I would like to announce that iSiek’s forum about Microsoft Windows services has been launched!
I hope you will participate in building a new IT community on this forum. I hope we will be able to help each other.
You are invited! I encourage you to register an account for free and start posting your issues or try to help others.
Just some simple forum rules
- The forum is free of charge. It is maintained from ads.
- To contribute to the community, free registration is required
- Write posts in English
- Check the forums first to see whether a similar problem already exists
- Use the appropriate forum to post your issue
- Do not spam
- Use external services to attach images/logs and place only a link to them
- Be polite and do not use vulgarisms
- If you do not want to help, do not answer
Be a part of this new community and help make a family atmosphere here.
I hope we will make this IT world better!
Forum address is http://kpytko.pl/forum
Author: Krzysztof Pytko
We already know how to get attribute information about an object in a domain, how to create or modify an object and, finally, how to move it. It’s time to learn the command which deletes objects from the domain.
You need to be careful using it, because it is very easy to delete many objects by mistake!
The command which deletes objects from the domain is DSRM. Like DSMOVE, this tool is contextless and uses the Distinguished Name to locate the object in the environment.
Before we start using DSRM, we will discuss its parameters a little to get to know them better. It’s important to understand these parameters, because otherwise you may delete more objects than you intended and get into trouble.
To see what we can do with DSRM, type in the command line
dsrm /?
- -noprompt – this switch deletes object(s) without confirmation from the administrator. By default, when you do not specify it, you are asked if you really want to delete the object. It is mostly used in batch mode.
- -subtree – when you want to remove an object containing other objects, you need to specify this switch (i.e. an OU with users/groups/computers or an OU with child OUs)
- -subtree -exclude – deletes all child objects but not the top one from which the deletion process was initiated
OK, let’s start using it for real. First of all, DSRM relies on the Distinguished Name, as stated earlier in this post. This is the simplest command to delete an object
dsrm <Distinguished Name of an object>
When you execute the syntax above, you are asked whether you are sure. When you confirm, DSRM deletes the object.
We have an empty OU within our Active Directory structure and we want to delete it
Confirm that you want to delete this object
Now, let’s remove the user Ann Polack from the domain. She is no longer working in the company. This time we will use DSQUERY together with DSRM. To be able to use the piped value, you need to add the -noprompt switch to remove her account. If you run the command without any switch at the end, it won’t work: DSRM assumes that it was executed improperly.
dsquery user -name "Ann Polack" | dsrm -noprompt
Let’s see what happens if we try to delete an OU where users exist and we do not use the -subtree switch
As you can see, the command failed because the OU object contains other objects. So, retry the command with the -subtree and -noprompt switches (we don’t want to confirm each object deletion). This command deletes the specified OU and all users within it.
dsrm "OU=it,OU=users,OU=wroc,DC=testenv,DC=local" -noprompt -subtree
Refresh the ADUC view and you will see that the OU and all users were deleted
And the last example, for the -subtree -exclude switches. We want to delete all sub-OUs of the "wroc" OU but we don’t want to delete the "wroc" OU itself
dsrm "OU=wroc,DC=testenv,DC=local" -noprompt -subtree -exclude
and refresh ADUC once again to see what happened
All sub-OUs were deleted but the top one, from which we ran the deletion process, is still available
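Because -subtree together with -noprompt removes everything below the given DN with no further question, it pays to look before you delete. The script below is an added example written for this post, not code from the original article: it first lists, with the read-only DSQUERY, every object that sits under the OU (the OU itself included), refuses to continue when nothing is found, asks the operator to type back the number of objects shown, and only then runs DSRM. The DN and file name in the usage line are the lab values from this post; the script name safe-dsrm.cmd is an assumption.

```batch
@echo off
rem Added example, not code from the original post: preview what "dsrm -subtree" would
rem remove before running it. Assumes the lab OU of the post as the argument.
rem Usage:  safe-dsrm.cmd "OU=it,OU=users,OU=wroc,DC=testenv,DC=local"
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 "<Distinguished Name of the OU>"
    exit /b 1
)
set "TARGET=%~1"
set "COUNT=0"

rem 1. Dry run with the read-only DSQUERY: list every object at any depth under the OU.
echo Objects that would be deleted under "%TARGET%":
for /f "usebackq tokens=*" %%d in (`dsquery * "%TARGET%" -scope subtree -limit 0`) do (
    echo   %%d
    set /a COUNT+=1
)

rem 2. Refuse to continue when DSQUERY found nothing: a typo in the DN or missing rights.
if %COUNT% EQU 0 (
    echo Nothing found. Check the Distinguished Name.
    exit /b 2
)

rem 3. Explicit confirmation: the operator must type the count that was just displayed.
echo.
set /p ANSWER=Type the number of objects shown (%COUNT%) to confirm deletion: 
if not "%ANSWER%"=="%COUNT%" (
    echo Confirmation mismatch, nothing deleted.
    exit /b 3
)

rem 4. Only now run the destructive command. -noprompt is required here because the DN
rem    comes from a variable rather than from an interactive answer.
dsrm "%TARGET%" -subtree -noprompt
if errorlevel 1 (
    echo dsrm failed with error level %errorlevel%.
    exit /b 4
)
echo Deleted %COUNT% object(s).
endlocal
```

The dry run is the important part: the list DSQUERY prints is exactly the set DSRM will remove, so an unexpected entry (a service account, a child OU you forgot about) is visible while it can still be fixed.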
Author: Krzysztof Pytko
This time, we will learn the first contextless tool, DSMOVE. It operates on an object’s Distinguished Name, so it does not matter what kind of object it is. The tool can do one of these two operations:
- rename an object (its common name)
- move an object within a domain
To start using it, you need to give the Distinguished Name of an object as input, or redirect it over a pipe (|) from another command, and specify the action to perform on the object. When you want to move the object to another place (OU or container) within the domain, you also need to specify the target Distinguished Name of that location (OU or container).
That’s all about the prerequisites for DSMOVE. Let’s check how it works in practice.
In our company, we have the user Ann Smith, who got married and changed her surname. We modified all necessary attributes using DSMOD, but the ADUC console still displays her old name. This is because the DSMOD tool is limited and cannot change the "common name" attribute. For that we need to use DSMOVE with the -newname parameter. This parameter changes the "common name" of the object specified in the syntax. The rename operation is done in place; the object is not moved within the tree structure.
dsmove "CN=Ann Smith,OU=it,OU=users,OU=wroc,DC=testenv,DC=local" -newname "Ann Polack"
dsquery user -name "Ann Smith" | dsmove -newname "Ann Polack"
When you refresh the view in the ADUC console, you see that her name was changed (the "common name" attribute was modified)
All you need to change the "common name" of an object is to specify its new name in the command syntax
The second use of the DSMOVE tool is moving objects within a domain. To move an object from one place to another, you need to specify the object’s Distinguished Name as the first parameter, and the Distinguished Name of the target location as the second.
Let’s check this in practice.
Our company decided to reorganize its OU structure. All IT administrators must be placed within the same OU across the whole company, regardless of their office location. So, the old place for administrators in Wroclaw was "it/users/wroc/testenv.local" and now a new OU is created to which they need to be moved: "all-admins/testenv.local"
To move all users using DSMOVE, use this structure
dsquery user "OU=it,OU=users,OU=wroc,DC=testenv,DC=local" -name * -limit 0 >c:\users.txt
for /f "tokens=*" %i in (c:\users.txt) do dsmove %i -newparent "OU=all-admins,DC=testenv,DC=local"
DSQUERY writes each DN wrapped in double quotes, so "tokens=*" passes the whole quoted line to DSMOVE as is, and all of them will be moved to the new Organizational Unit (OU)
You can also use the DSMOVE tool to move an object to another place with a new name (renaming it at the same time)
dsmove "OU=all-admins,DC=testenv,DC=local" -newparent "OU=it,OU=users,OU=wroc,DC=testenv,DC=local" -newname "admins"
Refresh the domain view in the ADUC console and you will see that there is no "all-admins" OU anymore. When you expand the "wroc" OU and its sub-OUs, you notice that there is a new OU named "admins" under "it"
And one more important thing: when you move an OU to a new location (with a changed name or not), all objects from it are moved as well
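The two-step version above (DSQUERY to a text file, then a for /f loop over the file) works, but in a batch file the same move can be done in one pass, and a check that the destination OU exists avoids one DSMOVE error per user when the DN is mistyped. The script below is an added example for this post, not code from the original article; it assumes the source and target OUs used in the post (the variable and script names are mine).

```batch
@echo off
rem Added example, not code from the original post: move every user found in a source OU
rem to a target OU in one pass, without the intermediate users.txt file.
rem Assumes the lab OUs of the post. Usage: move-admins.cmd
setlocal
set "SRC=OU=it,OU=users,OU=wroc,DC=testenv,DC=local"
set "DST=OU=all-admins,DC=testenv,DC=local"

rem Make sure the destination exists; DSQUERY prints its DN only when it does.
set "FOUND="
for /f "usebackq tokens=*" %%o in (`dsquery ou "%DST%" -scope base 2^>nul`) do set "FOUND=%%o"
if not defined FOUND (
    echo Target OU "%DST%" not found, aborting.
    exit /b 1
)

rem Read the DNs straight from DSQUERY. "tokens=*" keeps the whole line, and DSQUERY
rem already wraps each DN in double quotes, so %%d can be handed to DSMOVE as is.
rem In a batch file the loop variable is written %%d, not %d as on the command line.
set "MOVED=0"
set "FAILED=0"
for /f "usebackq tokens=*" %%d in (`dsquery user "%SRC%" -name * -limit 0`) do (
    dsmove %%d -newparent "%DST%" >nul
    if errorlevel 1 (
        echo FAILED  %%d
        set /a FAILED+=1
    ) else (
        echo moved   %%d
        set /a MOVED+=1
    )
)
echo Moved %MOVED% user(s), %FAILED% failure(s).
endlocal
```

Each DN is reported as moved or failed, so a user that could not be moved (for example because of a permission problem on the target OU) does not get lost silently between the two OUs.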
Author: Krzysztof Pytko
OK, we know how to query AD for objects and how to get some information from them. We also already know how to add a completely new, non-existing AD object. But what if we want to modify some attributes of existing objects in our environment? Do we have that possibility? The answer is YES, we have. For that we need to use the DSMOD tool, which allows changing an object’s attributes. This tool doesn’t allow changing any arbitrary attribute, only those predefined in it. How to check what we can modify using this tool? It’s simple; in the command line type
dsmod <context> /?
and we receive all possible attributes to modify within that particular context.
Why would we want to use DSMOD in our environment? I can do all those things in the Active Directory Users and Computers console much more simply and faster. Actually, that’s true for a single object. But what if we need to modify hundreds of user/group attributes, or we want to add many users to a domain group? Is it still convenient to use the ADUC console? In most cases, yes 🙂 But you may also wish to do that using command-line tools. Then the DSMOD tool comes to help.
Let’s see what DSMOD offers us to simplify AD object management.
There is only one attribute in DSMOD which cannot be modified using ADUC by default. This attribute is "Employee ID". However, it’s not a big problem to implement a solution allowing employee ID changes using the GUI. Please visit Mike’s blog; there is a great entry for that ("Add Employee ID field – ADUC")
But going back to the command-line tool, let’s try to modify the employee ID of a single user with DSMOD
dsmod user "CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local" -empid "PL1230987"
After executing this command, the employee ID of the user Krzysztof Pytko in the testenv.local domain will be changed to PL1230987
So, what if we don’t want to type the whole Distinguished Name of a user? Then we can use DSQUERY together with DSMOD.
dsquery user -name "Krzysztof Pytko" | dsmod user -empid "PL1230987"
Now, it’s time to see if this attribute was really modified. Run this command to verify
dsquery user -name "Krzysztof Pytko" | dsget user -empid
That was simple; we had only one user to modify. What if our HR department gives us a list with a lot of users? This is not a big problem. We only need to prepare a text file with an attribute separator to tell the command-line script how to treat the values within the file. The simplest way to achieve that is to separate the user’s full name from the employee ID with a comma character (,). The file can look like this
This file can be saved on the C drive as empIDs.txt and then, in the command line, use
for /f "tokens=1,2 delims=," %i in (c:\empIDs.txt) do dsquery user -name "%i" | dsmod user -empid %j
OK, but what do all of those parameters mean?
- for /f – we need a loop to repeat the command for each user object. With the /f switch, the loop command works with file(s)
- "tokens=1,2 delims=," – in our text file we have two values, the user’s full name and the employee ID. We need to declare how the variables will be used in the syntax. We declared 2 variables, which are separated in the file by a comma (,)
- %i – the first variable, from which we start the declaration
- in (c:\empIDs.txt) – search for values of the declared variables in the file empIDs.txt located on the C drive
- do – start executing the command in the loop
- dsquery user -name "%i" – do an AD query for the user object named with the value of the %i variable. %i stores the full name, which contains a space, so we need to place it in quotes
- | – redirect the DSQUERY output to another command
- dsmod user -empid %j – modify the user’s employee ID. The user’s Distinguished Name was received from the pipe (|) of the previous command. The %j variable stores the employee ID value from the text file
That’s all about modifying user objects in AD. Other attributes can be changed in a similar way, or you can use the ADUC console for that.
Note: DSMOD is a limited tool, and you must remember that when you change a user’s name in Active Directory, the common name (CN) is not changed by that operation. To change the CN you need to use the DSMOVE tool.
Now, let’s see how we can add many users to a single domain group, or one user to many domain groups.
To add a user to a domain group we can use this syntax
dsmod group "<Distinguished Name of a group>" -addmbr "<Distinguished Name of a user>"
dsmod group "CN=gg-it-wroc-common,OU=groups,OU=wroc,DC=testenv,DC=local" -addmbr "CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local"
Now, the user Krzysztof Pytko is added to the gg-it-wroc-common domain group. OK, but we can simplify this in two ways, using the output of the DSQUERY command. Let’s see how it looks
- we query for the user object and redirect its DN to the DSMOD command
dsquery user -name "Krzysztof Pytko" | dsmod group "CN=gg-it-wroc-common,OU=groups,OU=wroc,DC=testenv,DC=local" -addmbr
- we query the domain for the group object and redirect its DN to the DSMOD command
dsquery group -name gg-it-wroc-common | dsmod group -addmbr "CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local"
We can see that we can replace one "static" DN in the syntax and get its value from the pipe output. Based on that, we can prepare a script to get users from a text file and add them to one domain group (gg-it-wroc-common). In this case our users text file contains only logins and is located on the C drive as users.txt.
for /f %i in (c:\users.txt) do dsquery user -samid %i | dsmod group "CN=gg-it-wroc-common,OU=groups,OU=wroc,DC=testenv,DC=local" -addmbr
This time we don’t need to declare more variables because we use only one. As you can see, all users from the text file were added to the gg-it-wroc-common group
OK, now we will add one user to many domain groups using a similar concept. This time the text file contains domain group names instead of users, and is saved on the C drive as groups.txt
for /f %i in (c:\groups.txt) do dsquery group -samid "%i" | dsmod group -addmbr "CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local"
At the end, I will explain the difference between the -addmbr and -chmbr switches
- -addmbr – when your domain group has members and you only want to add another user(s), preserving the existing ones, use this switch
- -chmbr – when your group has members and you want to replace the existing membership (overwrite) with the new members only, this switch is appropriate
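The employee-ID loop and the group-membership loop above both rely on one thing: that "dsquery user -name" returns exactly one DN per line of the input file. When two accounts share a display name, the pipe happily modifies both. The script below is an added example for this post, not code from the original article, and it serves both procedures: for each "Full Name,EmployeeID" line it resolves the DN once, skips the line unless exactly one user matched, sets the employee ID, adds the user to gg-it-wroc-common, and reads both values back with DSGET. The group DN and the empIDs.txt layout are the ones used in the post; the sample lines written when the file is missing are constructed.

```batch
@echo off
rem Added example, not code from the original post: for each "Full Name,EmployeeID" line
rem in the input file, set the employee ID with DSMOD, add the user to gg-it-wroc-common,
rem and read both values back with DSGET. Assumes the lab domain and group DN of the post.
setlocal enabledelayedexpansion
set "INPUT=c:\empIDs.txt"
set "GROUP=CN=gg-it-wroc-common,OU=groups,OU=wroc,DC=testenv,DC=local"

rem Constructed sample input, written only when no file exists yet.
if not exist "%INPUT%" (
    >"%INPUT%" echo Krzysztof Pytko,PL1230987
    >>"%INPUT%" echo Ann Polack,PL1230988
)

for /f "usebackq tokens=1,2 delims=," %%i in ("%INPUT%") do (
    rem Resolve the DN once and make sure the display name is unique before changing anything.
    set "DN=" & set "HITS=0"
    for /f "usebackq tokens=*" %%d in (`dsquery user -name "%%i" -limit 0`) do (
        set "DN=%%d" & set /a HITS+=1
    )
    if !HITS! NEQ 1 (
        echo SKIP  "%%i": !HITS! matching user objects, expected exactly 1
    ) else (
        rem DSQUERY already quotes the DN, so the DN variable goes to DSMOD and DSGET directly.
        dsmod user !DN! -empid "%%j" >nul && dsmod group "%GROUP%" -addmbr !DN! >nul
        if errorlevel 1 (
            echo FAIL  "%%i"
        ) else (
            echo OK    "%%i" - verifying:
            dsget user !DN! -samid -empid
            dsget user !DN! -memberof | findstr /i /c:"gg-it-wroc-common" >nul || echo WARN  "%%i" is not a direct member of the group
        )
    )
)
endlocal
```

The verification step is cheap and catches the two usual surprises: DSMOD reporting success on a different account than intended, and a group add that "succeeded" but was applied to the wrong object.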
Author: Krzysztof Pytko
Today, I would like to introduce the DSADD tool. This is the first tool among those we have got to know which makes changes in the Active Directory database. Its role is new object creation only (as its name suggests). Using it, we can create non-existing object(s) in Active Directory, but we cannot modify them.
When you have one new user to create, it’s much simpler and faster to do that in the Active Directory Users and Computers console. But what if you have to create many users in a short time, or a new user needs to be added to many groups in Active Directory? Then you may use DSADD for that. It’s a really good tool for adding many users in a very short time. You can also use it to prepare user templates for the departments in your company as simple scripts. We will go through both cases in this article.
DSADD, like the previous tools, requires the appropriate syntax to start working. Which parameters we can use with this tool we can see by reading its help. Some parameters can be omitted because they are not important for new object creation or they are used with default values, but some are required to create the object properly. So, first of all, let’s see what parameters are available for DSADD in the user context
dsadd user /?
OK, now we will try to create John Doe, a new user in the wroc/users/it OU in the testenv.local domain
For that, we will use the minimum of required parameters in the DSADD syntax
dsadd user "CN=John Doe,OU=it,OU=users,OU=wroc,DC=testenv,DC=local" -samid jdoe -upn jdoe@testenv.local -fn John -ln Doe -display "John Doe" -pwd InitialPassword -memberof "CN=gg-it-common,OU=groups,OU=wroc,DC=testenv,DC=local" "CN=gg-it-wroc-common,OU=groups,OU=wroc,DC=testenv,DC=local" -hmdrv P: -hmdir \\FS01\Private\jdoe -loscr logon.vbs -mustchpwd yes
and we can see that John Doe was created under the specified path in Active Directory with the predefined attributes
OK, let’s see what these parameters do, step by step
- dsadd user – add a new user object in AD
- "CN=John Doe,OU=it,OU=users,OU=wroc,DC=testenv,DC=local" – Distinguished Name of the new user object (Remember! Each DS Tool always requires a DN to start working!). The DN specifies what must be created and where.
- -samid jdoe – create the user login jdoe
- -upn jdoe@testenv.local – create the User Principal Name
- -fn John – set the First Name to John
- -ln Doe – set the Last Name (surname) to Doe
- -display "John Doe" – set the Display Name to First Name and Last Name
- -pwd InitialPassword – set the initial password for the user (by default the Domain Password Policy doesn’t allow creating a user with a blank password)
- -memberof – all groups to which the new user should be added (all groups must be given in Distinguished Name format; you may specify as many groups as you need, separated by <space>)
- -hmdrv P: – set the user’s home drive to the P drive in the AD profile
- -hmdir \\FS01\Private\jdoe – specify the user’s home folder location
- -loscr logon.vbs – assign a logon script to the user
- -mustchpwd yes – force a password change at first logon
That was simple for one user. What if we want to create many users in the same department, or we want to have a template for a new user, e.g. for the IT department? This is also simple, but requires a few changes in the syntax.
Let’s see what we have to do to prepare an IT department template for a new user:
dsadd user "CN=%1 %2,OU=it,OU=users,OU=wroc,DC=testenv,DC=local" -samid %3 -upn %3@testenv.local -fn %1 -ln %2 -display "%1 %2" -pwd InitialPassword -memberof "CN=gg-it-common,OU=groups,OU=wroc,DC=testenv,DC=local" "CN=gg-it-wroc-common,OU=groups,OU=wroc,DC=testenv,DC=local" -hmdrv P: -hmdir \\FS01\Private\%3 -loscr logon.vbs -mustchpwd yes
Save this syntax as a batch file with a cmd or bat extension (e.g. IT-dept.cmd) and check the explanation below of how to use it
In the command line, type the batch file name followed by three parameters:
- %1 – First Name
- %2 – Last Name
- %3 – user login
That’s all you need to specify if you want to create a new user for the IT department
IT-dept.cmd Ann Smith asmith
and you will see that the new user (Ann Smith) was created in the wroc/users/it OU
Prepare as many templates as you need for the departments in your organization. I know that’s a lot of work, but it is a one-time action; after that you can create new users in your environment simply and quickly.
Now, it’s time for bulk user creation in a domain. That’s also simple. It requires only small changes in the previous script (template) and an input file. Let’s see what we can do
First of all, we need to prepare a text file with the necessary data. It must be a flat text file, because DS Tools don’t support CSV or other file formats. Three arguments are necessary
- First Name
- Last Name (surname)
- User login
OK, put this necessary information into Notepad and save it on the C drive as new-users.txt
After that, create a new file in which you put this modified script content
for /f "tokens=1-3" %%i in (c:\new-users.txt) do dsadd user "CN=%%i %%j,OU=it,OU=users,OU=wroc,DC=testenv,DC=local" -samid %%k -upn %%k@testenv.local -fn %%i -ln %%j -display "%%i %%j" -pwd InitialPassword -memberof "CN=gg-it-common,OU=groups,OU=wroc,DC=testenv,DC=local" "CN=gg-it-wroc-common,OU=groups,OU=wroc,DC=testenv,DC=local" -hmdrv P: -hmdir \\FS01\Private\%%k -loscr logon.vbs -mustchpwd yes
and save it in the same place as the new-users.txt file (e.g. as bulk-it.cmd)
Now, you only need to run this batch file from the command line; all attributes will be pulled from the text file. You can use another variable convention in your script. I started using i as the first variable in the syntax, but you can start with any letter you wish, even a. The following tokens use the next letters in alphabetical order.
And just for verification, let’s look at the Active Directory Users and Computers console to see if these users were created in the wroc/users/it OU
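One thing the one-line bulk-it.cmd does not handle is a second run: DSADD fails on every login that already exists, and a malformed line (a missing login) produces an object with an empty sAMAccountName argument. The script below is an added example for this post, not code from the original article; it keeps the same "FirstName LastName login" file layout, the same OU, groups and FS01 share as the post, and adds a per-line check with DSQUERY so existing logins are skipped and the result of every line is reported. The sample lines written when the file is missing are constructed.

```batch
@echo off
rem Added example, not code from the original post: bulk-create IT users from a flat file
rem with "FirstName LastName login" per line, skipping logins that already exist so that a
rem re-run never stops halfway. Assumes the lab DNs and the FS01 share used in the post.
setlocal enabledelayedexpansion
set "INPUT=c:\new-users.txt"
set "OU=OU=it,OU=users,OU=wroc,DC=testenv,DC=local"
set "GRP1=CN=gg-it-common,OU=groups,OU=wroc,DC=testenv,DC=local"
set "GRP2=CN=gg-it-wroc-common,OU=groups,OU=wroc,DC=testenv,DC=local"

rem Constructed sample input, written only when no file exists yet.
if not exist "%INPUT%" (
    >"%INPUT%" echo Ann Smith asmith
    >>"%INPUT%" echo John Doe jdoe
)

for /f "usebackq tokens=1-3" %%i in ("%INPUT%") do (
    rem All three fields are required; a line with fewer tokens leaves %%k empty.
    if "%%k"=="" (
        echo SKIP  malformed line: %%i %%j
    ) else (
        rem Is the login already taken? DSQUERY prints the existing DN when it is.
        set "EXISTS="
        for /f "usebackq tokens=*" %%d in (`dsquery user -samid "%%k" -limit 1`) do set "EXISTS=%%d"
        if defined EXISTS (
            echo SKIP  %%k already exists as !EXISTS!
        ) else (
            dsadd user "CN=%%i %%j,%OU%" -samid %%k -upn %%k@testenv.local -fn %%i -ln %%j -display "%%i %%j" -pwd InitialPassword -memberof "%GRP1%" "%GRP2%" -hmdrv P: -hmdir \\FS01\Private\%%k -loscr logon.vbs -mustchpwd yes >nul
            if errorlevel 1 (echo FAIL  %%k) else (echo OK    %%k created in %OU%)
        )
    )
)
endlocal
```

Run it twice and the second pass reports every login as SKIP instead of a wall of DSADD errors, which makes it safe to re-run after fixing a single bad line in new-users.txt.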
Author: Krzysztof Pytko
We know how to use the DSQUERY command for a context search or for a more advanced LDAP query. Now, we will learn how to use DSGET to request object attributes. This command can be used in "standalone" mode or in piped mode with DSQUERY. It also works in read-only mode, like the previously discussed tool, so we cannot destroy anything in the environment. DSGET is not as powerful as DSQUERY, but it’s also good if we want to easily get some object attributes.
For this command, Microsoft defined parameters which request the values of object attributes; we cannot form our own LDAP query. DSGET is limited, but still enough for many daily requests in Active Directory management. Let’s see what we can do with it
DSGET has the same contexts as the other DS Tools, so we should remember them from the previous article. If not, here is a short overview: computer, contact, subnet, group, ou, site, server, user, quota, partition.
In this article we will discuss only two of them: user and group
Let’s start with the user context. As you remember, to get more detailed help for a context of a DS tool, you need to use
<DS Tool name> <context name> /?
dsget user /?
and now we can see what it is possible to get from a user object by running a DSGET query:
I don’t remember if I mentioned it before (if not, this is a good place for it): DS Tools require the Distinguished Name of an object to start a query. That’s always the first value which must be given in the syntax!
Let’s start by getting some details of the user "Krzysztof Pytko". The user is located in the "wroc/users/it" OU under the testenv.local domain
For a start, we want to get the user’s First Name, Last Name and login.
The syntax for the query should look like this:
dsget user "CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local" -samid -fn -ln
simple, isn’t it? 😉
Now, we will request more information from this user object. Let’s see what is displayed as output
dsget user "CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local" -samid -upn -fn -ln -display -desc -email -hmdrv -hmdir -loscr -mustchpwd -canchpwd -pwdneverexpires -disabled -acctexpires
Oh, what a mess! How can I read anything from this output? Yes, that’s true: we requested too many attributes and the output is not readable. In this case we can solve the problem by redirecting the command’s output to a flat text file. At the end of the previous syntax add >c:\user-info.txt
dsget user "CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local" -samid -upn -fn -ln -display -desc -email -hmdrv -hmdir -loscr -mustchpwd -canchpwd -pwdneverexpires -disabled -acctexpires >c:\user-info.txt
Now, open the text file in Notepad, disable word wrapping and review the output. It’s much more readable!
Another use of DSGET in the user context is to get all of a user’s group memberships. For that you need to use different parameters. Let’s try to get Krzysztof Pytko’s group membership
dsget user "CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local" -memberof
We can see Krzysztof Pytko’s group membership. What if some groups are members of other groups (nested membership)? We don’t see that using only the -memberof switch. For that we have to use one more parameter, -expand. Then all group memberships will be displayed
dsget user "CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local" -memberof -expand
The above command returns all groups of which the user is a member, directly or through nesting.
OK, everything looks pretty good, but do I have to specify the Distinguished Name of a user each time to run the queries one by one? NO! As you remember, I mentioned piped mode. By default DSQUERY returns the DN of an object. Let’s try to use a combination of DSQUERY and DSGET
dsquery user -name "Krzysztof Pytko" | dsget user -samid -fn -ln -display
So, we used DSQUERY to search for the user object "Krzysztof Pytko" and we received the Distinguished Name of that object. Instead of displaying this DN on the screen as usual, we piped it to another command using the pipe "|" character. As you noticed, in the DSGET command the Distinguished Name of the user is missing. In its place, the tool uses the "piped value" received from the previous command and displays the requested attribute values (user login, First Name, Last Name and Display Name).
Now, we run the query for all user accounts in the domain
dsquery user -name * -limit 0 | dsget user -samid -fn -ln -display
Following the above syntax, we can also use a text file with user logins to get their basic details. Prepare a flat text file with user logins, each on a separate line, and save it on the C drive as users.txt. From the command line run this query
for /f %i in (c:\users.txt) do dsquery user -samid %i | dsget user -samid -fn -ln -display
Thanks to this query, you get details only for a selected set of users, not for all users in the whole domain.
That’s all about the DSGET user context. It’s time to see what we can do using the group context.
Actually, there is no big difference from the previous context, just other switches but the same idea. It can be used similarly to the user context. I will only show you how to get all group members and then display their login, First Name, Last Name and Display Name. Let’s try to run this query
dsquery group -name "gg-all-sites-admins" | dsget group -members -expand | dsget user -samid -fn -ln -display
You will receive all users which are members of this group (gg-all-sites-admins)
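The -members -expand pipeline is exactly what you want when reviewing who really holds the rights of a privileged group, because nested groups are where unexpected members hide. The script below is an added example for this post, not code from the original article: it resolves the group DN, walks the expanded membership, keeps only the DNs that DSQUERY confirms are user objects (the expanded list can also contain group DNs, which dsget user cannot process), and prints login, display name and the disabled flag for all of them in one table saved to a file. The group name is the one from the post; the temp and output file names are assumptions.

```batch
@echo off
rem Added example, not code from the original post: audit a privileged group. Collects every
rem user that is a member of gg-all-sites-admins directly or through nested groups, then
rem prints login, display name and disabled flag for all of them in one table.
rem Assumes the group name used in the post; the file names are arbitrary.
setlocal
set "GRP=gg-all-sites-admins"
set "DNS=%TEMP%\%GRP%-user-dns.txt"
set "OUT=c:\%GRP%-members.txt"

rem Step 1: resolve the group DN. DSQUERY prints nothing when the group does not exist.
set "GRPDN="
for /f "usebackq tokens=*" %%g in (`dsquery group -name "%GRP%" -limit 1`) do set "GRPDN=%%g"
if not defined GRPDN (
    echo Group %GRP% not found.
    exit /b 1
)

rem Step 2: -expand walks nested groups. Its output may also contain group DNs and status
rem text, which "dsget user" cannot process, so every line is re-checked with a base-scope
rem "dsquery user": only real user objects are echoed back and kept.
type nul > "%DNS%"
for /f "usebackq tokens=*" %%m in (`dsget group %GRPDN% -members -expand`) do (
    for /f "usebackq tokens=*" %%u in (`dsquery user %%m -scope base 2^>nul`) do >>"%DNS%" echo %%u
)

rem Step 3: one DSGET call for the whole list, written to a file for review.
type "%DNS%" | dsget user -samid -display -disabled > "%OUT%"
echo Effective user members of %GRP% written to %OUT%:
type "%OUT%"
del "%DNS%"
endlocal
```

A disabled account that still appears in this list is harmless today but becomes a problem the moment someone re-enables it, so the -disabled column is worth keeping in the report.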
Author: Krzysztof Pytko
DSQUERY is one of the most powerful tools, which can be used to query any existing object within any domain in a forest.
It can be run in one of two available modes
- standard predefined context (basic query)
- LDAP syntax (more advanced query)
The first one is limited and it’s mostly used in cooperation with other DS Tools. DSQUERY always returns the Distinguished Name of a queried object. That’s its only purpose in any context search. There is no possibility of changing any object’s attribute using the DSQUERY command. So, don’t worry, you cannot break anything in the environment using it!
You may ask "What’s so great about this tool if it can only return the DN of an object?" At this point the answer is not obvious, but for those who have used it at least once with other DS commands (e.g. DSGET) it’s one of the greatest tools for simplifying life. It will become much clearer a little later, when we use it in "piped" mode.
Let’s check what contexts are available for that command. Each time you want to get help for DSQUERY, run in the command line
dsquery /?
and you will receive an output where you can find these contexts: computer, contact, subnet, group, ou, site, server, user, quota, partition and *
The last one, * (asterisk), is used for more advanced queries (using LDAP syntax), which will be discussed later in this article.
The most frequently used contexts are computer, user, group and server. We use them almost every day in Active Directory management. Let’s look at these a little closer to understand how to get them working.
We start the explanation with the user context of the DSQUERY tool only. The rest work the same way. It’s time to check what we can request using that context. First of all, we will review its help by running in the command line
dsquery user /?
After typing this in the command line, we received all available switches to use in the syntax. This may look scary, but don’t worry, we will discuss all the necessary parts here. You need only a couple of minutes to understand them all.
Like each command-line tool, DSQUERY also requires some parameters to start working. At least one parameter must be given to start querying Active Directory for object(s). The most basic is the -name parameter, whose meaning is equal to the "Name" column in the "Active Directory Users and Computers" console
OK, let’s try to run our first DSQUERY syntax in the command line for the "Krzysztof Pytko" user object
dsquery user -name "Krzysztof Pytko"
Why put the user’s full name in quotes? Because it’s a necessary part of the syntax if the object name contains a space.
REMEMBER! In each command-line tool where you need to place an object name containing a space, you have to put it within quotes "" to get it working properly!
and after typing that, review the output
Do you remember when I said that the DSQUERY tool in context mode always returns the Distinguished Name of an object? Now you see that’s true! The output of the typed command is
"CN=Krzysztof Pytko,OU=it,OU=users,OU=wroc,DC=testenv,DC=local"
OK, but this output is not very valuable for us. Very little information can be read from this string:
- the object’s common name – CN=Krzysztof Pytko
- the Organizational Unit (OU) location of that object – OU=it,OU=users,OU=wroc (wroc/users/it)
- and the domain in which the object exists – DC=testenv,DC=local (testenv.local)
What about other attributes? Actually, there is no way to get more using the context mode of DSQUERY. Once again, as I said, the output is the DN of an object. If you want to get more details, you need to use DSQUERY in "piped" mode.
That was the simplest syntax for querying a user object in a domain. What if we want to find more users matching common search criteria? Then we can use the * (asterisk) character, which means:
- at the beginning of the string – find everything ending with the specified string (e.g. *Pytko finds all users with the Pytko string at the end or, simply put, all users with the surname Pytko in the domain)
- at the end of the string – find everything beginning with the specified string (e.g. Krzysztof* finds all users starting with the Krzysztof string or, simply put, all users with the first name Krzysztof in the domain)
- at the beginning and at the end of the string – find everything containing the specified string (e.g. *Krzysztof* finds all users with the Krzysztof pattern anywhere in the name)
The syntax for all users whose surname is Pytko
dsquery user -name *Pytko
returns all matching user objects found in the domain.
OK, what if we want to find all users in a domain? Then, instead of typing a name to find, put the * (asterisk) character
dsquery user -name *
The output is limited to the first 100 entries found (default limit). If you really want to display all users, you need to specify the -limit 0 parameter at the end of the command
dsquery user -name * -limit 0
Now you have listed all users in the domain in which the query was run (by default the query is performed in the domain from which it was initiated).
Another possible way to search for users is the -samid parameter. Using it, you can query a domain for a particular user login
dsquery user -samid iSiek
and, like the previous parameter, you can query all user logins with the * (asterisk) character
dsquery user -samid * -limit 0
Similarly to the previous command, you get all users in the domain
So, let’s try to experiment a little more with DSQUERY user in your environment. Don’t worry, you cannot destroy anything!
The second use of DSQUERY is more powerful. You can query for any object attribute and get its value. For that you need to use generic LDAP queries. To start performing LDAP queries you need to know the DSQUERY syntax and a little more about object classes and categories.
To start an LDAP query you need to use this syntax
dsquery * -filter "(&(objectClass=objectClass)(objectCategory=objectCategory))" -attr AttributesListToQuery
The whole filter is one parenthesized LDAP expression; the leading (& combines the conditions inside it.
The most common classes and categories used in LDAP queries are:
- for a user object (objectClass=User)(objectCategory=Person)
- for a computer object (objectClass=Computer)(objectCategory=Computer)
- for a group object (objectClass=Group)(objectCategory=Group)
Using this DSQUERY method for getting object attributes, you can get everything you want. OK, but you may ask: how can I find the LDAP attribute names to be able to start querying a domain? You have a few ways; one of them is to search the Internet and the second is to create a sample query to get all populated attributes of the object.
You can find user LDAP attributes here
You can find group LDAP attributes here
When you check both links above, you will be able to get any of them.
The other method I mentioned is using a sample query. Let’s try to do this for a user object.
In this example we use an existing user login (iSiek) to get all its attributes. We need to know that the LDAP attribute for the user login is sAMAccountName. When you skip (sAMAccountName=iSiek) in the syntax, you request all attributes of 100 users in the domain. If you want to do that for all users, remember that you have to add -limit 0 at the end of the syntax
Run this query in the command line
dsquery * -filter "(&(objectClass=User)(objectCategory=Person)(sAMAccountName=iSiek))" -attr *
This query requests all LDAP attributes of the iSiek user. Please notice that each LDAP attribute is on the left side of the colon (:) character, whereas the attribute’s value is on the right side of the colon (:).
If you wish to use only a few of them, then instead of the * character use the LDAP attribute name. When you want to get more than one attribute, separate them using <space>
To get only the First Name, Last Name and user login, use this structure
dsquery * -filter "(&(objectClass=User)(objectCategory=Person)(sAMAccountName=iSiek))" -attr givenName sn sAMAccountName
I hope that this article helped you with basic DSQUERY understanding, and now you can practice yourself in your test/production environment. Once again, don’t worry, DSQUERY works in read-only mode and you cannot break anything. Good luck!
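The -filter syntax becomes really useful once the filter tests something the context mode cannot express. As an added example for this post (not code from the original article), the script below runs three read-only audit queries over the whole domain and writes them to one report file: enabled accounts whose password never expires, disabled accounts that are still members of some group, and accounts with an employee ID set, for reconciliation with HR. The flag tests use the standard LDAP bitwise-AND matching rule on userAccountControl (OID 1.2.840.113556.1.4.803; bit 2 means "account disabled", bit 65536 means "password never expires"), which is an ordinary LDAP feature and not specific to this post. The output file name is an assumption.

```batch
@echo off
rem Added example, not code from the original post: three audit queries written with the
rem "dsquery * -filter" LDAP syntax. The userAccountControl tests use the LDAP bitwise-AND
rem matching rule (OID 1.2.840.113556.1.4.803): 2 = account disabled, 65536 = password never expires.
rem All queries are read-only. The output file name is arbitrary.
setlocal
set "OUT=c:\user-audit.txt"
set "USERS=(objectClass=user)(objectCategory=person)"

rem setlocal without delayed expansion keeps the "!" of the LDAP NOT operator literal.
(
    echo === Enabled accounts whose password never expires ===
    dsquery * domainroot -filter "(&%USERS%(userAccountControl:1.2.840.113556.1.4.803:=65536)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -attr sAMAccountName displayName pwdLastSet -limit 0

    echo === Disabled accounts that are still members of some group ===
    dsquery * domainroot -filter "(&%USERS%(userAccountControl:1.2.840.113556.1.4.803:=2)(memberOf=*))" -attr sAMAccountName memberOf -limit 0

    echo === Accounts with an employee ID set, for reconciliation with HR ===
    dsquery * domainroot -filter "(&%USERS%(employeeID=*))" -attr sAMAccountName employeeID -limit 0
) > "%OUT%"

echo Report written to %OUT%
type "%OUT%"
endlocal
```

Each query is the generic syntax from this article with the class/category pair for users, plus one extra condition; the same pattern works for computers or groups by swapping the pair listed above and the attribute being tested.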
Author: Krzysztof Pytko
Many people are afraid of using Microsoft DS Tools. They think that those command-line tools are very complicated and difficult to understand and use. This can be true, but (in my opinion) only for a couple of minutes. After a short time of using them, everything becomes clearer.
I’m a big fan of these tools and I will try to explain how to use them painlessly 🙂
First of all, to be able to use Microsoft DS Tools, you need to log on to a Domain Controller or install the Administrative/RSAT Tools on the workstation or member server from which you want to use them. To install the tools, you need local administrative privileges on the client machine, but to use them you only need to be an "Authenticated User" in the domain in which you want to run a query.
DS Tools can cooperate with each other. That means you can pipe the output of one command into another. To use a pipe, you have to separate the two commands with the pipe "|" character. Basically, the output of one command becomes the input of the next one.
Microsoft DS Tools contain these commands:
- dsquery (to query for existing objects in a domain)
- dsget (to get attributes from existing objects in a domain)
- dsadd (to add new objects in a domain)
- dsmod (to modify existing objects in a domain)
- dsmove (to move existing objects in a domain)
- dsrm (to remove existing objects in a domain)
The above commands are available in all editions of Windows Server 2003 and Windows Server 2008/2008 R2.
From Windows Server 2008 we also have a few more tools in the package:
- dsac (Active Directory Administrative Center)
- dsacls (to display/modify ACL of existing objects in a domain)
- dsamain (to review AD database backup)
- dsdbutil (to perform AD database management)
- dsmgmt (to manage AD application partitions, FSMO management and metadata cleanup)
For more detailed help on a particular command, run
<DS-Tool> /?
i.e. -> dsquery /?
You will see all available contexts for that command. To get more detailed help for a context, you need to run
<DS-Tool> <context> /?
i.e. -> dsquery user /?
So, you may ask yourself, "What is their purpose?"
When you need to get some object details that are difficult to get using the standard GUI tools, you can use them; or if you need to get attributes or create/modify many objects in very few steps, then DS Tools come to help.
So, try practicing getting help for these commands and their contexts now. We will discuss DS Tools usage in the next posts.
Let’s start a new friendship, a friendship with Microsoft DS Tools! 😀
Author: Krzysztof Pytko