Overview of Managing Group Accounts from the Command Line




Group accounts help you manage privileges for multiple users. In Windows Server 2003, there are three types of groups:

  • Security groups: Groups that have security descriptors associated with them and are used to help manage access permissions. You create and manage security groups with the directory services commands.

  • Distribution groups: Groups used as e-mail distribution lists, which don’t have security descriptors associated with them. You create and manage distribution groups with the directory services commands.

  • Local groups: Groups used on the local computer only. You create and manage local groups with the network services commands.

Security and distribution groups are used with domains. This makes them available throughout the directory. Local groups, however, are available only on the computer on which they are created. The general domain group account command-line utilities include:

  • DSADD GROUP: Creates a group account in Active Directory. The syntax is

    dsadd group GroupDN [-secgrp {yes | no}] [-scope {l | g | u}]
    [-samid SAMName] [-desc Description] [-memberof Group ...]
    [-members Member ...] [{-s Server | -d Domain}] [-u UserName] [-p
    {Password | *}] [-q] [{-uc | -uco | -uci}]

  • DSGET GROUP: Displays the properties of group accounts using one of two syntaxes. The syntax for viewing the properties of multiple groups is

    dsget group GroupDN ... [-dn] [-samid] [-sid] [-desc] [-secgrp]
    [-scope] [{-s Server | -d Domain}] [-u UserName] [-p {Password |
    *}] [-c] [-q] [-l] [{-uc | -uco | -uci}] [-part PartitionDN
    [-qlimit] [-qused]]

    The syntax for viewing the group membership information for an individual group is

    dsget group GroupDN [{-memberof | -members} [-expand]] [{-s Server 
    | -d Domain}] [-u UserName] [-p {Password | *}] [-c] [-q] [-l]
    [{-uc | -uco | -uci}]

  • DSMOD GROUP: Modifies attributes of one or more group accounts in the directory. The syntax is

    dsmod group GroupDN ... [-samid SAMName] [-desc Description] 
    [-secgrp {yes | no}] [-scope {l | g | u}] [{-addmbr | -rmmbr |
    -chmbr} MemberDN ...] [{-s Server | -d Domain}] [-u UserName]
    [-p {Password | *}] [-c] [-q] [{-uc | -uco | -uci}]

Tip

You can use input from DSQUERY GROUP to set the DN for the security group or groups you want to work with. You can also type the DNs for each group you want to work with. When you do this, make sure to separate each DN with a space.
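
The following batch script is an added example, not taken from the book: it creates a global security group, adds a member, reviews the resulting membership, and uses DSQUERY GROUP output as DSGET GROUP input as the Tip describes. The domain (DC=example,DC=com), the OUs, the group name, and the member DN are constructed placeholders and are assumed to exist in the directory where needed.

```batch
@echo off
setlocal

rem Constructed placeholder DNs. Replace with DNs from your own directory.
set "GROUP_DN=CN=DevTesters,OU=Groups,DC=example,DC=com"
set "MEMBER_DN=CN=Jane Doe,OU=Staff,DC=example,DC=com"

rem Create a security group (-secgrp yes) with global scope (-scope g).
rem Setting -samid and -desc up front makes later membership reviews easier.
dsadd group "%GROUP_DN%" -secgrp yes -scope g -samid DevTesters ^
    -desc "Developers testing local system configurations"
if errorlevel 1 (
    echo Failed to create %GROUP_DN%
    exit /b 1
)

rem Confirm the type and scope that were actually written to the directory.
dsget group "%GROUP_DN%" -samid -scope -secgrp -desc

rem Add one member by DN. Separate multiple member DNs with spaces.
dsmod group "%GROUP_DN%" -addmbr "%MEMBER_DN%"
if errorlevel 1 (
    echo Failed to add %MEMBER_DN%
    exit /b 1
)

rem Membership review: -expand resolves nested groups, so the list shows
rem every account that receives this group's permissions, not only the
rem direct members.
dsget group "%GROUP_DN%" -members -expand

rem Use DSQUERY GROUP output as the GroupDN input instead of typing DNs:
rem report name, scope, and type for every group whose name starts with Dev.
dsquery group -name "Dev*" | dsget group -samid -scope -secgrp

endlocal
```

Run it from a command prompt on a computer that has the directory services commands installed, using an account allowed to create groups in the target OU.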

To manage local group accounts, you use the NET LOCALGROUP command. This command has several different syntaxes. The syntax you use depends on what you want to do, as follows:

  • Create local group accounts: net localgroup [GroupName {/add [/comment:"Text"]}]

  • Modify local group accounts: net localgroup [GroupName Name [ ...]
    {/add | /delete}]

  • Delete local group accounts: net localgroup [GroupName {/delete [/comment:"Text"]}]

Note

NET LOCALGROUP can be used to add a local group to a group in the current (logon) domain. In some limited situations you might want to consider doing this, but ordinarily you wouldn’t use this technique to grant access permissions for regular users. For example, if you created a local group called DevTesters, you can add this group to the Developers domain group. This would give local machine users who are members of the DevTesters group the same domain permissions as other members of the Developers domain group. Here, developers who are testing local system configurations need access to the domain.






Microsoft Windows Command-Line Administrator's Pocket Consultant
ISBN: 0735620385
EAN: 2147483647
Year: 2004
Pages: 114
