Hi,
The built-in Windows “net” commands have some limitations: for example, they truncate group names longer than 20 characters and cannot resolve group-in-group memberships.
dsget and dsquery are command-line (LDAP) interfaces to Active Directory. To use these commands you have to install the Windows RSAT Tools (Remote Server Administration Tools).
Some examples.
Show your distinguished name by sAMAccountName
C:\> dsquery user -samid %USERNAME%
Or with a custom LDAP filter
C:\> dsquery * -filter "(&(objectClass=User)(sAMAccountName=%USERNAME%))"
Get specific LDAP attributes of a user
C:\> dsquery * "CN=myUser Account,OU=UsersOU,DC=yourDomain,DC=org" -attr sAMAccountName displayName department
Get all LDAP attributes of a user
C:\> dsquery * "CN=myUser Account,OU=UsersOU,DC=yourDomain,DC=org" -attr *
Get the distinguished names of all groups you are a member of
C:\> dsquery user -samid %USERNAME% | dsget user -memberof
and more readable, with just the sAMAccountName of the groups
C:\> dsquery user -samid %USERNAME% | dsget user -memberof | dsget group -samid
Get the distinguished name of a group by its sAMAccountName
C:\> dsquery group -samid YourGroupName
Get all members of a group by its sAMAccountName
C:\> dsquery group -samid YourGroupName | dsget group -members
and recursively, if the group contains other groups as members
C:\> dsquery group -samid YourGroupName | dsget group -members -expand
and more readable, with more details
C:\> dsquery group -samid YourGroupName | dsget group -members -expand | dsget user -display -samid -email
Michael
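The last command pipes every expanded member, nested groups included, into dsget user. The following PowerShell function is an added example, not part of the original post: it returns only the user accounts that are direct or nested members of a group, letting the domain controller resolve the nesting. It assumes a domain-joined Windows host; the function names are hypothetical.

```powershell
# Added example: list only user accounts that are direct or nested members of a group.
# Get-NestedGroupUser and ConvertTo-LdapFilterValue are hypothetical helper names.
function Get-NestedGroupUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$GroupSamAccountName
    )

    # Escape characters that are special inside an LDAP filter value (RFC 4515).
    # The backslash must be replaced first so later escapes are not double-encoded.
    function ConvertTo-LdapFilterValue([string]$Value) {
        $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
    }

    # Step 1: resolve the group's distinguished name from its sAMAccountName.
    $name = ConvertTo-LdapFilterValue $GroupSamAccountName
    $groupSearcher = [adsisearcher]"(&(objectCategory=group)(sAMAccountName=$name))"
    $group = $groupSearcher.FindOne()
    if ($null -eq $group) { throw "Group '$GroupSamAccountName' not found." }
    $groupDn = ConvertTo-LdapFilterValue ([string]$group.Properties['distinguishedname'][0])

    # Step 2: 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN. The domain
    # controller follows memberOf through nested groups; the objectCategory/objectClass
    # terms keep user accounts and drop the nested groups themselves.
    $filter = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
    $userSearcher = [adsisearcher]$filter
    $userSearcher.PageSize = 1000   # paged search, so large groups are not cut off
    [void]$userSearcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'displayname', 'mail'))

    $results = $userSearcher.FindAll()
    try {
        foreach ($r in $results) {
            # Attributes can be unset; Select-Object -First 1 then yields an empty string.
            [pscustomobject]@{
                SamAccountName = [string]($r.Properties['samaccountname'] | Select-Object -First 1)
                DisplayName    = [string]($r.Properties['displayname'] | Select-Object -First 1)
                Email          = [string]($r.Properties['mail'] | Select-Object -First 1)
            }
        }
    }
    finally {
        $results.Dispose()   # release the unmanaged search handle
    }
}
```

Call it as `Get-NestedGroupUser -GroupSamAccountName YourGroupName`. Accounts that belong to the group only through their primary group are not returned, because that membership is not stored in memberOf.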
For the last one, how can you filter out sub groups?
This is a late response, but just remove the “-expand” parameter, that will disable recursivity