Dsquery is a command line tool that queries Active Directory for objects that you specify. Dsquery is built into Windows Server 2008; it is available if you have the Active Directory Domain Servers role installed.
In this article, we will discuss a few of the search criteria that are available in the Dsquery command.
What is the Syntax of Dsquery?
The syntax of the Dsquery command-line tool is given below.
dsquery * [{<StartNode> | forestroot | domainroot}] [-scope {subtree | onelevel | base}] [-filter <LDAPFilter>] [-attr {<AttributeList> | *}] [-attrsonly] [-l][{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumberOfObjects>] [{-uc | -uco | -uci}]
Let’s understand the set of parameters used with Dsquery to query active directory objects.
[{StartNode | forestroot | domainroot}] – To use a narrow search, you can use a node’s distinguished name (StartNode), The forestroot parameter is used for a broader search. Domainroot is the default search and will start its search at the domain root.
[-scope {subtree | onelevel | base}] – The subtree value specifies a subtree that is rooted at the start node in the console tree. The one-level value allows you to target the immediate children of the start node. The base value targets a single object that the start node represents.
[-o {dn | rdn}] – The distinguished name is the default output by using the -0 dn parameter. By using the -0 rdn parameter you can see the relative distinguished name.
The Dsquery command by default will only display 100 objects. To expand the number of items displayed use the parameter below.
-limit <NumberofObjects> – You can enter any number you want but be careful when changing the limit. Microsoft put a limit on the output to 100 to prevent the domain controller from possibly crashing due to excessive Active Directory searches.
{-s Server | -d Domain} – Using these two parameters, you can specify which remote server or domain to connect to. You may also need to specify a username and password, if so you would use the parameters below.
[-u <UserName>] [-p {<Password> | *}] – If you use the asterisk, you’ll be prompted for a password.
What is Dsquery used for?
Dsquery
command-line tool is used to find any objects in the Active Directory according to criteria using LDAP (Lightweight Directory Access Protocol) query.
Where is Dsquery located?
The Dsquery.exe
file is located on servers at C:\Windows\System32\dsquery.exe
.
Dsquery is part of the Windows Remote Server Administration Tools (RSAT) package and can be downloaded from the Microsoft website. RSAT is included as a set of “Features on Demand” in Windows 10.
Which Dsquery Commands are Available?
Below is a listing of the dsquery commands:
- Dsquery – Finds any object in Active Directory
- Dsquery computer – Finds computer accounts in Active Directory
- Dsquery contact – Finds contacts
- Dsquery group – Finds group accounts
- Dsquery ou – Finds organizational units
- Dsquery partition – Finds partition objects in the directory that match the search criteria that you specify
- Dsquery quota – Finds object quotas
- Dsquery server – Finds domain controllers that match the search criteria that you specify
- Dsquery site – Finds sites in the directory that match the search criteria that you specify
- Dsquery subnet – Finds subnet objects
Dsquery Examples
Let’s look at some of the examples of using the dsquery command to query Active Directory objects.
How to find all computer accounts that have been disabled
Use the following command to find all computer accounts that have been disabled.
dsquery computer –disabled
How to find all computer accounts that have been inactive for at least a week
dsquery computer - inactive 1
How to find all user accounts that have been disabled
dsquery user -disabled
How to find all the FSMO roles
dsquery server -hasfsmo schema
How to find all Domain Controller in the current domain
dsquery server
Cool Tip: Learn more about Active Directory Schema!
What is the alternative to Dsquery in PowerShell?
The Get-AdObject
cmdlet in PowerShell is the most accurate equivalent to the Dsquery command which is used to query Active Directory objects and retrieve the information.
How to Run a DS Query?
Open up an elevated command prompt to use dsquery on the command prompt. You must run the dsquery command from an elevated command prompt.
Does Dsquery use LDAP?
Yes, Dsquery command-line tool uses LDAP (Lightweight Directory Access Protocol) query to find objects in the active directory.
Cool Tip: How to use ADSI Edit utility in PowerShell!
Conclusion
I hope the above article on how to use Dsquery command-line tool to find active directory objects is helpful to you.
You can find more topics about Active Directory tools and PowerShell basics on the ActiveDirectoryTools home page.