Posts

Showing posts from July, 2015

Sample DS Command

PowerShell is all the hype these days, and rightfully so - you can do just about anything with it; but, call me old-fashioned I still like to use ds commands every now and then, it's quick and dirty. Here are a few samples that query AD and to get some basic counts and other information:

# Get a count of enabled and disabled user accounts in the domain
dsquery user -limit 0 domainroot | dsget user -dn -disabled | find /c /i " no"
dsquery user -limit 0 domainroot | dsget user -dn -disabled | find /c /i " yes"

# Get a count of enabled and disabled computer accounts in the domain
dsquery computer -limit 0 domainroot | dsget computer -dn -disabled | find /c /i " no"
dsquery computer -limit 0 domainroot | dsget computer -dn -disabled | find /c /i " yes"

# Get a count of enabled, but inactive (at least 24 weeks) user and computer accounts in the domain
dsquery user -inactive 24 -limit 0 domainroot | dsget user -dn -disabled | find /c /i " no&quo…

GPO and WMI Filters

Image
WMI Filters and GPOs are powerful when used in combination (though evaluating MWI filters may slow down policy processing). Just a few quick examples:

For settings that may need to be applied to workstations, but not servers one could go with something like this -

WMI queries for workstations vs. servers

​SELECT * FROM Win32_OperatingSystem WHERE (ProductType <> "2") AND (ProductType <> "3")     ​- workstations
​SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1"     ​- workstations

ProductType 1 = Desktop OS
ProductType 2 = Server OS – Domain Controller
ProductType 3 = Server OS – Not a Domain Controller


For things like Bitlocker policy that needs to be applied to laptops only one could go with something like this -

WMI queries for laptops vs. desktops
​SELECT * FROM Win32_Battery WHERE (BatteryStatus <> 0)     ​- presence of a battery indicates laptop
​SELECT * FROM Win32_PhysicalMemory WHERE (FormFactor = 12)     ​- SODIMM memory ind…