Active Directory: DSQUERY Commands
Start DSQuery
Open DSQUERY GUI Window
rundll32 dsquery,OpenQueryWindow
Querying Users & Groups
Find out Account Expiry date
dsquery user -name * -limit 0 | dsget user -samid -acctexpires
Get all sAMAccount names
dsquery user -o rdn -limit 0
Retrieve the DN of all users in the domain that are not direct members of a specified group
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(!(memberOf=Groupname,ou=West,
dc=Contoso,dc=com))) -limit 0 > NotInGroup.txt
Find all contacts in the organizational unit (OU)
dsquery contact OU=Sales,DC=Contoso,DC=Com
List of all users with primary group "Domain Users"
dsquery * -filter "(primaryGroupID=513)" -limit 0
(You can change the "primaryGroupID" as per your requirement)
513:Domain Users
514:Domain Guests
515:Domain Computers
516:Domain Controllers
Find all members for a particular group.
dsget group "<DN of the group>" -members
Find all groups for a particular member (including nested groups)
dsget user "<DN of the user>" -memberof -expand
dsquery user -samid "username" | dsget user -memberof -expand
Get the Groups name form Users container
dsquery group -o rdn cn=users,dc=contoso,dc=com
Get the members from a Group
dsquery group -samid "CS_CLUB_ACCOUNTS" | dsget group -members -expand | dsget user -samid
Find disabled users
dsquery user "dc=ssig,dc=com" -disabled
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"
Find all the active users
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
Find users logon name by their mail address for bulk users
For Single user
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(mail=e-mailaddress))" -attr name
For bulk users
for /f %%x in (%1) do dsquery * domainroot -filter "(&(objectcategory=person)(objectclass=user)(mail=%%x))" -attr name
Find all groups of a user is memberof without the DN's
dsquery user -samid anthony | dsget user -memberof | dsget group -samid
dsquery user -samid (provide the samaccount name of the user) | dsget user -memberof | dsget group -samid
Find all members for a OU.
dsquery user ou=targetOU,dc=domain,dc=com
Find all groups for a OU.
dsquery group ou=targetOU,dc=domain,dc=com
To get the members status from the active directory group
dsquery group -samid “Group Pre-Win2k Name” | dsget group -members | dsget user -disabled -display
Extract the all groups from an OU with Group Scope & Group Type.
Find the below snap for your reference.
C:\dsquery group "ou=test,dc=gs,dc=com" -limit 0 | dsget group -samid -scope -secgrp
Display a list of users from the OU "Customer Support",
This list can then be forwarded to dsget that can provide detailed information about objects.
In the example, the requested user list is headed by the pipe symbol after dsget that
- -outputs then the sAMAccountName for all users and email address.
If we wanted to carry out modifications to the information returned by DSQuery user list,
we could send the result to dsmod, which for us is making changes to all users.
In below snap shows the change in the command ensures that all users of DSQuery
- -user list must change their passwords at next logon.
Another way to get the user attributes from an OU. Find the below snap & dsquery for that.
C:\dsquery * "ou=test,DC=contoso,DC=com" -filter "(&(objectcategory=person) (objectclass=user))" -limit 0
-attr samaccountname description department title
Find User Attributes
Displays properties of users or other objects.
In this example, it displays the 6 groups that explicitly list the Administrator as member
Note: The -memberof -expand combination recursively expands the list of groups of which the user is a member. In this example, the Users group is added to the list because Domain Users is a member of the Users group.
