SolutionBase: Using the Dsget command in Windows Server 2003
Takeaway: Most Windows Server 2003 utilities are GUI-based, forcing you to point and click to get work done. Here's how you can use the Dsget utility to access Active Directory information from the command line.
In the article "Using the Dsquery command in Windows Server 2003," I explained how the Dsquery command works and showed you several examples of how to use it to reveal information that would be a bit tricky to get out of GUI interface tools.
In this article, I'll continue my examination of Windows Server 2003's directory service command-line tools with a detailed look at the Dsget command, which, as you'll remember, allows you to display the properties of objects in Active Directory. As I do, I'll show you some examples of how the Dsget command works. I'll also demonstrate how to create some cool command-line scripts by combining the Dsget and Dsquery commands.
The commands
The Dsget command consists of 10 separate subcommands, as shown in Table A. Each of these commands is designed to display the properties of a specific object type in Active Directory. Several of the commands have multiple variations, which I'll describe in more detail in a moment.
Table A: The Dsget commands
Just like the Dsquery command, each of the Dsget commands comes with a set of common parameters as well as a set of object-specific parameters that allow you to specify the type of information you want to view. In the case of the Dsget command, the first common parameter is a distinguished name that you use to identify the object(s) whose properties you want to view.
Now, if typing out distinguished names really isn't your idea of fun, don't worry. You can use the Dsquery command, which returns the distinguished name of any object, to generate input for the Dsget commands. To do so, you just pipe the result of the Dsquery command to the Dsget command (more on using Dsquery and piping in a moment).
Most useful Dsget commands
While you can use the Dsget command to display information about a single object in Active Directory, the real power of this command comes from the fact that you can use it to quickly gather information on large numbers of objects. While there are 10 separate Dsget commands, three of the commands target object types that contain large numbers of objects you'd commonly need to gather information for. These three commands are Dsget user, Dsget group, and Dsget computer.
I'll focus on these three commands to give you a good idea of how the Dsget command works and to help you build a foundation on which you can explore the other seven Dsget commands. As I discuss these commands, I won't go into detail on all the various parameters for each. Instead, I'll focus on the parameters that I'll use in the example commands. Keep in mind that Windows Server 2003's Help and Support Center contains detailed information on the syntax of each of the Dsget commands.
Dsget user
The Dsget user command is designed to display the various properties related to user accounts. To make this command as versatile as possible, Microsoft endowed it with two variations. The first variation is specifically designed to allow you to gather the group membership information of a single user; the second variation allows you to view general properties of multiple users all at one time.
Let's begin with a look at the first variation of the Dsget user command. As you know, in a large Active Directory environment, users can belong to a number of groups in the domain. Of course, it's easy enough to go to the GUI and check out the Member Of tab and see what groups a particular user is a member of, but this won't show you which groups those groups are members of (also known as implicit groups). However, you can easily obtain this information using the first variation of the Dsget user command.
For example, suppose you want to create a list of all the groups to which John Doe belongs. To do so, you'd use this Dsget user command:
Dsget user "CN=John Doe,OU=Employees,DC=gcs,DC=com" -memberof -expand
In this case, the -memberof parameter displays the immediate list of groups of which the user is a member. The key here is the -expand parameter, which allows the Dsget user command to expand and recursively search each group to determine membership through nested groups.
Let's take a look at another example of the Dsget user command. Suppose you've implemented quotas and need to find out how much of the quota John Doe has used so far. You can quickly find that information with this command:
Dsget user "CN=John Doe,OU=Employees,DC=gcs,DC=com" -part "DC=gcs,DC=com" -qlimit -qused
Here, the -part parameter connects to the directory partition; -qlimit displays the user's effective quota; and -qused shows how much of the quota has been used so far.
Now, let's consider an example of the second variation. Suppose you need to quickly find the first and last names, and the e-mail addresses, of all users who have accounts in the Employees organizational unit and who need to change their passwords at the next logon. In this case, we'll use the Dsquery command to perform a search on all objects in the Employees organizational unit and then pipe the results to the Dsget user command:
Dsquery user "OU=Employees,DC=gcs,DC=com" -limit 0 | Dsget user -fn -ln -email -mustchpwd
In this example of the Dsget command, the -fn and -ln parameters provide the first and last names of the users; the -email parameter displays the e-mail addresses; and the -mustchpwd parameter displays either a yes or no, depending on whether the user must change the password. As you'll remember, by default the Dsquery command will return only 100 results. By using the -limit parameter and setting it to 0, we can force the Dsquery command to return all matching objects.
Dsget group
The Dsget group command is designed to allow you to display the various properties of a group and the members of a group. Like the Dsget user command, Dsget group also has two variations. The first variation will display the properties of multiple groups, whereas the second variation will display group membership information of a single group.
Let's begin with the second variation. In this example, suppose you need to find all members of the SrAccountants group:
Dsget group "CN=SrAccountants,OU=Accounting,DC=gcs,DC=com" -members -expand
Now, let's turn to the first variation. Suppose you want to compile a list of all the groups in your Active Directory structure and find out whether the groups are local, global, or universal. You also want to determine whether each group is a security group or a distribution group. To accomplish this, we'll again use the Dsquery command to generate a list of all the groups and then pipe the results to the Dsget group command:
Dsquery group | Dsget group -scope -samid -secgrp
The -scope parameter indicates whether the groups are local, global, or universal; the -samid parameter displays each group's security principal name; and the -secgrp parameter displays a yes if the group is a security group and no if the group is a distribution group.
Dsget computer
Using the Dsget computer command, you can easily track down information on multiple computers in Active Directory. For example, suppose you want to compile a list of all the computer accounts in your domain that have been inactive for the last two weeks. To generate this list, you use Dsquery and then pipe the results to the Dsget computer command:
Dsquery computer -inactive 2 -limit 0 | Dsget computer -desc -loc -samid
In this particular command line, I've used the Dsquery computer command for more than just generating the list. In fact, Dsquery computer is the real workhorse here in that it possesses the -inactive parameter. The Dsget computer command then uses the -desc, -loc, and -samid parameters to expand on the identity of any computers that the Dsquery computer command flagged as being inactive. This example shows how you can combine features of both these commands to provide information that might be difficult to obtain otherwise.
As another example of the combined power of the Dsquery and Dsget commands, suppose you wanted to document the computer account configuration for all the computers in Active Directory. To do this, you could use the command
Dsquery computer "DC=gcs,DC=com" | Dsget computer -dn -desc -loc -samid -sid -disabled -l > ComputerList.txt
I've used the Dsquery computer command to generate a list of all the computers in the domain, and the Dsget computer command to retrieve all the possible computer account information. I've then used the -l parameter to display the result in list format (as opposed to the default table format) and then redirected the report to a text file called ComputerList.txt.
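Once the report is in a file, it can be turned into records for review, for instance to pick out computer accounts that are still enabled. The following is an added example, not part of the original article: it assumes the list format is "name: value" lines with a blank line between objects and a closing status line, and the function names and sample report are constructed for illustration.

```python
# Added example: parse a "Dsget computer ... -l" report into records.
# Assumption: each object is a block of "name: value" lines, blocks are
# separated by blank lines, and the tool ends with a "dsget ..." status line.

# Constructed sample standing in for the contents of ComputerList.txt.
SAMPLE = """\
dn: CN=WS01,OU=Workstations,DC=gcs,DC=com
desc: Front desk
loc: Lobby
samid: WS01$
sid: S-1-5-21-1111111111-2222222222-3333333333-1105
disabled: no

dn: CN=WS02,OU=Workstations,DC=gcs,DC=com
desc:
loc:
samid: WS02$
sid: S-1-5-21-1111111111-2222222222-3333333333-1106
disabled: yes

dsget succeeded
"""


def parse_dsget_list(text):
    """Return a list of dicts, one per object in a list-format report."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line closes the current object
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")   # split on the first colon only
        if not sep or name.lower().startswith("dsget"):
            continue                      # status line, not a property
        current[name.strip().lower()] = value.strip()
    if current:                           # report without a trailing blank line
        records.append(current)
    return records


def enabled_accounts(records):
    """samid of every account whose 'disabled' property is not 'yes'."""
    return [r.get("samid", "") for r in records
            if r.get("disabled", "").lower() != "yes"]


if __name__ == "__main__":
    for samid in enabled_accounts(parse_dsget_list(SAMPLE)):
        print("still enabled:", samid)
```

Run against a report produced from the -inactive query with -samid -disabled -l added, the same function lists inactive computer accounts that have not yet been disabled.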
A bit more to come
Now that you've seen several detailed examples of how you can use the Dsget command to obtain valuable information about objects in Active Directory, you should be well on your way to getting the most out of all 10 of the available Dsget commands.
In the final article in this series, I'll look at the remaining four directory service command-line tools (Dsadd, Dsmod, Dsmove, and Dsrm), which are pretty straightforward in and of themselves. However, I'll show how you can get even more out of these commands by combining them with Dsquery and Dsget.
