DSQUERY and DSGET commands. The dsquery command allows you to query the Active Directory (AD) service according to specified criteria. E.g., the dsquery user command finds users in the directory. By adding a user name at the end of the command, you can view information for that user. E.g., for a user named Pamela in a domain named "Mayflower" with a Windows Small Business Server (SBS) 2003 server, I could use the command below, which would show the user's full name:

C:\>dsquery user -samid pamela
"CN=Pamela M. Rolm,CN=Users,DC=mayflower,DC=lan"

I can pipe the output of that command into the DSGET command, which will display information for the object piped into it. E.g., for the above account, I can use dsquery user -samid pamela | dsget user -memberof, which will show me that the user's account is only in the Domain Users group:

C:\>dsquery user -samid pamela | dsget user -memberof
"CN=Domain Users,CN=Users,DC=mayflower,DC=lan"

That information can be further expanded by adding -expand to the end of the command.

C:\>dsquery user -samid pamela | dsget user -memberof -expand
"CN=Domain Users,CN=Users,DC=mayflower,DC=lan"
"CN=Users,CN=Builtin,DC=mayflower,DC=lan"
C:\>

For the administrator account on the system, the results show the account belongs to many more groups:

C:\>dsquery user -samid administrator | dsget user -memberof
"CN=Mobile Users,OU=Security Groups,OU=MyBusiness,DC=mayflower,DC=lan"
"CN=Group Policy Creator Owners,CN=Users,DC=mayflower,DC=lan"
"CN=Domain Admins,CN=Users,DC=mayflower,DC=lan"
"CN=Enterprise Admins,CN=Users,DC=mayflower,DC=lan"
"CN=Schema Admins,CN=Users,DC=mayflower,DC=lan"
"CN=Administrators,CN=Builtin,DC=mayflower,DC=lan"
"CN=TelnetClients,CN=Users,DC=mayflower,DC=lan"
"CN=Domain Users,CN=Users,DC=mayflower,DC=lan"

And with the -expand option added:

C:\>dsquery user -samid administrator | dsget user -memberof -expand
"CN=Mobile Users,OU=Security Groups,OU=MyBusiness,DC=mayflower,DC=lan"
"CN=Group Policy Creator Owners,CN=Users,DC=mayflower,DC=lan"
"CN=Domain Admins,CN=Users,DC=mayflower,DC=lan"
"CN=Enterprise Admins,CN=Users,DC=mayflower,DC=lan"
"CN=Schema Admins,CN=Users,DC=mayflower,DC=lan"
"CN=Administrators,CN=Builtin,DC=mayflower,DC=lan"
"CN=TelnetClients,CN=Users,DC=mayflower,DC=lan"
"CN=Domain Users,CN=Users,DC=mayflower,DC=lan"
"CN=Offer Remote Assistance Helpers,CN=Users,DC=mayflower,DC=lan"
"CN=Usage Report Users,OU=Security Groups,OU=MyBusiness,DC=mayflower,DC=lan"
"CN=Users,CN=Builtin,DC=mayflower,DC=lan"

The command will provide similar information for an administrator account in a domain with a Windows Server 2012 domain controller as well.

c:\>dsquery user -samid Thomas | dsget user -memberof -expand
"CN=RA_AllowMediaAccess,CN=Users,DC=Midland,DC=local"
"CN=RA_AllowVpnAccess,CN=Users,DC=Midland,DC=local"
"CN=WSSUsers,CN=Users,DC=Midland,DC=local"
"CN=RA_AllowNetworkAlertAccess,CN=Users,DC=Midland,DC=local"
"CN=RA_AllowHomePageLinks,CN=Users,DC=Midland,DC=local"
"CN=RA_AllowAddInAccess,CN=Users,DC=Midland,DC=local"
"CN=RA_AllowComputerAccess,CN=Users,DC=Midland,DC=local"
"CN=RA_AllowShareAccess,CN=Users,DC=Midland,DC=local"
"CN=RA_AllowDashboardAccess,CN=Users,DC=Midland,DC=local"
"CN=RA_AllowRemoteAccess,CN=Users,DC=Midland,DC=local"
"CN=Domain Admins,CN=Users,DC=Midland,DC=local"
"CN=Schema Admins,CN=Users,DC=Midland,DC=local"
"CN=Domain Users,CN=Users,DC=Midland,DC=local"
"CN=Denied RODC Password Replication Group,CN=Users,DC=Midland,DC=local"
"CN=Administrators,CN=Builtin,DC=Midland,DC=local"
"CN=Users,CN=Builtin,DC=Midland,DC=local"
c:\>
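
The following PowerShell is an added example, not part of the original post: it compares the -memberof and -memberof -expand listings to mark each group as direct or nested, and flags those on a watch list of privileged groups. The function names and the watch list are assumptions made for illustration; the sample input is the administrator output shown above for the mayflower domain.

```powershell
# Added example. Assumption: this watch list; extend it with your domain's sensitive groups.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Group Policy Creator Owners'

function Get-GroupName {
    param([string]$Line)
    # dsget prints one quoted DN per line; return the leading CN value (escapes such as "\," allowed).
    $dn = $Line.Trim().Trim('"')
    if ($dn -match '^CN=((?:\\.|[^,\\])+),') { $Matches[1] -replace '\\(.)', '$1' }
}

function Get-MembershipReport {
    param([string[]]$Direct, [string[]]$Expanded)
    $directDns = @($Direct | Where-Object { $_ } | ForEach-Object { $_.Trim().Trim('"') })
    foreach ($line in $Expanded) {
        $name = Get-GroupName $line
        if (-not $name) { continue }   # skip blank lines and anything that is not a DN
        $dn = $line.Trim().Trim('"')
        [pscustomobject]@{
            Group      = $name
            Via        = if ($directDns -contains $dn) { 'direct' } else { 'nested' }
            Privileged = $PrivilegedGroups -contains $name   # matched on CN only
        }
    }
}

# Sample input: the administrator listings from this page (mayflower.lan).
$direct = @(
    '"CN=Mobile Users,OU=Security Groups,OU=MyBusiness,DC=mayflower,DC=lan"'
    '"CN=Group Policy Creator Owners,CN=Users,DC=mayflower,DC=lan"'
    '"CN=Domain Admins,CN=Users,DC=mayflower,DC=lan"'
    '"CN=Enterprise Admins,CN=Users,DC=mayflower,DC=lan"'
    '"CN=Schema Admins,CN=Users,DC=mayflower,DC=lan"'
    '"CN=Administrators,CN=Builtin,DC=mayflower,DC=lan"'
    '"CN=TelnetClients,CN=Users,DC=mayflower,DC=lan"'
    '"CN=Domain Users,CN=Users,DC=mayflower,DC=lan"'
)
$expanded = $direct + @(
    '"CN=Offer Remote Assistance Helpers,CN=Users,DC=mayflower,DC=lan"'
    '"CN=Usage Report Users,OU=Security Groups,OU=MyBusiness,DC=mayflower,DC=lan"'
    '"CN=Users,CN=Builtin,DC=mayflower,DC=lan"'
)
# Live use on a domain member (cmd handles the pipe exactly as typed above):
#   $direct   = cmd /c 'dsquery user -samid administrator | dsget user -memberof'
#   $expanded = cmd /c 'dsquery user -samid administrator | dsget user -memberof -expand'
Get-MembershipReport -Direct $direct -Expanded $expanded |
    Sort-Object Privileged -Descending | Format-Table -AutoSize
```

Because the watch list is matched on the group's CN alone, a group with the same name in another container is flagged as well.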