Resources For IT Professionals
Post an article
Wikis - Page Details
  • First published by (MVP, Microsoft Partner, Microsoft Community Contributor)
  • When: 23 Jun 2011 11:51 AM
  • Last revision by (Microsoft Partner)
  • When: 15 May 2013 5:38 AM
  • Revisions: 53
  • Comments: 32
Options
RSSSubscribe to Article (RSS)
Can You Improve This Article?
Positively! Click Sign In to add the tip, solution, correction or comment that will help other users.

Report inappropriate content using these instructions.
Wiki  >  TechNet Articles  >  Active Directory: Active Directory Domain Services (AD DS) Commands and Scripts

Active Directory: Active Directory Domain Services (AD DS) Commands and Scripts

Active Directory: Active Directory Domain Services (AD DS) Commands and Scripts

Here are some useful commands and scripts for administering Active Directory. For more information please see Active Directory Domain Services Command Reference.

Reference : userAccountControl

Table of Contents

User

Identify OCS enabled users in Active Directory

Dsquery * -filter (msRTCSIP-UserEnabled=TRUE) –limit 0 –attr name samaccountname

Query Password Last Set (pwdlastset) value

Dsquery * -filter "&(objectClass=User)(objectCategory=Person)" -limit 0
-attr name pwdlastset

Note: Time can be converted using the w32tm /ntte command.

Search Password Never Expires Settings

Dsquery *  -limit 0 “(&(objectCategory=person)(objectClass=user)
(userAccountControl:1.2.840.113556.1.4.803:=65536))” –attr samaccoutname name

User accounts with no pwd required 

Dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)
(userAccountControl:1.2.840.113556.1.4.803:=32))"

User accounts that are disabled 
Dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)
(userAccountControl:1.2.840.113556.1.4.803:=2))"

Password Expiring in 30 Days
dsquery * -limit 0 -filter "(&(objectCategory=person)(objectClass=user)
(userAccountControl:1.2.840.113556.1.4.803:=4194304))" -attr name samaccountname

User accounts with “Do not require kerberos preauthentication” enabled

Dsquery * -limit 0 “(&(objectCategory=person)(objectClass=user)
(!userAccountControl:1.2.840.113556.1.4.803:=8388608)
(!userAccountControl:1.2.840.113556.1.4.803:=65536)
(pwdLastSet>=129522420000000000)(pwdLastSet<=129548340000000000))”
–attr samaccountname name

List all Roaming Profile users in Active Directory

Dsquery * -filter "&(objectClass=User)(objectCategory=Person)(profilePath=*)"
-limit 0 -name

Generate SIDHistory Report

Dsquery * -filter "&(objectClass=User)(objectCategory=Person)"
–attr samAccountName sidHistory

Generate SID (ObjectSID) Report

Dsquery * -filter "&(objectClass=User)(objectCategory=Person)"
–attr samAccountName Object
Group

Identify all Security Groups

dsquery * -filter "(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.804:=2147483648))" –attr samAccountName name

Identify all Built-In Security Groups

dsquery * -filter "(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.803:=2147483649))" –attr samAccountName name

Identify all Universal Security Groups

dsquery * -filter "(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.803:=2147483656))" –attr samAccountName name

Identify all Global Security Groups

 dsquery * -filter "(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.803:=2147483650))" –attr samAccountName name 
Computer

Move Computer Objects Based on OS Version

Move Windows 7 Computers

dsquery * CN=Computers,DC=santhosh,DC=lab -filter "(&(objectCategory=Computer)
(operatingSystemVersion=6.1))" | dsmove -newparent OU=Win7,OU=ComputerAccounts,DC=santhosh,DC=lab

Move Windows XP Computers

dsquery * CN=Computers,DC=santhosh,DC=lab -filter "(&(objectCategory=Computer)
(operatingSystemVersion=5.1))" | dsmove -newparent OU=WinXP,OU=ComputerAccounts,DC=santhosh,DC=lab
Site and Subnet

List all Sites in Active Directory

Dsquery site * -name

Get Site Name from Subnet IP Address in Active Directory (For example, Site Name for Subnet 192.168.2.0/24)

 Dsquery Subnet -Name 192.168.2.0/24 | Dsget Subnet -Site

 

Active Directory
When Active Directory installed

Dsquery * “CN=Configuration,DC=Santhosh,DC=lab” -attr Whencreated -Scope Base

Find Trusts from specified Domain

Dsquery * "CN=System,DC=Santhosh,DC=lab" -filter "(objectClass=trustedDomain)"
-attr TrustPartner FlatName

Find Servers in Active Directory with descriptions

Dsquery * DC=Santhosh,DC=lab -filter "(&(objectCategory=Computer)
(operatingSystem=*server*))"
-limit 0 -attr cn description

View all replicated attributes
Dsquery * CN=Schema,CN=Configuration,DC=Santhosg,DC=lab
-filter "(&(objectCategory=attributeSchema)(!systemFlags:1.2.840.113556.1.4.803:=1))" -limit 0

Find Tombstone and Garbage Collection
Dsquery *
"CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Santhosh,DC=lab"
-attr GarbageCollPeriod TombstoneLifetime

Find Group Policy GUIDs
Dsquery * "CN=Policies,CN=System,DC=Santhosh,DC=lab"
-filter (objectCategory=groupPolicyContainer) -attr Name DisplayName

Existing GPO’s  information
Dsquery * "CN=Policies,CN=System,DC=Santhosh,DC=lab"
-filter "(objectCategory=groupPolicyContainer)"
-attr displayName cn whenCreated gPCFileSysPath

Enumerate the trusts from the specified domain

 

Dsquery * "CN=System,DC=Santhosh,DC=lab" -filter "(objectClass=trustedDomain)"
-attr TrustPartner FlatName

Active Directory Subnet and Site Information 
Dsquery * "CN=Subnets,CN=Sites,CN=Configuration,DC=Santhosh,DC=lab"
-attr CN SiteObject Description Location

Active Directory Site Links and Cost Information 
Dsquery * "CN=Sites,CN=Configuration,DC=Santhosh,DC=lab"
-attr CN Cost Description ReplInterval SiteList -filter (objectClass=siteLink)

Find Group Policy display name with the GUID 
Dsquery * "CN=Policies,CN=System,DC=Santhosh,DC=lab"
-filter (objectCategory=groupPolicyContainer) -attr Name DisplayName
, , , , , , , , ,
Sort by: Published Date | Most Recent | Most Useful
Comments
Page 1 of 2 (18 items) 12