  1. #1

    Some ways to export Active Directory data

    Here is a list of the Active Directory command line tools:
    dsadd.exe
    dsget.exe
    dsmod.exe
    dsmove.exe
    dsrm.exe
    dsquery.exe


    dsquery.exe

    Here are the parameters for the dsquery user command:
    Parameters
    {StartNode | forestroot | domainroot}
    Specifies the node where the search will start. You can specify the forest root (forestroot), domain root (domainroot), or a node’s distinguished name (StartNode). If forestroot is specified, the search is done using the global catalog. The default value is domainroot.
    -o {dn | rdn | upn | samid}
    Specifies the format in which the list of entries found by the search will be displayed. A dn value displays the distinguished name of each entry. A rdn value displays the relative distinguished name of each entry. A upn value displays the user principal name of each entry. A samid value displays the SAM account name of each entry. By default, the dn format is used.
    -scope {subtree | onelevel | base}
    Specifies the scope of the search. A value of subtree indicates that the scope is a subtree rooted at start node. A value of onelevel indicates the immediate children of start node only. A value of base indicates the single object represented by start node. If forestroot is specified as StartNode, subtree is the only valid scope. By default, the subtree search scope is used.
    -name Name
    Searches for users whose name attributes (value of CN attribute) matches Name. For example, "jon*" or "*ith" or "j*th".
    -desc Description
    Searches for users whose description attribute matches Description. For example, "jon*" or "*ith" or "j*th".
    -upn UPN
    Searches for users whose UPN attribute matches UPN.
    -samid SAMName
    Searches for users whose SAM account name matches SAMName.
    -inactive NumberOfWeeks
    Searches for all users that have been inactive (stale) for at least the specified number of weeks.
    -stalepwd NumberOfDays
    Searches for all users that have not changed their password for at least the specified number of days.
    -disabled
    Searches for all users whose accounts are disabled.
    {-s Server | -d Domain}
    Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.
    -u UserName
    Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:
    user name (for example, Linda)
    domain\user name (for example, widgets\Linda)
    user principal name (UPN) (for example, Linda@widgets.microsoft.com)
    -p {Password | *}
    Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.
    -q
    Suppresses all output to standard output (quiet mode).
    -r
    Specifies that the search use recursion or follow referrals during search. By default, the search will not follow referrals during search.
    -gc
    Specifies that the search use the Active Directory global catalog.
    -limit NumberOfObjects
    Specifies the number of objects that match the given criteria to be returned. If the value of NumberOfObjects is 0, all matching objects are returned. If this parameter is not specified, by default the first 100 results are displayed.
    {-uc | -uco | -uci}
    Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.
    -uc Specifies a Unicode format for input from or output to a pipe (|).
    -uco Specifies a Unicode format for output to a pipe (|) or a file.
    -uci Specifies a Unicode format for input from a pipe (|) or a file.


    dsget.exe


    Here is a list of objects dsget can extract attributes from:

    DSGET COMPUTER
    DSGET CONTACT
    DSGET SUBNET
    DSGET GROUP
    DSGET OU
    DSGET SERVER
    DSGET SITE
    DSGET USER
    DSGET QUOTA
    DSGET PARTITION


    Here is a list of attributes dsget can return for the USER object:

    -dn
    Displays the distinguished names of the users.
    -samid
    Displays the SAM account names of the users.
    -sid
    Displays the user security IDs (SIDs).
    -upn
    Displays the user principal names of the users.
    -fn
    Displays the first names of the users.
    -mi
    Displays the middle initials of the users.
    -ln
    Displays the last names of the users.
    -display
    Displays the display names of the users.
    -empid
    Displays the employee IDs of the users.
    -desc
    Displays the descriptions of the users.
    -full
    Displays the full names of the users.
    -office
    Displays the office locations of the users.
    -tel
    Displays the telephone numbers of the users.
    -email
    Displays the e-mail addresses of the users.
    -hometel
    Displays the home telephone numbers of the users.
    -pager
    Displays the pager numbers of the users.
    -mobile
    Displays the mobile phone numbers of the users.
    -fax
    Displays the fax numbers of the users.
    -iptel
    Displays the user IP phone numbers.
    -webpg
    Displays the user Web page URLs.
    -title
    Displays the titles of the users.
    -dept
    Displays the departments of the users.
    -company
    Displays the company information for the users.
    -mgr
    Displays the user managers of the users.
    -hmdir
    Displays the drive letter to which the home directory of the user is mapped (if the home directory path is a UNC path).
    -hmdrv
    Displays the user's home drive letter if home directory is a UNC path.
    -profile
    Displays the user profile paths.
    -loscr
    Displays the user logon script paths.
    -mustchpwd
    Displays information about whether users must change their passwords at the time of next logon (yes) or not (no).
    -canchpwd
    Displays information about whether users can change their password (yes) or not (no).
    -pwdneverexpires
    Displays information about whether the user passwords never expire (yes) or not (no).
    -disabled
    Displays information about whether user accounts are disabled for logon (yes) or not (no).
    -acctexpires
    Displays dates indicating when user accounts expire. If the accounts never expire, never is displayed.
    -reversiblepwd
    Displays information about whether the user passwords are allowed to be stored using reversible encryption (yes) or not (no).
    UserDN
    Required. Specifies the distinguished name of the user you want to view.
    -memberof
    Displays the immediate list of groups of which the user is a member.
    -expand
    Displays the recursively expanded list of groups of which the user is a member. This option takes the immediate group membership list of the user, and then recursively expands each group in this list to determine its group memberships as well to arrive at a complete closure set of the groups.
    {-uc | -uco | -uci}
    Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.
    -uc Specifies a Unicode format for input from or output to a pipe (|).
    -uco Specifies a Unicode format for output to a pipe (|) or a file.
    -uci Specifies a Unicode format for input from a pipe (|) or a file.
    -part PartitionDN
    Connect to the directory partition with the distinguished name of PartitionDN.
    -qlimit
    Displays the effective quota of the user within the specified directory partition.
    -qused
    Displays how much of the quota the user has used within the specified directory partition.


    All Active Directory command line tools are documented in Windows Server 2003 online help. Just open up the Help link off the start menu and type in dsget as a search criteria and you will find all of the parameters documented. The long list of parameters above are a copy/paste from the Windows Server 2003 online help.

    -------------------------

    As I mentioned in an earlier post, both dsquery and dsget can be used as standalone commands to return a list of objects or object attributes respectively, or dsquery can be used to return a list of objects which can then be directly piped into a dsget command to return attributes of the queried objects.

    Here are a few examples which directly address what the original author of this post was looking for.


    Consider the following Active Directory where our user objects are stored in the default "Users" container that is built into Active Directory:



    The following screenshot shows two commands.


    The first command uses dsquery to query all user objects in the default built-in Users container (CN=Users). It then pipes the list of user objects into a dsget command which outputs the Email address of all the user objects that were piped into it.


    The second command uses dsquery to query all user objects in the default built-in Users container (CN=Users). It then pipes the list of user objects into a dsget command which outputs the UPN of all the user objects that were piped into it.






    Consider the next Active Directory (which is just a slight variation of the above example) where our user objects are stored in the Marketing OU which is a sub-OU of the Production OU in the contoso.com Active Directory domain:



    The only thing I'm pointing out in this second example is that the built-in "Users" container in AD is addressed as CN=Users (CN stands for "Common Name"). Whereas an OU in AD is addressed as OU=xxx (OU stands for "Organizational Unit"). When OUs are nested, they are presented in the following format: OU=child ou,OU=parent ou,DC=contoso,DC=com


    The following screenshot shows two commands.


    The first command uses dsquery to query all user objects in the Marketing OU (OU=Marketing). It then pipes the list of user objects into a dsget command which outputs the Email address of all the user objects that were piped into it.


    The second command uses dsquery to query all user objects in the Marketing OU (OU=Marketing). It then pipes the list of user objects into a dsget command which outputs the UPN of all the user objects that were piped into it.





    Getting the information above piped into a text file is the last part and very easy:


    Code:
    dsquery user "OU=Marketing,OU=Production,DC=Contoso,DC=com" | dsget user -samid -Email > c:\mytextfile.txt
    The command above would output text into c:\mytextfile.txt
    The output that goes in the text file would look like:



    ---------------------------


    Other potentially useful examples:





    Show me the samid and upn name of all disabled user accounts in the domain

    Code:
    C:\>dsquery user -disabled | dsget user -samid -upn
    samid upn
    Guest
    krbtgt
    B03EED71-B218-46F9-B
    dsget succeeded

    Show me the samid and upn of each user account in the domain and show me when the user account expires

    Code:
    C:\>dsquery user | dsget user -samid -upn -acctexpires
    samid upn acctexpires
    Administrator never
    Guest never
    krbtgt never
    jason jason@contoso.com never
    TsInternetUser never
    arcada arcada@contoso.com never
    nav nav@contoso.com never
    storc01 storc01@contoso.com never
    vcenter vcenter@contoso.com never
    amy amy@contoso.com never
    cluster cluster@contoso.com never
    si_rev si_rev@contoso.com never
    george george@contoso.com never
    B03EED71-B218-46F9-B never
    sim sim@contoso.com never
    schedule schedule@contoso.com never
    sql sql@contoso.com never
    dsget succeeded

    Show me the samid and upn of each user account in the domain and show me when the user account expires. Send output to a file called c:\log.txt

    Code:
    C:\>dsquery user | dsget user -samid -upn -acctexpires > c:\log.txt

    Show me the samid and upn name of each user account in the Production OU in the CONTOSO.COM domain with a password age of 14 days or older and also show me if the account is flagged for "user must change password" and if the user account is allowed to change its password

    Code:
    C:\>dsquery user "OU=Production,DC=contoso,DC=com" -stalepwd 14 | dsget user -samid -upn -mustchpwd -canchpwd
    samid upn mustchpwd canchpwd
    Administrator no yes
    Guest yes no
    krbtgt no yes
    jason jason@contoso.com no yes
    TsInternetUser no no
    arcada arcada@contoso.com no yes
    nav nav@contoso.com no yes
    storc01 storc01@contoso.com no yes
    vcenter vcenter@contoso.com no yes
    amy amy@contoso.com no yes
    cluster cluster@contoso.com no no
    si_rev si_rev@contoso.com no no
    george george@contoso.com no no
    B03EED71-B218-46F9-B no yes
    sim sim@contoso.com no no
    schedule schedule@contoso.com no yes
    dsget succeeded
    Enumerate all the groups a user belongs to, even nested ones:

    Code:
    dsquery user -samid username | dsget user -memberof -expand
    Last edited by Mohamed Fouad; 03-05-2010 at 03:15 PM.
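Once the dsget output has been redirected to a file as above, it is useful to load it back for review. The following Python script is an added example, not part of the post or of the dsget tool: it parses the column-aligned text that `dsget user` writes (a header line, one row per object, and the `dsget succeeded` trailer), refuses a file that lacks the trailer, and lists enabled accounts whose password never expires. The sample text, its column widths and the account names are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of what `dsquery user | dsget user -samid -upn -disabled -pwdneverexpires > c:\log.txt`
# leaves in the file. Column widths are an assumption: dsget pads every column so that
# values line up under the header words, which is what the parser below relies on.
SAMPLE = "\n".join([
    "  samid" + " " * 11 + "upn" + " " * 20 + "disabled  pwdneverexpires",
    "  Administrator" + " " * 26 + "no" + " " * 8 + "yes",
    "  Guest" + " " * 34 + "yes" + " " * 7 + "no",
    "  krbtgt" + " " * 33 + "yes" + " " * 7 + "no",
    "  jason" + " " * 11 + "jason@contoso.com" + " " * 6 + "no" + " " * 8 + "no",
    "  svc_backup" + " " * 6 + "svc_backup@contoso.com" + " " + "no" + " " * 8 + "yes",
    "dsget succeeded",
])


def export_is_complete(text: str) -> bool:
    """dsget ends a successful run with this trailer; without it the file is partial."""
    lines = text.splitlines()
    return len(lines) >= 2 and lines[-1].strip() == "dsget succeeded"


def parse_dsget(text: str) -> List[Dict[str, str]]:
    """Parse column-aligned dsget output into one dict per object.

    Column boundaries come from where each header word starts, so a blank cell
    (a user with no UPN, as with the built-in accounts) stays blank instead of
    shifting the later columns to the left.
    """
    if not export_is_complete(text):
        raise ValueError("dsget did not report success; output may be incomplete")
    lines = text.splitlines()
    header, rows = lines[0], lines[1:-1]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", header)]
    records = []
    for line in rows:
        rec = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else len(line)
            rec[name] = line[start:end].strip()
        records.append(rec)
    return records


def enabled_with_nonexpiring_password(records: List[Dict[str, str]]) -> List[str]:
    """Enabled accounts whose password never expires: a standard item on an AD review list."""
    return sorted(r["samid"] for r in records
                  if r.get("disabled") == "no" and r.get("pwdneverexpires") == "yes")
```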



  6. #2


    Thanks Mohamed,
    Some examples of dealing with AD via these tools:

    Create User
    dsadd user "CN=Ahmed Mohamed Ali,OU=Temp,OU=Egypt,OU=Common Users,OU=User Accounts,DC=Expert,DC=com,DC=eg" -upn E00001@Expert.com.eg -samid E00001 -display "Ahmed Mohamed Ali" -dept "Finance" -pwd 123456789 -mustchpwd yes -disabled yes -title "Banker" -desc "Banker" -company "Expert EGYPT" -office "Cairo Branch" -fn "Ahmed" -mi "Mohame" -ln "Ali" -memberof "CN=Cairo Staff,OU=Egypt,OU=Groups,DC=Expert,DC=com,DC=eg"

    Note:
    - When the user is ready to log on to his PC, enable the user account and tell him to log on with password: 123456789
    - I would recommend creating the user in a temporary empty OU first, and after confirming that everything is OK, you can move them to their desired OU.
    - The '-mi "xxxxxx"' field must NOT exceed 6 characters, that's by design.
    - This example assumes that "require complex password" is disabled.

    Add Telephone and Mobile info to a User

    dsmod user "CN=Ahmed Mohamed Ali,OU=Egypt,OU=Common Users,OU=User Accounts,DC=Expert,DC=com,DC=eg" -tel "0020211111111" -mobile "20101111111"
    Create Global Security Group

    dsadd group "CN=Finance,OU=egypt,ou=Groups,DC=Expert,DC=com,DC=eg" -samid Finance -secgrp yes -scope G
    Add Members to a Group

    dsmod group "CN=Finance,OU=egypt,ou=Groups,DC=Expert,DC=com,DC=eg" -addmbr "CN=Ahmed Mohamed Ali,OU=Temp,OU=Egypt,OU=Common Users,OU=User Accounts,DC=Expert,DC=com,DC=eg"
    Dump objects details inside an OU to a .CSV file

    CSVDE -d "OU=Egypt,OU=Users,DC=Expert,DC=com,DC=eg" -f "C:\Documents and Settings\Administrator\Desktop\Users_Egypt.csv"


    Get User Email in a text file, from his SAMID

    Create this batch file and name it Useremail.bat:
    @echo off
    dsquery user -samid %1 | dsget user -email | find "@" > usermail.txt
    Run it as
    Useremail.bat AMohamed
    and get the result in usermail.txt

    Get The User DN from the SAMID

    DSQuery User -samid AMohamed
    Change a Domain Account’s Password[1]


    Using the following command you reset the password of user DoeJ to Pa$$word1!
    dsquery user -samid DoeJ | dsmod user -pwd Pa$$word1!


    If you use * instead of Pa$$word1!, you will be asked for a password. If you are logged on to a domain controller you can also use the net user command; the equivalent command in this case would be:


    net user DoeJ Pa$$word1!

    You can also use the net user command from your workstation:
    net user DoeJ Pa$$word1! /domain
    Last edited by Ibrahim Soliman; 05-05-2010 at 03:52 PM.
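A check worth making before feeding names from a spreadsheet into the dsadd user line above: a comma or another DN-special character in the CN value splits the distinguished name into extra RDNs, so the account lands in the wrong place or the command fails. The following Python helper is an added example, not code from the post: it escapes the RDN value per RFC 4514, enforces the 6-character `-mi` limit noted above, validates the sAMAccountName and UPN, and emits `-pwd *` so the initial password is prompted for instead of written into the command line. The record fields, the Temp OU from the post, and the validation rules beyond the post's own note are assumptions.

```python
import re

# Temp OU taken from the post above. The sAMAccountName rule is an assumption
# based on the attribute's documented limits (1-20 characters, no special chars).
TEMP_OU = "OU=Temp,OU=Egypt,OU=Common Users,OU=User Accounts,DC=Expert,DC=com,DC=eg"
_DN_SPECIAL = ',+"\\<>;'
_SAMID_FORBIDDEN = '"/\\[]:;|=,+*?<>'


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = "".join("\\" + c if c in _DN_SPECIAL else c for c in value)
    if out[:1] in ("#", " "):          # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):              # so must a trailing space
        out = out[:-1] + "\\ "
    return out


def cmd_quote(value: str) -> str:
    """Quote one argument for cmd.exe; an embedded double quote is rejected outright."""
    if '"' in value or any(ord(c) < 32 for c in value):
        raise ValueError("unsupported character in argument: %r" % value)
    return '"%s"' % value


def validate_user_record(rec: dict) -> list:
    """Return a list of problems; an empty list means the record can become a command."""
    problems = []
    if len(rec["mi"]) > 6:
        problems.append("-mi must not exceed 6 characters")
    samid = rec["samid"]
    if not 1 <= len(samid) <= 20 or any(c in _SAMID_FORBIDDEN for c in samid):
        problems.append("invalid sAMAccountName")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+", rec["upn"]):
        problems.append("invalid UPN")
    return problems


def build_dsadd_user(rec: dict, container: str = TEMP_OU) -> str:
    """Create the account disabled, in the temp OU, with the password prompted (-pwd *)."""
    problems = validate_user_record(rec)
    if problems:
        raise ValueError("; ".join(problems))
    dn = "CN=%s,%s" % (escape_rdn_value(rec["display"]), container)
    parts = ["dsadd user", cmd_quote(dn), "-upn", rec["upn"], "-samid", rec["samid"],
             "-display", cmd_quote(rec["display"]), "-fn", cmd_quote(rec["fn"]),
             "-mi", cmd_quote(rec["mi"]), "-ln", cmd_quote(rec["ln"]),
             "-pwd *", "-mustchpwd yes", "-disabled yes"]
    return " ".join(parts)
```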

