Retrieving Information about Objects with DSQUERY
You can use the dsquery command to retrieve information about objects in Active Directory (AD). A benefit of dsquery is that you can retrieve multiple objects at the same time by specifying filter criteria. The basic syntax of the dsquery command is
dsquery dn-property property-value
The following table shows some examples of how to use the dsquery command to retrieve multiple objects.
| dsquery Command | Comments |
| --- | --- |
| Retrieve all the groups in an Organizational Unit (OU).<br>`dsquery group dn`<br>`C:\>dsquery group "ou=east,ou=sales,dc=habib,dc=local"` | Retrieves a list of all the groups in the sales\east OU. Note: The only thing you need to add is the distinguished name (DN). |
| Retrieve all the groups in an OU matching a specific name.<br>`dsquery group dn -name name`<br>`C:\>dsquery group "ou=east,ou=sales,dc=habib,dc=local" -name IT*` | You can use the -name switch to identify all the groups with specific names, and you can also use the asterisk (*) wildcard. This example retrieves a list of all the groups in the sales\east OU that have a name that starts with "IT." |
| Retrieve a listing of all users in the domain or in an OU.<br>`dsquery user dn`<br>`C:\>dsquery user "dc=habib,dc=local"`<br>`C:\>dsquery user "ou=sales,dc=habib,dc=local"`<br>`C:\>dsquery user "ou=sales,dc=habib,dc=local" -scope onelevel` | Retrieves a listing of all objects, such as all users or all computers. The dn identifies the search range. The first example lists all users in the domain. The second example lists all users in the Sales OU and child OUs. The third example limits the scope to the immediate children of the Sales OU and lists all users in the Sales OU only (not child OUs). A scope of base would examine only the object named by the dn itself. |
| Identify inactive accounts.<br>`dsquery object-type dn -inactive number-of-weeks`<br>`C:\>dsquery user "dc=habib,dc=local" -inactive 4`<br>`C:\>dsquery computer "dc=habib,dc=local" -inactive 4` | The -inactive switch identifies inactive accounts. These examples retrieve any user accounts and computer accounts that have not been logged on to in the past four weeks. |
| Identify accounts with stale passwords.<br>`dsquery user dn -stalepwd number-of-days`<br>`C:\>dsquery user "dc=habib,dc=local" -stalepwd 45` | A stale password hasn't been changed in a specific number of days. Note: Use this to locate service accounts that have the Password Never Expires setting enabled and haven't had their passwords changed within a given time. |
| Locate disabled accounts.<br>`dsquery user dn -disabled`<br>`C:\>dsquery user "dc=habib,dc=local" -disabled` | Locates all disabled accounts. |
An added benefit of the dsquery command is that you can use it to modify multiple objects at the same time. You can pipe the results of the dsquery command to another command such as the dsmod command. The basic format is
dsquery command | dsmod command
Note: Piping or pipelining is done by adding a pipe character (|) between the commands. The output of the first command becomes the input of the second command.
The following table shows a few examples where you can pipe the results of a dsquery command to a dsmod command.
| dsquery Command | Comments |
| --- | --- |
| Disable inactive accounts.<br>`dsquery object-type dn -inactive number-of-weeks \| dsmod user -disabled yes`<br>`C:\>dsquery user "dc=habib,dc=local" -inactive 4 \| dsmod user -disabled yes` | This example uses a query to identify accounts that are inactive, and then passes the list to the dsmod command. The dsmod command then disables all accounts in the list. |
| Modify a property for a group of users.<br>`dsquery user dn \| dsmod user -office value`<br>`C:\>dsquery user "ou=east,ou=sales,dc=habib,dc=local" \| dsmod user -office "Virginia Beach"` | This example first retrieves a list of all users in the sales\east OU and passes this list to the dsmod command. The dsmod command uses the -office switch to change the office name to Virginia Beach for each of the users. Note: Because the office name of Virginia Beach has a space, it must be enclosed in quotes. |
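A more cautious form of the disable-inactive-accounts pipeline, as an added PowerShell example that is not part of the original post: it lifts dsquery's default limit of 100 results with -limit 0, drops exempt accounts, writes the remaining list to a file for review, and asks for confirmation before dsmod runs. The exemption patterns, the review file path and the confirmation prompt are assumptions made for illustration.

```powershell
# Added example, not from the original post. Requires the DS command-line tools.
# Assumptions (constructed values): $Weeks, $ExemptPatterns, $ReviewFile.
$BaseDn         = 'dc=habib,dc=local'
$Weeks          = 4
$ExemptPatterns = @('CN=krbtgt,*', 'CN=Administrator,*', 'CN=svc-*')
$ReviewFile     = Join-Path $env:TEMP 'inactive-users.txt'

# 1. Query only. -limit 0 lifts dsquery's default cap of 100 results, so the
#    list is complete instead of being cut off at the first 100 accounts.
$found = @(dsquery user $BaseDn -inactive $Weeks -limit 0)
if ($LASTEXITCODE -ne 0) { throw "dsquery failed with exit code $LASTEXITCODE" }

# 2. dsquery prints one quoted DN per line. Compare the unquoted DN against
#    the exemption patterns, but keep the quoted line for dsmod.
$targets = @($found | Where-Object {
    $dn = $_.Trim().Trim('"')
    $dn -and -not ($ExemptPatterns | Where-Object { $dn -like $_ })
})

# 3. Save the list so it can be reviewed and kept as a record of the change.
$targets | Set-Content -Path $ReviewFile
Write-Host "$($found.Count) inactive, $($targets.Count) after exemptions. List: $ReviewFile"

# 4. Disable only after explicit confirmation. dsmod reads the DNs from
#    standard input; -c reports errors and continues with the next object.
if ($targets.Count -gt 0 -and (Read-Host 'Type YES to disable these accounts') -ceq 'YES') {
    $targets | dsmod user -disabled yes -c
}
```

The saved list also provides the input needed to reverse the change with `dsmod user -disabled no` if an account turns out to be in use.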
