Dsquery


Dsquery is a command-line tool that queries Active Directory for objects that you specify. Dsquery is built into Windows Server 2008; it is available if you have the Active Directory Domain Services role installed. Dsquery is also part of the Windows 2003 Administration Tool Pack. In this article I will first cover the different dsquery commands. Then I will cover some of the common search criteria that are available with the dsquery command. Finally, I will give some examples and list the dsquery syntax.

Finding objects in Active Directory using dsquery commands:
Dsquery consists of 11 separate commands. Ten of them are designed to find specific objects, and one is designed to find any directory object type. Each of these commands comes with several parameters that allow you to define the search criteria.

Below is a listing of the dsquery commands:

  • Dsquery – Finds any object in Active Directory
  • Dsquery computer – Finds computer accounts in Active Directory
  • Dsquery contact – Finds contacts
  • Dsquery group – Finds group accounts
  • Dsquery ou – Finds organizational units
  • Dsquery partition – Finds partition objects in the directory that match search criteria that you specify
  • Dsquery quota – Finds object quotas
  • Dsquery server – Finds domain controllers that match search criteria that you specify
  • Dsquery site – Finds sites in the directory that match the search criteria that you specify
  • Dsquery subnet – Finds subnet objects
  • Dsquery user – Finds users in the directory who match the search criteria

Common Search Criteria
Now that you have seen all the dsquery commands, let’s look at some of the common search parameters. Once you get a handle on the syntax, you will be able to pick out the object-specific parameters as needed.

The first set of parameters allows you to specify where in the directory you want to begin your search.

[{StartNode | forestroot | domainroot}]

For a narrow search, use a node’s distinguished name (StartNode). The forestroot parameter is used for a broader search. Domainroot is the default and starts the search at the domain root.

The next set of parameters in this section allows you to specify the scope of the search.

[-scope {subtree | onelevel | base}]

The subtree value specifies a subtree that is rooted at the start node in the console tree. The onelevel value allows you to target the immediate children of the start node. The base value targets a single object that the start node represents.

The next set of common parameters lets you format the search results.

[-o {dn | rdn}]

The distinguished name is the default output, which is the same as using the -o dn parameter. Use the -o rdn parameter to see the relative distinguished name instead.

By default, the dsquery command displays only 100 objects. To expand the number of items displayed, use the parameter below.

-limit NumberofObjects

You can enter any number you want, but be careful when changing the limit. Microsoft limits the output to 100 objects to prevent the domain controller from possibly crashing due to excessive Active Directory searches.

The last set of parameters that I will discuss is the remote connection parameters. By default, the dsquery command runs against the domain controller you are logged into. With the connection parameters you can specify a remote server or domain.

{-s Server | -d Domain}

With these two parameters you can specify which remote server or domain to connect to. You may also need to specify a username and password; if so, use the parameters below.

-u UserName

-p {Password | *}

If you use the asterisk, you’ll be prompted for a password.

Dsquery Examples
Now that you have seen the dsquery commands and some common parameters, let’s look at a few examples of using the dsquery command.

To find all computer accounts that have been disabled, you would use the command below:

dsquery computer -disabled

To find all computer accounts that have been inactive for at least a week, use the command below:

dsquery computer -inactive 1

To find all user accounts that have been disabled, use the command below:

dsquery user -disabled

To find all the FSMO roles, use the command below:

dsquery server -hasfsmo schema
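
The command above returns the domain controller that holds the schema master role; -hasfsmo also accepts name, infr, pdc and rid for the other four roles. The following PowerShell is an added example, not part of the original article, that queries all five and shows how the roles are spread across servers. It assumes dsquery.exe is on the path and runs as the logged-on user.

```powershell
# Added example: list the holder of each operations master (FSMO) role.
# Keys are the five values accepted by -hasfsmo; values are the role names.
$Roles = [ordered]@{
    schema = 'Schema master'
    name   = 'Domain naming master'
    infr   = 'Infrastructure master'
    pdc    = 'PDC emulator'
    rid    = 'RID master'
}

$Holders = @(foreach ($Key in $Roles.Keys) {
    # -o rdn prints just the server name instead of the full DN.
    $Out = @(& dsquery.exe server -hasfsmo $Key -o rdn 2>$null)
    if ($LASTEXITCODE -eq 0 -and $Out.Count -gt 0) {
        $Holder = $Out[0].Trim('"')      # dsquery wraps each result in quotes
    } else {
        $Holder = '<not resolved>'       # query failed or returned nothing
    }
    [pscustomobject]@{ Role = $Roles[$Key]; Holder = $Holder }
})

$Holders | Format-Table -AutoSize

# Roles per server: shows whether every role sits on a single domain controller.
$Holders | Group-Object Holder | Select-Object Count, Name | Format-Table -AutoSize
```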

To find all domain controllers in the current domain, use the command below:

dsquery server

Dsquery syntax

dsquery user [{<StartNode> | forestroot | domainroot}] [-o {dn | rdn | upn | samid}] [-scope {subtree | onelevel | base}] [-name <Name>] [-desc <Description>] [-upn <UPN>] [-samid <SAMName>] [-inactive <NumberOfWeeks>] [-stalepwd <NumberOfDays>] [-disabled] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumberOfObjects>] [{-uc | -uco | -uci}]
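
The following PowerShell is an added example, not part of the original article. It combines the common parameters (start node, -scope, -o, -limit, -s) with the -disabled, -inactive and -stalepwd filters to produce a stale-account report for review. The start node, server name, thresholds and output file name are placeholder assumptions, and the script runs as the logged-on user.

```powershell
# Added example: stale-account report built from the dsquery switches above.
# $StartNode and $Server are placeholder values; replace them with your own.
$StartNode = 'OU=Staff,DC=example,DC=com'   # hypothetical start node (DN)
$Server    = 'dc01.example.com'             # hypothetical domain controller
$Limit     = 1000                           # deliberate increase over the default of 100

# One entry per check: object type plus the filter switches for that check.
$Checks = @(
    @{ Name = 'Disabled users';               Type = 'user';     Filter = @('-disabled') },
    @{ Name = 'Users inactive 4+ weeks';      Type = 'user';     Filter = @('-inactive', '4') },
    @{ Name = 'Users, password 90+ days old'; Type = 'user';     Filter = @('-stalepwd', '90') },
    @{ Name = 'Disabled computers';           Type = 'computer'; Filter = @('-disabled') },
    @{ Name = 'Computers inactive 4+ weeks';  Type = 'computer'; Filter = @('-inactive', '4') }
)

$Report = @(foreach ($Check in $Checks) {
    # StartNode first, then scope, output format, limit and target server.
    $DsArgs = @($Check.Type, $StartNode, '-scope', 'subtree', '-o', 'dn',
                '-limit', $Limit, '-s', $Server) + $Check.Filter
    $Lines = & dsquery.exe @DsArgs 2>$null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$($Check.Name): dsquery failed with exit code $LASTEXITCODE"
        continue
    }
    # dsquery prints one quoted DN per line; keep those lines and strip the quotes.
    $Dns = @($Lines | Where-Object { $_ -match '^"' } | ForEach-Object { $_.Trim('"') })
    if ($Dns.Count -ge $Limit) {
        Write-Warning "$($Check.Name): reached -limit $Limit, results are truncated"
    }
    foreach ($Dn in $Dns) {
        [pscustomobject]@{ Check = $Check.Name; DistinguishedName = $Dn }
    }
})

# Count per check on screen, full list to CSV for review.
$Report | Group-Object Check | Select-Object Count, Name | Format-Table -AutoSize
$Report | Export-Csv -Path .\dsquery-stale-accounts.csv -NoTypeInformation
```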
