More Essential Tools for Active Directory
Dsget and Dsquery
The ds* command-line toolset also includes two tools used to query Active Directory for information rather than for creating or modifying objects.
Dsget takes an object’s DN as input and provides you with the value of the attribute or attributes you specify. Dsget uses the same submenus as dsadd and dsmod—user, computer, contact, group, ou, and quota.
To obtain the SAM Account Name and Security Identifier (SID) of a user account, enter the following command on a single line (dsget user exposes these as the -samid and -sid switches):
dsget user cn=afuller,ou=IT,dc=contoso,dc=com -samid -sid
You’ll get output such as that in Figure 3.
Figure 3 Running dsget
Dsquery returns a list of Active Directory objects that meet criteria you specify. You can specify the following parameters no matter which submenu you’re using:
dsquery <ObjectType> <StartNode> -scope <SearchScope> -o <OutputFormat>
For ObjectType, dsquery can use the following submenus, each of which has its own syntax: computer, contact, subnet, group, ou, site, server (note that the server submenu retrieves information about domain controllers, not any member servers in your environment), user, quota, and partition. And if one of these query types doesn’t fit the bill, you can use the * submenu, which lets you enter a free-form LDAP query.
StartNode specifies the location in the Active Directory tree where the search will start. You can use a specific DN such as ou=IT,dc=contoso,dc=com, or one of the following shortcut specifiers: domainroot, which begins at the root of a particular domain, or forestroot, which begins at the root of the forest root domain using a Global Catalog server to perform the search.
Finally, the Search Scope option specifies how dsquery should search the Active Directory tree. Subtree (the default) queries the specified StartNode and all of its child objects, onelevel queries only the immediate children of the StartNode, and base queries the StartNode object only.
To better understand search scopes, consider an OU that contains both user objects and a child OU that itself contains additional objects. Using the subtree scope will query the OU, all of the user objects contained within it, and the child OU and its contents. The onelevel scope will query only the users contained within the OU and will not query the child OU or its contents. A base query will search only the OU itself without querying any of the objects contained within it.
Finally, you can use Output Format to control how the results of dsquery are formatted. By default, dsquery returns the distinguished names of any objects that match the query, like this:
"cn=afuller,ou=Training,dc=contoso,dc=com" "cn=rking,ou=ITTraining,ou=Training,dc=contoso,dc=com"
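The three search scopes described above, together with the quoted-DN output format that dsquery prints by default, as an added Python example (this is not code from the original article): it parses a constructed dsquery result into DNs and applies the base, onelevel and subtree rules by comparing RDN components rather than raw strings, so case and spacing differences in DNs do not matter and an OU named ITTraining is never mistaken for a child of Training. The IT OU with a child Helpdesk OU and the Sales user are assumptions constructed for the sample.

```python
import re

# Quoted DNs as dsquery prints them by default, e.g. "cn=afuller,ou=IT,dc=contoso,dc=com"
DN_RE = re.compile(r'"([^"]*)"')


def parse_dsquery_output(text):
    """Split dsquery's default output (double-quoted DNs, space- or newline-separated) into DN strings."""
    return DN_RE.findall(text)


def dn_components(dn):
    """Split a DN into its RDN components, most specific first, case-folded and whitespace-trimmed.
    A comma escaped with a backslash (\\,) stays inside its component, as LDAP requires."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip().lower())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip().lower())
    return parts


def in_scope(object_dn, start_node, scope="subtree"):
    """Return True if object_dn would be visited by a dsquery starting at start_node with the given scope."""
    obj, base = dn_components(object_dn), dn_components(start_node)
    if len(obj) < len(base) or obj[len(obj) - len(base):] != base:
        return False  # the object does not sit under the start node at all
    depth = len(obj) - len(base)  # 0 = the start node itself, 1 = an immediate child, ...
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def filter_scope(dsquery_output, start_node, scope):
    """Keep only the DNs from a dsquery result that fall inside the given scope."""
    return [dn for dn in parse_dsquery_output(dsquery_output) if in_scope(dn, start_node, scope)]


# Constructed sample (assumption, not from the article): the IT OU holding one user and a child
# Helpdesk OU with its own user, plus an unrelated user in a Sales OU.
SAMPLE_OUTPUT = (
    '"ou=IT,dc=contoso,dc=com" '
    '"cn=afuller,ou=IT,dc=contoso,dc=com" '
    '"ou=Helpdesk,ou=IT,dc=contoso,dc=com" '
    '"cn=rking,ou=Helpdesk,ou=IT,dc=contoso,dc=com" '
    '"cn=bsmith,ou=Sales,dc=contoso,dc=com"'
)

if __name__ == "__main__":
    for scope in ("base", "onelevel", "subtree"):
        print(scope, filter_scope(SAMPLE_OUTPUT, "ou=IT,dc=contoso,dc=com", scope))
```

Running the script prints one line per scope: base returns only the IT OU itself, onelevel returns afuller and the Helpdesk OU but not rking inside it, and subtree returns all four objects under IT while the Sales user is excluded in every case.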
To query for all user objects contained within the IT OU and any child OUs, use the following:
dsquery user ou=IT,dc=contoso,dc=com
You can further refine this query by adding additional switches such as -disabled, which returns only disabled user accounts; -inactive x, which returns only users who haven’t logged on in the past x weeks or more; or -stalepwd x, which will return only users who have not changed their passwords in x days or more.
Depending on the number of objects in your directory, you may need to specify the -limit x switch when running your query. By default, dsquery will return up to 100 objects that match the specifics of your query; you can specify a larger number such as -limit 500, or use -limit 0 to instruct dsquery to return all matching objects.
You can use the other submenus to perform useful queries for other object types as well. Consider the following query, which returns every subnet defined in Active Directory Sites and Services that’s in the 10.1.x.x address space:
dsquery subnet -name 10.1.*
Or use the following to return every subnet located in the Corp site:
dsquery subnet -site Corp
With another submenu, you can quickly determine how many domain controllers in your forest are configured as Global Catalog servers:
dsquery server -forest -isgc
You can also use this syntax to help you determine which domain controller in your domain hosts the Primary Domain Controller (PDC) Emulator Flexible Single Master Operations (FSMO) role:
dsquery server -hasfsmo pdc
As with the other ds* commands that include submenus, you can view all of the switches available within a particular dsquery submenu by going to the command prompt and typing dsquery user /?, dsquery computer /?, dsquery subnet /?, and so forth.
An additional slick trick is to pipe the output of dsquery into another tool such as dsmod using the | character (shift-backslash on U.S. keyboards). For example, let’s say your company has renamed a department from Training to Internal Development and now you have to update the description field of each relevant user from the old department name to the new. On a single command line, you can query for user objects that have a description field of Training and then modify that description field in bulk, as follows:
dsquery user -description "Training" | dsmod user -description "Internal Development"
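The dsquery-to-dsmod pipeline above changes every matching account in one shot, and the -limit default of 100 described earlier means a query run without -limit 0 can silently update only part of a department. This added Python example (not code from the original article) wraps the same two commands so that the match list is previewed before anything is modified; the ds* runner is injectable, and the fake runner with two users from the Training OU is constructed so the logic can be exercised without a domain. Running the live path assumes a domain-joined Windows host with dsquery and dsmod on the PATH.

```python
import re
import subprocess
import sys

DN_RE = re.compile(r'"([^"]*)"')


def parse_dns(dsquery_output):
    """Extract the double-quoted DNs from dsquery's default output."""
    return DN_RE.findall(dsquery_output)


def description_query(description, start_node="domainroot"):
    """dsquery command for users whose description matches. -limit 0 lifts the default cap of
    100 results so a large department is not half-updated."""
    return ["dsquery", "user", start_node, "-description", description, "-limit", "0"]


def description_update(dns, new_description):
    """dsmod command that sets the description on the given user DNs (the right-hand side of the pipe)."""
    return ["dsmod", "user", *dns, "-description", new_description]


def run_tool(argv):
    """Real runner: execute a ds* tool and return its stdout. Requires a domain-joined Windows host."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def rename_department(old, new, dry_run=True, run=run_tool):
    """Query the users whose description is `old`; in dry-run mode only report them, otherwise
    update them to `new`. `run` is injectable so the flow can be tested without a domain."""
    matched = parse_dns(run(description_query(old)))
    if dry_run or not matched:
        return {"matched": matched, "modified": []}
    run(description_update(matched, new))
    return {"matched": matched, "modified": list(matched)}


# Constructed fake runner (assumption, not real dsquery output): answers a dsquery call with two
# users from the Training OU and records every command it is asked to execute.
FAKE_DSQUERY_OUTPUT = (
    '"cn=afuller,ou=Training,dc=contoso,dc=com"\n'
    '"cn=rking,ou=ITTraining,ou=Training,dc=contoso,dc=com"\n'
)


def make_fake_runner(log):
    def fake_run(argv):
        log.append(argv)
        return FAKE_DSQUERY_OUTPUT if argv[0] == "dsquery" else ""
    return fake_run


if __name__ == "__main__":
    # Usage: python ds_rename.py "Training" "Internal Development" [--apply]
    if len(sys.argv) < 3:
        sys.exit('usage: ds_rename.py "<old description>" "<new description>" [--apply]')
    old, new = sys.argv[1], sys.argv[2]
    apply = "--apply" in sys.argv[3:]
    report = rename_department(old, new, dry_run=not apply)
    for dn in report["matched"]:
        print(("updated " if apply else "would update ") + dn)
```

Without --apply the script only lists the DNs that the dsmod step would touch, which is the check worth making before a bulk change to directory objects. Because the DNs are passed on the dsmod command line rather than through stdin, a very large match list could exceed the command-line length limit; in that case feed the DNs to dsmod's standard input, as the pipe in the article does.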