Friday, July 31, 2015

Sample DS Command

PowerShell is all the hype these days, and rightfully so: you can do just about anything with it. But, call me old-fashioned, I still like to use ds commands every now and then; they're quick and dirty. Here are a few samples that query AD to get some basic counts and other information:

# Get a count of enabled and disabled user accounts in the domain
dsquery user -limit 0 domainroot | dsget user -dn -disabled | find /c /i " no"
dsquery user -limit 0 domainroot | dsget user -dn -disabled | find /c /i " yes"

# Get a count of enabled and disabled computer accounts in the domain
dsquery computer -limit 0 domainroot | dsget computer -dn -disabled | find /c /i " no"
dsquery computer -limit 0 domainroot | dsget computer -dn -disabled | find /c /i " yes"

# Get a count of enabled, but inactive (at least 24 weeks) user and computer accounts in the domain
dsquery user -inactive 24 -limit 0 domainroot | dsget user -dn -disabled | find /c /i " no"
dsquery computer -inactive 24 -limit 0 domainroot | dsget computer -dn -disabled | find /c /i " no"

# Get a count of security and distribution groups in the domain
dsquery group -uc -limit 0 domainroot | dsget group -uc -dn -secgrp | find /c /i " no"
dsquery group -uc -limit 0 domainroot | dsget group -uc -dn -secgrp | find /c /i " yes"

# Get a count of Organizational Units (OU) and subnets
dsquery ou -limit 0 | dsget ou -dn | find /c /i "DC=GOV"
dsquery subnet | dsget subnet -dn | find /c /i "Sites"

# List disabled user and computer accounts in the domain (output to text file)
dsquery computer -limit 0 domainroot | dsget computer -dn -disabled | find /i " yes" > disabled-computers.txt
dsquery user -limit 0 domainroot | dsget user -dn -disabled | find /i " yes" > disabled-users.txt

# List enabled, but inactive (at least 24 weeks) user and computer accounts in the domain (output to text file)
dsquery user -inactive 24 -limit 0 domainroot | dsget user -dn -disabled | find /i " no" > inactive-users.txt
dsquery computer -inactive 24 -limit 0 domainroot | dsget computer -dn -disabled | find /i " no" > inactive-computers.txt

# List security groups, OUs, and subnets (output to text file)
dsquery ou -limit 0 | dsget ou -dn | find /i "DC=GOV" > OUs.txt
dsquery subnet | dsget subnet -dn | find /i "Sites" > subnets.txt
dsquery group -uc -limit 0 domainroot | dsget group -uc -dn -secgrp | find " yes" > groups.txt
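
The counts above rely on find matching " no" or " yes" anywhere in the line, so an account whose DN contains that text (for example CN=Bob Nolan) is counted regardless of its actual state. The following added example, which is not part of the original post, counts on the final column of saved dsget output instead; the sample rows are constructed and the column layout is an assumption.

```python
from collections import Counter

# Constructed sample. Assumed layout of saved `dsget user -dn -disabled` output:
# a header row, one row per account ending in yes/no, then a status line.
SAMPLE = """\
  dn                                                  disabled
  CN=Alice Adams,OU=Staff,DC=example,DC=gov           no
  CN=Bob Nolan,OU=Staff,DC=example,DC=gov             yes
  CN=Carol Yesford,OU=Staff,DC=example,DC=gov         no
  CN=Dave Smith,OU=Field North,DC=example,DC=gov      yes
dsget succeeded
"""


def substring_count(text, needle):
    """Lines containing needle anywhere, ignoring case (what find /c /i counts)."""
    return sum(needle.lower() in line.lower() for line in text.splitlines())


def parse_rows(text):
    """Yield (dn, disabled) for data rows, reading only the last column."""
    for line in text.splitlines():
        parts = line.rsplit(None, 1)  # split off the final whitespace-separated field
        if len(parts) == 2 and parts[1].lower() in ("yes", "no"):
            yield parts[0].strip(), parts[1].lower() == "yes"


def column_count(text):
    """Count accounts by the value of the disabled column."""
    counts = Counter(enabled=0, disabled=0)
    for _dn, disabled in parse_rows(text):
        counts["disabled" if disabled else "enabled"] += 1
    return counts


def miscounted(text, needle=" no"):
    """DNs of disabled accounts that a substring match on needle also counts as enabled."""
    return [dn for dn, disabled in parse_rows(text)
            if disabled and needle in dn.lower()]


if __name__ == "__main__":
    print("find-style ' no' :", substring_count(SAMPLE, " no"))
    print("find-style ' yes':", substring_count(SAMPLE, " yes"))
    print("by column        :", dict(column_count(SAMPLE)))
    print("disabled but counted as enabled:", miscounted(SAMPLE))
```

To use it on real data, save the unfiltered dsget output to a file (drop the find stage) and pass the file's contents in place of SAMPLE.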

Querying Active Directory to find recently created accounts (WhenCreated date format - YYYYMMDDHHMMSS):
dsquery * domainroot -filter "&(objectClass=Computer)(objectCategory=Computer)(WhenCreated>=20150226000000.0Z)" -Limit 0
dsquery * domainroot -filter "&(objectClass=User)(objectCategory=Person)(WhenCreated>=20150226000000.0Z)" -Limit 0
dsquery * domainroot -filter "&(objectClass=Group)(objectCategory=Group)(WhenCreated>=20150226000000.0Z)" -Limit 0
dsquery * domainroot -filter "&(objectClass=organizationalUnit)(objectCategory=Organizational-Unit)(WhenCreated>=20150226000000.0Z)" -Limit 0


Querying AD user and group objects to find ones without sidHistory:
dsquery * domainroot -filter "&(objectClass=User)(objectCategory=Person)" -attr distinguishedname sidhistory -Limit 0 > users-sidhistory.txt
dsquery * domainroot -filter "&(objectClass=Group)(objectCategory=Group)" -attr distinguishedname sidhistory -Limit 0 > groups-sidhistory.txt



Querying AD user objects to find ones with/without HSPD-PID attribute set:
dsquery * domainroot -filter "&(objectClass=User)(objectCategory=Person)(!HSPD-PID=*)" -Limit 0 > without-PIV.txt
dsquery * domainroot -filter "&(objectClass=User)(objectCategory=Person)(HSPD-PID=*)" -Limit 0 > with-PIV.txt

GPO and WMI Filters

WMI Filters and GPOs are powerful when used in combination (though evaluating WMI filters may slow down policy processing). Just a few quick examples:

For settings that may need to be applied to workstations but not servers, one could go with something like this -

WMI queries for workstations vs. servers

SELECT * FROM Win32_OperatingSystem WHERE (ProductType <> "2") AND (ProductType <> "3")     - workstations
SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1"     - workstations

ProductType 1 = Desktop OS
ProductType 2 = Server OS – Domain Controller
ProductType 3 = Server OS – Not a Domain Controller


For things like BitLocker policy that need to be applied to laptops only, one could go with something like this -

WMI queries for laptops vs. desktops
SELECT * FROM Win32_Battery WHERE (BatteryStatus <> 0)     - presence of a battery indicates laptop
SELECT * FROM Win32_PhysicalMemory WHERE (FormFactor = 12)     - SODIMM memory indicates laptop

If you want a quick test for certain WMI values on a computer – use the WMI command-line tool (wmic) -



Here are some helpful links -