JSI Tip 7326. How do I create a group in Active Directory, and add members, from the command-line?

Using the Active Directory command-line tools in a Windows 2000 domain or Windows Server 2003 domain, you can create a group and set its type and scope from the command-line.

The syntax is:

dsadd group group_DN -samid SAM_Name -secgrp yes | no -scope l | g | u


group_DN   is the distinguished name of the group, for example:
                     "CN=Accounts Payables,CN=Users,DC=JSIINC,DC=COM"

SAM_Name   is the unique SAM name for the group, like accountants.

yes | no   indicates if the group type is a security group (yes), or a distribution group (no).

l | g | u  is the group scope where l is domain local, g is global, and u is universal.
           If the domain functional level is Windows 2000 mixed, only security groups with domain local scopes or global scopes are permitted.

To add a member to a group, the syntax is:

dsmod group group_DN -addmbr member_DN

where:

group_DN   is the distinguished name of the group.

member_DN  is the distinguished name of the object that you wish to add to the group,
           like "CN=Jerold Schulman,CN=Users,DC=JSIINC,DC=COM".

NOTE: To delete a group:

dsrm group_DN

NOTE: To delete a member:

dsmod group group_DN -rmmbr member_DN

NOTE: For additional options, type dsadd group /? or dsmod group /?.
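
A worked run of the commands above, as an added example that is not part of the original tip: a batch script that creates the group only if it is missing, adds the member only if absent, and prints the resulting membership for review. It reuses the tip's sample DNs and SAM name, also calls dsget group (-dn, -members), and assumes the ds* tools return a non-zero exit code on failure.

```bat
@echo off
rem Added example, not from the original tip.
rem DNs and SAM name are the tip's sample values; replace with your own.
setlocal
set "GROUP_DN=CN=Accounts Payables,CN=Users,DC=JSIINC,DC=COM"
set "MEMBER_DN=CN=Jerold Schulman,CN=Users,DC=JSIINC,DC=COM"
set "SAM_NAME=accountants"

rem Quote every DN: they contain spaces and commas.
rem Assumption: dsget exits non-zero when the object does not exist.
dsget group "%GROUP_DN%" -dn >nul 2>&1
if errorlevel 1 (
    rem Global security group; allowed at every domain functional level.
    dsadd group "%GROUP_DN%" -samid %SAM_NAME% -secgrp yes -scope g
    if errorlevel 1 (
        echo Failed to create "%GROUP_DN%"
        exit /b 1
    )
)

rem Add the member only if it is not already listed, so reruns are harmless.
dsget group "%GROUP_DN%" -members | findstr /i /c:"%MEMBER_DN%" >nul
if errorlevel 1 (
    dsmod group "%GROUP_DN%" -addmbr "%MEMBER_DN%"
    if errorlevel 1 (
        echo Failed to add "%MEMBER_DN%"
        exit /b 1
    )
)

rem Print the final membership so the change can be reviewed or logged.
dsget group "%GROUP_DN%" -members
endlocal
```

Because membership in a security group grants whatever access the group holds, keep the final dsget output with the change record.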
