Microsoft DS Tools – part 3



We know how to use DSQUERY command for context search or for more advanced LDAP query. Now, we will learn how to use DSGET to request object attributes. That command can be used in “standalone” mode or in piped mode with DSQUERY. It works also in read-only mode like previously discussed tool, so we cannot destroy anything in an environment. DSGET is not so powerful as DSQUERY but it’s also good if we want to easily get some object attributes.

For this command, Microsoft defined parameters which can request value from object attributes and we cannot form our own LDAP query. DSGET is limited but still enough for many daily requests in Active Directory management. Let’s see what we can do using it

DSGET has the same contexts like other DS Tools, so we should remember them from previous article. If not, just for short overview: computer, contact, subnet, group, ou, site, server, user, quota, partition.

In this article we will discuss only two of them: user and group

Let’s start with user context. As you remember, to get more detailed help for a context of DS tool, you need to use

<DS Tool name> plus <context name> and </question mark (?)>

dsget user /?

and now, we can see what is possible to get from user object running DSGET query:

DSGET user help

I don’t remember if I mentioned it before (if not, that’s good place for that) that DS Tools require Distinguished Name of an object to start query. That’s always the first value which must be given in a syntax!

Let’s start to get some details for “Krzysztof Pytko” user. The user is located in “wroc/users/it” OU under testenv.local domain

User object location

for start, we want to get user’s First Name, Last Name and login.

syntax for the query should look like this:

dsget user “CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -samid -fn -ln

User details

simple, isn’t it? 😉

Now, we will request more information from this user object. Let’s see what will be displayed as an output

dsget user “CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -samid -upn -fn -ln -display -desc -email -hmdrv -hmdir -loscr -mustchpwd -canchpwd -pwdneverexpires -disabled -acctexpires

More details

Oh, what a mess! How can I read anything from this output? Yes, that’s true. We requested too many attributes and the output is not readable. In this case we can solve that problem by redirecting command’s output to a flat text file. At the end of previous syntax add >c:user-info.txt

dsget user “CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -samid -upn -fn -ln -display -desc -email -hmdrv -hmdir -loscr -mustchpwd -canchpwd -pwdneverexpires -disabled -acctexpires >c:user-info.txt

Now, open a text file in notepad, disable word-warpping and review the output. It’s much more readable!

Another usage of DSGET in user context is to get all user’s group membership. For that you need to use different parameters. Let’s try to get Krzysztof Pytko group membership

dsget user “CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -memberof

User group membership

we can see group membership of Krzysztof Pytko. What if some groups are members of other groups (nested membership)? We don’t see that using only -memberof switch. For that we have to use one more parameter -expand Then all groups membership will be displayed

dsget user “CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -memberof -expand

User nested group membership

above command returns all groups in which user is a member.

OK, everything looks pretty good but do I have to each time specify Distinguised Name of a user to start query one by one? NO! As you remember, I mentioned about piped mode. By default DSQUERY returns DN of an object. Let’s try to use combination fo DSQUERY and DSGET together

dsquery user -name “Krzysztof Pytko” | dsget user -samid -fn -ln -display

so, we used DSQUERY to search for user object “Krzysztof Pytko” and we received Distinguished Name of that object. Instead of standard display this DN on a screen, we piped it to another command using pipe “|” character. As you noticed in DSGET command Distinguished Name of a user is missing. In this place, tool will use “piped variable” received from previous command and will display requested attribute values (user login, First Name, Last Name and Display Name).

DSQUERY and DSGET combination

Now, we run the query for all user accounts in a domain

dsquery user -name * -limit 0 | dsget user -samid -fn -ln -display

Accoring to above syntax, we can also use text file with user logins to get their basic user details. Prepare flat text file with user names, each user in separate line and save it on C-Drive as users.txt From command-line run this query

for /f %i in (C:users.txt) do dsquery user -samid %i | dsget user -samid -fn -ln -display

Thanks to this query, you can get only details for some sort of users, not for all users in whole domain.

That’s all about DSGET user context. It’s time to see what we can do using group context.

Actually, there is no big difference between previous context, just only other switches but the same idea. It can be used similarly to user context. I will only show you, how to get all group members and then display their login, First Name, Last Name and Display Name. Let’s try to run this query

dsquery group -name “gg-all-sites-admins” | dsget group -members -expand | dsget user -samid -fn -ln -display

You will receive all users which are members of this group (gg-all-sites-admins)

It’s done.

<<< Previous part

Next part >>>

Author: Krzysztof Pytko


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.