
some ways to Export Active Directory data

Here is a list of the Active Directory command line tools:

dsadd.exe
dsget.exe
dsmod.exe
dsmove.exe
dsrm.exe
dsquery.exe


dsquery.exe

Here are the parameters for the dsquery user command:
Parameters
{StartNode | forestroot | domainroot}
Specifies the node where the search will start. You can specify the forest root (forestroot), domain root (domainroot), or a node’s distinguished name (StartNode). If forestroot is specified, the search is done using the global catalog. The default value is domainroot.
-o {dn | rdn | upn | samid}
Specifies the format in which the list of entries found by the search will be displayed. A dn value displays the distinguished name of each entry. A rdn value displays the relative distinguished name of each entry. A upn value displays the user principal name of each entry. A samid value displays the SAM account name of each entry. By default, the dn format is used.
-scope {subtree | onelevel | base}
Specifies the scope of the search. A value of subtree indicates that the scope is a subtree rooted at start node. A value of onelevel indicates the immediate children of start node only. A value of base indicates the single object represented by start node. If forestroot is specified as StartNode, subtree is the only valid scope. By default, the subtree search scope is used.
-name Name
Searches for users whose name attributes (value of CN attribute) matches Name. For example, "jon*" or "*ith" or "j*th".
-desc Description
Searches for users whose description attribute matches Description. For example, "jon*" or "*ith" or "j*th".
-upn UPN
Searches for users whose UPN attribute matches UPN.
-samid SAMName
Searches for users whose SAM account name matches SAMName.
-inactive NumberOfWeeks
Searches for all users that have been inactive (stale) for at least the specified number of weeks.
-stalepwd NumberOfDays
Searches for all users that have not changed their password for at least the specified number of days.
-disabled
Searches for all users whose accounts are disabled.
{-s Server | -d Domain}
Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.
-u UserName
Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:
user name (for example, Linda)
domain\user name (for example, widgets\Linda)
user principal name (UPN) (for example, Linda@widgets.microsoft.com)
-p {Password | *}
Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.
-q
Suppresses all output to standard output (quiet mode).
-r
Specifies that the search use recursion or follow referrals during search. By default, the search will not follow referrals during search.
-gc
Specifies that the search use the Active Directory global catalog.
-limit NumberOfObjects
Specifies the number of objects that match the given criteria to be returned. If the value of NumberOfObjects is 0, all matching objects are returned. If this parameter is not specified, by default the first 100 results are displayed.
{-uc | -uco | -uci}
Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.
Value Description
-uc Specifies a Unicode format for input from or output to a pipe (|).
-uco Specifies a Unicode format for output to a pipe (|) or a file.
-uci Specifies a Unicode format for input from a pipe (|) or a file.


dsget.exe


Here is a list of objects dsget can extract attributes from:

DSGET COMPUTER
DSGET CONTACT
DSGET SUBNET
DSGET GROUP
DSGET OU
DSGET SERVER
DSGET SITE
DSGET USER
DSGET QUOTA
DSGET PARTITION


Here is a list of attributes dsget can return for the USER object:

-dn
Displays the distinguished names of the users.
-samid
Displays the SAM account names of the users.
-sid
Displays the user security IDs (SIDs).
-upn
Displays the user principal names of the users.
-fn
Displays the first names of the users.
-mi
Displays the middle initials of the users.
-ln
Displays the last names of the users.
-display
Displays the display names of the users.
-empid
Displays the employee IDs of the users.
-desc
Displays the descriptions of the users.
-full
Displays the full names of the users.
-office
Displays the office locations of the users.
-tel
Displays the telephone numbers of the users.
-email
Displays the e-mail addresses of the users.
-hometel
Displays the home telephone numbers of the users.
-pager
Displays the pager numbers of the users.
-mobile
Displays the mobile phone numbers of the users.
-fax
Displays the fax numbers of the users.
-iptel
Displays the user IP phone numbers.
-webpg
Displays the user Web page URLs.
-title
Displays the titles of the users.
-dept
Displays the departments of the users.
-company
Displays the company information for the users.
-mgr
Displays the user managers of the users.
-hmdir
Displays the drive letter to which the home directory of the user is mapped if the home directory path is a UNC path.
-hmdrv
Displays the user's home drive letter if home directory is a UNC path.
-profile
Displays the user profile paths.
-loscr
Displays the user logon script paths.
-mustchpwd
Displays information about whether users must change their passwords at the time of next logon (yes) or not (no).
-canchpwd
Displays information about whether users can change their password (yes) or not (no).
-pwdneverexpires
Displays information about whether the user passwords never expire (yes) or not (no).
-disabled
Displays information about whether user accounts are disabled for logon (yes) or not (no).
-acctexpires
Displays dates indicating when user accounts expire. If the accounts never expire, never is displayed.
-reversiblepwd
Displays information about whether the user passwords are allowed to be stored using reversible encryption (yes) or not (no).
UserDN
Required. Specifies the distinguished name of the user you want to view.
-memberof
Displays the immediate list of groups of which the user is a member.
-expand
Displays the recursively expanded list of groups of which the user is a member. This option takes the immediate group membership list of the user, and then recursively expands each group in this list to determine its group memberships as well to arrive at a complete closure set of the groups.
{-uc | -uco | -uci}
Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.
Value Description
-uc Specifies a Unicode format for input from or output to a pipe (|).
-uco Specifies a Unicode format for output to a pipe (|) or a file.
-uci Specifies a Unicode format for input from a pipe (|) or a file.
-part PartitionDN
Connect to the directory partition with the distinguished name of PartitionDN.
-qlimit
Displays the effective quota of the user within the specified directory partition.
-qused
Displays how much of the quota the user has used within the specified directory partition.


All Active Directory command line tools are documented in Windows Server 2003 online help. Just open the Help link off the Start menu and type dsget as the search term and you will find all of the parameters documented. The long list of parameters above is a copy/paste from the Windows Server 2003 online help.

-------------------------

As I mentioned in an earlier post, both dsquery and dsget can be used as standalone commands to return a list of objects or object attributes respectively, or dsquery can be used to return a list of objects which can then be directly piped into a dsget command to return attributes of the queried objects.

Here are a few examples which directly address what the original author of this post was looking for.


Consider the following Active Directory where our user objects are stored in the default "Users" container that is built into Active Directory:



The following screenshot shows two commands.


The first command uses dsquery to query all user objects in the default built-in Users container (CN=Users). It then pipes the list of user objects into a dsget command which outputs the email address of all the user objects that were piped into it.


The second command uses dsquery to query all user objects in the default built-in Users container (CN=Users). It then pipes the list of user objects into a dsget command which outputs the UPN of all the user objects that were piped into it.






Consider the next Active Directory (which is just a slight variation of the above example) where our user objects are stored in the Marketing OU which is a sub-OU of the Production OU in the contoso.com Active Directory domain:



The only thing I'm pointing out in this second example is that the built-in "Users" container in AD is addressed as CN=Users (CN stands for "Common Name"). Whereas an OU in AD is addressed as OU=xxx (OU stands for "Organizational Unit"). When OUs are nested, they are presented in the following format: OU=child ou,OU=parent ou,DC=contoso,DC=com


The following screenshot shows two commands.


The first command uses dsquery to query all user objects in the Marketing OU (OU=Marketing). It then pipes the list of user objects into a dsget command which outputs the email address of all the user objects that were piped into it.


The second command uses dsquery to query all user objects in the Marketing OU (OU=Marketing). It then pipes the list of user objects into a dsget command which outputs the UPN of all the user objects that were piped into it.





Getting the information above piped into a text file is the last part and very easy:


Code:
dsquery user "OU=Marketing,OU=Production,DC=Contoso,DC=com" | dsget user -samid -Email > c:\mytextfile.txt
The command above would output text into c:\mytextfile.txt
The output that goes in the text file would look like:



---------------------------


Other potentially useful examples:





Show me the samid and upn name of all disabled user accounts in the domain

Code:
C:\>dsquery user -disabled | dsget user -samid -upn
samid upn
Guest
krbtgt
B03EED71-B218-46F9-B
dsget succeeded

Show me the samid and upn of each user account in the domain and show me when the user account expires

Code:
C:\>dsquery user | dsget user -samid -upn -acctexpires
samid upn acctexpires
Administrator never
Guest never
krbtgt never
jason jason@contoso.com never
TsInternetUser never
arcada arcada@contoso.com never
nav nav@contoso.com never
storc01 storc01@contoso.com never
vcenter vcenter@contoso.com never
amy amy@contoso.com never
cluster cluster@contoso.com never
si_rev si_rev@contoso.com never
george george@contoso.com never
B03EED71-B218-46F9-B never
sim sim@contoso.com never
schedule schedule@contoso.com never
sql sql@contoso.com never
dsget succeeded

Show me the samid and upn of each user account in the domain and show me when the user account expires. Send output to a file called c:\log.txt

Code:
C:\>dsquery user | dsget user -samid -upn -acctexpires > c:\log.txt

Show me the samid and upn name of each user account in the Production OU in the CONTOSO.COM domain with a password age of 14 days or older and also show me if the account is flagged for "user must change password" and if the user account is allowed to change its password

Code:
C:\>dsquery user "OU=Production,DC=contoso,DC=com" -stalepwd 14 | dsget user -samid -upn -mustchpwd -canchpwd
samid upn mustchpwd canchpwd
Administrator no yes
Guest yes no
krbtgt no yes
jason jason@contoso.com no yes
TsInternetUser no no
arcada arcada@contoso.com no yes
nav nav@contoso.com no yes
storc01 storc01@contoso.com no yes
vcenter vcenter@contoso.com no yes
amy amy@contoso.com no yes
cluster cluster@contoso.com no no
si_rev si_rev@contoso.com no no
george george@contoso.com no no
B03EED71-B218-46F9-B no yes
sim sim@contoso.com no no
schedule schedule@contoso.com no yes
dsget succeeded

Enumerate all the groups a user belongs to, even nested ones:

Code:
dsquery user -samid username | dsget user -memberof -expand
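The reports above share one pitfall the dsquery parameter list points out: without -limit, dsquery returns only the first 100 objects, so in a larger domain the piped dsget output is silently truncated. The following batch file is an added example (not from the original post) that collects the stale-password, inactive, disabled and reversible-encryption checks into files for review; the ds* tools must be installed, and the start node, output folder and password age are assumptions to edit for your environment.

```batch
@echo off
rem ad_user_audit.bat - added example, not part of the original post.
rem Runs several dsquery/dsget reports and writes each one to a file.
rem Assumes the Active Directory command line tools are installed and that
rem the account running it can read the directory. Edit the settings below.
setlocal
set "STARTNODE=domainroot"
set "OUTDIR=C:\adaudit"
set "STALEDAYS=90"
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

rem -limit 0 removes the default 100-object cap on dsquery results.
rem -uco writes the report file as Unicode so non-ASCII names survive.

rem 1. Accounts whose password is at least STALEDAYS days old.
dsquery user "%STARTNODE%" -limit 0 -stalepwd %STALEDAYS% | dsget user -samid -upn -pwdneverexpires -mustchpwd -uco > "%OUTDIR%\stale_password.txt"

rem 2. Accounts inactive for at least 8 weeks (-inactive counts weeks, not days).
dsquery user "%STARTNODE%" -limit 0 -inactive 8 | dsget user -samid -upn -disabled -acctexpires -uco > "%OUTDIR%\inactive_8w.txt"

rem 3. Disabled accounts, as in the post's example but without the 100-object cap.
dsquery user "%STARTNODE%" -limit 0 -disabled | dsget user -samid -upn -desc -uco > "%OUTDIR%\disabled.txt"

rem 4. Accounts whose password is stored with reversible encryption, a setting
rem    worth reviewing because the cleartext password can be recovered from it.
rem    dsquery has no filter for it, so list every user and keep the "yes" rows.
rem    This report is written without -uco because findstr needs an ANSI file.
dsquery user "%STARTNODE%" -limit 0 | dsget user -samid -reversiblepwd > "%OUTDIR%\reversiblepwd_all.txt"
findstr /i /r /c:" yes *$" "%OUTDIR%\reversiblepwd_all.txt" > "%OUTDIR%\reversiblepwd_yes.txt"

echo Reports written to %OUTDIR%
endlocal
```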



Create User
dsadd user "CN=Ahmed Mohamed Ali,OU=Temp,OU=Egypt,OU=Common Users,OU=User Accounts,DC=Expert,DC=com,DC=eg" -upn E00001@Expert.com.eg -samid E00001 -display "Ahmed Mohamed Ali" -dept "Finance" -pwd 123456789 -mustchpwd yes -disabled yes -title "Banker" -desc "Banker" -company "Expert EGYPT" -office "Cairo Branch" -fn "Ahmed" -mi "Mohame" -ln "Ali" -memberof "CN=Cairo Staff,OU=Egypt,OU=Groups,DC=Expert,DC=com,DC=eg"

Note:
- When the user is ready to log on to his PC, enable the user account and tell him to log on with the password 123456789.
- I would recommend creating the user in a temporary empty OU first; after confirming that everything is OK, you can move them to their desired OU.
- The '-mi "xxxxxx"' field must NOT exceed 6 characters; that's by design.
- This example assumes that "require complex password" is disabled.

Add Telephone and Mobile info to a User

dsmod user "CN=Ahmed Mohamed Ali,OU=Egypt,OU=Common Users,OU=User Accounts,DC=Expert,DC=com,DC=eg" -tel "0020211111111" -mobile "20101111111"

Create Global Security Group

dsadd group "CN=Finance,OU=egypt,ou=Groups,DC=Expert,DC=com,DC=eg" -samid Finance -secgrp yes -scope G

Add Members to a Group

dsmod group "CN=Finance,OU=egypt,ou=Groups,DC=Expert,DC=com,DC=eg" -addmbr "CN=Ahmed Mohamed Ali,OU=Temp,OU=Egypt,OU=Common Users,OU=User Accounts,DC=Expert,DC=com,DC=eg"

Dump object details inside an OU to a .CSV file

CSVDE -d "OU=Egypt,OU=Users,DC=Expert,DC=com,DC=eg" -f "C:\Documents and Settings\Administrator\Desktop\Users_Egypt.csv"
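The create-user, add-to-group and verify steps above can be wrapped in one script. This batch file is an added example (not from the original post) that creates the account disabled in the Temp OU, prompts for the initial password with -pwd * instead of placing it on the command line where it would land in command history and process listings, stops if dsadd reports an error, and reads the object back with dsget. The OU and group DNs reuse the post's Expert.com.eg layout and are assumptions for your environment.

```batch
@echo off
rem new_user.bat - added example, not part of the original post.
rem Usage: new_user.bat E00001 "Ahmed Mohamed Ali" Ahmed Ali
rem Creates a disabled account in the Temp OU, adds it to a group and
rem reads it back with dsget so each step can be confirmed.
setlocal
if "%~4"=="" (
    echo Usage: %~nx0 samid "display name" firstname lastname
    exit /b 1
)
set "SAMID=%~1"
set "DISPLAY=%~2"
set "FN=%~3"
set "LN=%~4"
rem DNs and UPN suffix are assumptions taken from the post's example layout.
set "TEMPOU=OU=Temp,OU=Egypt,OU=Common Users,OU=User Accounts,DC=Expert,DC=com,DC=eg"
set "GROUP=CN=Cairo Staff,OU=Egypt,OU=Groups,DC=Expert,DC=com,DC=eg"
set "UPNSUFFIX=Expert.com.eg"
set "USERDN=CN=%DISPLAY%,%TEMPOU%"

rem -pwd * makes dsadd prompt for the password, so it is never typed on the
rem command line. -disabled yes keeps the account unusable until it is
rem enabled on purpose, and -mustchpwd yes forces a change at first logon.
dsadd user "%USERDN%" -samid "%SAMID%" -upn "%SAMID%@%UPNSUFFIX%" -display "%DISPLAY%" -fn "%FN%" -ln "%LN%" -pwd * -mustchpwd yes -disabled yes
if errorlevel 1 (
    echo dsadd reported an error, stopping before any group change.
    exit /b 1
)

dsmod group "%GROUP%" -addmbr "%USERDN%"
if errorlevel 1 echo WARNING: group add failed, the account exists but is not in the group.

rem Read the account back: still disabled, and which groups is it in?
dsget user "%USERDN%" -samid -upn -disabled -mustchpwd
dsget user "%USERDN%" -memberof
endlocal
```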


Get User Email in a text file, from his SAMID

Create this batch and name it like Useremail.bat

Code:
@echo off
dsquery user -samid %1 | dsget user -email | Find "@" >usermail.txt

Run it as

Code:
Useremail.bat AMohamed

and get the result in usermail.txt

Get The User DN from the SAMID

Code:
DSQuery User -samid AMohamed
Change a Domain Account's Password

Using the following command you reset the password of user DoeJ to Pa$$word1!:

Code:
dsquery user -samid DoeJ | dsmod user -pwd Pa$$word1!

If you use * instead of Pa$$word1!, you will be prompted for the password. If you are logged on to a domain controller you can also use the net user command; the equivalent command in this case would be:

Code:
net user DoeJ Pa$$word1!

You can also use the net user command from your workstation:

Code:
net user DoeJ Pa$$word1! /domain

  الحل بسيط جدا عايز الكونتاكت تتحدث دايما بحيث انك لما تضيف يوزر جديد يسمع في الكونتاكت اول حاجه بتدخل علي in office 2003 tools --- email account ---- add address book --- internet directory service (LDAP) type your server name then login info . mark this server require me to logon type any user on active directory and its password then save and close outlook and open it again now you will find all your active directory users in address book