Wednesday, July 11, 2007

(AD) Getting information out

As you know, Active Directory holds a lot of information about your environment.
It holds computer and user accounts, and it has groups configured to allow access to resources. Creating accounts, groups and other objects in Active Directory is pretty straightforward. But how do you get that information out? Everybody knows the search function in the "Users and Computers" (dsa.msc) interface. But as you might know, you cannot save the query result through the GUI. You can save the query itself to run it again later, but the output is lost as soon as you close the GUI. So how do you save the information your query returns? If you know anything about scripting, you could write a script that saves the query output. Besides the GUI, you can also run DSQUERY from the command line.
DSQUERY is one of my most used command-line tools. It provides more useful information than the GUI and lets you save the output to a file. It’s very simple and straightforward.

Let’s say you need to find out all user accounts in your domain.
Open the command line interface (Start-Run, type CMD, press Enter) and type 'DSQUERY USER DOMAINROOT' or 'DSQUERY USER DC=Domainname,DC=Suffix'.
All user accounts in the Active Directory domain are displayed.
To save the query output to a text file, type 'DSQUERY USER DOMAINROOT > Path' or 'DSQUERY USER DC=Domainname,DC=Suffix > Path', where Path is the location where you want to save the file. Example: 'DSQUERY USER DC=TEST,DC=COM > C:\Users.txt'
You can perform these steps for groups, users and computers.

Another example:
Let’s say you want to get all computer accounts in an OU called desktops.
'DSQUERY COMPUTER OU=Desktops,DC=Domainname,DC=Suffix > Path'

Note: the output is limited to 100 entries by default. If you expect more than 100 entries, you can set the maximum number of entries with the '-limit' switch. Example: 'DSQUERY COMPUTER DOMAINROOT -LIMIT 1000 > C:\Computers.txt'
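A saved export is only useful if it is complete, so the following added example (not part of the original post) reads a file produced by the redirect commands above, counts objects per OU or container, and flags a result that stops exactly at the default limit. The sample DNs and the function names are constructed for illustration.

```python
from collections import Counter

DEFAULT_LIMIT = 100  # dsquery's default result cap, per the note above


def split_dn(dn):
    """Split a distinguished name into RDNs, honouring backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def summarize(lines, limit=DEFAULT_LIMIT):
    """Return (dns, per-container counts, truncation-suspected flag)."""
    dns = [ln.strip().strip('"') for ln in lines if ln.strip()]
    # Drop the first RDN (the object itself) to get its parent container.
    containers = Counter(",".join(split_dn(dn)[1:]) for dn in dns)
    # Exactly `limit` rows usually means the query was cut off, not that
    # the directory happens to hold that many objects.
    return dns, containers, len(dns) == limit


# Constructed sample of what a saved Users.txt could contain (not real data).
SAMPLE = '''"CN=Smith\\, John,OU=Sales,DC=TEST,DC=COM"
"CN=Jane Doe,OU=Sales,DC=TEST,DC=COM"
"CN=Administrator,CN=Users,DC=TEST,DC=COM"
'''

if __name__ == "__main__":
    dns, containers, truncated = summarize(SAMPLE.splitlines())
    for container, count in containers.most_common():
        print(f"{count:5d}  {container}")
    if truncated:
        print("Row count equals the limit: rerun DSQUERY with a larger -LIMIT.")
```

If you queried with a different '-limit' value, pass that value as `limit` so the truncation check compares against the cap you actually used.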

Although you can use DSQUERY to show all objects in an OU, you cannot use it to show the members of a security group. If you want to list the members of a security (or distribution) group, you have to use DSGET with the '-members' switch. Example: 'DSGET GROUP CN=Groupname,OU=OU-Name,DC=Domainname,DC=Local -MEMBERS > Path'

Along with DSQUERY and DSGET, you can also use DSMOD, DSMOVE and DSADD.

DSQUERY= Lets you query Active Directory, shows users, computers and groups.
DSGET= Shows the properties of an object in Active Directory.
DSMOD= Lets you modify the properties of an object in Active Directory.
DSMOVE= Lets you move an object in Active Directory.
DSADD= Allows you to create a new object in Active Directory.

These command line tools are available on Windows Server 2003, and on Windows XP/2000 that have Windows Server 2003 support tools installed.

1 comment:

  1. Hi, I found your blog through Google; it's quite interesting and I liked this post. When you get a chance, stop by my blog. It's about custom T-shirts and shows step by step how to create a really cool custom T-shirt. If you would like to link to my blog from yours, I would be grateful. See you, and good luck. (If you speak English, you can see the English version of the Camiseta Personalizada. If possible, add my blog to your blogroll; I would be thankful. Bye, friend.)
