dsadd is the legacy Windows command-line utility to add objects (user, group, computer, contact, OU, quota) to Active Directory Domain Services. It requires AD DS role or RSAT.
dsadd <ObjectType> <DistinguishedName> [OptionalFlags]
ObjectType: computer | contact | group | ou | user | quota
Options and Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| -samid <SAMName> | string | CN part of DN | Sets the SAM account name for a user or computer |
| -pwd {<password>\|*} | string | none | Password. Use * to prompt at runtime |
| -upn <UPN> | string | none | User principal name (e.g., user@domain.com) |
| -mustchpwd {yes\|no} | bool | no | Force password change at next logon |
| -hmdir <path> | string | none | Home directory path (the $username$ token is replaced with the SAM account name) |
| -hmdrv <driveLetter:> | string | none | Home drive letter to map |
| -fax <number> | string | none | Fax telephone number for user/contact |
All flags are optional except Distinguished Name for most object types.
Usage Examples
1. Create a user with mandatory password change
dsadd user "cn=John Doe,ou=Users,dc=contoso,dc=com" -samid jdoe -pwd * -mustchpwd yes -upn jdoe@contoso.com
Prompts for password interactively. User must change password at first logon. Best practice for new hires.
2. Add a group and a computer object
dsadd group "cn=Finance,ou=Groups,dc=contoso,dc=com" -samid Finance
dsadd computer "cn=LAPTOP001,ou=Workstations,dc=contoso,dc=com"
Creates a security group (default) and a computer account. Computer requires -samid only if name differs.
3. Batch import from CSV using a for loop
@echo off
REM Columns: DisplayName,SamAccountName,Password,OU (header row skipped by skip=1)
REM tokens=1-3* keeps the rest of the line in %%d so a parent DN containing commas is not split
for /f "skip=1 tokens=1-3* delims=," %%a in (users.csv) do (
    dsadd user "cn=%%a,%%d" -samid %%b -pwd %%c -upn %%b@contoso.com -mustchpwd yes
)
Assumes CSV columns: DisplayName,SamAccountName,Password,OU, where OU is the parent DN (e.g., ou=Users,dc=contoso,dc=com). Efficient for bulk provisioning (50+ users). Passwords sit in plaintext in the CSV, so restrict access to the file and delete it after the import.
Troubleshooting & Common Errors
| Error Message / Code | Root Cause | Resolution Command / Steps |
|---|---|---|
| “Access denied” | Account lacks domain admin or delegated permissions | Run elevated as Domain Admin: runas /user:CONTOSO\Administrator dsadd ... |
| “Object already exists” | Same DN or SAM account name already in AD | Check uniqueness: dsquery user -samid jdoe or use Get-ADUser -Identity jdoe (PowerShell) |
| “Invalid distinguished name” | Special characters (commas, quotes) not escaped | Escape commas with a backslash: "CN=Company\, Inc.,..." |
| “The password does not meet the password policy” | Password too short/complexity failure | Use -pwd * or set compliant password; check Get-ADDefaultDomainPasswordPolicy |
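The following pre-flight wrapper for the CSV import above is an added example, not code from the original page. It avoids three of the errors in the table (duplicate SAM name, missing parent OU, unescaped characters in the CN) before calling dsadd; the CSV columns DisplayName, SamAccountName and ParentOU, the domain contoso.com and the -DryRun switch are assumptions.

```powershell
# Added example: validate each CSV row, then build the dsadd call. Password is prompted via -pwd *.
# Assumed CSV columns: DisplayName,SamAccountName,ParentOU   (ParentOU = full DN of the target OU)
param([string]$CsvPath = '.\users.csv', [string]$Domain = 'contoso.com', [switch]$DryRun)

function ConvertTo-EscapedRdn {
    # RFC 4514: backslash-escape the characters that break a DN when they appear in a CN value
    param([string]$Value)
    $escaped = $Value -replace '([,+"\\<>;=])', '\$1'
    if ($escaped -match '^[ #]') { $escaped = '\' + $escaped }          # leading space or '#'
    if ($escaped -match ' $')    { $escaped = $escaped -replace ' $', '\ ' }  # trailing space
    return $escaped
}

foreach ($row in Import-Csv $CsvPath) {
    $sam = $row.SamAccountName
    if ($sam.Length -gt 20) { Write-Warning "$sam : SAM account name longer than 20 characters, skipping"; continue }

    # "Object already exists": dsquery prints the DN when the SAM name is taken, nothing otherwise
    if (dsquery user -samid $sam 2>$null) { Write-Warning "$sam already exists, skipping"; continue }

    # Parent OU must exist (dsquery * with -scope base returns the object itself or nothing)
    if (-not (dsquery * $row.ParentOU -scope base 2>$null)) {
        Write-Warning "$($row.ParentOU) not found, skipping $sam"; continue
    }

    # "Invalid distinguished name": escape the CN before composing the DN
    $dn = "CN=$(ConvertTo-EscapedRdn $row.DisplayName),$($row.ParentOU)"
    $dsArgs = @('user', $dn, '-samid', $sam, '-upn', "$sam@$Domain", '-pwd', '*', '-mustchpwd', 'yes')

    if ($DryRun) { Write-Host "dsadd $($dsArgs -join ' ')" }
    else {
        & dsadd @dsArgs
        if ($LASTEXITCODE -ne 0) { Write-Warning "dsadd failed for $sam (exit code $LASTEXITCODE)" }
    }
}
```

Run with -DryRun first to review the generated commands; the real run prompts for each password at the console.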
Performance Considerations and Tuning
dsadd adds Active Directory objects one at a time via LDAP. Because it does not expose built-in knobs for parallelism, MTU, buffer sizes, or timeouts, performance tuning relies on scripting and operating system defaults. Microsoft’s Active Directory Domain Services Capacity Planning documentation recommends batching multiple dsadd commands in a script to reduce per-connection overhead. Network latency and TCP window size are controlled at the network stack level; dsadd inherits the system’s default TCP settings. To simulate parallelism, launch multiple dsadd instances concurrently in a PowerShell script:
# Parallel batch creation (PowerShell 7+)
# Each CSV line: DisplayName,ParentOU-DN (no header row). -pwd * prompts on the console for every account.
Get-Content C:\users.csv | ForEach-Object -Parallel {
    $name, $ou = $_ -split ',', 2      # split once so commas inside the OU DN are preserved
    dsadd user "CN=$name,$ou" -pwd * -upn "$name@domain.com"
} -ThrottleLimit 10
Key considerations:
- Batch size: No internal batch flag exists; use external scripting to avoid creating too many simultaneous LDAP connections (typically <100).
- Timeouts: dsadd relies on the LDAP client timeout (default 120 seconds). Adjust via the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientTimeout.
- Network overhead: Reduce round trips by pre-creating parent OUs. dsadd uses TCP port 389; MTU settings are handled by the OS.
- Parallelism: Use Start-Process or PowerShell jobs (as shown) to run multiple dsadd commands concurrently, throttled to avoid server overload.
For large bulk imports, consider using ldifde or csvde instead; dsadd is best for small-to-medium batches due to its sequential nature.
Security and Operational Best Practices
When using dsadd to create Active Directory objects, follow these security and operational guidelines to minimize risk and maintain auditability.
- IAM / Least-Privilege: Run dsadd under a delegated account that has write permissions only on the target OUs (e.g., OU=Users,OU=AcmeCo,DC=ss64,DC=com). Avoid using Domain Admin accounts; assign granular rights via AD Delegation Control.
- Authentication Knobs: Use the -pwd * flag to force a password prompt instead of embedding passwords in scripts. The special token $username$ in -hmdir is replaced with the SAM account name. Never pass plaintext passwords on the command line.
- Audit / Logging Hooks: Enable Advanced Audit Policy for User Account Management (Event ID 4720 on domain controllers). Use built-in Windows tools to query these events.
# Configure audit policy (run once on DC)
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
# Query last 5 user-creation events
wevtutil qe Security /q:"*[System[(EventID=4720)]]" /c:5 /rd:true /f:text
# PowerShell equivalent (for automation scripts)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4720} -MaxEvents 5 | Format-List
Regularly review these logs for unexpected object additions. Combine with scheduled dsquery runs to detect unauthorized accounts. Store dsadd scripts in version-controlled repositories and restrict execution to authorized administrators.
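The review described above, as an added example that is not part of the original page: it pulls the 4720 events from a domain controller's Security log, records who created each account, flags creations not performed by the approved provisioning account(s), and cross-checks the flagged accounts with dsquery. The account name svc-provision and the 24-hour window are assumptions.

```powershell
# Added example: flag user-account creations (Event ID 4720) by subjects other than the approved
# provisioning account(s). Run on a domain controller or against its Security log.
param(
    [string[]]$ApprovedCreators = @('svc-provision'),   # assumed delegated account(s) that run dsadd
    [int]$Hours = 24
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4720
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # EventData fields are only available through the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Sam      = $d['TargetUserName']
        Created  = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        By       = $d['SubjectUserName']
        Approved = $ApprovedCreators -contains $d['SubjectUserName']
    }
}

$suspect = @($report | Where-Object { -not $_.Approved })
if ($suspect.Count -gt 0) {
    # Cross-check with the directory: dsquery prints the DN if the account still exists
    $suspect | ForEach-Object {
        $_ | Add-Member -NotePropertyName StillExists -NotePropertyValue ([bool](dsquery user -samid $_.Sam 2>$null)) -PassThru
    } | Format-Table Time, Created, By, StillExists -AutoSize
    Write-Warning "$($suspect.Count) account creation(s) by non-approved subjects in the last $Hours h"
} else {
    Write-Host "All $(@($report).Count) account creation(s) in the last $Hours h were made by approved accounts."
}
```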
Frequently Asked Questions
What is the difference between dsadd user and dsadd computer?
Answer: dsadd user creates a user object in Active Directory; dsadd computer creates a computer object (security principal) in the Computers container or specified OU. Both use similar DN parameters, but dsadd computer automatically assigns a random password and requires domain admin privileges. For computer objects, you typically cannot specify -samid; the CN becomes the SAM account name. Use dsadd user -samid <sAMAccountName> for users.
dsadd user "CN=jsmith,OU=Users,DC=contoso,DC=com" -samid jsmith -pwd P@ssw0rd -upn jsmith@contoso.com
When should I use the -pwd flag with dsadd user?
Answer: Use -pwd to set the initial password for a new AD user. If you skip -pwd, the account is created in a disabled state (password not set). You must later enable and set password via Active Directory Users and Computers or dsmod user. The password must meet domain complexity requirements.
dsadd user "CN=jdoe,OU=Sales,DC=contoso,DC=com" -samid jdoe -pwd P@ssword123
How do I fix error 0x6 “The specified account already exists” when running dsadd user?
Answer: This error occurs when the SAM account name (-samid) or user principal name (-upn) already exists in the domain. First, verify no duplicate via dsquery user -samid <name>. If you intend to reuse the account, use dsmod to modify properties instead. Alternatively, delete the object carefully with dsrm. Ensure you are not attempting to create a user with a pre-existing GUID.
dsquery user -samid jsmith
Prints the DN if the account exists; no output means the SAM account name is free.
Does dsadd work on Windows 11 or only on Windows Server domain controllers?
Answer: dsadd works on any Windows system with Active Directory module installed (RSAT), including Windows 11 Pro/Enterprise, not only domain controllers. To use dsadd, install Remote Server Administration Tools (RSAT). On Windows 11, enable “RSAT: AD DS and AD LDS Tools” via Optional Features. The tool connects to any writable domain controller. It is deprecated in favor of PowerShell AD cmdlets but still functional.
# Install RSAT on Windows 11
Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online
What is the fastest way to bulk-create 500 users with dsadd?
Answer: Use a for loop in Command Prompt or PowerShell reading from a CSV file, calling dsadd user per line. For maximum speed, pre-compute DNs and minimize attribute modification. Example with PowerShell: Import-Csv and pipe to ForEach-Object executing dsadd. Alternatively, use dsadd with a helper script that generates the command. Note: PowerShell’s New-ADUser is faster for large batches.
for /f "tokens=1-3 delims=," %a in (users.csv) do dsadd user "CN=%a,OU=Users,DC=contoso,DC=com" -samid %b -pwd %c

Command Line Expert & Software Engineer
Welcome! I’m Thomas Heinrich, a software engineer and system administrator with a deep passion for the Command Line Interface (CLI). With years of experience navigating the terminal, building backend architectures, and automating server deployments, I created this space to share practical, real-world terminal knowledge.
Whether you are a beginner taking your first steps in a Linux environment or a seasoned DevOps engineer looking to optimize your deployment scripts, you will find actionable solutions here. My goal is to help you ditch the mouse, speed up your workflow, and harness the full power of the command line.