Active Directory: Active Directory Domain Services (AD DS) Commands and Scripts

I have updated the “Active Directory: Active Directory Domain Services (AD DS) Commands and Scripts” TechNet Wiki article with more DS commands. Feel free to update/modify this article.  http://social.technet.microsoft.com/wiki/contents/articles/3537.aspx

User

Identify OCS enabled users in Active Directory

Dsquery * -filter (msRTCSIP-UserEnabled=TRUE) –limit 0 –attr name samaccountname

Query Password Last Set (pwdlastset) value

dsquery * -filter "&(objectClass=User)(objectCategory=Person)" -limit 0 -attr name pwdlastset

Note: Time can be convered using the w32tm /ntte command.

Search Password Never Expires Settings

Dsquery * -limit 0 “(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))” –attr samaccoutname name

Password Expiring in 30 Days

dsquery * -limit 0 -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" -attr name samaccountname

User accounts with “Do not require kerberos preauthentication” enabled

Dsquery * -limit 0 “(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=8388608)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(pwdLastSet>=129522420000000000)(pwdLastSet<=129548340000000000))” –attr samaccountname name

List all Roaming Profile users in Active Directory

dsquery * -filter "&(objectClass=User)(objectCategory=Person)(profilePath=*)" -limit 0 -name

Generate SIDHistory Report

dsquery * -filter "&(objectClass=User)(objectCategory=Person)" –attr samAccountName sidHistory

Generate SID (ObjectSID) Report

dsquery * -filter "&(objectClass=User)(objectCategory=Person)" –attr samAccountName Object

Group

Identify all Security Groups

dsquery * -filter "(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.804:=2147483648))" –attr samAccountName name

Identify all Built-In Security Groups

dsquery * -filter "(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.803:=2147483649))" –attr samAccountName name

Identify all Universal Security Groups

dsquery * -filter "(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.803:=2147483656))" –attr samAccountName name

Identify all Gloabl Security Groups

dsquery * -filter "(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.803:=2147483650))" –attr samAccountName name

Computer

Move Computer Objects Based on OS Version

Move Widnows 7 Computers

dsquery * CN=Computers,DC=santhosh,DC=lab -filter "(&(ObjectClass=computer)(objectCategory=Computer)(operatingSystemVersion=6.1))" | dsmove -newparent OU=Win7,OU=ComputerAccounts,DC=santhosh,DC=lab

Move Windows XP Computers

dsquery * CN=Computers,DC=santhosh,DC=lab -filter "(&(ObjectClass=computer)(objectCategory=Computer)(operatingSystemVersion=5.1))" | dsmove -newparent OU=WinXP,OU=ComputerAccounts,DC=santhosh,DC=lab

Domain Controller

 

Site and Subnet

List all Sites in Active Directory

Dsquery site * -name

Get Site Name from Subnet IP Address in Active Directory (For example, Site Name for Subnet 192.168.2.0/24)

Dsquery Subnet -Name 192.168.2.0/24 | Dsget Subnet -Site

Posted in: Active Directory,Microsoft,Windows,Windows 2008 R2