DSQuery - CMD


Overview

DSQuery is a command-line tool included with Windows Server that allows users to query the Active Directory for information about various objects like users, groups, computers, and more. The primary function of DSQuery is to facilitate the search and display of directory objects and their attributes based on specified search criteria. This tool is most effective in large corporate environments where managing a vast number of directory objects is required.

Syntax

The general syntax for DSQuery is as follows:

dsquery <object type> [<start node>] [-scope {subtree | onelevel | base}] [-filter <filter>] [-attr <attr list>] [-attrsonly] [-l] [-limit <number>]

Where <object type> and other parameters control the scope and output of the query.

Common Object Types:

  • user
  • group
  • ou (organizational unit)
  • computer

Options/Flags

  • <start node>: Specifies the node in the directory from which the search begins.
  • -scope {subtree|onelevel|base}: Defines the scope of the search. The default is subtree.
  • -filter <filter>: Applies a filter to the search, such as attributes or conditions that the results must meet.
  • -attr <attr list>: Specifies which attributes to return in the results; defaults to distinguished name if not specified.
  • -attrsonly: Returns only attributes, no distinguished names.
  • -l: Displays results in list format.
  • -limit <number>: Limits the number of entries returned. The default is no limit.

Examples

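  1. Query for User Objects
    Find all users with a last name “Smith”. The -filter option takes a fully parenthesized LDAP filter and is accepted by the generic dsquery * form, not by dsquery user:

    dsquery * -filter "(&(objectCategory=person)(objectClass=user)(sn=Smith))"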
    
  2. Search within Specific OU
    Search for users in the “Engineering” OU:

    dsquery user "ou=Engineering,dc=example,dc=com" -limit 100
    
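  3. List Attributes
    List specific attributes (e.g., first name, last name) of users. Like -filter, the -attr option belongs to the dsquery * form:

    dsquery * -filter "(&(objectCategory=person)(objectClass=user))" -attr givenName sn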
    

Common Issues

  • Large Queries Time Out: By default, queries might time out for very large datasets. Adjust the -limit flag to manage the size of the result set.
  • Filter Complexity: Incorrect filter syntax can lead to no results or error messages. Ensuring proper LDAP query syntax is critical.
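
The filter-syntax issue above, as an added example (not from the original page or from Microsoft): a Python helper that escapes a search value per RFC 4515, checks the filter's parentheses, and builds the argument list for dsquery *. The function names and the sample surname are assumptions made for illustration.

```python
# Added example: build the -filter argument for "dsquery *" from untrusted
# input. The helper names below are hypothetical, not part of any tool.

# RFC 4515 characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def filter_problem(ldap_filter):
    """Return a description of the first structural problem, or None."""
    if not (ldap_filter.startswith("(") and ldap_filter.endswith(")")):
        return "filter must be wrapped in parentheses"
    depth = 0
    last = len(ldap_filter) - 1
    for pos, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return "unmatched ')' at offset %d" % pos
            if depth == 0 and pos != last:
                return "text after the filter closes at offset %d" % pos
    return None if depth == 0 else "missing ')'"


def surname_query(surname, limit=100):
    """Return the argv list for a surname search with dsquery *."""
    ldap_filter = ("(&(objectCategory=person)(objectClass=user)(sn=%s))"
                   % escape_filter_value(surname))
    problem = filter_problem(ldap_filter)
    if problem:
        raise ValueError(problem)
    return ["dsquery", "*", "domainroot", "-filter", ldap_filter,
            "-attr", "givenName", "sn", "-limit", str(limit)]


if __name__ == "__main__":
    # Constructed sample value containing filter metacharacters.
    print(surname_query("O'Neil (contractor)*"))
```

Passing the returned list to subprocess.run on a domain-joined host avoids building a single command string, so the shell never reinterprets the filter.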

Integration

DSQuery can be paired with other commands like DSMod, DSAdd, or DSRm for comprehensive Active Directory management. For instance, to modify an attribute of the queried user:

dsquery user -name JohnDoe | dsmod user -desc "Updated Description"

Related commands:

  • DSAdd: Add objects to the directory.
  • DSMod: Modify objects in the directory.
  • DSGet: Retrieve specific properties of an object.
  • DSMove: Move an object from one location to another.
  • DSRm: Remove an object from the directory.

For further reading and more detailed information, consult the official Microsoft documentation.