Skip to main content

Sample DS Command

PowerShell is all the hype these days, and rightfully so - you can do just about anything with it; but, call me old-fashioned I still like to use ds commands every now and then, it's quick and dirty. Here are a few samples that query AD and to get some basic counts and other information:

# Get a count of enabled and disabled user accounts in the domain
dsquery user -limit 0 domainroot | dsget user -dn -disabled | find /c /i " no"
dsquery user -limit 0 domainroot | dsget user -dn -disabled | find /c /i " yes"

# Get a count of enabled and disabled computer accounts in the domain
dsquery computer -limit 0 domainroot | dsget computer -dn -disabled | find /c /i " no"
dsquery computer -limit 0 domainroot | dsget computer -dn -disabled | find /c /i " yes"

# Get a count of enabled, but inactive (at least 24 weeks) user and computer accounts in the domain
dsquery user -inactive 24 -limit 0 domainroot | dsget user -dn -disabled | find /c /i " no"
dsquery computer -inactive 24 -limit 0 domainroot | dsget computer -dn -disabled | find /c /i " no"

# Get a count of security and distribution groups in the domain
dsquery group -uc -limit 0 domainroot | dsget group -uc -dn -secgrp | find /c /i " no"
dsquery group -uc -limit 0 domainroot | dsget group -uc -dn -secgrp | find /c /i " yes"

# Get a count of Organizational Units (OU) and subnets
dsquery ou -limit 0 | dsget ou -dn | find /c /i "DC=GOV"
dsquery subnet | dsget subnet -dn | find /c /i "Sites"

# List disabled user and computer accounts in the domain (output to text file)
dsquery computer -limit 0 domainroot | dsget computer -dn -disabled | find /i " yes" > disabled-computers.txt
dsquery user -limit 0 domainroot | dsget user -dn -disabled | find /i " yes" > disabled-users.txt

# List enabled, but inactive (at least 24 weeks) user and computer accounts in the domain (output to text file)
dsquery user -inactive 24 -limit 0 domainroot | dsget user -dn -disabled | find /i " no" > inactive-users.txt
dsquery computer -inactive 24 -limit 0 domainroot | dsget computer -dn -disabled | find /i " no" > inactive-computers.txt

# List security groups, OUs, and subnets (output to text file)
dsquery ou -limit 0 | dsget ou -dn | find /i "DC=GOV" > OUs.txt
dsquery subnet | dsget subnet -dn | find /i "Sites" > subnets.txt
dsquery group -uc -limit 0 domainroot | dsget group -uc -dn -secgrp | find " yes" > groups.txt

Querying Active Directory to find recently created accounts (WhenCreated date format - YYYYMMDDHHMMSS):
dsquery * domainroot -filter "&(objectClass=Computer)(objectCategory=Computer)(WhenCreated>=20150226000000.0Z)" -Limit 0
dsquery * domainroot -filter "&(objectClass=User)(objectCategory=Person)(WhenCreated>=20150226000000.0Z)" -Limit 0
dsquery * domainroot -filter "&(objectClass=Group)(objectCategory=Group)(WhenCreated>=20150226000000.0Z)" -Limit 0
dsquery * domainroot -filter "&(objectClass=organizationalUnit)(objectCategory=Organizational-Unit)(WhenCreated>=20150226000000.0Z)" -Limit 0

Querying AD user and group objects to find ones without sidHistory:
dsquery * domainroot -filter "&(objectClass=User)(objectCategory=Person)" -attr distinguishedname sidhistory -Limit 0 > users-sidhistory.txt
dsquery * domainroot -filter "&(objectClass=Group)(objectCategory=Group)" -attr distinguishedname sidhistory -Limit 0 > groups-sidhistory.txt


Querying AD user objects to find ones with/without HSPD-PID attribute set:
dsquery * domainroot -filter "&(objectClass=User)(objectCategory=Person)(!HSPD-PID=*)" -Limit 0 > without-PIV.txt
dsquery * domainroot -filter "&(objectClass=User)(objectCategory=Person)(HSPD-PID=*)" -Limit 0 > with-PIV.txt
Labels:

Comments

  1. SkOfficalAugust 23, 2018 at 6:30 AM

    morbihan Its as if you had a great grasp on the subject matter, but you forgot to include your readers. Perhaps you should think about this from more than one angle.

    ReplyDelete
  2. SkOfficalAugust 25, 2018 at 4:43 AM

    where to get food additives online You actually make it look so easy with your performance but I find this matter to be actually something which I think I would never comprehend. It seems too complicated and extremely broad for me. I'm looking forward for your next post, I’ll try to get the hang of it!

    ReplyDelete
  3. SkOfficalAugust 26, 2018 at 3:37 AM

    CBD Isolate Wholesale Thank you for taking the time to publish this information very useful!

    ReplyDelete

Post a Comment

Popular posts from this blog

  Copilot Studio: Capabilities, Strategies, Scenarios 💡 Ready to Supercharge Your Team with AI? 🧠 A critical question for every leader: How do you transform the massive potential of AI into a practical, powerful, and cost-effective tool for your entire organization? 🤔 This guide explores various nuances of the AI adoption: 1️⃣ The Innovation Opportunity: The drive to deploy generative AI is reshaping the modern workplace, offering a monumental leap in productivity and creativity. This is the moment to empower your teams. 🚀 2️⃣ The Strategic Blueprint: Unlocking this potential requires a clear strategy. Navigating the licensing models for powerful tools like Microsoft Copilot Studio is the key to maximizing value and avoiding unexpected costs. 🗺 ️▶️ Our new interactive guide makes it simple. We break down the licensing paths, visualize the costs, and provide a clear, actionable roadmap for implementing a winning hybrid AI strategy. See how you can empower everyone, from citizen...
Post a Comment
Read more
  AI Agents as Trusted IoT/Software Defined Devices 🤖 Your Newest Endpoint Isn’t a Laptop; It’s an AI Agent. Are You Ready to Secure It? Dive into the next frontier of cybersecurity. Autonomous AI agents are no longer just code; they are powerful actors in our digital ecosystems. Treating them as simple software leaves a massive security gap. Our latest report introduces a new paradigm: The AI Agent as a Software-Defined Device. Discover the essential framework for securing the agentic future: ➡️ The Agent-as-Device Model: Learn why abstracting agents as software-defined devices, similar to IoT endpoints, is the key to managing their complexity and risk. Secure the “hardware” (host), “software” (agent logic), and “network” (communications). ➡️ A Digital Passport for AI: Move beyond static API keys. Explore how Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) create a cryptographic root of trust, giving every agent a verifiable identity and provable permissions. ➡️...
Post a Comment
Read more
  AI Trends in DevSecOps 🤖 The AI Co-Developer Is Here: Is Your DevSecOps Ready? Dive into the symbiotic evolution of AI and DevSecOps. While AI coding assistants are accelerating development at an incredible pace, they’re also scaling security risks and introducing a new, complex attack surface. Discover the critical shifts redefining secure software development: ➡️ Secure the Foundation First: Learn why 99% of organizations have sensitive data exposed and how to tame the “blast radius” of GenAI tools before deployment by focusing on data security posture. ➡️ The Intelligent IDE: Move beyond just finding flaws. See how AI-generated fixes are revolutionizing secure coding by slashing remediation times and empowering developers to fix vulnerabilities in seconds. ➡️ The War on Noise: Understand how AI is finally solving the false positive problem in CI/CD pipelines, making fully automated security gates an operational reality. ➡️ Think Like the Adversary: Explore the rise of AI Red ...
Post a Comment
Read more