Active Directory Domain Services (AD DS) Commands and Scripts
Here are some useful commands and scripts for administering Active Directory.
For more information please see Active Directory Domain Services Command Reference (http://technet.microsoft.com/library/cc771131).
Source reference
http://portal.sivarajan.com/2011/08/searching-active-directory-using.html
User
Identify OCS enabled users in Active Directory
Dsquery * -filter (msRTCSIP-UserEnabled=TRUE) -limit 0 -attr name samaccountname
|
Query Password Last Set (pwdlastset) value
Dsquery * -filter "&(objectClass=User)(objectCategory=Person)" -limit 0
-attr name pwdlastset
|
Note: Time can be converted using the w32tm /ntte command.
Search Password Never Expires Settings
Dsquery * -limit 0 "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -attr samaccountname name
|
User accounts with no pwd required
Dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)userAccountControl:1.2.840.113556.1.4.803:=32))"
|
User accounts that are disabled
Dsquery *domainroot -filter "(&(objectCategory=Person)(objectClass=User)
(userAccountControl:1.2.840.113556.1.4.803:=2))"
|
dsget user
CN=User1,DC=santhosh,DC=la -acctexpiresdsquery * -limit 0
|
Password Expiring in 30 Days
dsquery * -limit 0 -filter "(&(objectCategory=person)(objectClass=user)
(userAccountControl:1.2.840.113556.1.4.803:=4194304))" -attr name samaccountname
|
User accounts with "Do not require kerberos preauthentication" enabled
Dsquery * -limit 0 "(&(objectCategory=person)(objectClass=user)
(!userAccountControl:1.2.840.113556.1.4.803:=8388608)(!userAccountControl:1.2.840.113556.1.4.803:=65536)
(pwdLastSet>=129522420000000000)(pwdLastSet<=129548340000000000))"
-attr samaccountname name
|
List all Roaming Profile users in Active Directory
Dsquery * -filter "&(objectClass=User)(objectCategory=Person)(profilePath=*) -limit 0 -name
|
Generate SIDHistory Report
Dsquery * -filter "&(objectClass=User)(objectCategory=Person)"
-attr samAccountName sidHistory
|
Generate SID (ObjectSID) Report
Dsquery * -filter "&(objectClass=User)(objectCategory=Person)"
-attr samAccountName Object
|
Group
Identify all Security Groups
dsquery * -filter "(&(objectCategory=group)
groupType:1.2.840.113556.1.4.804:=2147483648))" -attr samAccountName name
|
Identify all Built-In Security Groups
dsquery * -filter "(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.803:=2147483649))" -attr samAccountName name
|
Identify all Universal Security Groups
dsquery * -filter "(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.803:=2147483656))" -attr samAccountName name
|
Identify all Global Security Groups
dsquery * -filter "(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.803:=2147483650))" -attr samAccountName name
|
Computer
Move Computer Objects Based on OS Version
Move Windows 7 Computers
dsquery * CN=Computers,DC=santhosh,DC=lab -filter "(&(objectCategory=Computer)
(operatingSystemVersion=6.1))" | dsmove -newparent OU=Win7,OU=ComputerAccounts,DC=santhosh,DC=lab
|
Move Windows XP Computers
dsquery * CN=Computers,DC=santhosh,DC=lab -filter "(&(objectCategory=Computer)
(operatingSystemVersion=5.1))" | dsmove -newparent OU=WinXP,OU=ComputerAccounts,DC=santhosh,DC=lab
|
Site and Subnet
List all Sites in Active Directory
Get Site Name from Subnet IP Address in Active Directory
(For example, Site Name for Subnet 192.168.2.0/24)
Dsquery Subnet -Name 192.168.2.0/24 | Dsget Subnet -Site
|
Active Directory
When Active Directory installed
Dsquery * "CN=Configuration,DC=Santhosh,DC=lab" -attr Whencreated -Scope Base
|
Find Trusts from specified Domain
Dsquery * "CN=System,DC=Santhosh,DC=lab" -filter "(objectClass=trustedDomain)"
-attr TrustPartner FlatName
|
Find Servers in Active Directory with descriptions
Dsquery * DC=Santhosh,DC=lab -filter "(&(objectCategory=Computer)
(operatingSystem=*server*))"
-limit 0 -attr cn description
|
View all replicated attributes
Dsquery * CN=Schema,CN=Configuration,DC=Santhosg,DC=lab
-filter "(&(objectCategory=attributeSchema)(!systemFlags:1.2.840.113556.1.4.803:=1))" -limit 0
|
Find Tombstone and Garbage Collection
Dsquery *
"CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Santhosh,DC=lab"
-attr GarbageCollPeriod TombstoneLifetime
|
Find Group Policy GUIDs
Dsquery * "CN=Policies,CN=System,DC=Santhosh,DC=lab"
-filter (objectCategory=groupPolicyContainer) -attr Name DisplayName
|
Dsquery * "CN=Policies,CN=System,DC=Santhosh,DC=lab"-filter "(objectCategory=groupPolicyContainer)"
-attr displayName cn whenCreated gPCFileSysPath
|
Enumerate the trusts from the specified domain
Dsquery * "CN=System,DC=Santhosh,DC=lab" -filter "(objectClass=trustedDomain)"-attr TrustPartner FlatName
|
Dsquery * "CN=Subnets,CN=Sites,CN=Configuration,DC=Santhosh,DC=lab"-attr CN SiteObject Description Location
|
Dsquery * "CN=Sites,CN=Configuration,DC=Santhosh,DC=lab"-attr CN Cost Description ReplInterval SiteList -filter (objectClass=siteLink)
|
Find Group Policy display name with the GUID
Dsquery * "CN=Policies,CN=System,DC=Santhosh,DC=lab"
-filter (objectCategory=groupPolicyContainer) -attr Name DisplayName
|