DS Commands – DSQUERY


Retrieving Information about Objects with DSQUERY

You can use the dsquery command to retrieve information about objects in Active Directory (AD). A benefit of dsquery is that you can retrieve multiple objects at the same time by specifying filter criteria. The basic syntax of the dsquery command is

dsquery dn-property property-value

The following table shows some examples of how to use the dsquery command to retrieve multiple objects.

dsquery Command

Comments

Retrieve all the groups in an Organizational Unit (OU).

dsquery group dn

C:\>dsquery group "ou=east, ou=sales, dc=habib, dc=local"

Retrieves a list of all the groups in the sales\east OU.

Note: The only thing you need to add is the distinguished name (DN).

Retrieve all the groups in an OU matching a specific name.

dsquery group dn

C:\>dsquery group "ou=east, ou=sales, dc=habib, dc=local" -name IT*

You can use the -name switch to identify all the groups with specific names, and you can also use the asterisk (*) wildcard.

This example retrieves a list of all the groups in the sales\east OU that have a name that starts with “IT.”

Retrieve a listing of all users in the domain or in an OU.

dsquery user dn

C:\>dsquery user "dc=habib, dc=local"

C:\>dsquery user "ou=sales, dc=habib, dc=local"

C:\>dsquery user "ou=sales, dc=habib, dc=local" -scope base

Retrieves a listing of all objects, such as all users or all computers. The dn identifies the search range.

The first example lists all users in the domain. The second example lists all users in the Sales OU and child OUs. The third example limits the scope to the base OU (Sales) and lists all users in the Sales OU only (not child OUs).

Identify inactive accounts.

dsquery object-type dn -inactive number-of-weeks

C:\>dsquery user "dc=habib, dc=local" -inactive 4

C:\>dsquery computer "dc=habib, dc=local" -inactive 4

The -inactive switch identifies inactive accounts.

These examples retrieve any user accounts and computer accounts that have not been logged on to in the past four weeks.

Identify accounts with stale passwords.

dsquery user dn -stalepwd number-of-days

C:\>dsquery user "dc=habib, dc=local" -stalepwd 45

A stale password hasn’t been changed in a specific number of days.

Note: Use this to locate service accounts that have the Password Never Expires setting enabled and haven’t had their passwords changed within a given time.

Locate disabled accounts.

dsquery user dn -disabled

C:\>dsquery user "dc=habib, dc=local" -disabled

Locates all disabled accounts.


An added benefit of the dsquery command is that you can use it to modify multiple objects at the same time. You can pipe the results of the dsquery command to another command such as the dsmod command. The basic format is

dsquery command | dsmod command

Note: Piping or pipelining is done by adding a pipe character (|) between the commands. The output of the first command becomes the input of the second command.

The following table shows a few examples where you can pipe the results of a dsquery
command to a dsmod command.

dsquery Command

Comments

Disable inactive accounts.

dsquery object-type dn -inactive number-of-weeks | dsmod user -disabled yes

C:\>dsquery user "dc=habib,dc=local" -inactive 4 | dsmod user -disabled yes

This example uses a query to identify accounts that are inactive, and then passes the list to the dsmod command. The dsmod command then disables all accounts in the list.

Modify a property for a group of users.

dsquery user dn | dsmod user -office value

C:\>dsquery user "ou=east, ou=sales,dc=habib,dc=local" | dsmod user -office "East Sales"

This example first retrieves a list of all users in the sales\east OU and passes this list to the dsmod command. The dsmod command uses the -office switch to change the office name to Virginia Beach for each of the users.

Note: Because the office name of Virginia Beach has a space, it must be enclosed in quotes.
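
The disable-inactive pipeline above changes every account the query returns in a single step. As an added example (not from the original post), the batch file below stages the query result in a file so it can be reviewed before dsmod runs. The list file name and the YES prompt are assumptions; -limit 0 is used because dsquery otherwise returns at most 100 objects.

```batch
@echo off
rem Added example: stage the dsquery result, review it, then feed it to dsmod.
rem The domain DN is the one used on this page; LIST is an assumed file name.
setlocal
set "BASE=dc=habib,dc=local"
set "LIST=%TEMP%\inactive-users.txt"
set "ANSWER="

rem -limit 0 lifts dsquery's default cap of 100 returned objects.
rem Assumes dsquery returns a nonzero exit code when the query fails.
dsquery user "%BASE%" -inactive 4 -limit 0 > "%LIST%"
if errorlevel 1 (
    echo dsquery failed; nothing was changed.
    exit /b 1
)

rem Count the candidate accounts (one quoted DN per line).
for /f %%C in ('type "%LIST%" ^| find /c /v ""') do set "COUNT=%%C"
echo %COUNT% inactive user accounts written to %LIST%
if "%COUNT%"=="0" exit /b 0

rem Show the logon name and current flags of each candidate for review.
type "%LIST%" | dsget user -samid -disabled -pwdneverexpires

echo.
echo Edit %LIST% now and delete the lines for accounts that must stay enabled.
set /p "ANSWER=Type YES to disable the accounts left in the file: "
if /i not "%ANSWER%"=="YES" (
    echo Aborted; nothing was changed.
    exit /b 0
)

rem dsmod reads the target DNs from standard input, exactly as in the pipeline.
type "%LIST%" | dsmod user -disabled yes
endlocal
```

Service accounts that rarely log on interactively are the usual entries to remove from the list; the -pwdneverexpires column in the dsget output helps spot them.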
