Solved

DSGET Help

Posted on 2009-05-12
Last Modified: 2012-05-06
Hi Everyone,

I'm new to the DS Series of command prompt tools but I have been tasked with querying Active Directory and creating an Excel Spreadsheet providing details on the following items:

Show only Disabled User Accounts
of those Disabled User Accounts list the following Details:

Location of Mailbox Store
Display what groups the Disabled User Account is a Member Of

I have been tinkering with the DSGET and DSQUERY commands but as you can imagine I have been a bit overwhelmed by the amount of information these commands can return and at the moment the information above is all I require.  Could someone provide me with some commands and/or ideas to get started with?
Question by:crphd

Accepted Solution

by:
bluntTony earned 500 total points
ID: 24366844
DSGET and DSQUERY aren't that great for this sort of thing. A more complete utility is AdFind from joeware.net: http://www.joeware.net/freetools/tools/adfind/index.htm

This can handle more complex queries using LDAP filters and the like. The command for what you want, using Adfind is below.

It basically says, get me all disabled users and output the CN (name), group memberships and home mailbox location.

If you want to output to a text file, add > results.txt to the end of the command, where results.txt is the text file you want to create.


adfind -f "(&(objectcategory=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" cn memberof homeMDB

Author Comment

by:crphd
ID: 24367467
Hi bluntTony,

Your suggestion was fantastic and I was able to create a txt file with everything that I was looking for.  I just realized however that I forgot to point out that the OU that I am looking to scan is within some other OU's and I need to re-write this command so that it supports that structure.  Rather than scan the entire AD for the information that I am looking for how can I narrow the results down so that I am scanning something like

Domain > OU > OU  where Domain is our Domain Name and OU is the name of the OU

Author Comment

by:crphd
ID: 24370067
I got it to work thanks to you.

The final command I ended up using to get this to function was as follows:

adfind -s sub -b ou=ouname,ou=ouname,dc=dcname,dc=dcname -f "(&(objectcategory=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" cn memberof homeMDB > textfileoutput.txt

Where ouname is the name of the OU and dc name is the name of the Domain Controller. -s sub used everything from the OU and its subtree to search through.

I'm still not sure what the center section translates to but I do know that this worked for me.  Thanks again for all of your help!

Expert Comment

by:bluntTony
ID: 24372216
Glad you got it sorted. Looks like you've got the scope and base arguments down as well.

The centre section is an LDAP filter used to query AD.

(objectCategory=user) = find users
(userAccountControl:1.2.840.113556.1.4.803:=2) = find those that are disabled (there's no simple 'disabled' yes/no field to query but this is the same thing)

Surrounding the two in a (& ) means AND, so 'find all objects that are users AND are disabled'

Hope this helps.
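
How the bitwise matching rule in the filter above picks out disabled accounts, as an added Python example that is not part of the original thread. The directory entries are constructed, objectCategory is simplified to a plain string, and the function names are hypothetical; the equality filter is included only to show what a plain comparison against 514 would miss.

```python
import re

# Matching-rule OIDs Active Directory defines for integer bit tests.
BIT_AND = "1.2.840.113556.1.4.803"  # true when ALL bits of the filter value are set
BIT_OR = "1.2.840.113556.1.4.804"   # true when ANY bit of the filter value is set

# One clause: (attr=value) or (attr:matching-rule-oid:=value)
CLAUSE = re.compile(r"\(([\w-]+)(?::([\d.]+):)?=([^()]*)\)")

def parse_and_filter(ldap_filter):
    """Split a flat (&(...)(...)) filter into (attr, rule_oid, value) tuples."""
    body = ldap_filter[2:-1]
    if not ldap_filter.startswith("(&") or not re.fullmatch(f"(?:{CLAUSE.pattern})+", body):
        raise ValueError("only a flat (&...) filter is handled in this sketch")
    return CLAUSE.findall(body)

def clause_matches(entry, attr, rule, value):
    # LDAP attribute names are case-insensitive.
    actual = {k.lower(): v for k, v in entry.items()}.get(attr.lower())
    if actual is None:
        return False  # an absent attribute never matches
    if rule == BIT_AND:
        return (int(actual) & int(value)) == int(value)
    if rule == BIT_OR:
        return (int(actual) & int(value)) != 0
    if rule:
        raise ValueError(f"unsupported matching rule {rule}")
    return str(actual).lower() == value.lower()

def search(entries, ldap_filter):
    """Return the cn of every entry that satisfies all clauses of the filter."""
    clauses = parse_and_filter(ldap_filter)
    return [e["cn"] for e in entries if all(clause_matches(e, *c) for c in clauses)]

# Constructed entries; objectCategory is simplified to a plain string.
ENTRIES = [
    {"cn": "alice", "objectCategory": "user", "userAccountControl": 512},    # enabled
    {"cn": "bob", "objectCategory": "user", "userAccountControl": 514},      # 512 + 2
    {"cn": "carol", "objectCategory": "user", "userAccountControl": 66050},  # 65536 + 512 + 2
    {"cn": "dave", "objectCategory": "user", "userAccountControl": 66048},   # 65536 + 512
    {"cn": "PC01", "objectCategory": "computer", "userAccountControl": 4098},  # 4096 + 2
]

PAGE_FILTER = "(&(objectcategory=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"
EQUALITY_FILTER = "(&(objectcategory=user)(userAccountControl=514))"  # for comparison

if __name__ == "__main__":
    print("bitwise :", search(ENTRIES, PAGE_FILTER))
    print("equality:", search(ENTRIES, EQUALITY_FILTER))
```

The bitwise filter returns both disabled users regardless of which other flags are set, while the equality filter misses the disabled account that also has the password-never-expires flag (65536).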