Adds a single group to the directory.

Dsadd is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use dsadd, you must run the dsadd command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

dsadd group <GroupDN> [-secgrp {yes | no}] [-scope {l | g | u}] [-samid <SAMName>] [-desc <Description>] [-memberof <Group> ...] [-members <Member> ...] [{-s Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

Parameters

Parameter Description

<GroupDN>

Required. Specifies the distinguished name of the group that you want to add. If you omit the distinguished name, dsadd takes the name from standard input (stdin).

-secgrp {yes | no}

Specifies whether the group that you want to add is a security group (yes) or a distribution group (no). By default, dsadd adds the group as a security group (yes).

-scope {l | g | u}

Specifies whether the scope of the group that you want to add is domain local (l), global (g), or universal (u). If the domain is in mixed-mode, then AD DS does not support the universal scope. By default, dsadd sets the scope of the group to global.

-samid <SAMName>

Specifies to use the Security Accounts Manager (SAM) name as the unique SAM account name for this group, for example, operators. If you do not specify this parameter, dsadd generates the SAM account name from the relative distinguished name.

-desc <Description>

Specifies the description of the group that you want to add.

-memberof <Group> ...

Specifies other groups of which the new group that you are adding is a member.

-members <Member> ...

Specifies the members to add to the new group.

{-s <Server> | -d Domain}

Connects to a remote server or domain that you specify. By default, dsadd connects the computer to the domain controller in the logon domain.

-u <UserName>

Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:

  • user name (for example, Linda)

  • domain\user name (for example, widgets\Linda)

  • user principal name (UPN) (for example, Linda@widgets.contoso.com)

-p {<Password> | *}

Specifies to use either a password or a an asterisk (*) to log on to a remote server. If you type *, you are prompted for a password.

-q

Suppresses all output to standard output (quiet mode).

{-uc | -uco | -uci}

Specifies that dsadd formats output or input data in Unicode. The following table shows each format.

Value Description

-uc

Specifies to use the Unicode format for input from or output to a pipe (|).

-uco

Specifies to use the Unicode format for output to a pipe (|) or a file.

-uci

Specifies to use the Unicode format for input from a pipe (|) or a file.

/?

Displays help at the command prompt.

Remarks

  • If you do not supply a target object at the command prompt, dsadd obtains the target object from standard input (stdin). Dsadd can accept stdin from the keyboard, from a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).

  • If a value that you supply contains spaces, use quotation marks around the text, for example, "CN=Mike Danseglio,CN=Users,DC=Contoso,DC=Com".

  • If you supply multiple values for a parameter, use spaces to separate the values, for example, a list of distinguished names.

  • This command only supports a subset of commonly used object class attributes.

Examples

To create a group account named Sales in the default Users container of northwindtraders.com, type:

dsadd group cn=sales,cn=users,dc=northwindtraders,dc=com