Friday, July 31, 2015

Sample DS Command

PowerShell is all the hype these days, and rightfully so - you can do just about anything with it; but, call me old-fashioned I still like to use ds commands every now and then, it's quick and dirty. Here are a few samples that query AD and to get some basic counts and other information:

# Get a count of enabled and disabled user accounts in the domain
dsquery user -limit 0 domainroot | dsget user -dn -disabled | find /c /i " no"
dsquery user -limit 0 domainroot | dsget user -dn -disabled | find /c /i " yes"

# Get a count of enabled and disabled computer accounts in the domain
dsquery computer -limit 0 domainroot | dsget computer -dn -disabled | find /c /i " no"
dsquery computer -limit 0 domainroot | dsget computer -dn -disabled | find /c /i " yes"

# Get a count of enabled, but inactive (at least 24 weeks) user and computer accounts in the domain
dsquery user -inactive 24 -limit 0 domainroot | dsget user -dn -disabled | find /c /i " no"
dsquery computer -inactive 24 -limit 0 domainroot | dsget computer -dn -disabled | find /c /i " no"

# Get a count of security and distribution groups in the domain
dsquery group -uc -limit 0 domainroot | dsget group -uc -dn -secgrp | find /c /i " no"
dsquery group -uc -limit 0 domainroot | dsget group -uc -dn -secgrp | find /c /i " yes"

# Get a count of Organizational Units (OU) and subnets
dsquery ou -limit 0 | dsget ou -dn | find /c /i "DC=GOV"
dsquery subnet | dsget subnet -dn | find /c /i "Sites"

# List disabled user and computer accounts in the domain (output to text file)
dsquery computer -limit 0 domainroot | dsget computer -dn -disabled | find /i " yes" > disabled-computers.txt
dsquery user -limit 0 domainroot | dsget user -dn -disabled | find /i " yes" > disabled-users.txt

# List enabled, but inactive (at least 24 weeks) user and computer accounts in the domain (output to text file)
dsquery user -inactive 24 -limit 0 domainroot | dsget user -dn -disabled | find /i " no" > inactive-users.txt
dsquery computer -inactive 24 -limit 0 domainroot | dsget computer -dn -disabled | find /i " no" > inactive-computers.txt

# List security groups, OUs, and subnets (output to text file)
dsquery ou -limit 0 | dsget ou -dn | find /i "DC=GOV" > OUs.txt
dsquery subnet | dsget subnet -dn | find /i "Sites" > subnets.txt
dsquery group -uc -limit 0 domainroot | dsget group -uc -dn -secgrp | find " yes" > groups.txt

Querying Active Directory to find recently created accounts (WhenCreated date format - YYYYMMDDHHMMSS):
dsquery * domainroot -filter "&(objectClass=Computer)(objectCategory=Computer)(WhenCreated>=20150226000000.0Z)" -Limit 0
dsquery * domainroot -filter "&(objectClass=User)(objectCategory=Person)(WhenCreated>=20150226000000.0Z)" -Limit 0
dsquery * domainroot -filter "&(objectClass=Group)(objectCategory=Group)(WhenCreated>=20150226000000.0Z)" -Limit 0
dsquery * domainroot -filter "&(objectClass=organizationalUnit)(objectCategory=Organizational-Unit)(WhenCreated>=20150226000000.0Z)" -Limit 0


Querying AD user and group objects to find ones without sidHistory:
dsquery * domainroot -filter "&(objectClass=User)(objectCategory=Person)" -attr distinguishedname sidhistory -Limit 0 > users-sidhistory.txt
dsquery * domainroot -filter "&(objectClass=Group)(objectCategory=Group)" -attr distinguishedname sidhistory -Limit 0 > groups-sidhistory.txt



Querying AD user objects to find ones with/without HSPD-PID attribute set:
dsquery * domainroot -filter "&(objectClass=User)(objectCategory=Person)(!HSPD-PID=*)" -Limit 0 > without-PIV.txt
dsquery * domainroot -filter "&(objectClass=User)(objectCategory=Person)(HSPD-PID=*)" -Limit 0 > with-PIV.txt

No comments:

Post a Comment