Windows: Active Directory from the command line


This post contains command-line examples for querying Active Directory using the ds* command family. The ds* commands are part of the Remote Server Administration Tools (RSAT).

Find a User by its Display Name

dsquery user -Name "Tux*"

Find a User by sAMAccountname/Login

dsquery user -samid myUserSamName
"CN=DisplayName myUserSamName,OU=Users,DC=myDomain,DC=net"

Get group Memberships

dsget user "CN=DisplayName myUserSamName,OU=Users,DC=myDomain,DC=net" -memberof

The same procedure works for groups. Find a group by its Display Name

dsquery group -Name "Group Fileshare*"

Find a Group by its sAMAccountName

dsquery group -samid GROUP_FILESHARE_*
"CN=DisplayName Groupe,OU=groups,DC=myDomain,DC=net"

Get the groups the group is a member of

dsget group "CN=DisplayName Groupe,OU=groups,DC=myDomain,DC=net" -memberof

Get all members of the group

dsget group "CN=DisplayName Groupe,OU=groups,DC=myDomain,DC=net" -members

Find a computer

dsquery computer -name myComputer

Set join permissions for a computer object

SET ADJOIN_GROUP=ComputerJoiners
dsacls "CN=myComputer,OU=Computers,DC=myDomain,DC=net" /I:T /G %ADJOIN_GROUP%:CA;"Reset Password";  %ADJOIN_GROUP%:RP;; %ADJOIN_GROUP%:WP;;
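After a delegation like the one above, it is worth reading back what the group actually holds on the object. The following is an added example, not part of the original post: it lists the ACEs for one SID and marks entries with an empty object type, which apply to all properties (as `RP;;` and `WP;;` do). The function name `Get-DelegatedAce`, the SID and the SDDL string are constructed for illustration so the block runs without a domain.

```powershell
Add-Type -AssemblyName System.DirectoryServices

# Control-access GUID of the "Reset Password" extended right (User-Force-Change-Password).
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'

# Hypothetical helper: list every ACE that a given SID holds in a security descriptor.
function Get-DelegatedAce {
    param(
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectorySecurity] $Security,
        [Parameter(Mandatory)] [string] $Sid
    )
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $Security.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -ne $Sid) { continue }
        # An empty ObjectType means the right is not limited to one property or extended right.
        $scope = if ($r.ObjectType -eq [guid]::Empty) { 'ALL properties / rights' }
                 elseif ($r.ObjectType -eq $ResetPassword) { 'Reset Password' }
                 else { $r.ObjectType.ToString() }
        [pscustomobject]@{
            Type      = $r.AccessControlType
            Rights    = $r.ActiveDirectoryRights
            AppliesTo = $scope
            Inherited = $r.IsInherited
            Inherits  = $r.InheritanceType
        }
    }
}

# Constructed sample: a DACL shaped like the result of the dsacls command above
# (CA;"Reset Password" plus RP and WP with no object type, inherited by child objects).
$groupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed SID
$sddl = "D:(OA;CI;CR;$ResetPassword;;$groupSid)(A;CI;RPWP;;;$groupSid)(A;;GA;;;SY)"
$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.SetSecurityDescriptorSddlForm($sddl)
Get-DelegatedAce -Security $sd -Sid $groupSid | Format-Table -AutoSize

# Against a live object (assumptions: domain-joined host, read access to the object,
# and 'myDomain' being the NetBIOS domain name):
# $e   = New-Object DirectoryServices.DirectoryEntry('LDAP://CN=myComputer,OU=Computers,DC=myDomain,DC=net')
# $sid = (New-Object Security.Principal.NTAccount('myDomain\ComputerJoiners')).Translate(
#            [Security.Principal.SecurityIdentifier]).Value
# Get-DelegatedAce -Security $e.ObjectSecurity -Sid $sid
```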

Find a Service Principal Name (with PowerShell)

$oDirSearch = New-Object DirectoryServices.DirectorySearcher
$oDirSearch.filter = "(servicePrincipalName=host/myComputer)"
$oDirSearch.Findall() | %{New-Object DirectoryServices.DirectoryEntry($_.Path)} | fl *
