Start DSQuery
- Open DSQUERY GUI Window
Querying Users & Groups
Find User Attributes
Update users
- Modify user last name
- Expire use account.
Computers
Computer attributes
- Find OS
Servers & DC
- Find the GCs
- Get all the servers in the forest
AD DS Settings
AD Subnet & sites
AD Schema
- Find Schema version
AD Replication
AD Roles
Fine Granted Password Policy
Exchange server
- Find mail box
- find the Schema Version for Exchange Servers.
Hyper-V
- Find all Hyper-V hosts in your forest
- Find all windows virtual machine in your forest
DNS application partition
- Find the DNS servers from DomainDNSZones & ForestDNSzones
- Find the object for DES-Only-Encryption
See also
- More on Active Directory: LDAP Syntax Filters
References

Start DSQuery

Open DSQUERY GUI Window


rundll32 dsquery,OpenQueryWindow

Querying Users & Groups

Find out Account Expiry date



dsquery user -name * -limit 0 | dsget user -samid -acctexpires

Get all sAMAccount names



dsquery user -o rdn -limit 0

Retrieve the DN of all users in the domain that are not direct members of a specified group



dsquery * -filter "(&(objectCategory=person)(objectClass=user)(!(memberOf=Groupname,ou=West,
dc=Contoso,dc=com))) -limit 0 > NotInGroup.txt

Find all contacts in the organizational unit (OU)



dsquery contact OU=Sales,DC=Contoso,DC=Com

List of all users with primary group "Domain Users"



dsquery * -filter "(primaryGroupID=513)" -limit 0
(You can change the "primaryGroupID" as per your requirement)
513:Domain Users 
514:Domain Guests
515:Domain Computers
516:Domain Controllers

Find all members for a particular group.


dsget group "<DN of the group>" -members

Find all groups for a particular member (including nested groups)


dsget user "<DN of the user>" -memberof -expand


dsquery user -samid "username" | dsget user -memberof -expand

Get the Groups name form Users container



dsquery group -o rdn cn=users,dc=contoso,dc=com

Get the members from a Group



dsquery group -samid "CS_CLUB_ACCOUNTS" | dsget group -members -expand | dsget user -samid

Find disabled users



dsquery user "dc=ssig,dc=com" -disabled 
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"

Find all the active users



dsquery * -filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"

Find users logon name by their mail address for bulk users

For Single user


dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(mail=e-mailaddress))" -attr name

For bulk users


for /f %%x in (%1) do dsquery * domainroot -filter "(&(objectcategory=person)(objectclass=user)(mail=%%x))" -attr name

Find all groups of a user is memberof without the DN's



dsquery user -samid anthony | dsget user -memberof | dsget group -samid 
dsquery user -samid (provide the samaccount name of the user) | dsget user -memberof | dsget group -samid

Find all members for a OU.



dsquery user ou=targetOU,dc=domain,dc=com

Find all groups for a OU.



dsquery group ou=targetOU,dc=domain,dc=com

To get the members status from the active directory group



dsquery group -samid “Group Pre-Win2k Name” | dsget group -members | dsget user -disabled -display

Extract the all groups from an OU with Group Scope & Group Type.

Find the below snap for your reference.



C:\>dsquery group "ou=test,dc=gs,dc=com" -limit 0 | dsget group -samid -scope -secgrp

Display a list of users from the OU "Customer Support",

This list can then be forwarded to dsget that can provide detailed information about objects.

In the example, the requested user list is headed by the pipe symbol after dsget that

-outputs then the sAMAccountName for all users and email address.

If we wanted to carry out modifications to the information returned by DSQuery user list,

we could send the result to dsmod, which for us is making changes to all users.

In below snap shows the change in the command ensures that all users of DSQuery

-user list must change their passwords at next logon.

Another way to get the user attributes from an OU. Find the below snap & dsquery for that.

C:\>dsquery * "ou=test,DC=contoso,DC=com" -filter "(&(objectcategory=person) (objectclass=user))" -limit 0

-attr samaccountname description department title

Find User Attributes

Displays properties of users or other objects.

