DSQuery Command Line Tool for Active Directory 2003
New DS built-in tools for Windows Server 2003
At last I have found a real useful member of the DS family of utilities. If I need to find a user quickly from the command prompt, I call for DSQuery.
Let us find how many Organizational Units are there in your domain? This command will produce a listing of all OUs with this command.
dsquery ou dc=mydom,dc=com
Note 1: dc does NOT mean domain controller, it means domain context.
Note 2: The dc commands are not case sensitive, but they dislike spaces.
Note 3: If you haven't got any OUs (Organizational Units), I seriously suggest that you create some to organize your users.
Note 4: Best of all, in this scenario, you can substitute domainroot for dc=cp.
In this DSQuery example we just want to trawl the users folder and find out who is in that container.
dsquery user cn=users,dc=cp,dc=com
Note 1: The default users' folder is actually a container object called cn=users. My point is if you try ou=users, the command fails.
Note 2: I queried users, however dsquery requires the singular user, not userS. Other objects that you can query are computer (not computers!), group or even contact.
Challenge 1: Substitute OU=xyz for cn=users, where xyz is the name of your OU. Unfortunately, cn=users domainroot does not work.
Challenge 2: Substitute computer for user
Import users from a spreadsheet. Just provide a list of the users with their fields in the top row, and save as .csv file. Then launch this FREE utility and match your fields with AD's attributes, click and import the users.
Optionally, you can provide the name of the OU where the new accounts will be born. Download your FREE bulk import tool.
If you need more comprehensive software, download a free trial of SAM (Server & Application Monitor)
Suppose you want to list all of your domain controllers, (not computers). Which command do you think would supply the information?
Note 1: Amazingly, dsquery server, the simplest command get the job done.
Note 2: I thank Jim D for pointing out that we want here is the singular 'server'.
Here is a wonderful command to find the FSMO roles (Flexible Single Master Roles) -hasfsmo. The arguments, which correspond to the 5 roles are: schema, rid, name, infr and pdc.
dsquery server -hasfsmo schema
Note 1: The command is -hasfsmo not ?hasfsmo as in some documents.
This DSQuery example shows two ways to filter your output and so home in on what you are looking for. Let us pretend that we know the user's name but have no idea which OU they are to be found. Moreover, we are not sure whether their name is spelt Smith, Smithy or Smithye.
dsquery user domainroot -name smith*
Note 1: Remember to type the singular user.
Note 2: Probably no need to introduce *, you probably realize it's a wildcard.
Note 3: -name is but one of a family of filters. -desc or -disabled are others.
I like the Permissions Monitor because it enables me to see quickly WHO has permissions to do WHAT. When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, takes into account network share access, then displays the results in a nifty desktop dashboard!
Think of all the frustration that this free utility saves when you are troubleshooting authorization problems for users access to a resource. Give this permissions monitor a try - it's free!
The purpose of -o rdn is to reduce the output to just the relative distinguished name. In a nutshell rdn strips away the OU=, DC= part which you may not be interested in.
dsquery user -name smith* -o rdn
Note 1: o is the letter oh (not a number). In my minds eye o stands for output.
Note 2: There is a switch -o dn, but this is not a switch I use.
Summary - DSQuery
Knowledge is power. The DS family in general and DSQuery in particular, are handy commands for interrogating Active Directory from the command line. Perhaps the day will come when you need to find a user, computer or group without calling for the Active Users and Computers GUI. Next try DSGet.
If you like this page then please share it with your friends
See more of the DS family of built-in Active Directory utilities