JSI Tip 7329. How do I create an Active Directory user from the command line?

Using the Active Directory command-line tools in a Windows 2000 or Windows Server 2003 domain, you can create, modify, and delete a user from the command line.

The syntax for creating a user account is:

dsadd user user_DN -samid Sam_Name

user_DN   is the distinguished name (DN) of the user you wish to create, like "CN=Jerold Schulman,CN=Users,DC=JSIINC,DC=COM".

Sam_Name  is the SAM (Security Account Manager) account name of the user, like Jerry.

NOTE: To disable / enable a user account, use dsmod user user_DN -disabled yes|no.

NOTE: To delete a user account, use dsrm user_DN.

NOTE: To modify the properties of a user account, use the dsmod user user_DN command.

NOTE: When you type dsadd user /?, you receive:

Description:  Adds a user to the directory.
Syntax:  dsadd user <UserDN> [-samid <SAMName>] [-upn <UPN>] [-fn <FirstName>]
        [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>]
        [-empid <EmployeeID>] [-pwd {<Password> | *}] [-desc <Description>]
        [-memberof <Group ...>] [-office <Office>] [-tel <Phone#>]
        [-email <Email>] [-hometel <HomePhone#>] [-pager <Pager#>]
        [-mobile <CellPhone#>] [-fax <Fax#>] [-iptel <IPPhone#>]
        [-webpg <WebPage>] [-title <Title>] [-dept <Department>]
        [-company <Company>] [-mgr <Manager>] [-hmdir <HomeDir>]
        [-hmdrv <DriveLtr:>] [-profile <ProfilePath>] [-loscr <ScriptPath>]
        [-mustchpwd {yes | no}] [-canchpwd {yes | no}]
        [-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}]
        [-acctexpires <NumDays>] [-disabled {yes | no}]
        [{-s <Server> | -d <Domain>}] [-u <UserName>]
        [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]


Value                   Description
<UserDN>                Required. Distinguished name (DN) of user to add.
                        If the target object is omitted, it will be taken
                        from standard input (stdin).
-samid <SAMName>        Set the SAM account name of user to <SAMName>.
                        If not specified, dsadd will attempt
                        to create SAM account name using up to
                        the first 20 characters from the
                        common name (CN) value of <UserDN>.
-upn <UPN>              Set the upn value to <UPN>.
-fn <FirstName>         Set user first name to <FirstName>.
-mi <Initial>           Set user middle initial to <Initial>.
-ln <LastName>          Set user last name to <LastName>.
-display <DisplayName>  Set user display name to <DisplayName>.
-empid <EmployeeID>     Set user employee ID to <EmployeeID>.
-pwd {<Password> | *}   Set user password to <Password>. If *, then you are
                        prompted for a password.
-desc <Description>     Set user description to <Description>.
-memberof <Group ...>   Make user a member of one or more groups <Group ...>
-office <Office>        Set user office location to <Office>.
-tel <Phone#>           Set user telephone# to <Phone#>.
-email <Email>          Set user e-mail address to <Email>.
-hometel <HomePhone#>   Set user home phone# to <HomePhone#>.
-pager <Pager#>         Set user pager# to <Pager#>.
-mobile <CellPhone#>    Set user mobile# to <CellPhone#>.
-fax <Fax#>             Set user fax# to <Fax#>.
-iptel <IPPhone#>       Set user IP phone# to <IPPhone#>.
-webpg <WebPage>        Set user web page URL to <WebPage>.
-title <Title>          Set user title to <Title>.
-dept <Department>      Set user department to <Department>.
-company <Company>      Set user company info to <Company>.
-mgr <Manager>          Set user's manager to <Manager> (format is DN).
-hmdir <HomeDir>        Set user home directory to <HomeDir>. If this is
                        UNC path, then a drive letter that will be mapped to
                        this path must also be specified through -hmdrv.
-hmdrv <DriveLtr:>      Set user home drive letter to <DriveLtr:>
-profile <ProfilePath>  Set user's profile path to <ProfilePath>.
-loscr <ScriptPath>     Set user's logon script path to <ScriptPath>.
-mustchpwd {yes | no}   User must change password at next logon or not.
                        Default: no.
-canchpwd {yes | no}    User can change password or not. This should be
                        "yes" if the -mustchpwd is "yes". Default: yes.
-reversiblepwd {yes | no}
                        Store user password using reversible encryption or
                        not. Default: no.
-pwdneverexpires {yes | no}
                        User password never expires or not. Default: no.
-acctexpires <NumDays>  Set user account to expire in <NumDays> days from
                        today. A value of 0 implies account expires
                        at the end of today; a positive value
                        implies the account expires in the future;
                        a negative value implies the account already expired
                        and sets an expiration date in the past;
                        the string value "never" implies that the
                        account never expires.
-disabled {yes | no}    User account is disabled or not. Default: no.
{-s <Server> | -d <Domain>}
                        -s <Server> connects to the domain controller (DC)
                        with name <Server>.
                        -d <Domain> connects to a DC in domain <Domain>.
                        Default: a DC in the logon domain.
-u <UserName>           Connect as <UserName>. Default: the logged in user.
                        User name can be: user name, domain\user name,
                        or user principal name (UPN).
-p {<Password> | *}     Password for the user <UserName>. If * is entered,
                        then you are prompted for a password.
-q                      Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci}     -uc Specifies that input from or output to pipe is
                        formatted in Unicode.
                        -uco Specifies that output to pipe or file is
                        formatted in Unicode.
                        -uci Specifies that input from pipe or file is
                        formatted in Unicode.

If you do not supply a target object at the command prompt, the target
object is obtained from standard input (stdin). Stdin data can be
accepted from the keyboard, a redirected file, or as piped output from
another command. To mark the end of stdin data from the keyboard or
in a redirected file, use Control+Z, for End of File (EOF).

If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).

The special token $username$ (case insensitive) may be used to place the SAM
account name in the value of a parameter. For example, if the target user DN
is CN=Jane Doe,CN=users,CN=microsoft,CN=com and the SAM account name
attribute is "janed," the -hmdir parameter can have
the following substitution:

-hmdir \users\$username$\home

The value of the -hmdir parameter is modified to the following value:

-hmdir \users\janed\home
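The following is an added example, not part of the original tip and not a Microsoft tool: a small Python helper that assembles a dsadd user argument list according to the rules above (default SAM name from the first 20 characters of the CN, $username$ expansion, a UNC -hmdir requiring -hmdrv, -canchpwd yes whenever -mustchpwd is yes, and -pwd * so the password is prompted for rather than placed on the command line). The function names, the example server \\fs1 and the drive letter H: are assumptions.

```python
import re
from typing import Optional, Sequence

# Added helper, not from the original tip: builds the dsadd user argument
# list so the rules from the help text are applied consistently.
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")        # \\server\share\...
USERNAME_TOKEN = re.compile(r"\$username\$", re.IGNORECASE)


def sam_from_dn(user_dn: str) -> str:
    """Default SAM name as dsadd derives it: first 20 chars of the CN."""
    rdn = user_dn.split(",", 1)[0]
    if not rdn.upper().startswith("CN="):
        raise ValueError(f"user DN must start with CN=: {user_dn}")
    return rdn[3:][:20]


def build_dsadd_user(user_dn: str, samid: Optional[str] = None,
                     hmdir: Optional[str] = None, hmdrv: Optional[str] = None,
                     memberof: Sequence[str] = (), acctexpires=None,
                     mustchpwd: bool = True, disabled: bool = False) -> list:
    sam = samid or sam_from_dn(user_dn)
    argv = ["dsadd", "user", user_dn, "-samid", sam]
    if hmdir:
        hmdir = USERNAME_TOKEN.sub(lambda _: sam, hmdir)  # expand $username$
        if UNC_PATH.match(hmdir) and not hmdrv:
            raise ValueError("a UNC -hmdir must be paired with -hmdrv")
        argv += ["-hmdir", hmdir]
        if hmdrv:
            argv += ["-hmdrv", hmdrv]
    # -pwd * makes dsadd prompt, so the password never sits on the command
    # line where shell history, process listings or scripts would expose it.
    argv += ["-pwd", "*", "-reversiblepwd", "no"]
    argv += ["-mustchpwd", "yes" if mustchpwd else "no"]
    if mustchpwd:
        argv += ["-canchpwd", "yes"]               # required with -mustchpwd yes
    if memberof:
        argv += ["-memberof", *memberof]
    if acctexpires is not None:
        argv += ["-acctexpires", str(acctexpires)]  # days, or "never"
    if disabled:
        argv += ["-disabled", "yes"]
    return argv


def render(argv: Sequence[str]) -> str:
    """The command as typed at cmd.exe: values containing spaces are quoted."""
    return " ".join(f'"{a}"' if " " in a else a for a in argv)
```

On a domain-joined Windows host the returned list can be handed directly to subprocess.run, or render() printed into a batch file for review before it is run.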