In this example, it displays the 6 groups that explicitly list the Administrator as member



Note: The -memberof -expand combination recursively expands the list of groups of which the user is a member. In this example, the Users group is added to the list because Domain Users is a member of the Users group.
dsget user cn=Administrator,cn=Users,dc=contoso,dc=com -memberof

find lastLogonTimestamp for all users for a domain



dsquery * -filter "&(objectClass=person)(objectCategory=user)" -attr cn lastLogonTimestamp -limit 0

Inactive users are go to disable state



dsquery * <ou> -filter "(&(objectCategory=Person)(objectClass=User)(!accountExpires=0)(!accountExpires=9223372036854775807))" | dsmod user -disabled yes

Find all attributes for all users



Dsquery * -limit 0 -filter "&(objectClass=User)(objectCategory=Person)" -attr * >>output123.txt

Find memberof , lastlogontimestamp , homemta(Mail server) , Samaccountname & so on(Repadmin /showattr <DCname> <"DN">)



dsquery * "<DN>" -scope base -attr lastlogontimestamp memberoff 
repadmin /showattr <DCNAME> <"DN"> /attrs:lastlogon,homemta,whencreated,lastlogontimestamp,samaccountname

Find memberof , lastlogontimestamp , homemta(Mail server) , Samaccountname & so on for "n" number of users



Create a batch file(for /f "eol= tokens=* delims= usebackq" %%x in (%1) do dsquery * %%x -scope base -attr sAMAccountName objectsid whencreated lastlogontimestamp mail homeMTA memberof) e.g ds.bat

Create a text file (All users DN e.g:dn.txt)
Open cmd & run ds.bat dn.txt >> c:\attr.txt

Find particular user attribute using LDAP Filter



C:\>dsquery * -filter (samaccountname=biz) -attr name whenchanged
name whenchanged
biz 01/03/2014 07:02:14

Find SID of a user



dsquery user -samid <bbiswas> | dsget user -sid
dsquery * -filter (samaccountname=santhosh) – attr sid

Find sIDHistory of a user



Dsquery * -filter (samaccoutname=santhosh) – attr siDhistory

Update users

Modify user last name



dsmod user <dn> -ln "<last name>"

Expire use account.



dsquery * "dc=contoso,dc=com" -filter "(&(objectCategory=Person)(objectClass=User)(!accountExpires=0)(!accountExpires=9223372036854775807)) " -attr sAMAccountname displayName

Computers

Find enabled computer accounts in an OU



dsquery computer OU=Test,DC=sivarajan,DC=com -limit 5000 | dsget computer -dn -disabled | find /i " no"

Count enabled computer accounts in an OU



dsquery computer OU=Test,DC=sivarajan,DC=com -limit 5000 | dsget computer -dn -disabled | find /c /i " no"

Find DN for n number of computers



for /f %%x in (%1) do dsquery computer -name %%x
(Create a batch file with line & create a txt file computer.txt
open cmd >>>>>>batchfile computer.txt >> c:\dn.txt

Find all groups of a computer account without giving the DNs



dsquery computer -name test1 | dsget computer -memberof | dsget group -samid

Computer attributes

Find OS



dsquery * <"DN"> -scope base -attr operatingSystem

Servers & DC

Find the GCs



DsQuery Server -domain contoso.com -isgc

Get all the servers in the forest

dsquery server -forest -limit 0 | dsget server -dnsname -site -isgc

AD DS Settings

Display all attributes of the contoso.com domain object



dsquery * -filter (dc=contoso) -attr *

ADDS existing connection point objects



dsquery * forestroot -filter (objectclass=serviceconnectionpoint)

Get tombstonelifetime



dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com" -scope base -attr tombstonelifetime

Find the DNS servers from all the DNS partitions.



dsquery * "CN=Configuration,DC=contoso,DC=com" -filter "(&(objectClass=crossRef)(objectCategory=crossRef)(systemFlags=5))" -attr NcName msDS-NC-Replica-Locations

Find Forestprep , domainprep & RodcPrep is done or not


C:\>dsquery * CN=ActiveDirectoryUpdate,CN=ForestUpdates,cn=configuration,dc=msft ,dc=net -scope base -attr revision revision 5
C:\>dsquery * CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,cn=configuration,dc= msft,dc=net -scope base -attr revision revision 2

Find the Functional Levels of Active Directory


dsquery * "DC=contoso,DC=com" -scope base -attr msDS-Behavior-Version ntMixedDomain

0, 0 Windows 2000 Native domain Level

0, 1 Windows 2000 Mixed domain Level

2, 0 Windows 2003 Domain Level

3, 0 Windows 2008 Domain Level

4, 0 Windows 2008 R2 Domain Level

To list the distinguished names of all directory partitions in the current forest



dsquery partition 
Below example for single domain

Below example for parent/child domain

AD Subnet & sites

Find Subnet with associated site



dsquery subnet -name <CIDR> | dsget subnet

Find site



dsquery site -name * -limit 0 
dsquery server -s <server> | dsget server -site

Find Site name by server name



dsquery server -name test1 | dsget server -site 
dsquery server -name (provide the server name for DN) | dsget server -site

To list the relative distinguished names of all sites that are defined in the directory



dsquery site -limit 0

AD Schema

Find Schema version



dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion

or
schupgr

Shortest command for finding the schema version

AD Replication

Displays the names of all attributes (150) that Windows Server 2003 replicates to Global Catalog servers.



