Windows Tip Sheet
DSQuery, And Then Some
DSQuery User gives up lots of info, but what if you want more? There is a way to wring out more info with this nifty trick.
- By Jeffery Hicks
- 08/01/2007
I was helping out an administrator not too long ago who was trying to find user accounts based on some specific user properties. My first thought for a quick and easy solution was to use DSQuery User. Problem was, the properties he wanted aren't part of the default query set. But there's another way using a custom DSQuery command. The basic syntax is:
Dsquery * -filter Your-LDAP-Filter
Creating the LDAP query filter is easier than you think. Once you get the basics worked out, you can copy, paste and tweak. Here are some examples for you to try (hopefully in your test lab). All of the dsquery commands are one-line commands and all quotes should be straight quotes.
The following essentially dumps all user objects in your domain to a text file:
dsquery * -filter "(&(objectcategory=person)(objectclass=user))" -limit 0 -attr * >>userexport.txt
It's a good idea, when querying for user objects, to use the objectcategory and objectclass combination. This should ensure you get user accounts and not any other object that may be based on the user class. The attr parameter followed by the asterisk instructs the command to return ALL attributes.
The output will be redirected to the text file userexport.txt. This gets you basically the same information as the CSVDE command, but in a tab-delimited format.
Ususally you won't want or need that much information.
Here's how you would get something a little more limited:
dsquery * -filter "(&(objectcategory=person)(objectclass=user))" -limit 0 -attr distinguishedname samaccountname description department title >> exportedusers.txt
This expression finds all users and list their distinguishedname, SAMAccountname, description, department and title in a tab-delimited format.
What if you want to limit your search to a particular oU:
dsquery * "ou=Employees,DC=Mycompany,DC=local" -filter "(&(objectcategory=person)(objectclass=user))" -limit 0 -attr distinguishedname samaccountname description department title
Are you starting to see how easy this is?
Finally, you can also run a custom search where some criteria must be met. In this example, the only user accounts that are returned are those with a department set to "Sales":
dsquery * -filter "(&(objectcategory=person)(objectclass=user)(department=Sales))"
Tech Help—Just An
E-Mail Away |
|
Got a Windows, Exchange or virtualization question
or need troubleshooting help? Or maybe you want a better
explanation than provided in the manuals? Describe
your dilemma in an e-mail to the MCPmag.com editors
at [email protected];
the best questions get answered in this column and garner
the questioner with a nifty Redmond T-shirt.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message, but submit the requested
information for verification purposes.) |
|
|
Because I didn't specify any properties, the users' distinguished name is returned. But that's fine because I can then pipe the result of this command to DSMod or DSGet for additional processing.
There is a lot of information in Active Directory, if you know how to ask. Using custom DSQuery commands is like saying, "pretty please with sugar on top."
About the Author
Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at Petri.com, and a frequent speaker at technology conferences and user groups.