dsget user cn=Administrator,cn=Users,dc=contoso,dc=com -memberof
find lastLogonTimestamp for all users for a domain
dsquery * -filter "&(objectClass=person)(objectCategory=user)" -attr cn lastLogonTimestamp -limit 0
Inactive users are go to disable state
dsquery * <ou> -filter "(&(objectCategory=Person)(objectClass=User)(!accountExpires=0)(!accountExpires=9223372036854775807))" | dsmod user -disabled yes
Find all attributes for all users
Dsquery * -limit 0 -filter "&(objectClass=User)(objectCategory=Person)" -attr * >>output123.txt
Find memberof , lastlogontimestamp , homemta(Mail server) , Samaccountname & so on(Repadmin /showattr <DCname> <"DN">)
dsquery * "<DN>" -scope base -attr lastlogontimestamp memberoff
repadmin /showattr <DCNAME> <"DN"> /attrs:lastlogon,homemta,whencreated,lastlogontimestamp,samaccountname
Find memberof , lastlogontimestamp , homemta(Mail server) , Samaccountname & so on for "n" number of users
Create a batch file(for /f "eol= tokens=* delims= usebackq" %%x in (%1) do dsquery * %%x -scope base -attr sAMAccountName objectsid whencreated lastlogontimestamp mail homeMTA memberof) e.g ds.bat
Create a text file (All users DN e.g:dn.txt)
Open cmd & run ds.bat dn.txt >> c:\attr.txt
Find particular user attribute using LDAP Filter
C:\dsquery * -filter (samaccountname=biz) -attr name whenchanged
name whenchanged
biz 01/03/2014 07:02:14
Find SID of a user
dsquery user -samid <bbiswas> | dsget user -sid
dsquery * -filter (samaccountname=santhosh) – attr sid
Find sIDHistory of a user
Dsquery * -filter (samaccoutname=santhosh) – attr siDhistory
Update users
Modify user last name
dsmod user <dn> -ln "<last name>"
Expire use account.
dsquery * "dc=contoso,dc=com" -filter "(&(objectCategory=Person)(objectClass=User)(!accountExpires=0)(!accountExpires=9223372036854775807)) " -attr sAMAccountname displayName
Computers
Find enabled computer accounts in an OU
dsquery computer OU=Test,DC=sivarajan,DC=com -limit 5000 | dsget computer -dn -disabled | find /i " no"
Count enabled computer accounts in an OU
dsquery computer OU=Test,DC=sivarajan,DC=com -limit 5000 | dsget computer -dn -disabled | find /c /i " no"
Find DN for n number of computers
for /f %%x in (%1) do dsquery computer -name %%x
(Create a batch file with line & create a txt file computer.txt
open cmd >>>>>>batchfile computer.txt >> c:\dn.txt
Find all groups of a computer account without giving the DNs
dsquery computer -name test1 | dsget computer -memberof | dsget group -samid
Computer attributes
Find OS
dsquery * <"DN"> -scope base -attr operatingSystem
Servers & DC
Find the GCs
DsQuery Server -domain contoso.com -isgc
Get all the servers in the forest
dsquery server -forest -limit 0 | dsget server -dnsname -site -isgc
AD DS Settings
Display all attributes of the contoso.com domain object
dsquery * -filter (dc=contoso) -attr *
ADDS existing connection point objects
dsquery * forestroot -filter (objectclass=serviceconnectionpoint)
Get tombstonelifetime
dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com" -scope base -attr tombstonelifetime
Find the DNS servers from all the DNS partitions.
dsquery * "CN=Configuration,DC=contoso,DC=com" -filter "(&(objectClass=crossRef)(objectCategory=crossRef)(systemFlags=5))" -attr NcName msDS-NC-Replica-Locations
Find Forestprep , domainprep & RodcPrep is done or not
C:\dsquery * CN=ActiveDirectoryUpdate,CN=ForestUpdates,cn=configuration,dc=msft ,dc=net -scope base -attr revision revision 5
C:\dsquery * CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,cn=configuration,dc= msft,dc=net -scope base -attr revision revision 2
Find the Functional Levels of Active Directory
dsquery * "DC=contoso,DC=com" -scope base -attr msDS-Behavior-Version ntMixedDomain
0, 0 Windows 2000 Native domain Level
0, 1 Windows 2000 Mixed domain Level
2, 0 Windows 2003 Domain Level
3, 0 Windows 2008 Domain Level
4, 0 Windows 2008 R2 Domain Level
To list the distinguished names of all directory partitions in the current forest
dsquery partition
Below example for single domain
Below example for parent/child domain
AD Subnet & sites
Find Subnet with associated site
dsquery subnet -name <CIDR> | dsget subnet
Find site
dsquery site -name * -limit 0
dsquery server -s <server> | dsget server -site
Find Site name by server name
dsquery server -name test1 | dsget server -site
dsquery server -name (provide the server name for DN) | dsget server -site
To list the relative distinguished names of all sites that are defined in the directory
dsquery site -limit 0
AD Schema
Find Schema version
dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion
or
schupgr
Shortest command for finding the schema version
AD Replication
Displays the names of all attributes (150) that Windows Server 2003 replicates to Global Catalog servers.
