Sample DS Command

PowerShell is all the hype these days, and rightfully so - you can do just about anything with it; but, call me old-fashioned I still like to use ds commands every now and then, it's quick and dirty. Here are a few samples that query AD and to get some basic counts and other information:

# Get a count of enabled and disabled user accounts in the domain
dsquery user -limit 0 domainroot | dsget user -dn -disabled | find /c /i " no"
dsquery user -limit 0 domainroot | dsget user -dn -disabled | find /c /i " yes"

# Get a count of enabled and disabled computer accounts in the domain
dsquery computer -limit 0 domainroot | dsget computer -dn -disabled | find /c /i " no"
dsquery computer -limit 0 domainroot | dsget computer -dn -disabled | find /c /i " yes"

# Get a count of enabled, but inactive (at least 24 weeks) user and computer accounts in the domain
dsquery user -inactive 24 -limit 0 domainroot | dsget user -dn -disabled | find /c /i " no"
dsquery computer -inactive 24 -limit 0 domainroot | dsget computer -dn -disabled | find /c /i " no"

# Get a count of security and distribution groups in the domain
dsquery group -uc -limit 0 domainroot | dsget group -uc -dn -secgrp | find /c /i " no"
dsquery group -uc -limit 0 domainroot | dsget group -uc -dn -secgrp | find /c /i " yes"

# Get a count of Organizational Units (OU) and subnets
dsquery ou -limit 0 | dsget ou -dn | find /c /i "DC=GOV"
dsquery subnet | dsget subnet -dn | find /c /i "Sites"

# List disabled user and computer accounts in the domain (output to text file)
dsquery computer -limit 0 domainroot | dsget computer -dn -disabled | find /i " yes" > disabled-computers.txt
dsquery user -limit 0 domainroot | dsget user -dn -disabled | find /i " yes" > disabled-users.txt

# List enabled, but inactive (at least 24 weeks) user and computer accounts in the domain (output to text file)
dsquery user -inactive 24 -limit 0 domainroot | dsget user -dn -disabled | find /i " no" > inactive-users.txt
dsquery computer -inactive 24 -limit 0 domainroot | dsget computer -dn -disabled | find /i " no" > inactive-computers.txt

# List security groups, OUs, and subnets (output to text file)
dsquery ou -limit 0 | dsget ou -dn | find /i "DC=GOV" > OUs.txt
dsquery subnet | dsget subnet -dn | find /i "Sites" > subnets.txt
dsquery group -uc -limit 0 domainroot | dsget group -uc -dn -secgrp | find " yes" > groups.txt

Querying Active Directory to find recently created accounts (WhenCreated date format - YYYYMMDDHHMMSS):
dsquery * domainroot -filter "&(objectClass=Computer)(objectCategory=Computer)(WhenCreated>=20150226000000.0Z)" -Limit 0
dsquery * domainroot -filter "&(objectClass=User)(objectCategory=Person)(WhenCreated>=20150226000000.0Z)" -Limit 0
dsquery * domainroot -filter "&(objectClass=Group)(objectCategory=Group)(WhenCreated>=20150226000000.0Z)" -Limit 0
dsquery * domainroot -filter "&(objectClass=organizationalUnit)(objectCategory=Organizational-Unit)(WhenCreated>=20150226000000.0Z)" -Limit 0


Querying AD user and group objects to find ones without sidHistory:
dsquery * domainroot -filter "&(objectClass=User)(objectCategory=Person)" -attr distinguishedname sidhistory -Limit 0 > users-sidhistory.txt
dsquery * domainroot -filter "&(objectClass=Group)(objectCategory=Group)" -attr distinguishedname sidhistory -Limit 0 > groups-sidhistory.txt



Querying AD user objects to find ones with/without HSPD-PID attribute set:
dsquery * domainroot -filter "&(objectClass=User)(objectCategory=Person)(!HSPD-PID=*)" -Limit 0 > without-PIV.txt
dsquery * domainroot -filter "&(objectClass=User)(objectCategory=Person)(HSPD-PID=*)" -Limit 0 > with-PIV.txt

Comments

  1. morbihan Its as if you had a great grasp on the subject matter, but you forgot to include your readers. Perhaps you should think about this from more than one angle.

    ReplyDelete
  2. where to get food additives online You actually make it look so easy with your performance but I find this matter to be actually something which I think I would never comprehend. It seems too complicated and extremely broad for me. I'm looking forward for your next post, I’ll try to get the hang of it!

    ReplyDelete
  3. CBD Isolate Wholesale Thank you for taking the time to publish this information very useful!

    ReplyDelete

Post a Comment

Popular posts from this blog

Mail-enabled security groups in Office 365

User attributes in Office 365

Skype for Business and VTC Interoperability