Tech, Gadgets, Photography, Social Media and Poor Spelling

Sometimes, just sometimes Windows Amazes Me.. dsquery

As a systems administrator I'm that one who prefers *nix to *dows systems; I love the command line and what I can do with it. I forget sometimes, however, just how powerful the Windows command line can be if you need it to be.

Today I had a need to find out the complete LDAP path on an AD server for a group, which I know can be done using the AD GUI tools; however, it's a bit of a kludge to get that working. A bit of googling found a really useful command, and I do mean a REALLY useful command, if you are a sysadmin of a Windows 2008 AD network.

Windows command dsquery

Dsquery is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use dsquery, you must run the dsquery command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

The technical bit…

dsquery * [{<StartNode> | forestroot | domainroot}] [-scope {subtree | onelevel | base}] [-filter <LDAPFilter>] [-attr {<AttributeList> | *}] [-attrsonly] [-l] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumberOfObjects>] [{-uc | -uco | -uci}]

To display, in table format, the Security Accounts Manager (SAM) account names, user principal names, and departments of all users in the current domain whose SAM account names begin with “Jon”, type:

dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(sAMAccountName=Jon*))" -attr sAMAccountName userPrincipalName department
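That filter only works because the three items are wrapped in an AND (the leading & inside the outer parentheses); a filter of the form ((objectCategory=Person)(objectClass=User)(sAMAccountName=Jon*)) is rejected as malformed. The Python below is an added example, not code from the original post: it builds the same filter from a search prefix, escapes the characters RFC 4515 reserves so that a prefix taken from user input cannot splice extra clauses into the filter, and performs a minimal structure check that catches the missing operator. The function names are this example's own.

```python
# Added example: build and sanity-check the LDAP filter used by the dsquery
# line above. Function names are this example's own, not dsquery's.

_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it is treated as literal text.

    Without this, a value such as  Jon*)(objectClass=*  taken from user input
    would splice an extra clause into the filter (LDAP injection).
    """
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def user_filter(sam_prefix: str) -> str:
    """Same filter as the dsquery example: users whose sAMAccountName starts with sam_prefix."""
    escaped = escape_filter_value(sam_prefix)
    # Note the leading '&': the three items must be wrapped in an AND filter.
    return f"(&(objectCategory=Person)(objectClass=User)(sAMAccountName={escaped}*))"


def dsquery_command(sam_prefix: str,
                    attrs=("sAMAccountName", "userPrincipalName", "department")) -> str:
    """The complete dsquery command line for the filter above."""
    return f'dsquery * domainroot -filter "{user_filter(sam_prefix)}" -attr {" ".join(attrs)}'


def is_valid_filter(flt: str) -> bool:
    """Minimal RFC 4515 structure check: each item is (attr=value), (&...), (|...) or (!...).

    It catches the common mistake of listing items inside bare parentheses
    with no &, | or ! operator, which AD rejects as a bad filter.
    """
    pos = 0

    def parse() -> bool:
        nonlocal pos
        if pos >= len(flt) or flt[pos] != "(":
            return False
        pos += 1
        if pos < len(flt) and flt[pos] in "&|":
            pos += 1
            if pos >= len(flt) or flt[pos] != "(":   # AND/OR need at least one sub-filter
                return False
            while pos < len(flt) and flt[pos] == "(":
                if not parse():
                    return False
        elif pos < len(flt) and flt[pos] == "!":
            pos += 1
            if not parse():
                return False
        else:
            start = pos
            while pos < len(flt) and flt[pos] not in "()":
                pos += 1
            item = flt[start:pos]                    # e.g. sAMAccountName=Jon*
            if "=" not in item or item.startswith("="):
                return False
        if pos >= len(flt) or flt[pos] != ")":
            return False
        pos += 1
        return True

    return parse() and pos == len(flt)


if __name__ == "__main__":
    print(dsquery_command("Jon"))
    print(is_valid_filter(user_filter("Jon")))                                            # True
    print(is_valid_filter("((objectCategory=Person)(objectClass=User)(sAMAccountName=Jon*))"))  # False
    print(user_filter("Jon*)(objectClass=*"))   # injected text is escaped, structure unchanged
```

The escaping matters whenever the search value comes from somewhere other than your own keyboard (a helpdesk web form that shells out to dsquery, for instance); the structure check is deliberately strict and does not attempt to validate extensible-match syntax beyond the presence of an equals sign.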

To read the SAM account names, user principal names (UPNs), and department attributes of the object whose distinguished name is OU=Test,DC=Contoso,DC=Com, type:

dsquery * OU=Test,DC=Contoso,DC=Com -scope base -attr sAMAccountName userPrincipalName department

To read all attributes of the object whose distinguished name is OU=Test,DC=Contoso,DC=Com, type:

dsquery * OU=Test,DC=Contoso,DC=Com -scope base -attr *

So a command with that many switches has to be useful, right? Well, here are some examples of why this command is useful to a sysadmin.

Finding Old Computers

If you run a network, over a period of time it is going to end up with orphan machines within the AD infrastructure. These can be really annoying, and it can take an age to figure out what is a legitimate PC on the LAN and what isn't.

First you need to decide how far back you need to go. In this example we will see if we can find all the machines which have not been modified or used within the last 6 months.

The following command will export the results (one quoted distinguished name per line) to C:\ADReport.csv, which you can open in Excel. The -inactive value is a number of weeks, so 26 covers roughly the last 6 months.

dsquery computer -inactive 26 -limit 0 > C:\ADReport.csv

If the report proves that you can remove these PCs, you might want to disable them first, just in case:

dsquery computer -inactive 26 -limit 0 | dsmod computer -disabled yes

After a few weeks, if these machines prove to be dead, you can remove them from the AD using:

dsquery computer -inactive 26 -limit 0 | dsrm -noprompt -c


Finding LDAP Strings

With all those usernames in OUs, using the LDAP functionality of Active Directory is an obvious way to limit the number of passwords people need. However, getting the right LDAP string for authentication can be a pain in the neck. Again dsquery comes to the rescue.

Find a Specific Group

C:\> DSquery group -name "ProVMware Users"
"CN=ProVMware Users,DC=provmware,DC=local"

Find a Specific OU

C:\> DSquery OU -name "ProVMware Users"
"OU=ProVMware Users,DC=provmware,DC=local"

Find a User

C:\> DSquery user -name pro*
"CN=ProVMware,OU=ProVMware Users,DC=provmware,DC=local"
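Both the computer report above (C:\ADReport.csv) and the LDAP strings in this section are lists of distinguished names, one quoted DN per line, exactly as dsquery prints them. The Python below is an added example, not code from the original post: it parses those lines (honouring the backslash escapes RFC 4514 allows inside values, such as a comma in a CN), splits each DN into the object's name, the container it lives in and the domain's base DN (the search base you give an LDAP client), and turns the raw report into a CSV with real columns. The sample dsquery output is constructed for the example and the function names are this example's own.

```python
# Added example: parse the quoted DNs that dsquery prints, one per line, and
# turn them into something more useful than a single column. The sample output
# below is constructed, not captured from a real domain.
import csv
import io

SAMPLE_DSQUERY_OUTPUT = r'''"CN=LAB-PC01,OU=Workstations,DC=provmware,DC=local"
"CN=OLD-LAPTOP,CN=Computers,DC=provmware,DC=local"
"CN=Smith\, John,OU=ProVMware Users,DC=provmware,DC=local"
'''

_DN_SPECIALS = set(',+"\\<>;=')
_HEX = set("0123456789abcdefABCDEF")


def parse_dn(dn: str) -> list:
    """Split an RFC 4514 DN into [(type, value), ...], leaf (object) first.

    Handles the double quotes dsquery puts around each DN, backslash-escaped
    literals (\, \= \" \\ ...) and two-digit hex escapes such as \2c (decoded
    as a single byte, which is fine for the ASCII names seen in practice).
    """
    dn = dn.strip()
    if len(dn) >= 2 and dn[0] == '"' and dn[-1] == '"':
        dn = dn[1:-1]
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in _HEX for c in pair):
                buf.append(chr(int(pair, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])       # escaped literal character
                i += 2
            continue
        if ch == ",":                        # an unescaped comma separates RDNs
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        parsed.append((attr_type.strip().upper(), value))
    return parsed


def escape_dn_value(value: str) -> str:
    """Re-escape a value so it can be placed back into a DN string."""
    out = "".join("\\" + c if c in _DN_SPECIALS else c for c in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def dn_string(rdns: list) -> str:
    """Join parsed RDNs back into a correctly escaped DN."""
    return ",".join(f"{t}={escape_dn_value(v)}" for t, v in rdns)


def leaf_name(rdns: list) -> str:
    """The object's own name, e.g. the CN of a computer or user."""
    return rdns[0][1]


def container_dn(rdns: list) -> str:
    """Everything after the leaf: the OU or container the object lives in."""
    return dn_string(rdns[1:])


def base_dn(rdns: list) -> str:
    """Only the DC components: the search base for an LDAP client."""
    return dn_string([(t, v) for t, v in rdns if t == "DC"])


def report_rows(dsquery_output: str) -> list:
    """One dict per DN in dsquery's output, ready for a CSV writer."""
    rows = []
    for line in dsquery_output.splitlines():
        if not line.strip():
            continue
        rdns = parse_dn(line)
        rows.append({"name": leaf_name(rdns), "container": container_dn(rdns),
                     "base": base_dn(rdns), "dn": dn_string(rdns)})
    return rows


def to_csv(rows: list) -> str:
    """Render the rows as CSV text, i.e. what a real ADReport.csv should contain."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["name", "container", "base", "dn"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(report_rows(SAMPLE_DSQUERY_OUTPUT)))
```

Feed it the file produced by dsquery computer -inactive 26 -limit 0 > C:\ADReport.csv and the container column immediately shows which machines sit in a proper workstation OU and which were left in the default Computers container; the base column is the string you paste into an LDAP client's search base when wiring up authentication.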

Some Additional Queries

These are just some queries I find useful.

To find all users in the default Users folder with DSQuery

In this DSQuery example we just want to trawl the users folder and find out who is in that container.

dsquery user cn=users,dc=cp,dc=com

DSQuery to list all your Domain Controllers

Suppose you want to list all of your domain controllers (not computers). Which command do you think would supply the information?

dsquery server
dsquery server domainroot
dsquery server dc=cp,dc=com

Other DS Commands

There are other DS Commands which you might find useful

  • DSadd – add Active Directory users and groups
  • DSmod – modify Active Directory objects
  • DSrm – to delete Active Directory objects
  • DSmove – to relocate objects
  • DSQuery – to find objects that match your query attributes
  • DSget – list the properties of an object
