dsget | new in WS2003 |
Displays properties of objects in Active Directory.
dsget command switches [{-s Server -d Domain }] [-u UserName ] [-p { Password *}] [-q] [-c] [-l] [-desc]
Any dsget command (see below).
Various switches that go with each command (see below)
Connect to a specified server or domain to run the command (if omitted, defaults to domain controller in logon domain).
Credentials for running the command. Specify UserName as domain\ user or user@domain . If -p * , prompts for password.
Runs in quiet mode to suppress standard output of command.
Reports errors and then continues with next object in argument list if multiple objects are specified; otherwise exits upon error.
Displays output in list format instead of the default table format.
Displays the description for the object.
Here is a list of supported dsget commands together with a brief description of their syntax (only the most commonly used switches are described):
Displays properties of one or more computer accounts identifed by their distinguished names . Options include:
Displays the distinguished name of each computer
Displays the SAM account name of each computer
Displays the SID of each computer
Displays whether computer account is enabled (yes) or disabled (no)
Displays the configured and used quota values for the computer account in Active Directory
This variation of dsget computer displays which groups the specified computer belongs to. The -expand switch recursively expands the list of groups to which the computer belongs.
Displays first name, last name, email address, and other info about one or more contacts identified by their distinguished names.
Displays properties of one or more groups identified by their distinguished names. See dsadd group earlier in this chapter for info about -secgrp and -scope options.
This variation of dsget group displays which groups the specified group belongs to. The -expand switch recursively expands the list of groups to which the group belongs.
Displays properties of one or more organizational units specified by their distinguished names.
Displays properties of the specified partition object and their default quota and tombstone object count.
Displays the properties of a quota specification defined in Active Directory. Here ObjectDN is the distinguished name of the quota object being viewed , -acct displays the DN of the accounts to which the quotas are assigned, and -qlimit the quota limits for the specified quotas.
Displays properties of one or more domain controllers specified by their distinguished names. Options here include:
Displays the DNS names of the servers
Displays the sites to which the servers belong
Indicates whether the server is a global catalog server (yes) or not (no)
This variation of dsget server displays the distinguished names of the directory partitions on the specified domain controller.
This variation of dsget server lists the N security principals that own the greatest number of directory ojects on the specified domain controller.
Displays properties of one or more sites specified by their distinguished names. The options here are:
Indicates whether automatic intersite topology generation is enabled (yes) or not (no)
Indicates whether caching of universal group memberships is enabled (yes) or not (no)
Displays the preferred global catalog site used for refreshing universal group membership caching for domain controllers in this site
Displays properties of one or more subnets specified by their distinguished names.
Displays the properties of one or more user accounts specified by their distinguished names. See dsadd user earlier in this chapter for information on some of the switches here.
This variation of dsget user displays which groups the specified user belongs to. The -expand switch recursively expands the list of groups to which the user belongs.
Display the SAM account name and SID number of the computer named DESK155 located in the Sales OU of the mtit.local domain:
dsget computer CN=DESK155,OU=Sales,DC=mtit,DC=local -samid -sid samid sid DESK155$ S-1-5-21-3989638602-2554627321-2483607968-1111 dsget succeeded
Use dsget in interactive mode to display the account status (enabled or disabled) for three computers in the Sales OU:
dsget computer -disabled CN=DESK155,OU=Sales,DC=mtit,DC=local CN=DESK156,OU=Sales,DC=mtit,DC=local CN=DESK157,OU=Sales,DC=mtit,DC=local ^Z disabled no no yes dsget succeeded
Display selected properties of Human Resources group in list format:
dsget group "CN=Human Resources,OU=Sales,DC=mtit, DC=local" -dn -secgrp -scope -samid -sid -l dn: CN=Human Resources,OU=Sales,DC=mtit,DC=local samid: Human Resources sid: S-1-5-21-3989638602-2554627321-2483607968-1112 scope: domain local secgrp: yes dsget succeeded
Display properties of user Bob Jones in the Sales department:
dsget user CN=bjones,OU=Sales,DC=mtit,DC=local -samid -sid -upn -l samid: bjones sid: S-1-5-21-3989638602-2554627321-2483607968-1114 upn: bjones@mtit.local dsget succeeded
Display the groups to which Bob belongs:
dsget user CN=bjones,OU=Sales,DC=mtit,DC=local -memberof "CN=Human Resources,OU=Sales,DC=mtit,DC=local" "CN=Domain Users,CN=Users,DC=mtit,DC=local"
List the properties of a domain controller named ESRV210D located in Default-First-Site, in particular its DNS name and whether it is a global catalog server or not:
dsget server CN=ESRV210D,CN=Servers,CN=Default-FirstSite, CN=Sites,CN=Configuration, DC=mtit,DC=local -dnsname -isgc -l dnsname: esrv210d.mtit.local isgc: yes dsget succeeded
Note that here the distinguished name involved the location of the domain controller in the Configuration container.
Active Directory , dsadd , dsmod , dsmove , dsquery , dsrm , Groups , Users