displays help at the command prompt.
group membership evaluation (short form: g m e) Evaluates SIDs in a token for a specified user or group.
LDAP policies Manages LDAP protocol policies.
local roles (short form: lo r) Manages local administrative roles on a read-only domain controller (RODC).
metadata cleanup (short form: m c) Cleans up objects of decommissioned servers.
partition management (short form: pa m) Manages directory partitions.
Popups off (short form: po off) Disables popups.
Popups on (short form: po on) Enables popups.
Quit Quits dsmgmt.
roles (short form: r) Manages operations master roles.
security account management (short form: sec a m) Manages the Security Account Database and duplicate SID cleanup.
set DSRM password (short form: set d p) Resets the Directory Services Restore Mode (DSRM) administrator password.
? Displays help at the command prompt.


↑ Up to command list

dsmgmt configurable settings

Aids in modifying the time to live (TTL) of dynamic data that is stored in Active Directory Domain Services (AD DS). At the configurable setting: prompt, type any of the parameters listed in the syntax below. Before you can run other configurable settings subcommand parameters, you need to connect to a specific AD DS or AD LDS instance by using the connections parameter.

Default ‘dsmgmt configurable settings’ syntax

connections

{cancel changes | commit changes} {list | set %s1 to %s2 | show values}

‘dsmgmt configurable settings’ options

Description

configurable setting: cancel changes Cancels the changes that are made but not yet committed.
configurable setting: commit changes Commits the changes made to the server.
configurable setting: connections Invokes the server connections submenu.
configurable setting: Help Displays Help at the command prompt.
configurable setting: list Lists the names of the supported configurable settings.
configurable setting: quit Takes you back to the previous menu, or exits the utility.
configurable setting: set %s1 to %s2 Sets the configurable settings %s1 to the value %s2.
configurable setting: show values Displays values of configurable settings.


↑ Up to command list

‘dsmgmt configurable settings’ examples

Change the value of a configurable setting named DynamicObjectDefaultTTL to 172800 seconds (two days):

configurable setting: set DynamicObjectDefaultTTL to 172800

Show the current values of configurable settings:

configurable setting: show values

↑ Up to command list

dsmgmt DS behavior

Manages password operations over unsecured connections. You can allow or deny password operations over unsecured connections and list the current setting. As a best security practice, you should not disable strong encryption in a production environment. Strong encryption ensures that passwords are transmitted only across secure channels. For test environments only, you can disable strong encryption.
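Because this setting is per instance, it is worth checking it on every domain controller rather than trusting that nobody enabled it on a test box that later went into production. The script below is an added example, not code from the original post or from Microsoft. It assumes the AD DS tools (dsmgmt.exe) and the ActiveDirectory PowerShell module are installed, that dsmgmt accepts its menu commands as a quoted argument list on the command line (batch mode, as ntdsutil does), and that the output of list current ds-behavior describes the setting with the words "allow" or "deny"; because the exact wording is an assumption, the raw output is returned alongside the parsed state so you can confirm it.

```powershell
# Added example (not from the original post): audit the "password operations over unsecured
# connections" behavior on every writable domain controller in the current domain.
# Assumptions: dsmgmt.exe and the ActiveDirectory module are installed; dsmgmt accepts its
# menu commands as quoted command-line arguments (batch mode, like ntdsutil); and the
# "list current ds-behavior" output mentions "allow" or "deny"/"not allowed" for the setting.

function Get-UnsecuredPasswordOpBehavior {
    param([Parameter(Mandatory)][string]$DomainController)

    # Walk the menus non-interactively:
    #   DS behavior -> connections -> connect to server X -> quit -> list current ds-behavior -> quit -> quit
    $output = & dsmgmt.exe "ds behavior" "connections" "connect to server $DomainController" "quit" `
                           "list current ds-behavior" "quit" "quit" 2>&1 | Out-String

    # Deliberately loose matching; check the negative forms first so "not allowed" is not
    # misread as "allowed". Anything unrecognised is reported as 'unknown', never as safe.
    $state = 'unknown'
    if     ($output -match '(?i)deny|denied|not allowed') { $state = 'denied' }
    elseif ($output -match '(?i)allow')                   { $state = 'allowed' }

    [pscustomobject]@{
        DomainController          = $DomainController
        PasswordOpsOverUnsecured  = $state
        RawOutput                 = $output
    }
}

# Run against every writable DC and surface anything that is not explicitly denied.
Get-ADDomainController -Filter { IsReadOnly -eq $false } |
    ForEach-Object { Get-UnsecuredPasswordOpBehavior -DomainController $_.HostName } |
    Where-Object { $_.PasswordOpsOverUnsecured -ne 'denied' } |
    Format-Table DomainController, PasswordOpsOverUnsecured -AutoSize
```

Treat an 'unknown' result as a finding to investigate by hand, not as a pass; the script errs toward reporting rather than silently accepting output it could not parse.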

Default ‘dsmgmt DS behavior’ syntax

connections

[{allow passwd op on unsecured connection | deny passwd op on unsecured connection | list current ds-behavior}]

‘dsmgmt DS behavior’ options

Description

AD DS/LDS behavior: allow passwd op on unsecured connection Modifies AD DS or AD LDS behavior to allow password operations over an unsecured connection.
AD DS/LDS behavior: connections Invokes the server connections submenu. Before you can run the DS behavior subcommand, you need to connect to a specific AD DS or AD LDS instance by using the connections parameter.
AD DS/LDS behavior: deny passwd op on unsecured connection Modifies AD DS or AD LDS behavior to deny password operations over an unsecured connection.
AD DS/LDS behavior: Help Displays Help at the command prompt.
AD DS/LDS behavior: list current ds-behavior Lists current behavior for the AD DS or AD LDS instance.
AD DS/LDS behavior: quit Takes you back to the previous menu, or exits the utility.
AD DS/LDS behavior: ? Displays Help at the command prompt.


↑ Up to command list

‘dsmgmt DS behavior’ examples

Deny password operations over unsecured connections:

AD DS/LDS behavior: deny passwd op on unsecured connection

↑ Up to command list

dsmgmt group membership evaluation

Generates a report with information about group memberships for a user. Active Directory environments that contain complex group structures can encounter problems with access token limitation during authentication. This problem can result in the inability of a user to log on or access resources. By analyzing the results of the report, you can identify the source of the problem.

Default ‘dsmgmt group membership evaluation’ syntax

[clear credentials] [run %s1 %s2] [set account dc %s] [set credentials %s1 %s2 %s3] [set global catalog %s] [set resource dc %s] [verbose %s]

‘dsmgmt group membership evaluation’ options

Description

group membership evaluation: clear credentials Clears credentials that were used for a prior connection.
group membership evaluation: Help Displays Help at the command prompt.
group membership evaluation: quit Takes you back to the previous menu, or exits the utility.
group membership evaluation: run %s1 %s2 Runs token evaluation for the principal %s2 in domain %s1.
group membership evaluation: set account dc %s Specifies the domain controller used in the account domain. The account domain is the domain that includes the user account. If you do not specify a domain controller, the tool automatically locates one.
group membership evaluation: set credentials %s1 %s2 %s3 Sets connection credentials as domain %s1, user %s2, and password %s3.
group membership evaluation: set global catalog %s Specifies which global catalog server to use. If you do not specify a global catalog, ntdsutil.exe automatically locates one.
group membership evaluation: set resource dc %s Specifies the domain controller used in the resource domain. Use this parameter only if the user and computer on which the logon is being attempted are in different domains. If the user and computer belong to different domains, the resource groups of the computer must also be enumerated.
group membership evaluation: verbose %s Turns verbose mode on or off.
group membership evaluation: ? Displays Help at the command prompt.


↑ Up to command list

‘dsmgmt group membership evaluation’ examples

  1. At the ntdsutil: prompt, type group membership evaluation, and then press ENTER.
  2. Type set account dc <dcname>, where <dcname> is the actual name of a domain controller in your domain that you want to use to obtain the account’s global group memberships, and then press ENTER.
  3. Type set global catalog <dcname>, where <dcname> is the actual name of a domain controller in your domain acting as a global catalog server that you want to use to obtain the account’s universal group memberships, and then press ENTER.
  4. Type set resource dc <dcname>, where <dcname> is the actual name of a domain controller in your domain that you want to use to obtain the account’s local group memberships, and then press ENTER.
  5. Type run corp.cpandl.com tonipoe, and then press ENTER.
  6. Ntdsutil outputs a tab-separated-value file (.tsv) with a specific name. That file is located in the folder from which you started Ntdsutil. The file name is reported by Ntdsutil. To access the file, type quit, and then press ENTER twice.
  7. Type dir *.tsv to see a list of the tab-separated-value files in the current folder.
  8. You can open the file in a spreadsheet program or a text file viewer. For example, to open a file named tonipoe-20090514203117.tsv in Notepad, type notepad tonipoe-20090514203117.tsv, and then press ENTER.

↑ Up to command list

dsmgmt LDAP policies

Sets the Lightweight Directory Access Protocol (LDAP) administration limits for the Default-Query Policy object. At the LDAP policies: prompt, type any of the parameters listed in the syntax below.

Default ‘dsmgmt LDAP policies’ syntax

connections

{cancel changes | commit changes} {list | set %s1 to %s2 | show values}

‘dsmgmt LDAP policies’ options

Description

ldap policy: cancel changes Cancels any uncommitted modifications of the LDAP administration limits to the default query policy.
ldap policy: commit changes Commits all modifications of the LDAP administration limits to the default query policy.
ldap policy: connections Invokes the Server connections submenu.
ldap policy: Help Displays help at the command prompt.
ldap policy: list Lists all supported LDAP administration limits for the domain controller.
ldap policy: quit Takes you back to the previous menu, or exits the utility.
ldap policy: set %s1 to %s2 Sets the value of the LDAP administration limit %s1 to the value %s2. The following administration limits are supported (default values are noted in parentheses):

InitRecvTimeout: initial receive time-out (120 seconds).
MaxConnections: maximum number of open connections (5000).
MaxConnIdleTime: maximum amount of time a connection can be idle (900 seconds).
MaxNotificationPerConnection: maximum number of notifications that a client can request for a given connection (5).
MaxPageSize: maximum page size supported for LDAP responses (1000 records).
MaxQueryDuration: maximum length of time the domain controller can execute a query (120 seconds).
MaxTempTableSize: maximum size of temporary storage allocated to execute queries (10,000 records).
MaxResultSetSize: maximum size of the LDAP result set (262144 bytes).
MaxPoolThreads: maximum number of threads created by the domain controller for query execution (4 per processor).
MaxDatagramRecv: maximum number of datagrams that can be processed by the domain controller simultaneously (1024).
MaxReceiveBuffer: maximum size, in bytes, of a request that the server will accept (10,485,760 bytes).
MaxValRange: maximum number of values that can be retrieved from a multivalued attribute in a single search request (1500 values). This policy is available only in Windows Server 2003 and Windows Server 2008.

ldap policy: show values Shows the current and proposed values for the LDAP administration limits.
ldap policy: ? Displays help at the command prompt.


↑ Up to command list

‘dsmgmt LDAP policies’ examples

Show the current LDAP policy values:

ldap policy: show values
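The same limits can be read without the interactive menus, which makes them easy to audit across domain controllers. The script below is an added example, not code from the original post: it reads the lDAPAdminLimits attribute of the Default Query Policy object in the Configuration partition (its standard location in AD DS) and compares each configured value with the default listed in the table above. It assumes the ActiveDirectory PowerShell module is installed and the caller can read the Configuration partition.

```powershell
# Added example (not from the original post): read the LDAP administration limits from the
# Default Query Policy object and compare them with the defaults listed in the table above.
# Assumes the ActiveDirectory PowerShell module and read access to the Configuration partition.
# lDAPAdminLimits is a multi-valued attribute of "Name=Value" strings.

$DefaultLdapLimits = @{
    InitRecvTimeout              = 120
    MaxConnections               = 5000
    MaxConnIdleTime              = 900
    MaxNotificationPerConnection = 5
    MaxPageSize                  = 1000
    MaxQueryDuration             = 120
    MaxTempTableSize             = 10000
    MaxResultSetSize             = 262144
    MaxPoolThreads               = 4
    MaxDatagramRecv              = 1024
    MaxReceiveBuffer             = 10485760
    MaxValRange                  = 1500
}

function Get-LdapAdminLimit {
    # Returns one object per limit: name, configured value, documented default, and whether they differ.
    param([string]$Server = (Get-ADDomainController -Discover).HostName)

    $configNC = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $policy   = Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits -Server $Server

    foreach ($entry in $policy.lDAPAdminLimits) {
        $name, $value = $entry -split '=', 2
        $default = $DefaultLdapLimits[$name]
        [pscustomobject]@{
            Limit      = $name
            Configured = [int64]$value
            Default    = $default
            # Limits the table above does not list (no known default) are never flagged as deviating.
            Deviates   = ($null -ne $default) -and ([int64]$value -ne $default)
        }
    }
}

# Show only the limits that differ from the documented defaults. A raised MaxPageSize,
# MaxQueryDuration or MaxValRange deserves a second look: each widens how much one LDAP
# query can pull from the directory, and a lowered MaxConnections can starve legitimate clients.
Get-LdapAdminLimit | Where-Object Deviates | Format-Table Limit, Configured, Default -AutoSize
```

Changes made through ldap policy: set ... commit changes land in this same attribute, so the script is also a quick way to confirm that a commit took effect on the DC you targeted.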

↑ Up to command list

dsmgmt local roles

Manages Administrator Role Separation for a read-only domain controller (RODC). Administrator role separation provides a nonadministrative user with the permissions to install and administer an RODC, without granting that user permissions to do any other type of domain administration. You can use this subcommand only with the AD DS server role because AD LDS does not include RODCs.

By default, the local roles subcommand is performed on the RODC where you run the command. If you need to connect to a different RODC, use the connections parameter.

Default ‘dsmgmt local roles’ syntax

connections

{add %s1 %s2 | remove %s1 %s2} [list roles] [show roles]

‘dsmgmt local roles’ options

Description

local roles: add %s1 %s2 Adds an account %s1 to the local role %s2.
local roles: connections Invokes the server connections submenu.
local roles: Help Displays help at the command prompt.
local roles: list roles List defined local roles. These roles correspond to the various Built-in groups, such as Administrators, Backup Operators, Server Operators, and so on. Each RODC stores in its registry a list of accounts that should be considered members of those groups (roles) on that RODC. This list of accounts supplements any members of those groups stored in the directory. For example, suppose the BUILTIN\Administrators group stored in the directory contains a single member, the Domain Admins group. Suppose also that on a particular RODC, fabrikam\MikeDan is listed in the Administrators local role. Then on that RODC, both MikeDan and anyone in the Domain Admins group are considered to be Administrators.
local roles: quit Takes you back to the previous menu, or exits the utility.
local roles: remove %s1 %s2 Removes an account %s1 from the local role %s2.
local roles: show roles Shows local role members.
local roles: ? Displays help at the command prompt.


↑ Up to command list

‘dsmgmt local roles’ examples

Add a user account named MikeDan from the Woodgrovebank domain to the administrators local role on an RODC:

add WOODGROVEBANK\MikeDan administrators

↑ Up to command list

dsmgmt metadata cleanup

Cleans up metadata for failed domain controllers. When a failed domain controller stores the only copy of one or more domains or application directory partitions (also called “naming contexts”), metadata cleanup can also be used to clean up metadata for selected domains or application directory partitions. In this version of Ntdsutil.exe, metadata cleanup also removes File Replication Service (FRS) connections and attempts to transfer or seize any operations master roles (also known as flexible single master operations or FSMO roles) that the retired domain controller holds.

Do not delete the metadata of existing domains and domain controllers.

At the metadata cleanup: prompt, type any of the parameters listed in the syntax below.

Default ‘dsmgmt metadata cleanup’ syntax

connections

[select operation target] {remove selected domain | remove selected naming context | remove selected server | remove selected server %s | remove selected server %s1 on %s2}

‘dsmgmt metadata cleanup’ options

Description

metadata cleanup: connections Invokes the Server connections submenu.
metadata cleanup: Help Displays help at the command prompt.
metadata cleanup: remove selected domain Removes the metadata associated with the domain that is selected in the Select operation target submenu.
metadata cleanup: remove selected naming context Removes the metadata associated with the Naming Context that is selected in the Select operation target submenu.
metadata cleanup: remove selected server Removes the metadata associated with the domain controller that is selected in the Select operation target submenu. This parameter also removes FRS metadata and tries to transfer or seize operations master roles.
metadata cleanup: remove selected server %s Removes directory and FRS metadata for the disabled server %s from the directory on localhost, and attempts to transfer or seize any operations master roles that are held by server %s to localhost. This parameter also removes FRS metadata and tries to transfer or seize operations master roles.
metadata cleanup: remove selected server %s1 on %s2 Connects to server %s2, removes directory and FRS metadata for server %s1 from the directory on server %s2, and attempts to transfer or seize any operations master roles held by server %s1 to server %s2. This parameter also removes FRS metadata and tries to transfer or seize operations master roles.
metadata cleanup: quit Takes you back to the previous menu, or exits the utility.
metadata cleanup: select operation target Invokes the Select operation target submenu.
metadata cleanup: ? Displays help at the command prompt.


↑ Up to command list

‘dsmgmt metadata cleanup’ example

Remove metadata for a server named RODC1:

metadata cleanup: remove selected server RODC1

↑ Up to command list

dsmgmt partition management

Manages directory partitions for Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).

Default ‘dsmgmt partition management’ syntax

connections

[select operation target] [add nc replica %s1 %s2] [create nc %s1 %s2] [create nc %s1 %s2 %s3] [delete nc %s] [list] [list nc information %s] [list nc replicas %s] [precreate %s1 %s2] [remove nc replica %s1 %s2] [set nc reference domain %s1 %s2] [set nc replication notification delay %s %d1 %d2]

‘dsmgmt partition management’ options

Description

partition management: add nc replica %s1 %s2 Adds the Active Directory domain controller or AD LDS instance with full Domain Name System (DNS) name %s2 to the replica set for the application directory partition with distinguished name %s1. If you specify “NULL” for %s2, then this command uses the currently connected Active Directory domain controller or AD LDS instance.
partition management: connections Invokes the server connections submenu.
partition management: create nc %s1 %s2 Creates the application directory partition with distinguished name %s1, on the Active Directory domain controller or AD LDS instance with full DNS name %s2. If you specify “NULL” for %s2, this command uses the currently connected Active Directory domain controller. Use this command only with AD DS. For AD LDS, use create nc %s1 %s2 %s3.
partition management: create nc %s1 %s2 %s3 Creates the AD LDS application directory partition with distinguished name %s1 of object class %s2 on a computer named %s3. You should annotate the %s3 value with the Lightweight Directory Access Protocol (LDAP) port number. For example, type adam1.fabrikam.com:389. If you specify “NULL” for %s3, this command uses the currently connected AD LDS instance.
partition management: delete nc %s Completely removes the application directory partition or precreated cross-reference with distinguished name %s from AD DS or AD LDS.
partition management: Help Displays help at the command prompt.
partition management: list Lists known naming contexts.
partition management: list nc information %s Shows the reference domain and replication delays for the application directory partition with distinguished name %s.
partition management: list nc replicas %s Shows the list of Active Directory domain controllers or AD LDS instances in the replica set for the application directory partition with distinguished name %s.
partition management: precreate %s1 %s2 Precreates a cross-reference object for the domain or application directory partition with distinguished name %s1, allowing a server with DNS name %s2 to be promoted as an Active Directory domain controller for the domain or to create the application directory partition. This can also be used to precreate cross-reference objects for application directory partitions for AD LDS. For AD LDS, %s2 should be hostname:ldapPort:ldapSslPort, such as adam1.fabrikam.com:389:636.
partition management: quit Takes you back to the previous menu, or exits the utility.
partition management: remove nc replica %s1 %s2 Deletes the AD DS or AD LDS instance with DNS name %s2 from the replica set of the application directory partition with distinguished name %s1. If you specify “NULL” for %s2, this command uses the currently connected Active Directory domain controller or AD LDS instance.
partition management: select operation target Invokes the Select operation target submenu.
partition management: set nc reference domain %s1 %s2 Sets the reference domain of application directory partition with distinguished name %s1 to domain with distinguished name %s2.
partition management: set nc replication notification delay %s %d1 %d2 Sets the notification delays of directory partition with distinguished name %s to %d1 and %d2 seconds, where %d1 is the delay between notifying the first Active Directory domain controller or AD LDS instance of changes and %d2 is the delay of notifying subsequent Active Directory domain controllers or AD LDS instances of changes. If you specify -1 in either %d1 or %d2, this command will not modify the corresponding delay (in case you are trying to modify only one delay). If you specify any other negative number, the command will delete the delay. Delays are always set on the naming master.
partition management: ? Displays help at the command prompt.


↑ Up to command list

‘dsmgmt partition management’ examples

Create an application directory partition named AppPartition in the woodgrovebank.com domain:

  1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click ‘Run as administrator’.
  2. Type: ntdsutil
  3. Type: Ac in ntds
  4. Type: partition management
  5. Type: connections
  6. Type: Connect to server DC_Name
  7. Type: quit
  8. Type: list
  9. The following partitions will be listed:

     0 CN=Configuration,DC=Woodgrovebank,DC=com
     1 DC=Woodgrovebank,DC=com
     2 CN=Schema,CN=Configuration,DC=Woodgrovebank,DC=com
     3 DC=DomainDnsZones,DC=Woodgrovebank,DC=com
     4 DC=ForestDnsZones,DC=Woodgrovebank,DC=com

  10. At the partition management prompt, type: create nc dc=AppPartition,dc=woodgrovebank,dc=com ConDc1.woodgrovebank.com
  11. Run the list command again to refresh the list of partitions.

↑ Up to command list

dsmgmt roles

Seizes and transfers operations master roles (also known as flexible single master operations or FSMO roles). At the roles: prompt, type any of the parameters listed in the syntax below.

Do not make a server an operations master role owner by means of seizure commands if the real role holder exists on the network. Doing this can create irreconcilable conflicts for key system data. If an operations master role owner is temporarily unavailable, do not make another domain controller the role owner. This can result in a situation in which two computers function as the role owner, which might cause irreconcilable conflicts for key system data.

Default ‘dsmgmt roles’ syntax

connections

[select operation target] [{seize naming master | seize infrastructure master | seize PDC | seize RID master | seize schema master}] [{transfer naming master | transfer infrastructure master | transfer PDC | transfer RID master | transfer schema master}]

‘dsmgmt roles’ options

Description

fsmo maintenance: connections Invokes the Server connections submenu.
fsmo maintenance: Help Displays help at the command prompt.
fsmo maintenance: quit Takes you back to the previous menu, or exits the utility.
fsmo maintenance: seize naming master Forces the domain controller to which you are connected to claim ownership of the domain naming master operations master role without regard to the data associated with the role. Use only for recovery purposes.
fsmo maintenance: seize infrastructure master Forces the domain controller to which you are connected to claim ownership of the infrastructure operations master role without regard to the data associated with the role. Use only for recovery purposes.
fsmo maintenance: seize PDC Forces the domain controller to which you are connected to claim ownership of the primary domain controller (PDC) emulator operations master role without regard to the data associated with the role. Use only for recovery purposes.
fsmo maintenance: seize RID master Forces the domain controller to which you are connected to claim ownership of the relative ID (RID) operations master role without regard to the data associated with the role. Use only for recovery purposes.
fsmo maintenance: seize schema master Forces the domain controller to which you are connected to claim ownership of the schema operations master role without regard to the data associated with the role. Use only for recovery purposes.
fsmo maintenance: transfer naming master Instructs the domain controller to which you are connected to obtain the domain naming master role by means of controlled transfer.
fsmo maintenance: transfer infrastructure master Instructs the domain controller to which you are connected to obtain the infrastructure operations master role by means of controlled transfer.
fsmo maintenance: transfer PDC Instructs the domain controller to which you are connected to obtain the PDC emulator operations master role by means of controlled transfer.
fsmo maintenance: transfer RID master Instructs the domain controller to which you are connected to obtain the RID operations master role by means of controlled transfer.
fsmo maintenance: transfer schema master Instructs the domain controller to which you are connected to obtain the schema operations master role by means of controlled transfer.
fsmo maintenance: ? Displays help at the command prompt.


↑ Up to command list

‘dsmgmt roles’ examples

Transfer the PDC emulator master role to the domain controller that you are currently connected to:

fsmo maintenance: transfer PDC
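The warning at the top of this section is the practical point: a controlled transfer hands the role over with the current holder's cooperation, while a seizure does not and can leave two DCs believing they own the role. The following PowerShell script is an added example, not code from this blog post or from Microsoft's dsmgmt documentation. It uses the RSAT ActiveDirectory module cmdlets Get-ADForest, Get-ADDomain, Test-Connection and Move-ADDirectoryServerOperationMasterRole to list the current operations master holders, confirm that the current PDC emulator answers before anything is moved, and then perform a controlled transfer of the PDC emulator role (the equivalent of the ‘transfer PDC’ command above). The target DC name DC2 is a placeholder.

```powershell
# Added example: controlled (non-seizing) transfer of the PDC emulator role.
# Assumes the RSAT ActiveDirectory module is installed and the caller holds
# Domain Admin rights. $TargetDc is a placeholder for the receiving DC.
Import-Module ActiveDirectory

$TargetDc = 'DC2'

function Get-FsmoHolders {
    # Forest-wide roles are attributes of the forest object; domain roles of the domain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

Write-Host 'Current operations master holders:'
$before = Get-FsmoHolders
$before | Format-List

# A transfer (as opposed to a seizure) needs the current holder online, because
# the role is handed over through replication with the holder's participation.
$currentPdc = $before.PDCEmulator
if (-not (Test-Connection -ComputerName $currentPdc -Count 2 -Quiet)) {
    throw "Current PDC emulator $currentPdc is unreachable; refusing to transfer. A seizure is only appropriate once the real holder is confirmed gone for good."
}

if ($currentPdc -eq $TargetDc -or $currentPdc -like "$TargetDc.*") {
    Write-Host "$TargetDc already holds the PDC emulator role; nothing to do."
    return
}

# Controlled transfer. -Force is deliberately NOT passed: with -Force this
# cmdlet performs a seizure, which is exactly what the warning above cautions against.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
    -OperationMasterRole PDCEmulator -Confirm:$false

# Verify the result and flag anything unexpected for follow-up.
$after = Get-FsmoHolders
Write-Host 'Holders after transfer:'
$after | Format-List
if ($after.PDCEmulator -notlike "$TargetDc*") {
    Write-Warning 'PDC emulator holder did not change as expected; check replication status and the Directory Service event log on both DCs.'
}
```

Run it on any domain-joined management host with RSAT installed; the same pattern applies to the other four roles by changing the -OperationMasterRole value (RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster).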

↑ Up to command list

dsmgmt security account management

Manages security identifiers (SIDs). At the security account maintenance: prompt, type any of the parameters listed in the syntax below.

Default ‘dsmgmt security account management’ syntax

[{check duplicate SID | cleanup duplicate SID}] [connect to server %s] [log file %s]

‘dsmgmt security account management’ options

Description

Security Account Maintenance: check duplicate SID Checks the Security Accounts Manager (SAM) database for any objects that have duplicate SIDs but does not delete any of the duplicates.
Security Account Maintenance: cleanup duplicate SID Deletes all objects that have duplicate SIDs and logs these entries into the log file.
Security Account Maintenance: connect to server %s Connects to the server, NetBIOS name, or Domain Name System (DNS) host name. You must connect to a specific domain controller before you can check for or clean up duplicate SIDs.
Security Account Maintenance: Help Displays Help at the command prompt.
Security Account Maintenance: log file %s Sets the log file name to %s. If you do not explicitly set a log file name, the default log file name is dupsid.log.
Security Account Maintenance: quit Takes you back to the previous menu, or exits the utility.
Security Account Maintenance: ? Displays Help at the command prompt.


↑ Up to command list

‘dsmgmt security account management’ examples

Connect to a domain controller named DC1:

security account maintenance: connect to server DC1

Check for duplicate SIDs on a domain controller named DC1:

security account maintenance: check duplicate SID
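Duplicate SIDs are worth checking on a schedule rather than only during recovery, since a second object carrying the same SID inherits every ACL entry granted to the first. The following PowerShell script is an added example, not code from this blog post or from Microsoft's documentation. It drives dsmgmt non-interactively by passing the menu commands from the table above as quoted command-line arguments (the same argument form ntdsutil accepts), names the log file explicitly with ‘log file’, and reports what was logged. The DC name DC1 is a placeholder, and the script assumes that ‘check duplicate SID’ writes any duplicates it finds to that log file.

```powershell
# Added example: run 'check duplicate SID' unattended and surface the findings.
# Assumes: run elevated on a DC or management host with dsmgmt.exe available,
# and that the check records duplicates in the configured log file.
$Dc      = 'DC1'                                   # placeholder DC name
$LogFile = Join-Path $env:TEMP 'dupsid.log'        # dupsid.log is also the tool's default name

# Start from a clean log so stale entries from an earlier run are not reported again.
Remove-Item -Path $LogFile -ErrorAction SilentlyContinue

# Each quoted argument is one line of input to the dsmgmt menu system; the two
# trailing quits leave the submenu and then the utility.
$output = & dsmgmt.exe 'security account management' `
    "log file $LogFile" `
    "connect to server $Dc" `
    'check duplicate SID' `
    quit quit 2>&1

# Keep the tool's own console output available for troubleshooting.
$output | ForEach-Object { Write-Verbose $_ -Verbose }

if (-not (Test-Path $LogFile)) {
    Write-Warning "No log file was written at $LogFile; dsmgmt may not have connected to $Dc. Review the output above."
    return
}

$entries = Get-Content $LogFile | Where-Object { $_ -match '\S' }
if ($entries) {
    # Only 'check' was run, so nothing has been deleted. Review before any cleanup:
    # 'cleanup duplicate SID' removes the duplicate objects outright.
    Write-Warning "$($entries.Count) duplicate-SID log entries for $Dc in $LogFile. Review them before running 'cleanup duplicate SID'."
    $entries
} else {
    Write-Host "No duplicate SIDs were logged for $Dc."
}
```

Because only the check is issued, the script is safe to run repeatedly (for example from a scheduled task); the destructive cleanup step is left for an operator who has read the log.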

↑ Up to command list

dsmgmt set DSRM password

Resets the Directory Services Restore Mode (DSRM) password on a domain controller. At the Reset DSRM Administrator Password: prompt, type any of the parameters listed in the syntax below.

Default ‘dsmgmt set DSRM password’ syntax

Reset Password on server %s

‘dsmgmt set DSRM password’ options

Description

Reset DSRM Administrator Password: Help Displays Help at the command prompt.
Reset DSRM Administrator Password: Reset Password on server %s Prompts for a new DSRM password for a domain controller. Use NULL as the domain controller name to reset the DSRM password on the current server. %s stands for an alphanumeric variable, such as a domain or domain controller name. After you enter this parameter, the Please type password for DS Restore Mode Administrator Account: prompt appears. At this prompt, type the desired new DSRM password.
Reset DSRM Administrator Password: Sync from domain account %s Perform one-time password synchronization from the specified user name %s from this Active Directory domain to the DSRM administrator account on the local computer. This parameter is available on domain controllers that run Windows Server 2008 R2 or Windows Server 2008 with Service Pack 3 or later or have installed hotfix 961320.
Reset DSRM Administrator Password: quit Takes you back to the previous menu, or exits the utility.
Reset DSRM Administrator Password: ? Displays Help at the command prompt.


↑ Up to command list

‘dsmgmt set DSRM password’ examples

Reset the DSRM password on a domain controller named DC2:

Reset DSRM Administrator Password: reset password on server DC2

↑ Up to command list

dsmod

Modifies an existing object of a specific type in the directory. Dsmod does not support the addition of security principals in one forest to groups that are located in another forest when a forest trust exists between both forests. You can use Active Directory Users and Computers to add security principals across a forest trust.

dsmod computer

Modifies attributes of one or more existing computers in the directory.

Default ‘dsmod computer’ syntax

dsmod computer <ComputerDN> ... [-desc <Description>] [-loc <Location>] [-disabled {yes | no}] [-reset] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

‘dsmod computer’ options

Description

dsmod computer -c Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not supply this parameter, dsmod exits when the first error occurs.
dsmod computer <ComputerDN> Required. Specifies the distinguished names of one or more computers that you want to modify. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command.
dsmod computer -d <Domain> Connects the computer to the domain that you specify. By default, dsmod connects the computer to the domain controller in the logon domain.
dsmod computer -desc Specifies the description of the computer object that you want to modify.
dsmod computer -disabled Displays the status of the computer accounts. Yes indicates that the account is disabled and no indicates that the account is enabled.
dsmod computer -loc Displays the locations of the computers.
dsmod computer -p {<Password> | *} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsmod prompts you for a password.
dsmod computer -q Suppresses all output to standard output (quiet mode).
dsmod computer -reset Resets computer accounts.
dsmod computer -s <Server> Connects the computer to the remote server that you specify. By default, dsmod connects the computer to the domain controller in the logon domain.
dsmod computer -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsmod computer -uc Specifies a Unicode format for input from or output to a pipe (|).
dsmod computer -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsmod computer -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsmod computer ? Shows the help message at the command prompt.


↑ Up to command list

‘dsmod computer’ examples

Disable multiple computer accounts:

dsmod computer CN=MemberServer1,CN=Computers,DC=Microsoft,DC=Com CN=MemberServer2,CN=Computers,DC=Microsoft,DC=Com -disabled yes

Reset multiple computer accounts:

dsmod computer CN=MemberServer1,CN=Computers,DC=Microsoft,DC=Com CN=MemberServer2,CN=Computers,DC=Microsoft,DC=Com -reset

↑ Up to command list

dsmod contact

Modifies attributes of one or more existing contacts in the directory.

Default ‘dsmod contact’ syntax

dsmod contact <ContactDN> ... [-fn <FirstName>] [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>] [-desc <Description>] [-office <Office>] [-tel <PhoneNumber>] [-email <Email>] [-hometel <HomePhoneNumber>] [-pager <PagerNumber>] [-mobile <CellPhoneNumber>] [-fax <FaxNumber>] [-iptel <IPPhoneNumber>] [-title <Title>] [-dept <Department>] [-company <Company>] [{-s <Server> | -d <Domain>}] [-u <UserName>][-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

‘dsmod contact’ options

Description

dsmod contact -c Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not supply this parameter, dsmod exits when the first error occurs.
dsmod contact -company <Company> Specifies the company information of the contact that you want to modify.
dsmod contact <ContactDN> Specifies the distinguished name of the contact that you want to modify, and since you can’t modify a contact without a name, this parameter is required.
dsmod contact -d <Domain> Connects to the specified domain. By default, dsmod connects the computer to the domain controller in the logon domain.
dsmod contact -dept <Department> Specifies the department of the contact that you want to modify.
dsmod contact -desc <Description> Specifies the description of the contact that you want to modify.
dsmod contact -display <DisplayName> Specifies the display name of the contact that you want to modify.
dsmod contact -email <Email> Specifies the e-mail address of the contact that you want to modify.
dsmod contact -fax <FaxNumber> Specifies the fax number of the contact that you want to modify.
dsmod contact -fn <FirstName> Specifies the first name of the contact that you want to modify.
dsmod contact -hometel <HomePhoneNumber> Specifies the home telephone number of the contact that you want to modify.
dsmod contact -iptel <IPPhoneNumber> Specifies the IP phone number of the contact that you want to modify.
dsmod contact -ln <LastName> Specifies the last name of the contact that you want to modify.
dsmod contact -mi <MiddleInitial> Specifies the middle initial of the contact that you want to modify.
dsmod contact -mobile <CellPhoneNumber> Specifies the mobile number of the contact that you want to modify.
dsmod contact -office <Office> Specifies the office location of the contact that you want to modify.
dsmod contact -p {<Password>|*} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsmod prompts you for a password.
dsmod contact -pager <PagerNumber> Specifies the pager number of the contact that you want to modify.
dsmod contact -q Suppresses all output to standard output (quiet mode).
dsmod contact -s <Server> Connects to the server specified. By default, dsmod connects the computer to the domain controller in the logon domain.
dsmod contact -tel <PhoneNumber> Specifies the telephone number of the contact that you want to modify.
dsmod contact -title <Title> Specifies the title of the contact that you want to modify.
dsmod contact -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: username (for example, Linda), domain\username (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsmod contact -uc Specifies a Unicode format for input from or output to a pipe (|).
dsmod contact -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsmod contact -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsmod contact /? Displays the help message.


↑ Up to command list

‘dsmod contact’ examples

Set the company information of multiple contacts:

dsmod contact "CN=Mike Danseglio,OU=Contacts,DC=Woodgrovebank,DC=Com" "CN=Denise Smith,OU=Contacts,DC=Woodgrovebank,DC=Com" -company Woodgrove Bank

↑ Up to command list

dsmod group

Modifies attributes of one or more existing groups in the directory.

Default ‘dsmod group’ syntax

dsmod group <GroupDN> ... [-samid <SAMName>] [-desc <Description>] [-secgrp {yes | no}] [-scope {l | g | u}] [{-addmbr | -rmmbr | -chmbr} <MemberDN> ...] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

‘dsmod group’ options

Description

dsmod group -addmbr <MemberDN> Specifies to add members to a group. MemberDN specifies the members that the operation affects. MemberDN specifies the distinguished names of one or more members for AD DS to add to the group that GroupDN specifies. You must give each member a distinguished name, for example, CN=Mike Danseglio,OU=Users,DC=Woodgrovebank,DC=Com. The list of members must follow the -addmbr parameters. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command. If you use GroupDN and MemberDN together, then dsmod takes only one parameter from stdin, which requires you to specify at least one parameter at the command prompt.
dsmod group -c Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not supply this parameter, dsmod exits when the first error occurs.
dsmod group -chmbr <MemberDN> Specifies to replace members in a group. MemberDN specifies the members that the operation affects. MemberDN specifies the distinguished names of one or more members for AD DS to replace in the group that GroupDN specifies. You must give each member a distinguished name, for example, CN=Mike Danseglio,OU=Users,DC=Woodgrovebank,DC=Com. The list of members must follow the -chmbr parameter. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command. If you use GroupDN and MemberDN together, then dsmod takes only one parameter from stdin, which requires you to specify at least one parameter at the command prompt.
dsmod group -d <Domain> Connects to the domain specified. By default, dsmod connects the computer to the domain controller in the logon domain.
dsmod group -desc <Description> Specifies the descriptions of the groups that you want to modify.
dsmod group <GroupDN> Specifies the distinguished name of the group that you want to modify, and since you can’t modify a group without a name, this parameter is required.
dsmod group -p {<Password>|*} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsmod prompts you for a password.
dsmod group -q Suppresses all output to standard output (quiet mode).
dsmod group -rmmbr <MemberDN> Specifies to remove members from a group. MemberDN specifies the members that the operation affects. MemberDN specifies the distinguished names of one or more members for AD DS to remove from the group that GroupDN specifies. You must give each member a distinguished name, for example, CN=Mike Danseglio,OU=Users,DC=Woodgrovebank,DC=Com. The list of members must follow the -rmmbr parameter. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command. If you use GroupDN and MemberDN together, then dsmod takes only one parameter from stdin, which requires you to specify at least one parameter at the command prompt.
dsmod group -s <Server> Connects the computer to the server specified.
dsmod group -samid Specifies the Security Account Manager (SAM) account names of the groups that you want to modify.
dsmod group -scope Sets the scope of the groups that you want to modify to local, global, or universal. If the domain is in mixed mode, then AD DS does not support universal scope. Also, it is not possible to convert a domain local group to a global group, or vice versa.
dsmod group -secgrp Sets the group types to security group (yes) or distribution group (no).
dsmod group -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), and user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsmod group -uc Specifies a Unicode format for input from or output to a pipe (|).
dsmod group -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsmod group -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsmod group /? Displays the help message.


↑ Up to command list

‘dsmod group’ examples

Add the user Mike Danseglio to all administrator distribution list groups:

dsquery group "OU=Distribution Lists,DC=Woodgrovebank,DC=com" -name adm* | dsmod group -addmbr "CN=Mike Danseglio,CN=Users,DC=Woodgrovebank,DC=com"

Add all members of the US Info group to the Canada Info group:

dsget group "CN=US INFO,OU=Distribution Lists,DC=Woodgrovebank,DC=com" -members | dsmod group "CN=CANADA INFO,OU=Distribution Lists,DC=Woodgrovebank,DC=com" -addmbr

Convert the group type of several groups from security to nonsecurity:

dsmod group "CN=US Info,OU=Distribution Lists,DC=Woodgrovebank,DC=Com" "CN=Canada Info,OU=Distribution Lists,DC=Woodgrovebank,DC=Com" "CN=Mexico Info,OU=Distribution Lists,DC=Woodgrovebank,DC=Com" -secgrp no

Add two new members to the group “CN=US Info,OU=Distribution Lists,DC=Woodgrovebank,DC=Com”:

dsmod group "CN=US Info,OU=Distribution Lists,DC=Woodgrovebank,DC=Com" -addmbr "CN=Mike Danseglio,CN=Users,DC=Woodgrovebank,DC=Com" "CN=Legal,OU=Distribution Lists,DC=Woodgrovebank,DC=Com" "CN=Denise Smith,CN=Users,DC=Woodgrovebank,DC=Com"

Add all users from the Marketing organizational unit (OU) to the existing group Marketing Staff:

dsquery user OU=Marketing,DC=Woodgrovebank,DC=Com | dsmod group "CN=Marketing Staff,OU=Marketing,DC=Woodgrovebank,DC=Com" -addmbr

Remove users in the Marketing organizational unit (OU) from the existing group Marketing Staff:

dsquery user OU=Marketing,DC=Woodgrovebank,DC=Com | dsmod group "CN=Marketing Staff,OU=Marketing,DC=Woodgrovebank,DC=Com" -rmmbr

Delete two members from the existing group “CN=US Info,OU=Distribution Lists,DC=Woodgrovebank,DC=Com”:

dsmod group "CN=US Info,OU=Distribution Lists,DC=Woodgrovebank,DC=Com" -rmmbr "CN=Mike Danseglio,CN=Users,DC=Woodgrovebank,DC=Com" "CN=Legal,OU=Distribution Lists,DC=Woodgrovebank,DC=Com"
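The dsquery | dsmod pipelines above change group membership in bulk with no record of what was added. The following PowerShell script is an added example, not code from this blog post or from Microsoft's documentation. It wraps the “add all users from the Marketing OU to Marketing Staff” pipeline from the examples above with dsget group -members snapshots taken before and after the change, so the operator sees the set of DNs about to be added, gets a diff of what actually changed, and has the matching -rmmbr command on file to reverse it. The group and OU distinguished names are the blog's sample values; the change-record path under %TEMP% is the script's own choice.

```powershell
# Added example: auditable bulk membership change built on dsquery, dsmod and dsget.
# Assumes the directory service command-line tools are on the path and the caller
# has write access to the group. DNs are the sample values used on this page.
$GroupDn  = 'CN=Marketing Staff,OU=Marketing,DC=Woodgrovebank,DC=Com'
$SourceOu = 'OU=Marketing,DC=Woodgrovebank,DC=Com'

function Get-GroupMemberDns([string]$Dn) {
    # dsget prints one quoted DN per line; drop the quotes and any blank lines.
    & dsget.exe group $Dn -members |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ }
}

$before = Get-GroupMemberDns $GroupDn

# Compute the candidate set first so nothing is written before it has been seen.
# -limit 0 lifts dsquery's default cap of 100 results.
$candidates = & dsquery.exe user $SourceOu -limit 0 |
    ForEach-Object { $_.Trim().Trim('"') } |
    Where-Object { $_ }
$new = @($candidates | Where-Object { $before -notcontains $_ })   # DN comparison is case-insensitive

Write-Host "$($new.Count) of $($candidates.Count) users in $SourceOu are not yet members of $GroupDn."
if ($new.Count -eq 0) { return }

# Feed the DNs to dsmod on stdin, re-quoted because they contain spaces.
# -c continues past a single bad DN; its error still goes to stderr.
$new | ForEach-Object { "`"$_`"" } | & dsmod.exe group $GroupDn -addmbr -c

# Diff the membership and store the reversal command alongside the change record.
$after = Get-GroupMemberDns $GroupDn
$added = @(Compare-Object $before $after |
    Where-Object SideIndicator -eq '=>' |
    Select-Object -ExpandProperty InputObject)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$record = Join-Path $env:TEMP "groupchange-$stamp.txt"
$quoted = ($added | ForEach-Object { "`"$_`"" }) -join ' '
@(
    "Group:    $GroupDn"
    "Added by: $env:USERDOMAIN\$env:USERNAME at $stamp"
    "Members added ($($added.Count)):"
    ($added | ForEach-Object { "  + $_" })
    'Reverse with:'
    "  dsmod group `"$GroupDn`" -rmmbr $quoted"
) | Set-Content -Path $record
Write-Host "Change record written to $record"
```

The same structure works for the -rmmbr example above by swapping the verbs: snapshot, remove, diff, and record the -addmbr command that would restore the removed members.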

↑ Up to command list

dsmod ou

Modifies attributes of one or more existing organizational units (OUs) in the directory.

Default ‘dsmod ou’ syntax

dsmod ou <OrganizationalUnitDN> [-desc <Description>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

‘dsmod ou’ options

Description

dsmod ou -c Reports errors, but continues with the next object in the argument list when you supply multiple target objects (continuous operation mode). If you do not supply this parameter, dsmod exits when the first error occurs.
dsmod ou -d <Domain> Connects to the domain specified. By default, dsmod connects the computer to the domain controller in the logon domain.
dsmod ou -desc <Description> Specifies the description of the OU that you want to modify.
dsmod ou <OrganizationalUnitDN> Specifies the distinguished name of the OU that you want to modify, and since you can’t modify an OU without a name, this parameter is required.
dsmod ou -p {<Password>|*} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsmod prompts you for a password.
dsmod ou -q Suppresses all output to standard output (quiet mode).
dsmod ou -s <Server> Connects the computer to the server specified.
dsmod ou -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), and user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsmod ou -uc Specifies a Unicode format for input from or output to a pipe (|).
dsmod ou -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsmod ou -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsmod ou /? Displays the help message.


↑ Up to command list

‘dsmod ou’ example

Change the description of several OUs simultaneously:

dsmod ou "OU=Domain Controllers,DC=Contoso,DC=Com" "OU=Resources,DC=Contoso,DC=Com" "OU=Troubleshooting,DC=Contoso,DC=Com" -desc "This is a test OU"

↑ Up to command list

dsmod partition

Modifies attributes of one or more existing partitions in the directory. The tombstone quota weight for a given directory partition (set with the -qtmbstnwt option) is an attribute (that is, ms-DS-Tombstone-Quota-Factor) of a special container of class (that is, ms-DS-Quota-Container), specified by CN=NTDS Quotas,<DirectoryPartitionRootDN>.

Default ‘dsmod partition’ syntax

dsmod partition <PartitionDN> ... [-qdefault <Value>] [-qtmbstnwt <Percent>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

‘dsmod partition’ options

Description

dsmod partition -c Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not supply this parameter, dsmod exits when the first error occurs.
dsmod partition -d <domain> Connects a computer to the domain that you specify. By default, dsmod connects the computer to the domain controller in the logon domain.
dsmod partition <PartitionDN> Specifies the distinguished names of one or more directory partitions that you want to modify. If values are omitted, they are obtained through standard input (STDIN) to support piping of output from another command to input of this command.
dsmod partition -p {<Password> | *} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsmod prompts you for a password.
dsmod partition -q Suppresses all output to standard output (quiet mode).
dsmod partition -qdefault <value> Specifies that the default quota for the directory partition be set to value. The default quota applies to any security principal (user, group, computer or inetOrgPerson) who owns an object in the directory partition, if no quota specification exists that governs the security principal. To specify an unlimited quota, use a value of -1.
dsmod partition -qtmbstnwt <Percent> Required. Sets the percentage by which tombstone object count should be reduced when calculating quota usage. You must specify a value between 0 and 100 for percent. For example, a value of 25 means that a tombstone object counts as 25% of a normal object when AD DS calculates quota use. If you assign a quota of 100 to a user, that user can own a maximum of 100 normal objects or 400 tombstone objects in AD DS.
dsmod partition -s <Server> Connects a computer to the remote server that you specify. By default, dsmod connects the computer to the domain controller in the logon domain.
dsmod partition -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsmod partition -uc Specifies a Unicode format for input from or output to a pipe (|).
dsmod partition -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsmod partition -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsmod partition /? Displays help at the command prompt.


↑ Up to command list

‘dsmod partition’ example

Change the default quota limit for a directory partition named NC1 to a value of 1000:

dsmod partition NC1 -qdefault 1000

↑ Up to command list

dsmod quota

Modifies attributes of one or more existing quota specifications in the directory.

Default ‘dsmod quota’ syntax

dsmod quota <QuotaDN> ... [-qlimit <Value>] [-desc <Description>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

‘dsmod quota’ options

Description

dsmod quota -c Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not supply this parameter, dsmod quits after the first error occurs.
dsmod quota -d <domain> Connects a computer to the domain that you specify. By default, dsmod connects the computer to the domain controller in the logon domain.
dsmod quota -desc <Description> Specifies the description of the quota specification that you want to modify.
dsmod quota -p {<Password> | *} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsmod prompts you for a password.
dsmod quota -q Suppresses all output to standard output (quiet mode).
dsmod quota -qlimit <Value> Displays the quota limits for the specified quotas. An unlimited quota appears as “-1“.
dsmod quota <QuotaDN> Required. Specifies the distinguished names of one or more quota specifications that you want to modify. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command.
dsmod quota -s <Server> Connects a computer to the remote server that you specify. By default, dsmod connects the computer to the domain controller in the logon domain.
dsmod quota -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsmod quota -uc Specifies a Unicode format for input from or output to a pipe (|).
dsmod quota -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsmod quota -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsmod quota /? Displays help at the command prompt.


↑ Up to command list

‘dsmod quota’ example

Change the quota limit for a quota named DN1 to a value of 100:

dsmod quota DN1 -qlimit 100

↑ Up to command list

dsmod server

Modifies properties of a domain controller.

Default ‘dsmod server’ syntax

dsmod server <ServerDN> ... [-desc <Description>] [-isgc {yes | no}] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

‘dsmod server’ options

Description

dsmod server -c Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not supply this parameter, dsmod exits when the first error occurs.
dsmod server -d <domain> Connects a computer to the domain that you specify. By default, dsmod connects the computer to the domain controller in the logon domain.
dsmod server -desc Specifies the description of the server that you want to modify.
dsmod server -isgc {yes | no} Adds the global catalog to (yes) or removes it from (no) a domain controller.
dsmod server -p {<Password> | *} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsmod prompts you for a password.
dsmod server -q Suppresses all output to standard output (quiet mode).
dsmod server -s <Server> Connects a computer to the remote server that you specify. By default, dsmod connects the computer to the domain controller in the logon domain.
dsmod server <ServerDN> Required. Specifies the distinguished names of one or more servers that you want to modify. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command.
dsmod server -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsmod server -uc Specifies a Unicode format for input from or output to a pipe (|).
dsmod server -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsmod server -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsmod server /? Displays help at the command prompt.


↑ Up to command list

‘dsmod server’ example

Configure the domain controllers CORPDC1 and CORPDC9 to become global catalog servers:

dsmod server "CN=CORPDC1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=Microsoft,DC=Com" "CN=CORPDC9,CN=Servers,CN=Site2,CN=Sites,CN=Configuration,DC=Microsoft,DC=Com" -isgc yes

↑ Up to command list

dsmod user

Modifies attributes of one or more existing users in the directory. You can use the token $username$ (case insensitive) to replace the Security Accounts Manager (SAM) account name in the value of the -webpg, -profile, -hmdir, and -email parameters. For example, if a SAM account name is Denise, you can use either of the following formats for the -hmdir location parameter:

-hmdir \users\Denise\home

-hmdir \users\$username$\home

Default ‘dsmod user’ syntax

dsmod user <UserDN> ... [-upn <UPN>] [-fn <FirstName>] [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>] [-empid <EmployeeID>] [-pwd (<Password> | *)] [-desc <Description>] [-office <Office>] [-tel <PhoneNumber>] [-email <E-mailAddress>] [-hometel <HomePhoneNumber>] [-pager <PagerNumber>] [-mobile <CellPhoneNumber>] [-fax <FaxNumber>] [-iptel <IPPhoneNumber>] [-webpg <WebPage>] [-title <Title>] [-dept <Department>] [-company <Company>] [-mgr <Manager>] [-hmdir <HomeDirectory>] [-hmdrv <DriveLetter>:] [-profile <ProfilePath>] [-loscr <ScriptPath>] [-mustchpwd {yes | no}] [-canchpwd {yes | no}] [-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}] [-acctexpires <NumberOfDays>] [-disabled {yes | no}] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}][-c] [-q] [{-uc | -uco | -uci}]

‘dsmod user’ options

Description

dsmod user -acctexpires <NumberOfDays> Specifies the number of days from today after which the user accounts expire. A value of 0 sets expiration at the end of today; a positive value (for example, 5) sets expiration that many days in the future; a negative value (for example, -5) sets expiration that many days in the past, which makes the account unusable for logon immediately. The value never sets the account to never expire.
dsmod user -c Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not supply this parameter, dsmod exits when the first error occurs.
dsmod user -canchpwd {yes | no} Specifies whether users can change their passwords. The available values are yes and no. Yes indicates that users can change their passwords and no indicates that they cannot change their passwords. The value of this parameter must be yes if the value of the -mustchpwd parameter is yes.
dsmod user -company <Company> Specifies the company information of the user objects you want to modify.
dsmod user -d <Domain> Connects a computer to the domain that you specify. By default, dsmod connects the computer to the domain controller in the logon domain.
dsmod user -dept <Department> Specifies the departments of the user objects you want to modify.
dsmod user -desc <Description> Specifies the descriptions of the user objects you want to modify.
dsmod user -disabled {yes | no} Specifies whether AD DS disables user accounts for logon. The available values are yes and no. Yes indicates that AD DS disables user accounts for logon and no indicates that AD DS does not disable user accounts for logon.
dsmod user -display <DisplayName> Specifies the display names of the user objects you want to modify.
dsmod user -email <Email> Specifies the e-mail addresses of the user objects you want to modify.
dsmod user -empid <EmployeeID> Specifies the employee IDs of the user objects you want to modify.
dsmod user -fax <FaxNumber> Specifies the fax numbers of the user objects you want to modify.
dsmod user -fn <FirstName> Specifies the first names of the user objects you want to modify.
dsmod user -hmdir <HomeDirectory> Specifies the home directory locations of the user objects you want to modify. If HomeDirectory is given as a UNC name, you must specify a mapped drive to this path by using the -hmdrv parameter.
dsmod user -hmdrv <DriveLetter> Specifies the home directory drive letters (for example, E:) of the user objects you want to modify.
dsmod user -hometel <HomePhoneNumber> Specifies the home telephone numbers of the user objects you want to modify.
dsmod user -iptel <IPPhoneNumber> Specifies the IP phone numbers of the user objects you want to modify.
dsmod user -ln <LastName> Specifies the last names of the user objects you want to modify.
dsmod user -loscr <ScriptPath> Specifies the logon script paths of the user objects you want to modify.
dsmod user -mgr <Manager> Specifies the distinguished names of the managers of the user objects you want to modify. You can only use the distinguished name format to specify the manager.
dsmod user -mi <Initial> Specifies the middle initials of the user objects you want to modify.
dsmod user -mobile <CellPhoneNumber> Specifies the cell numbers of the user objects you want to modify.
dsmod user -mustchpwd {yes | no} Specifies whether users must change their passwords when they next log on. The available values are yes and no. Yes indicates that users must change their passwords and no indicates that they do not have to change their passwords.
dsmod user -office <Office> Specifies the office locations of the user objects you want to modify.
dsmod user -p {<Password> | *} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsmod prompts you for a password.
dsmod user -pager <PagerNumber> Specifies the pager numbers of the user objects you want to modify.
dsmod user -profile <ProfilePath> Specifies the profile paths of the user objects you want to modify.
dsmod user -pwd {<Password> | *} Resets the passwords for the users that you want to modify as Password or an asterisk (*). If you type *, AD DS prompts you for a user password.
dsmod user -pwdneverexpires {yes | no} Specifies whether user passwords never expire. The available values are yes and no. Yes indicates that user passwords never expire and no indicates that user passwords expire according to the domain password policy.
dsmod user -q Suppresses all output to standard output (quiet mode).
dsmod user -reversiblepwd {yes | no} Specifies whether AD DS stores user passwords by using reversible encryption. The available values are yes and no. Yes indicates that AD DS stores user passwords by using reversible encryption and no indicates that it does not. Reversible encryption exists only for authentication protocols that need the cleartext password (such as CHAP and Digest authentication); anyone who can read the attribute from the directory can recover the password, so leave this set to no unless a specific application requires it.
dsmod user -s <Server> Connects a computer to the remote server that you specify. By default, dsmod connects the computer to the domain controller in the logon domain.
dsmod user -tel <PhoneNumber> Specifies the telephone numbers of the user objects you want to modify.
dsmod user -title <Title> Specifies the titles of the user objects you want to modify.
dsmod user -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com)
dsmod user -uc Specifies a Unicode format for input from or output to a pipe (|).
dsmod user -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsmod user -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsmod user -upn <UPN> Specifies the user principal names (UPNs) of the users that you want to modify, for example, Linda@widgets.woodgrovebank.com.
dsmod user <UserDN> Required. Specifies the distinguished names of the users that you want to modify. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command.
dsmod user -webpg <WebPage> Specifies the Web page URLs of the user objects you want to modify.
dsmod user /? Displays help at the command prompt.


↑ Up to command list

dsmod user examples

Reset the password for Don Funk and force him to change his password when he next logs on:

dsmod user "CN=Don Funk,CN=Users,DC=Woodgrovebank,DC=Com" -pwd A1b2C3d4 -mustchpwd yes

Reset multiple user passwords to a common password and force users to change their passwords when they next log on:

dsmod user "CN=Don Funk,CN=Users,DC=Woodgrovebank,DC=Com" "CN=Denise Smith,CN=Users,DC=Woodgrovebank,DC=Com" -pwd A1b2C3d4 -mustchpwd yes

Note that a password passed on the command line as in these two examples is visible to anyone who can list the process's command line while it runs, and it remains in the command history and in any script or log that captured it. Use -pwd * instead so that dsmod prompts for the password; -mustchpwd yes then limits the exposure of the temporary password to a single logon.

Disable multiple user accounts simultaneously:

dsmod user "CN=Don Funk,CN=Users,DC=Woodgrovebank,DC=Com" "CN=Denise Smith,CN=Users,DC=Woodgrovebank,DC=Com" -disabled yes

Modify the profile path of multiple users to a common path using the $username$ token:

dsmod user "CN=Don Funk,CN=Users,DC=Woodgrovebank,DC=Com" "CN=Denise Smith,CN=Users,DC=Woodgrovebank,DC=Com" -profile \users\$username$\profile
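Because dsmod user can clear the two risky password settings listed in the options table (-reversiblepwd and -pwdneverexpires) for many accounts at once, the following added example (PowerShell; not code from the original page) first audits for them and then remediates. It uses dsquery *, the general-purpose query form mentioned in the dsquery introduction, with an LDAP bitwise filter on userAccountControl (bit 128 is "store password using reversible encryption", bit 65536 is "password never expires"), and reads the flags back with dsget user to confirm the change. The OU distinguished name is an assumption.

```powershell
# Added example, not from the original page. Finds users under an OU whose
# userAccountControl has "store password with reversible encryption" (bit 128)
# or "password never expires" (bit 65536) set, then clears both with dsmod user.
# Assumptions: the OU DN is hypothetical; 'dsquery *' with -filter is the
# general-purpose query form mentioned in the dsquery introduction.
$searchBase = "OU=Staff,DC=Woodgrovebank,DC=Com"
$apply      = $false   # set to $true to actually change the directory

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests individual bits.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(|(userAccountControl:1.2.840.113556.1.4.803:=128)" +
          "(userAccountControl:1.2.840.113556.1.4.803:=65536)))"

# -limit 0 lifts the default cap of 100 results; output is one quoted DN per line.
$hits = dsquery * $searchBase -scope subtree -filter $filter -limit 0
if (-not $hits) { Write-Host "No users with weak password settings under $searchBase"; return }

# Show the current flags so the change is reviewable before it is made.
$hits | dsget user -samid -reversiblepwd -pwdneverexpires

if ($apply) {
    # -c keeps going past per-object errors instead of stopping at the first one.
    $hits | dsmod user -reversiblepwd no -pwdneverexpires no -c
    # Read the flags back to confirm the change on the DC that was queried.
    $hits | dsget user -samid -reversiblepwd -pwdneverexpires
}
```

Run it once with $apply left at $false to review the list, then flip it to $true. The dsquery, dsmod and dsget calls all default to a domain controller in the logon domain; add -s <Server> to each if you need to target a specific DC.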

↑ Up to command list

dsmove

Moves a single object, within a domain, from its current location in the directory to a new location, or renames a single object without moving it in the directory tree.

Default dsmove syntax

dsmove <ObjectDN> [-newname <NewRDN>] [-newparent <ParentDN>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

dsmove options

Description

dsmove -d <domain> Connects a computer to the domain that you specify. By default, dsmove connects the computer to the domain controller in the logon domain.
dsmove -newname <NewRDN> Renames the object that you specify with a new relative distinguished name.
dsmove -newparent <ParentDN> Specifies a new location for the object that you want to move. To specify the new location, you supply the distinguished name of the object’s new parent.
dsmove <ObjectDN> Required. Specifies the distinguished name of the object that you want to move or rename. If the value is omitted, it is obtained through standard input (stdin) to support piping of output from another command to input of this command.
dsmove -p {<Password> | *} Specifies to use a password or an asterisk (*) to log on to a remote server. If you type *, dsmove prompts you for a password.
dsmove -q Suppresses all output to standard output (quiet mode).
dsmove -s <Server> Connects a computer to the remote server that you specify. By default, dsmove connects the computer to the domain controller in the logon domain.
dsmove -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com)
dsmove -uc Specifies a Unicode format for input from or output to a pipe (|).
dsmove -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsmove -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsmove /? Displays help at the command prompt.

↑ Up to command list

dsmove examples

Rename a user object from Kim Akers to Kim Ralls:

dsmove "CN=Kim Akers,OU=Sales,DC=Woodgrovebank,DC=Com" -newname "Kim Ralls"

Move the user object for Kim Akers from the Sales organization to the Marketing organization:

dsmove "CN=Kim Akers,OU=Sales,DC=Woodgrovebank,DC=Com" -newparent OU=Marketing,DC=Woodgrovebank,DC=Com

Combine these rename and move operations:

dsmove "CN=Kim Akers,OU=Sales,DC=Woodgrovebank,DC=Com" -newparent OU=Marketing,DC=Woodgrovebank,DC=Com -newname "Kim Ralls"

↑ Up to command list

dsquery

Queries the directory by using search criteria that you specify. Each dsquery subcommand finds objects of one specific type (computer, contact, group, ou, partition, quota, server, site, or user), with the exception of dsquery *, which can query for any type of object by using an LDAP filter. dsquery selects objects according to their attribute values but prints only an identifier for each match (by default the distinguished name); to read the attributes of the objects it returns, pipe its output to dsget.

The results from a dsquery search can be piped as input to one of the other directory service command-line tools, such as dsget, dsmod, dsmove, and dsrm.

dsquery computer

Finds computers in the directory that match search criteria that you specify.

Default ‘dsquery computer’ syntax

dsquery computer [{<StartNode> | forestroot | domainroot}] [-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}] [-name <Name>] [-desc <Description>] [-samid <SAMName>] [-inactive <NumberOfWeeks>] [-stalepwd <NumberOfDays>] [-disabled] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumberOfObjects>] [{-uc | -uco | -uci}]

‘dsquery computer’ options

Description

dsquery computer -d <Domain> Connects the computer to the domain that you specify. By default, dsquery connects the computer to the domain controller in the logon domain.
dsquery computer -desc <Description> Searches for computers whose description attributes match <Description>. For example, “jon*”, “*ith”, or “j*th”.
dsquery computer -disabled Searches for all computers whose accounts are disabled.
dsquery computer -gc Specifies that the search use the Active Directory global catalog.
dsquery computer -inactive <NumberOfWeeks> Searches for computers that have been inactive (stale) for the number of weeks that you specify. Inactivity is judged from the replicated lastLogonTimestamp attribute, which is only refreshed when the stored value is roughly two weeks old, so treat the result as approximate rather than exact.
dsquery computer -limit <NumberOfObjects> Specifies the number of objects to return that matches the criteria that you specify. If you specify a value of 0 for NumberOfObjects, this parameter returns all matching objects. If you do not specify this parameter, dsquery displays the first 100 results by default.
dsquery computer -name <Name> Searches for computers whose name attributes (value of CN attribute) match Name. For example, “jon*” or “*ith” or “j*th”.
dsquery computer -o {dn | rdn | samid} Specifies the format that dsquery uses to display the search results. A dn value displays the distinguished name of each entry. An rdn value displays the relative distinguished name of each entry. A samid value displays the Security Accounts Manager (SAM) account name of each entry. The default value is dn.
dsquery computer -p {<Password> | *} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsquery prompts you for a password.
dsquery computer -q Suppresses all output to standard output (quiet mode).
dsquery computer -r Specifies that the search use recursion or follow referrals during search. By default, the search will not follow referrals.
dsquery computer -s <Server> Connects the computer to the remote server that you specify. By default, dsquery connects the computer to the domain controller in the logon domain.
dsquery computer -samid <SAMName> Searches for computers whose SAM account names match SAMName.
dsquery computer -scope {subtree | onelevel | base} Specifies the scope of the search. A subtree value specifies a subtree that is rooted at the start node in the console tree. A onelevel value specifies the immediate children of the start node only. A base value specifies the single object that the start node represents. If you specify forestroot as the start node (<StartNode>), subtree is the only valid scope. The default value is subtree.
dsquery computer -stalepwd <NumberOfDays> Searches for computers whose passwords have not changed for the number of days specified.
dsquery computer {<StartNode> | forestroot | domainroot} Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot), domain root (domainroot), or distinguished name of a node as the StartNode. If you specify forestroot, dsquery searches by using the global catalog. The default value is domainroot.
dsquery computer -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsquery computer -uc Specifies a Unicode format for input from or output to a pipe (|).
dsquery computer -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsquery computer -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsquery computer /? Displays help at the command prompt.


↑ Up to command list

‘dsquery computer’ examples

Find all computers in the current domain whose names start with “ms” and whose descriptions start with “desktop”:

dsquery computer domainroot -name ms* -desc desktop*

Find all computers in the organizational unit (OU) that you specify in OU=Sales,dc=woodgrovebank,DC=Com, and then display their distinguished names:

dsquery computer OU=Sales,DC=woodgrovebank,DC=Com

↑ Up to command list

dsquery contact

Finds contacts in the directory that match search criteria that you specify.

Default ‘dsquery contact’ syntax

dsquery contact [{<StartNode> | forestroot | domainroot}] [-o {dn | rdn}] [-scope {subtree | onelevel | base}] [-name <Name>] [-desc <Description>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumberOfObjects>] [{-uc | -uco | -uci}]

‘dsquery contact’ options

Description

dsquery contact -d <Domain> Connects the computer to the domain that you specify. By default, dsquery connects the computer to the domain controller in the logon domain.
dsquery contact -desc <Description> Searches for contacts whose description attributes match <Description>. For example, “jon*”, “*ith”, or “j*th”.
dsquery contact -gc Specifies that the search use the Active Directory global catalog.
dsquery contact -limit <NumberOfObjects> Specifies the number of objects to return that matches the criteria that you specify. If you specify a value of 0 for NumberOfObjects, this parameter returns all matching objects. If you do not specify this parameter, dsquery displays the first 100 results by default.
dsquery contact -name <Name> Searches for contacts whose name attributes (value of CN attribute) match Name. For example, “jon*” or “*ith” or “j*th”.
dsquery contact -o {dn | rdn} Specifies the format that dsquery uses to display the search results. A dn value displays the distinguished name of each entry. An rdn value displays the relative distinguished name of each entry.
dsquery contact -p {<Password> | *} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsquery prompts you for a password.
dsquery contact -q Suppresses all output to standard output (quiet mode).
dsquery contact -r Specifies that the search use recursion or follow referrals during search. By default, the search will not follow referrals.
dsquery contact -s <Server> Connects the computer to the remote server that you specify. By default, dsquery connects the computer to the domain controller in the logon domain.
dsquery contact -scope {subtree | onelevel | base} Specifies the scope of the search. A subtree value specifies a subtree that is rooted at the start node in the console tree. A onelevel value specifies the immediate children of the start node only. A base value specifies the single object that the start node represents. If you specify forestroot as the start node (<StartNode>), subtree is the only valid scope. The default value is subtree.
dsquery contact {<StartNode> | forestroot | domainroot} Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot), domain root (domainroot), or distinguished name of a node as the StartNode. If you specify forestroot, dsquery searches by using the global catalog. The default value is domainroot.
dsquery contact -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsquery contact -uc Specifies a Unicode format for input from or output to a pipe (|).
dsquery contact -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsquery contact -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsquery contact /? Displays help at the command prompt.


↑ Up to command list

‘dsquery contact’ examples

Find all contacts in the current domain whose names start with “te”, and then display their distinguished names:

dsquery contact domainroot -name te*

Find all contacts in the organizational unit (OU) that you specify in OU=Sales,DC=woodgrovebank,DC=Com, and then display their distinguished names:

dsquery contact OU=Sales,DC=woodgrovebank,DC=Com

↑ Up to command list

dsquery group

Finds groups in the directory that match the search criteria that you specify. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.

Default ‘dsquery group’ syntax

dsquery group [{<StartNode> | forestroot | domainroot}] [-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}] [-name <Filter>] [-desc <Filter>] [-samid <Filter>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumberOfObjects>] [{-uc | -uco | -uci}]

‘dsquery group’ options

Description

dsquery group -d <Domain> Connects the computer to the domain that you specify. By default, dsquery connects the computer to the domain controller in the logon domain.
dsquery group -desc <Description> Searches for groups whose description attributes match <Description>. For example, “jon*”, “*ith”, or “j*th”.
dsquery group -gc Specifies that the search use the Active Directory global catalog.
dsquery group -limit <NumberOfObjects> Specifies the number of objects to return that matches the criteria that you specify. If you specify a value of 0 for NumberOfObjects, this parameter returns all matching objects. If you do not specify this parameter, dsquery displays the first 100 results by default.
dsquery group -name <Name> Searches for groups whose name attributes (value of CN attribute) match Name. For example, “jon*” or “*ith” or “j*th”.
dsquery group -o {dn | rdn | samid} Specifies the format that dsquery uses to display the search results. A dn value displays the distinguished name of each entry. An rdn value displays the relative distinguished name of each entry. A samid value displays the Security Accounts Manager (SAM) account name of each entry. The default value is dn.
dsquery group -p {<Password> | *} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsquery prompts you for a password.
dsquery group -q Suppresses all output to standard output (quiet mode).
dsquery group -r Specifies that the search use recursion or follow referrals during search. By default, the search will not follow referrals.
dsquery group -s <Server> Connects the computer to the remote server that you specify. By default, dsquery connects the computer to the domain controller in the logon domain.
dsquery group -samid <SAMName> Searches for groups whose SAM account names match SAMName.
dsquery group -scope {subtree | onelevel | base} Specifies the scope of the search. A subtree value specifies a subtree that is rooted at the start node in the console tree. A onelevel value specifies the immediate children of the start node only. A base value specifies the single object that the start node represents. If you specify forestroot as the start node (<StartNode>), subtree is the only valid scope. The default value is subtree.
dsquery group {<StartNode> | forestroot | domainroot} Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot), domain root (domainroot), or distinguished name of a node as the StartNode. If you specify forestroot, dsquery searches by using the global catalog. The default value is domainroot.
dsquery group -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsquery group -uc Specifies a Unicode format for input from or output to a pipe (|).
dsquery group -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsquery group -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsquery group /? Displays help at the command prompt.


↑ Up to command list

‘dsquery group’ examples

Find all groups in the current domain whose names start with “ms” and whose descriptions start with “admin”, and then display their distinguished names:

dsquery group domainroot -name ms* -desc admin*

Find all groups in the domain DC=Woodgrovebank,DC=Com, and then display their distinguished names:

dsquery group DC=Woodgrovebank,DC=Com
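The introduction to dsquery notes that its results can be piped to the other directory service tools. The following added example (PowerShell; not code from the original page) applies that to a privileged-group review: it lists every group in the current domain whose name matches a pattern and then expands each group's membership with dsget group, nested groups included, which is where unexpected effective membership usually hides. The name pattern is illustrative.

```powershell
# Added example, not from the original page. Enumerates groups in the current
# domain whose names match a pattern and expands their membership, nested
# groups included, so privileged-group membership can be reviewed.
# Assumption: the name pattern is illustrative; dsget group is the companion
# read tool mentioned in the dsquery introduction.
$pattern = "*admin*"

# domainroot searches the whole domain; -limit 0 removes the default 100-result cap
# that would otherwise silently truncate the list in a large domain.
$groups = dsquery group domainroot -name $pattern -limit 0
if (-not $groups) { Write-Host "No groups matching $pattern"; return }

foreach ($dn in $groups) {
    Write-Host "`n$dn"
    # -members lists direct members; -expand follows nested groups recursively,
    # so a user who is a member of a member group still shows up here.
    $dn | dsget group -members -expand
}
```

Because dsquery defaults to the logon domain's domain controller, groups in other domains of the forest are not covered; searching forestroot would find them through the global catalog, but dsget would then need -s or -d pointing at a DC in the owning domain to read the membership.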

↑ Up to command list

dsquery ou

Finds organizational units (OUs) in the directory that match the search criteria that you specify. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.

Default ‘dsquery ou’ syntax

dsquery ou [{<StartNode> | forestroot | domainroot}] [-o {dn | rdn}][-scope {subtree | onelevel | base}][-name <Name>] [-desc <Description>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumberOfObjects>] [{-uc | -uco | -uci}]

‘dsquery ou’ options

Description

dsquery ou -d <Domain> Connects the computer to the domain that you specify. By default, dsquery connects the computer to the domain controller in the logon domain.
dsquery ou -desc <Description> Searches for OUs whose description attributes match <Description>. For example, “jon*”, “*ith”, or “j*th”.
dsquery ou -gc Specifies that the search use the Active Directory global catalog.
dsquery ou -limit <NumberOfObjects> Specifies the number of objects to return that matches the criteria that you specify. If you specify a value of 0 for NumberOfObjects, this parameter returns all matching objects. If you do not specify this parameter, dsquery displays the first 100 results by default.
dsquery ou -name <Name> Searches for OUs whose name attributes (value of OU attribute) match Name. For example, “jon*” or “*ith” or “j*th”.
dsquery ou -o {dn | rdn} Specifies the format that dsquery uses to display the search results. A dn value displays the distinguished name of each entry. An rdn value displays the relative distinguished name of each entry.
dsquery ou -p {<Password> | *} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsquery prompts you for a password.
dsquery ou -q Suppresses all output to standard output (quiet mode).
dsquery ou -r Specifies that the search use recursion or follow referrals during search. By default, the search will not follow referrals.
dsquery ou -s <Server> Connects the computer to the remote server that you specify. By default, dsquery connects the computer to the domain controller in the logon domain.
dsquery ou -scope {subtree | onelevel | base} Specifies the scope of the search. A subtree value specifies a subtree that is rooted at the start node in the console tree. A onelevel value specifies the immediate children of the start node only. A base value specifies the single object that the start node represents. If you specify forestroot as the start node (<StartNode>), subtree is the only valid scope. The default value is subtree.
dsquery ou {<StartNode> | forestroot | domainroot} Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot), domain root (domainroot), or distinguished name of a node as the StartNode. If you specify forestroot, dsquery searches by using the global catalog. The default value is domainroot.
dsquery ou -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsquery ou -uc Specifies a Unicode format for input from or output to a pipe (|).
dsquery ou -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsquery ou -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsquery ou /? Displays help at the command prompt.


↑ Up to command list

‘dsquery ou’ examples

Find all OUs in the current domain whose names start with “ms” and whose descriptions start with “sales,” and then display their distinguished names:

dsquery ou domainroot -name ms* -desc sales*

Find all OUs in the domain that you specify in DC=Woodgrovebank,DC=Com, and then display their distinguished names:

dsquery ou DC=Woodgrovebank,DC=Com

↑ Up to command list

dsquery partition

Finds partition objects in the directory that match the search criteria that you specify. If the predefined search criteria in this command are insufficient, then use the more general version of the query command, dsquery *.

Default ‘dsquery partition’ syntax

dsquery partition [-o {dn | rdn}] [-part <Filter>] [{-s <Server> | -d <Domain>}][-u <UserName>] [-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumberOfObjects>] [{-uc | -uco | -uci}]

‘dsquery partition’ options

Description

dsquery partition -d <Domain> Connects the computer to the domain that you specify. By default, dsquery connects the computer to the domain controller in the logon domain.
dsquery partition -gc Specifies that the search use the Active Directory global catalog.
dsquery partition -limit <NumberOfObjects> Specifies the number of objects to return that matches the criteria that you specify. If you specify a value of 0 for NumberOfObjects, this parameter returns all matching objects. If you do not specify this parameter, dsquery displays the first 100 results by default.
dsquery partition -o {dn | rdn} Specifies the format that dsquery uses to display the search results. A dn value displays the distinguished name of each entry. An rdn value displays the relative distinguished name of each entry.
dsquery partition -p {<Password> | *} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsquery prompts you for a password.
dsquery partition -part <Filter> Searches for partitions whose common name (CN) matches the filter value specified.
dsquery partition -q Suppresses all output to standard output (quiet mode).
dsquery partition -r Specifies that the search use recursion or follow referrals during search. By default, the search will not follow referrals.
dsquery partition -s <Server> Connects the computer to the remote server that you specify. By default, dsquery connects the computer to the domain controller in the logon domain.
dsquery partition -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsquery partition -uc Specifies a Unicode format for input from or output to a pipe (|).
dsquery partition -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsquery partition -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsquery partition /? Displays help at the command prompt.


↑ Up to command list

dsquery partition examples

List the distinguished names of all directory partitions in the current forest:

dsquery partition

List the distinguished names of all directory partitions in the forest whose common name begins with SQL:

dsquery partition -part SQL*

↑ Up to command list

dsquery quota

Finds quota specifications in the directory that match the search criteria that you specify. A quota specification determines the maximum number of directory objects that a security principal can own in a directory partition that you specify. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.

Default ‘dsquery quota’ syntax

dsquery quota {domainroot | <ObjectDN>} [-o {dn | rdn}] [-acct <Name>] [-qlimit <Filter>] [-desc <Description>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumberOfObjects>] [{-uc | -uco | -uci}]

‘dsquery quota’ options

Description

dsquery quota -acct <Name> Specifies to find the quota specifications that are assigned to the security principal (user, group, computer, or InetOrgPerson) that Name represents. You can use the distinguished name of the security principal or the Domain\SAMAccountName of the security principal to specify the -acct parameter.
dsquery quota -d <domain> Connects a computer to the domain that you specify. By default, dsquery connects the computer to the domain controller in the logon domain.
dsquery quota -desc <Description> Searches for quota objects that have description attributes that match Description, for example, “jon*”, “*ith”, or “j*th”.
dsquery quota {domainroot | <ObjectDN>} Required. Specifies where the search begins. Use ObjectDN to specify the distinguished name (also known as DN) or use domainroot to specify the root of the current domain.
dsquery quota -gc Specifies that the search use the Active Directory global catalog.
dsquery quota -limit <NumberOfObjects> Specifies the number of objects to return that matches the criteria that you specify. If you specify a value of 0 for NumberOfObjects, this parameter returns all matching objects. If you do not specify this parameter, dsquery displays the first 100 results by default.
dsquery quota -o {dn | rdn} Specifies the format that dsquery uses to display the search results. Dn displays the distinguished name of each entry. This is the default value. Rdn displays the relative distinguished name of each entry.
dsquery quota -p {<Password> | *} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsquery prompts you for a password.
dsquery quota -q Suppresses all output to standard output (quiet mode).
dsquery quota -qlimit <Filter> Specifies to find quota specifications whose limit matches Filter.
dsquery quota -s <Server> Connects a computer to the remote server that you specify. By default, dsquery connects the computer to the domain controller in the logon domain.
dsquery quota -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsquery quota -uc Specifies a Unicode format for input from or output to a pipe (|).
dsquery quota -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsquery quota -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsquery quota /? Displays help at the command prompt.

↑ Up to command list

‘dsquery quota’ examples

List the accounts in the current domain that have quota specifications assigned to them:

dsquery quota domainroot

List the quota specifications assigned to users named Jon in the SALES domain partition:

dsquery user -name jon* | dsquery quota domainroot -acct

↑ Up to command list

dsquery server

Finds domain controllers that match search criteria that you specify. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.

Default ‘dsquery server’ syntax

dsquery server [-o {dn | rdn}] [-forest] [-domain <DomainName>] [-site <SiteName>] [-name <Name>] [-desc <Description>] [-hasfsmo {schema | name | infr | pdc | rid}] [-isgc] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumberOfObjects>] [{-uc | -uco | -uci}]

‘dsquery server’ options

Description

dsquery server -d <domain> Connects a computer to the domain that you specify. By default, dsquery connects the computer to the domain controller in the logon domain.
dsquery server -desc <Description> Searches for server objects whose description attributes match Description. For example, “jon*”, “*ith”, or “j*th”.
dsquery server -domain <DomainName> Searches for all domain controllers (server objects) that are part of the domain whose Domain Name System (DNS) names you specify in DomainName. Search displays all domain controllers in the current domain by default.
dsquery server -forest Searches for all domain controllers (server objects) that are part of the current forest.
dsquery server -gc Specifies that the search use the Active Directory global catalog.
dsquery server -hasfsmo {schema | name | infr | pdc | rid} Searches for the domain controller (server object) that holds the operations master role that you specify.

infr: Specifies the infrastructure master of the domain that you specify in the -domain parameter or the current domain if you do not specify the -domain parameter.

name: Specifies the domain naming master of the forest.

pdc: Specifies the primary domain controller (PDC) role owner of the domain that you specify in the -domain parameter or the current domain if you do not specify the -domain parameter.

rid: Specifies the relative identifier master (RID master) of the domain that you specify in the -domain parameter or the current domain if you do not specify the -domain parameter.

schema: Specifies the schema master of the forest.

If you do not specify a domain with the -domain parameter, rid uses the current domain.

dsquery server -isgc Searches for all domain controllers (server objects) that are global catalog servers in the scope specified by any of the -forest, -domain, or -site scope parameters. If you specify none of those scope parameters, this parameter finds all global catalogs that are in the current domain.
dsquery server -limit <NumberOfObjects> Specifies the number of objects to return that matches the criteria that you specify. If you specify a value of 0 for NumberOfObjects, this parameter returns all matching objects. If you do not specify this parameter, dsquery displays the first 100 results by default.
dsquery server -name <Name> Searches for server objects whose name attributes (value of CN attribute) match Name. For example, “jon*”, “*ith”, or “j*th”.
dsquery server -o {dn | rdn} Specifies the format that dsquery uses to display the search results. A dn value displays the distinguished name of each entry. An rdn value displays the relative distinguished name of each entry. The default value is dn.
dsquery server -q Suppresses all output to standard output (quiet mode).
dsquery server -r Specifies that the search use recursion or follow referrals during search. By default, the search will not follow referrals during search.
dsquery server -s <Server> Connects a computer to the remote server that you specify. By default, dsquery connects the computer to the domain controller in the logon domain.
dsquery server -site <SiteName> Searches for all domain controllers (server objects) that are part of the site specified.
dsquery server -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsquery server -uc Specifies a Unicode format for input from or output to a pipe (|).
dsquery server -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsquery server -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsquery server /? Displays help at the command prompt.

↑ Up to command list

‘dsquery server’ examples

Find all domain controllers in the current domain:

dsquery server

Find all domain controllers in the forest and then display their relative distinguished names:

dsquery server -o rdn -forest

Find all domain controllers in the site whose names are United States and then display their relative distinguished names:

dsquery server -o rdn -site United States

Find the domain controller in the forest that holds the schema operations master role:

dsquery server –forest –hasfsmo schema

Find all domain controllers in the domain widgets.woodgrovebank.com that are global catalog servers:

dsquery server –domain widgets.woodgrovebank.com -isgc

↑ Up to command list

dsquery site

Finds sites in the directory that match the search criteria that you specify. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.

Default ‘dsquery site’ syntax

dsquery site [-o {dn | rdn}] [-name <Name>] [-desc <Description>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumberOfObjects>] [{-uc | -uco | -uci}]

‘dsquery site’ options

Description

dsquery site -d <domain> Connects a computer to the domain that you specify. By default, dsquery connects the computer to the domain controller in the logon domain.
dsquery site -desc <Description> Searches for sites whose description attributes match Description. For example, “corp*” or “*nch”.
dsquery site -gc Specifies that the search use the Active Directory global catalog.
dsquery site -limit <NumberOfObjects> Specifies the number of objects to return that matches the criteria that you specify. If you specify a value of 0 for NumberOfObjects, this parameter returns all matching objects. If you do not specify this parameter, dsquery displays the first 100 results by default.
dsquery site -name <Name> Searches for sites whose name attributes (value of CN attribute) match Name. For example, “north*”, “*ch”, or “n*ch”.
dsquery site -o {dn | rdn} Specifies the format that dsquery uses to display the search results. A dn value displays the distinguished name of each entry. An rdn value displays the relative distinguished name of each entry. The default value is dn.
dsquery site -q Suppresses all output to standard output (quiet mode).
dsquery site -r Specifies that the search use recursion or follow referrals during search. By default, the search will not follow referrals during search.
dsquery site -s <Server> Connects a computer to the remote server that you specify. By default, dsquery connects the computer to the domain controller in the logon domain.
dsquery site -u <UserName> Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsquery site -uc Specifies a Unicode format for input from or output to a pipe (|).
dsquery site -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsquery site -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsquery site /? Displays help at the command prompt.

↑ Up to command list

dsquery site examples

Find all sites in North America with names that start with “north” and then display their distinguished names:

dsquery site -name north*

List the relative distinguished names of all sites that are defined in the directory:

dsquery site -o rdn

↑ Up to command list

dsquery user

Finds users in the directory who match the search criteria that you specify. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.

Default ‘dsquery user’ syntax

dsquery user [{<StartNode> | forestroot | domainroot}] [-o {dn | rdn | upn | samid}] [-scope {subtree | onelevel | base}] [-name <Name>] [-desc <Description>] [-upn <UPN>] [-samid <SAMName>] [-inactive <NumberOfWeeks>] [-stalepwd <NumberOfDays>] [-disabled] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumberOfObjects>] [{-uc | -uco | -uci}]

‘dsquery user’ options

Description

dsquery user -desc <Description> Searches for users whose description attributes match Description. For example, “jon*”, “*ith”, or “j*th”.
dsquery user -disabled Searches for users who have disabled accounts.
dsquery user -gc Specifies that the search use the Active Directory global catalog.
dsquery user -inactive <NumberOfWeeks> Searches for users who have been inactive (stale) for at least the number of weeks that you specify.
dsquery user -limit <NumberOfObjects> Specifies the number of objects to return that matches the criteria that you specify. If you specify a value of 0 for NumberOfObjects, this parameter returns all matching objects. If you do not specify this parameter, dsquery displays the first 100 results by default.
dsquery user -name <Name> Searches for users whose name attributes match Name. For example, “jon*”, “*ith”, or “j*th”.
dsquery user -o {dn | rdn | upn | samid} Specifies the format in which the list of entries found by the search will be displayed. A dn value displays the distinguished name of each entry. An rdn value displays the relative distinguished name of each entry. A upn value displays the user principal name of each entry. A samid value displays the SAM account name of each entry. By default, the dn format is used.
dsquery user -r Specifies that the search use recursion or follow referrals. By default, the search does not follow referrals during search.
dsquery user -s <Server> Connects a computer to the remote server that you specify. By default, dsquery connects the computer to the domain controller in the logon domain.
dsquery user -samid <SAMName> Searches for users whose SAM account name matches SAMName.
dsquery user -scope {subtree | onelevel | base} Specifies the scope of the search. A subtree value specifies a subtree that is rooted at the start node in the console tree. A onelevel value specifies the immediate children of the start node only. A base value specifies the single object that the start node represents. If you specify forestroot as the start node (StartNode), subtree is the only valid scope. The default value is subtree.
dsquery user -stalepwd <NumberOfDays> Searches for users who have not changed their passwords for at least the number of days that you specify.
dsquery user {<StartNode> | forestroot | domainroot} Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot), domain root (domainroot), or distinguished name of a node as the start node (StartNode). If you specify forestroot, dsquery searches by using the global catalog. The default value is domainroot.
dsquery user -uc Specifies a Unicode format for input from or output to a pipe (|).
dsquery user -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsquery user -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsquery user -upn <UPN> Searches for users whose UPN attribute matches the UPN specified.
dsquery user /? Displays help at the command prompt.

↑ Up to command list

dsquery user examples

Display the UPNs of all users in an organizational unit (OU) that you specify whose names start with “Jon” and whose accounts are disabled for logon:

dsquery user OU=Test,DC=Woodgrovebank,DC=Com -o upn -name jon* -disabled

Display the distinguished names of all users in the current domain only whose names end with “Smith” and who have been inactive for three weeks or more:

dsquery user domainroot -name *smith -inactive 3

Display the UPNs of all users in the OU that you specify in OU=Sales,DC=Woodgrovebank,DC=Com:

dsquery user OU=Sales,DC=Woodgrovebank,DC=Com -o upn
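
The -inactive, -stalepwd and -disabled switches above are the raw material for a periodic stale-account review. The following PowerShell script is an added example, not code from the original post: it runs dsquery user three times and joins the results into one report. It assumes dsquery.exe (from the AD DS tools) is on the PATH, that you are logged on to the domain, and the threshold values are constructed for illustration.

```powershell
# Added example: stale user account report built on 'dsquery user' (not from the original post).
# Assumes dsquery.exe is on the PATH and the session is logged on to the target domain.

function Invoke-DsQueryUser {
    param([string[]]$Arguments)
    # -limit 0 lifts the default 100-result cap; -o dn keeps the output parseable.
    $lines = & dsquery.exe user domainroot -o dn -limit 0 @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dsquery user failed: $($lines -join ' ')" }
    # dsquery prints each distinguished name wrapped in double quotes; strip them.
    $lines | ForEach-Object { $_.ToString().Trim().Trim('"') } | Where-Object { $_ }
}

function Get-StaleUserReport {
    param(
        [int]$InactiveWeeks = 8,       # constructed threshold: weeks without a logon
        [int]$StalePasswordDays = 90   # constructed threshold: days since last password change
    )
    $inactive = @(Invoke-DsQueryUser @('-inactive', $InactiveWeeks))
    $stalePwd = @(Invoke-DsQueryUser @('-stalepwd', $StalePasswordDays))
    $disabled = @(Invoke-DsQueryUser @('-disabled'))

    # Union of the two "stale" sets, one row per account, with the three flags side by side.
    foreach ($dn in ($inactive + $stalePwd | Sort-Object -Unique)) {
        [pscustomobject]@{
            DistinguishedName = $dn
            Inactive          = $inactive -contains $dn
            StalePassword     = $stalePwd -contains $dn
            Disabled          = $disabled -contains $dn
        }
    }
}

# Accounts that are still enabled but both inactive and carrying an old password
# are the ones to review first (disable, then clean up with dsrm once confirmed).
Get-StaleUserReport -InactiveWeeks 8 -StalePasswordDays 90 |
    Where-Object { $_.Inactive -and $_.StalePassword -and -not $_.Disabled } |
    Format-Table -AutoSize
```

Pipe the report to Export-Csv instead of Format-Table to keep a dated record of each review.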

↑ Up to command list

dsquery *

Finds any objects in the directory according to criteria using a Lightweight Directory Access Protocol (LDAP) query.

Default ‘dsquery *’ syntax

dsquery * [{<StartNode> | forestroot | domainroot}] [-scope {subtree | onelevel | base}] [-filter <LDAPFilter>] [-attr {<AttributeList> | *}] [-attrsonly] [-l][{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumberOfObjects>] [{-uc | -uco | -uci}]

‘dsquery *’ options

Description

dsquery * -attr {<AttributeList> | *} Specifies that the semicolon-separated LDAP display names included in AttributeList be displayed for each entry in the result set. If you specify the value of this parameter as a wildcard character (*), this parameter displays all attributes that are present on the object in the result set. In addition, if you specify a *, this parameter uses the default output format (a list), regardless of whether you specify the -l parameter. The default AttributeList is the distinguished name.
dsquery * -attrsonly Specifies to display only the attribute types that are present on the entries in the result set, not their values. The default is to display both the attribute type and the value.
dsquery * -filter <LDAPFilter> Specifies to use an explicit search filter, LDAPFilter, in the LDAP search filter format. For example, a valid search filter is (&(objectCategory=Person)(sn=smith*)). The default value for LDAPFilter is (objectClass=*).
dsquery * -gc Specifies that the search use the Active Directory global catalog.
dsquery * -l Displays entries in a list. By default, dsquery displays entries in a table.
dsquery * -limit <NumberOfObjects> Specifies the number of objects to return that matches the criteria that you specify. If you specify a value of 0 for NumberOfObjects, this parameter returns all matching objects. If you do not specify this parameter, dsquery displays the first 100 results by default.
dsquery * -p {<Password> | *} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsquery prompts you for a password.
dsquery * -q Suppresses all output to standard output (quiet mode).
dsquery * -r Specifies that the search use recursion or follow referrals. By default, the search does not follow referrals during search.
dsquery * -s <Server> Connects a computer to the remote server that you specify. By default, dsquery connects the computer to the domain controller in the logon domain.
dsquery * -scope {subtree | onelevel | base} Specifies the scope of the search. A subtree value specifies a subtree that is rooted at the start node in the console tree. A onelevel value specifies the immediate children of the start node only. A base value specifies the single object that the start node represents. If you specify forestroot as the start node (StartNode), subtree is the only valid scope. The default value is subtree.
dsquery * {<StartNode> | forestroot | domainroot} Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot), domain root (domainroot), or distinguished name of a node as the start node (StartNode). If you specify forestroot, dsquery searches by using the global catalog. The default value is domainroot.
dsquery * -u <UserName> Specifies the user name with which user will log on to the remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsquery * -uc Specifies a Unicode format for input from or output to a pipe (|).
dsquery * -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsquery * -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsquery * /? Displays help at the command prompt.

↑ Up to command list

‘dsquery *’ examples

Display, in table format, the Security Accounts Manager (SAM) account names, user principal names, and departments of all users in the current domain whose SAM account names begin with “Jon”:

dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(sAMAccountName=Jon*))" -attr sAMAccountName userPrincipalName department

Read the SAM account names, user principal names (UPNs), and department attributes of the object whose distinguished name is OU=Test,DC=Woodgrovebank,DC=Com:

dsquery * OU=Test,DC=Woodgrovebank,DC=Com -scope base -attr sAMAccountName userPrincipalName department

Read all attributes of the object whose distinguished name is OU=Test,DC=Woodgrovebank,DC=Com:

dsquery * OU=Test,DC=Woodgrovebank,DC=Com -scope base -attr *

↑ Up to command list

dsrm

Deletes an object of a specific type or any general object from the directory.

Default dsrm syntax

dsrm <ObjectDN> ... [-subtree [-exclude]] [-noprompt] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}][-c][-q][{-uc | -uco | -uci}]

dsrm options

Description

dsrm -c Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not supply this parameter, dsrm exits when the first error occurs.
dsrm -d <Domain> Connects a computer to the domain that you specify. By default, dsrm connects the computer to the domain controller in the logon domain.
dsrm -noprompt Sets the optional silent mode, which prevents prompts that ask you to confirm deletion of each object. By default, dsrm prompts you to confirm each deletion.
dsrm <ObjectDN> Required. Specifies the distinguished names of objects to delete. If no value is entered at the command prompt, the value will be obtained through standard input.
dsrm -p {<Password> | *} Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsrm prompts you for a password.
dsrm -q Suppresses all output to standard output (quiet mode).
dsrm -s <Server> Connects a computer to the remote server that you specify. By default, dsrm connects the computer to the domain controller in the logon domain.
dsrm -subtree [-exclude] Specifies that both the object and all objects contained in the subtree under that object should be deleted. If you specify the -exclude parameter, you must also specify the -subtree parameter. When you specify both parameters, dsrm excludes from deletion the base object that the ObjectDN parameter supplies when it deletes the objects under the subtree. By default, dsrm deletes only the base object specified.
dsrm -u <UserName> Specifies the user name with which user will log on to the remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name: user name (for example, Linda), domain\user name (for example, widgets\Linda), or user principal name (UPN) (for example, Linda@widgets.woodgrovebank.com).
dsrm -uc Specifies a Unicode format for input from or output to a pipe (|).
dsrm -uci Specifies a Unicode format for input from a pipe (|) or a file.
dsrm -uco Specifies a Unicode format for output to a pipe (|) or a file.
dsrm /? Displays help at the command prompt.

↑ Up to command list

dsrm examples

Remove an organizational unit (OU) named Marketing and all the objects under that OU:

dsrm -subtree -noprompt -c OU=Marketing,DC=Woodgrovebank,DC=Com

Remove all objects under an OU named Marketing, but leave the OU intact:

dsrm -subtree -exclude -noprompt -c "OU=Marketing,DC=Woodgrovebank,DC=Com"
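
Because -subtree with -noprompt removes everything beneath the OU without asking, it pays to list what would go before running dsrm. The PowerShell snippet below is an added example, not from the original post: it uses dsquery * with -scope subtree (the same scope dsrm -subtree deletes) as a dry run and only then calls dsrm, leaving dsrm's own confirmation prompt in place. It assumes dsquery.exe and dsrm.exe are on the PATH; the OU distinguished name is the one from the page's example.

```powershell
# Added example: dry run before 'dsrm -subtree' (not from the original post).
# Assumes dsquery.exe and dsrm.exe are on the PATH and the session is logged on to the domain.
$ouDn = 'OU=Marketing,DC=Woodgrovebank,DC=Com'   # OU from the page's dsrm example

# dsquery * with -scope subtree returns the base object plus everything under it,
# which is exactly the set that 'dsrm -subtree' would delete. -limit 0 lifts the 100 cap.
$toDelete = @(& dsquery.exe * $ouDn -scope subtree -limit 0 |
              ForEach-Object { $_.Trim().Trim('"') } |
              Where-Object { $_ })
if ($LASTEXITCODE -ne 0) { throw "dsquery failed for $ouDn" }

"{0} object(s) would be removed under {1}:" -f $toDelete.Count, $ouDn
$toDelete

# Require a deliberate typed confirmation; no -noprompt, so dsrm still asks before deleting.
if ((Read-Host "Type DELETE to remove $ouDn and its subtree") -ceq 'DELETE') {
    & dsrm.exe $ouDn -subtree -c
    if ($LASTEXITCODE -ne 0) { Write-Warning "dsrm reported errors; review the output above." }
} else {
    'Aborted; nothing was deleted.'
}
```

Add -exclude to the dsrm call to keep the OU itself, as in the second example above; the dry-run list then overstates the result by exactly the base object.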

↑ Up to command list

getmac

Returns the media access control (MAC) address and list of network protocols associated with each address for all network cards in each computer, either locally or across a network.

Default getmac syntax

getmac[.exe] [/s <Computer> [/u <Domain\User> [/p <Password>]]] [/fo {TABLE | LIST | CSV}] [/nh] [/v]

getmac options

Description

getmac /fo {TABLE | LIST | CSV} Specifies the format to use for the query output. Valid values are TABLE, LIST, and CSV. The default format for output is TABLE.
getmac /nh Suppresses column header in output. Valid when the /fo parameter is set to TABLE or CSV.
getmac /p <Password> Specifies the password of the user account that is specified in the /u parameter.
getmac /s <Computer> Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.
getmac /u <Domain>\<User> Runs the command with the account permissions of the user specified by User or Domain\User. The default is the permissions of the current logged on user on the computer issuing the command.
getmac /v Specifies that the output display verbose information.
getmac /? Displays the Help message at the command prompt.

↑ Up to command list

getmac examples

getmac /fo table /nh /v

getmac /s srvmain

getmac /s srvmain /u maindom\hiropln

getmac /s srvmain /u maindom\hiropln /p p@ssW23

getmac /s srvmain /u maindom\hiropln /p p@ssW23 /fo list /v

getmac /s srvmain /u maindom\hiropln /p p@ssW23 /fo table /nh

↑ Up to command list

gpfixup

Fix domain name dependencies in Group Policy Objects (GPOs) and Group Policy links after a domain rename operation.

Default gpfixup syntax

gpfixup [/v] [/olddns:<OLDDNSNAME> /newdns:<NEWDNSNAME>] [/oldnb:<OLDFLATNAME> /newnb:<NEWFLATNAME>] [/dc:<DCNAME>] [/sionly] [/user:<USERNAME> [/pwd:{<PASSWORD>|*}]] [/?]

gpfixup options

Description

gpfixup /dc:<DCNAME> Connect to the domain controller named DCNAME (a DNS name or a NetBIOS name). DCNAME must host a writable replica of the domain directory partition as indicated by the DNS name NEWDNSNAME by using /newdns, or by the NetBIOS name NEWFLATNAME by using /newnb.

If this parameter is not used, connect to any domain controller in the renamed domain indicated by NEWDNSNAME or NEWFLATNAME.

gpfixup /newdns:<NEWDNSNAME> Specifies the new DNS name of the renamed domain as NEWDNSNAME when the domain rename operation changes the DNS name of a domain. You can use this parameter only if you also use the /olddns parameter to specify the old domain DNS name.
gpfixup /newnb:<NEWFLATNAME> Specifies the new NetBIOS name of the renamed domain as NEWFLATNAME when the domain rename operation changes the NetBIOS name of a domain. You can use this parameter only if you use the /oldnb parameter to specify the old domain NetBIOS name.
gpfixup /olddns:<OLDDNSNAME> Specifies the old DNS name of the renamed domain as OLDDNSNAME when the domain rename operation changes the DNS name of a domain. You can use this parameter only if you also use the /newdns parameter to specify a new domain DNS name.
gpfixup /oldnb:<OLDFLATNAME> Specifies the old NetBIOS name of the renamed domain as OLDFLATNAME when the domain rename operation changes the NetBIOS name of a domain. You can use this parameter only if you use the /newnb parameter to specify a new domain NetBIOS name.
gpfixup /pwd:{<PASSWORD>|*} Specifies the password for the other security context indicated by using /user. If * is specified instead of a password, you are prompted for a password.
gpfixup /sionly Performs only the Group Policy fix that relates to managed software installation (the Software Installation extension for Group Policy). Skip the actions that fix Group Policy links and the SYSVOL paths in GPOs.
gpfixup /user:<USERNAME> Runs this command in the security context of the user specified, where USERNAME is in the format domain\user. If this parameter is not used, runs this command as the logged in user.
gpfixup /v Displays detailed status messages. If this parameter is not used, only error messages or a summary status message of SUCCESS or FAILURE appears.
gpfixup /? Displays the Help message at the command prompt.

↑ Up to command list

gpfixup examples

This example assumes that you have already performed a domain rename operation in which you changed the DNS name from OldDnsName to NewDnsName, and the NetBIOS name from OldNetBIOSName to NewNetBIOSName. You use the gpfixup command to connect to the domain controller named DcDnsName and repair GPOs and Group Policy links by updating the old domain name embedded in the GPOs and links. Status and error output is saved to a file that is named gpfixup.log.

gpfixup /olddns:OldDnsName /newdns:NewDnsName /oldnb:OldNetBIOSName /newnb:NewNetBIOSName /dc:DcDnsName >gpfixup.log 2>&1

This example is the same as the previous one, except that it assumes the NetBIOS name of the domain was not initially changed during the domain rename operation when OldDnsName was renamed to NewDnsName.

gpfixup /olddns:OldDnsName /newdns:NewDnsName /dc:MyDcDnsName >gpfixup.log 2>&1

↑ Up to command list

gpresult

Displays the Resultant Set of Policy (RSoP) information for a remote user and computer. Gpresult displays the resulting set of policy settings that were enforced on the computer for the specified user when the user logged on. Except when you use /?, you must include an output option, either /r, /v, /z, /x, or /h.

Default gpresult syntax

gpresult [/s <COMPUTER> [/u <USERNAME> [/p [<PASSWORD>]]]] [/user [<TARGETDOMAIN>\]<TARGETUSER>] [/scope {user | computer}] {/r | /v | /z | [/x | /h] <FILENAME> [/f] | /?}

gpresult options

Description

gpresult /f Forces gpresult to overwrite the file name that is specified in the /x or /h option.
gpresult /h <FileName> Saves the report in HTML format at the location and with the file name that is specified by the FILENAME parameter. Cannot be used with /u, /p, /r, /v, or /z.
gpresult /p [<Password>] Specifies the password of the user account that is provided in the /u parameter. If /p is omitted, gpresult prompts for the password. Cannot be used with /x or /h.
gpresult /r Displays RSoP summary data.
gpresult /s <Computer> Specifies the name or IP address of a remote computer. Do not use backslashes. The default is the local computer.
gpresult /scope {user | computer} Displays RSoP data for either the user or the computer. If /scope is omitted, gpresult displays RSoP data for both the user and the computer.
gpresult /u <UserName> Uses the credentials of the specified user to run the command. The default user is the user who is logged on to the computer that issues the command.
gpresult /user [<TargetDomain>\]<TargetUser> Specifies the remote user whose RSoP data is to be displayed.
gpresult /v Displays verbose policy information. This includes detailed settings that were applied with a precedence of 1. Because /v produces lots of information, it is useful to redirect output to a text file (for example, gpresult /v >policy.txt).
gpresult /x <FileName> Saves the report in XML format at the location and with the file name that is specified by the FILENAME parameter. Cannot be used with /u, /p, /r, /v, or /z.
gpresult /z Displays all available information about Group Policy. This includes detailed settings that were applied with a precedence of 1 and higher. Because /z produces lots of information, it is useful to redirect output to a text file (for example, gpresult /z >policy.txt).
gpresult /? Displays Help at the command prompt.

↑ Up to command list

gpresult examples

Retrieve RSoP data for the remote user targetusername of the computer srvmain, and display RSoP data about the user only. The command is run with the credentials of the user maindom\hiropln, and p@ssW23 is entered as the password for that user.

gpresult /s srvmain /u maindom\hiropln /p p@ssW23 /user targetusername /scope user /r

Save all available information about Group Policy for the remote user targetusername of the computer srvmain to a file that is named policy.txt. No data is included about the computer. The command is run with the credentials of the user maindom\hiropln, and p@ssW23 is entered as the password for that user.

gpresult /s srvmain /u maindom\hiropln /p p@ssW23 /user targetusername /z > policy.txt

Display RSoP data for the computer srvmain and the logged-on user. Data is included about both the user and the computer. The command is run with the credentials of the user maindom\hiropln, and p@ssW23 is entered as the password for that user.

gpresult /s srvmain /u maindom\hiropln /p p@ssW23 /r


gpupdate

Updates Group Policy settings.

Default gpupdate syntax

gpupdate [/target:{Computer | User}] [/force] [/wait:<VALUE>] [/logoff] [/boot] [/sync] [/?]

gpupdate options

Description

gpupdate /boot Causes a computer restart after the Group Policy settings are applied. This is required for those Group Policy client-side extensions that do not process policy on a background update cycle but do process policy at computer startup. Examples include computer-targeted Software Installation. This option has no effect if there are no extensions called that require a restart.
gpupdate /force Reapplies all policy settings by forcing a background update of all Group Policy settings, regardless of whether they have changed since the last update. By default, gpupdate without /force only applies settings that have changed.
gpupdate /logoff Causes a logoff after the Group Policy settings are updated. This is required for those Group Policy client-side extensions that do not process policy on a background update cycle but do process policy when a user logs on. Examples include user-targeted Software Installation and Folder Redirection. This option has no effect if there are no extensions called that require a logoff.
gpupdate /sync Causes the next foreground policy application to be done synchronously. Foreground policy is applied at computer boot and user logon. You can specify this for the user, computer, or both, by using the /target parameter. The /force and /wait parameters are ignored if you specify them.
gpupdate /target:{Computer | User} Updates only User or only Computer Group Policy settings.
gpupdate /wait:<VALUE> Sets the number of seconds to wait for policy processing to finish before returning to the command prompt. When the time limit is exceeded, the command prompt appears, but policy processing continues. The default value is 600 seconds. The value 0 means not to wait. The value -1 means to wait indefinitely.

In a script, by using this command with a time limit specified, you can run gpupdate and continue with commands that do not depend upon the completion of gpupdate. Alternatively, you can use this command with no time limit specified to let gpupdate finish running before other commands that depend on it are run.

gpupdate /? Displays Help at the command prompt.


gpupdate examples

Re-apply all computer-specific Group Policy settings, whether or not they have changed since the last update, and have the computer reboot to finish the process:

gpupdate /target:computer /force /boot
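
The /wait and /x parameters described in the gpupdate and gpresult sections are what make these two tools usable from a script. The following PowerShell script is an added example, not code from the original page: it refreshes computer policy with a bounded wait, exports an RSoP report with gpresult /x, and lists which GPOs were applied, denied or invalid. The element names under <Rsop> (ComputerResults/GPO with Name, Enabled, IsValid and AccessDenied children) are my reading of the RSoP XML schema and should be confirmed against a report from your own environment; the report path is a constructed placeholder.

```powershell
# Added example (not from the original page): bounded gpupdate followed by an
# XML RSoP export that is parsed for GPOs that did not land on the host.
param(
    [string]$ReportPath = (Join-Path $env:TEMP 'rsop-computer.xml'),  # constructed
    [int]$WaitSeconds   = 120   # upper bound for gpupdate; 0 = do not wait
)

# 1. Background refresh of computer policy only, waiting at most $WaitSeconds.
#    If the limit is hit, gpupdate returns but policy processing continues.
& gpupdate.exe /target:computer "/wait:$WaitSeconds" | Out-Null

# 2. Export RSoP data for the computer scope as XML. /x cannot be combined
#    with /u, /p, /r, /v or /z; /f overwrites an existing report file.
& gpresult.exe /scope computer /x $ReportPath /f | Out-Null
if (-not (Test-Path $ReportPath)) { throw "gpresult did not write $ReportPath" }

# 3. Parse the report. The document carries a default XML namespace, so it is
#    registered for XPath instead of relying on property navigation.
[xml]$rsop = Get-Content -Path $ReportPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($rsop.NameTable)
$ns.AddNamespace('r', $rsop.DocumentElement.NamespaceURI)

function Get-NodeText {
    # Null-safe text lookup so a missing element yields '' instead of an error.
    param($Node, [string]$XPath)
    $e = $Node.SelectSingleNode($XPath, $ns)
    if ($e) { $e.InnerText } else { '' }
}

# Element names under GPO are assumed from the RSoP schema (see lead-in).
$gpos = foreach ($gpo in $rsop.SelectNodes('//r:ComputerResults/r:GPO', $ns)) {
    [pscustomobject]@{
        Name         = Get-NodeText $gpo 'r:Name'
        Enabled      = Get-NodeText $gpo 'r:Enabled'
        IsValid      = Get-NodeText $gpo 'r:IsValid'
        AccessDenied = Get-NodeText $gpo 'r:AccessDenied'
    }
}

# 4. GPOs that are linked but denied (security or WMI filtering) or invalid
#    are the first thing to check when a hardening baseline does not apply.
$gpos | Format-Table -AutoSize
$gpos | Where-Object { $_.AccessDenied -eq 'true' -or $_.IsValid -ne 'true' } |
    ForEach-Object {
        Write-Warning "GPO '$($_.Name)' not applied (AccessDenied=$($_.AccessDenied), IsValid=$($_.IsValid))"
    }
```

Run it from an elevated prompt on the host being audited; the XML report is a more reliable input for automated baseline checks than the text output of /r, /v or /z, because it does not need to be parsed by column position.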


ipconfig

The ipconfig command is addressed on the Troubleshooting network connectivity commands page.

Ldifde

Creates, modifies, and deletes directory objects. You can also use ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory Domain Services (AD DS) with data from other directory services. More guidance on using Ldifde is available here and here.

Default Ldifde syntax

Ldifde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1> <String2>] [-v] [-j <Path>] [-t <PortNumber>] [-d <BaseDN>] [-r <LDAPFilter>] [-p <Scope>] [-l <LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a <UserDistinguishedName> <Password>] [-b <UserName> <Domain> <Password>] [-?]

Ldifde options

Description

Ldifde -a <UserDistinguishedName> <Password> Sets the command to run using the specified distinguished name and password. By default, the command uses the credentials of the user who is currently logged on to the network.
Ldifde -b <UserName> <Domain> <Password> Sets the command to run using the specified domain and credentials. By default, the command will run using the credentials of the user currently logged on to the network.
Ldifde -c <String1> <String2> Replaces all occurrences of String1 with String2. Generally, you use this parameter when you import data from one domain to another and you must replace the distinguished name of the export domain (String1) with the distinguished name of the import domain (String2).
Ldifde -d <BaseDN> Sets the distinguished name of the search base for data export.
Ldifde -f <FileName> Identifies the import or export file name.
Ldifde -g Omits paged searches.
Ldifde -i Specifies to use the import mode. The default mode is export.
Ldifde -j <Path> Sets the log file location. The default location is the current path.
Ldifde -k Ignores errors during an import operation and continues processing. This parameter ignores all of the following errors:

  • The object is already a member of the group.
  • The operation has an object class violation. This violation means that the specified object class does not exist, if the object being imported has no other attributes.
  • The object already exists.
  • The operation has a constraint violation.
  • The attribute or value already exists.
  • The operation found no such object.
Ldifde -l <LDAPAttributeList> Sets the list of attributes to return in the results of an export query. If you do not specify this parameter, the search returns all attributes.
Ldifde -m Omits attributes that apply only to Active Directory objects, such as the ObjectGUID, objectSID, pwdLastSet and samAccountType attributes.
Ldifde -n Omits the export of binary values.
Ldifde -o <LDAPAttributeList> Sets the list of attributes to omit from the results of an export query (the inverse of -l).
Ldifde -p <Scope> Sets the search scope. The valid search scope options are Base, OneLevel, or SubTree.
Ldifde -r <LDAPFilter> Creates an LDAP search filter for data export. For example, to export all users with a surname that you specify, you can use the following filter:

-r "(&(objectClass=User)(sn=Surname))"

Ldifde -s <ServerName> Specifies the domain controller to perform the import or export operation. By default, Ldifde runs on the domain controller on which Ldifde is installed.
Ldifde -t <PortNumber> Specifies a Lightweight Directory Access Protocol (LDAP) port number. The default LDAP port number is 389. The global catalog port number is 3268.
Ldifde -v Sets verbose mode.


Ldifde examples

Retrieve only the distinguished name, common name, first name, surname, and telephone number for user objects in the woodgrovebank.com domain to a file named ldifde.txt in the c:\ldifde folder:

Ldifde -d dc=woodgrovebank,dc=com -r (objectClass=User) -l distinguishedname,cn,givenname,sn,telephoneNumber -f ldifde.txt

Selectively omit the object creation date and time and the object globally unique identifier (GUID):

Ldifde -d dc=woodgrovebank,dc=com -r (objectClass=User) -o whenCreated,objectGUID -f ldifde.txt

The following example shows an LDAP Data Interchange Format (LDIF) import file format that uses the add value:

dn: CN=SampleUser,DC=DomainName
changetype: add
cn: SampleUser
description: DescriptionOfFile
objectClass: User
sAMAccountName: SampleUser

When you create the LDIF import file to use with the Ldifde command, use a changeType value to define the type of changes that the import file will contain. The following changeType values are valid: add (specifies that new content is contained in the import file), delete (specifies that content has been deleted in the import file), and modify (specifies that existing content has been modified in the import file).
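
To show all three changeType values in one import, here is an added PowerShell example (not from the original page) that builds an LDIF file with add, modify and delete records and hands it to ldifde -i. The domain, OU, domain controller and account names are constructed placeholders; the OU is assumed to exist already.

```powershell
# Added example (not from the original page): generate an LDIF import file
# with add / modify / delete records and import it with ldifde.
$DomainDN   = 'DC=woodgrovebank,DC=com'          # constructed
$UpnSuffix  = 'woodgrovebank.com'
$TargetOU   = "OU=Staff,$DomainDN"              # assumed to exist
$DcName     = 'dc01.woodgrovebank.com'          # placeholder DC
$ImportFile = Join-Path $env:TEMP 'staff-import.ldf'

function New-LdifAddUser {
    # "add" record. A user created without a password is created disabled,
    # which is the safe default: set a password and enable it in a later step.
    # Values with leading spaces or non-ASCII characters must be base64
    # encoded with "::" in LDIF; these constructed values are plain ASCII.
    param([string]$Sam, [string]$Given, [string]$Surname, [string]$Ou)
    @(
        "dn: CN=$Given $Surname,$Ou",
        'changetype: add',
        'objectClass: user',
        "cn: $Given $Surname",
        "givenName: $Given",
        "sn: $Surname",
        "sAMAccountName: $Sam",
        "userPrincipalName: $Sam@$UpnSuffix",
        'description: Created by ldifde import',
        ''    # blank line terminates the record
    )
}

function New-LdifReplaceDescription {
    # "modify" record: one operation per attribute, each closed by a "-" line.
    param([string]$Dn, [string]$Text)
    @(
        "dn: $Dn",
        'changetype: modify',
        'replace: description',
        "description: $Text",
        '-',
        ''
    )
}

function New-LdifDelete {
    # "delete" record: only the DN is needed.
    param([string]$Dn)
    @("dn: $Dn", 'changetype: delete', '')
}

# Assemble the records in the order they should be applied.
$lines = @()
$lines += New-LdifAddUser -Sam 'jdoe' -Given 'Jane' -Surname 'Doe' -Ou $TargetOU
$lines += New-LdifAddUser -Sam 'rroe' -Given 'Richard' -Surname 'Roe' -Ou $TargetOU
$lines += New-LdifReplaceDescription -Dn "CN=Jane Doe,$TargetOU" -Text 'Finance analyst'
$lines += New-LdifDelete -Dn "CN=Old Account,$TargetOU"

# ldifde reads ANSI (or UTF-16 with -u); ASCII is enough for these values.
Set-Content -Path $ImportFile -Value ($lines -join "`r`n") -Encoding Ascii

# Import. -k skips "already exists" style errors and keeps going; -j puts
# ldif.log and ldif.err next to the import file so every rejected record
# can be reviewed afterwards.
& ldifde.exe -i -f $ImportFile -s $DcName -j (Split-Path $ImportFile) -k
if ($LASTEXITCODE -ne 0) {
    Write-Warning "ldifde exited with code $LASTEXITCODE; review ldif.err in $(Split-Path $ImportFile)"
}
```

Review ldif.err after every import rather than relying on the exit code alone: with -k, individual records can be rejected (constraint violations, missing parent OU) while the command still completes.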


netdiag

The netdiag command-line diagnostic tool helps to isolate networking and connectivity problems by performing a series of tests to determine the state of your network client. These tests and the key network status information that they expose give network administrators and support personnel a more direct means of identifying and isolating network problems. Moreover, because this tool does not require parameters or switches to be specified, support personnel and network administrators can focus on analyzing the output rather than on training users how to use the tool.

The netdiag tool gathers static network information and tests the network driver, protocol driver, send/receive capability, and well-known target accessibility. It can be used by network administrators in conjunction with the Scheduler service to generate reports at regularly scheduled intervals.

Default netdiag syntax

netdiag [/q] [/v] [/l] [/debug] [/d:DomainName] [/fix] [/DcAccountEnum] [/test:TestName] [/skip:TestName] [/?]

netdiag options

Description

netdiag /d: <DomainName> Finds a domain controller in the specified domain.
netdiag /DcAccountEnum Enumerates domain controller computer accounts.
netdiag /debug Specifies more verbose output. With this parameter, netdiag takes a few minutes to complete.
netdiag /fix Fixes minor problems.
netdiag /l Sends output to Netdiag.log. This log file is created in the same directory where netdiag.exe was run.
netdiag /q Specifies quiet output (errors only).
netdiag /skip: <TestName> Skips the test specified by TestName (see list of supported tests in the /test rows below). Nonskippable tests will still run.
netdiag /test: <TestName> Runs only the test(s) specified. Nonskippable tests are still run.
netdiag /test: Autonet Automatic Private IP Addressing (APIPA) address test. Tests whether APIPA is in use for the network adapters.
netdiag /test: Bindings Bindings test. Lists all bindings, including interface name, lower module name, upper module name, whether the binding is currently enabled, and the owner of the binding.
netdiag /test: Browser Redirector and Browser test. Lists the protocols bound to the Browser service and the redirector.
netdiag /test: DcList Domain controller list test. Obtains a list of domain controllers for the domain.
netdiag /test: DefGw Default gateway test. Attempts to contact each configured default gateway.
netdiag /test: DNS DNS test. Tests the availability of the configured DNS servers and verifies the current client’s DNS registrations.
netdiag /test: DsGetDc Domain controller discovery test. First finds a generic domain controller from directory service, then finds the primary domain controller. Then, finds a Windows 2000 domain controller (DC). If the tested domain is the primary domain, checks whether the domain GUID stored in Local Security Authority (LSA) is the same as the domain GUID stored in the DC. If not, the test returns a fatal error; if the /fix option is on, DsGetDC tries to fix the GUID in LSA.
netdiag /test: IpConfig IP address configuration test. Enumerates the TCP/IP configuration information for each network adapter.
netdiag /test: IpLoopBk IP address loopback ping test. Pings the IP loopback address of 127.0.0.1 for each adapter.
netdiag /test: IPSec Internet Protocol Security (IPsec) test. Tests whether IPsec is enabled and displays a list of active IPsec policies for the computer.
netdiag /test: IPX IPX test. Lists statistics for the IPX protocol installed on the computer.
netdiag /test: Kerberos Kerberos test. Checks whether the Kerberos package information is up-to-date.
netdiag /test: Ldap Lightweight Directory Access Protocol (LDAP) test. Contacts all available domain controllers and determines which LDAP authentication protocol is in use.
netdiag /test: Member Domain membership test. Checks to confirm details of the primary domain, including computer role, domain name, and domain GUID. Checks to see if NetLogon service is started, adds the primary domain to the domain list, and queries the primary domain security identifier (SID).
netdiag /test: Modem Modem diagnostics test. Lists configuration information for each modem found.
netdiag /test: NbtNm NetBT name test. Similar to the nbtstat -n command. It checks that the workstation service name <00> is equal to the computer name. It also checks that the messenger service name <03>, and server service name <20> are present on all interfaces and that none of these names are in conflict.
netdiag /test: Ndis Netcard queries test. Lists the network adapter configuration details, including the adapter name, configuration, media, globally unique identifier (GUID), and statistics. If this test shows an unresponsive network adapter, the remaining tests are aborted.
netdiag /test: NetBTTransports NetBT transports test. Lists the transport protocols that are bound to NetBT.
netdiag /test: Netstat Netstat information test. Lists protocol statistics and current TCP/IP connections.
netdiag /test: Netware Netware test. Queries the nearest Netware server for current login information.
netdiag /test: Route Routing table test. Lists static routes and whether they are persistent.
netdiag /test: Trust Trust relationship test. Tests trust relationships to the primary domain only if the computer is a member workstation, member server, or a backup domain controller (BDC) that is not the PDC emulator. Checks that the primary domain security identifier (SID) is correct. Contacts an active DC. Connects to the SAM server on the DC. Uses the domain SID to open the domain to verify whether the domain SID is correct. Queries information about the secure channel for the primary domain. If the computer is a BDC, reconnects to the PDC emulator. If the computer is a member workstation or server, sets up a secure channel to each DC on the DC list for this domain.
netdiag /test: WAN Wide Area Network (WAN) configuration test. Lists settings and status on each COM port currently in use.
netdiag /test: WINS Windows Internet Name Service (WINS) service test. Tests the availability of the configured WINS server and the validity of the client registrations.
netdiag /test: Winsock Winsock test. Lists protocols and ports available to the WinSock service.


netdiag examples

Test a domain controller in the specified domain, provide verbose output and perform minor fixes:

netdiag /d:woodgrovebank.com /v /fix

The default tests that the netdiag command will perform are listed in order of processing:

  • Netcard queries test
  • IpConfig test
  • Autoconfiguration test (APIPA)
  • Default gateway test
  • NetBT name test
  • WINS Service test
  • Domain membership test
  • NetBT transports test
  • Autonet address test (APIPA)
  • IP loopback ping test
  • Default gateway test
  • NetBT name test
  • Winsock test
  • DNS test
  • Redir and Browser test
  • DC discovery test
  • DC list test
  • Trust relationship test
  • Kerberos test
  • LDAP test
  • Bindings test
  • WAN configuration test
  • Modem configuration test
  • IP Security test


netdom

Enables administrators to manage Active Directory domains and trust relationships from the command prompt.

You can use netdom to:

  • Join a computer that runs Windows XP Professional, Windows Vista, or Windows 7 to a Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, or Windows NT 4.0 domain.
  • Manage computer accounts for domain member workstations and member servers.
  • Establish and manage one-way or two-way trust relationships between domains. A trust relationship is a defined affiliation between domains that enables pass-through authentication. A one-way trust relationship between two domains means that one domain (the trusting domain) allows users who have accounts on the other domain (the trusted domain), access to its resources. In two-way trusts, each domain treats the users from the trusted (and trusting) domain as its own users.
  • Verify or reset the secure channel for the following configurations: member workstations and servers, backup domain controllers (BDCs) in a Windows NT 4.0 domain, and specific Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or Windows 2000 replicas.

Default netdom syntax

NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>]

NetDom help

netdom add

Adds a workstation or server account to the domain.

Default ‘netdom add’ syntax

netdom add <Computer> {/d: | /domain:} <Domain> [{/ud: | /userd:}[ <Domain>\]<User> {/pd: | /passwordD:}{ <Password>|*}] [{/s: | /server:} <Server>] [/ou: <OUPath>] [/dc] [/help | /?]

‘netdom add’ options

Description

netdom add <Computer> Specifies the name of the computer that you want to add.
netdom add {/d: | /domain:} <Domain> Specifies the domain in which to create the account. If you do not specify this parameter, netdom add will use the domain that the current computer belongs to.
netdom add /dc Specifies that a domain controller’s machine account is to be created. This makes it possible for the computer accounts for new AD DS domain controllers, and new Windows NT 4.0 backup domain controllers (BDCs) to be pre-created. If installing a new Windows NT 4.0 BDC into an existing Windows 2000 or Windows Server 2003 domain, the computer account must be pre-created. This parameter cannot be used with the /ou parameter.
netdom add {/help | /?} Displays help at the command prompt.
netdom add /ou: <OUPath> Specifies the organizational unit (OU) under which to create the account. You must use the full RFC 1779 distinguished name of the OU. If you do not specify this parameter, netdom add creates the account under the default OU for computer objects for that domain.
netdom add {/pd: | /passwordD:}{ <Password>|*} Specifies the password of the user account that you specify in the /ud or /userd parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.
netdom add {/s: | /server:} <Server> Specifies the name of a domain controller that performs the add operation.
netdom add {/ud: | /userd:}[<Domain>\]<User> Specifies the user account that makes the connection with the domain that you specify in the /d or /domain parameter. If you do not specify this parameter, netdom add uses the current user account.


‘netdom add’ examples

Pre-create the computer account for the workstation mywksta in the Windows Server 2003 domain devgroup.example.com, in the OU Dsys/Workstations:

netdom add mywksta /d:devgroup.example.com /OU:OU=Dsys,OU=Workstations,DC=devgroup,DC=example,DC=com


netdom computername

Manages the primary and alternate names for a computer. This command can safely rename Active Directory domain controllers as well as member servers.

Default ‘netdom computername’ syntax

netdom computername <Computer> [/usero:<User> [/passwordo:{<Password>|*}]] [/userd:<User> [/passwordd:{<Password>|*}]] {/add:<NewAltDNSName> | /remove:<AltDNSName> | /makeprimary:<ComputerDNSName> | /enumerate[:{ALTERNATENAMES | PRIMARYNAME | ALLNAMES}] | /verify | {/help | /?}}

‘netdom computername’ options

Description

netdom computername /add:<NewAltDNSName> Specifies to create a new alternate name. You must specify a fully qualified domain name, which is the computer name followed by the primary Domain Name System (DNS) suffix, such as comp1.example.com.
netdom computername <Computer> Specifies the name of the computer whose primary or alternate names you want to manage.
netdom computername /enumerate[:{ALTERNATENAMES | PRIMARYNAME | ALLNAMES}] Lists the primary name or any alternate names. ALTERNATENAMES lists the alternate names only, PRIMARYNAME (default) lists the primary name only, and ALLNAMES lists the primary and any alternate names.
netdom computername {/help | /?} Displays help at the command prompt.
netdom computername /makeprimary:<ComputerDNSName> Specifies to make an existing alternate name into the primary name. You must specify a fully qualified domain name, which is the computer name followed by the primary DNS suffix, such as comp1.example.com.
netdom computername /passwordD:[<Password> | *] Specifies the password that you want to use for the Destination domain. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.
netdom computername /passwordO:[<Password> | *] Specifies the password that you want to use for the Originating domain. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.
netdom computername /remove:<AltDNSName> Specifies to delete an existing alternate name. You must specify a fully qualified domain name, which is the computer name followed by the primary DNS suffix, such as comp1.example.com.
netdom computername /userD:[<Domain>\]<UserName> Specifies the user account that you want to use for the destination domain.
netdom computername /userO:[<Domain>\]<UserName> Specifies the user account that you want to use for the originating domain.
netdom computername /verify Checks if there is a DNS record and a service principal name (SPN) for each computer name.


‘netdom computername’ examples

Add an alternate name for the domain controller DC in the example.com domain:

netdom computername dc /add:altDC.example.com

Rename the domain controller DC to altDC in the example.com domain:

netdom computername dc /makeprimary:altdc.example.com


netdom join

Joins a workstation or member server to a domain. The act of joining a computer to a domain creates an account for the computer on the domain, if it does not already exist.

Default ‘netdom join’ syntax

netdom join <Computer> {/d: | /domain:}<Domain> [/ou:<OUPath>] [{/ud: | /userd:}[<Domain>\]<User> [{/pd: | /passwordd:}{<Password>|*}]] [{/uo: | /usero:}<User> [{/po: | /passwordo:}{<Password>|*}]] [/reboot[:<Delay>]] [/help | /?]

‘netdom join’ options

Description

netdom join <Computer> Specifies the name of the computer that you want to join to the domain.
netdom join {/d: | /domain:}<Domain> Specifies the domain that you want to join the computer to. If you do not specify this parameter, then netdom join uses the domain to which the current computer belongs.
netdom join {/help | /?} Displays help at the command prompt.
netdom join /ou:<OUPath> Specifies the organizational unit (OU) under which you want to create the account. You must specify the full RFC 1779 distinguished name of the OU. If you do not specify this parameter, netdom join creates the account under the default OU for computer objects for that domain.
netdom join {/pd: | /passwordD:}{<Password>|*} Specifies the password of the user account that you specify in the /ud or /userd parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.
netdom join {/po: | /passwordO:}{<Password>|*} Specifies the password of the user account that you specify in the /uo or /usero parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.
netdom join /reboot[:<Delay>] Specifies to shut down the computer and automatically reboot after the join operation has completed. The Delay value is the number of seconds before automatic shutdown occurs. The default delay value is 20 seconds.
netdom join {/ud: | /userD:}[<Domain>\]<User> Specifies the user account that makes the connection with the domain that you specify in the /d or /domain parameter. If you do not specify this parameter, netdom join uses the current user account.
netdom join {/uo: | /userO:}<User> Specifies the user account that makes the connection with the computer that you want to join to the domain. If you do not specify this parameter, netdom join uses the current user account.


‘netdom join’ examples

Join mywksta to the devgroup.woodgrovebank.com domain in the Dsys/workstations OU:

netdom join /d:devgroup.woodgrovebank.com mywksta /OU:OU=Dsys,OU=Workstations,DC=devgroup,DC=woodgrovebank,DC=com
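
The /pd:* and /po:* forms of the password parameters matter in practice: a password given inline is visible in process listings, shell history and command-line auditing, while the wildcard makes netdom prompt for it. The following PowerShell script is an added example, not code from the original page; it joins the local computer into a specific OU with netdom join and a prompted password, with the built-in Add-Computer cmdlet as an alternative that takes a PSCredential. The domain, OU and join account are constructed placeholders, and the join account is assumed to be a dedicated account delegated the right to create computer objects in that OU rather than a Domain Admin.

```powershell
# Added example (not from the original page): domain join into a target OU
# without putting the join account's password on the command line.
param(
    [string]$Domain      = 'devgroup.woodgrovebank.com',                                 # constructed
    [string]$OUPath      = 'OU=Dsys,OU=Workstations,DC=devgroup,DC=woodgrovebank,DC=com', # constructed
    [string]$JoinAccount = 'devgroup\joinsvc',   # placeholder delegated join account
    [int]$RebootDelay    = 30,                   # seconds before the automatic reboot
    [switch]$UseAddComputer                      # use the cmdlet instead of netdom.exe
)

if ($UseAddComputer) {
    # Same operation through the built-in cmdlet. The password lives in a
    # PSCredential object and never appears in the process command line.
    $cred = Get-Credential -UserName $JoinAccount -Message "Account permitted to join $Domain"
    Add-Computer -DomainName $Domain -OUPath $OUPath -Credential $cred -Restart -Force
    return
}

# netdom.exe (from the AD DS tools) must be present on the machine being joined.
# With /pd:* netdom reads the password from the console, so a process listing
# or command-line audit record only ever shows the asterisk.
$netdomArgs = @(
    'join', $env:COMPUTERNAME,
    "/d:$Domain",
    "/ou:$OUPath",
    "/ud:$JoinAccount",
    '/pd:*',
    "/reboot:$RebootDelay"
)
& netdom.exe @netdomArgs
if ($LASTEXITCODE -ne 0) {
    throw "netdom join failed with exit code $LASTEXITCODE"
}
```

Pre-creating the account with netdom add in the target OU and then joining with a low-privilege account is the usual way to keep Domain Admin credentials off workstations during provisioning.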


netdom move

Moves a workstation or member server to a new domain. The act of moving a computer to a new domain creates an account for the computer on the domain, if it does not already exist.

Default ‘netdom move’ syntax

netdom move <Computer> {/d: | /domain:}<Domain> [/ou:<OUPath>] [{/ud: | /userd:}[<Domain>\]<User> [{/pd: | /passwordd:}{<Password>|*}]] [{/uo: | /usero:}[<Domain>\]<User> [{/po: | /passwordo:}{<Password>|*}]] [{/uf: | /userf:}[<Domain>\]<User> [{/pf: | /passwordf:}{<Password>|*}]] [/reboot[:<Delay>]] [{/help | /?}]

‘netdom move’ options

Description

netdom move <Computer> Specifies the name of the computer that you want to move.
netdom move {/d: | /domain:}<Domain> Specifies the domain to which you want to move the account. If you do not specify the parameter, then netdom move uses the domain to which the current computer belongs.
netdom move {/help | /?} Displays help at the command prompt.
netdom move /ou:<OUPath> Specifies the organizational unit (OU) under which to create the account. This must be the full RFC 1779 distinguished name of the OU. If you do not specify this parameter, netdom move creates the account under the default OU for computer objects for that domain.
netdom move {/pd: | /passwordD:}{<Password>|*} Specifies the password of the user account that you specify in the /ud or /userd parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.
netdom move {/po: | /passwordO:}{<Password>|*} Specifies the password of the user account that you specify in the /uo or /usero parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.
netdom move /reboot[:<Delay>] Specifies to shut down and automatically restart the computer after the move has completed. The delay value is the number of seconds before automatic shutdown occurs. The default delay value is 20 seconds.
netdom move {/ud: | /userd:}[<Domain>\]<User> Specifies the user account that makes the connection with the domain that you specify in the /d or /domain parameter. If you do not specify this parameter, netdom move uses the current user account.
netdom move {/uf: | /userf:}<User> Specifies the user account to make the connection with the computer’s former domain (of which the computer had been a member prior to the move). This parameter is used to disable the old computer account.
netdom move {/uo: | /usero:}<User> Specifies the user account to make the connection with the computer that you want to move. If you do not specify this parameter, netdom move uses the current user account.


‘netdom move’ examples

Move mywksta from its current domain into the ‘mydomain’ domain:

netdom move /d:mydomain mywksta /ud:mydomain\admin /pd:password


netdom movent4bdc

Renames a Windows NT 4.0 backup domain controller to reflect a domain name change. This can assist in Windows NT 4.0 domain renaming efforts.

Default ‘netdom movent4bdc’ syntax

netdom movent4bdc <Computer> [{/d: | /domain:}<Domain>] [/reboot[:<Delay>]] [{/help | /?}]

‘netdom movent4bdc’ options

Description

netdom movent4bdc <Computer> Specifies the name of the backup domain controller that you want to rename.
netdom movent4bdc {/d: | /domain:}<Domain> Specifies the new name of the domain.
netdom movent4bdc {/help | /?} Displays help at the command prompt.
netdom movent4bdc /reboot[:<Delay>] Specifies to shut down and automatically restart the computer after the rename operation completes. The delay value is the number of seconds before automatic shutdown occurs. The default delay value is 20 seconds.


‘netdom movent4bdc’ examples

Rename the Windows NT 4.0 backup domain controller myBDC so that it reflects the new domain name WoodGroveBank:

netdom movent4bdc mybdc /domain:WoodGroveBank


netdom query

Queries the domain for information such as membership and trust. You can use netdom query with the /verify and /reset parameters to perform the verify and reset operations together. You can pipe the output of the netdom query to the netdom verify or netdom reset operations.

Default ‘netdom query’ syntax

netdom query {/d: | /domain:}<Domain> [{/s: | /server:}<Server>] [{/ud: | /userd:}[<Domain>\]<User> {/pd: | /passwordd:}{<Password>|*}] [/verify] [/reset] [/direct] {WORKSTATION|SERVER|DC|OU|PDC|FSMO|TRUST} [{/help | /?}]

‘netdom query’ options

Description

netdom query {/d: | /domain:}<Domain> Specifies the domain to query for the information. If you do not specify this parameter, then netdom query uses the domain to which the current computer belongs.
netdom query /direct Indicates that the query for trust relationships returns only direct trust relationships, rather than direct and indirect relationships. This parameter is valid only when you specify Domain in the /d parameter.
netdom query {/help | /?} Displays help at the command prompt.
netdom query {/pd: | /passwordD:}{<Password>|*} Specifies the password of the user account that you specify in the /ud or /userd parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.
netdom query /reset Specifies resynchronization of the secure channel secrets for all enumerated memberships or trusts that are currently broken. The /reset parameter implies the /verify parameter. Unless the user is an enterprise-level administrator, the user might not be able to reset all enumerated trusts or memberships.
netdom query {/s: | /server:}<Server> Specifies the name of the domain controller that performs the query.
netdom query {/ud: | /userd:}[<Domain>\]<User> Specifies the user account that makes the connection with the domain that you specify in the /d or /domain parameter. If you do not specify this parameter, netdom query uses the current user account.
netdom query /verify Specifies verification of the secure channel secrets for all enumerated memberships or trusts, and then displays them. Only users who are enterprise-level administrators can verify all secure channel secrets.
netdom query {WORKSTATION|SERVER|DC|OU|PDC|FSMO|TRUST} Specifies the type of list to generate. Valid options are:

  • WORKSTATION: Queries the domain for the list of workstations.
  • SERVER: Queries the domain for the list of servers.
  • DC: Queries the domain for the list of domain controllers.
  • OU: Queries the domain for the list of OUs under which the user that you specify can create a computer object.
  • PDC: Queries the domain for the current primary domain controller.
  • FSMO: Queries the domain for the current list of operations master role holders. These role holders are also known as flexible single master operations (FSMO).
  • TRUST: Queries the domain for the list of its trusts.


‘netdom query’ examples

List all the workstations in the domain NorthAmerica:

netdom query /d:Northamerica WORKSTATION

List all the domain controllers in the domain NorthAmerica:

netdom query /d:Northamerica DC

List all the OUs in devgroup.example.com:

netdom query /d:devgroup.example.com OU

List the PDC for NorthAmerica:

netdom query /d:Northamerica PDC

List the current PDC emulator for devgroup.example.com:

netdom query /d:devgroup.example.com FSMO

List all servers and verify secure channel secret:

netdom query /d:Northamerica SERVER /verify

List all workstations and reset any unsynchronized secure channel secrets:

netdom query /d:Northamerica WORKSTATION /reset

List all the direct trust relationships for the domain NorthAmerica:

netdom query /d:Northamerica /Ud:Northamerica\admin TRUST /Direct

List all the direct and indirect trust relationships for the domain NorthAmerica:

netdom query /d:Northamerica /Ud:Northamerica\admin TRUST

List all trust relationships and check their status:

netdom query /d:devgroup.example.com TRUST /verify
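
The /verify and /reset examples work on every membership the query enumerates at once. When you want the same check host by host, with a record of what was found before anything is reset, the following PowerShell script is an added example (not code from the original page) that uses the built-in Test-ComputerSecureChannel cmdlet as the per-host equivalent of "netdom query ... /verify" and "/reset". The host names, domain name and log path are constructed placeholders, and repair is off unless the -Repair switch is given.

```powershell
# Added example (not from the original page): verify the secure channel of a
# list of domain members, log the result, and repair only on request.
param(
    [string[]]$Computers = @('fs01', 'app02', 'wks-1234'),   # constructed list
    [string]$Domain      = 'northamerica.example.com',       # placeholder
    [switch]$Repair,                                         # default: report only
    [string]$LogPath     = (Join-Path $env:TEMP 'secure-channel-check.csv')
)

function Test-MemberSecureChannel {
    # The check has to run on the member itself: the cmdlet validates that
    # host's own machine-account password against a domain controller.
    # Returns one record per host so the caller decides what to do next.
    param([string]$Computer, [bool]$DoRepair)
    try {
        $ok = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ArgumentList $DoRepair -ScriptBlock {
            param($fix)
            if (Test-ComputerSecureChannel) { return $true }
            # -Repair resets the computer account password on both sides,
            # which is what "netdom query ... /reset" does for the whole list.
            if ($fix) { return [bool](Test-ComputerSecureChannel -Repair) }
            return $false
        }
        $status = if ($ok) { 'OK' } else { 'BROKEN' }
    } catch {
        # A host whose channel is broken frequently cannot accept domain
        # credentials over WinRM at all, so "unreachable" is itself a finding
        # that needs a local logon to resolve.
        $status = "UNREACHABLE: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Computer = $Computer
        Domain   = $Domain
        Status   = $status
        Checked  = (Get-Date).ToString('s')
    }
}

$results = foreach ($c in $Computers) {
    Test-MemberSecureChannel -Computer $c -DoRepair $Repair.IsPresent
}

# Keep an append-only record: a machine whose channel breaks repeatedly is
# worth investigating (cloned image, duplicate account, password reset by
# someone else) rather than just resetting again.
$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
$results | Format-Table -AutoSize
$results | Where-Object { $_.Status -ne 'OK' } | ForEach-Object {
    Write-Warning "$($_.Computer): $($_.Status)"
}
```

Run it with an account that is allowed to reset computer account passwords in the domain; as the netdom query description notes, a non-enterprise administrator may not be able to reset every membership it enumerates.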


netdom remove

Removes a workstation or server from the domain.

Default ‘netdom remove’ syntax

netdom remove <Computer> {/d: | /domain:}<Domain> [{/ud: | /userd:}[<Domain>\]<User> [{/pd: | /passwordd:}{<Password>|*}]] [{/uo: | /usero:}<User> [{/po: | /passwordo:}{<Password>|*}]] [/reboot[:<Delay>]] [{/help | /?}]

‘netdom remove’ options

Description

netdom remove <Computer> Specifies the name of the computer that you want to remove.
netdom remove {/d: | /domain:}<Domain> Specifies the domain from which you want to remove the computer. If you do not specify this parameter, then netdom remove uses the domain that the current computer belongs to.
netdom remove {/pd: | /passwordD}{<Password>|*} Specifies the password of the user account that you specify in the /ud or /userd parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.
netdom remove {/po: |/passwordO}{<Password>|*} Specifies the password of the user account that you specify in the /uo or /usero parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.
netdom remove /reboot[:<Delay>] Specifies to shut down and automatically restart the computer after the remove operation completes. The delay value is the number of seconds before automatic shutdown occurs. The default delay value is 20 seconds.
netdom remove {/ud: | /userd:}[ <Domain>\]<User> Specifies the user account that makes the connection with the domain that you specify in the /d or /domain parameter. If you do not specify this parameter, then netdom remove uses the current user account.
netdom remove {/uo: | /usero}<User> Specifies the user account to make the connection with the computer that you want to remove. If you do not specify this parameter, then netdom remove uses the current user account.


↑ Up to command list

‘netdom remove’ examples

Remove mywksta from the mydomain domain and make the workstation a part of a workgroup:

netdom remove /d:mydomain mywksta /ud:mydomain\admin /pd:password

↑ Up to command list

netdom renamecomputer

Renames a domain computer and its corresponding domain account. Use this command to rename domain workstations and member servers only. To rename domain controllers, use the netdom computername command (renaming a DC with renamecomputer may cause the DC to no longer function as a domain controller on the network).

Default ‘netdom renamecomputer’ syntax

netdom renamecomputer <Computer> /newname:<NewComputerName> /userd:[<Domain>\]<UserName> [/passwordd:[<Password> | *]] /usero:[<Domain>\]<UserName> [/passwordo:[<Password> | *]] [/reboot[:<Delay>]] [{/help | /?}]

‘netdom renamecomputer’ options

Description

netdom renamecomputer <Computer> Specifies the name of the computer that you want to rename.
netdom renamecomputer /force[:<Delay>] Bypasses the prompt for confirmation.
netdom renamecomputer {/help | /?} Displays help at the command prompt.
netdom renamecomputer /newname:<NewComputerName> Specifies the new name of the computer.
netdom renamecomputer /passwordD:[<password> | *] Specifies the password of the user account that you specify in the /ud or /userd parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.
netdom renamecomputer /passwordO:[<password>| *] Specifies the password of the user account that you specify for the /uo or /usero parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.
netdom renamecomputer /reboot[:<Delay>] Specifies to shut down and automatically restart the computer after the rename operation completes. The delay value is the number of seconds before automatic shutdown occurs. The default delay value is 20 seconds.
netdom renamecomputer /userd:[<Domain>\]<UserName> Specifies the user account that you want to use for the destination domain.
netdom renamecomputer /usero:[<domain>\]<UserName> Specifies the user account that you want to use for the originating domain.


↑ Up to command list

‘netdom renamecomputer’ examples

Rename a member server ‘member’ to ‘member1’:

netdom renamecomputer member /newname:member1.contoso.com /userd:administrator

↑ Up to command list

netdom reset

Resets the secure connection between a workstation and a domain controller.

Default ‘netdom reset’ syntax

netdom reset <Computer> {/d: | /domain:}<Domain> [{/s: | /server:}<Server>] [{/uo: | /usero:}<User> {/po: | /passwordo}{<Password>|*}] [{/help | /?}]

‘netdom reset’ options

Description

netdom reset <Computer> Specifies the name of the computer whose secure connection you want to reset.
netdom reset {/d: | /domain:}<Domain> Specifies the domain with which to establish the secure connection. If you do not specify this parameter, then netdom reset uses the domain to which the current computer belongs.
netdom reset {/help | /?} Displays help at the command prompt.
netdom reset {/po: | /passwordO}{<Password>|*} Specifies the password of the user account that you specify in the /uo or /usero parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.
netdom reset {/s: | /server:}<Server> Specifies the domain controller to use to establish the secure connection.
netdom reset {/uo: | /userO:}<User> Specifies the user account to use to make the secure connection with the computer that you want to reset. If you do not specify this parameter, then netdom reset uses the current user account.


↑ Up to command list

‘netdom reset’ examples

Reset the secure channel secret that is maintained between mywksta and devgroup.woodgrovebank.com (regardless of OU):

netdom reset /d:devgroup.woodgrovebank.com mywksta

Reset the secure channel between the Windows NT 4.0 primary domain controller (PDC) for NorthAmerica and the backup domain controller NABDC:

netdom reset /d:NorthAmerica NABDC

Force a secure channel session between a member server and a specific domain controller:

netdom reset /d:devgroup.woodgrovebank.com mywksta /Server:mylocalbdc

↑ Up to command list

netdom resetpwd

Resets the computer account password for a domain controller.

Default ‘netdom resetpwd’ syntax

netdom resetpwd {/s: | /server:}<Server> {/ud: | /userd:}[<Domain>\]<User> [{/pd: | /passwordd:}{<Password>|*}] [{/help | /?}]

‘netdom resetpwd’ options

Description

netdom resetpwd {/help | /?} Displays help at the command prompt.
netdom resetpwd {/pd: | /passwordd:}{<Password>|*} Specifies the password of the user account that you specify in the /ud parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.
netdom resetpwd {/s: | /server:}<Server> Specifies the domain controller to use to set the computer account password.
netdom resetpwd {/ud: | /userd:}[<Domain>\]<User> Specifies the user account to use to make the secure connection with the domain that you specify in the /s parameter. You must specify the user account in the Domain\User format. If you do not specify this parameter, then netdom resetpwd uses the current user account.


↑ Up to command list

‘netdom resetpwd’ examples

netdom resetpwd /server:Replication_Partner_Server_Name /userd:domainname\administrator_id /passwordd:*

↑ Up to command list

netdom trust

Establishes, verifies, or resets a trust relationship between domains (cannot be used to create a forest trust between two AD DS forests; to create a cross forest trust between two AD DS forests, you can either use a scripting solution or the Active Directory Domains and Trusts snap-in).

Default ‘netdom trust’ syntax

netdom trust <TrustingDomainName> {/d: | /domain:} <TrustedDomainName> [{/ud: | /userd:}[<Domain>\]<User> [{/pd: | /passwordd:}{<Password>|*}] [{/uo: | /usero:}<User>] [{/po: | /passwordo:}{<Password>|*}] [/verify] [/reset] [/passwordt:<NewRealmTrustPassword>] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]] [/oneside:{TRUSTED | TRUSTING}] [/force] [/quarantine[:{YES | NO}]] [/namesuffixes:<TrustName> [/togglesuffix:#]] [/EnableSIDHistory] [/ForestTRANsitive] [/SelectiveAUTH][/AddTLN][/AddTLNEX][/RemoveTLN] [/RemoveTLNEX][{/help | /?}]

‘netdom trust’ options

Description

netdom trust /add Specifies to create a trust.
netdom trust /AddTLN Adds the specified top level name (DNS name suffix) to the forest trust info for the specified trust. Valid only for a forest transitive non-Windows realm trust and can only be performed on the root domain for a forest. Refer to the /NameSuffixes operation for a list of name suffixes.
netdom trust /AddTLNEX Adds the specified top level name exclusion(DNS name suffix) to the forest trust info for the specified trust. Valid only for a forest transitive non-Windows realm trust and can only be performed on the root domain for a forest. Refer to the /NameSuffixes operation for a list of name suffixes.
netdom trust {/d: | /domain:}<TrustedDomainName> Specifies the name of the trusted domain. If you do not specify this parameter, then netdom trust uses the domain to which the current computer belongs. When used with the netdom trust operation, the /d: parameter always refers to the trusted domain.
netdom trust /EnableSIDhistory Specifying yes allows users who migrate to the trusted forest from any other forest to use SID history to access resources in this forest. Valid only for an outbound forest trust. Note: allow migrated users to use SID history only if you can trust the trusted forest administrators to specify SIDs of this forest in the SID history attribute of their users appropriately. Specifying no disables the ability of the migrated users in the trusted forest to use SID history to access resources in this forest. Specifying /EnableSIDHistory without yes or no displays the current state.

netdom trust /force Removes from the forest both the trusted domain object and the cross-reference object for the domain that you specify. You use this parameter to clean up decommissioned domains that you no longer use and that you cannot remove by using the Active Directory Installation Wizard. This problem can occur if the domain controller for a decommissioned domain is disabled or damaged and there are no additional domain controllers, or if you cannot recover a decommissioned domain controller from backup media. This parameter is valid only if you specify the /remove parameter.
netdom trust /ForestTRANsitive Specifying yes marks this trust as forest transitive. Specifying no marks this trust as not forest transitive. Specifying /ForestTRANsitive without yes or no will display the current state of this trust attribute. Valid only for non-Windows realm trusts and can only be performed on the root domain for a forest.
netdom trust {/help | /?} Displays help at the command prompt.
netdom trust /kerberos Specifies to exercise the Kerberos protocol between a workstation and a destination domain. This parameter is valid only if you specify the /verify parameter.
netdom trust /namesuffixes:<TrustName> Lists the routed name suffixes for TrustName on the domain that TrustingDomainName names. You can use the /usero and /passwordo parameters for authentication. The /domain parameter is not required.
netdom trust /oneside:{TRUSTED| TRUSTING} Specifies to create or remove the trust object on only one domain. TRUSTED specifies to create or remove the trust object on the trusted domain that you specify in the /d or /domain parameter. TRUSTING specifies to create or remove the trust object on the trusting domain. This value is valid only if you specify the /add or /remove parameter. The /passwordt parameter is required when you use the /add or /remove parameter.
netdom trust /passwordT:<NewRealmTrustPassword> Specifies a new trust password. This parameter is valid only if you specify the /add parameter, and only if one of the domains that you specify is a non-Windows, Kerberos realm. You set the trust password on the Windows domain only, which means that you do not need credentials for the non-Windows domain.
netdom trust /pd:{<Password>|*} Specifies the password of the user account that you specify in the /ud or /userD: parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.
netdom trust {/po: | /passwordO:}{<Password>|*} Specifies the password of the user account that you specify in the /uo or /usero parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.
netdom trust /quarantine[:{YES | NO}] Sets or clears the domain quarantine attribute. If you do not specify a value for this parameter, then netdom trust displays the current quarantine state. YES specifies to accept only security identifiers (SIDs) from the directly-trusted domain for authorization data that netdom trust returns during authentication. Netdom trust removes SIDS from any other domains. NO specifies to accept any SID for authorization data that netdom trust returns during authentication. This is the default value.
netdom trust /realm Specifies to create the trust for a non-Windows, Kerberos realm. This parameter is valid only if you specify the /add and /passwordt parameters.
netdom trust /remove Specifies to break a trust.
netdom trust /RemoveTLN Removes the specified top level name (DNS name suffix) from the forest trust info from the specified trust. Valid only for a forest transitive non-Windows realm trust and can only be performed on the root domain for a forest. Refer to the /NameSuffixes operation for a list of name suffixes.
netdom trust /RemoveTLNEX Removes the specified top level name exclusion (DNS Name Suffix) from the forest trust info from the specified trust. Valid only for a forest transitive non-Windows realm trust and can only be performed on the root domain for a forest. Refer to the /NameSuffixes operation for a list of name suffixes.
netdom trust /reset Resets the trust secret between trusted domains or between the domain controller and the workstation. The /reset parameter synchronizes the appropriate shared secrets if they are not already synchronized.
netdom trust /SelectiveAUTH Specifying no disables selective authentication across this trust. Specifying /SelectiveAUTH without yes or no displays the current state of this trust attribute. Specifying yes enables selective authentication across this trust. Valid only on outbound forest and external trusts.
netdom trust /togglesuffix:# Changes the status of a name suffix. Used with the /namesuffixes parameter. The number of the name entry specified by the /namesuffixes parameter must be provided to indicate which name will have its status changed. Names that are in conflict cannot have their status changed until the name in the conflicting trust is disabled. Always precede this command with the /namesuffixes parameter because LSA will not always return the names in the same order.
netdom trust /transitive[:{YES|NO}] Specifies to set either a transitive or non-transitive trust. This parameter is valid only for a non-Windows, Kerberos realm. Netdom trust creates non-Windows, Kerberos trusts that are non-transitive. If you do not specify a value for this parameter, then netdom trust displays the current transitivity state. The following list shows the values that you can specify. YES sets the realm to a transitive trust. NO sets the realm to a non-transitive trust.

A trust relationship is a defined affiliation between domains that enables pass-through authentication. A one-way trust relationship between two domains means that one domain (the trusting domain) allows users who have accounts on the other domain (the trusted domain), access to its resources. In two-way trusts, each domain treats the users from the trusted (and trusting) domain as its own users.

netdom trust <TrustingDomainName> Specifies the name of the trusting domain.
netdom trust /twoway Specifies to establish a two-way trust relationship rather than a one-way trust relationship.
netdom trust {/ud: | /userD:}[<Domain>\]<User> Specifies the user account to use to make the connection with the domain that you specify in the /d or /domain parameter. If you do not specify this parameter, then netdom trust uses the current user account.
netdom trust {/uo: | /userO:}<User> Specifies the user account to use to make the connection with the trusting domain. If you do not specify this parameter, then netdom trust uses the current user account.
netdom trust /verify Verifies the secure channel secrets upon which a specific trust relationship is based. When you use the netdom trust operation with the /verify /kerberos parameters, the trust operation searches for a session ticket for the Kerberos Admin service in the target domain. If the search operation is successful, you can conclude that all Kerberos operations, such as KDC referrals, operate correctly between the workstation and the target domain. You cannot run this trust operation from a remote location. You must run the operation on the workstation that you want to test.


↑ Up to command list

‘netdom trust’ examples

Allow migrated users to use SID history across an outbound forest trust (see the /EnableSIDHistory note above):

Netdom trust TrustingDomainName /domain: TrustedDomainName /enablesidhistory:Yes /usero:domainadministratorAcct /passwordo:domainadminpwd

Specify a two-way trust:

netdom trust /d:marketing.woodgrovebank.com engineering.woodgrovebank.com /add /twoway /Uo:admin@engineering.woodgrovebank.com /Ud:admin@marketing.woodgrovebank.com

Establish a one-way trust where domain NorthAmerica trusts the non-Windows, Kerberos realm ATHENA (The /d parameter specifies the trusted domain and the /realm parameter indicates that this is a non-Windows, Kerberos realm. The order of the domains is not important):

netdom trust /d:ATHENA NorthAmerica /add /PT:password /realm

Set the Kerberos realm ATHENA to trust the NorthAmerica domain:

netdom trust /d:Northamerica ATHENA /add

Change the trust from ATHENA to Northamerica as transitive:

netdom trust Northamerica /d:ATHENA /trans:yes

Display the transitive state:

netdom trust Northamerica /d:ATHENA /trans

Undo the trust that USA-Chicago has for NorthAmerica:

netdom trust /d:Northamerica USA-Chicago /remove

Break a two-way trust relationship:

netdom trust /d:marketing.woodgrovebank.com Engineering.woodgrovebank.com /remove /twoway /Uo:admin@engineering.woodgrovebank.com /Ud:admin@marketing.woodgrovebank.com

Verify the one-way trust that USA-Chicago has for NorthAmerica:

netdom trust /d:Northamerica USA-Chicago /verify

Verify a two-way trust between the NorthAmerica and Europe domains:

netdom trust /d:Northamerica EUROPE /verify /twoway

Reset the secure channel for the one-way trust between NorthAmerica and USA-Chicago:

netdom trust /d:Northamerica USA-Chicago /Ud:Northamerica\admin /reset

Verify that Kerberos authentication occurs successfully between a workstation and a service that is located in the domain devgroup.example.com:

netdom trust /d:devgroup.example.com /verify /KERBEROS

List the routed name suffixes for the trust between woodgrovebank and the trustpartnerdomain (the /d parameter is not needed for this operation which is an exception from other netdom trust operations):

netdom trust woodgrovebank /namesuffixes:trustpartnerdomain

The command above lists all the routed name suffixes for the trust relationship between woodgrovebank and the trustpartnerdomain (the trust relationship must be either a Forest Trust relationship or a Non-Windows Realm trust with the Forest Transitive attribute set).

Add the DNS name suffix woodgrovebank.com to the Forest Trust Info with trustpartnerdomain:

netdom trust myTestDomain /d:trustPartnerDomain /AddTln:woodgrovebank.com
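
The /quarantine, /SelectiveAUTH, /EnableSIDHistory and /ForestTRANsitive options above all map to bits of the trustedDomain object's trustAttributes value, so an administrator can audit a domain's trusts for weak settings before touching them with netdom. The PowerShell script below is an added example, not code from the original post or from netdom; it reads the trusts with Get-ADTrust (ActiveDirectory module, part of RSAT), flags outbound trusts that lack SID filtering, accept SID history or do not use selective authentication, and then runs the page's netdom trust /verify against each one. The bit values are the ones documented in MS-ADTS for trustAttributes; the function and report names are this example's own.

```powershell
# Added example (not part of the original post or of netdom): audit the trusts of a
# domain for the attributes that netdom trust controls, then verify each outbound
# trust with 'netdom trust /verify'. Requires the ActiveDirectory module and netdom.exe.
Import-Module ActiveDirectory

# trustAttributes bit values (MS-ADTS, trustedDomain object).
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4   # SID filtering on   (netdom trust /quarantine:yes)
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8   # forest trust        (netdom trust /ForestTRANsitive:yes)
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10  # selective auth      (netdom trust /SelectiveAUTH:yes)
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20  # trust inside the own forest
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40  # SID history allowed (netdom trust /EnableSIDHistory:yes)

function Get-TrustFindings {
    # Pure check over the attribute bits so the rules can be read without a domain.
    # $Direction is 'Inbound', 'Outbound' or 'BiDirectional', as Get-ADTrust reports it.
    param([int]$TrustAttributes, [string]$Direction)

    $findings   = New-Object System.Collections.Generic.List[string]
    $isForest   = ($TrustAttributes -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0
    $intraForest = ($TrustAttributes -band $TRUST_ATTRIBUTE_WITHIN_FOREST) -ne 0

    # Only an outbound (or two-way) trust lets the other side's users into this
    # domain, so that is where the filtering attributes matter.
    if ($intraForest -or $Direction -eq 'Inbound') { return $findings }

    if (-not $isForest -and ($TrustAttributes -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -eq 0) {
        $findings.Add('external/realm trust without SID filtering (fix: netdom trust ... /quarantine:yes)')
    }
    if ($isForest -and ($TrustAttributes -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -ne 0) {
        $findings.Add('forest trust accepts SID history (fix: netdom trust ... /EnableSIDHistory:no)')
    }
    if (($TrustAttributes -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION) -eq 0) {
        $findings.Add('selective authentication not enabled (fix: netdom trust ... /SelectiveAUTH:yes)')
    }
    return $findings
}

function Get-TrustRiskReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)   # trusting domain being audited

    foreach ($t in Get-ADTrust -Filter * -Server $Domain) {
        $findings = Get-TrustFindings -TrustAttributes $t.TrustAttributes -Direction $t.Direction
        $verify = 'not run (inbound only)'
        if ($t.Direction -ne 'Inbound') {
            # Same call as the examples above: netdom trust <Trusting> /d:<Trusted> /verify.
            # netdom exits with 0 when the trust's secure channel checks out.
            & netdom trust $Domain /d:$($t.Name) /verify 2>&1 | Out-Null
            $verify = $(if ($LASTEXITCODE -eq 0) { 'OK' } else { "FAILED (exit $LASTEXITCODE)" })
        }
        [pscustomobject]@{
            TrustedDomain = $t.Name
            Direction     = $t.Direction
            TrustType     = $t.TrustType
            Findings      = ($findings -join '; ')
            SecureChannel = $verify
        }
    }
}

Get-TrustRiskReport | Format-Table -AutoSize
```

The report only lists what to change; the fixes are the netdom trust forms quoted in each finding. Turning on /quarantine:yes for a forest trust is deliberately not suggested, because on a forest trust that bit restricts authorization data to the directly trusted domain and breaks access from its child domains; for forest trusts the relevant control is the SID history bit.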

↑ Up to command list

netdom verify

Verifies the secure connection between a workstation and a domain controller.

Default ‘netdom verify’ syntax

netdom verify <Computer> {/d: | /domain:}<Domain> [{/uo: | /usero:}<User> {/po: | /passwordo:}{<Password>|*}] [{/help | /?}]

‘netdom verify’ options

Description

netdom verify <Computer> Specifies the name of the computer whose secure connection you want to verify.
netdom verify {/d: | /domain:}<Domain> Specifies the domain with which to verify the secure connection. If you do not specify this parameter, then netdom verify uses the domain to which the current computer belongs.
netdom verify {/help | /?} Displays help at the command prompt.
netdom verify {/po: | /passwordo}{<Password>|*} Specifies the password of the user account that you specify in the /uo or /usero parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.
netdom verify {/uo: | /usero:}<User> Specifies the user account to use to make the secure connection with the computer that you want to verify. If you do not specify this parameter, then netdom verify uses the current user account.


↑ Up to command list

‘netdom verify’ examples

Verify that netdom maintains the secure channel secret between mywksta and devgroup.woodgrovebank.com:

netdom verify /d:devgroup.woodgrovebank.com mywksta
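
netdom verify, netdom reset and netdom resetpwd together cover the life cycle of a machine account's secure channel: verify it, reset a member's channel when it has drifted, and reset a domain controller's account password on the DC itself. The script below is an added example, not code from the original post or from netdom; it runs netdom verify against every enabled computer account of a domain, reports the machine password age from Active Directory (a password far older than the default 30-day rotation usually marks an offline, cloned or orphaned account), and, only when -Repair is given, issues netdom reset for members whose verification failed. It assumes the ActiveDirectory module and netdom.exe are installed and that the caller is an administrator on the target computers; the function and column names are this example's own.

```powershell
# Added example (not part of the original post or of netdom): audit the secure
# channel of every enabled computer account and repair only the failing ones.
Import-Module ActiveDirectory

function Test-DomainSecureChannels {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        # Machine passwords rotate every 30 days by default; anything much older
        # deserves a look before its channel is reset.
        [int]$MaxPasswordAgeDays = 60,
        [switch]$Repair
    )

    # Domain controllers are never reset here: their account password is reset with
    # 'netdom resetpwd' run on the DC itself, as described in the section above.
    $dcNames   = @(Get-ADDomainController -Filter * -Server $Domain | ForEach-Object { $_.Name })
    $computers = Get-ADComputer -Filter "Enabled -eq 'True'" -Server $Domain -Properties PasswordLastSet

    foreach ($c in $computers) {
        # netdom verify <Computer> /d:<Domain>, exit code 0 means the channel is healthy.
        & netdom verify $c.Name /d:$Domain 2>&1 | Out-Null
        $verifyExit = $LASTEXITCODE

        $action = 'none'
        if ($verifyExit -ne 0 -and $Repair) {
            if ($dcNames -contains $c.Name) {
                $action = 'skipped: domain controller, use netdom resetpwd on the DC'
            } else {
                # netdom reset <Computer> /d:<Domain> re-establishes the member's channel.
                & netdom reset $c.Name /d:$Domain 2>&1 | Out-Null
                $action = $(if ($LASTEXITCODE -eq 0) { 'reset OK' } else { "reset failed (exit $LASTEXITCODE)" })
            }
        }

        $ageDays = $(if ($c.PasswordLastSet) {
            [int](New-TimeSpan -Start $c.PasswordLastSet -End (Get-Date)).TotalDays
        } else { $null })

        [pscustomobject]@{
            Computer        = $c.Name
            SecureChannel   = $(if ($verifyExit -eq 0) { 'OK' } else { "FAILED (exit $verifyExit)" })
            PasswordAgeDays = $ageDays
            StalePassword   = ($null -eq $ageDays -or $ageDays -gt $MaxPasswordAgeDays)
            Action          = $action
        }
    }
}

# Report only the accounts that need attention; add -Repair to reset failing members.
Test-DomainSecureChannels |
    Where-Object { $_.SecureChannel -ne 'OK' -or $_.StalePassword } |
    Format-Table -AutoSize
```

Running the audit without -Repair first is the point of the design: a failed netdom verify on an account whose password has not changed for months is more often a decommissioned machine whose account should be disabled than a channel worth resetting.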

↑ Up to command list

netsh

Netsh (‘net shell’) is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a currently running computer. Unlike most of the commands appearing on this page, netsh does not interact with Active Directory objects but rather with the actual TCP/IP settings of local or remote Windows hosts. Netsh allows you to perform a wide array of network configuration tasks such as specifying IP address parameters, resetting the TCP/IP stack, configuring WINS, routing, IPv6, DHCP, network configuration import and export, and much more.

Netsh’s complete capabilities are simply too extensive to be provided on this page. It may be covered in a separate article in the future. Until then, you can use the links below to explore netsh’s very diverse functions.

TechNet.microsoft.com, Network Shell (netsh) on Windows Server 2008

TechNet.microsoft.com, Netsh on Windows Server 2003 overview

TechNet.microsoft.com, Windows Server 2003 Routing Tools and Utilities – netsh

TechNet.microsoft.com, Using netsh on Windows XP

Support.microsoft.com, How to use the Netsh.exe tool and command-line switches

Support.microsoft.com, How to reset Internet Protocol (TCP/IP) with netsh

Windowsnetworking.com, New netsh commands in Windows 7 and Server 2008 R2

↑ Up to command list

net

net computer

Adds or deletes a computer from a domain database.

Default ‘net computer’ syntax

net computer \\<ComputerName> {/add | /del}

‘net computer’ options

Description

net computer \\<ComputerName> /add Adds the specified computer to the domain database.
net computer \\<ComputerName> Specifies the computer to add or delete from the domain database for the domain in which you are currently logged on. You can specify only one computer. You cannot specify other domains.
net computer \\<ComputerName> /del Delete the specified computer from the domain database.
net help computer Displays help for the ‘net computer’ command.


↑ Up to command list

‘net computer’ examples

Add the computer named ‘Grizzlybear’ to the domain database:

net computer \\grizzlybear /add

↑ Up to command list

net group

Adds, displays, or modifies global groups in domains. When you use net group without parameters, this command displays the name of a server and the names of groups on the server. You can use net group to group users who use the network in the same or similar ways. When you assign rights to a group, each member of the group automatically has those rights. In the command output, net group precedes groups that include both users and groups with an asterisk (*).

Default ‘net group’ syntax

net group [<GroupName> [/comment:"<Text>"]] [/domain]

net group [<GroupName> {/add [/comment:"<Text>"] | /delete} [/domain]]

net group [<GroupName> <UserName> [...] {/add | /delete} [/domain]]

‘net group’ options

Description

net group <GroupName> Specifies the name of the group to add, expand, or delete. Specify a group name alone to view the list of users in that group.
net group <GroupName> /add Adds a group, or adds a user name to a group. You must establish accounts for users that you add to a group with this command.
net group <GroupName> /comment:”<Text>” Adds a comment for a new or existing group. The comment can have as many as 48 characters. Enclose the text in quotation marks.
net group <GroupName> /delete Removes a group, or removes a user name from a group.
net group <GroupName> /domain Performs the operation on the domain controller in the current domain. Otherwise, the operation is performed on the local computer.
net group <UserName>[ ...] Lists one or more user names to add to or remove from a group. Separate multiple user names with a space.
net help group Displays help for the ‘net group’ command.


↑ Up to command list

‘net group’ examples

List all the groups on the local server:

net group

Add a group called ‘Exec’ to the local user accounts database:

net group exec /add

Add a group called ‘Exec’ to the domain database:

net group exec /add /domain

Add the existing user accounts estherv, ralfr, and stevent to the Exec group on the local computer:

net group exec estherv ralfr stevent /add

Add the existing user accounts estherv, ralfr, and stevent to the Exec group in the domain database:

net group exec estherv ralfr stevent /add /domain

Display users in the Exec group:

net group exec

Add a comment to the Exec group record:

net group exec /comment:"The executive staff"

↑ Up to command list

net localgroup

Adds, displays, or modifies local groups. Used without parameters, net localgroup displays the name of the server and the names of local groups on the computer. Use net localgroup to group users who use the computer or network in the same or similar ways. When you assign rights to a local group, each member of the local group automatically has the same rights.

Default ‘net localgroup’ syntax

net localgroup [<GroupName> [/comment:"<Text>"]] [/domain]

net localgroup [<GroupName> {/add [/comment:"<Text>"] | /delete} [/domain]

net localgroup [<GroupName> <Name> […] {/add | /delete} [/domain]

‘net localgroup’ options

Description

net help localgroup Displays help for the ‘net localgroup’ command.
net localgroup <GroupName> Specifies the name of the local group to add, expand, or delete. Used without additional parameters, net localgroup <GroupName> displays a list of users or global groups in a local group.
net localgroup <GroupName> /add Adds a global group name or user name to a local group. You must first establish an account for users or global groups before you can add it to a local group with this command.
net localgroup <GroupName> /comment:”<Text>” Adds a comment for a new or existing group. The comment can contain up to 256 characters. Enclose the text in quotation marks.
net localgroup <GroupName> /delete Removes a group name or user name from a local group.
net localgroup <GroupName> /domain Performs the operation on the primary domain controller of the current domain. Otherwise, the operation is performed on the local computer. /domain applies only to computers that are members of a domain. By default, server computers perform operations on the primary domain controller.
net localgroup <Name>[ ...] Lists one or more user names or group names to add or remove from a local group. Separate multiple entries with a space. Names can be local users, users on other domains, or global groups, but not other local groups. If a user is from another domain, preface the user name with the domain name (for example, Sales\Ralphr).


↑ Up to command list

‘net localgroup’ examples

Display a list of all the local groups on the local server:

net localgroup

Add a local group called ‘Exec’ to the local user accounts database:

net localgroup exec /add

Add a local group called ‘Exec’ to the domain user accounts database:

net localgroup exec /add /domain

Add the existing user accounts stevev, ralphr (from the Sales domain), and jennyt to the Exec local group on the local computer:

net localgroup exec stevev sales\ralphr jennyt /add

Add the existing user accounts stevev, ralphr, and jennyt to the Exec group of a domain:

net localgroup exec stevev ralphr jennyt /add /domain

Display users in the Exec local group:

net localgroup exec

Add a comment to the Exec local group record:

net localgroup exec /comment:"The executive staff."
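
net group <GroupName> and net localgroup <GroupName> are the quickest way to see who holds a group's rights, and the local Administrators group is the one most worth checking regularly. The script below is an added example, not code from the original post; it parses the output of net localgroup <GroupName> into member names and compares them with an approved list, so members that were added outside the normal process stand out. The output layout it relies on (members one per line between the dashed rule and the closing "The command completed successfully." line) is what net localgroup prints; the sample output and the baseline membership are constructed for the offline run and are hypothetical.

```powershell
# Added example (not part of the original post): compare the members of a local
# group, as printed by 'net localgroup <GroupName>', against an approved baseline.

function ConvertFrom-NetLocalGroup {
    # Extracts member names from 'net localgroup <GroupName>' output. Members are
    # listed one per line after the dashed rule; the final status line ends the list.
    param([string[]]$OutputLines)

    $inMembers = $false
    foreach ($line in $OutputLines) {
        if ($line -match '^-{5,}') { $inMembers = $true; continue }
        if (-not $inMembers) { continue }
        if ($line -match '^The command completed') { break }
        if ($line.Trim()) { $line.Trim() }
    }
}

function Compare-LocalGroupBaseline {
    param(
        [string]$GroupName = 'Administrators',
        [string[]]$Baseline,
        # Pass captured output to test offline; omit to query the local computer.
        [string[]]$OutputLines = (& net localgroup $GroupName)
    )
    $members = @(ConvertFrom-NetLocalGroup -OutputLines $OutputLines)
    [pscustomobject]@{
        Group      = $GroupName
        Members    = $members
        Unexpected = @($members  | Where-Object { $Baseline -notcontains $_ })   # added outside the process
        Missing    = @($Baseline | Where-Object { $members  -notcontains $_ })   # expected but removed
    }
}

# Constructed sample of what 'net localgroup administrators' prints on a domain member.
$sampleOutput = @(
    'Alias name     administrators',
    'Comment        Administrators have complete and unrestricted access to the computer/domain',
    '',
    'Members',
    '',
    '-------------------------------------------------------------------------------',
    'Administrator',
    'CONTOSO\Domain Admins',
    'CONTOSO\svc-backup',
    'The command completed successfully.'
)
$baseline = @('Administrator', 'CONTOSO\Domain Admins')   # hypothetical approved membership

Compare-LocalGroupBaseline -GroupName 'administrators' -Baseline $baseline -OutputLines $sampleOutput |
    Format-List

# On a live host the same check runs against the real group:
#   Compare-LocalGroupBaseline -GroupName 'Administrators' -Baseline $baseline
```

Anything listed under Unexpected is then removed with the page's own syntax, net localgroup administrators <Name> /delete, after confirming it is not a sanctioned change. The parser is kept separate from the comparison so that captured output from many hosts (for example gathered by a logon script) can be fed through it centrally.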

↑ Up to command list

net print

Displays information about a specified printer queue or a specified print job, or controls a specified print job.

This command has been deprecated in Windows 7 and Windows Server 2008 R2. However, you can perform many of the same tasks using prnjobs.vbs, Windows Management Instrumentation (WMI), or Windows PowerShell cmdlets.

Default ‘net print’ syntax

Net print {\\<ComputerName>\<ShareName> | \\<ComputerName> <JobNumber> [/hold | /release | /delete]} [help]

‘net print’ options

Description

net help print Displays help for the ‘net print’ command.
net print \\<ComputerName> Specifies (by name) the computer that hosts the print job you want to control. If you do not specify a computer, the local computer is assumed. Requires the <JobNumber> parameter.
net print \\<ComputerName>\<ShareName> Specifies (by name) the computer and print queue about which you want to display information.
net print /delete Removes a print job from a print queue.
net print /hold Delays the job, allowing other print jobs to bypass it until it is released.
net print <JobNumber> Specifies the number of the print job you want to control. This number is assigned by the computer that hosts the print queue where the print job is sent. After a computer assigns a number to a print job, that number is not assigned to any other print jobs in any queue hosted by that computer. Required when using the \\<ComputerName> parameter.
net print /release Releases a print job that has been delayed.


↑ Up to command list

‘net print’ examples

List the contents of the Dotmatrix print queue on the \\Production computer:

Net print \\Production\Dotmatrix

Display information about job number 35 on the \\Production computer:

Net print \\Production 35

Delay job number 263 on the \\Production computer:

Net print \\Production 263 /hold

Release job number 263 on the \\Production computer:

Net print \\Production 263 /release

↑ Up to command list

net session

Manages server computer connections. Can be abbreviated as net sess. Use net session to view the computer names and user names of users on a server, to see if users have files open, and to see how long each user’s session has been idle.

Using net session can result in a loss of data. You might want to warn users before you disconnect a session.

Default ‘net session’ syntax

net session [\\<ComputerName>] [/delete] [/list]

‘net session’ options

Description

net help session Displays help for the ‘net session’ command.
net session \\<ComputerName> Identifies the client computer for which you want to list or disconnect sessions.
net session /delete Ends the session with the specified client computer and closes all open files on the local computer for the session. If you omit \\<ComputerName>, all sessions on the local computer are canceled.
net session /list Displays information in a list rather than a table.


↑ Up to command list

‘net session’ examples

Display a list of session information for the local server:

net session

Display session information for a client with the computer name ‘bweston’:

net session \\bweston

End all sessions between the server and the clients connected to it:

net session /delete
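
Because net session /delete closes every file a session holds open, the useful administrative pattern is to list sessions first, pick out those that have been idle for a long time, and disconnect only those. The script below is an added example, not code from the original post; it parses the table net session prints (client, user name, optional client type, open-file count and an hh:mm:ss idle time), returns the sessions idle beyond a threshold, and disconnects them with net session \\<ComputerName> /delete only when -Disconnect is given. The column layout it expects is an assumption about the net session output format; the sample rows are constructed for the offline run.

```powershell
# Added example (not part of the original post): find idle SMB sessions from
# 'net session' output and disconnect them selectively.

function ConvertFrom-NetSession {
    # Parses one object per session row. Assumed row layout:
    #   \\client   user   [client type]   opens   hh:mm:ss
    param([string[]]$OutputLines)

    foreach ($line in $OutputLines) {
        if ($line -match '^(\\\\\S+)\s+(\S+)\s+(?:.*?\s+)?(\d+)\s+(\d+):(\d{2}):(\d{2})\s*$') {
            [pscustomobject]@{
                Client   = $Matches[1]
                User     = $Matches[2]
                Opens    = [int]$Matches[3]
                IdleTime = New-TimeSpan -Hours ([int]$Matches[4]) -Minutes ([int]$Matches[5]) -Seconds ([int]$Matches[6])
            }
        }
    }
}

function Get-IdleSessions {
    param(
        [int]$IdleMinutes = 60,
        # Pass captured output to test offline; omit to query the local server.
        [string[]]$OutputLines = (& net session),
        [switch]$Disconnect
    )

    foreach ($s in ConvertFrom-NetSession -OutputLines $OutputLines) {
        if ($s.IdleTime.TotalMinutes -lt $IdleMinutes) { continue }
        if ($Disconnect) {
            # net session \\<ComputerName> /delete ends that client's session and
            # closes its open files; warn the user first, as the section notes.
            & net session $s.Client /delete 2>&1 | Out-Null
        }
        $s
    }
}

# Constructed sample of 'net session' output on a file server.
$sampleSessions = @(
    'Computer               User name            Client Type       Opens Idle time',
    '',
    '-------------------------------------------------------------------------------',
    '\\10.0.0.5             jdoe                                       2 00:00:05',
    '\\WS-07                asmith                                     0 01:15:33',
    '',
    'The command completed successfully.'
)

# Lists the one session idle for more than 60 minutes; add -Disconnect to end it.
Get-IdleSessions -IdleMinutes 60 -OutputLines $sampleSessions | Format-Table -AutoSize
```

A session with zero open files and a long idle time is the safe candidate to disconnect; one with open files and a short idle time is an active user, which is exactly the data-loss case the section warns about.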

↑ Up to command list

net share

Manages shared resources. Used without parameters, net share displays information about all of the resources that are shared on the local computer. For each resource, the device name(s) or pathname(s) and a descriptive comment are displayed. To share a directory with a path that contains a space, enclose the drive and the path of the directory in quotation marks (for example, “C:\Path Name”).

Default ‘net share’ syntax

net share <ShareName>

net share <ShareName>=<drive>:<DirectoryPath> [/grant:<user>,{read | change |full}] [/users:<number> | /unlimited] [/remark:<text>] [/cache:{manual | documents | programs | BranchCache |none} ]

net share [/users:<number> | /unlimited] [/remark:<text>] [/cache:{manual | documents | programs | BranchCache |none} ]

net share {<ShareName> | <DeviceName> | <drive>:<DirectoryPath>} /delete

net share <ShareName> \\<ComputerName> /delete

‘net share’ options

Description

net help share Displays help for the ‘net share’ command.
net share /cache:BranchCache Enables manual caching of documents with BranchCache enabled from this share.
net share /cache:documents Enables automatic caching of documents from this share.
net share /cache:manual Enables manual client caching of programs and documents from this share.
net share /cache:none Disables caching from this share.
net share /cache:programs Enables automatic caching of documents and programs from this share.
net share /delete Stops sharing the resource.
net share <drive>:<DirectoryPath> Specifies the absolute path of the directory to be shared.
net share /grant:<user>,{read | change | full} Creates the share with a security descriptor that gives the requested permissions to the specified user. The permissions that can be granted to a user are: read, change or full. This option may be used more than once to give share permissions to multiple users.
net share <PrintDeviceName> Specifies one or more printers (LPT1: through LPT9) shared by ShareName.
net share /remark:<text> Adds a descriptive comment about the resource. Enclose the text in quotation marks.
net share <ShareName> Specifies the network name of the shared resource. Type net share with a ShareName to display information about that share only.
net share /unlimited Specifies an unlimited number of users can simultaneously access the shared resources.
net share /users:<number> Specifies the maximum number of users who can simultaneously access the shared resources.


↑ Up to command list

‘net share’ examples

Display information about shared resources on the local computer:

net share

Share a computer’s C:\Data directory with the share name DataShare and include a remark:

net share DataShare=c:\Data /remark:"For department 123"

Stop sharing the DataShare folder you created in the previous example:

net share DataShare /delete

Share a computer’s C:\Art List directory with the share name ‘List’:

net share list="c:\Art List"
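The /grant option above lets you scope share permissions to named users or groups; the PowerShell below, an added example that is not code from the original post, audits existing shares for broad principals holding CHANGE or FULL. It parses the key/value block that `net share <ShareName>` prints (the samples are constructed in that layout, and the indented continuation lines under Permission are an assumption about the format); the domain and group names are constructed.

```powershell
# Added example (not code from the original post): audit the share permissions that
# 'net share <ShareName>' reports and flag shares where a broad principal holds CHANGE
# or FULL, so they can be recreated with explicit /grant:<user>,{read|change|full}.
# $SampleShareDetails is constructed for offline use; on a real host build it with:
#   $details = @{}
#   foreach ($n in Get-ShareNamesFromNetShare (net share | Out-String)) {
#       $details[$n] = (net share $n | Out-String) }

function Get-ShareNamesFromNetShare {
    # Pull share names from the 'net share' listing (first column of each data row).
    param([Parameter(Mandatory)][string]$Text)
    $inTable = $false
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^-{10,}') { $inTable = $true; continue }
        if (-not $inTable -or $line -match '^\s*$' -or $line -match '^The command') { continue }
        if ($line -match '^(\S+)') { $Matches[1] }
    }
}

function ConvertFrom-NetShareDetail {
    # Parse 'net share <ShareName>' output. 'Permission' is followed by one
    # "<principal>, <RIGHT>" entry; further entries are on indented lines with no key
    # (assumed layout). Only Path and the permission entries are kept.
    param([Parameter(Mandatory)][string]$Text)
    $perms = @(); $path = ''; $inPerms = $false
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^Path\s{2,}(.+)$') { $path = $Matches[1].Trim(); continue }
        if ($line -match '^Permission\s{2,}(.+)$')          { $inPerms = $true; $entry = $Matches[1] }
        elseif ($inPerms -and $line -match '^\s+(\S.*)$')   { $entry = $Matches[1] }
        else { $inPerms = $false; continue }
        if ($entry -match '^(?<principal>.+?),\s*(?<right>READ|CHANGE|FULL)\s*$') {
            $perms += [pscustomobject]@{ Principal = $Matches.principal.Trim(); Right = $Matches.right }
        }
    }
    [pscustomobject]@{ Path = $path; Permissions = $perms }
}

function Get-BroadSharePermission {
    param(
        [Parameter(Mandatory)][hashtable]$ShareDetails,   # share name -> 'net share <name>' text
        [string[]]$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    )
    foreach ($name in $ShareDetails.Keys) {
        $d = ConvertFrom-NetShareDetail -Text $ShareDetails[$name]
        foreach ($p in $d.Permissions) {
            if ($BroadPrincipals -contains $p.Principal -and $p.Right -in 'CHANGE', 'FULL') {
                [pscustomobject]@{ Share = $name; Path = $d.Path; Principal = $p.Principal; Right = $p.Right }
            }
        }
    }
}

# Constructed samples (not captured from a real host); CONTOSO\ArtDept is a made-up group.
$SampleShareDetails = @{
    'DataShare' = @'
Share name        DataShare
Path              C:\Data
Remark            For department 123
Maximum users     No limit
Users
Caching           Manual caching of documents
Permission        Everyone, FULL

The command completed successfully.
'@
    'List' = @'
Share name        List
Path              C:\Art List
Remark
Maximum users     No limit
Users
Caching           Manual caching of documents
Permission        BUILTIN\Administrators, FULL
                  CONTOSO\ArtDept, READ

The command completed successfully.
'@
}

Get-BroadSharePermission -ShareDetails $SampleShareDetails | Format-Table -AutoSize
```

With the samples, only DataShare (Everyone, FULL) is reported; List grants FULL to administrators and READ to a scoped group and passes.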

↑ Up to command list

net use

Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections. The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections. Use net use to connect to and disconnect from a network resource, and to view your current connections to network resources.

Default ‘net use’ syntax

net use [{<DeviceName> | *}] [\\<ComputerName>\<ShareName>[\<volume>] [{<Password> | *}]] [/user:[<DomainName>\]<UserName>] [/user:[<DottedDomainName>\]<UserName>] [/user:<UserName@DottedDomainName>] [/savecred] [/smartcard] [{/delete | /persistent:{yes | no}}]

net use [<DeviceName> [/home[{<Password> | *}] [/delete:{yes | no}]]

net use [/persistent:{yes | no}]

‘net use’ options

Description

net help use Displays help for the ‘net use’ command.
net use \\<ComputerName>\<ShareName> Specifies the name of the server and the shared resource. If ComputerName contains spaces, use quotation marks around the entire computer name from the double backslash (\\) to the end of the computer name (for example, “\\Computer Name\Share Name”). The computer name can be from 1 to 15 characters long.
net use /delete Cancels the specified network connection. If you specify the connection with an asterisk (*), all network connections are canceled.
net use <DeviceName> Assigns a name to connect to the resource or specifies the device to be disconnected. There are two kinds of device names: disk drives (that is, D: through Z:) and printers (that is, LPT1: through LPT3:). Type an asterisk (*) instead of a specific device name to assign the next available device name.
net use <DomainName> Specifies another domain. If you omit DomainName, net use uses the current logged on domain.
net use <DottedDomainName> Specifies the fully-qualified domain name for the domain where the user account exists.
net use /home Connects a user to the home directory.
net use <Password> Specifies the password needed to access the shared resource. Type an asterisk (*) to produce a prompt for the password. The password is not displayed when you type it at the password prompt.
net use /persistent:{yes | no} Controls the use of persistent network connections. The default is the setting used last. Deviceless connections are not persistent. Yes saves all connections as they are made, and restores them at next logon. No does not save the connection being made or subsequent connections. Existing connections are restored at the next logon. Use /delete to remove persistent connections.
net use /savecred Stores the provided credentials for reuse.
net use /smartcard Specifies the network connection is to use the credentials on a smart card. If multiple smart cards are available, you are asked to specify the credential.
net use /user Specifies a different user name with which the connection is made.
net use <UserName> Specifies the user name with which to log on.
net use <Volume> Specifies a NetWare volume on the server. You must have Client Service for NetWare or Gateway Service for Netware (Windows Server) installed and running to connect to NetWare servers.


↑ Up to command list

‘net use’ examples

Assign the drive letter E: to the ‘Documents’ shared directory on the \\Financial server:

net use e: \\financial\documents

Assign (map) the drive letter M: to the directory Mike within the Documents volume on the \\Financial server:

net use m: \\financial\documents\mike

Connect the user identifier Dan as if the connection were made from the Accounts domain:

net use d: \\server\share /user:Accounts\Dan

Disconnect from the \\Financial\Public directory:

net use f: \\financial\public /delete

Connect to the resource memos shared on the \\Financial 2 server:

net use k: "\\financial 2\memos"

Restore the current connections at each logon regardless of future changes:

net use /persistent:yes

↑ Up to command list

net user

Adds or modifies user accounts, or displays user account information. When you enter net user without parameters, it displays a list of the user accounts on the computer.

Default ‘net user’ syntax

net user [<UserName> {<Password> | *} [<Options>]] [/domain]

net user [<UserName> {<Password> | *} /add [<Options>] [/domain]]

net user [<UserName> [/delete] [/domain]]

‘net user’ options

Description

net help user Displays help for the ‘net user’ command.
net user /active:{no | yes} Enables or disables the user account. If the user account is not active, the user cannot access resources on the computer. The default is yes (active).
net user /comment:”<Text>” Provides a descriptive comment about the user’s account. This comment can have as many as 48 characters. Enclose the text in quotation marks.
net user /countrycode:<NNN> Uses the operating system Country/Region codes to implement the specified language files for a user’s Help and error messages. A value of 0 signifies the default Country/Region code.
net user /domain Performs the operation on the domain controller in the computer’s primary domain.
net user /expires:{{<MM/DD/YYYY> | <DD/MM/YYYY> | <mmm,dd,YYYY>} | never} Causes the user account to expire if you specify the date. Expiration dates can be in [MM/DD/YYYY], [DD/MM/YYYY], or [mmm,dd,YYYY] formats, depending on the Country/Region code. Note that the account expires at the beginning of the specified date. For the month value, you can use numbers, spell it out, or use a three-letter abbreviation (that is, Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec). You can use two or four numbers for the year value. Use commas or slashes to separate parts of the date. Do not use spaces. If you omit <YYYY>, the next occurrence of the date (that is, according to your computer’s date and time) is assumed.
net user /fullname:”<Name>” Specifies a user’s full name rather than a user name. Enclose the name in quotation marks.
net user /homedir:<Path> Sets the path for the user’s home directory. The path must exist beforehand.
net user /passwordchg:{yes | no} Specifies whether users can change their own password. The default is yes.
net user /passwordreq:{yes | no} Specifies whether a user account must have a password. The default is yes.
net user /profilepath:[<Path>] Sets a path for the user’s logon profile. This path points to a registry profile.
net user /scriptpath:<Path> Sets a path for the user’s logon script. <Path> cannot be an absolute path. <Path> is relative to %systemroot%\System32\Repl\Import\Scripts.
net user /times:{<Day>[<-Day>][,<Day>[-<Day>]],<Time>[-<Time>][,<Time>[-<Time>]][;] | all} Specifies the times that users are allowed to use the computer. <Time> is limited to one-hour increments. For the <-Day> values, you can spell out the names of the days or use abbreviations (that is, M,T,W,Th,F,Sa,Su). You can use 12-hour or 24-hour notation for hours. If you use 12-hour notation, use AM and PM, or A.M. and P.M. The value all means a user can always log on. A null value (blank) means a user can never log on. Separate day and time with commas, and separate units of day and time with semicolons (for example, M,4AM-5PM;T,1PM-3PM). Do not use spaces when you designate times.
net user /usercomment:”<Text>” Specifies that an administrator can add or change the “User comment” for the account. Enclose the text in quotation marks.
net user /workstations:{<ComputerName>[,...] | *} Lists as many as eight workstations from which a user can log on to the network. Separate multiple entries in the list with commas. If /workstations has no list or if the list is an asterisk (*), users can log on from any computer.


↑ Up to command list

‘net user’ examples

Display a list of all user accounts for the local computer:

net user

Display information about the user account ‘tommyh’:

net user tommyh

Add a user account for a user whose full name is Jay Jamison and whose user account name is ‘jayj’, with logon rights from 8 A.M. to 5 P.M., Monday through Friday (no spaces in time designations), a mandatory password (Cyk4^g3B), and the user’s full name:

net user jayj Cyk4^g3B /add /passwordreq:yes /times:monday-friday,8am-5pm /fullname:"Jay Jamison"

Set the logon time (8 A.M. to 5 P.M.) for user ‘miked’ by using 24-hour notation:

net user miked /time:M-F,08:00-17:00

Set the logon time (8 A.M. to 5 P.M.) for user ‘miked’ by using 12-hour notation:

net user miked /time:M-F,8AM-5PM

Specify logon hours of 4 A.M. until 5 P.M. on Monday, 1 P.M. until 3 P.M. on Tuesday, and 8 A.M. until 5 P.M. Wednesday through Friday for user ‘anibals’:

net user anibals /time:M,4AM-5PM;T,1PM-3PM;W-F,8:00-17:00

↑ Up to command list

net view

Displays a list of domains, computers, or resources that are being shared by the specified computer. Used without parameters, net view displays a list of computers in your current domain.

Default ‘net view’ syntax

net view [\\ComputerName [/CACHE] | [/ALL] | /DOMAIN[:DomainName]]

‘net view’ options

Description

net help view Displays help for the ‘net view’ command.
net view /ALL Displays all the shares, including the $ shares.
net view /CACHE Displays the offline client caching settings for the resources on the specified computer.
net view \\ComputerName Specifies the computer that contains the shared resources that you want to view.
net view /domain[:DomainName] Specifies the domain for which you want to view the available computers. If you omit DomainName, /domain displays all of the domains in the network.


↑ Up to command list

‘net view’ examples

See a list of the resources shared by the \\Production computer:

net view \\production

See a list of the computers in the sales domain or workgroup:

net view /domain:sales

↑ Up to command list

nltest

Performs network administrative tasks. Nltest can test and reset the secure channel that the NetLogon service establishes between clients and the domain controller that logs them on. Clients using Kerberos authentication cannot use this secure channel.

You can use nltest to get a list of domain controllers, force a remote shutdown, query the status of trust, test trust relationships and the state of domain controller replication in a Windows domain, and force a user-account database to synchronize on Windows NT version 4.0 or earlier domain controllers.

Default nltest syntax

nltest [/server:<servername>] [<operation>[<parameter>]]

nltest options

Description

nltest /bdc_query: <DomainName> Queries for a list of BDCs in DomainName, and then displays their state of synchronization and replication status. You can use this parameter only for Windows NT 4.0 domain controllers.
nltest /cdigest: <Message> /domain: <DomainName> Displays the current digest that the client uses for the secure channel (the digest is the calculation that nltest derives from the password). This parameter displays the digest that is based on the previous password, also. Nltest uses the secure channel for logons between client computers and a domain controller, or for directory service replication between domain controllers. You can use this parameter in conjunction with the /sdigest parameter to check the synchronization of trust account passwords.
nltest /dbflag: <HexadecimalFlags> Sets a new debug flag. For most purposes, use 0x2000FFFF as the value for HexadecimalFlags. The entry in the Windows Server 2003 registry for debug flags is HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DBFlag.
nltest /dclist:[ <DomainName>] Lists all domain controllers in the domain. In a Windows NT 4.0 domain environment, this parameter uses the Browser service to retrieve the list of domains. In an Active Directory environment, this command first queries Active Directory for a list of domain controllers. If this query is unsuccessful, nltest then uses the Browser service.
nltest /dcname:[ <DomainName>] Lists the primary domain controller or the PDC emulator for DomainName.
nltest /dnsgetdc: <DomainName> Queries the DNS server for a list of domain controllers and their corresponding IP addresses. The following list shows the values that you can use to filter the list of domain controllers.

/FORCE: Forces the computer to run the command against the DNS server instead of looking in cache for the information.

/GC: Returns only those domain controllers that you designate as global catalogs.

/KDC: Returns only those domain controllers that you designate as Kerberos key distribution centers.

/LDAPONLY: Returns servers that are running a Lightweight Directory Access Protocol (LDAP) application. The servers can include LDAP servers that are not domain controllers.

/PDC: Returns only those domain controllers that are PDCs (Windows NT 4.0) or designated as PDC emulators.

/SITE:<SiteName>: Sorts the returned records to list first the records that pertain to the site that you specify.

/SITESPEC: Filters the returned records to display only those records that pertain to the site that you specify. This operation can only be used with the /SITE parameter.

/WRITABLE: Returns only those domain controllers that can accept changes to the directory database. This value returns all Active Directory domain controllers, but not Windows NT 4.0 BDCs.

nltest /dsderegdns: <DnsHostName> Deregisters DNS host records for the host that you specify in the DnsHostName parameter. The following list shows the values that you can use to specify which records nltest deregisters.

/DOM: specifies a DNS domain name for the host to use when you search for records on the DNS server. If you do not specify this value, nltest uses the DNS domain name as the suffix of the DnsHostName parameter.

/DOMGUID: deletes DNS records that are based on a globally unique identifier (GUID).

/DSAGUID: deletes Directory System Agent (DSA) records that are based on a GUID.

nltest /dsgetdc:[ <DomainName>] Queries the Domain Name System (DNS) server for a list of domain controllers and their corresponding IP addresses. This parameter also contacts each domain controller to check for connectivity. The following list shows the values that you can use to filter the list of domain controllers or to specify alternate name types in the syntax.

/DNS: Specifies computer names in the syntax as fully qualified domain names (FQDNs). If you do not specify a return format, the domain controller can return either NetBIOS or DNS format.

/DS: Returns only those domain controllers that are Windows 2000 and later.

/DSP: Returns only Windows 2000 and later domain controllers. If the query finds no such server, then this value returns Windows NT 4.0 domain controllers.

/FORCE: Forces the computer to run the command against the DNS server instead of looking in the cache for the information.

/GC: Returns only those domain controllers that you designate as global catalog servers.

/GTTIMESERV: Returns only those domain controllers that you designate as master time servers.

/IP: Returns only domain controllers that have IP addresses. This value returns only domain controllers that use TCP/IP as their protocol stacks.

/KDC: Returns only those domain controllers that you designate as Kerberos key distribution centers.

/NetBIOS: Specifies computer names in the syntax as NetBIOS names. If you do not specify a return format, the domain controller can return either NetBIOS or DNS format.

/PDC: Returns only the PDC (Windows NT 4.0) or domain controller that you designate as the PDC emulator (Windows 2000 and later).

/TIMESERV: Returns only those domain controllers that you designate as time servers.

nltest /dsgetfti: <DomainName>[ /UpdateTDO] Returns information about interforest trusts. You use this parameter only for a Windows Server 2008 domain controller that is in the root of the forest. If no interforest trusts exist, this parameter returns an error. The /UpdateTDO value updates the locally stored information on the interforest trust.
nltest /dsgetsite Returns the name of the site in which the domain controller resides.
nltest /dsgetsitecov Returns the name of the site that the domain controller covers. A domain controller can cover a site that has no local domain controller of its own.
nltest /dsquerydns Queries for the status of the last update for all DNS records that are specific to a domain controller that you specify.
nltest /dsregdns Refreshes the registration of all DNS records that are specific to a domain controller that you specify.
nltest /finduser: <User> Finds the directly-trusted domain that the user account that you specify belongs to. You can use this parameter to troubleshoot logon issues of older client operating systems.
nltest /help Displays help at the command prompt.
nltest /list_deltas: <FileName> Displays the contents of the FileName change log file, which lists changes to the user account database. Netlogon.chg is the default name for this log file, which resides only on Windows NT 4.0 BDCs.
nltest /logon_query Queries the cumulative number of NTLM logon attempts at a console or over a network.
nltest /parentdomain Returns the name of the parent domain of the server.
nltest /pdc_repl Forces the PDC to send a synchronization notification to all BDCs. You can use this parameter for Windows NT 4.0 PDCs only, not for Active Directory replication. You must have administrative credentials to use this parameter.
nltest /query Reports on the state of the secure channel the last time you used it (the secure channel is the one that the NetLogon service established).
nltest /repl Forces synchronization with the primary domain controller (PDC). Nltest synchronizes only changes that are not yet replicated to the backup domain controller (BDC). You can use this parameter for Windows NT 4.0 BDCs only, not for Active Directory replication. You must have administrative credentials to use this parameter.
nltest /sc_change_pwd:[ <DomainName>] Changes the password for the trust account of a domain that you specify. If you run nltest on a domain controller, and an explicit trust relationship exists, then nltest resets the password for the interdomain trust account. Otherwise, nltest changes the computer account password for the domain that you specify. You can use this parameter only for computers that are running Windows 2000 and later.
nltest /sc_query: <DomainName> Reports on the state of the secure channel the last time that you used it (the secure channel is the one that the NetLogon service established). This parameter lists the name of the domain controller that you queried on the secure channel, also.
nltest /sc_reset:[ <DomainName>] Removes, and then rebuilds, the secure channel that the NetLogon service established. You must have administrative credentials to use this parameter.
nltest /sc_verify:[ <DomainName>] Checks the status of the secure channel that the NetLogon service established. If the secure channel does not work, this parameter removes the existing channel, and then builds a new one. You must have administrative credentials to use this parameter. This parameter is only valid on domain controllers that run Windows 2000 with Service Pack 2 and later.
nltest /sdigest: <Message> /rid: <RID_In_Hexadecimal> Displays the current digest that the server uses for the secure channel (the digest is the calculation that nltest derives from the password). This parameter displays the digest for the previous password, also. If the digest from the server matches the digest from the client, then nltest synchronizes the passwords that it uses for the secure channel. If the digests do not match, then nltest might not have replicated the password change yet.
nltest /sim_sync: <DomainName> <ServerName> Simulates full synchronization replication. This is a useful parameter for test environments.
nltest /shutdown: <Reason>[ <Seconds>] Remotely shuts down the server that you specify in ServerName. You use a string to specify the reason for the shutdown in the Reason value, and you use an integer to specify the amount of time before the shutdown occurs in the Seconds value. For a complete description, see the Platform SDK documentation for InitiateSystemShutdown.
nltest /shutdown_abort Terminates a system shutdown.
nltest /sync Forces an immediate synchronization with the PDC of the entire Security Accounts Manager (SAM) database. You can use this parameter for Windows NT 4.0 BDCs only, not for Active Directory replication. You must have administrative credentials to use this parameter.
nltest /time: <HexadecimalLSL> <HexadecimalMSL> Converts Windows NT Greenwich Mean Time (GMT) time to ASCII. HexadecimalLSL is a hexadecimal value for least significant longword. HexadecimalMSL is a hexadecimal value for most significant longword.
nltest /transport_notify Flushes the negative cache to force the discovery of a domain controller. You can use this parameter for Windows NT 4.0 domain controllers only. This operation is done automatically when clients log on to Windows 2000 and Windows Server 2003 domain controllers.
nltest /user: <UserName> Displays many of the attributes that you maintain in the SAM account database for the user that you specify. You cannot use this parameter for user accounts that are stored in an Active Directory database.
nltest /whowill: <Domain>/ <User> Finds the domain controller that has the user account that you specify. You can use this parameter to determine whether nltest has replicated the account information to other domain controllers.


↑ Up to command list

nltest examples

Create a list of domain controllers of the domain fourthcoffee.com:

nltest /dclist:fourthcoffee

Show detailed information about a specific user:

nltest /user:"TestAdmin"

Verify that the fourthcoffee-dc-01 server has a valid trust relationship (secure channel) with the fourthcoffee domain:

nltest.exe /server:fourthcoffee-dc-01 /sc_query:fourthcoffee

List the established trust relationships for your domain:

nltest /domain_trusts
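The secure-channel checks above are easiest to act on when run across several servers at once. The PowerShell below is an added example, not code from the original post: it parses `nltest /server:<name> /sc_query:<domain>` output for each server (the samples are constructed in that layout; server names other than fourthcoffee-dc-01 are made up) and reports which channels are healthy, leaving any /sc_reset or /sc_verify decision to the administrator.

```powershell
# Added example (not code from the original post): parse 'nltest /sc_query:<domain>'
# output collected from several servers and report secure-channel health. It only
# reads query results; it never runs /sc_reset or /sc_verify itself.
# $SampleScQuery is constructed for offline use; on a real host build it with:
#   $out = @{}
#   foreach ($s in $servers) { $out[$s] = (nltest /server:$s /sc_query:$domain 2>&1 | Out-String) }

function ConvertFrom-NltestScQuery {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Text
    )
    $result = [pscustomobject]@{
        Server = $Server; TrustedDC = $null; Flags = $null
        StatusCode = $null; StatusName = $null; Healthy = $false
    }
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^Flags:\s+\S+\s*(.*)$')        { $result.Flags = $Matches[1].Trim() }
        elseif ($line -match '^Trusted DC Name\s+(\S+)') { $result.TrustedDC = $Matches[1] }
        # Both the success line and the "I_NetLogonControl failed" line carry
        # "Status = <decimal> <hex> <symbolic name>".
        elseif ($line -match 'Status = (?<dec>\d+) 0x[0-9a-fA-F]+ (?<name>\S+)') {
            $result.StatusCode = [int]$Matches.dec
            $result.StatusName = $Matches.name
        }
    }
    # Healthy only when the query succeeded (NERR_Success) and a trusted DC was named.
    $result.Healthy = [bool]($result.StatusCode -eq 0 -and $result.TrustedDC)
    $result
}

function Get-SecureChannelReport {
    param([Parameter(Mandatory)][hashtable]$QueryOutput)   # server name -> nltest text
    foreach ($server in $QueryOutput.Keys) {
        ConvertFrom-NltestScQuery -Server $server -Text $QueryOutput[$server]
    }
}

# Constructed samples (not captured from a real host). 1311 / 0x51f is the Win32 code
# ERROR_NO_LOGON_SERVERS.
$SampleScQuery = @{
    'fourthcoffee-dc-01' = @'
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\fourthcoffee-dc-02.fourthcoffee.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
'@
    'branch-srv-07' = @'
I_NetLogonControl failed: Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
'@
}

Get-SecureChannelReport -QueryOutput $SampleScQuery |
    Sort-Object Healthy |
    Format-Table Server, TrustedDC, StatusCode, StatusName, Healthy -AutoSize
```

Servers listed with Healthy = False are the candidates for a follow-up `nltest /sc_verify:<domain>` run by an administrator.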

↑ Up to command list

ntdsutil

Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.

If you have the AD LDS server role installed but not the AD DS server role, you can use the dsdbutil.exe and dsmgmt.exe command-line tools to perform the same tasks that you can perform with ntdsutil.exe.

For more guidance on using ntdsutil, see Microsoft’s Active Directory Diagnostic Tool page.

For most of the Ntdsutil commands, you only need to type the first few characters of the command name rather than the entire command. For example, you can type either of the following commands to activate an instance for AD DS:

activate instance ntds

ac i ntds

Default ntdsutil syntax

Ntdsutil [activate instance %s | authoritative restore | change service account %s1 %s2 | configurable settings | DS behavior | files | group membership evaluation | Help | ifm | ldap policies | ldap port %d | list instance | local roles | metadata cleanup | partition management | popups on | popups off | quit | roles | security account management | semantic database analysis | set DSRM password | snapshot | SSL port %d]

ntdsutil options

Description

activate instance %s (short form: ac i %s) Sets NTDS or a specific AD LDS instance as the active instance.
authoritative restore (short form: au r) Authoritatively restores the Active Directory database or AD LDS instance. See below for options.
change service account %s1 %s2 Changes the AD LDS service account to user name %s1 and password %s2. Use “NULL” for a blank password. Use * to prompt the user to enter a password.
configurable settings (short form: co s) Manages configurable settings. See below for options.
DS behavior (short form: ds b) Views and modifies AD DS or AD LDS behavior.
files (short form: f) Manages AD DS or AD LDS database files.
group membership evaluation (short form: g m e) Evaluates security IDs (SIDs) in the token for a given user or group.
help Shows help information.
ifm (short form: i) Creates installation media for writable (full) and read-only domain controllers (RODCs) and instances of AD LDS.
LDAP policies Manages Lightweight Directory Access Protocol (LDAP) protocol policies.
LDAP port %d Configures an LDAP port for an AD LDS instance.
list instances (short form: li i) Lists all AD LDS instances that are installed on a computer.
local roles (short form: lo r) Manages local administrative roles on an RODC.
metadata cleanup (short form: m c) Cleans up objects of decommissioned servers.
partition management (short form: pa m) Manages directory partitions.
popups off (short form: po off) Disables popups.
popups on (short form: po on) Enables popups.
quit (short form: q) Quits the command.
roles (short form: r) Transfers and seizes operations master roles.
security account management (short form: sec a m) Manages SIDs.
semantic database analysis (short form: sem d a) Verifies integrity of AD DS or AD LDS database files with respect to Active Directory semantics.
set DSRM password (short form: set d p) Resets the Directory Services Restore Mode (DSRM) administrator password.
snapshot (short form: sn) Manages snapshots of the volumes that contain the Active Directory database and log files.
SSL port %d Configures a Secure Sockets Layer (SSL) port for an AD LDS instance.


↑ Up to command list

ntdsutil authoritative restore

Restores domain controllers to a specific point in time, and marks objects in Active Directory as being authoritative with respect to their replication partners. Before you can run the authoritative restore subcommand, you need to set NTDS or an AD LDS instance as the active instance for ntdsutil. For example, if the AD LDS instance that you want to restore is named instance 1, type the following command at the ntdsutil: prompt before you run the authoritative restore subcommand, and then press ENTER:

ac in instance 1

Default ‘ntdsutil authoritative restore’ syntax

{create ldif file(s) from %s | list nc crs | restore object %s | restore object %s verinc %d | restore subtree %s | restore subtree %s verinc %d}

‘ntdsutil authoritative restore’ options

Description

authoritative restore: create ldif file(s) from %s This option creates an LDIF file of link updates from the Ntdsutil-generated text file that is named in %s. This file can be used to update back-links on objects in a domain other than the domain of the restored object. For example, this file can be used to restore group membership for a user where the group belongs to a different domain than the user.
authoritative restore: %d A numeric value that overrides the default value of 100,000. The version number of the object or database being authoritatively restored will be increased by this value times the number of days since backup.
authoritative restore: List NC CRs Lists partitions and cross-references. You need the cross-reference of an application directory partition to restore it.
authoritative restore: Help Displays Help at the command prompt.
authoritative restore: quit Takes you back to the previous menu, or exits the utility.
authoritative restore: restore object %s Marks object %s as being authoritative. This option also generates a text file that contains the distinguished name of the restored object and an LDIF file that can be used to restore back-links for objects that are being authoritatively restored (such as group memberships of users).
authoritative restore: restore object %s verinc %d Marks object %s as being authoritative and updates links as described in restore object %s; also increments the version number by %d times the number of days since backup. Use this option only to authoritatively restore over a previous, incorrect authoritative restore, such as an authoritative restore from a backup that contains the problem that you want to restore.
authoritative restore: restore subtree %s Marks subtree %s (and all children of the subtree) as being authoritative. This option also generates a text file that contains the distinguished names of the restored objects and an LDIF file that can be used to restore back-links for objects that are being authoritatively restored (such as group memberships of users).
authoritative restore: restore subtree %s verinc %d Marks subtree %s (and all children of the subtree) as being authoritative and updates links as described in restore subtree %s; also increments the version number by %d times the number of days since backup. Use this option only to authoritatively restore over a previous, incorrect authoritative restore, such as an authoritative restore from a backup that contains the problem that you want to restore.
authoritative restore: %s An alphanumeric variable, either a distinguished name for a restored object or subtree, or a file name for a text file that is used to create an LDIF file.
authoritative restore: Toggle recycled objects flag Sets the flag to allow undeletion or authoritative restore of recycled objects. This is not recommended and can result in lost linked values after undeletion or authoritative restore.
authoritative restore: ? Displays Help at the command prompt.


↑ Up to command list

‘ntdsutil authoritative restore’ examples

List the directory partitions on a domain controller and their cross-references:

authoritative restore: list nc crs

ntdsutil configurable settings

Aids in modifying the time to live (TTL) of dynamic data that is stored in Active Directory Domain Services (AD DS). At the configurable setting: prompt, type any of the parameters listed under Syntax. Before you can run other configurable settings subcommand parameters, you need to connect to a specific AD DS or AD LDS instance by using the connections parameter.

Default ‘ntdsutil configurable settings’ syntax

connections

{cancel changes | commit changes} {list | set %s1 to %s2 | show values}

‘ntdsutil configurable settings’ options

Description

configurable setting: cancel changes Cancels the changes that are made but not yet committed.
configurable setting: commit changes Commits the changes made to the server.
configurable setting: connections Invokes the server connections submenu. See “Remarks” later in this topic for more information.
configurable setting: Help Displays Help at the command prompt.
configurable setting: list Lists the names of the supported configurable settings.
configurable setting: %sN An alphanumeric variable, such as a domain or domain controller name.
configurable setting: quit Takes you back to the previous menu, or exits the utility.
configurable setting: set %s1 to %s2 Sets the configurable settings %s1 to the value %s2.
configurable setting: show values Displays values of configurable settings.
configurable setting: ? Displays Help at the command prompt.

‘ntdsutil configurable settings’ examples

Change the value of a configurable setting named DynamicObjectDefaultTTL to 172800 seconds (two days):

Configurable setting: set DynamicObjectDefaultTTL to 172800

Show the current values of configurable settings:

Configurable setting: show values

ntdsutil DS behavior

Manages password operations over unsecured connections. You can allow or deny password operations over unsecured connections and list the current setting. Before you can run the DS behavior subcommand, you need to connect to a specific AD DS or AD LDS instance by using the connections parameter.

Default ‘ntdsutil DS behavior’ syntax

connections

[{allow passwd op on unsecured connection | deny passwd op on unsecured connection | list current ds-behavior}]

‘ntdsutil DS behavior’ options

Description

AD DS/LDS behavior: allow passwd op on unsecured connection Modifies AD DS or AD LDS behavior to allow password operations over an unsecured connection.
AD DS/LDS behavior: connections Invokes the server connections submenu.
AD DS/LDS behavior: deny passwd op on unsecured connection Modifies AD DS or AD LDS behavior to deny password operations over an unsecured connection.
AD DS/LDS behavior: Help Displays Help at the command prompt.
AD DS/LDS behavior: list current ds-behavior Lists current behavior for the AD DS or AD LDS instance.
AD DS/LDS behavior: quit Takes you back to the previous menu, or exits the utility.
AD DS/LDS behavior: ? Displays Help at the command prompt.

‘ntdsutil DS behavior’ examples

Allow password operations over secured connections only:

AD DS/LDS behavior: deny passwd op on unsecured connection

ntdsutil files

Provides commands for managing the directory service data and log files. The data file is called Ntds.dit. At the file maintenance: prompt, type any of the parameters listed in the syntax below.

Default ‘ntdsutil files’ syntax

[checkpoint] [checksum] [compact to %s] [dump page %d] [header] [info] [integrity] [logfile %s] [metadata] [move DB to %s] [move logs to %s] [recover] [set backup exclusion key] [set default folder security] [set path backup %s] [set path db %s] [set path logs %s] [set path working dir %s] [space usage]

‘ntdsutil files’ options

Description

file maintenance: checkpoint Dumps the Jet database checkpoint file (edb.chk). This option is intended for use only by support personnel.
file maintenance: checksum Performs Jet database physical integrity check.
file maintenance: compact to %s (where %s identifies an empty target directory) Invokes esentutl.exe to compact the existing data file and writes the compacted file to the specified directory. The directory can be remote, that is, mapped by means of the net use command or similar means. After compaction is complete, archive the old data file and move the newly compacted file back to the original location of the data file. ESENT supports online compaction, but this compaction only rearranges pages within the data file and does not release space back to the file system. (The directory service invokes online compaction regularly.)
file maintenance: dump page %d Dumps the Jet database page number specified as %d. This option is intended for use only by support personnel.
file maintenance: header Writes the header of the Ntds.dit data file to the screen. This command can help support personnel analyze database problems.
file maintenance: Help Shows the help message at the command prompt.
file maintenance: info Analyzes and reports the free space for the disks that are installed in the system, reads the registry, and then reports the sizes of the data and log files (the directory service maintains the registry, which identifies the location of the data files, log files, and directory service working directory.)
file maintenance: integrity Invokes Esentutl.exe to perform an integrity check on the data file, which can detect low-level database corruption. It reads every byte of your data file; thus it can take a long time to process large databases. Note that you should always run recover before performing an integrity check.
file maintenance: logfile %s Dumps the Jet log file %s, where %s can be the absolute path or just the log file name in the Logs folder. This option is intended for use only by support personnel.
file maintenance: metadata Dumps the Jet database metadata. This option is intended for use only by support personnel.
file maintenance: move DB to %s (where %s identifies a target directory) Moves the Ntds.dit data file to the new directory specified by %s and updates the registry so that, upon service restart, the directory service uses the new location.
file maintenance: move logs to %s (where %s identifies a target directory) Moves the directory service log files to the new directory specified by %s, and updates the registry so that, upon service restart, the directory service uses the new location.
file maintenance: quit Takes you back to the previous menu or exits the utility.
file maintenance: recover Invokes Esentutl.exe to perform a soft recovery of the database. Soft recovery scans the log files and ensures all committed transactions therein are also reflected in the data file. Logs are used to ensure committed transactions are not lost if your system fails or if you have unexpected power loss. In essence, transaction data is written first to a log file and then to the data file. When you restart after failure, you can rerun the log to reproduce the transactions that were committed but hadn’t made it to the data file.
file maintenance: set backup exclusion key Sets the backup exclusion key for the AD DS or AD LDS instance. This option is intended for use only by support personnel.
file maintenance: set default folder security Resets security on the NTDS folder to default values.
file maintenance: set path backup %s (where %s identifies a target directory) Sets the disk-to-disk backup target to the directory specified by %s. The directory service can be configured to perform an online, disk-to-disk backup at scheduled intervals.
file maintenance: set path db %s (where %s identifies a target directory) Updates the part of the registry that identifies the location and file name of the data file. Use this command only to rebuild a domain controller that has lost its data file and that is not being restored by means of normal restoration procedures.
file maintenance: set path logs %s (where %s identifies a target directory) Updates the part of the registry that identifies the location of the log files. Use this command only if you are rebuilding a domain controller that has lost its log files and is not being restored by means of normal restoration procedures.
file maintenance: set path working dir %s (where %s identifies a target directory) Sets the part of the registry that identifies the directory service’s working directory to the directory specified by %s.
file maintenance: space usage Dumps the Jet database space usage.
file maintenance: ? Shows the help message at the command prompt.

‘ntdsutil files’ examples

Perform a Jet database physical integrity check:

file maintenance: checksum

Compact the Active Directory database and write the compacted file to a folder named C:\Windows\NTDS_Old:

file maintenance: compact to C:\Windows\NTDS_Old
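As an added example (not code from the original post), the following PowerShell script carries out the compaction workflow this section describes end to end: recover, then integrity, then compact to an empty folder, then archive the old data file and move the compacted copy back. It assumes an elevated session on the domain controller itself, that AD DS can be stopped, and a target folder C:\NTDS_Compact.

```powershell
# Added example, not code from the original post. Scripted offline compaction of
# Ntds.dit in the order the reference gives: recover -> integrity -> compact to an
# EMPTY folder -> archive old file -> move compacted file back. Assumptions: run
# elevated on the DC; target folder C:\NTDS_Compact; the registry value names are
# the ones the directory service maintains for its file locations.
$ErrorActionPreference = 'Stop'
$target = 'C:\NTDS_Compact'

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$params  = Get-ItemProperty -Path $ntdsKey
$dbPath  = $params.'DSA Database file'          # usually C:\Windows\NTDS\ntds.dit
$logDir  = $params.'Database log files path'    # usually C:\Windows\NTDS
$archive = '{0}.{1:yyyyMMddHHmmss}.bak' -f $dbPath, (Get-Date)

# 'compact to' requires an empty target directory.
if (-not (Test-Path -LiteralPath $target)) {
    New-Item -ItemType Directory -Path $target | Out-Null
} elseif (Get-ChildItem -LiteralPath $target -Force | Select-Object -First 1) {
    throw "Target folder $target must be empty."
}

function Invoke-Ntdsutil {
    # ntdsutil takes its menu commands as quoted command-line arguments and walks
    # the menus in order; 'quit' twice returns to the shell. Its exit code is not
    # a reliable success signal, so callers inspect the captured output text.
    param([string[]]$Commands)
    & ntdsutil.exe @Commands | ForEach-Object { "$_" }
}

# AD DS must be stopped for file maintenance (restartable AD DS, Server 2008+).
Stop-Service -Name NTDS -Force
try {
    # The reference says to always run 'recover' before 'integrity'.
    $out = Invoke-Ntdsutil @('activate instance ntds', 'files', 'recover', 'integrity',
                             "compact to $target", 'quit', 'quit')
    $out | Write-Host
    if (-not ($out -match 'Integrity check successful')) {
        throw 'Integrity check did not report success; database left untouched.'
    }
    $compacted = Join-Path $target 'ntds.dit'
    if (-not (Test-Path -LiteralPath $compacted)) {
        throw "Compaction produced no file at $compacted; database left untouched."
    }

    # Archive the old database and move the compacted copy into its place.
    Move-Item -LiteralPath $dbPath -Destination $archive
    Move-Item -LiteralPath $compacted -Destination $dbPath

    # ntdsutil's own post-compaction instructions also call for deleting the old
    # transaction logs, which belong to the pre-compaction database.
    Get-ChildItem -LiteralPath $logDir -Filter '*.log' | Remove-Item

    # Verify the file that will actually be served before restarting AD DS.
    $check = Invoke-Ntdsutil @('activate instance ntds', 'files', 'integrity', 'quit', 'quit')
    if (-not ($check -match 'Integrity check successful')) {
        throw "Post-compaction integrity check failed; archived copy is at $archive."
    }
}
finally {
    Start-Service -Name NTDS
}
```

If either integrity check fails the script leaves the archived copy in place so the original database can be restored by moving it back before AD DS is restarted.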

ntdsutil group membership evaluation

Generates a report with information about group memberships for a user. Active Directory environments that contain complex group structures can encounter problems with access token limitation during authentication. This problem can result in the inability of a user to log on or access resources. By analyzing the results of the report, you can identify the source of the problem.

Default ‘ntdsutil group membership evaluation’ syntax

[clear credentials] [run %s1 %s2] [set account dc %s] [set credentials %s1 %s2 %s3] [set global catalog %s] [set resource dc %s] [verbose %s]

‘ntdsutil group membership evaluation’ options

Description

group membership evaluation: clear credentials Clears credentials that were used for a prior connection.
group membership evaluation: Help Displays Help at the command prompt.
group membership evaluation: quit Takes you back to the previous menu, or exits the utility.
group membership evaluation: run %s1 %s2 Runs token evaluation for the principal %s2 in domain %s1.
group membership evaluation: set account dc %s Specifies the domain controller used in the account domain. The account domain is the domain that includes the user account. If you do not specify a domain controller, the tool automatically locates one.
group membership evaluation: set credentials %s1 %s2 %s3 Sets connection credentials as domain %s1, user %s2, and password %s3.
group membership evaluation: set global catalog %s Specifies which global catalog server to use. If you do not specify a global catalog, ntdsutil.exe automatically locates one.
group membership evaluation: set resource dc %s Specifies the domain controller used in the resource domain. Use this parameter only if the user and computer on which the logon is being attempted are in different domains. If the user and computer belong to different domains, the resource groups of the computer must also be enumerated.
group membership evaluation: verbose %s Turns verbose mode on or off.
group membership evaluation: ? Displays Help at the command prompt.

‘ntdsutil group membership evaluation’ examples

To evaluate the group memberships for a user with SAM Account Name ‘ToniPoe’ in a domain named corp.cpandl.com:

  1. At the ntdsutil: prompt, type group membership evaluation, and then press ENTER.
  2. Type set account dc <dcname>, where <dcname> is the actual name of a domain controller in your domain that you want to use to obtain the account's global group memberships, and then press ENTER.
  3. Type set global catalog <gcname>, where <gcname> is the actual name of a domain controller in your domain acting as a global catalog server that you want to use to obtain the account's universal group memberships, and then press ENTER.
  4. Type set resource dc <dcname>, where <dcname> is the actual name of a domain controller in your domain that you want to use to obtain the account's local group memberships, and then press ENTER.
  5. Type run corp.cpandl.com tonipoe, and then press ENTER.
  6. Ntdsutil outputs a tab-separated-value file (.tsv) with a specific name. That file is located in the folder from which you started Ntdsutil. The file name is reported by Ntdsutil. To access the file, type quit, and then press ENTER twice.
  7. Type dir *.tsv to see a list of the tab-separated-value files in the current folder.
  8. You can open the file in a spreadsheet program or a text file viewer. For example, to open a file named tonipoe-20090514203117.tsv in Notepad, type notepad tonipoe-20090514203117.tsv, and then press ENTER.

ntdsutil ifm

Creates installation media for writable (full) domain controllers, read-only domain controllers (RODCs), and instances of Active Directory Lightweight Directory Services (AD LDS). Before you run ifm, you must set an active instance of a directory that ntdsutil is to use. You can either specify “ntds” to set AD DS as the active instance or you can specify the name of an AD LDS instance.

You can run the ifm subcommand on a writable domain controller to create installation media for an RODC. Ntdsutil removes any cached secrets, such as passwords, from RODC installation media. You can also create installation media for an RODC by running the ifm subcommand on another RODC in that domain. However, to generate installation media for a writable domain controller, you must use another writable domain controller as the source of the installation media.

You cannot run the ifm subcommand on a domain controller that runs Windows Server 2003. You cannot use a domain controller that runs Windows Server 2003 to create installation media for a domain controller that runs Windows Server 2008, or the reverse.

Default ‘ntdsutil ifm’ syntax

ifm {create full %s | create rodc %s | create sysvol full %s | create sysvol rodc %s} [quit]

‘ntdsutil ifm’ options

Description

ifm: create full %s Creates installation media for a writable Active Directory domain controller or an AD LDS instance in the %s folder. You can specify only this parameter for an AD LDS instance.
ifm: create rodc %s Creates installation media for an RODC in the %s folder. You can use this command only with AD DS.
ifm: create sysvol full %s Creates installation media for a writable domain controller with SYSVOL in the %s folder. In order for the additional domain controller to use the SYSVOL folder on the IFM media as a replication source during the installation, you must run this command on a domain controller that runs Windows Server 2008 with SP2 or later or Windows Server 2008 R2.
ifm: create sysvol rodc %s Creates installation media for an RODC with SYSVOL in the %s folder. In order for the additional domain controller to use the SYSVOL folder on the IFM media as a replication source during the installation, you must run this command on a domain controller that runs Windows Server 2008 with SP2 or later or Windows Server 2008 R2.
ifm: Help Shows the help message at the command prompt.
ifm: quit Returns to the prior menu.
ifm: ? Shows the help message at the command prompt.

‘ntdsutil ifm’ examples

Create RODC installation in a folder named ‘Installation Media’ on drive C:

create rodc "C:\Installation Media"

Create writable domain controller installation media in a folder named ‘InstallationMedia’ on drive C:

create full C:\InstallationMedia

ntdsutil LDAP policies

Sets the Lightweight Directory Access Protocol (LDAP) administration limits for the Default-Query Policy object. At the LDAP policy: prompt, type any of the parameters listed in the syntax below.

Default ‘ntdsutil LDAP policies’ syntax

connections

{cancel changes | commit changes} {list | set %s1 to %s2 | show values}

‘ntdsutil LDAP policies’ options

Description

LDAP policy: cancel changes Cancels any uncommitted modifications of the LDAP administration limits to the default query policy.
LDAP policy: commit changes Commits all modifications of the LDAP administration limits to the default query policy.
LDAP policy: connections Invokes the Server connections submenu.
LDAP policy: Help Displays help at the command prompt.
LDAP policy: list Lists all supported LDAP administration limits for the domain controller.
LDAP policy: quit Takes you back to the previous menu, or exits the utility.
LDAP policy: set %s1 to %s2 Sets the value of the LDAP administration limit %s1 to the value %s2. The following administration limits are supported (default values are noted in parentheses).

InitRecvTimeout

Initial receive time-out (120 seconds).

MaxConnections

Maximum number of open connections (5000).

MaxConnIdleTime

Maximum amount of time a connection can be idle (900 seconds).

MaxNotificationPerConnection

Maximum number of notifications that a client can request for a given connection (5).

MaxPageSize

Maximum page size supported for LDAP responses (1000 records).

MaxQueryDuration

Maximum length of time the domain controller can execute a query (120 seconds).

MaxTempTableSize

Maximum size of temporary storage allocated to execute queries (10,000 records).

MaxResultSetSize

Maximum size of the LDAP Result Set (262144 bytes).

MaxPoolThreads

Maximum number of threads created by the domain controller for query execution (4 per processor).

MaxDatagramRecv

Maximum number of datagrams that can be processed by the domain controller simultaneously (1024).

MaxReceiveBuffer

The maximum size, in bytes, of a request that the server will accept (10,485,760 bytes).

MaxValRange

The maximum number of values that can be retrieved from a multivalued attribute in a single search request (1500 values). This policy is available only in Windows Server 2003 and Windows Server 2008.

LDAP policy: show values Shows the current and proposed values for the LDAP administration limits.
LDAP policy: ? Displays help at the command prompt.

‘ntdsutil LDAP policies’ examples

Show the current ldap policy values:

ldap policy: show values
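As an added example (not code from the original post), this read-only PowerShell script reads the lDAPAdminLimits attribute of the forest's Default Query Policy object directly over ADSI and compares each limit with the default values listed in the table above, so a reviewer can spot limits that have been raised or lowered. The Default Query Policy distinguished name under the Configuration partition and the "Name=Value" form of the attribute values are assumptions from the ADSI schema, not from the text.

```powershell
# Added example, not code from the original post. Audits the Default Query Policy
# against the default LDAP administration limits in the table above. Assumptions:
# lDAPAdminLimits is multi-valued with "Name=Value" strings; the policy lives at
# CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,
# CN=Services,<configurationNamingContext>. Read-only; needs read access to the
# Configuration partition.
$referenceDefaults = [ordered]@{
    InitRecvTimeout              = 120
    MaxConnections               = 5000
    MaxConnIdleTime              = 900
    MaxNotificationPerConnection = 5
    MaxPageSize                  = 1000
    MaxQueryDuration             = 120
    MaxTempTableSize             = 10000
    MaxResultSetSize             = 262144
    MaxPoolThreads               = 4          # per processor
    MaxDatagramRecv              = 1024
    MaxReceiveBuffer             = 10485760
    MaxValRange                  = 1500
}

function Get-DefaultQueryPolicyLimits {
    # Returns a hashtable of the limits the policy object sets explicitly.
    # Limits that are absent from the attribute run at their built-in defaults.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $policyDn = 'CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,' +
                "CN=Windows NT,CN=Services,$configNc"
    $policy   = [ADSI]"LDAP://$policyDn"
    $limits   = @{}
    foreach ($entry in @($policy.lDAPAdminLimits)) {
        $name, $value = [string]$entry -split '=', 2
        $limits[$name] = [int64]$value
    }
    return $limits
}

function Get-LimitStatus {
    param([int64]$Current, [int64]$Reference)
    if ($Current -eq $Reference) { return 'default' }
    if ($Current -gt $Reference) { return 'RAISED' }
    return 'LOWERED'
}

function Compare-LdapPolicy {
    param([hashtable]$Current, [System.Collections.IDictionary]$Reference)
    foreach ($name in $Reference.Keys) {
        if ($Current.ContainsKey($name)) {
            $value  = $Current[$name]
            $status = Get-LimitStatus -Current $value -Reference $Reference[$name]
        } else {
            $value  = $Reference[$name]
            $status = 'default (not set explicitly)'
        }
        [pscustomobject]@{ Limit = $name; Reference = $Reference[$name]; Current = $value; Status = $status }
    }
    # Limits the policy sets that the reference table does not list.
    foreach ($name in ($Current.Keys | Where-Object { -not $Reference.Contains($_) })) {
        [pscustomobject]@{ Limit = $name; Reference = $null; Current = $Current[$name]; Status = 'not in reference table' }
    }
}

Compare-LdapPolicy -Current (Get-DefaultQueryPolicyLimits) -Reference $referenceDefaults |
    Format-Table -AutoSize
```

Limits reported as RAISED (for example MaxPageSize or MaxReceiveBuffer) increase the work a single client can impose on a domain controller, so each deviation should have a documented reason.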

ntdsutil local roles

Manages Administrator Role Separation for a read-only domain controller (RODC). Administrator role separation provides a nonadministrative user with the permissions to install and administer an RODC, without granting that user permissions to do any other type of domain administration. You can use this subcommand only with the AD DS server role because AD LDS does not include RODCs.

Default ‘ntdsutil local roles’ syntax

connections

{add %s1 %s2 | remove %s1 %s2} [list roles] [show roles]

‘ntdsutil local roles’ options

Description

local roles: add %s1 %s2 Adds an account %s1 to the local role %s2.
local roles: connections Invokes the server connections submenu.
local roles: Help Displays help at the command prompt.
local roles: list roles List defined local roles. These roles correspond to the various Built-in groups, such as Administrators, Backup Operators, Server Operators, and so on. Each RODC stores in its registry a list of accounts that should be considered members of those groups (roles) on that RODC. This list of accounts supplements any members of those groups stored in the directory. For example, suppose the BUILTIN\Administrators group stored in the directory contains a single member, the Domain Admins group. Suppose also that on a particular RODC, fabrikam\MikeDan is listed in the Administrators local role. Then on that RODC, both MikeDan and anyone in the Domain Admins group are considered to be Administrators.
local roles: quit Takes you back to the previous menu, or exits the utility.
local roles: remove %s1 %s2 Removes an account %s1 from the local role %s2.
local roles: show roles Shows local role members.
local roles: ? Displays help at the command prompt.

‘ntdsutil local roles’ examples

Add a user account named ‘MikeDan’ from the Woodgrovebank domain to the administrators local role on an RODC:

add Woodgrovebank\MikeDan administrators

ntdsutil metadata cleanup

Cleans up metadata for failed domain controllers. When a failed domain controller stores the only copy of one or more domains or application directory partitions (also called “naming contexts”), metadata cleanup can also be used to clean up metadata for selected domains or application directory partitions. In this version of Ntdsutil.exe, metadata cleanup also removes File Replication Service (FRS) connections and attempts to transfer or seize any operations master roles (also known as flexible single master operations or FSMO roles) that the retired domain controller holds.

Do not delete the metadata of existing domains and domain controllers.

At the metadata cleanup: prompt, type any of the parameters listed in the syntax below.

Default ‘ntdsutil metadata cleanup’ syntax

connections

[select operation target] {remove selected domain | remove selected naming context | remove selected server | remove selected server %s | remove selected server %s1 on %s2}

‘ntdsutil metadata cleanup’ options

Description

metadata cleanup: connections Invokes the Server connections submenu.
metadata cleanup: Help Displays help at the command prompt.
metadata cleanup: remove selected domain Removes the metadata associated with the domain that is selected in the Select operation target submenu.
metadata cleanup: remove selected naming context Removes the metadata associated with the Naming Context that is selected in the Select operation target submenu.
metadata cleanup: remove selected server Removes the metadata associated with the domain controller that is selected in the Select operation target submenu. This parameter also removes FRS metadata and tries to transfer or seize operations master roles.
metadata cleanup: remove selected server %s Removes directory and FRS metadata for the disabled server %s from the directory on localhost, and attempts to transfer or seize any operations master roles that are held by server %s to localhost. This parameter also removes FRS metadata and tries to transfer or seize operations master roles.
metadata cleanup: remove selected server %s1 on %s2 Connects to server %s2, removes directory and FRS metadata for server %s1 from the directory on server %s2, and attempts to transfer or seize any operations master roles held by server %s1 to server %s2. This parameter also removes FRS metadata and tries to transfer or seize operations master roles.
metadata cleanup: quit Takes you back to the previous menu, or exits the utility.
metadata cleanup: select operation target Invokes the Select operation target submenu.
metadata cleanup: ? Displays help at the command prompt.

‘ntdsutil metadata cleanup’ examples

Remove metadata for a server named RODC1:

metadata cleanup: remove selected server RODC1

ntdsutil partition management

Manages directory partitions for Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).

Default ‘ntdsutil partition management’ syntax

connections

[select operation target] [add nc replica %s1 %s2] [create nc %s1 %s2] [create nc %s1 %s2 %s3] [delete nc %s] [list] [list nc information %s] [list nc replicas %s] [precreate %s1 %s2] [remove nc replica %s1 %s2] [set nc reference domain %s1 %s2] [set nc replication notification delay %s %d1 %d2]

‘ntdsutil partition management’ options

Description

partition management: add nc replica %s1 %s2 Adds the Active Directory domain controller or AD LDS instance with full Domain Name System (DNS) name %s2 to the replica set for the application directory partition with distinguished name %s1. If you specify “NULL” for %s2, then this command uses the currently connected Active Directory domain controller or AD LDS instance.
partition management: connections Invokes the server connections submenu.
partition management: create nc %s1 %s2 Creates the application directory partition with distinguished name %s1, on the Active Directory domain controller or AD LDS instance with full DNS name %s2. If you specify “NULL” for %s2, this command uses the currently connected Active Directory domain controller. Use this command only with AD DS. For AD LDS, use create nc %s1 %s2 %s3.
partition management: create nc %s1 %s2 %s3 Creates the AD LDS application directory partition with distinguished name %s1 of object class %s2 on a computer named %s3. You should annotate the %s3 value with the Lightweight Directory Access Protocol (LDAP) port number. For example, type adam1.fabrikam.com:389. If you specify “NULL” for %s3, this command uses the currently connected AD LDS instance.
partition management: delete nc %s Completely removes the application directory partition or precreated cross-reference with distinguished name %s from AD DS or AD LDS.
partition management: Help Displays help at the command prompt.
partition management: list Lists known naming contexts.
partition management: list nc information %s Shows the reference domain and replication delays for the application directory partition with distinguished name %s.
partition management: list nc replicas %s Shows the list of Active Directory domain controllers or AD LDS instances in the replica set for the application directory partition with distinguished name %s.
partition management: precreate %s1 %s2 Precreates a cross-reference object for the domain or application directory partition with distinguished name %s1, allowing a server with DNS name %s2 to be promoted as an Active Directory domain controller for the domain or to create the application directory partition. This can also be used to precreate cross-reference objects for application directory partitions for AD LDS. For AD LDS, %s2 should be hostname:ldapPort:ldapSslPort, such as adam1.fabrikam.com:389:636.
partition management: quit Takes you back to the previous menu, or exits the utility.
partition management: remove nc replica %s1 %s2 Deletes the AD DS or AD LDS instance with DNS name %s2 from the replica set of the application directory partition with distinguished name %s1. If you specify “NULL” for %s2, this command uses the currently connected Active Directory domain controller or AD LDS instance.
partition management: select operation target Invokes the Select operation target submenu.
partition management: set nc reference domain %s1 %s2 Sets the reference domain of application directory partition with distinguished name %s1 to domain with distinguished name %s2.
partition management: set nc replication notification delay %s %d1 %d2 Sets the notification delays of directory partition with distinguished name %s to %d1 and %d2 seconds, where %d1 is the delay between notifying the first Active Directory domain controller or AD LDS instance of changes and %d2 is the delay of notifying subsequent Active Directory domain controllers or AD LDS instances of changes. If you specify -1 in either %d1 or %d2, this command will not modify the corresponding delay (in case you are trying to modify only one delay). If you specify any other negative number, the command will delete the delay. Delays are always set on the naming master.
partition management: ? Displays help at the command prompt.

‘ntdsutil partition management’ examples

Create an application directory partition named AppPartition in the woodgrovebank.com domain:

  1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click ‘Run as administrator’.
  2. Type: ntdsutil
  3. Type: Ac in ntds
  4. Type: partition management
  5. Type: connections
  6. Type: Connect to server DC_Name
  7. Type: quit
  8. Type: list
  9. The following partitions will be listed:

     0 CN=Configuration,DC=Woodgrovebank,DC=com
     1 DC=Woodgrovebank,DC=com
     2 CN=Schema,CN=Configuration,DC=Woodgrovebank,DC=com
     3 DC=DomainDnsZones,DC=Woodgrovebank,DC=com
     4 DC=ForestDnsZones,DC=Woodgrovebank,DC=com

  10. At the partition management prompt, type: create nc dc=AppPartition,dc=woodgrovebank,dc=com ConDc1.woodgrovebank.com
  11. Run the list command again to refresh the list of partitions.

ntdsutil roles

Seizes and transfers operations master roles (also known as flexible single master operations or FSMO roles). At the roles: prompt, type any of the parameters listed in the syntax below.

Do not make a server an operations master role owner by means of seizure commands if the real role holder exists on the network. Doing this can create irreconcilable conflicts for key system data. If an operations master role owner is temporarily unavailable, do not make another domain controller the role owner. This can result in a situation in which two computers function as the role owner, which might cause irreconcilable conflicts for key system data.

Default ‘ntdsutil roles’ syntax

connections

[select operation target] [{seize naming master | seize infrastructure master | seize PDC | seize RID master | seize schema master}] [{transfer naming master | transfer infrastructure master | transfer PDC | transfer RID master | transfer schema master}]

‘ntdsutil roles’ options

Description

fsmo maintenance: connections Invokes the Server connections submenu.
fsmo maintenance: Help Displays help at the command prompt.
fsmo maintenance: quit Takes you back to the previous menu, or exits the utility.
fsmo maintenance: seize naming master Forces the domain controller to which you are connected to claim ownership of the domain naming master operations master role without regard to the data associated with the role. Use only for recovery purposes.
fsmo maintenance: seize infrastructure master Forces the domain controller to which you are connected to claim ownership of the infrastructure operations master role without regard to the data associated with the role. Use only for recovery purposes.
fsmo maintenance: seize PDC Forces the domain controller to which you are connected to claim ownership of the primary domain controller (PDC) emulator operations master role without regard to the data associated with the role. Use only for recovery purposes.
fsmo maintenance: seize RID master Forces the domain controller to which you are connected to claim ownership of the relative ID (RID) operations master role without regard to the data associated with the role. Use only for recovery purposes.
fsmo maintenance: seize schema master Forces the domain controller to which you are connected to claim ownership of the schema operations master role without regard to the data associated with the role. Use only for recovery purposes.
fsmo maintenance: transfer naming master Instructs the domain controller to which you are connected to obtain the domain naming master role by means of controlled transfer.
fsmo maintenance: transfer infrastructure master Instructs the domain controller to which you are connected to obtain the infrastructure operations master role by means of controlled transfer.
fsmo maintenance: transfer PDC Instructs the domain controller to which you are connected to obtain the PDC emulator operations master role by means of controlled transfer.
fsmo maintenance: transfer RID master Instructs the domain controller to which you are connected to obtain the RID operations master role by means of controlled transfer.
fsmo maintenance: transfer schema master Instructs the domain controller to which you are connected to obtain the schema operations master role by means of controlled transfer.
fsmo maintenance: ? Displays help at the command prompt.

‘ntdsutil roles’ examples

Transfer the PDC emulator master role to the domain controller that you are currently connected to:

fsmo maintenance: transfer PDC
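The warning above is that a role must never be seized while its real holder is still on the network. As an added example (not code from the original post), this read-only PowerShell script lists the current holder of each of the five operations master roles and tests whether that holder still answers on the LDAP port, so the decision between transfer and seize rests on evidence. It assumes the ActiveDirectory module (RSAT) is installed and uses TCP port 389 as the reachability probe.

```powershell
# Added example, not code from the original post. Pre-check before any 'seize'
# command: enumerate FSMO role holders and test LDAP (TCP 389) reachability of
# each. Assumptions: ActiveDirectory module available; port 389 reachable from
# the admin workstation when a DC is healthy. Read-only.
Import-Module ActiveDirectory

function Test-LdapPort {
    # TCP connect test with a timeout; returns $true when the port accepts.
    param([string]$ComputerName, [int]$Port = 389, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-FsmoRoleStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
    $roles  = [ordered]@{
        'Schema master'         = $forest.SchemaMaster
        'Domain naming master'  = $forest.DomainNamingMaster
        'PDC emulator'          = $dom.PDCEmulator
        'RID master'            = $dom.RIDMaster
        'Infrastructure master' = $dom.InfrastructureMaster
    }
    foreach ($role in $roles.Keys) {
        $holder    = $roles[$role]
        $reachable = Test-LdapPort -ComputerName $holder
        if ($reachable) {
            $advice = 'holder online: use transfer, do not seize'
        } else {
            $advice = 'holder unreachable: confirm it is permanently gone before seize'
        }
        [pscustomobject]@{
            Role          = $role
            Holder        = $holder
            LdapReachable = $reachable
            Advice        = $advice
        }
    }
}

Get-FsmoRoleStatus | Format-Table -AutoSize
```

The role holders shown are those recorded in the replica of the domain controller the cmdlets bind to, which is the same view ntdsutil's select operation target submenu reports.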

ntdsutil security account management

Manages security identifiers (SIDs). At the security account maintenance: prompt, type any of the parameters listed in the syntax below.

Default ‘ntdsutil security account management’ syntax

[{check duplicate SID | cleanup duplicate SID}] [connect to server %s] [log file %s]

‘ntdsutil security account management’ options

Description

security account maintenance: check duplicate SID Checks the Security Accounts Manager (SAM) database for any objects that have duplicate SIDs but does not delete any of the duplicates.
security account maintenance: cleanup duplicate SID Deletes all objects that have duplicate SIDs and logs these entries into the log file.
security account maintenance: connect to server %s Connects to the server, NetBIOS name, or Domain Name System (DNS) host name. You must connect to a specific domain controller before you can check for or clean up duplicate SIDs.
security account maintenance: Help Displays Help at the command prompt.
security account maintenance: log file %s Sets the log file name to %s. If you do not explicitly set a log file name, the default log file name is dupsid.log.
security account maintenance: quit Takes you back to the previous menu, or exits the utility.
security account maintenance: ? Displays Help at the command prompt.

‘ntdsutil security account management’ examples

Connect to a domain controller named DC1:

security account maintenance: connect to server DC1

Check for duplicate SIDs on a domain controller named DC1:

security account maintenance: check duplicate SID

ntdsutil semantic database analysis

Verifies the integrity of Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) database files with respect to Active Directory semantics.

Unlike the file management commands described earlier, which test the integrity of the database with respect to the ESENT database semantics, the semantic analysis analyzes the data with respect to Active Directory semantics. It generates reports on the number of records present, including deleted and phantom records.

Before you can run the semantic database analysis subcommand, you need to set NTDS or an AD LDS instance as the active instance for Ntdsutil. For example, if the AD LDS instance that you want to analyze is named instance1, type the following command at the ntdsutil: prompt before you run the semantic database analysis subcommand:

ac in instance1

You have to stop the AD DS or AD LDS service before you can run the semantic database analysis subcommand. To stop AD DS, click Start, click Server Manager. In the console tree, double-click Configuration, and then click Services. In the details pane, right-click Active Directory Domain Services, and then click Stop.

At the semantic checker: prompt, type any of the parameters that are listed in the syntax below.

Default ‘ntdsutil semantic database analysis’ syntax

[get %d] [{go | go fixup}] [verbose %s] [{check quota | rebuild quota}]

‘ntdsutil semantic database analysis’ options

Description

semantic checker: check quota Integrity-checks the quota-tracking table (object owner quotas). This command checks whether the quota table is correct by trying to open the quota-tracking table and getting column information for each predefined column name.
semantic checker: get %d Retrieves record number %d from the Ntds.dit.
semantic checker: go Starts the semantic analysis of the Ntds.dit or AD LDS instance with no fixup. A report is generated and written to a file named dsdit.dmp.n, in the current directory, where n is an integer that is incremented each time that you carry out the command.
semantic checker: go fixup Starts the semantic checker with fixup.
semantic checker: Help Shows the help message at the command prompt.
semantic checker: quit Takes you back to the previous menu, or exits the utility.
semantic checker: rebuild quota Forces asynchronous rebuild of the quota-tracking table.
semantic checker: ? Shows the help message at the command prompt.

‘ntdsutil semantic database analysis’ examples

Turns on verbose mode logging:

semantic checker: verbose on

Starts the semantic analysis of Ntds.dit with no fixup:

semantic checker: go

ntdsutil set DSRM password

Resets the Directory Services Restore Mode (DSRM) password on a domain controller. At the Reset DSRM Administrator Password: prompt, type any of the parameters listed in the syntax below.

Default ‘ntdsutil set DSRM password’ syntax

Reset Password on server %s

‘ntdsutil set DSRM password’ options

Description

Reset DSRM Administrator Password: Help Displays Help at the command prompt.
Reset DSRM Administrator Password: Reset Password on server %s Prompts for a new DSRM password for a domain controller. Use NULL as the domain controller name to reset the DSRM password on the current server. %s stands for an alphanumeric variable, such as a domain or domain controller name. After you enter this parameter, the Please type password for DS Restore Mode Administrator Account: prompt appears. At this prompt, type the desired new DSRM password.
Reset DSRM Administrator Password: Sync from domain account %s Performs a one-time password synchronization from the specified user account %s in this Active Directory domain to the DSRM administrator account on the local computer. This parameter is available on domain controllers that run Windows Server 2008 R2, or Windows Server 2008 with Service Pack 3 or later, or that have installed hotfix 961320.
Reset DSRM Administrator Password: quit Takes you back to the previous menu, or exits the utility.
Reset DSRM Administrator Password: ? Displays Help at the command prompt.

‘ntdsutil set DSRM password’ examples

Reset the DSRM password on a domain controller named DC2:

Reset DSRM Administrator Password: reset password on server DC2

ntdsutil snapshot

Manages snapshots of the volumes that contain the Active Directory database and log files, which you can view on a domain controller without starting in Directory Services Restore Mode (DSRM). You can also run the snapshot subcommand on an Active Directory Lightweight Directory Services (AD LDS) server. In the command-line tool ntdsutil.exe, you can use the snapshot subcommand to manage the snapshots, but you must use dsamain.exe to expose the snapshot as a Lightweight Directory Access Protocol (LDAP) server.

Before you can run the snapshot subcommand, you must run the activate instance subcommand in ntdsutil to set an active instance. You are not required to run the snapshot subcommand to use dsamain.exe. Instead, you can use a backup of the AD DS or AD LDS database or another domain controller or AD LDS server. Running the snapshot subcommand simply provides convenient data input for dsamain.exe.

Default ‘ntdsutil snapshot’ syntax

activate instance %s [create] [delete %s] [unmount %s] [list all] [list mounted] [mount %s] [quit]

‘ntdsutil snapshot’ options

Description

snapshot: activate instance %s Sets an active instance for the command. You can either specify “ntds” to set AD DS as the active instance or you can specify the name of an AD LDS instance.
snapshot: create Creates a snapshot.
snapshot: delete %s Deletes a snapshot with globally unique identifier (GUID) %s. Use * to delete all snapshots.
snapshot: Help Shows the help message at the command prompt.
snapshot: list all Lists all mounted snapshots. You can run this command to obtain an index number for a mounted snapshot. You can then use the index number, instead of a (GUID), to mount or unmount a snapshot.
snapshot: list mounted Lists mounted snapshots. You can run this command to obtain an index number for a mounted snapshot. You can then use the index number instead of a (GUID) to mount or unmount a snapshot.
snapshot: quit Returns to the prior menu.
snapshot: mount %s Mounts a snapshot with (GUID) %s. You can refer to an index number of any mounted snapshot instead of its GUID.
snapshot: unmount %s Unmounts a snapshot with (GUID) %s. Use * to unmount all mounted snapshots.
snapshot: ? Shows the help message at the command prompt.

‘ntdsutil snapshot’ examples

Set NTDS as the active instance:

ntdsutil: activate instance ntds

Set NTDS as the active instance, using the abbreviated form of the same subcommand:

ntdsutil: ac in ntds

Mount a snapshot by its GUID:

snapshot: mount {8ec8ff74-c0d7-435a-b6b1-54ef185926be}

Unmount the same snapshot:

snapshot: unmount {8ec8ff74-c0d7-435a-b6b1-54ef185926be}

List the mounted snapshots:

snapshot: list mounted

pathping

The pathping command is addressed on the Troubleshooting network connectivity commands page.

repadmin

Repadmin.exe helps administrators diagnose Active Directory replication problems between domain controllers running Microsoft Windows operating systems. You can use Repadmin.exe to view the replication topology, as seen from the perspective of each domain controller. In addition, you can use Repadmin.exe to manually create the replication topology, to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors (UTDVECs). You can also use Repadmin.exe to monitor the relative health of an Active Directory Domain Services (AD DS) forest. During the normal course of operations, there is no need to create the replication topology manually. Incorrect use of repadmin can adversely impact the replication topology. The primary use of repadmin is to monitor replication so that you can identify problems, such as offline servers or an unavailable local area network (LAN) or wide area network (WAN) connection.

To use Repadmin.exe, you must run the command from an elevated command prompt. Repadmin also requires administrative credentials on each domain controller that is targeted by the command. Members of the Domain Admins group have the sufficient permissions to run repadmin on domain controllers in that domain. Members of the Enterprise Admins group are, by default, granted membership in the Domain Admins group in each domain in the forest.

Default repadmin syntax

repadmin <cmd> <args> [/u:{domain\user}] [/pw:{password | *}] [/retry[:<retries>][:<delay>]] [/csv]

repadmin options

Description

repadmin /csv Displays the results of the /showrepl parameter in a comma-separated-value (CSV) format.
repadmin /experthelp Displays commands that are available for advanced users only.
repadmin /help Displays and describes commands that are available.
repadmin /help:<cmd> Displays possible arguments <args>, appropriate syntaxes, and examples for the specified command <cmd>.
repadmin /kcc Forces the Knowledge Consistency Checker (KCC) on targeted domain controllers to immediately recalculate the inbound replication topology.
repadmin /listhelp Displays the variations of syntax that are available for the DSA_NAME, DSA_LIST, NCNAME and OBJ_LIST strings (the DSA_LIST parameter is the same as the DC_LIST parameter in the Windows Server 2003 version of repadmin).
repadmin /oldhelp Displays help for commands in the Windows 2000 Server and Windows Server 2003 versions of Repadmin.exe.
repadmin /prp Specifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).
repadmin /pw Specifies the password for the user name that you enter with the /u parameter.
repadmin /queue Displays inbound replication requests that the domain controller must issue to become consistent with its source replication partners.
repadmin /replicate Triggers the immediate replication of the specified directory partition to a destination domain controller from a source domain controller.
repadmin /replsingleobj Replicates a single object between any two domain controllers that have common directory partitions.
repadmin /replsummary Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report.
repadmin /retry Causes repadmin to retry its attempt to bind to the target domain controller, if the first attempt fails with one of the following errors: Event ID 1722 (0x6ba): “The RPC Server is unavailable” or Event ID 1753 (0x6d9): “There are no more endpoints available from the endpoint mapper”.
repadmin /rodcpwdrepl Triggers replication of passwords for the specified users from the source domain controller to one or more read-only domain controllers. (The source domain controller is typically a hub site domain controller.)
repadmin /showattr Displays the attributes of an object.
repadmin /showobjmeta Displays the replication metadata for a specified object that is stored in AD DS, such as attribute ID, version number, originating and local update sequence numbers (USN), globally unique identifier (GUID) of the originating server, and date and time stamp.
repadmin /showrepl Displays the replication status when the specified domain controller last attempted to perform inbound replication on Active Directory partitions.
repadmin /showutdvec Displays the highest, committed USN that AD DS, on the targeted domain controller, shows as committed for itself and its transitive partners.
repadmin /syncall Synchronizes a specified domain controller with all replication partners.
repadmin /u Specifies the domain and user name with permission to perform operations in AD DS (the domain and user name are separated by a backslash, for example, domain\user.) This parameter does not support using a User Principal Name (UPN) to log on to a domain.
repadmin /? Displays and describes commands that are available.
repadmin /?:<cmd> Displays possible arguments <args>, appropriate syntaxes, and examples for the specified command <cmd>.
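As an added example (not part of the original page), the PowerShell function below turns the comma-separated output that repadmin /showrepl produces with the /csv parameter into a short list of partners that are failing inbound replication or have not replicated successfully within a threshold, which is the monitoring use the page describes. The function name Get-FailingReplicationLinks, the sample CSV rows and the fixed clock are constructed for this example; the column names are assumed to match what repadmin /showrepl <DSA_LIST> /csv emits.

```powershell
# Added example, not from the original page: parse the /csv form of
# 'repadmin /showrepl' and report replication links that need attention.
# The CSV below is constructed sample data (DC names follow the page's
# woodgrovebank examples); the header row uses the column names that
# 'repadmin /showrepl <DSA_LIST> /csv' is assumed to emit.
$SampleShowReplCsv = @'
"showrepl_COLUMNS","Destination DSA Site","Destination DSA","Naming Context","Source DSA Site","Source DSA","Transport Type","Number of Failures","Last Failure Time","Last Success Time","Last Failure Status"
"showrepl_INFO","HQ","HQ-DC-01","DC=woodgrovebank,DC=com","HQ","HQ-DC-02","RPC","0","0","2024-01-05 11:40:12","0"
"showrepl_INFO","HQ","HQ-DC-01","DC=woodgrovebank,DC=com","BR1","BR1-DC-01","RPC","12","2024-01-05 11:15:03","2024-01-02 23:40:00","1722"
"showrepl_INFO","HQ","HQ-DC-01","CN=Configuration,DC=woodgrovebank,DC=com","BR2","BR2-DC-01","RPC","0","0","2024-01-03 02:05:44","0"
'@ -split "`r?`n"

function Get-FailingReplicationLinks {
    param(
        # Raw output lines of: repadmin /showrepl <DSA_LIST> /csv
        [Parameter(Mandatory)][string[]]$CsvLines,
        # A link with no recorded failures is still flagged when its last
        # success is older than this many hours (a silent, stalled partner).
        [int]$MaxHoursSinceSuccess = 24,
        # Injectable clock so the constructed sample evaluates deterministically.
        [datetime]$Now = (Get-Date)
    )

    # The two bind errors the page lists for /retry, decoded for the report.
    $knownErrors = @{
        '1722' = 'The RPC server is unavailable (0x6ba)'
        '1753' = 'There are no more endpoints available from the endpoint mapper (0x6d9)'
    }

    $CsvLines | ConvertFrom-Csv | ForEach-Object {
        $failures = [int]$_.'Number of Failures'

        # repadmin writes "0" when a link has never succeeded; treat that as stale.
        $hoursSinceSuccess = $null
        if ($_.'Last Success Time' -and $_.'Last Success Time' -ne '0') {
            $lastOk = [datetime]$_.'Last Success Time'
            $hoursSinceSuccess = [math]::Round(($Now - $lastOk).TotalHours, 1)
        }
        $stale = ($null -eq $hoursSinceSuccess) -or ($hoursSinceSuccess -gt $MaxHoursSinceSuccess)

        if ($failures -gt 0 -or $stale) {
            $code = [string]$_.'Last Failure Status'
            $reason = if ($knownErrors.ContainsKey($code)) { $knownErrors[$code] }
                      elseif ($code -ne '0')                { "Win32 error $code" }
                      else                                  { 'no failure recorded (stale link)' }

            [pscustomobject]@{
                Destination       = $_.'Destination DSA'
                Source            = $_.'Source DSA'
                NamingContext     = $_.'Naming Context'
                Failures          = $failures
                HoursSinceSuccess = $hoursSinceSuccess
                LastError         = $reason
            }
        }
    }
}

# Evaluate the constructed sample against a fixed clock. On a live domain
# controller, replace $SampleShowReplCsv with the output of:
#   repadmin /showrepl * /csv
Get-FailingReplicationLinks -CsvLines $SampleShowReplCsv -Now ([datetime]'2024-01-05 12:00:00') |
    Sort-Object Failures -Descending |
    Format-Table -AutoSize
```

With the sample data, BR1-DC-01 is reported for 12 failures with error 1722 and BR2-DC-01 for a last success roughly 58 hours old, while the healthy HQ-DC-02 link is omitted.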

repadmin /kcc

Forces the Knowledge Consistency Checker (KCC) on each targeted domain controller to immediately recalculate the inbound replication topology. By default, each domain controller performs this recalculation every 15 minutes. Run this command to troubleshoot KCC errors after you remove suspected fault conditions or to re-evaluate whether new connection objects must be created on behalf of the targeted domain controllers.

Default repadmin /kcc syntax

repadmin /kcc [<DSA_LIST>] [/async]

repadmin /kcc options

Description

repadmin /kcc /async Specifies that replication is asynchronous. That is, repadmin starts the replication event, but it does not expect an immediate response from the destination domain controller. Use this parameter to start the KCC if you do not want to wait for the KCC to finish. Repadmin /kcc is typically run without the /async parameter.
repadmin /kcc <DSA_LIST> Specifies the host name of a domain controller or a list of domain controllers that are separated in the list by single spaces.

repadmin /kcc examples

Trigger the KCC to run on each of the domain controllers that are in the site named HQ:

repadmin /kcc site:HQ

repadmin /prp

Lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs). You run the repadmin /prp command against a writable domain controller that runs Windows Server 2008 rather than an RODC. The repadmin /prp command can perform the following operations: add, delete, move, and view.

Default repadmin /prp syntax

repadmin /prp <OPERATION> <RODC> [ADDITIONAL_ARGS]

repadmin /prp add

Adds the specified security principal to the msDS-RevealOnDemandGroup attribute that is associated with the RODC (this attribute is also known as the Allowed List).

Default repadmin /prp add syntax

repadmin /prp add <RODC> allow <PRINCIPAL>

repadmin /prp add options

Description

repadmin /prp add <Principal> Specifies the name of the security principal that you want to add to the Allowed List.
repadmin /prp add <RODC> Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name (FQDN). In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.

repadmin /prp delete

Deletes one or more specified security principals from the msDS-AuthenticatedToAccountList attribute or from the msDS-RevealOnDemandGroup attribute that is associated with the RODC (the AuthenticatedToAccountList attribute is also known as the Authenticated to List, and the msDS-RevealOnDemandGroup attribute is also known as the Allowed List).

Default repadmin /prp delete syntax

repadmin /prp delete <RODC> allow {<Principal>|/all}

repadmin /prp delete <RODC> auth2 /all

repadmin /prp delete options

Description

repadmin /prp delete /all Specifies all security principals. You cannot delete only one security principal from the msDS-AuthenticatedToAccountList attribute.
repadmin /prp delete <Principal> Specifies the name of the security principal that you want to delete from the Allowed List. Specify /all to have the operation delete all security principals.
repadmin /prp delete <RODC> Specifies the host name of the RODC. You can specify the single-label host name or the FQDN. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.

repadmin /prp move

Moves all the security principals from the msDS-AuthenticatedToAccountList attribute to the specified group. If the group does not exist, this command creates the group. If necessary, this command also adds the group to the msDS-RevealOnDemandGroup attribute of the RODC (the msDS-AuthenticatedToAccountList attribute is also known as the Authenticated To List, and the msDS-RevealOnDemandGroup attribute is also known as the Allowed List).

Default repadmin /prp move syntax

repadmin /prp move <RODC> <Group> [/noauth2cleanup] [/users_only | /comps_only]

repadmin /prp move options

Description

repadmin /prp move /comps_only Moves only computer accounts from the msDS-AuthenticatedToAccountList attribute to the specified group. The group is then added to the msDS-RevealOnDemandGroup attribute.
repadmin /prp move <Group> Specifies the name of the security group to which you want to move the security principals. If the security group does not exist, this command creates the security group in the built-in Users container. You can specify the name of the security group but not the distinguished name.
repadmin /prp move /noauth2cleanup Retains the list of security principals in the msDS-AuthenticatedToAccountList attribute after the Move operation is complete. By default, the msDS-AuthenticatedToAccountList attribute is cleared.
repadmin /prp move <RODC> Specifies the host name of the RODC. For this operation, you can specify the single-label host name or the FQDN.
repadmin /prp move /users_only Moves only user accounts from the msDS-AuthenticatedToAccountList attribute to the specified group. The group is then added to the msDS-RevealOnDemandGroup attribute.

repadmin /prp view

Displays the security principals in the specified list or displays the current PRP setting (allowed or denied) for a specified user.

Default ‘repadmin /prp view’ syntax

repadmin /prp view <RODC> {<List_Name>|<User>}

‘repadmin /prp view’ options

Description

repadmin /prp view <List_Name> Specifies all the security principals that are in the list that you want to view. The valid list names are as follows:

allow: The list of security principals in the msDS-RevealOnDemandGroup attribute. The RODC can cache passwords for this list of security principals only.

auth2: The list of security principals that the RODC has authenticated.

deny: The list of security principals in the msDS-NeverRevealGroup attribute. The RODC cannot cache passwords for any security principals in this list.

reveal: The list of security principals for which the RODC has cached passwords.

repadmin /prp view <RODC> Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.
repadmin /prp view <User> Specifies the effective PRP setting (allowed or denied) for the specified user. You can specify the user name only or the distinguished name.

repadmin /prp examples

Lists the users whose passwords are currently cached on the domain controller named br1-rodc01:

repadmin /prp view br1-rodc01 reveal

Cache the password for the user account named ‘MikeDan’ on the domain controller named br1-rodc1:

repadmin /prp add br1-rodc1 allow cn=MikeDan,ou=user-groups,dc=contoso,dc=com

repadmin /queue

Displays inbound replication requests that the domain controller has to issue to become consistent with its source replication partners.

Default repadmin /queue syntax

repadmin /queue [DSA_LIST]

‘repadmin /queue’ options

Description

repadmin /queue <DSA_LIST> Specifies the host name of a domain controller or a list of domain controllers that are separated in the list by a single space.

repadmin /queue examples

Return the queue of inbound replication requests that a bridgehead server named WoodGroveBank-DC-01 has not yet processed:

repadmin /queue WoodGroveBank-DC-01

repadmin /replicate

Triggers the immediate replication of the specified directory partition to a destination domain controller from a source domain controller. The /replicate command tests replication success after you remove suspected fault conditions without waiting for the replication schedule to open.

You can refer to the source or destination domain controller by its single-label host name, by its fully qualified host name, or by the globally unique identifier (GUID) that is assigned to the NTDS Settings object for the domain controller. You can obtain the GUID for the directory system agent (DSA) object from the header of the output of the following command:

repadmin /showrepl <name of domain controller>

Default repadmin /replicate syntax

repadmin /replicate <Dest_DSA_List> <Naming Context> /allsources [/force] [/async] [/full] [/addref] [/readonly]

repadmin /replicate <Dest_DSA_List> <Source_DSA_Name> <Naming Context> [/force]

repadmin /replicate options

Description

repadmin /replicate /addref Enables change notification between the source and destination domain controllers.
repadmin /replicate /allsources Specifies that replication on the destination domain controllers occurs with all replication partners. In Windows Server 2008 R2, the /allsources parameter is deprecated.
repadmin /replicate /async Specifies that replication is asynchronous. That is, Repadmin starts the replication event, but it does not expect an immediate response from the destination domain controller. Use this parameter to start the KCC, if you do not want to wait for KCC to finish.
repadmin /replicate <Dest_DSA_List> Specifies the single-label host name of a domain controller or a list of domain controllers that are separated in the list by single spaces.
repadmin /replicate /force Allows the caller to override connections that an administrator has disabled by using /repadmin options and allows replication with corrupt and divergent partners. Do not use this parameter if you suspect that Update Sequence Number (USN) Rollback has occurred.
repadmin /replicate /full Requests that the source domain controller replicate all changes again for the specified partition. This command resets the up-to-dateness vector (UTDVEC) and the high watermark. This parameter does not remove lingering objects on the destination domain controller. Do not use this parameter if you suspect that USN Rollback has occurred.
repadmin /replicate /readonly Specifies that the destination domain controller holds a read-only copy of the partition that is replicated.
repadmin /replicate <Source_DSA_Name> Specifies the host name of a source domain controller.

repadmin /replicate examples

Replicates the WoodGroveBank naming context from source-dc01 to dest-dc01:

repadmin /replicate dest-dc01 source-dc01 DC=WoodGroveBank,DC=com

Replicate the Mayberry naming context from source-dc01 to dest-dc01 and specify that the naming context is read-only on the destination domain controller:

repadmin /replicate dest-dc01 source-dc01 DC=Mayberry,DC=WoodGroveBank,DC=com /readonly

repadmin /replsingleobj

Replicates a single object between any two domain controllers that have common directory partitions. The two domain controllers do not have a replication agreement. That is, neither domain controller has an inbound connection object for the other domain controller. You can use the repadmin /showrepl or the repadmin /showconn command to show replication agreements.

Default repadmin /replsingleobj syntax

repadmin /replsingleobj <DSA_LIST> <Source_DSA_Name> <obj dn>

repadmin /replsingleobj options

Description

repadmin /replsingleobj <DSA_LIST> Specifies the host name of a domain controller or a list of domain controllers that are separated in the list by single spaces.
repadmin /replsingleobj <obj dn> Specifies the distinguished name of the object that you want to replicate.
repadmin /replsingleobj <Source_DSA_Name> Specifies the host name of a source domain controller.

repadmin /replsingleobj examples

Trigger replication of the object named VPSales from source-dc01 to dest-dc01:

repadmin /replsingleobj dest-dc01 source-dc01 cn=VPSales,ou=execs,dc=woodgrovebank,dc=com

repadmin /replsummary

Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report. When it begins to collect data for the replication summary, this command displays a series of dots. Each dot represents a domain controller that is specified in the DSA_LIST parameter (plus some extra dots for preprocessing). Fifty dots are displayed on each line of the output. For example, four lines of dots represent about 200 domain controllers that are specified by the DSA_LIST parameter. The dots help you gauge throughput and completion time in large environments.

Default repadmin /replsummary syntax

repadmin /replsummary [DSA_LIST] [/bysrc] [/bydest] [/errorsonly] [/sort:{delta | partners | failures | error | percent | unresponsive}]

repadmin /replsummary options

Description

repadmin /replsummary /bydest Summarizes the replication status for all domain controllers that a given destination domain controller replicates from. This parameter does not display the source domain controller.

You can specify the /bysrc and /bydest parameters at the same time. If you do so, then repadmin displays the /bysrc parameter table first and the /bydest parameter table next. If the parameters /bysrc and /bydest are both absent, repadmin displays the one with the least number of partner errors.

repadmin /replsummary /bysrc Summarizes the replication status for all domain controllers that a given source domain controller replicates to. This parameter does not display the destination domain controller.

repadmin /replsummary <DSA_LIST> Specifies the host name of a domain controller or a list of domain controllers.
repadmin /replsummary /errorsonly Shows only the domain controllers where the partner error is non-zero.
repadmin /replsummary /sort:delta Sorts the results according to the least current naming context for each source or destination domain controller.
repadmin /replsummary /sort:error Sorts the results list by the last replication result (the error code) that is blocking replication for each domain controller. This helps you troubleshoot the root cause of failure for domain controllers that fail with common errors.
repadmin /replsummary /sort:failures Sorts the results list by the number of partner replication failures for each domain controller.
repadmin /replsummary /sort:partners Sorts the results list by the number of replication partners for each domain controller.
repadmin /replsummary /sort:percent Sorts the results list by the partner replication failure percentage for each domain controller (this is calculated by dividing the number of failures by the total number of attempts, and then multiplying by 100; that is, failures/total attempts * 100). This helps you prioritize your troubleshooting efforts by identifying the domain controllers that are experiencing the highest frequency of replication errors.
repadmin /replsummary /sort:unresponsive Sorts the results list by the names of partners that do not respond to replication requests for each domain controller.

repadmin /replsummary examples

Target all domain controllers in the forest to retrieve summary replication status from each, list the output in a table that has columns for source and destination, and sort the results based on the longest time since the last successful replication:

repadmin /replsum * /bysrc /bydest /sort:delta

repadmin /rodcpwdrepl

Triggers replication of passwords for the specified users from a writable Windows Server 2008 source domain controller to one or more read-only domain controllers (RODCs). For each destination RODC, the source domain controller enforces the Password Replication Policy (PRP) before it performs the operation. If the PRP does not permit replicating the password to an RODC for a specified user, the operation for that user and RODC combination fails.

Default repadmin /rodcpwdrepl syntax

repadmin /rodcpwdrepl [DSA_LIST] <Hub DC> <User1 DN> [<User2 DN> <User3 DN>...]

repadmin /rodcpwdrepl options

Description

repadmin /rodcpwdrepl <DSA_LIST> Specifies the host name of a domain controller or a list of domain controllers that are separated in the list by single spaces.
repadmin /rodcpwdrepl <Hub DC> Specifies the writable Windows Server 2008 domain controller that enforces the PRP of the RODC.
repadmin /rodcpwdrepl <User1 DN> Specifies the distinguished name of the user account whose password must be cached (prepopulated) on the RODC.

repadmin /rodcpwdrepl examples

Trigger replication of the passwords for the user account named ‘JaneOh’ from the source domain controller named source-dc01 to all RODCs that have the name prefix dest-rodc:

repadmin /rodcpwdrepl dest-rodc* source-dc01 cn=JaneOh,ou=execs,dc=woodgrovebank,dc=com

repadmin /showattr

Displays the attributes of an object. Although the repadmin /showobjmeta command displays the number of times that the attributes on an object have changed and which domain controller made those changes, the repadmin /showattr command displays the actual values for an object. The repadmin /showattr command can also display the values for objects that are returned by a command-line Lightweight Directory Access Protocol (LDAP) query. An object can be referenced by its distinguished name or by its object globally unique identifier (GUID). By default, repadmin /showattr uses Lightweight Directory Access Protocol (LDAP) port 389 to query writable directory partitions. However, repadmin /showattr can optionally use LDAP port 3268 to query the read-only partitions of a global catalog server.

Default repadmin /showattr syntax

repadmin /showattr <DSA_LIST> <OBJ_LIST> [OBJ_LIST Options] [/atts:<att1>,<att2>...] [/allvalues] [/long] [/dumpallblob] [/gc]

repadmin /showattr options

repadmin /showattr /allvalues: Displays all attribute values. By default, only 20 values are displayed for an attribute.
repadmin /showattr /atts: Returns values for the specified attributes only. Separate multiple attribute names with commas.
repadmin /showattr <DSA_LIST>: Specifies the host name of a domain controller, or a list of domain controllers separated by single spaces.
repadmin /showattr /dumpallblob: Displays all binary attribute values. Similar to /allvalues, but for binary attribute values.
repadmin /showattr /gc: Specifies the use of TCP port 3268 to query the read-only global catalog partitions.
repadmin /showattr /long: Displays one line for each attribute value.
repadmin /showattr <OBJ_LIST> [OBJ_LIST Options]: Specifies the distinguished name or object GUID of the object whose attributes you want to enumerate. When you perform an LDAP query from a command prompt, this parameter forms the base distinguished name path for the search. Enclose distinguished names that contain spaces in quotation marks.


repadmin /showattr examples

Query a specific domain controller and show all attributes for an object using its distinguished name:

repadmin /showattr hq-dc-01 "cn=enterprise administrators,cn=users,dc=woodgrovebank,dc=com"

Query a specific domain controller and show all attributes for an object using its object GUID:

repadmin /showattr hq-dc-01 "<GUID=20b11743-1272-45c0-88fb-ea9a753d53f8>"

Query all domain controllers whose computer names start with HQ-DC and show the value of a specific attribute, msDS-Behavior-Version, which denotes the domain functional level:

repadmin /showattr hq-dc* "DC=woodgrovebank,DC=com" /atts:msDS-Behavior-Version

Query a single domain controller named hq-dc-01 and return the operating system, operating system version, and service pack attributes for all domain controller computer accounts, selected by primary group ID 516, which identifies enterprise domain controllers:

repadmin /showattr hq-dc-01 ncobj:domain: /filter:"(&(objectCategory=computer)(primaryGroupID=516))" /subtree /atts:operatingSystem,operatingSystemVersion,operatingSystemServicePack

Query the read-only partitions (/gc) of all global catalogs (“gc:”) in the forest to see if those partitions contain a copy of a specific object that is referenced by its object GUID. This command is useful for determining which domain controllers replicated an important change or contain a lingering object:

repadmin /showattr gc: "<GUID=20b11743-1272-45c0-88fb-ea9a753d53f8>" /gc


repadmin /showobjmeta

Displays the replication metadata for a specified object stored in Active Directory Domain Services (AD DS), such as the attribute ID, a version number, the originating and local Update Sequence Numbers (USNs), the globally unique identifier (GUID) of the originating server, and the date and time stamp. By comparing the replication metadata for the same object on different domain controllers, you can determine whether replication has occurred or which domain controller added, modified, or deleted an attribute or object. You can reference an object by its distinguished name path, object GUID, or security identifier (SID). If the distinguished name path includes a space, enclose it in quotation marks.

Default repadmin /showobjmeta syntax

repadmin /showobjmeta [DSA_LIST] <Object DN> [/nocache] [/linked]

repadmin /showobjmeta options

repadmin /showobjmeta <DSA_LIST>: Specifies the host name of a domain controller, or a list of domain controllers separated by single spaces.
repadmin /showobjmeta /linked: Displays the metadata for linked attributes, such as the member attribute of a security group object. This parameter is valid only if the forest functional level is Windows Server 2003.
repadmin /showobjmeta /nocache: Specifies that GUIDs are left in hexadecimal form. By default, GUIDs are translated into strings.
repadmin /showobjmeta <Object DN>: Specifies the distinguished name of the object for which you want to display metadata.


repadmin /showobjmeta examples

Target all domain controllers whose names begin with the string “dst” (such as 'dst-01', 'dst-02', and so on) and request the replication metadata for an object specified by its distinguished name (the distinguished name path is enclosed in quotation marks because it contains a space):

repadmin /showobjmeta dst* "CN=Joe Smith,OU=UserAccounts,DC=contoso,DC=com"

Target all domain controllers whose names begin with the string “dst” and request the replication metadata, including that of linked attributes such as member (/linked), for a group object specified by its distinguished name:

repadmin /showobjmeta dst* CN=Finance,OU=UserGroups,DC=contoso,DC=com /linked

Target a specific domain controller and request the replication metadata for an object by specifying the object GUID:

repadmin /showobjmeta destdc01 "<GUID=93f2ab2b-f140-4f74-b018-652566d8bdbd>"

Target a specific domain controller and request the replication metadata for an object by specifying its object SID:

repadmin /showobjmeta destdc01 "<SID=S-1-5-21-1721254763-462695806-1538882281-35372>"


repadmin /showrepl

Displays the replication status when the specified domain controller last attempted to perform inbound replication of Active Directory partitions. The repadmin /showrepl command helps you understand the replication topology and replication failures. It reports status for each source domain controller from which the destination has an inbound connection object. The status report is categorized by directory partition.

The administrative workstation on which you run repadmin must have remote procedure call (RPC) network connectivity to all domain controllers that are targeted by the DSA_LIST parameter. Replication errors may be caused by the source domain controller; destination domain controller; or any component of the replication process, including the underlying network.

In Windows Server 2003 and Windows Server 2008, repadmin does not display outbound partners for intrasite replication as it did in the Microsoft Windows 2000 Server operating system. Use the /repsto parameter to display outbound partners.

Default repadmin /showrepl syntax

repadmin /showrepl [DSA_LIST [Source DSA object GUID]] [Naming Context] [/verbose] [/nocache] [/repsto] [/conn] [/all] [/errorsonly] [/intersite] [/csv]

repadmin /showrepl options

repadmin /showrepl /all: Runs both the /repsto and the /conn parameters.
repadmin /showrepl /conn: Appends a KCC CONNECTION OBJECTS section to the repadmin output that lists all connections and why they were created.
repadmin /showrepl /csv: Displays the results in comma-separated-value (CSV) format.
repadmin /showrepl <DSA_LIST>: Specifies the host name of a domain controller, or a list of domain controllers separated by single spaces.
repadmin /showrepl /errorsonly: Displays replication status only for source domain controllers with which the destination domain controller encounters replication errors.
repadmin /showrepl /intersite: Displays the replication status for connections from domain controllers in remote sites from which the domain controller listed in the DSA_LIST parameter performs inbound replication.
repadmin /showrepl <NamingContext>: Specifies the distinguished name of the directory partition to replicate.
repadmin /showrepl /nocache: Specifies that globally unique identifiers (GUIDs) are left in hexadecimal form. By default, GUIDs are translated into strings.
repadmin /showrepl /repsto: Lists the partner domain controllers with which the targeted domain controllers use change notification to perform outbound replication (partner domain controllers in this case are domain controllers in the same Active Directory site as the source domain controller, and domain controllers in remote sites where change notification has been enabled). This list is appended under OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS in the repadmin output.
repadmin /showrepl <Source DSA object GUID>: Specifies the unique hexadecimal number that identifies the object whose replication events are listed.
repadmin /showrepl /verbose: Displays additional information about the source partners from which the destination domain controller performs inbound replication, including the fully qualified CNAME, invocation ID, replication flags, and the update sequence number (USN) values for originating and replicated updates.


repadmin /showrepl examples

Report the inbound replication status for all domain controllers in the forest output in CSV format (which is ideal for viewing forest-wide replication status in a spreadsheet application such as Microsoft Excel):

repadmin /showrepl * /csv

Report the inbound replication status for all domain controllers in the forest that are experiencing a replication error:

repadmin /showrepl * /errorsonly

Report the inbound replication status for all domain controllers in the site named HQ that perform inbound replication of a read-only or writable copy of the mayberry.woodgrovebank.com domain partition:

repadmin /showrepl site:HQ DC=Mayberry,DC=Woodgrovebank,dc=Com
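The /csv output above is easiest to act on from a script. The following PowerShell function is an added example, not code from the original post: it parses the CSV that repadmin /showrepl * /csv emits and reports only the partners with failures. The column names used (Number of Failures, Last Failure Status, and so on) are the ones repadmin writes in its CSV header as assumed here; check them against your own output before relying on the filter.

```powershell
function Get-ReplicationFailure {
    param(
        # Lines of CSV text as produced by 'repadmin /showrepl * /csv'; defaults to running repadmin.
        [string[]]$CsvLines = (repadmin /showrepl * /csv)
    )
    $rows = $CsvLines | ConvertFrom-Csv
    foreach ($row in $rows) {
        $failures = [int]$row.'Number of Failures'
        if ($failures -gt 0) {
            [pscustomobject]@{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                Failures      = $failures
                LastSuccess   = $row.'Last Success Time'
                LastStatus    = $row.'Last Failure Status'   # Win32 error code, e.g. 1722 = RPC server unavailable
            }
        }
    }
}

# Constructed sample (not real repadmin output) so the function can be exercised offline.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,HQ-DC-01,"DC=woodgrovebank,DC=com",HQ,HQ-DC-02,RPC,0,0,2013-02-07 15:38:00,0
showrepl_INFO,HQ,HQ-DC-01,"DC=woodgrovebank,DC=com",Branch,BR-DC-01,RPC,12,2013-02-07 15:40:10,2013-02-06 09:12:33,1722
'@ -split "`r?`n"

# Only the BR-DC-01 partner is reported; the worst partners are listed first.
Get-ReplicationFailure -CsvLines $sample | Sort-Object Failures -Descending | Format-Table -AutoSize
```

Omitting -CsvLines runs repadmin against every domain controller in the forest, so a partner that stops replicating (and therefore stops receiving security changes such as account disables) shows up with a growing failure count and a stale Last Success Time.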


repadmin /showutdvec

Displays the highest committed Update Sequence Number (USN) that Active Directory Domain Services (AD DS) on the targeted domain controller shows as committed for itself and its transitive partners.

The up-to-dateness vector (UTDVEC) shows the highest USN that the destination domain controller has received by replication, in the form of changes it has received from its direct and transitive replication partners for the specified partition. Destination domain controllers start with the last received USNchanged attribute when they request changes from a specified source. All USNs for a specified source domain controller appear in the context of the local USN for that source, not the USNs on the destination domain controller.

The UTDVEC for a local domain controller shows the highest committed USN on which the domain controller has performed inbound replication or that it originated.

This command output lists current and historical replication partners, including transitive replication partners. By comparing the USNs from this command output on a source and destination domain controller, you can determine how current a destination domain controller is compared to its source partner. You may detect USN rollbacks if you run this command when the destination domain controller has a higher committed USN than the source domain controller. For best results, and to avoid false USN rollbacks, obtain this command output from destination domain controllers immediately followed by source domain controllers.

Default repadmin /showutdvec syntax

repadmin /showutdvec <DSA_LIST> <Naming Context> [/nocache] [/latency]

repadmin /showutdvec options

repadmin /showutdvec <DSA_LIST>: Specifies the host name of a domain controller, or a list of domain controllers separated by single spaces.
repadmin /showutdvec /latency: Orders the entries in the UTDVEC from least current to most current.
repadmin /showutdvec <NamingContext>: Specifies the distinguished name of the directory partition.
repadmin /showutdvec /nocache: Specifies that globally unique identifiers (GUIDs) are left in hexadecimal form. By default, GUIDs are translated into strings.


repadmin /showutdvec examples

Show the highest committed USN on a domain controller named dc1 for the woodgrovebank.com directory partition:

repadmin /showutdvec dc1 dc=woodgrovebank,dc=com

Show the highest USN on the local domain controller for the mayberry.woodgrovebank.com directory partition, ordering the entries from least current to most current:

repadmin /showutdvec localhost dc=mayberry,dc=woodgrovebank,dc=com /latency
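The USN rollback check described above (a destination that has already committed a higher USN for a source than the source reports for itself) can be scripted. This is an added example and not code from the original post; it assumes the repadmin /showutdvec line layout '<Site>\<DC> @ USN <n> @ Time <timestamp>', and the two outputs must be collected destination first, then source, as the text advises.

```powershell
function ConvertFrom-Utdvec {
    param([string[]]$Lines)
    $map = @{}
    foreach ($line in $Lines) {
        # Assumed layout: '<Site>\<DC> @ USN <n> @ Time <timestamp>'; other lines are skipped.
        if ($line -match '^\s*(?<site>[^\\\s]+)\\(?<dc>\S+)\s+@\s+USN\s+(?<usn>\d+)\s+@') {
            $map[$Matches.dc.ToUpperInvariant()] = [int64]$Matches.usn
        }
    }
    return $map
}

function Test-UsnRollback {
    param(
        [string[]]$DestinationOutput,   # repadmin /showutdvec <dest> <NC>, collected first
        [string[]]$SourceOutput,        # repadmin /showutdvec <source> <NC>, collected second
        [string]$SourceName
    )
    $dest = ConvertFrom-Utdvec $DestinationOutput
    $src  = ConvertFrom-Utdvec $SourceOutput
    $key  = $SourceName.ToUpperInvariant()
    $seen = $dest[$key]   # highest USN of the source that the destination has already replicated
    $own  = $src[$key]    # highest USN the source currently reports for itself
    [pscustomobject]@{
        Source               = $SourceName
        UsnSeenByDestination = $seen
        UsnReportedBySource  = $own
        PossibleRollback     = ($null -ne $seen -and $null -ne $own -and $seen -gt $own)
    }
}

# Constructed sample output (not real repadmin output) so the check can be exercised offline.
$destOut = @'
Caching GUIDs.
..
HQ\HQ-DC-02 @ USN 450120 @ Time 2013-02-07 15:30:00
HQ\HQ-DC-01 @ USN 987001 @ Time 2013-02-07 15:38:00
'@ -split "`r?`n"
$srcOut = @'
Caching GUIDs.
..
HQ\HQ-DC-01 @ USN 450000 @ Time 2013-02-07 15:38:10
HQ\HQ-DC-02 @ USN 449900 @ Time 2013-02-07 15:31:00
'@ -split "`r?`n"

# Destination HQ-DC-01 has committed USN 450120 from HQ-DC-02, which itself reports only 449900.
Test-UsnRollback -DestinationOutput $destOut -SourceOutput $srcOut -SourceName 'HQ-DC-02'
```

A true result is only a symptom to investigate (for example, a domain controller restored from a snapshot), which is why the text insists on collecting the destination output before the source output to avoid false positives.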


repadmin /syncall

Synchronizes a specified domain controller with all of its replication partners. By default, if no directory partition is provided in the <NamingContext> parameter, the command performs its operations on the configuration directory partition.

Default repadmin /syncall syntax

repadmin /syncall <DSA> [<Naming Context>] [<flags>]

repadmin /syncall options

repadmin /syncall <DSA>: Specifies the host name of a domain controller.
repadmin /syncall <flags>: The following flags are supported:

/a: Aborts if any server is unavailable.
/A: Synchronizes all naming contexts that are held on the home server.
/d: Identifies servers by distinguished name in messages.
/e: Synchronizes domain controllers across all sites in the enterprise. By default, this command does not synchronize domain controllers in other sites.
/h: Displays the Help message.
/i: Iterates indefinitely.
/I: Runs the repadmin /showrepl command on each server pair in the path instead of synchronizing.
/j: Synchronizes adjacent servers only.
/p: Pauses after every message to allow the user to abort the command.
/P: Pushes changes outward from the specified domain controller.
/q: Runs in quiet mode, which suppresses callback messages.
/Q: Runs in very quiet mode, which reports fatal errors only.
/s: Does not synchronize.
/S: Skips the initial server response check.

repadmin /syncall <NamingContext>: Specifies the distinguished name of the directory partition.


repadmin /syncall examples

Synchronize the target domain controller with all of its partners, including domain controllers in other sites (/e), display the partners by their distinguished names rather than their globally unique identifiers (GUIDs) (/d), and abort the command if any one partner is not available (/a):

repadmin /syncall dst-dc01 dc=woodgrovebank,dc=com /d /e /a



Written by Doug Vitale

February 7, 2013 at 3:38 PM
