Microsoft DS Tools – part 3
We know how to use DSQUERY command for context search or for more advanced LDAP query. Now, we will learn how to use DSGET to request object attributes. That command can be used in “standalone” mode or in piped mode with DSQUERY. It works also in read-only mode like previously discussed tool, so we cannot destroy anything in an environment. DSGET is not so powerful as DSQUERY but it’s also good if we want to easily get some object attributes.
For this command, Microsoft defined parameters which can request value from object attributes and we cannot form our own LDAP query. DSGET is limited but still enough for many daily requests in Active Directory management. Let’s see what we can do using it
DSGET has the same contexts like other DS Tools, so we should remember them from previous article. If not, just for short overview: computer, contact, subnet, group, ou, site, server, user, quota, partition.
In this article we will discuss only two of them: user and group
Let’s start with user context. As you remember, to get more detailed help for a context of DS tool, you need to use
<DS Tool name> plus <context name> and </question mark (?)>
dsget user /?
and now, we can see what is possible to get from user object running DSGET query:
I don’t remember if I mentioned it before (if not, that’s good place for that) that DS Tools require Distinguished Name of an object to start query. That’s always the first value which must be given in a syntax!
Let’s start to get some details for “Krzysztof Pytko” user. The user is located in “wroc/users/it” OU under testenv.local domain
for start, we want to get user’s First Name, Last Name and login.
syntax for the query should look like this:
dsget user “CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -samid -fn -ln
simple, isn’t it? 😉
Now, we will request more information from this user object. Let’s see what will be displayed as an output
dsget user “CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -samid -upn -fn -ln -display -desc -email -hmdrv -hmdir -loscr -mustchpwd -canchpwd -pwdneverexpires -disabled -acctexpires
Oh, what a mess! How can I read anything from this output? Yes, that’s true. We requested too many attributes and the output is not readable. In this case we can solve that problem by redirecting command’s output to a flat text file. At the end of previous syntax add >c:user-info.txt
dsget user “CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -samid -upn -fn -ln -display -desc -email -hmdrv -hmdir -loscr -mustchpwd -canchpwd -pwdneverexpires -disabled -acctexpires >c:user-info.txt
Now, open a text file in notepad, disable word-warpping and review the output. It’s much more readable!
Another usage of DSGET in user context is to get all user’s group membership. For that you need to use different parameters. Let’s try to get Krzysztof Pytko group membership
dsget user “CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -memberof
we can see group membership of Krzysztof Pytko. What if some groups are members of other groups (nested membership)? We don’t see that using only -memberof switch. For that we have to use one more parameter -expand Then all groups membership will be displayed
dsget user “CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local” -memberof -expand
above command returns all groups in which user is a member.
OK, everything looks pretty good but do I have to each time specify Distinguised Name of a user to start query one by one? NO! As you remember, I mentioned about piped mode. By default DSQUERY returns DN of an object. Let’s try to use combination fo DSQUERY and DSGET together
dsquery user -name “Krzysztof Pytko” | dsget user -samid -fn -ln -display
so, we used DSQUERY to search for user object “Krzysztof Pytko” and we received Distinguished Name of that object. Instead of standard display this DN on a screen, we piped it to another command using pipe “|” character. As you noticed in DSGET command Distinguished Name of a user is missing. In this place, tool will use “piped variable” received from previous command and will display requested attribute values (user login, First Name, Last Name and Display Name).
Now, we run the query for all user accounts in a domain
dsquery user -name * -limit 0 | dsget user -samid -fn -ln -display
Accoring to above syntax, we can also use text file with user logins to get their basic user details. Prepare flat text file with user names, each user in separate line and save it on C-Drive as users.txt From command-line run this query
for /f %i in (C:users.txt) do dsquery user -samid %i | dsget user -samid -fn -ln -display
Thanks to this query, you can get only details for some sort of users, not for all users in whole domain.
That’s all about DSGET user context. It’s time to see what we can do using group context.
Actually, there is no big difference between previous context, just only other switches but the same idea. It can be used similarly to user context. I will only show you, how to get all group members and then display their login, First Name, Last Name and Display Name. Let’s try to run this query
dsquery group -name “gg-all-sites-admins” | dsget group -members -expand | dsget user -samid -fn -ln -display
You will receive all users which are members of this group (gg-all-sites-admins)
Author: Krzysztof Pytko