SolutionBase: Using the Dsquery command in Windows Server 2003
Takeaway: Microsoft includes some handy GUI tools with Windows Server 2003 to help you manage Active Directory. Sometimes, however, command-line tools such as Dsquery can give you more flexibility and control. Here's a detailed look at the Dsquery command.
In the article "Getting started with Windows Server 2003's directory service command-line tools," I introduced you to the six basic directory service command-line tools and provided an expanded list showing you the particular objects that each tool is designed to work with. I also got you started with a basic understanding of distinguished names and the Lightweight Directory Access Protocol (LDAP) attribute tags.
The directory service command-line tools rely on these names to locate and work with objects in Active Directory. As I closed out that article, I briefly showed you how to use the Dsquery command to look at the distinguished names assigned to the objects in your Active Directory structure.
In this article, I'll pick up with the Dsquery command and examine its features. I'll then show you some cool search techniques you can perform with the Dsquery command to quickly and easily reveal information that would be a bit tricky to get out of GUI interface tools.
The commands
While the Dsquery command is one of the six main directory service command-line tools, it actually consists of 11 separate commands, as shown in Table A. Ten of these commands are designed to find objects of a specific type, and one is designed to find any object type in Active Directory.
Table A: The Dsquery commands
Of course, each of these commands comes with a set of object-specific parameters that allow you to define the search criteria for each object. However, the majority of the parameters are common to most of the Dsquery commands.
The common parameters
Let's examine the common parameters and see how they work. Once you understand their function, you'll be able to look at the overly complex syntax layouts for each command and more easily pick out the object-specific parameters.
Targeting your search
The first set of common search parameters allows you to specify where you want your search operation to begin:
[{StartNode | forestroot | domainroot}]
To narrow your search, use a node's distinguished name (StartNode). To broaden it, use the forestroot parameter, in which case the search is done using the global catalog. The default value is domainroot; it's implied if you type nothing else, but you can spell it out on the command line if you really like typing long command strings.
The second set of parameters in this category allows you to specify the scope of your search:
[-scope {subtree | onelevel | base}]
If you use the -scope base parameter, you target the search on a single object: the object type specified by the command at the start node. In other words, you prevent the search from progressing down to child objects. If you use the -scope onelevel parameter, you target the search on the object specified by the command and the start node plus that object's immediate children. The -scope subtree parameter is the default; it allows the search to progress freely down the tree from the start node.
As I mentioned, you can use the forestroot parameter to search the global catalog. You can also use the -gc parameter to require that your search specifically use the Active Directory global catalog.
One more way to target your search is with the -r parameter, where the r stands for recursion. This parameter specifies that your search use recursion, also described as following referrals during a search. As I understand it, this parameter allows you to extend your search to multiple servers.
Formatting output
The next set of common parameters lets you specify the output format for the search results:
[-o {dn | rdn}]
The default output is the distinguished name and uses the -o dn parameter. If you want to see the relative distinguished name, you'd use the -o rdn parameter.
As I said in the previous article, the Dsquery command will display only 100 objects by default. The next parameter allows you to expand the number of items displayed in the output:
-limit NumberofObjects
Essentially, you can use any number you want here. While it may seem a bit weird at first glance, if you want to see all of the objects, follow the -limit parameter with a zero. However, be careful when changing the limit because Microsoft's goal in limiting the output to 100 objects is to prevent the domain controller from being unnecessarily taxed by an exhaustive Active Directory search operation.
The last set of output format parameters also double as input format parameters and are designed to allow you to specify Unicode format:
{-uc | -uco | -uci}
The -uc parameter specifies a Unicode format for input from or output to a pipe (|). The -uco parameter specifies a Unicode format for output to a pipe (|) or a file. The -uci parameter is used to specify a Unicode format for input from a pipe (|) or a file.
While I'm on the topic of output, should you ever decide to run the Dsquery command and not see the results, you can use the -q parameter (a.k.a. Quiet Mode), which will suppress all output to the console. At first, this seemed like an odd thing to do, but then I thought it might be useful when you're redirecting output to a file. However, I've not had any luck getting the -q parameter to work at all.
Remote connection
The final set of common parameters that we'll look at are the remote connection parameters. By default, the Dsquery command assumes that you're running the command in the domain to which you're logged in. However, you can also run the Dsquery command on a remote server or domain.
{-s Server | -d Domain}
Using these parameters, you can connect to a specified remote server or domain. You might also need to specify a username and password, in which case you'd use these parameters:
-u UserName
-p {Password | *}
If you use the asterisk, you'll be prompted for a password.
Dsquery examples
Now that you have a good idea of how the Dsquery command works with its common parameters, let's look at some examples of where using this command will come in handy.
Tracking down servers
Suppose that while troubleshooting a problem, you discover that you need to quickly identify the domain controller that is performing one of the five Flexible Single Master Operation (FSMO) roles for a forest. What if you need to quickly identify which domain controllers are performing all five FSMO roles: the Schema Master, Domain Naming Master, RID Master, PDC Emulator, and Infrastructure Master? To perform this operation, you'll use the command:
Dsquery server
along with the parameters:
-forest -hasfsmo {schema | name | infr | pdc | rid}
If you wanted to find only the Schema Master, you'd use the command:
Dsquery server -forest -hasfsmo schema
If you wanted to find all five, you'd use the command:
For %x in (schema name infr pdc rid) do Dsquery server -forest -hasfsmo %x
Here, I've simply incorporated the Dsquery server command in a pretty standard For In Do loop. To use this command line, you might want to type it in Notepad and save it as a batch file. You might also want to capture the output in a file. If so, you can add the following to the end of the command line:
>> FSMO-Query.txt
Tracking down inactive or disabled accounts
Suppose you've just taken a new job as a systems administrator. After a couple of days on the job, you discover that your predecessor wasn't very conscientious about cleaning up inactive and disabled user and computer accounts of employees who either left the company or were there only on a temporary contract basis.
You've already changed the names and passwords on all the administrative accounts, and you want to close any potential security holes your predecessor left open. You need a way to quickly gauge the magnitude of the problem. Fortunately, you can gather the information you need with a few simple Dsquery commands. To find all user accounts that have been inactive for a week or longer, you'd use the command:
dsquery user -inactive 1
To find all user accounts that have been disabled, but never dealt with further, you'd use the command:
dsquery user -disabled
To find all computers whose accounts have been inactive for the last week or more, you'd use the command:
dsquery computer -inactive 1
To track down all computers whose accounts are disabled, you'd use the command:
dsquery computer -disabled
Performing an inventory on the fly!
Now imagine this scenario: As a young network administrator, you learned the importance of documenting a network. Over the years, you've become very diligent when it comes to filling in the Description fields for every object account in Active Directory. The Description field for each computer account in your Active Directory structure contains a very detailed string of information that begins with a three-letter acronym specifying the operating system.
Suppose that your colleague asks you to find out how many computers in the Laptops organizational unit are still running Windows 2000 Professional. You could quickly open a command prompt window and type the command:
Dsquery computer OU=Laptops,DC=gcs,DC=com -desc W2K*
Similarly, you could find out how many computers in the Laptops organizational unit are now running Windows XP Professional by using the command:
Dsquery computer OU=Laptops,DC=gcs,DC=com -desc WXP*
Stay tuned
You should now have a pretty good handle on how to use the Dsquery command; you can use my examples as a starting point in your own explorations. In fact, if you come up with any cool examples of using the Dsquery command, please take a moment to share your command line by dropping a note in the Discussion area. In the next article, I'll focus on the Dsget command as I continue examining the directory service command-line tools.