(If the command displays no attributes, ensure that you typed TRUE in capital letters
>dsquery * cn=Schema,cn=Configuration,dc=contoso,dc=com -filter "(&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))" -limit 0 -attr name
AD Roles
Display the DNS host name, the site name, and whether the server is Global Catalog (GC) server for each domain controller
dsquery server | dsget server -dnsname -site -isgc
Find RODC
dsquery server -isreadonly
Find if the Domain Controller is a Global Catalog (GC) or not
dsquery server -name test1 | dsget server -isgc
Find PDC role holder for the existing domain
dsquery server -hasfsmo PDC
Find Infrastructure Master role holder existing domain
dsquery server -hasfsmo INFR
Find RID master role holder for existing domain
dsquery server -hasfsmo RID
Find Schema master role holder in a Forest
dsquery server -forest -hasfsmo Schema
Find Domain Naming Master in a Forest
dsquery server -forest -hasfsmo Name
Find all the subnets for the given site
dsquery subnet -o rdn -site <site name>
Command to find all DCs in the given site
dsquery server -o rdn -site <site name>
Command to find all DCs in the Forest
dsquery server -o rdn -forest
Show How Many Times wrong Password has been entered on a specified domain controller.
dsquery * -filter "(sAMAccountName=jsmith)" -s MyServer -attr givenName sn badPwdCount
The badPwdCount attribute is not replicated, so a different value is saved for each user on each domain controller.
Fine Granted Password Policy
find the 'PSO Applies to'
i)dsget user <user DN> -effectivepso
Example:
C:\dsget user "CN=bshwjt,OU=pso,DC=contoso,DC=com" - effectivepso
effectivepso
"CN=test,CN=Password Settings Container,CN=System,DC=contoso,DC=com"
dsget succeeded
("bshwjt" is the user and test is the "PSO" also see the below snap)
Find the PSO settings
C:\dsquery * "<CN=your pso name>,CN=Password Settings Container,CN=System,DC=contoso,DC=com" -scope base -attr *
The output of the dsquery command can be used as input for the dsget command by using a pipe ( | ).
In this example, the SAM account name and the security ID (SID) of each user is displayed.
dsquery user | dsget user -samid -sid -limit 0 >> c:\Allusers-samid-sid.txt
Exchange server
Find mail box
dsquery * -filter "samaccountname=biswajit" -attr homemdb
find the Schema Version for Exchange Servers.
dsquery * CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr rangeUpper
Hyper-V
Find all Hyper-V hosts in your forest
C:\dsquery * forestroot -filter "&(cn=Microsoft Hyper-V)(objectCategory=serviceconnectionpoint)" -attr servicebindinginformation >> c:\hyper-v.txt
Find all windows virtual machine in your forest
C:\dsquery * forestroot -filter "&(cn=windows virtual machine)(objectCategory=serviceconnectionpoint)" -limit 0 -attr * >> c:\allvirtualPCs.txt
DNS application partition
Find the DNS servers from DomainDNSZones & ForestDNSzones
C:\dsquery * DC=DomainDnsZones,DC=contoso,DC=com -scope base -attr msDs-masteredBy
C:\dsquery * DC=forestDnsZones,DC=contoso,DC=com -scope base -attr msDs-masteredBy
Find the object for DES-Only-Encryption
dsquery * -filter "(UserAccountControl:1.2.840.113556.1.4.803:=2097152)"
See also
More on Active Directory: LDAP Syntax Filters
References
For more switch see the below link.
See the below link for custom filters:
DSQuery info
Find the Blogs for more DSQUERY, those are very helpful and effective.
Technet Link
http://technet.microsoft.com/en-us/library/cc754232%28WS.10%29.aspx#BKMK_examplesDSQuery
DSQuery, And Then Some
http://mcpmag.com/articles/2007/08/01/dsquery-and-then-some.aspx