(If the command displays no attributes, ensure that you typed TRUE in capital letters
>dsquery * cn=Schema,cn=Configuration,dc=contoso,dc=com -filter "(&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))" -limit 0 -attr name

AD Roles

Display the DNS host name, the site name, and whether the server is Global Catalog (GC) server for each domain controller



dsquery server | dsget server -dnsname -site -isgc

Find RODC


dsquery server -isreadonly

Find if the Domain Controller is a Global Catalog (GC) or not



dsquery server -name test1 | dsget server -isgc

Find PDC role holder for the existing domain



dsquery server -hasfsmo PDC

Find Infrastructure Master role holder existing domain



dsquery server -hasfsmo INFR

Find RID master role holder for existing domain



dsquery server -hasfsmo RID

Find Schema master role holder in a Forest



dsquery server -forest -hasfsmo Schema

Find Domain Naming Master in a Forest



dsquery server -forest -hasfsmo Name

Find all the subnets for the given site



dsquery subnet -o rdn -site <site name>

Command to find all DCs in the given site



dsquery server -o rdn -site <site name>

Command to find all DCs in the Forest



dsquery server -o rdn -forest

Show How Many Times wrong Password has been entered on a specified domain controller.



dsquery * -filter "(sAMAccountName=jsmith)" -s MyServer -attr givenName sn badPwdCount

The badPwdCount attribute is not replicated, so a different value is saved for each user on each domain controller.

Fine Granted Password Policy

find the 'PSO Applies to'

i)dsget user <user DN> -effectivepso

Example:
C:\>dsget user "CN=bshwjt,OU=pso,DC=contoso,DC=com" - effectivepso effectivepso "CN=test,CN=Password Settings Container,CN=System,DC=contoso,DC=com" dsget succeeded ("bshwjt" is the user and test is the "PSO" also see the below snap)

Find the PSO settings



C:\>dsquery * "<CN=your pso name>,CN=Password Settings Container,CN=System,DC=contoso,DC=com" -scope base -attr *

The output of the dsquery command can be used as input for the dsget command by using a pipe ( | ).

In this example, the SAM account name and the security ID (SID) of each user is displayed.



dsquery user | dsget user -samid -sid -limit 0 >> c:\Allusers-samid-sid.txt

Exchange server

Find mail box



dsquery * -filter "samaccountname=biswajit" -attr homemdb

find the Schema Version for Exchange Servers.



dsquery * CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr rangeUpper

Hyper-V

Find all Hyper-V hosts in your forest



C:\>dsquery * forestroot -filter "&(cn=Microsoft Hyper-V)(objectCategory=serviceconnectionpoint)" -attr servicebindinginformation >> c:\hyper-v.txt

Find all windows virtual machine in your forest


C:\>dsquery * forestroot -filter "&(cn=windows virtual machine)(objectCategory=serviceconnectionpoint)" -limit 0 -attr * >> c:\allvirtualPCs.txt

DNS application partition

Find the DNS servers from DomainDNSZones & ForestDNSzones


C:\>dsquery * DC=DomainDnsZones,DC=contoso,DC=com -scope base -attr msDs-masteredBy


C:\>dsquery * DC=forestDnsZones,DC=contoso,DC=com -scope base -attr msDs-masteredBy

Find the object for DES-Only-Encryption



dsquery * -filter "(UserAccountControl:1.2.840.113556.1.4.803:=2097152)"

References

For more switch see the below link.



http://technet.microsoft.com/en-us/library/cc732535.aspx

See the below link for custom filters:



http://www.rlmueller.net/ADOSearchTips.htm

DSQuery info



Find the Blogs for more DSQUERY, those are very helpful and effective.

http://social.technet.microsoft.com/wiki/contents/articles/3537.aspx
http://social.technet.microsoft.com/Forums/en-AU/winserverDS/thread/bf5bce23-c1d5-43ac-a47f-8a0585792903

Technet Link



http://technet.microsoft.com/en-us/library/cc754232%28WS.10%29.aspx#BKMK_examplesDSQuery

DSQuery, And Then Some



http://mcpmag.com/articles/2007/08/01/dsquery-and-then-some.aspx

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Active Directory: DSQUERY Commands