Retrieve Information From AD With DSQUERY

Over the years of working with Active Directory (AD), I have often needed to retrieve various types of information from the directory. Several tools can accomplish this task, but the most useful one I have found for ad hoc queries is the DSQUERY tool.

On this page I provide some common samples that systems administrators may find helpful. In my samples, I use the following sample domain names: mydom.local and mydom.com. For best results, run the sample queries in a command shell on a domain controller.


User Information

Find DN of Currently Logged On User

Paste code as is:


dsquery * domainroot -filter "(samAccountName=%USERNAME%)"


Find User With Primary Email Address

Retrieve the user object whose primary SMTP e-mail address matches the given address.


Syntax:

dsquery * domainroot -filter "(&(objectClass=User) (mail=<email address>))" -l -d <domain> -attr *


Example:

dsquery * domainroot -filter "(&(objectClass=User) (mail=John.Doe@mydom.com))" -l -d mydom.local -attr *


Find User With Any Email Address

Retrieve user object matching any assigned e-mail address.


Syntax:

dsquery * domainroot -filter "(&(objectClass=User) (proxyAddresses=*<email address>*))" -l -d <domain> -attr *


Example:

dsquery * domainroot -filter "(&(objectClass=User) (proxyAddresses=*John.Doe@mydom.com*))" -l -d mydom.local -attr *


Find Email of User when DN is Known

Retrieve the user object matching the given DN and show its primary SMTP e-mail address.


Syntax:

dsquery * domainroot -filter "(distinguishedName=<user object DN>)" -d <domain> -l -attr mail


Example:

dsquery * domainroot -filter "(distinguishedName=CN=Kerekes\, Charlie,OU=Knoxville,DC=mydom,DC=local)" -d mydom.local -l -attr mail


Find Hidden GAL Recipients

Retrieve all user objects that are hidden from the Global Address List in Exchange.


Syntax:

dsquery * domainroot -filter "(&(objectClass=User) (msExchHideFromAddressLists=TRUE))" -l -d <domain> -attr displayName


Example:

dsquery * domainroot -filter "(&(objectClass=User) (msExchHideFromAddressLists=TRUE))" -l -d mydom.local -attr displayName


Users With Password Set to Never Expire

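Retrieve list of users with the "Password never expires" attribute set. The userAccountControl attribute is a bit field, so the filter tests the 65536 (DONT_EXPIRE_PASSWORD) bit with the LDAP bitwise AND matching rule (1.2.840.113556.1.4.803). A plain numeric comparison (userAccountControl>=65536) would also return accounts that only have higher-valued flags set.


Syntax:

dsquery * domainroot -filter "(&(objectClass=user) (userAccountControl:1.2.840.113556.1.4.803:=65536))" -attr sAMAccountName userPrincipalName userAccountControl -d <domain>


Example:

dsquery * domainroot -filter "(&(objectClass=user) (userAccountControl:1.2.840.113556.1.4.803:=65536))" -attr sAMAccountName userPrincipalName userAccountControl -d mydom.local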
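

Because userAccountControl is a bit field, "Password never expires" has to be read as bit 65536 (0x10000), not as a numeric threshold. The PowerShell example below is an addition, not part of the original page. The account names and values are constructed. It decodes the userAccountControl column of the query output and lists the rows where a numeric comparison and the bit test disagree.

```powershell
# Subset of the flag values in Microsoft's userAccountControl documentation.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE            = 0x0002
    PASSWD_NOTREQD            = 0x0020
    NORMAL_ACCOUNT            = 0x0200
    WORKSTATION_TRUST_ACCOUNT = 0x1000
    DONT_EXPIRE_PASSWORD      = 0x10000
    SMARTCARD_REQUIRED        = 0x40000
    TRUSTED_FOR_DELEGATION    = 0x80000
    DONT_REQ_PREAUTH          = 0x400000
}

function ConvertFrom-Uac {
    param([Parameter(Mandatory)][int]$Value)
    # Return the name of every known flag whose bit is set in $Value.
    $UacFlags.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object { $_.Key }
}

# Constructed sample of the three columns the query prints.
# objectClass=user also matches computer accounts, hence the EXCH19$ row.
$rows = @'
  sAMAccountName  userPrincipalName        userAccountControl
  svc-backup      svc-backup@mydom.local   66048
  jdoe            jdoe@mydom.local         512
  card.user       card.user@mydom.local    262656
  EXCH19$                                  4096
  deleg.app       deleg.app@mydom.local    524800
'@ -split "`r?`n" | Select-Object -Skip 1

$report = foreach ($line in $rows) {
    $tok = -split $line                 # whitespace split, empty columns vanish
    if ($tok.Count -lt 2) { continue }
    $uac = [int]($tok[-1])              # userAccountControl is the last column
    [pscustomobject]@{
        Account        = $tok[0]
        UAC            = $uac
        NeverExpires   = [bool]($uac -band 0x10000)   # correct bit test
        NumericCompare = ($uac -ge 65536)             # threshold comparison
        Flags          = (ConvertFrom-Uac $uac) -join ','
    }
}

$report | Format-Table -AutoSize
# Rows a ">=65536" comparison reports although the password does expire.
$report | Where-Object { $_.NumericCompare -and -not $_.NeverExpires } |
    Format-Table Account, UAC, Flags -AutoSize
```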


Group Information

List Members of a Group

Querying AD for group membership is a multi-step process. The reason is that AD stores group membership in two places. The first place is the most obvious—in the member attribute of the group object. The second is not as obvious—as an integer value in the primaryGroupID attribute of user objects.

For most scenarios, querying the member attribute of group objects will provide a complete list of members. However, if the group in question is set as the default (primary) group of any user object, that user will not be listed in the member attribute.


Query the Group's "Member" Attribute

The sample below lists all members stored in the member attribute of the group. If this query is not showing all members, you will need to perform the queries in the next section as well.


Syntax:

dsquery * domainroot -filter "(&(objectClass=group)(name=<group name>))" -l -d <domain> -attr member


Example:

dsquery * domainroot -filter "(&(objectClass=group)(name=Help Desk Associates))" -l -d mydom.local -attr member


Query the User's "primaryGroupID" Attribute

First, we determine the primary group ID for the group in question. We do this by finding the SID of the group object; the last segment of the SID is used as the primary group ID.


Syntax:

dsquery * domainroot -filter "(&(objectClass=group)(name=<group name>))" -l -d <domain> -attr objectSid


Example:

dsquery * domainroot -filter "(&(objectClass=group)(name=Help Desk Associates))" -l -d mydom.local -attr objectSid


The above query will produce an output similar to this:

S-1-5-21-123456789-1234567890-9876543211-1169



Now we are ready to find all user objects that have the above group set as their default.


Syntax:

dsquery * domainroot -filter "(&(objectClass=user)(primaryGroupID=<last segment of group SID>))" -l -d <domain> -attr cn


Example:

dsquery * domainroot -filter "(&(objectClass=user)(primaryGroupID=1169))" -l -d mydom.local -attr cn
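

The three queries above can be chained so that the result covers both storage locations. The PowerShell wrapper below is an addition, not part of the original page, and its function names are hypothetical. It assumes dsquery prints one bare value per line for a single -attr in -l mode, as the sample output above suggests. It requests distinguishedName instead of cn in the last step so the two lists can be merged, and it adds -limit 0 because dsquery otherwise stops after 100 results.

```powershell
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515: write \ * ( ) and NUL as \XX so a name cannot change the filter.
    $sb = [System.Text.StringBuilder]::new()
    foreach ($c in $Value.ToCharArray()) {
        if ('\*()'.Contains([string]$c) -or $c -eq [char]0) {
            [void]$sb.AppendFormat('\{0:x2}', [int]$c)
        } else {
            [void]$sb.Append($c)
        }
    }
    $sb.ToString()
}

function Get-RidFromSid {
    param([string]$Sid)
    # Domain SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>; the RID is the last segment.
    if ($Sid -match 'S-1-5-21(?:-\d+){3}-(\d+)\s*$') { return [uint32]$Matches[1] }
    throw "Not a domain SID: '$Sid'"
}

function Get-AllGroupMembers {
    param([Parameter(Mandatory)][string]$GroupName,
          [Parameter(Mandatory)][string]$Domain)
    $groupFilter = "(&(objectClass=group)(name=$(ConvertTo-LdapFilterValue $GroupName)))"

    # Step 1: DNs stored in the group's member attribute.
    $members = & dsquery * domainroot -filter $groupFilter -l -d $Domain -attr member -limit 0

    # Step 2: the group's SID; its last segment is the primaryGroupID value.
    $sid = & dsquery * domainroot -filter $groupFilter -l -d $Domain -attr objectSid |
        Where-Object { $_ -match 'S-1-' } | Select-Object -First 1
    $rid = Get-RidFromSid $sid

    # Step 3: users that have this group as their primary group.
    $userFilter = "(&(objectClass=user)(primaryGroupID=$rid))"
    $primary = & dsquery * domainroot -filter $userFilter -l -d $Domain -attr distinguishedName -limit 0

    # Merge both lists, dropping blank lines and duplicates.
    @($members) + @($primary) | Where-Object { $_ } |
        ForEach-Object { $_.Trim() } | Sort-Object -Unique
}

Get-AllGroupMembers -GroupName 'Help Desk Associates' -Domain 'mydom.local'
```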


List Group Members with Additional User Attributes

If we want more than the DN of group members, we need to use a FOR statement to first generate the list of members, then query each member object for the desired attributes.


Please be aware that the example below queries only the member attribute of the group and will miss any user objects with this group as their default. See the above section for details about the primaryGroupID attribute.


Syntax:

for /F "delims=*" %i IN ('dsquery * domainroot -filter "(&(objectClass=group)(name=<group name>))" -l -d <domain> -attr member') DO @dsquery * domainroot -filter "(distinguishedName=%i)" -attr <list of user attributes>


Example:

for /F "delims=*" %i IN ('dsquery * domainroot -filter "(&(objectClass=group)(name=Help Desk Associates))" -l -d mydom.local -attr member') DO @dsquery * domainroot -filter "(distinguishedName=%i)" -attr displayName samAccountName mail


Computer Information

List All Computer Objects

Syntax:

dsquery * domainroot -filter "(objectClass=Computer)" -attr name -l -d <domain>


Example:

dsquery * domainroot -filter "(objectClass=Computer)" -attr name -l -d mydom.local


List Computer Objects in a Specific OU

This example lists all computer objects stored in the mydom.local/Servers/Exchange OU.


Syntax:

dsquery * "<base DN>" -filter "(objectClass=Computer)" -attr name -l -d <domain>


Example:

dsquery * "ou=Exchange,ou=Servers,dc=mydom,dc=local" -filter "(objectClass=Computer)" -attr name -l -d mydom.local


List All Domain Controllers

Syntax:

dsquery * "ou=domain controllers,<domain DN>" -filter "(objectClass=Computer)" -attr name -l -d <domain>


Example:

dsquery * "ou=domain controllers,dc=mydom,dc=local" -filter "(objectClass=Computer)" -attr name -l -d mydom.local


Find DN of Computer Object in Current Domain

The DN contains the full directory path of the computer object and can be helpful in locating the computer using the GUI tools in a complex AD structure.


Syntax:

dsquery * domainroot -filter "(&(objectClass=Computer) (name=<computer name>))"


Example:

dsquery * domainroot -filter "(&(objectClass=Computer) (name=exch19))"