AD Command Line Queries
Retrieving Groups
Retrieve a list of all groups in the Sales OU (and any groups in child OUs):
dsquery group "ou=sales,dc=pearson,dc=itcertification,dc=com"
If you want to omit groups in the child OUs from the output, you can add the -scope onelevel switch. This command retrieves a list of the groups in the Sales OU only:
dsquery group "ou=sales,dc=pearson,dc=itcertification,dc=com" -scope onelevel
List all groups in an OU including their Group Scope & Group Type:
dsquery group "ou=test,dc=gs,dc=com" -limit 0 | dsget group -samid -scope -secgrp
Retrieving Users and Computers
Retrieve a list of all users in the domain and redirect the output to a text file named users.txt:
dsquery user "dc=pearson,dc=itcertification,dc=com" > users.txt
Retrieve a list of all computer objects in an OU:
dsquery computer "ou=computers,dc=pearson,dc=itcertification,dc=com"
Retrieve a list of users within a specific OU, using the -scope switch to limit the output. Note that this can also be done with computers.
dsquery user "ou=sales,dc=pearson,dc=itcertification,dc=com" -scope onelevel
Identify inactive user accounts using the -inactive switch, which accepts an integer number of weeks. For example, the following commands identify users and computers that have not logged on in the past four weeks:
dsquery user "dc=pearson,dc=itcertification,dc=com" -inactive 4
dsquery computer "dc=pearson,dc=itcertification,dc=com" -inactive 4
You can pipe the results of the above dsquery command to the dsmod command to disable the accounts:
dsquery user "dc=pearson,dc=itcertification,dc=com" -inactive 4 | dsmod user -disabled yes
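The pipeline above disables every account the query returns, so it is worth staging the list first. The following PowerShell is an added example, not part of the original page: it takes the quoted DNs that dsquery prints, marks accounts in protected containers as skipped, and leaves the rest as candidates for review. The sample DNs and the protected OUs are constructed assumptions.

```powershell
# Constructed sample of what
#   dsquery user "dc=pearson,dc=itcertification,dc=com" -inactive 4
# prints: one quoted DN per line.
$inactive = @(
    '"CN=Sally,OU=Sales,DC=pearson,DC=itcertification,DC=com"'
    '"CN=svc_sql,OU=Service Accounts,DC=pearson,DC=itcertification,DC=com"'
    '"CN=Joe,OU=East,OU=Sales,DC=pearson,DC=itcertification,DC=com"'
    '"CN=breakglass,OU=Admin,DC=pearson,DC=itcertification,DC=com"'
)

# Hypothetical containers whose accounts must never be disabled automatically.
$protected = @(
    'OU=Service Accounts,DC=pearson,DC=itcertification,DC=com'
    'OU=Admin,DC=pearson,DC=itcertification,DC=com'
)

function Select-DisableCandidate {
    param([string[]]$QuotedDn, [string[]]$ProtectedContainer)
    foreach ($line in $QuotedDn) {
        $dn = $line.Trim().Trim('"')          # dsquery wraps each DN in quotes
        if (-not $dn) { continue }
        $isProtected = $false
        foreach ($container in $ProtectedContainer) {
            # Match the container itself and any child OU beneath it.
            if ($dn.EndsWith(",$container", [System.StringComparison]::OrdinalIgnoreCase)) {
                $isProtected = $true
                break
            }
        }
        $action = if ($isProtected) { 'skip (protected)' } else { 'disable' }
        [pscustomobject]@{ DN = $dn; Action = $action }
    }
}

$plan = Select-DisableCandidate -QuotedDn $inactive -ProtectedContainer $protected
$plan | Format-Table -AutoSize

# After the plan has been reviewed, re-quote the approved DNs and hand them to dsmod:
# $plan | Where-Object Action -eq 'disable' |
#     ForEach-Object { '"{0}"' -f $_.DN } | dsmod user -disabled yes
```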
List disabled user or computer accounts in your domain using the disabled switch like this:
dsquery user "dc=pearson,dc=itcertification,dc=com" -disabled
dsquery computer "dc=pearson,dc=itcertification,dc=com" -disabled
Identify user accounts with passwords that haven't been changed in the last 60 days, and send the output to a file named stale.txt:
dsquery user "dc=pearson,dc=itcertification,dc=com" -stalepwd 60 > stale.txt
List a user's SID:
dsquery user -samid santhosh | dsget user -sid
dsquery * -filter "(samaccountname=santhosh)" -attr objectSid
List all enabled computer accounts in an OU:
dsquery computer OU=Test,DC=sivarajan,DC=com -limit 5000 | dsget computer -dn -disabled | find /i " no"
Count all enabled computer accounts in an OU:
dsquery computer OU=Test,DC=sivarajan,DC=com -limit 5000 | dsget computer -dn -disabled | find /c /i " no"
Find all contacts in an OU:
dsquery contact OU=Sales,DC=Contoso,DC=Com
List all objects with a primary group of "Domain Users".
You can change the "primaryGroupID" as per your requirement:
513 = Domain Users
514 = Domain Guests
515 = Domain Computers
516 = Domain Controllers
dsquery * -filter "(primaryGroupID=513)" -limit 0
List all expired user accounts in the domain (you could also do this for an OU by altering the DN). The filter matches every account that has an expiry date set, so check the date itself to confirm the account has already expired:
dsquery * "dc=contoso,dc=com" -filter "(&(objectCategory=Person)(objectClass=User)(!(accountExpires=0))(!(accountExpires=9223372036854775807)))" -attr sAMAccountname displayName
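The accountExpires attribute is stored as a count of 100-nanosecond intervals since 1601-01-01 UTC, with 0 and 9223372036854775807 both meaning "never". The following PowerShell is an added example, not part of the original page: it converts that value and keeps only accounts whose expiry date has passed. The sample lines are constructed and assume the query was run with -attr sAMAccountName accountExpires, so that each row has exactly two columns.

```powershell
# Constructed sample, shaped like the table printed by
#   dsquery * "dc=contoso,dc=com" -filter "<filter above>" -attr sAMAccountName accountExpires
# The "never" rows are included to show how they are handled.
$sample = @(
    '  sAMAccountName    accountExpires'
    '  jsmith            132223104000000000'     # constructed: 2020-01-01 00:00 UTC
    '  contractor1       9223372036854775807'    # never expires
    '  svc_backup        0'                      # never expires
    '  temp.admin        133801632000000000'     # constructed: 2025-01-01 00:00 UTC
)

function Get-ExpiredAccount {
    param(
        [string[]]$Lines,
        [datetime]$AsOfUtc = ([datetime]::UtcNow)
    )
    foreach ($line in ($Lines | Select-Object -Skip 1)) {    # skip the header row
        $parts = $line.Trim() -split '\s+'
        if ($parts.Count -ne 2 -or $parts[1] -notmatch '^\d+$') { continue }

        $raw = [int64]$parts[1]
        # 0 and Int64.MaxValue both mean the account never expires.
        if ($raw -eq 0 -or $raw -eq [int64]::MaxValue) { continue }

        # accountExpires is a Windows FILETIME value.
        $expiresUtc = [datetime]::FromFileTimeUtc($raw)
        if ($expiresUtc -le $AsOfUtc) {
            [pscustomobject]@{ SamAccountName = $parts[0]; ExpiredUtc = $expiresUtc }
        }
    }
}

# Evaluate the sample against a fixed reference date so the result is repeatable.
$asOf = [datetime]::new(2024, 1, 1, 0, 0, 0, [System.DateTimeKind]::Utc)
Get-ExpiredAccount -Lines $sample -AsOfUtc $asOf
```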
List a user's Account Expiry date:
dsquery user -name * -limit 0 | dsget user -samid -acctexpires
List the samaccountname for all users in the domain (can also be done for an OU and also with computer objects):
dsquery user -o rdn -limit 0
Note that -o rdn prints each object's relative distinguished name; use -o samid to print the samaccountname itself.
-limit is the maximum number of objects to return, default=100.
List all users in an OU including attributes such as samaccountname, description, department and title:
dsquery * "ou=test,DC=contoso,DC=com" -filter "(&(objectcategory=person)(objectclass=user))" -limit 0 -attr samaccountname description department title
List all computers in an OU including attributes like name and operating system:
dsquery * "cn=computers,dc=lucasbeare,dc=local" -filter "(&(objectcategory=computer)(objectclass=user))" -attr name operatingsystem
List a particular object's attributes using an LDAP filter. In the below example we return the name and whenchanged attributes for the samaccountname biz:
dsquery * -filter (samaccountname=biz) -attr name whenchanged
List several attributes for all users in an OU:
dsquery user "OU=Support,DC=internal,DC=net" | dsget user -display -samid -email
List Group Membership for Groups and Users
Retrieve a list of members for the Domain Admins group:
dsget group "cn=Domain Admins,cn=users,dc=pearson,dc=itcertification,dc=com" -members
Many of the members listed will be groups, but the members of these groups aren't included in the output. If you want to get a full listing of users and groups that are either direct or indirect members of the Domain Admins group, you can use the -expand switch like this:
dsget group "cn=Domain Admins,cn=users,dc=pearson,dc=itcertification,dc=com" -members -expand
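The expanded listing is most useful when compared against a list of who is supposed to be there. The following PowerShell is an added example, not part of the original page: it diffs the output of the -members -expand command against an approved baseline and reports unexpected and missing members. The member DNs and the baseline are constructed; in practice $current would hold the output of the dsget command above.

```powershell
# Constructed sample of the quoted DNs printed by
#   dsget group "cn=Domain Admins,cn=users,dc=pearson,dc=itcertification,dc=com" -members -expand
$current = @(
    '"CN=Administrator,CN=Users,DC=pearson,DC=itcertification,DC=com"'
    '"CN=Sally,OU=Sales,DC=pearson,DC=itcertification,DC=com"'
    '"CN=IT Admins,OU=East,OU=Sales,DC=pearson,DC=itcertification,DC=com"'
)

# Hypothetical approved baseline, kept under change control (DNs without quotes).
$approved = @(
    'cn=administrator,cn=users,dc=pearson,dc=itcertification,dc=com'
    'cn=it admins,ou=east,ou=sales,dc=pearson,dc=itcertification,dc=com'
    'cn=joe,ou=east,ou=sales,dc=pearson,dc=itcertification,dc=com'
)

function Compare-PrivilegedMembership {
    param([string[]]$Current, [string[]]$Approved)

    # DNs are case-insensitive and dsget quotes them, so normalise both sides.
    $normalise = {
        param($list)
        @($list | ForEach-Object { $_.Trim().Trim('"').ToLowerInvariant() } |
            Where-Object { $_ } | Sort-Object -Unique)
    }
    $cur = & $normalise $Current
    $ok  = & $normalise $Approved

    [pscustomobject]@{
        # In the group now but not approved: investigate first.
        Unexpected = @($cur | Where-Object { $_ -notin $ok })
        # Approved but no longer a member: the baseline may be out of date.
        Missing    = @($ok | Where-Object { $_ -notin $cur })
    }
}

$result = Compare-PrivilegedMembership -Current $current -Approved $approved
$result.Unexpected | ForEach-Object { "UNEXPECTED: $_" }
$result.Missing    | ForEach-Object { "MISSING:    $_" }
```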
List the members of a Group by samaccountname:
dsquery group -samid "CS_CLUB_ACCOUNTS" | dsget group -members -expand | dsget user -samid
List group membership for a specific user (DN):
dsget user "cn=Sally,ou=sales,dc=pearson,dc=itcertification,dc=com" -memberof
You can use the -expand switch to get a full group listing:
dsget user "cn=Sally,ou=sales,dc=pearson,dc=itcertification,dc=com" -memberof -expand
You can also use samaccountname to list membership:
dsquery user -samid "username" | dsget user -memberof -expand
List all groups a user is a member of, without the DNs:
dsquery user -samid anthony | dsget user -memberof | dsget group -samid
List all groups a computer is a member of, without giving the DN:
dsquery computer -name test1 | dsget computer -memberof | dsget group -samid
List a user's AD group membership alphabetically:
dsquery user -samid username | dsget user -memberof -expand | dsget group -samid | sort
Modifying objects with DSMOD
Change a user's password (passing * in place of the password makes dsmod prompt for it, which keeps it out of command history and batch files):
dsmod user "cn=joe,ou=east, ou=sales, dc=habib,dc=local" -pwd abc@123
Change group type. The below example converts a security group to a distribution list:
dsmod group "cn=IT Admins, ou=east, ou=sales, dc=habib, dc=local" -secgrp no
Change group scope (l, g or u). The below example converts a group to a global group. Note that you can't convert a global group directly to a domain local group, and you can't convert a domain local group directly to a global group. However, you can convert it to a universal group first, and then convert it to a domain local or global group.
dsmod group "cn=IT Admins, ou=east, ou=sales, dc=habib, dc=local" -scope g
Add users to a group. The below example adds Joe and Sally to the IT Admins group. You can add as many members as desired in the same command by adding additional DNs. You need only a space between DNs, not a comma.
dsmod group "cn=IT Admins, ou=east, ou=sales, dc=habib, dc=local" -addmbr "cn=Joe,ou=east, ou=sales, dc=habib, dc=local" "cn=Sally,ou=east,ou=sales, dc=habib, dc=local"
Remove a user from a group:
dsmod group "cn=IT Admins, ou=east, ou=sales, dc=habib, dc=local" -rmmbr "cn=Joe, ou=east, ou=sales, dc=habib, dc=local"
Add a group to another group. In the below example the IT Admins group is added to the dl_printer group.
dsmod group "cn=dl_printer, ou=east, ou=sales, dc=habib, dc=local" -addmbr "cn=IT Admins, ou=east, ou=sales, dc=habib, dc=local"
Remove a group from another group. In the below example the IT Admins group is removed from the dl_printer group.
dsmod group "cn=dl_printer, ou=east, ou=sales, dc=habib, dc=local" -rmmbr "cn=IT Admins, ou=east, ou=sales, dc=habib, dc=local"
Domain Controller related queries
Provide a total number of all DCs in the domain:
dsquery server | find /c /v ""
List all DCs whose name starts with a particular string eg DNO:
dsquery server -name dno* -o rdn
List all GCs in the domain:
DsQuery Server -domain contoso.com -isgc
Return the Schema version:
dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion
OR
schupgr
Determine what site a server is in:
dsquery server -name test1 | dsget server -site
dsquery server -name (provide the server name for DN) | dsget server -site
List the PDC role holder for the current domain:
dsquery server -hasfsmo PDC
List the Infrastructure Master role holder for the current domain:
dsquery server -hasfsmo INFR
List the RID master holder for the current domain:
dsquery server -hasfsmo RID
List the Schema master holder for the current forest:
dsquery server -forest -hasfsmo Schema
List the Domain Naming Master for the current forest:
dsquery server -forest -hasfsmo Name
Determine if a DC is a GC:
dsquery server -name test1 | dsget server -isgc
Determine what site a subnet is associated with:
dsquery subnet -name 10.222.88.0/25 | dsget subnet -site
For each domain controller in the domain, display the DNS host name, site name, and whether or not the server is a Global Catalog (GC):
dsquery server | dsget server -dnsname -site -isgc
For each domain controller in the forest, display the DNS host name, site name, and whether or not the server is a Global Catalog (GC):
dsquery server -forest -limit 0 | dsget server -dnsname -site -isgc
List any RODCs in the domain:
dsquery server -isreadonly
List all the subnets for a site:
dsquery subnet -o rdn -site site_name
List all DCs in a site:
dsquery server -o rdn -site site_name
List all DCs in the Forest:
dsquery server -o rdn -forest
List the distinguished names of all AD partitions in the current forest:
dsquery partition
List all sites that are defined in AD:
dsquery site -limit 0
List how many times the wrong password has been entered on a specified domain controller for a given account eg jsmith:
dsquery * -filter "(sAMAccountName=jsmith)" -s Enter_DC_Name -attr givenName sn badPwdCount
adprep /forestprep extends the schema, updates permissions and prepares the forest for new domain controllers. The below command shows the current version of the schema.
56 = Windows Server 2012
47 = Windows Server 2008 R2
44 = Windows Server 2008
31 = Windows Server 2003 R2
30 = Windows Server 2003
13 = Windows 2000
dsquery.exe * "CN=Schema,CN=Configuration,DC=domain,DC=local" -scope base -attr objectversion
adprep /domainprep creates new containers and objects, modifies ACLs on some objects, and prepares the domain for new domain controllers. The below command shows the Active Directory Update version.
9 = Windows Server 2012
5 = Windows Server 2008 R2
3 = Windows Server 2008
dsquery * CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,DC=domain,DC=local -scope base -attr revision
adprep /rodcprep updates permissions on the application directory partitions so that RODCs can replicate these partitions. The below command will let you know if adprep /rodcprep has been run before.
Output:
2 = The command has been executed (both on server 2008 and 2012)
Directory object not found = The command has not been executed.
dsquery * CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,CN=Configuration,DC=domain,DC=local -scope base -attr revision
List what site DCs starting with a name of SERVER are in:
dsquery server -name SERVER* | dsget server -site
Miscellaneous Queries
List any virtual machines in the forest:
dsquery * forestroot -filter "(&(cn=windows virtual machine)(objectCategory=serviceconnectionpoint))" -limit 0 -attr * >> c:\allvirtualPCs.txt
List general information about an ad user object:
net user username /domain
Finding inactive workstations
The below PowerShell script shows computer objects whose password has not been changed for 60 days and exports the results to csv:
dsquery computer "ou=workstations,dc=beare,dc=local" -stalepwd 60 -limit 10000 | dsget computer -samid -dn -disabled | % {$_ -replace "\s+", ";"} |
Out-File -FilePath c:\users\beare\desktop\expired_cmp_.csv
Change multiple users' passwords. Put the below lines in a bat file.
dsmod user "CN=Bruce Wayne,OU=Hero,DC=demo,DC=local" -pwd insert_password -mustchpwd no
dsmod user "CN=Bruce Banner,OU=Hero,DC=demo,DC=local" -pwd insert_password -mustchpwd no
Show all DCs including what site they are in.
nltest /dclist:domain.local
Show all DCs in a particular site.
nltest /dnsgetdc:domain.local /site:syd
Show all inbound/outbound trusts with domain.
nltest /domain_trusts
Show descriptive information about a DC, including what services it is providing.
nltest /dsgetdc:domain.local /server:dc1
Show all DCs, including total quantity.
repadmin /viewlist *
Show inbound and outbound replication times.
repadmin /showrepl /repsto
Show the inbound replication queue for a DC.
repadmin /queue DC01
Copy a user's groups to another user
Add a user (New_User) to the same groups that an existing user is a member of (sample.user). The -c switch ensures that the command continues if the user (New_User) is already in a group that the existing user (sample.user) is a member of, otherwise the command fails.
dsquery user -samid sample.user | dsget user -memberOf | dsmod group -addmbr "CN=New_User,OU=test,DC=bhp,DC=org,DC=au" -c