Tuesday, March 30, 2010

Installing Active Directory

This post shows you how to install Active Directory. (To view larger images, click on them.)

STEP 1: Login to the box either locally via console, or through RDP
STEP 2: Go to Start -> Run and type in "dcpromo"



STEP 3: For most cases you will select "Domain Controller for a new domain"






STEP 4: For most cases you will select "Domain in a new forest"



STEP 5: Enter the FQDN (fully qualified domain name) that you want to use. For example, if your domain is to be called Domain.Com, enter Domain.Com. You can also use nonexistent namespaces such as Domain.Local or Domain.abc.
Afterwards, the wizard also lets you set the NETBIOS name. This is almost always the same name you entered above, only without the .com (.local, .abc, etc.).



STEP 6: The next two screens will be where to place file repositories and service folders. You can accept the defaults.

STEP 7: Some users may now get presented with a DNS screen asking you to configure DNS, or to do it later. Select the middle option (Install and configure for me).




STEP 8: Select the permission type you would like. There are two options. If you will only be using Windows 2003 Server and Windows XP or newer, select the second option. Otherwise, you need to use the first option.




STEP 9: Pick a "Directory Services Restore" password. Hopefully you will never have to use this, as it's quite messy for the inexperienced. In either case, remember this password. If you want to recover your Active Directory, you will need this password.



STEP 10: At this point in the installation you are presented with a basic "Summary" page listing the options you have selected. Make sure these are set properly before continuing. Once you select "Next", Active Directory will begin to install. Once it does, you will not be able to stop it, and you will have to uninstall first in order to go back and fix any problems or misconfigurations.

STEP 11: Installing Active Directory will take a while: it could be a couple of minutes, or as much as half an hour. Once it is done you will have to reboot.


Some useful tips and Warnings:
-Install DNS before installing Active Directory
-Create an additional local admin account if you do not already have one before installation. This account will still be there after AD install, and you can use it to login in case of trouble.
-I highly recommend not changing the NETBIOS name unless you know what you are doing.
-If something happens to your domain controller and you forget the Directory Services Restore password, you may as well reformat.

Dsget

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Displays the selected properties of a specific object in the directory. The dsget commands include:

  • dsget computer
  • dsget contact
  • dsget group
  • dsget ou
  • dsget server
  • dsget user
  • dsget subnet
  • dsget site
  • dsget quota
  • dsget partition

dsget computer

Displays the properties of a computer in the directory. There are two variations of this command. The first variation allows you to view the properties of multiple computers. The second variation allows you to view the membership information of a single computer.

Syntax

dsget computer ComputerDN ... [-dn] [-samid] [-sid] [-desc] [-loc] [-disabled] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}] [-part PartitionDN [-qlimit] [-qused]]

dsget computer ComputerDN [-memberof [-expand]] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

Parameters

ComputerDN ...

Required. Specifies the distinguished names of the computer object list that you want to view. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command. Compare with ComputerDN in the next command variation.

-dn

Displays the distinguished names of the computers.

-samid

Displays the computer SAM account names.

-sid

Displays the computer security IDs (SIDs).

-desc

Displays the descriptions of the computers.

-loc

Displays the computer locations.

-disabled

Displays the status of the computer accounts. A value of yes indicates that the account is disabled; a value of no indicates that the account is enabled.

ComputerDN

Required. Specifies the distinguished name of the single computer you want to view.

-memberof

Displays the immediate list of groups of which the computer is a member. This takes a single target object only as input parameter.

-expand

Displays the recursively expanded list of groups of which the computer is a member. This option takes the immediate group membership list of the computer and then recursively expands each group in this list to determine its group memberships as well to arrive at a complete closure set of the groups.

{-s Server | -d Domain}

Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.

-u UserName

Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:

  • user name (for example, Linda)
  • domain\user name (for example, widgets\Linda)
  • user principal name (UPN) (for example, Linda@widgets.microsoft.com)

-p {Password | *}

Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.

-c

Reports errors, but continues with the next object in the argument list when multiple target objects are specified (continuous operation mode). Without this option, the command exits on the first error.

-q

Suppresses all output to standard output (quiet mode).

-l

Displays entries in a list format. By default, entries are displayed in a table format.

{-uc | -uco | -uci}

Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.

Value   Description
-uc     Specifies a Unicode format for input from or output to a pipe (|).
-uco    Specifies a Unicode format for output to a pipe (|) or a file.
-uci    Specifies a Unicode format for input from a pipe (|) or a file.

-part PartitionDN

Connects to the directory partition with the distinguished name of PartitionDN.

-qlimit

Displays the effective quota of the computer within the specified directory partition.

-qused

Displays how much of its quota the computer has used within the specified directory partition.

/?

Displays help at the command prompt.

Remarks
  • If you do not supply a target object at the command prompt, the target object is obtained from standard input (stdin). Stdin data can be accepted from the keyboard, a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).
  • Use the dsget command to view properties of a specific object in the directory. For more information about using dsquery * to search for all objects that match a specific criterion, see Related Topics.
  • As a result of dsquery searches, you can pipe returned objects to dsget and obtain object properties. See Examples.
  • If a value that you supply contains spaces, use quotation marks around the text (for example, "CN=DC2,OU=Domain Controllers,DC=Microsoft,DC=Com").
  • If you supply multiple values for a parameter, use spaces to separate the values (for example, a list of distinguished names).
Examples

To display the descriptions of all computers in a given organizational unit whose name starts with "tst", type:

dsquery computer OU=Test,DC=Microsoft,DC=Com -name tst* | dsget computer -desc

To display the list of groups, recursively expanded, to which a given computer "MyDBServer" belongs, type:

dsget computer CN=MyDBServer,CN=computers,DC=Microsoft,DC=Com -memberof -expand

dsget contact

Displays the various properties of a contact in the directory.

Syntax

dsget contact ContactDN ... [-dn] [-fn] [-mi] [-ln] [-display] [-desc] [-office] [-tel] [-email] [-hometel] [-pager] [-mobile] [-fax] [-iptel] [-title] [-dept] [-company] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

Parameters

ContactDN ...

Required. Specifies the distinguished names of the contact objects that you want to view. If this parameter is omitted, its value is taken from standard input (stdin) to support piping of output from another command to input of this command.

-dn

Displays the distinguished names of the contacts.

-fn

Displays the first names of the contacts.

-mi

Displays the middle initials of the contacts.

-ln

Displays the last names of the contacts.

-display

Displays the display names of the contacts.

-desc

Displays the descriptions of the contacts.

-office

Displays the office locations of the contacts.

-tel

Displays the telephone numbers of the contacts.

-email

Displays the e-mail addresses of the contacts.

-hometel

Displays the home telephone numbers of the contacts.

-pager

Displays the pager numbers of the contacts.

-mobile

Displays the mobile phone numbers of the contacts.

-fax

Displays the fax numbers of the contacts.

-iptel

Displays the IP phone number of the contact.

-title

Displays the titles of the contacts.

-dept

Displays the departments of the contacts.

-company

Displays the company information for the contacts.

{-s Server | -d Domain}

Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.

-u UserName

Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:

  • user name (for example, Linda)
  • domain\user name (for example, widgets\Linda)
  • user principal name (UPN) (for example, Linda@widgets.microsoft.com)

-p {Password | *}

Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.

-c

Reports errors, but continues with the next object in the argument list when multiple target objects are specified (continuous operation mode). Without this option, the command exits on the first error.

-q

Suppresses all output to standard output (quiet mode).

-l

Displays entries in a list format. By default, entries are displayed in a table format.

{-uc | -uco | -uci}

Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.

Value   Description
-uc     Specifies a Unicode format for input from or output to a pipe (|).
-uco    Specifies a Unicode format for output to a pipe (|) or a file.
-uci    Specifies a Unicode format for input from a pipe (|) or a file.

/?

Displays help at the command prompt.

Remarks
  • If you do not supply a target object at the command prompt, the target object is obtained from standard input (stdin). Stdin data can be accepted from the keyboard, a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).
  • Use the dsget command to view properties of a specific object in the directory. For more information about using dsquery * to search for all objects that match a specific criterion, see Related topics.
  • As a result of dsquery searches, you can pipe returned objects to dsget and obtain object properties.
  • If a value that you supply contains spaces, use quotation marks around the text (for example, "CN=Mike Danseglio,OU=Contacts,DC=Microsoft,DC=Com").
  • If you supply multiple values for a parameter, use spaces to separate the values (for example, a list of distinguished names).
Examples

To display the description and phone numbers for contacts Mike Danseglio and Don Funk, type:

dsget contact "CN=Mike Danseglio,OU=Contacts,DC=Microsoft,DC=Com" "CN=Don Funk,OU=Contacts,DC=Microsoft,DC=Com" -desc -tel

dsget group

Displays the various properties of a group including the members of a group in the directory. There are two variations of this command. The first variation allows you to view the properties of multiple groups. The second variation allows you to view the group membership information of a single group.

Syntax

dsget group GroupDN ... [-dn] [-samid] [-sid] [-desc] [-secgrp] [-scope] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}] [-part PartitionDN [-qlimit] [-qused]]

dsget group GroupDN [{-memberof | -members}] [-expand] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

Parameters

GroupDN ...

Required. Specifies the distinguished names of the group objects that you want to view. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command. Compare with GroupDN in the next command variation.

-dn

Displays the distinguished names of the groups.

-samid

Displays the SAM account names of the groups.

-sid

Displays the group security IDs (SIDs).

-desc

Displays the descriptions of the groups.

-secgrp

Displays information about whether groups are security groups (yes) or distribution groups (no).

-scope

Displays information about whether group scopes are local, global, or universal.

GroupDN

Required. Specifies the distinguished name of the group you want to view.

{-memberof | -members}

Displays the immediate list of groups of which the group is a member (-memberof). Displays the immediate list of members of the group (-members).

-expand

In the case of the -memberof parameter, requests that the recursively expanded list of groups in which the group is a member be returned. This option takes the immediate group membership list of the group, and then recursively expands each group in this list to determine its group memberships as well to arrive at a complete closure set of the groups.

In case of the -members parameter, requests that the recursively expanded list of members of the group be displayed. This parameter takes the immediate list of members of the group and then recursively expands each group in this list to determine its group memberships as well to arrive at a complete closure set of the members.

{-s Server | -d Domain}

Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.

-u UserName

Specifies the user name with which the user logs on to a remote server. By default, the logged on user name is used. You can specify a user name using one of the following formats:

  • user name (for example, Linda)
  • domain\user name (for example, widgets\Linda)
  • user principal name (UPN) (for example, Linda@widgets.microsoft.com)

-p {Password | *}

Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.

-c

Reports errors, but continues with the next object in the argument list when multiple target objects are specified (continuous operation mode). Without this option, the command exits on the first error.

-q

Suppresses all output to standard output (quiet mode).

-l

Displays entries in a list format. By default, entries are displayed in a table format.

{-uc | -uco | -uci}

Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.

Value   Description
-uc     Specifies a Unicode format for input from or output to a pipe (|).
-uco    Specifies a Unicode format for output to a pipe (|) or a file.
-uci    Specifies a Unicode format for input from a pipe (|) or a file.

-part PartitionDN

Connects to the directory partition with the distinguished name of PartitionDN.

-qlimit

Displays the effective quota of the group within the specified directory partition.

-qused

Displays how much of its quota the group has used within the specified directory partition.

/?

Displays help at the command prompt.

Remarks
  • If you do not supply a target object at the command prompt, the target object is obtained from standard input (stdin). Stdin data can be accepted from the keyboard, a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).
  • Use the dsget command to view properties of a specific object in the directory. For more information about using dsquery * to search for all objects that match a specific criterion, see Related Topics.
  • As a result of dsquery searches, you can pipe returned objects to dsget and obtain object properties. See Examples.
  • If a value that you supply contains spaces, use quotation marks around the text (for example, "CN=USA Sales,OU=Distribution Lists,DC=Microsoft,DC=Com").
  • If you supply multiple values for a parameter, use spaces to separate the values (for example, a list of distinguished names).
Examples

To display the descriptions of all groups in a given organizational unit whose names start with "adm," type:

dsquery group OU=Test,DC=Microsoft,DC=Com -name adm* | dsget group -desc

To display the list of members, recursively expanded, of the group Backup Operators, type:

dsget group "CN=Backup Operators,OU=Test,DC=Microsoft,DC=Com" -members -expand
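
The closure that -members -expand is described as computing, worked through as an added example (Python written for this page, not dsget's own code and not part of the original documentation). The membership data and the names DIRECT_MEMBERS, expand_members and nested_only are assumptions made for illustration; the walk records the chain of groups through which each member is reached, which is what an access review of a privileged group needs.

```python
from collections import deque

# Constructed sample data (not from a real directory): each group DN maps to its
# immediate members, i.e. what `dsget group <GroupDN> -members` lists per group.
BASE = "OU=Test,DC=Microsoft,DC=Com"
DIRECT_MEMBERS = {
    f"CN=Backup Operators,{BASE}": [f"CN=Don Funk,{BASE}", f"CN=Ops Admins,{BASE}"],
    f"CN=Ops Admins,{BASE}": [f"CN=Helpdesk,{BASE}", f"CN=Mike Danseglio,{BASE}"],
    # Helpdesk nests Ops Admins again (in different letter case): a membership
    # cycle that the walk has to survive without looping forever.
    f"CN=Helpdesk,{BASE}": [f"CN=Linda,{BASE}", f"CN=ops admins,{BASE}"],
}


def common_name(dn):
    """Leading CN of a DN (enough for this sample; ignores escaped commas)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def expand_members(group_dn, direct_members):
    """Recursively expand a group's members.

    Returns {member_dn: [group_dn, ..., parent_group_dn]}: for every member in
    the closure, the chain of groups that leads from group_dn to it.
    """
    # Distinguished names compare case-insensitively, so index by lower case.
    groups = {dn.lower(): members for dn, members in direct_members.items()}
    visited = {group_dn.lower()}
    reached = {}
    queue = deque([(group_dn, [group_dn])])
    while queue:
        group, chain = queue.popleft()
        for member in groups.get(group.lower(), []):
            key = member.lower()
            if key in visited:          # already expanded: breaks cycles
                continue
            visited.add(key)
            reached[member] = chain
            if key in groups:           # the member is itself a group
                queue.append((member, chain + [member]))
    return reached


def nested_only(group_dn, direct_members):
    """Names of members that the immediate -members list would not show."""
    closure = expand_members(group_dn, direct_members)
    return sorted(common_name(m) for m, chain in closure.items() if len(chain) > 1)


if __name__ == "__main__":
    target = f"CN=Backup Operators,{BASE}"
    for member, chain in expand_members(target, DIRECT_MEMBERS).items():
        print(common_name(member), "via", " > ".join(common_name(g) for g in chain))
```

Members reported by nested_only are the ones to check first when reviewing a privileged group, because they never appear in its immediate member list.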

dsget ou

Displays the various properties of an organizational unit in the directory.

Syntax

dsget ou OrganizationalUnitDN ... [-dn] [-desc] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

Parameters

OrganizationalUnitDN ...

Required. Specifies the distinguished names of the organizational units that you want to view. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command.

-dn

Displays the distinguished names of the organizational units.

-desc

Displays the descriptions of the organizational units.

{-s Server | -d Domain}

Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.

-u UserName

Specifies the user name with which the user logs on to a remote server. By default, the logged on user name is used. You can specify a user name using one of the following formats:

  • user name (for example, Linda)
  • domain\user name (for example, widgets\Linda)
  • user principal name (UPN) (for example, Linda@widgets.microsoft.com)

-p {Password | *}

Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.

-c

Reports errors, but continues with the next object in the argument list when multiple target objects are specified (continuous operation mode). Without this option, the command exits on the first error.

-q

Suppresses all output to standard output (quiet mode).

-l

Displays entries in a list format. By default, entries are displayed in a table format.

{-uc | -uco | -uci}

Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.

Value   Description
-uc     Specifies a Unicode format for input from or output to a pipe (|).
-uco    Specifies a Unicode format for output to a pipe (|) or a file.
-uci    Specifies a Unicode format for input from a pipe (|) or a file.

/?

Displays help at the command prompt.

Remarks
  • If you do not supply a target object at the command prompt, the target object is obtained from standard input (stdin). Stdin data can be accepted from the keyboard, a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).
  • Use the dsget command to view properties of a specific object in the directory. For more information about using dsquery * to search for all objects that match a specific criterion, see Related Topics.
  • As a result of dsquery searches, you can pipe returned objects to dsget and obtain object properties. See Examples.
  • If a value that you supply contains spaces, use quotation marks around the text (for example, "OU=Domain Controllers,DC=Microsoft,DC=Com").
  • If you supply multiple values for a parameter, use spaces to separate the values (for example, a list of distinguished names).
Examples

To display the descriptions of all organizational units in the current domain, type:

dsquery ou domainroot | dsget ou -desc

dsget server

This command displays the various properties of a domain controller defined in the directory. There are three variations of this command. The first variation displays the general properties of a specified domain controller. The second variation displays a list of the security principals who own the largest number of directory objects on the specified domain controller. The third variation displays the distinguished names of the directory partitions on the specified server.

Syntax

dsget server ServerDN ... [-dn] [-desc] [-dnsname] [-site] [-isgc] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

dsget server ServerDN [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}] [-topobjowner Display]

dsget server ServerDN [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}] [-part PartitionDN]

Parameters

ServerDN ...

Required. Specifies the list of server object distinguished names to view. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command.

-dn

Displays the distinguished names of the servers.

-desc

Displays the descriptions of the servers.

-dnsname

Displays the DNS host names of the servers.

-site

Displays the site names to which the servers belong.

-isgc

Displays information about whether the server is a global catalog (yes) or not (no).

{-s Server | -d Domain}

Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.

-u UserName

Specifies the user name with which the user logs on to a remote server. By default, the logged on user name is used. You can specify a user name using one of the following formats:

  • user name (for example, Linda)
  • domain\user name (for example, widgets\Linda)
  • user principal name (UPN) (for example, Linda@widgets.microsoft.com)

-p {Password | *}

Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.

-c

Reports errors, but continues with the next object in the argument list when multiple target objects are specified (continuous operation mode). Without this option, the command exits on the first error.

-q

Suppresses all output to standard output (quiet mode).

-l

Displays entries in a list format. By default, entries are displayed in a table format.

{-uc | -uco | -uci}

Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.

Value   Description
-uc     Specifies a Unicode format for input from or output to a pipe (|).
-uco    Specifies a Unicode format for output to a pipe (|) or a file.
-uci    Specifies a Unicode format for input from a pipe (|) or a file.

-part PartitionDN

Connects to the directory partition with the distinguished name of PartitionDN.

-topobjowner Display

Displays a sorted list of the security principals (users, computers, security groups, and inetOrgPersons) that own the largest number of directory objects across all directory partitions on the server and the number of directory objects that they own. The number of accounts to display in the list is specified by Display. To display all object owners, type 0. If you do not specify Display, the number of principals listed defaults to 10.

/?

Displays help at the command prompt.

Remarks
  • If you do not supply a target object at the command prompt, the target object is obtained from standard input (stdin). Stdin data can be accepted from the keyboard, a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).
  • Use the dsget command to view properties of a specific object in the directory. For more information about using dsquery * to search for all objects that match a specific criterion, see Related Topics.
  • As a result of dsquery searches, you can pipe returned objects to dsget and obtain object properties. See Examples.
  • If a value that you supply contains spaces, use quotation marks around the text (for example, "CN=My Server,CN=Servers,CN=Site10,CN=Sites,CN=Configuration,DC=Microsoft,DC=Com").
  • If you supply multiple values for a parameter, use spaces to separate the values (for example, a list of distinguished names).
  • The properties requested by this command may reside either in the Server object for the domain controller or in the NTDSDSA object corresponding to the server.
Examples

To find all domain controllers for domain widgets.microsoft.com and display their DNS host name and site name, type:

dsquery server -domain widgets.microsoft.com | dsget server -dnsname -site

To show if a domain controller with the name DC1 is also a global catalog server, type:

dsget server CN=DC1,CN=Servers,CN=Site10,CN=Sites,CN=Configuration,DC=Microsoft,DC=Com -isgc

To display a sorted list of security principals who own the largest number of objects on the domain controller server1.widgets.microsoft.com, type:

dsget server CN=server1,CN=widgets,DC=Microsoft,DC=com -topobjowner

dsget user

Display the various properties of a user in the directory. There are two variations of this command. The first variation allows you to view the properties of multiple users. The second variation allows you to view the group membership information of a single user.

Syntax

dsget user UserDN ... [-dn] [-samid] [-sid] [-upn] [-fn] [-mi] [-ln] [-display] [-empid] [-desc] [-office] [-tel] [-email] [-hometel] [-pager] [-mobile] [-fax] [-iptel] [-webpg] [-title] [-dept] [-company] [-mgr] [-hmdir] [-hmdrv] [-profile] [-loscr] [-mustchpwd] [-canchpwd] [-pwdneverexpires] [-disabled] [-acctexpires] [-reversiblepwd] [{-uc | -uco | -uci}] [-part PartitionDN [-qlimit] [-qused]]

dsget user UserDN [-memberof] [-expand] [{-uc | -uco | -uci}]

Parameters

UserDN ...

Required. Specifies the distinguished names of the user objects that you want to view. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command. Compare with UserDN in the next command variation.

-dn

Displays the distinguished names of the users.

-samid

Displays the SAM account names of the users.

-sid

Displays the user security IDs (SIDs).

-upn

Displays the user principal names of the users.

-fn

Displays the first names of the users.

-mi

Displays the middle initials of the users.

-ln

Displays the last names of the users.

-display

Displays the display names of the users.

-empid

Displays the employee IDs of the users.

-desc

Displays the descriptions of the users.

-full

Displays the full names of the users.

-office

Displays the office locations of the users.

-tel

Displays the telephone numbers of the users.

-email

Displays the e-mail addresses of the users.

-hometel

Displays the home telephone numbers of the users.

-pager

Displays the pager numbers of the users.

-mobile

Displays the mobile phone numbers of the users.

-fax

Displays the fax numbers of the users.

-iptel

Displays the user IP phone numbers.

-webpg

Displays the user Web page URLs.

-title

Displays the titles of the users.

-dept

Displays the departments of the users.

-company

Displays the company information for the users.

-mgr

Displays the managers of the users.

-hmdir

Displays the drive letter to which the home directory of the user is mapped if the home directory path is a UNC path.

-hmdrv

Displays the user's home drive letter if home directory is a UNC path.

-profile

Displays the user profile paths.

-loscr

Displays the user logon script paths.

-mustchpwd

Displays information about whether users must change their passwords at the time of next logon (yes) or not (no).

-canchpwd

Displays information about whether users can change their password (yes) or not (no).

-pwdneverexpires

Displays information about whether the user passwords never expire (yes) or not (no).

-disabled

Displays information about whether user accounts are disabled for logon (yes) or not (no).

-acctexpires

Displays dates indicating when user accounts expire. If the accounts never expire, never is displayed.

-reversiblepwd

Displays information about whether the user passwords are allowed to be stored using reversible encryption (yes) or not (no).

UserDN

Required. Specifies the distinguished name of the user you want to view.

-memberof

Displays the immediate list of groups of which the user is a member.

-expand

Displays the recursively expanded list of groups of which the user is a member. This option takes the immediate group membership list of the user, and then recursively expands each group in this list to determine its group memberships as well to arrive at a complete closure set of the groups.

{-uc | -uco | -uci}

Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.

Value   Description
-uc     Specifies a Unicode format for input from or output to a pipe (|).
-uco    Specifies a Unicode format for output to a pipe (|) or a file.
-uci    Specifies a Unicode format for input from a pipe (|) or a file.

-part PartitionDN

Connects to the directory partition with the distinguished name of PartitionDN.

-qlimit

Displays the effective quota of the user within the specified directory partition.

-qused

Displays how much of the quota the user has used within the specified directory partition.

/?

Displays help at the command prompt.

Remarks
  • If you do not supply a target object at the command prompt, the target object is obtained from standard input (stdin). Stdin data can be accepted from the keyboard, a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).
  • Use the dsget command to view properties of a specific object in the directory. For more information about using dsquery * to search for all objects that match a specific criterion, see Related Topics.
  • As a result of dsquery searches, you can pipe returned objects to dsget and obtain object properties. See Examples.
  • The -canchpwd is an estimate on whether the user is allowed to change his password. This estimate has to do with the way the access control lists (ACLs) on the object are interpreted in order to arrive at the yes or no answer. The precise certainty regarding a user's ability to change a password can only be known by trying to change the password. This non-authoritative answer is not specific to this command-line tool, but is also inherent in the User Properties dialog box in Active Directory Users and Computers in Microsoft Management Console (MMC).
  • When none of the specific property parameters are specified for the dsget user command, the default set of user properties to display include the following: distinguished name, SAM account name, and description.
  • When the -memberof parameter is specified, it overrides all other parameters and only the membership list for the user is displayed.
Examples

To find all users in a given organizational unit whose name starts with "jon" and show their descriptions, type:

dsquery user OU=Test,dc=ms,dc=tld -name jon* | dsget user -desc

To show the list of groups, recursively expanded, to which a given user "Mike Danseglio" belongs, type:

dsget user "CN=Mike Danseglio,CN=users,dc=ms,dc=tld" -memberof -expand

dsget subnet

Displays properties of a subnet defined in the directory.

Syntax

dsget subnet
SubnetDN ... [-dn] [-desc] [-loc] [-site] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

Parameters

SubnetDN ...

Required. Specifies the common names of one or more subnets that you want to view.

-dn

Displays the distinguished names of the subnets. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command.

-desc

Displays the descriptions of the subnets.

-loc

Displays the subnet locations.

-site

Displays the site names associated with the subnets.

{-s Server | -d Domain}

Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.

-u UserName

Specifies the user name with which the user logs on to a remote server. By default, the logged on user name is used. You can specify a user name using one of the following formats:

  • user name (for example, Linda)
  • domain\user name (for example, widgets\Linda)
  • user principal name (UPN) (for example, Linda@widgets.microsoft.com)

-p {Password | *}

Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.

-c

Reports errors, but continues with the next object in the argument list when multiple target objects are specified (continuous operation mode). Without this option, the command exits on the first error.

-q

Suppresses all output to standard output (quiet mode).

-l

Displays entries in a list format. By default, entries are displayed in a table format.

{-uc | -uco | -uci}

Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.

Value   Description
-uc     Specifies a Unicode format for input from or output to a pipe (|).
-uco    Specifies a Unicode format for output to a pipe (|) or a file.
-uci    Specifies a Unicode format for input from a pipe (|) or a file.

/?

Displays help at the command prompt.

Remarks
  • If you do not supply a target object at the command prompt, the target object is obtained from standard input (stdin). Stdin data can be accepted from the keyboard, a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).
  • Use the dsget command to view properties of a specific object in the directory. For more information about using dsquery * to search for all objects that match a specific criterion, see Related Topics.
  • As a result of dsquery searches, you can pipe returned objects to dsget and obtain object properties.
  • If a value that you supply contains spaces, use quotation marks around the text.
  • If you supply multiple values for a parameter, use spaces to separate the values (for example, a list of subnet common names).
Examples

To display all relevant properties for the subnets 206.73.118.0/24 and 207.209.68.0/24, type:

dsget subnet "206.73.118.0/24" "207.209.68.0/24"

dsget site

Displays the various properties of a site defined in the directory.

Syntax

dsget site
SiteCN ... [-dn] [-desc] [-autotopology] [-cachegroups] [-prefGCsite] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

Parameters

SiteCN ...

Required. Specifies the common name of one or more sites that you want to view. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command.

-dn

Displays the distinguished names of the sites.

-desc

Displays the descriptions of the sites.

-autotopology

Displays information about whether automatic intersite topology generation is enabled (yes) or disabled (no) for specified sites.

-cachegroups

Displays information about whether caching of universal group memberships for this site is enabled (yes) or disabled (no) to support logons that do not check the global catalog.

-prefGCsite

Displays the name of the preferred global catalog site used to refresh universal group membership caching for this site's domain controllers, if universal group membership caching has been enabled.

{-s Server | -d Domain}

Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.

-u UserName

Specifies the user name with which the user logs on to a remote server. By default, the logged on user name is used. You can specify a user name using one of the following formats:

  • user name (for example, Linda)
  • domain\user name (for example, widgets\Linda)
  • user principal name (UPN) (for example, Linda@widgets.microsoft.com)

-p {Password | *}

Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.

-c

Reports errors, but continues with the next object in the argument list when multiple target objects are specified (continuous operation mode). Without this option, the command exits on the first error.

-q

Suppresses all output to standard output (quiet mode).

-l

Displays entries in a list format. By default, entries are displayed in a table format.

{-uc | -uco | -uci}

Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.

Value   Description
-uc     Specifies a Unicode format for input from or output to a pipe (|).
-uco    Specifies a Unicode format for output to a pipe (|) or a file.
-uci    Specifies a Unicode format for input from a pipe (|) or a file.

/?

Displays help at the command prompt.

Remarks
  • If you do not supply a target object at the command prompt, the target object is obtained from standard input (stdin). Stdin data can be accepted from the keyboard, a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).
  • Use the dsget command to view properties of a specific object in the directory. For more information about using dsquery * to search for all objects that match a specific criterion, see Related Topics.
  • As a result of dsquery searches, you can pipe returned objects to dsget and obtain object properties. See Examples.
  • If a value that you supply contains spaces, use quotation marks around the text (for example, "CN=Mike Danseglio,CN=Users,DC=Microsoft,DC=Com").
  • If you supply multiple values for a parameter, use spaces to separate the values (for example, a list of distinguished names).
Examples

To find all sites in the forest and display their descriptions, type:

dsquery site | dsget site -dn -desc

dsget quota

Displays the properties of a quota specification defined in the directory. A quota specification determines the maximum number of directory objects a given security principal can own in a specific directory partition.

Syntax

dsget quota
ObjectDN ... [-dn] [-acct] [-qlimit] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

Parameters

ObjectDN...

Required. Specifies the distinguished names of the quota objects to view. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command.

-dn

Displays the distinguished names of the quota objects.

-acct

Displays the distinguished names of the accounts to which the quotas are assigned.

-qlimit

Displays the quota limits for the specified quotas. An unlimited quota displays as "-1".

{-s Server | -d Domain}

Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.

-u UserName

Specifies the user name with which the user logs on to a remote server. By default, the logged on user name is used. You can specify a user name using one of the following formats:

  • user name (for example, Linda)
  • domain\user name (for example, widgets\Linda)
  • user principal name (UPN) (for example, Linda@widgets.microsoft.com)

-p {Password | *}

Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.

-c

Reports errors, but continues with the next object in the argument list when multiple target objects are specified (continuous operation mode). Without this option, the command exits on the first error.

-q

Suppresses all output to standard output (quiet mode).

-l

Displays entries in a list format. By default, entries are displayed in a table format.

{-uc | -uco | -uci}

Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.

Value   Description
-uc     Specifies a Unicode format for input from or output to a pipe (|).
-uco    Specifies a Unicode format for output to a pipe (|) or a file.
-uci    Specifies a Unicode format for input from a pipe (|) or a file.

/?

Displays help at the command prompt.

Remarks
  • If you do not specify a target object at the command prompt, the target object is obtained from standard input (stdin). Stdin data can be accepted from the keyboard, a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use CTRL+Z for End of File (EOF).
  • If you do not specify any of the optional parameters, the distinguished names of the quota specifications, the accounts to which the quotas are assigned, and the quota limits are all displayed.
  • Use the dsget command to view properties of a specific object in the directory. For more information about using dsquery * to search for all objects that match a specific criterion, see Related Topics.
  • As a result of dsquery searches, you can pipe returned objects to dsget and obtain object properties. For more information, see the Examples section of this topic.
  • If a value that you use contains spaces, use quotation marks around the text (for example, "CN=Mike Danseglio,CN=Users,DC=Microsoft,DC=Com").
  • If you use multiple values for a parameter, use spaces to separate the values (for example, a list of distinguished names).
Examples

To display the account to which the quota is assigned, and the quota limit for the quota specification "CN=quota1,dc=marketing,dc=northwindtraders,dc=com", type:

dsget quota CN=quota1,dc=marketing,dc=northwindtraders,dc=com -acct -qlimit

dsget partition

Displays the properties of a directory partition.

Syntax

dsget partition
ObjectDN ... [-dn] [-qdefault] [-qtmbstnwt] [-topobjowner Display] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

Parameters

ObjectDN...

Required. Specifies the distinguished names (also known as DN) of the partition objects to view. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command.

-dn

Displays the distinguished names of the directory partition objects.

-qdefault

Displays the default quota that applies to any security principal (for example, user, group, computer, or iNetOrg person) creating an object in the directory partition, if no specific quota specification governs that security principal. An unlimited quota displays as "-1".

-qtmbstnwt

Displays the percent by which the tombstone object count should be reduced when calculating quota usage.

-topobjowner Display

Displays a sorted list of the security principals (users, computers, security groups, and inetOrgPersons) that own the largest number of objects in the specified directory partition and the number of directory objects that they own. The number of accounts to display in the list is specified by Display. To display all object owners, type 0. If you do not specify Display, the number of principals listed defaults to 10.

{-s Server | -d Domain}

Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.

-u UserName

Specifies the user name with which the user logs on to a remote server. By default, the logged on user name is used. You can specify a user name using one of the following formats:

  • user name (for example, Linda)
  • domain\user name (for example, widgets\Linda)
  • user principal name (UPN) (for example, Linda@widgets.microsoft.com)

-p {Password | *}

Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.

-c

Reports errors, but continues with the next object in the argument list when multiple target objects are specified (continuous operation mode). Without this option, the command exits on the first error.

-q

Suppresses all output to standard output (quiet mode).

-l

Displays entries in a list format. By default, entries are displayed in a table format.

{-uc | -uco | -uci}

Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.

Value   Description
-uc     Specifies a Unicode format for input from or output to a pipe (|).
-uco    Specifies a Unicode format for output to a pipe (|) or a file.
-uci    Specifies a Unicode format for input from a pipe (|) or a file.

/?

Displays help at the command prompt.

Remarks
  • If you do not specify a target object at the command prompt, the target object is obtained from standard input (stdin). Stdin data can be accepted from the keyboard, a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use CTRL+Z for End of File (EOF).
  • When none of the optional parameters is specified, the distinguished name of the directory partition object is displayed.
  • When -topobjowner is specified, it overrides any other specified parameters, so that only the results of -topobjowner are displayed.
  • Use the dsget command to view properties of a specific object in the directory. For more information about using dsquery * to search for all objects that match a specific criterion, see Related Topics.
  • As a result of dsquery searches, you can pipe returned objects to dsget and obtain object properties. For more information, see the Examples section of this topic.
  • If a value that you use contains spaces, use quotation marks around the text (for example, "CN=Mike Danseglio,CN=Users,DC=Microsoft,DC=Com").
  • If you use multiple values for a parameter, use spaces to separate the values (for example, a list of distinguished names).
Examples

To display all directory partitions in the forest northwindtraders.com that begin with "application" along with the top three object owners from each partition, type:

dsquery server -forest -part application* | dsget server -part | dsget partition -topobjowner 3