Professional Windows Server 1002003 Security A Technical Reference [Electronic resources]

Roberta Bragg

dsget (new in WS2003)

Displays properties of objects in Active Directory.

Syntax

dsget command switches [{-s Server|-d Domain}] [-u UserName] 
[-p {Password|*}] [-q] [-c] [-l] [-desc]

Options

command

Any dsget command (see below).

switches

Various switches that go with each command (see below)

{-s Server | -d Domain}

Connect to a specified server or domain to run the command (if omitted, defaults to domain controller in logon domain).

[-u UserName] [-p {Password | *}]

Credentials for running the command. Specify UserName as domain\user or user@domain. If -p * is specified, dsget prompts for the password.

-q

Runs in quiet mode to suppress standard output of command.

-c

Reports errors and then continues with next object in argument list if multiple objects are specified; otherwise exits upon error.

-l

Displays output in list format instead of the default table format.

-desc

Displays the description for the object.

Commands

Here is a list of supported dsget commands together with a brief description of their syntax (only the most commonly used switches are described):

dsget computer ComputerDN... [-dn] [-samid] [-sid] [-disabled] [-part PartitionDN [-qlimit] [-qused]]

Displays properties of one or more computer accounts identified by their distinguished names. Options include:

-dn

Displays the distinguished name of each computer

-samid

Displays the SAM account name of each computer

-sid

Displays the SID of each computer

-disabled

Displays whether computer account is enabled (yes) or disabled (no)

-part PartitionDN [-qlimit] [-qused]

Displays the configured and used quota values for the computer account in Active Directory

dsget computer ComputerDN [-memberof [-expand]]

This variation of dsget computer displays which groups the specified computer belongs to. The -expand switch recursively expands the list of groups to which the computer belongs.

dsget contact ContactDN... [-dn] [-fn] [-ln] [-email] ...

Displays first name, last name, email address, and other info about one or more contacts identified by their distinguished names.

dsget group GroupDN... [-dn] [-secgrp] [-scope] [-samid] [-sid] [-part PartitionDN [-qlimit] [-qused]]

Displays properties of one or more groups identified by their distinguished names. See dsadd group earlier in this chapter for info about -secgrp and -scope options.

dsget group GroupDN [-memberof [-expand]]

This variation of dsget group displays which groups the specified group belongs to. The -expand switch recursively expands the list of groups to which the group belongs.

dsget ou OrganizationalUnitDN... [-dn]

Displays properties of one or more organizational units specified by their distinguished names.

dsget partition ObjectDN... [-dn] [-qdefault] [-qtmbstnwt] [-topobjowner N]

Displays properties of the specified partition objects, including their default quota and tombstone object count.

dsget quota ObjectDN [-dn] [-acct] [-qlimit]

Displays the properties of a quota specification defined in Active Directory. Here ObjectDN is the distinguished name of the quota object being viewed, -acct displays the DN of the accounts to which the quotas are assigned, and -qlimit the quota limits for the specified quotas.

dsget server ServerDN... [-dn] [-dnsname] [-site] [-isgc]

Displays properties of one or more domain controllers specified by their distinguished names. Options here include:

-dnsname

Displays the DNS names of the servers

-site

Displays the sites to which the servers belong

-isgc

Indicates whether the server is a global catalog server (yes) or not (no)

dsget server ServerDN -part PartitionDN

This variation of dsget server displays the distinguished names of the directory partitions on the specified domain controller.

dsget server ServerDN -topobjowner N

This variation of dsget server lists the N security principals that own the greatest number of directory objects on the specified domain controller.

dsget site SiteDN... [-dn] [-autotopology] [-cachegroups] [-prefGCsite]

Displays properties of one or more sites specified by their distinguished names. The options here are:

-autotopology

Indicates whether automatic intersite topology generation is enabled (yes) or not (no)

-cachegroups

Indicates whether caching of universal group memberships is enabled (yes) or not (no)

-prefGCsite

Displays the preferred global catalog site used for refreshing universal group membership caching for domain controllers in this site

dsget subnet SubnetDN [-dn] [-site]

Displays properties of one or more subnets specified by their distinguished names.

dsget user UserDN... [-dn] [-samid] [-sid] [-upn] [-fn] [-ln] [-display] [-pwd] [-tel] [-email] [-title] [-company] [-hmdir] [-profile] [-pwdneverexpires] ...

Displays the properties of one or more user accounts specified by their distinguished names. See dsadd user earlier in this chapter for information on some of the switches here.

dsget user UserDN [-memberof] [-expand]

This variation of dsget user displays which groups the specified user belongs to. The -expand switch recursively expands the list of groups to which the user belongs.

Examples

Display the SAM account name and SID number of the computer named DESK155 located in the Sales OU of the mtit.local domain:

dsget computer CN=DESK155,OU=Sales,DC=mtit,DC=local -samid -sid
samid       sid
DESK155$    S-1-5-21-3989638602-2554627321-2483607968-1111
dsget succeeded

Use dsget in interactive mode to display the account status (enabled or disabled) for three computers in the Sales OU:

dsget computer -disabled
CN=DESK155,OU=Sales,DC=mtit,DC=local
CN=DESK156,OU=Sales,DC=mtit,DC=local
CN=DESK157,OU=Sales,DC=mtit,DC=local
^Z
disabled
no
no
yes
dsget succeeded

Display selected properties of Human Resources group in list format:

dsget group "CN=Human Resources,OU=Sales,DC=mtit,DC=local" -dn -secgrp -scope -samid -sid -l
dn: CN=Human Resources,OU=Sales,DC=mtit,DC=local
samid: Human Resources
sid: S-1-5-21-3989638602-2554627321-2483607968-1112
scope: domain local
secgrp: yes
dsget succeeded

Display properties of user Bob Jones in the Sales department:

dsget user CN=bjones,OU=Sales,DC=mtit,DC=local -samid -sid -upn -l
samid: bjones
sid: S-1-5-21-3989638602-2554627321-2483607968-1114
upn: bjones@mtit.local
dsget succeeded

Display the groups to which Bob belongs:

dsget user CN=bjones,OU=Sales,DC=mtit,DC=local -memberof
"CN=Human Resources,OU=Sales,DC=mtit,DC=local"
"CN=Domain Users,CN=Users,DC=mtit,DC=local"

List the properties of a domain controller named ESRV210D located in Default-First-Site, in particular its DNS name and whether it is a global catalog server or not:

dsget server CN=ESRV210D,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=mtit,DC=local -dnsname -isgc -l
dnsname: esrv210d.mtit.local
isgc: yes
dsget succeeded

Note that the distinguished name here gives the location of the domain controller in the Configuration container.
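For account audits it helps to turn the list-format (-l) output shown above into records and split each SID into its domain part and RID. The following Python sketch is an added example, not part of the original reference; the function names are hypothetical, the Administrator record is constructed, and it assumes objects in captured output are separated by a blank line, a status line, or a repeated key.

```python
import re

# Domain SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed sample: the group and user outputs from the examples above,
# plus one constructed record (Administrator, RID 500) to exercise the check.
SAMPLE = """\
dn: CN=Human Resources,OU=Sales,DC=mtit,DC=local
samid: Human Resources
sid: S-1-5-21-3989638602-2554627321-2483607968-1112
scope: domain local
secgrp: yes
dsget succeeded
samid: bjones
sid: S-1-5-21-3989638602-2554627321-2483607968-1114
upn: bjones@mtit.local
dsget succeeded
samid: Administrator
sid: S-1-5-21-3989638602-2554627321-2483607968-500
dsget succeeded
"""

def parse_dsget_list(text):
    """Turn `dsget ... -l` output into one dict per object."""
    records, current = [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        key, sep, value = line.partition(":")  # split on the first colon only
        key = key.strip().lower()
        # A blank line, the status trailer, or a repeated key ends a record.
        if not sep or key in current:
            if current:
                records.append(current)
            current = {}
        if sep:
            current[key] = value.strip()
    if current:
        records.append(current)
    return records

def split_sid(sid):
    """Return (domain_sid, rid); raise ValueError for a non-domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    return m.group(1), int(m.group(2))

def builtin_principals(records):
    """samid of every record whose RID is below 1000 (well-known/built-in)."""
    return [r["samid"] for r in records
            if "sid" in r and split_sid(r["sid"])[1] < 1000]
```

RIDs below 1000 belong to well-known and built-in principals, so a hit from builtin_principals on a list that should contain only ordinary accounts deserves a closer look.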

See Also

Active Directory, dsadd, dsmod, dsmove, dsquery, dsrm, Groups, Users