
Some ways to export Active Directory data

Here is a list of the Active Directory command line tools:

dsadd.exe
dsget.exe
dsmod.exe
dsmove.exe
dsrm.exe
dsquery.exe


dsquery.exe

Here are the parameters for the dsquery user command:
Parameters
{StartNode | forestroot | domainroot}
Specifies the node where the search will start. You can specify the forest root (forestroot), domain root (domainroot), or a node’s distinguished name (StartNode). If forestroot is specified, the search is done using the global catalog. The default value is domainroot.
-o {dn | rdn | upn | samid}
Specifies the format in which the list of entries found by the search will be displayed. A dn value displays the distinguished name of each entry. A rdn value displays the relative distinguished name of each entry. A upn value displays the user principal name of each entry. A samid value displays the SAM account name of each entry. By default, the dn format is used.
-scope {subtree | onelevel | base}
Specifies the scope of the search. A value of subtree indicates that the scope is a subtree rooted at start node. A value of onelevel indicates the immediate children of start node only. A value of base indicates the single object represented by start node. If forestroot is specified as StartNode, subtree is the only valid scope. By default, the subtree search scope is used.
-name Name
Searches for users whose name attributes (value of CN attribute) matches Name. For example, "jon*" or "*ith" or "j*th".
-desc Description
Searches for users whose description attribute matches Description. For example, "jon*" or "*ith" or "j*th".
-upn UPN
Searches for users whose UPN attribute matches UPN.
-samid SAMName
Searches for users whose SAM account name matches SAMName.
-inactive NumberOfWeeks
Searches for all users that have been inactive (stale) for at least the specified number of weeks.
-stalepwd NumberOfDays
Searches for all users that have not changed their password for at least the specified number of days.
-disabled
Searches for all users whose accounts are disabled.
{-s Server | -d Domain}
Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.
-u UserName
Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:
user name (for example, Linda)
domain\user name (for example, widgets\Linda)
user principal name (UPN) (for example, Linda@widgets.microsoft.com)
-p {Password | *}
Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.
-q
Suppresses all output to standard output (quiet mode).
-r
Specifies that the search use recursion or follow referrals during search. By default, the search will not follow referrals during search.
-gc
Specifies that the search use the Active Directory global catalog.
-limit NumberOfObjects
Specifies the number of objects that match the given criteria to be returned. If the value of NumberOfObjects is 0, all matching objects are returned. If this parameter is not specified, by default the first 100 results are displayed.
{-uc | -uco | -uci}
Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.
Value Description
-uc Specifies a Unicode format for input from or output to a pipe (|).
-uco Specifies a Unicode format for output to a pipe (|) or a file.
-uci Specifies a Unicode format for input from a pipe (|) or a file.


dsget.exe


Here is a list of objects dsget can extract attributes from:

DSGET COMPUTER
DSGET CONTACT
DSGET SUBNET
DSGET GROUP
DSGET OU
DSGET SERVER
DSGET SITE
DSGET USER
DSGET QUOTA
DSGET PARTITION


Here is a list of attributes dsget can return for the USER object:

-dn
Displays the distinguished names of the users.
-samid
Displays the SAM account names of the users.
-sid
Displays the user security IDs (SIDs).
-upn
Displays the user principal names of the users.
-fn
Displays the first names of the users.
-mi
Displays the middle initials of the users.
-ln
Displays the last names of the users.
-display
Displays the display names of the users.
-empid
Displays the employee IDs of the users.
-desc
Displays the descriptions of the users.
-full
Displays the full names of the users.
-office
Displays the office locations of the users.
-tel
Displays the telephone numbers of the users.
-email
Displays the e-mail addresses of the users.
-hometel
Displays the home telephone numbers of the users.
-pager
Displays the pager numbers of the users.
-mobile
Displays the mobile phone numbers of the users.
-fax
Displays the fax numbers of the users.
-iptel
Displays the user IP phone numbers.
-webpg
Displays the user Web page URLs.
-title
Displays the titles of the users.
-dept
Displays the departments of the users.
-company
Displays the company information for the users.
-mgr
Displays the user managers of the users.
-hmdir
Displays the drive letter to which the home directory of the user is mapped if the home directory path is a UNC path.
-hmdrv
Displays the user's home drive letter if home directory is a UNC path.
-profile
Displays the user profile paths.
-loscr
Displays the user logon script paths.
-mustchpwd
Displays information about whether users must change their passwords at the time of next logon (yes) or not (no).
-canchpwd
Displays information about whether users can change their password (yes) or not (no).
-pwdneverexpires
Displays information about whether the user passwords never expire (yes) or not (no).
-disabled
Displays information about whether user accounts are disabled for logon (yes) or not (no).
-acctexpires
Displays dates indicating when user accounts expire. If the accounts never expire, never is displayed.
-reversiblepwd
Displays information about whether the user passwords are allowed to be stored using reversible encryption (yes) or not (no).
UserDN
Required. Specifies the distinguished name of the user you want to view.
-memberof
Displays the immediate list of groups of which the user is a member.
-expand
Displays the recursively expanded list of groups of which the user is a member. This option takes the immediate group membership list of the user, and then recursively expands each group in this list to determine its group memberships as well to arrive at a complete closure set of the groups.
{-uc | -uco | -uci}
Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.
Value Description
-uc Specifies a Unicode format for input from or output to a pipe (|).
-uco Specifies a Unicode format for output to a pipe (|) or a file.
-uci Specifies a Unicode format for input from a pipe (|) or a file.
-part PartitionDN
Connects to the directory partition with the distinguished name of PartitionDN.
-qlimit
Displays the effective quota of the user within the specified directory partition.
-qused
Displays how much of the quota the user has used within the specified directory partition.


All Active Directory command line tools are documented in Windows Server 2003 online help. Just open the Help link off the Start menu and type in dsget as the search term and you will find all of the parameters documented. The long list of parameters above is a copy/paste from the Windows Server 2003 online help.

-------------------------

As I mentioned in an earlier post, both dsquery and dsget can be used as standalone commands to return a list of objects or object attributes respectively, or dsquery can be used to return a list of objects which can then be directly piped into a dsget command to return attributes of the queried objects.

Here are a few examples which directly address what the original author of this post was looking for.


Consider the following Active Directory where our user objects are stored in the default "Users" container that is built into Active Directory:



The following screenshot shows two commands.


The first command uses dsquery to query all user objects in the default built-in Users container (CN=Users). It then pipes the list of user objects into a dsget command which outputs the e-mail address of all the user objects that were piped into it.


The second command uses dsquery to query all user objects in the default built-in Users container (CN=Users). It then pipes the list of user objects into a dsget command which outputs the UPN of all the user objects that were piped into it.






Consider the next Active Directory (which is just a slight variation of the above example) where our user objects are stored in the Marketing OU which is a sub-OU of the Production OU in the contoso.com Active Directory domain:



The only thing I'm pointing out in this second example is that the built-in "Users" container in AD is addressed as CN=Users (CN stands for "Common Name"), whereas an OU in AD is addressed as OU=xxx (OU stands for "Organizational Unit"). When OUs are nested, they are written child first, in the following format: OU=child ou,OU=parent ou,DC=contoso,DC=com


The following screenshot shows two commands.


The first command uses dsquery to query all user objects in the Marketing OU (OU=Marketing). It then pipes the list of user objects into a dsget command which outputs the Email address of all the user objects that were piped into it.


The second command uses dsquery to query all user objects in the Marketing OU (OU=Marketing). It then pipes the list of user objects into a dsget command which outputs the UPN of all the user objects that were piped into it.





Getting the information above piped into a text file is the last part and very easy:


Code:
dsquery user "OU=Marketing,OU=Production,DC=Contoso,DC=com" | dsget user -samid -Email > c:\mytextfile.txt
The command above would output text into c:\mytextfile.txt
The output that goes in the text file would look like:



---------------------------


Other potentially useful examples:





Show me the samid and upn name of all disabled user accounts in the domain

Code:
C:\>dsquery user -disabled | dsget user -samid -upn
samid upn
Guest
krbtgt
B03EED71-B218-46F9-B
dsget succeeded

Show me the samid and upn of each user account in the domain and show me when the user account expires

Code:
C:\>dsquery user | dsget user -samid -upn -acctexpires
samid upn acctexpires
Administrator never
Guest never
krbtgt never
jason jason@contoso.com never
TsInternetUser never
arcada arcada@contoso.com never
nav nav@contoso.com never
storc01 storc01@contoso.com never
vcenter vcenter@contoso.com never
amy amy@contoso.com never
cluster cluster@contoso.com never
si_rev si_rev@contoso.com never
george george@contoso.com never
B03EED71-B218-46F9-B never
sim sim@contoso.com never
schedule schedule@contoso.com never
sql sql@contoso.com never
dsget succeeded

Show me the samid and upn of each user account in the domain and show me when the user account expires. Send output to a file called c:\log.txt

Code:
C:\>dsquery user | dsget user -samid -upn -acctexpires > c:\log.txt

Show me the samid and upn name of each user account in the Production OU in the CONTOSO.COM domain with a password age of 14 days or older and also show me if the account is flagged for "user must change password" and if the user account is allowed to change its password

Code:
C:\>dsquery user "OU=Production,DC=contoso,DC=com" -stalepwd 14 | dsget user -samid -upn -mustchpwd -canchpwd
samid upn mustchpwd canchpwd
Administrator no yes
Guest yes no
krbtgt no yes
jason jason@contoso.com no yes
TsInternetUser no no
arcada arcada@contoso.com no yes
nav nav@contoso.com no yes
storc01 storc01@contoso.com no yes
vcenter vcenter@contoso.com no yes
amy amy@contoso.com no yes
cluster cluster@contoso.com no no
si_rev si_rev@contoso.com no no
george george@contoso.com no no
B03EED71-B218-46F9-B no yes
sim sim@contoso.com no no
schedule schedule@contoso.com no yes
dsget succeeded
Enumerate all the groups a user belongs to, even nested ones:

Code:
dsquery user -samid username | dsget user -memberof -expand
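The following batch script is an added example, not code from the original post. It ties together the export to a text file shown earlier (dsquery piped into dsget and redirected to a file) and the account-hygiene queries listed in this section (disabled, inactive and stale-password accounts, plus the pwdneverexpires and reversiblepwd attributes). Assumptions: the script is saved as export_users.cmd, the ds* tools are installed, the OU distinguished name is passed as the first argument and an output folder as the optional second one, and the 4-week/90-day thresholds are illustrative values, not anything the post prescribes.

```batch
@echo off
REM export_users.cmd - added example, not part of the original post.
REM Exports every user in an OU to a text file, then writes one report per
REM hygiene check. Usage (assumed argument layout):
REM   export_users.cmd "OU=Production,DC=contoso,DC=com" C:\reports
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 "OU=...,DC=...,DC=..." [output folder]
    exit /b 1
)
set "OU=%~1"
set "OUTDIR=%~2"
if "%OUTDIR%"=="" set "OUTDIR=%CD%"
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

REM Illustrative thresholds (constructed for this example).
set "INACTIVEWEEKS=4"
set "STALEDAYS=90"

REM -limit 0 matters: without it dsquery stops after the first 100 objects,
REM so an "export" of a larger OU would be silently incomplete.
dsquery user "%OU%" -limit 0 | dsget user -samid -upn -email -acctexpires > "%OUTDIR%\users.txt"
REM In cmd the errorlevel of a pipeline is that of its last command (dsget).
if errorlevel 1 (
    echo dsquery/dsget failed for %OU%
    exit /b 1
)

REM Hygiene reports. -inactive takes weeks, -stalepwd takes days (see the
REM parameter list above); -inactive relies on the replicated last-logon
REM timestamp, which is only kept at Windows Server 2003 functional level
REM or later, so in an older domain that report stays empty.
dsquery user "%OU%" -limit 0 -disabled > "%OUTDIR%\disabled.txt"
dsquery user "%OU%" -limit 0 -inactive %INACTIVEWEEKS% > "%OUTDIR%\inactive_%INACTIVEWEEKS%w.txt"
dsquery user "%OU%" -limit 0 -stalepwd %STALEDAYS% | dsget user -samid -pwdneverexpires -mustchpwd > "%OUTDIR%\stalepwd_%STALEDAYS%d.txt"

REM Accounts whose password may be stored with reversible encryption: keep
REM only the rows whose reversiblepwd column reads "yes".
dsquery user "%OU%" -limit 0 | dsget user -samid -reversiblepwd | findstr /i /c:" yes" > "%OUTDIR%\reversible_pwd.txt"

REM Summary: line counts per report (dsget reports include its header and
REM "dsget succeeded" trailer lines, so subtract two for those).
for %%F in (users disabled inactive_%INACTIVEWEEKS%w stalepwd_%STALEDAYS%d reversible_pwd) do (
    for /f %%N in ('type "%OUTDIR%\%%F.txt" ^| find /c /v ""') do echo %%F.txt: %%N line(s)
)
echo Reports written to %OUTDIR%
endlocal
```

The script deliberately leaves the user list and each finding in its own file rather than merging them: the files are plain text, so they can be diffed against the previous run to see which accounts newly went stale or were disabled since the last export.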



Create User
dsadd user "CN=Ahmed Mohamed Ali,OU=Temp,OU=Egypt,OU=Common Users,OU=User Accounts,DC=Expert,DC=com,DC=eg" -upn E00001@Expert.com.eg -samid E00001 -display "Ahmed Mohamed Ali" -dept "Finance" -pwd 123456789 -mustchpwd yes -disabled yes -title "Banker" -desc "Banker" -company "Expert EGYPT" -office "Cairo Branch" -fn "Ahmed" -mi "Mohame" -ln "Ali" -memberof "CN=Cairo Staff,OU=Egypt,OU=Groups,DC=Expert,DC=com,DC=eg"

Note:
- When the user is ready to log on to his PC, enable the user account and inform him to log on with password: 123456789
- I would recommend creating the user in a temp empty OU first, and after confirming that everything is OK, you can move them to their desired OU.
- The '-mi "xxxxxx"' field must NOT exceed 6 characters, that's by design.
- This example assumes that "require complex password" is disabled.
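The following batch script is an added example, not code from the original post. It wraps the dsadd command above so that the password is prompted for with -pwd * instead of being typed on the command line, checks that the SAM account name is not already taken, keeps the account disabled in the staging OU as the note recommends, and reads the result back with dsget. Assumptions: the script is saved as new_user.cmd, the staging OU, UPN suffix and group DN are the ones from the example above, and the user's samid, display name, first name and last name are passed as arguments.

```batch
@echo off
REM new_user.cmd - added example, not part of the original post.
REM Creates a disabled user in the staging OU and verifies the result.
REM Usage (assumed argument layout):
REM   new_user.cmd E00001 "Ahmed Mohamed Ali" Ahmed Ali
setlocal

if "%~4"=="" (
    echo Usage: %~nx0 samid "Display Name" FirstName LastName
    exit /b 1
)
set "SAMID=%~1"
set "DISPLAY=%~2"
set "FN=%~3"
set "LN=%~4"

REM DNs taken from the dsadd example above.
set "STAGING_OU=OU=Temp,OU=Egypt,OU=Common Users,OU=User Accounts,DC=Expert,DC=com,DC=eg"
set "UPN_SUFFIX=Expert.com.eg"
set "GROUP=CN=Cairo Staff,OU=Egypt,OU=Groups,DC=Expert,DC=com,DC=eg"
set "USERDN=CN=%DISPLAY%,%STAGING_OU%"

REM Refuse to continue if the SAM account name already exists anywhere in
REM the domain (dsquery prints the matching DN; find returns 0 on a match).
dsquery user -samid "%SAMID%" | find /i "CN=" >nul
if not errorlevel 1 (
    echo An account with samid %SAMID% already exists:
    dsquery user -samid "%SAMID%"
    exit /b 1
)

REM -pwd * prompts for the password, so it never appears in the command
REM history or in a process listing. The account is created disabled and
REM flagged "must change password", and enabled later by the administrator.
dsadd user "%USERDN%" -samid "%SAMID%" -upn "%SAMID%@%UPN_SUFFIX%" -display "%DISPLAY%" -fn "%FN%" -ln "%LN%" -pwd * -mustchpwd yes -disabled yes -memberof "%GROUP%"
if errorlevel 1 (
    echo dsadd failed for %USERDN%
    exit /b 1
)

REM Read back what was actually written, including group membership.
dsget user "%USERDN%" -samid -upn -disabled -mustchpwd
dsget user "%USERDN%" -memberof
endlocal
```

Once the owner is ready, the account is enabled with dsmod user "%USERDN%" -disabled no and moved out of the staging OU with dsmove, which keeps the provisioning steps separate from the moment the account becomes usable.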

Add Telephone and Mobile info to a User

dsmod user "CN=Ahmed Mohamed Ali,OU=Egypt,OU=Common Users,OU=User Accounts,DC=Expert,DC=com,DC=eg" -tel "0020211111111" -mobile "20101111111"
Create Global Security Group

dsadd group "CN=Finance,OU=Egypt,OU=Groups,DC=Expert,DC=com,DC=eg" -samid Finance -secgrp yes -scope G
Add Members to a Group

dsmod group "CN=Finance,OU=Egypt,OU=Groups,DC=Expert,DC=com,DC=eg" -addmbr "CN=Ahmed Mohamed Ali,OU=Temp,OU=Egypt,OU=Common Users,OU=User Accounts,DC=Expert,DC=com,DC=eg"
Dump objects details inside an OU to a .CSV file

CSVDE -d "OU=Egypt,OU=Users,DC=Expert,DC=com,DC=eg" -f "C:\Documents and Settings\Administrator\Desktop\Users_Egypt.csv"


Get User Email in a text file, from his SAMID

Create this batch file and name it Useremail.bat:
@echo off
dsquery user -samid %1 | dsget user -email | find "@" > usermail.txt
Run it as
Useremail.bat AMohamed
and get the result in usermail.txt

Get The User DN from the SAMID

DSQuery User -samid AMohamed
Change a Domain Account’s Password[1]


Using the following command you reset user DoeJ's password to Pa$$word1!
dsquery user -samid DoeJ | dsmod user -pwd Pa$$word1!


If you use * instead of Pa$$word1!, you will be asked for a password. If you are logged on to a domain controller you can also use the net user command; the equivalent command in this case would be:


net user DoeJ Pa$$word1!

You can also use the net user command from your workstation:
net user DoeJ Pa$$word1! /domain
