DSGet - CMD

Overview

The dsget command is a versatile tool used in Windows Command Prompt to display properties of objects in Active Directory such as user accounts, groups, and computers. It is primarily used by administrators for managing and querying information about Active Directory objects. Its functionality is most effective in scenarios where quick retrieval of specific attributes is necessary, often aiding in scripting and automation tasks.

Syntax

The general syntax of dsget is as follows:

dsget objecttype ObjectDN [options]
  • objecttype: Specifies the type of AD object (e.g., user, group, ou, computer).
  • ObjectDN: Specifies the distinguished name of the object.

Examples of objecttype:

  • user
  • group
  • computer
  • ou (organizational unit)

Options/Flags

Options vary depending on the objecttype specified. Here are some common flags:

  • -dn: Retrieves the distinguished name of the object.
  • -samid: Retrieves the Security Account Manager (SAM) ID.
  • -sid: Returns the security identifier of the user.
  • -upn: Prints the User Principal Name.

User specific options:

  • -fn: First name.
  • -mi: Middle initial.
  • -ln: Last name.
  • -display: Full name.
  • -empid: Employee ID.

Group specific options:

  • -members: Lists all members of a group.

Use -? with any object type to see specific options for that type, e.g., dsget user -?.

Examples

  1. Retrieve the full name of a user:

    dsget user "CN=John Doe,OU=Users,DC=example,DC=com" -display

  2. List all members of a specific group:

    dsget group "CN=Developers,OU=Groups,DC=example,DC=com" -members

  3. Get multiple properties of a computer account:

    dsget computer "CN=Workstation1,OU=Computers,DC=example,DC=com" -dn -sid

Common Issues

  • Incorrect Distinguished Names: If the ObjectDN is not correct, dsget will return an error. Ensure paths are correctly specified.
  • Permission Errors: Insufficient permissions can lead to errors. Ensure you have adequate rights to run the queries.
  • Object Type Confusion: Sometimes users use the wrong object type with specific options leading to errors.

Integration

dsget can be seamlessly integrated with other commands like dsquery for more dynamic and powerful scripts.

Example script:

List usernames and their status:

for /f "tokens=*" %i in ('dsquery user -name *') do dsget user %i -samid -disabled
  • dsadd: Adds objects to the directory.
  • dsmod: Modifies objects in the directory.
  • dsrm: Removes objects from the directory.
  • dsquery: Searches for objects in the directory.

For further reading and more detailed information, visit the official Microsoft documentation.