Monday, March 29, 2010

Directory service command-line tools

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2



Directory service command-line tools are a suite of tools that you can use to manage the various objects in Active Directory and to perform queries for information in the directory. You can use directory service command-line tools by opening a command prompt on a Domain Controller. To open a command prompt, click Start, click Run, type cmd, and then press ENTER.

The following list provides a brief description of each command-line tool and its functionality:

  • dsadd--Adds objects to the directory. For more information, see Dsadd [ http://technet.microsoft.com/en-us/library/cc755811(WS.10).aspx ] .
  • dsget--Displays properties of objects in the directory. For more information, see Dsget [ http://technet.microsoft.com/en-us/library/cc755876(WS.10).aspx ] .
  • dsmod--Modifies select attributes of an existing object in the directory. For more information, see Dsmod [ http://technet.microsoft.com/en-us/library/cc755470(WS.10).aspx ] .
  • dsquery--Finds objects in the directory that match a specified search criteria. For more information, see Dsquery [ http://technet.microsoft.com/en-us/library/cc755655(WS.10).aspx ] .
  • dsmove--Moves an object from its current location to a new parent location. For more information, see Dsmove [ http://technet.microsoft.com/en-us/library/cc773242(WS.10).aspx ] .
  • dsrm--Removes an object, the complete subtree under an object in the directory, or both. For more information, see Dsrm [ http://technet.microsoft.com/en-us/library/cc755841(WS.10).aspx ] .

Target object types

All of the command-line tools can operate on a variety of object types in the directory. Each command that accepts object-specific arguments allows you to enter a target object type as an argument along with the identity of the target object upon which the command will operate. The target object type is specified as a string literal representing the object class from a predefined set of string literals. For example, in the command dsmod computer, computer is the string literal specifying the object type.

The identity of the target object is specified following the object type and in the format of a distinguished name (the value of an object's distinguished name attribute). For example, the distinguished name of a user object may be CN=Jeff Smith,OU=Sales,DC=microsoft,DC=com.

In the following command, computer specifies the object type being modified and CN=Jeff Smith,OU=Sales,DC=microsoft,DC=com identifies the target object to be modified:


dsmod computer "CN=Jeff Smith,OU=Sales,DC=microsoft,DC=com" -disabled yes

Running commands on the network

Each tool has parameters that allow you to specify the server, domain, user name, and password to use when running the command. For example, here is the syntax for the dsadd computer command:

dsadd computer ObjectDN [-samid SAMName] [-desc Description] [-loc Location] [-memberof Group ...] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-q]

If these parameters are not entered, the tool uses the local server, domain, user name, and password.

Command Syntax

The following conventions are used to document the syntax of the directory service command-line tools:

  • The option for a target object's distinguished name attribute is displayed as ObjectDN or ObjectDN ... when you can specify multiple objects.
  • A command does not perform any operation without an object type, such as computer, and any of the object type's required parameters, such as a target object's distinguished name, ObjectDN.
  • For certain commands, if the user does not specify a target object at the command prompt, the target object is obtained from standard input. Obtaining values from standard input allows you to pipe output from one command into another.
  • Target object syntaxes that use the "..." (ellipsis) character indicate that a list of distinguished names can be specified, with each distinguished name separated by a space, unless noted otherwise. For example, the following parameter accepts multiple distinguished names:

    -memberof Group ...

    If the distinguished names themselves contain spaces, then they should be enclosed with quotation marks (" ").

    Commas that are not used as separators in distinguished names must be escaped with the backslash (\) character (for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com"). Backslashes used in distinguished names must be escaped with a backslash (for example, "CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,DC=com").

Command input

  • All parameters are case insensitive.
  • Command-line parameters can be specified with either a hyphen (-) or forward slash (/) character.
  • A command line parameter and any corresponding values for the parameter should be separated by at least one space.
  • When reading from standard input, both space and newline characters are treated as argument separators.
  • An empty string or null string value can be specified by quotation marks ("") with no characters enclosed between the quotes. An empty string value is not the same as a missing value. A parameter value of "" (NULL string) will be treated as a request to delete the attribute value(s) from the target object.
  • Help on any command can be requested with /? (for example, dsadd computer /?).
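The escaping and quoting rules above matter most when a name comes from user input: an unescaped comma would add an extra component to the distinguished name. The following is an added example, not part of the original documentation; the function names are hypothetical and only the comma and backslash rules stated on this page are implemented.

```python
"""Build distinguished names for the ds* tools from untrusted name parts.

Added example; function names are hypothetical. Only the two escaping rules
stated on this page (comma and backslash) are implemented.
"""

# The page gives no escaping rule for these, so reject them instead of guessing.
_UNSUPPORTED = set('"\r\n\t')


def escape_value(value):
    """Escape one attribute value for use inside a distinguished name."""
    if not value or _UNSUPPORTED & set(value):
        raise ValueError("empty value or unsupported character: %r" % (value,))
    # Double backslashes first so the backslash added for a comma stays single.
    return value.replace("\\", "\\\\").replace(",", "\\,")


def build_dn(parts):
    """Join (attribute, value) pairs, most specific first, into a DN."""
    return ",".join("%s=%s" % (attr, escape_value(val)) for attr, val in parts)


def split_dn(dn):
    """Split a DN on unescaped commas; escaped characters stay in place."""
    components, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            components.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    components.append("".join(current))
    return components


def quote_dn(dn):
    """Enclose a DN in quotation marks when it contains a space."""
    return '"%s"' % dn if " " in dn else dn


def stdin_lines(dns):
    """Format DNs for piping: space and newline both separate arguments on
    standard input, so every DN goes on its own line, quoted if needed."""
    return "".join(quote_dn(dn) + "\n" for dn in dns)


if __name__ == "__main__":
    # Constructed input: a display name that tries to smuggle in an extra OU.
    hostile = build_dn([("CN", "Smith,OU=Admins"), ("OU", "Sales"),
                        ("DC", "microsoft"), ("DC", "com")])
    print(hostile)            # CN=Smith\,OU=Admins,OU=Sales,DC=microsoft,DC=com
    print(split_dn(hostile))  # still four components
    print(stdin_lines([hostile, "CN=Jeff Smith,OU=Sales,DC=microsoft,DC=com"]))
```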

Command output

The following are the conventions for displaying data, status messages, errors, and warnings that result from running commands:

  • Successful command completion status messages are written to standard output.
  • Any data displayed by a command is written to standard output.
  • Any warning or error messages are written to standard error.
  • Exit codes (error levels) use 0 to indicate success. If an operation is not successful, the exit code will be a value in HRESULT format. For example, the value for the HRESULT E_FAIL is 0x80004005.
  • If the quiet mode is specified for a command (using the -q parameter), then all output to standard output is suppressed. However, any messages to standard error are not suppressed as a result of quiet mode.
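Because quiet mode suppresses standard output but not standard error, a script should decide success from the exit code and read errors from standard error. The following added example (not from the original documentation) wraps a ds* command that way and decodes the exit code as an HRESULT; the wrapper names, the fake runner and its error text are constructed for illustration.

```python
"""Run a ds* tool and judge the result by exit code and standard error.

Added example; run_ds_tool and decode_exit_code are hypothetical helpers.
"""
import subprocess
from types import SimpleNamespace


def decode_exit_code(exit_code):
    """Split an exit code into HRESULT fields.

    cmd.exe shows a failing HRESULT as a negative number while other callers
    see it unsigned, so mask to 32 bits before formatting.
    """
    hr = exit_code & 0xFFFFFFFF
    return {
        "hresult": "0x%08X" % hr,
        "failed": bool(hr & 0x80000000),   # severity bit of an HRESULT
        "facility": (hr >> 16) & 0x7FF,    # 11-bit facility field
        "code": hr & 0xFFFF,               # 16-bit status code
    }


def run_ds_tool(argv, run=subprocess.run):
    """Run one command; `run` is injectable so the logic can be tested offline."""
    proc = run(argv, capture_output=True, text=True)
    status = decode_exit_code(proc.returncode)
    return {
        "ok": proc.returncode == 0,        # 0 is the only success value
        "hresult": status["hresult"],
        # Data and completion messages arrive on standard output (empty with -q).
        "data": [line for line in proc.stdout.splitlines() if line.strip()],
        # Warnings and errors arrive on standard error, even with -q.
        "errors": proc.stderr.strip(),
    }


def fake_quiet_failure(argv, **kwargs):
    """Constructed stand-in for a failing -q run: no stdout, text on stderr."""
    return SimpleNamespace(
        returncode=-2147467259,            # E_FAIL as cmd.exe would display it
        stdout="",
        stderr="constructed sample error text\n",
    )


if __name__ == "__main__":
    argv = ["dsmod", "computer", "CN=Jeff Smith,OU=Sales,DC=microsoft,DC=com",
            "-disabled", "yes", "-q"]
    result = run_ds_tool(argv, run=fake_quiet_failure)
    print(result["ok"], result["hresult"], result["errors"])
```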

Managing users with the Windows interface

When creating new users and groups, we can do one of two things:

1. Add users and groups using the Windows interface

2. Use the command line

Using the Windows interface

  1. Open Active Directory Users and Computers.
  2. In the console tree, right-click the folder in which you want to add a user account.

     Where?
     • Active Directory Users and Computers/domain node/folder
  3. Point to New, and then click User.
  4. In First name, type the user's first name.
  5. In Initials, type the user's initials.
  6. In Last name, type the user's last name.
  7. Modify Full name to add initials or reverse order of first and last names.
  8. In User logon name, type the user logon name, click the UPN suffix in the drop-down list, and then click Next.

     If the user will use a different name to log on to computers running Windows 95, Windows 98, or Windows NT, then you can change the user logon name as it appears in User logon name (pre-Windows 2000) to the different name.
  9. In Password and Confirm password, type the user's password, and then select the appropriate password options.

Note: To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups [ http://technet.microsoft.com/en-us/library/cc785098(WS.10).aspx ] , Default groups [ http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx ] , and Using Run as [ http://technet.microsoft.com/en-us/library/cc780931(WS.10).aspx ] .

  • To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
  • To add a user, you can also click

    on the toolbar.
  • To add a user, you can also copy any previously created user account. For more information, see Related Topics.
  • A new user account with the same name as a previously deleted user account does not automatically assume the permissions and group memberships of the previously deleted account because the security ID (SID) for each account is unique. To duplicate a deleted user account, all permissions and memberships must be manually recreated.
  • For interoperability with other directory services, you can create an InetOrgPerson user object. To create a new inetOrgPerson, in step three, click InetOrgPerson instead of User. For more information about InetOrgPerson, see User and computer accounts in Related Topics.
  • When creating a new user, the full name attribute is created in the FirstNameLastName format by default. The full name attribute also governs the display name format that is shown in the global address list. You can change the display name format by using ADSI Edit. If you do so, this will also change the full name format. For more information, see article Q250455, "How to Change Display Names of Active Directory Users" in the Microsoft Knowledge Base [ http://go.microsoft.com/fwlink/?LinkId=4441 ] .
  • Windows NT 4.0 and earlier domains allow the use of a period (.) at the end of a user logon name as long as the user logon name does not consist solely of period characters. Windows Server 2003 domains do not allow the use of a period or multiple periods at the end of a user logon name.

Security Groups

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Before modifying any security settings, it is important to take into consideration the default settings.

There are three fundamental levels of security that are granted to users. These are granted to end users through membership in the Administrators, Power Users, or Users groups.

Administrators

The Administrators group is provided to perform computer maintenance tasks. The default permissions allotted to this group allow complete control over the entire system. As a result, only trusted personnel should be members of this group.

Power Users

Members of the Power Users group have more permissions than members of the Users group and fewer than members of the Administrators group. Power Users can perform any operating system task except tasks reserved for the Administrators group. The default permissions that are allotted to the Power Users group allow members of the Power Users group to modify computerwide settings.

When you upgrade from Windows NT 4.0, members of the Restricted Users group are automatically placed in the Power Users group to prevent backward compatibility issues with the applications that your organization used before the upgrade. Many applications used on Windows NT 4.0 required elevated permissions to run correctly. The default Windows 2000, Windows XP Professional, and Windows Server 2003 family security settings for Power Users are very similar to the default security settings for Users in Windows NT 4.0. Any program that a user can run in Windows NT 4.0, a Power User can run in Windows 2000, Windows XP Professional or Windows Server 2003 family.

If you do not want end users to have the elevated permissions of the Power Users group, you can make them members of the Users group and only run applications that belong to the Windows Logo program for Software. If applications that do not belong to the Windows Logo program for Software must be supported, then end users will need to be part of the Power Users group. For information about the Windows Logo program for Software, see the Windows Logo program for Software on the Microsoft Web site [ http://go.microsoft.com/fwlink/?LinkId=3688 ] .

Power Users can:

  • Run legacy applications, in addition to applications for Windows 2000, Windows XP Professional, or the Windows Server 2003 family that belong to the Windows Logo program for Software.
  • Install programs that do not modify operating system files or install system services.
  • Customize systemwide resources including printers, date, time, power options, and other Control Panel resources.
  • Create and manage local user accounts and groups.
  • Stop and start system services which are not started by default.

Power Users do not have permission to add themselves to the Administrators group. Power Users do not have access to the data of other users on an NTFS volume, unless those users grant them permission.

Caution

  • Running legacy programs on Windows 2000, Windows XP Professional, or a member of the Windows Server 2003 family often requires you to modify access to certain system settings. The same default permissions that allow Power Users to run legacy programs also make it possible for a Power User to gain additional privileges on the system, even complete administrative control. Therefore, it is important to deploy applications belonging to the Windows Logo program for Software in order to achieve maximum security without sacrificing program functionality. These programs can run successfully under the Secure configuration that is provided by the Users group.
  • Since Power Users can install or modify programs, running as a Power User when connected to the Internet could make the system vulnerable to Trojan horse programs and other security risks.

Users

The Users group is the most secure, because the default permissions allotted to this group do not allow members to modify operating system settings or other users' data.

The Users group provides the most secure environment in which to run programs. On a volume formatted with the NTFS file system, the default security settings on a newly-installed system (but not on an upgraded system) are designed to prevent members of this group from compromising the integrity of the operating system and installed programs. Users cannot modify systemwide registry settings, operating system files, or program files. Users can shut down workstations but not servers. Users can create local groups, but can manage only the local groups that they created. They can run Windows 2000, Windows XP Professional, or a member of the Windows Server 2003 family programs that belong to the Windows Logo program for Software that have been installed or deployed by administrators. Users have full control over all of their own data files (stored at %userprofile%) and their own portion of the registry (located in HKEY_CURRENT_USER).

Note that user-level permissions often do not allow the user to successfully run legacy applications. To run these legacy applications, you must either loosen security to allow members of the Users group to run the applications or you must promote members of the Users group to the Power Users group. Both options decrease the security of your organization. Since members of the Users group are guaranteed to be able to run applications belonging to the Windows Logo program for Software, it is a best practice to only use applications that belong to the Windows Logo program for Software. For more information, see the Windows Logo program for Software on the Microsoft Web site [ http://go.microsoft.com/fwlink/?LinkId=3688 ] .

To secure a system running Windows 2000, Windows XP Professional, or a member of the Windows Server 2003 family, an administrator should:

  • Make sure that end users are members of the Users group only.
  • Deploy programs that members of the Users group can run successfully, such as programs that belong to the Windows Logo program for Software.
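One way to check the first recommendation is to review who actually holds membership in the elevated local groups described in this section. The following added example (not from the original documentation) parses English-language `net localgroup` output and reports members that are not on an approved list; the account names, the approved lists and the sample output are constructed.

```python
"""Report unexpected members of elevated local groups.

Added example; helper names are hypothetical. Group names come from this
page; account names and approved lists are constructed for illustration.
"""
import subprocess

ELEVATED_GROUPS = ("Administrators", "Power Users", "Backup Operators")

_RULE = "-" * 79

# Constructed sample of English-language `net localgroup "<group>"` output.
SAMPLE_OUTPUT = {
    "Administrators": (
        "Alias name     Administrators\n"
        "Comment        (constructed sample)\n\nMembers\n\n" + _RULE + "\n"
        "Administrator\nEXAMPLE\\Domain Admins\nEXAMPLE\\jsmith\n"
        "The command completed successfully.\n"
    ),
    "Power Users": (
        "Alias name     Power Users\n"
        "Comment        (constructed sample)\n\nMembers\n\n" + _RULE + "\n"
        "NT AUTHORITY\\INTERACTIVE\nEXAMPLE\\akhan\n"
        "The command completed successfully.\n"
    ),
    "Backup Operators": (
        "Alias name     Backup Operators\n"
        "Comment        (constructed sample)\n\nMembers\n\n" + _RULE + "\n"
        "EXAMPLE\\svc-backup\n"
        "The command completed successfully.\n"
    ),
}

# Constructed approved membership, lower-cased for comparison.
APPROVED = {
    "Administrators": {"administrator", "example\\domain admins"},
    "Power Users": set(),
    "Backup Operators": {"example\\svc-backup"},
}


def parse_localgroup(output):
    """Return member names listed between the dashed rule and the status line."""
    members, in_members = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("---"):
            in_members = True
            continue
        if not in_members or not line:
            continue
        if line.startswith("The command completed"):
            break
        members.append(line)
    return members


def audit(outputs, approved):
    """Return sorted (group, member) pairs that are not on the approved list."""
    findings = []
    for group, output in outputs.items():
        allowed = approved.get(group, set())
        for member in parse_localgroup(output):
            if member.lower() not in allowed:
                findings.append((group, member))
    return sorted(findings)


def collect(groups=ELEVATED_GROUPS):
    """Gather live output on a Windows host; a missing group yields no members."""
    return {
        group: subprocess.run(["net", "localgroup", group],
                              capture_output=True, text=True).stdout
        for group in groups
    }


if __name__ == "__main__":
    for group, member in audit(SAMPLE_OUTPUT, APPROVED):
        print("%s: unexpected member %s" % (group, member))
```

The Interactive entry in the Power Users sample reflects the upgrade behaviour described under Other groups below; on such a system every logged-on user holds Power Users permissions until that entry is removed.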

Users will not be able to run most programs written for versions of Windows prior to Windows 2000, because they did not support file system and registry security (such as Windows 95 and Windows 98) or shipped with other default security settings (Windows NT). If you have problems running legacy applications on newly-installed NTFS systems, then do one of the following:

  1. Install new versions of the applications that belong to the Windows Logo program for Software.
  2. Move end users from the Users group into the Power Users group.
  3. Decrease the default security permissions for the Users group. This can be accomplished by using the Compatible security template.

The Anonymous group is no longer a member of the Everyone group

For Windows XP Professional and the Windows Server 2003 family, the Anonymous group is no longer a member of the Everyone group.

When a Windows 2000 system is upgraded to Windows XP Professional or the Windows Server 2003 family, resources with permission entries for the Everyone group (and not explicitly to the Anonymous Logon group) will no longer be available to Anonymous users after the upgrade. In most cases, this is an appropriate restriction on anonymous access. You may need to permit anonymous access in order to support pre-existing applications that require it. If you need to grant access to the Anonymous logon group, you should explicitly add the Anonymous Logon security group and its permissions.

However, in some situations where it might be difficult to determine and modify the permission entries on resources, you can change the Network access: Let Everyone permissions apply to anonymous users [ http://technet.microsoft.com/en-us/library/cc778182(WS.10).aspx ] security setting.

Other groups

  • Interactive. This group contains the user who is currently logged on to the computer. During an upgrade to Windows 2000, Windows XP Professional, or the Windows Server 2003 family, members of the Interactive group will also be added to the Power Users group, so that legacy applications will continue to function as they did before the upgrade.
  • Network. This group contains all users who are currently accessing the system over the network.
  • Backup Operators


    Members of the Backup Operators group can back up and restore files on the computer, regardless of any permissions that protect those files. They can also log on to the computer and shut it down, but they cannot change security settings.

    Caution
    • Backing up and restoring data files and system files requires permissions to read and write those files. The same default permissions granted to Backup Operators that allow them to back up and restore files also make it possible for them to use the group's permissions for other purposes, such as reading another user's files or installing Trojan horse programs. Group Policy settings can be used to create an environment in which Backup Operators only can run a backup program. For more information, see the Microsoft Security page on the Microsoft Web site [ http://go.microsoft.com/fwlink/?LinkId=102 ] .

Default local groups

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


The Groups folder located in the Local Users and Groups Microsoft Management Console (MMC) displays the default local groups as well as the local groups that you create. The default local groups are automatically created when you install a stand-alone server or a member server running Windows Server 2003. Belonging to a local group gives a user the rights and abilities to perform various tasks on the local computer. For more information about domain-based groups, see Default groups [ http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx ] .

You can add local user accounts, domain user accounts, computer accounts, and group accounts to local groups. However, you cannot add local user accounts and local group accounts to domain group accounts. For more information about adding members to local groups, see Add a member to a local group [ http://technet.microsoft.com/en-us/library/cc739265(WS.10).aspx] .

Note

  • To learn what group you need to be a member of to perform a particular procedure, many procedural topics under How To in Help and Support Center provide a note that identifies this information.

The following table provides descriptions of the default groups located in the Groups folder and lists the assigned user rights for each group. These rights are assigned within the local security policy. For complete descriptions of the user rights listed in the table, see User Rights Assignment [ http://technet.microsoft.com/en-us/library/cc780182(WS.10).aspx] . For information about editing these rights, see Assign user rights for your local computer [ http://technet.microsoft.com/en-us/library/cc739028(WS.10).aspx ] .


Group / Description / Default user rights

Administrators

Members of this group have full control of the server and can assign user rights and access control permissions to users as necessary. The Administrator account is also a default member. When this server is joined to a domain, the Domain Admins group is automatically added to this group. Because this group has full control of the server, add users with caution. For more information, see Default local groups [ http://technet.microsoft.com/en-us/library/cc785098(WS.10).aspx ] and Default groups [ http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx ] .

Access this computer from the network; Adjust memory quotas for a process; Allow log on locally; Allow log on through Terminal Services; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Force shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Manage auditing and security log; Modify firmware environment variables; Perform volume maintenance tasks; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.

Backup Operators

Members of this group can back up and restore files on the server, regardless of any permissions that protect those files. This is because the right to perform a backup takes precedence over all file permissions. They cannot change security settings.

Access this computer from the network; Allow log on locally; Back up files and directories; Bypass traverse checking; Restore files and directories; Shut down the system.

DHCP Administrators (installed with the DHCP Server service)

Members of this group have administrative access to the Dynamic Host Configuration Protocol (DHCP) Server service. This group provides a way to assign limited administrative access to the DHCP server only, while not providing full access to the server. Members of this group can administer DHCP on a server using the DHCP console or the Netsh command, but are not able to perform other administrative actions on the server.

No default user rights.

DHCP Users (installed with the DHCP Server service)

Members of this group have read-only access to the DHCP Server service. This allows members to view information and properties stored at a specified DHCP server. This information is useful to support staff when they need to obtain DHCP status reports.

No default user rights.

Guests

Members of this group will have a temporary profile created at log on, and when the member logs off, the profile will be deleted. The Guest account (which is disabled by default) is also a default member of this group.

No default user rights.

HelpServicesGroup

This group allows administrators to set rights common to all support applications. By default, the only group member is the account associated with Microsoft support applications, such as Remote Assistance. Do not add users to this group.

No default user rights.

Network Configuration Operators

Members of this group can make changes to TCP/IP settings and renew and release TCP/IP addresses. This group has no default members.

No default user rights.

Performance Monitor Users

Members of this group can monitor performance counters on the server locally and from remote clients without being a member of the Administrators or Performance Log Users groups.

No default user rights.

Performance Log Users

Members of this group can manage performance counters, logs and alerts on the server locally and from remote clients without being a member of the Administrators group.

No default user rights.

Power Users

Members of this group can create user accounts and then modify and delete the accounts they have created. They can create local groups and then add or remove users from the local groups they have created. They can also add or remove users from the Power Users, Users, and Guests groups. Members can create shared resources and administer the shared resources they have created. They cannot take ownership of files, back up or restore directories, load or unload device drivers, or manage security and auditing logs.

Access this computer from the network; Allow log on locally; Bypass traverse checking; Change the system time; Profile single process; Remove computer from docking station; Shut down the system.

Print Operators

Members of this group can manage printers and print queues.

No default user rights.

Remote Desktop Users

Members of this group can remotely log on to a server.

For more information, see Enabling users to connect remotely to the server [ http://technet.microsoft.com/en-us/library/cc781509(WS.10).aspx] .

Allow log on through Terminal Services.

Replicator

The Replicator group supports replication functions. The only member of the Replicator group should be a domain user account used to log on the Replicator services of a domain controller. Do not add user accounts of actual users to this group.

No default user rights.

Terminal Server Users

This group contains any users who are currently logged on to the system using Terminal Server. Any program that a user can run with Windows NT 4.0 will run for a member of the Terminal Server User group. The default permissions assigned to this group enable its members to run most earlier programs.

No default user rights.

Users

Members of this group can perform common tasks, such as running applications, using local and network printers, and locking the server. Users cannot share directories or create local printers. By default, the Domain Users, Authenticated Users, and Interactive groups are members of this group. Therefore, any user account created in the domain becomes a member of this group.

Access this computer from the network; Allow log on locally; Bypass traverse checking.

WINS Users (installed with WINS service)

Members of this group are permitted read-only access to Windows Internet Name Service (WINS). This allows members to view information and properties stored at a specified WINS server. This information is useful to support staff when they need to obtain WINS status reports.

No default user rights.

For more information about the most common default groups, see Default security settings for groups [ http://technet.microsoft.com/en-us/library/cc773320(WS.10).aspx ] .

Local user accounts

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


The Users folder located in the Local Users and Groups Microsoft Management Console (MMC) displays the default user accounts as well as the user accounts you create. These default user accounts are created automatically when you install a stand-alone server or member server running Windows Server 2003. The following table describes each default user account on servers running Windows Server 2003.


Default user account / Description

Administrator account

The Administrator account has full control of the server and can assign user rights and access control permissions to users as necessary. This account must be used only for tasks that require administrative credentials. It is highly recommended that you set up this account to use a strong password. For more information, see Strong passwords [ http://technet.microsoft.com/en-us/library/cc756109(WS.10).aspx ] . For additional security considerations for accounts with administrative credentials, see Local Users and Groups Best practices [ http://technet.microsoft.com/en-us/library/cc781451(WS.10).aspx ] .

The Administrator account is a member of the Administrators group on the server. The Administrator account can never be deleted or removed from the Administrators group, but it can be renamed or disabled. Because the Administrator account is known to exist on many versions of Windows, renaming or disabling this account will make it more difficult for malicious users to try and gain access to it. For more information about how to rename or disable a user account, see Rename a local user account [ http://technet.microsoft.com/en-us/library/cc738626(WS.10).aspx ] and Disable or activate a local user account [ http://technet.microsoft.com/en-us/library/cc781924(WS.10).aspx] .

The Administrator account is the account you use when you first set up the server. You use this account before you create an account for yourself.

Important

  • Even when the Administrator account has been disabled, it can still be used to gain access to a computer using Safe Mode.

Guest account

The Guest account is used by people who do not have an actual account on the computer. A user whose account is disabled, but not deleted, can also use the Guest account. The Guest account does not require a password. The Guest account is disabled by default, but you can enable it.

You can set rights and permissions for the Guest account just like any user account. By default, the Guest account is a member of the default Guests group, which allows a user to log on to a server. Additional rights, as well as any permissions, must be granted to the Guests group by a member of the Administrators group. The Guest account is disabled by default, and it is recommended that it stay disabled.

HelpAssistant account (installed with a Remote Assistance session)

The primary account used to establish a Remote Assistance session. This account is created automatically when you request a Remote Assistance session and has limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service and will be automatically deleted if no Remote Assistance requests are pending. For more information about Remote Assistance, see Administering Remote Assistance [ http://go.microsoft.com/fwlink/?linkid=38569] .

Local Users and Groups overview

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


Local Users and Groups is located in Computer Management, a collection of administrative tools that you can use to manage a single local or remote computer. You can use Local Users and Groups to secure and manage user accounts and groups stored locally on your computer. A local user or group account can be assigned permissions and rights on a particular computer and that computer only. Local Users and Groups is available on the following client and server operating systems:

  • Client computers running Microsoft® Windows® 2000 Professional or Windows XP Professional
  • Member servers running a product in the Microsoft Windows 2000 Server family or the Windows Server 2003 family
  • Stand-alone servers running a product in the Microsoft Windows 2000 Server family or the Windows Server 2003 family

Using Local Users and Groups you can limit the ability of users and groups to perform certain actions by assigning them rights and permissions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders or shutting down a computer. A permission is a rule associated with an object (usually a file, folder, or printer), and it regulates which users can have access to the object and in what manner.

You cannot use Local Users and Groups to view local user and group accounts once a member server has been promoted to a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers (that are not domain controllers) on the network. Use Active Directory Users and Computers to manage users and groups in Active Directory.

Add or upgrade server roles by using Manage Your Server

Applies To: Windows Server 2003 R2, Windows Server 2003 with SP2

After Setup is complete, you can add or upgrade server roles by using Manage Your Server. The File server role and the Print server role contain updates with Windows Server 2003 R2. Additionally, the Windows® SharePoint® Services role is a new server role with Windows Server 2003 R2.

To add or upgrade server roles by using Manage Your Server

  • Log on to the computer as an administrator.
  • Click Start, click Administrative Tools, and then click Manage Your Server.
  • Click Add or remove a role.
  • Follow the instructions in Configure Your Server Wizard. When you get to the Server Role page, select one of the following roles:
    • File Server
      Windows Server 2003 R2 components for file server include File Server Management, DFS Management, DFS Replication Service, File Server Resource Manager, Storage Management for SANs, Microsoft Services for Network File System, and Services for Macintosh.
    • SharePoint Services
      Windows Server 2003 R2 components for SharePoint Services include Windows SharePoint Services.
    • Print Server
      The Windows Server 2003 R2 component for Print Server is Print Management.
  • The Configure Your Server Wizard will install the components associated with the role that you select.

Command-line options for installing Windows Server 2003 R2

You can define the way Windows Server 2003 R2 is installed by using the following command-line options when you run Setup2.exe. These options are not case-sensitive.

Option
      Description

/q or /quiet
      Specifies that Windows Server 2003 R2 will be installed in quiet mode, without a user interface. When you use this option, no prompts appear during the installation process.

/p:ProductKey or /productkey:ProductKey
      Specifies the Product Key that should be used to install Windows Server 2003 R2. This parameter is required if you have not yet entered a Windows Server 2003 R2 Product Key.

      ProductKey must be specified in the AAAAA-AAAAA-AAAAA-AAAAA-AAAAA format.

/a or /accepteula
      Specifies that you accept the EULA. This parameter is required if you did not use Disc 1 to install Windows Server 2003.

      By using this option you are agreeing that you have read and accepted the terms of the applicable End User License Agreement (EULA) for Windows Server 2003 R2. You can find the following files in the \Cmpnents\R2 folder of Disc 2.

      • If you have received this product from an original equipment manufacturer (OEM), the applicable EULA is Eula_oem.txt.
      • If you have acquired the product in a retail store, the applicable EULA is Eula_retail.txt.
      • If you have an evaluation copy of Windows Server 2003 R2, the applicable EULA is Eula_eval.txt.

      Important: If you are not the end-user of this computer, before you use this option you will need to first verify that the end-user (whether an individual or an organization) has received, read, and accepted the terms of the Windows Server 2003 R2 EULA.

/cs or /createshortcut
      Creates a shortcut on the desktop to a document that describes the new Windows Server 2003 R2 components.

/sr or /suppressreboot
      Suppresses restart after the installation of Windows Server 2003 R2 is complete.

/?
      Displays the command-line options that you can use to install Windows Server 2003 R2.

Note: If you are using Setup2.exe in a script or answer file, you should start your command with cmd /c. This ensures that Windows Server 2003 R2 Setup is complete before executing the next command, for example:

      cmd /c setup2.exe /q /a /p:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /cs

Note: For information about how to create and modify the Unattend.txt file and to perform an unattended installation of Windows Server 2003 R2, see "Automating Windows Server 2003 R2 Setup" in Deploy.chm located in the \Docs folder of Windows Server 2003 R2 Disc 2.
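A scripted Setup2.exe command line can be checked against the option table and the cmd /c note above before it goes into a deployment script. The following is an added example, not part of the original page or of Setup2.exe; the function name and the rule that only the product key option takes a value are assumptions.

```python
import re

# Options documented on this page, short form -> long form.
OPTIONS = {"q": "quiet", "p": "productkey", "a": "accepteula",
           "cs": "createshortcut", "sr": "suppressreboot", "?": "?"}
LONG = set(OPTIONS.values())
# Assumption: each group of the AAAAA-AAAAA-... pattern is letters or digits.
KEY_RE = re.compile(r"^[A-Za-z0-9]{5}(-[A-Za-z0-9]{5}){4}$")


def lint_setup2(command):
    """Return a list of findings for one scripted Setup2.exe command line."""
    tokens = command.split()  # assumption: no spaces inside the path to Setup2.exe
    lowered = [t.lower() for t in tokens]
    exe = next((i for i, t in enumerate(lowered)
                if t.rsplit("\\", 1)[-1] in ("setup2.exe", "setup2")), None)
    if exe is None:
        return ["setup2.exe not found on the command line"]
    findings = []
    # Page note: in a script or answer file, start the command with cmd /c.
    if exe != 2 or lowered[:2] != ["cmd", "/c"]:
        findings.append("command does not start with cmd /c")
    seen = set()
    for tok in tokens[exe + 1:]:
        if not tok.startswith("/"):
            findings.append("unexpected argument: " + tok)
            continue
        name, _, value = tok[1:].partition(":")
        name = name.lower()  # options are not case-sensitive
        canon = OPTIONS.get(name, name if name in LONG else None)
        if canon is None:
            findings.append("unknown option: " + tok)
            continue
        if canon in seen:
            findings.append("option given more than once: /" + canon)
        seen.add(canon)
        if canon == "productkey":
            if not KEY_RE.match(value):
                findings.append("product key is not in 5x5 format")
        elif value:  # assumption: only the product key option takes a value
            findings.append("option takes no value: " + tok)
    return findings


# The first command is the page's own example; the second is constructed.
if __name__ == "__main__":
    for cmd in ("cmd /c setup2.exe /q /a /p:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /cs",
                "setup2.exe /Q /PRODUCTKEY:ABCDE-12345 /x"):
        print(cmd, "->", lint_setup2(cmd) or "ok")
```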