Dsquery

The Dsquery command queries Active Directory for objects that match a specific criteria set. The command's basic syntax is:

dsquery object_type [{StartNode | forestroot | domainroot}] [-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}] [-name Name] [-desc Description] [-upn UPN] [-samid SAMName] [-inactive NumberOfWeeks] [-stalepwd NumberOfDays] [-disabled] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}]

As you can see, there are numerous parameters and options for each parameter. In fact, there are even more than the common items listed here. Do not let the list overwhelm you. First, many of the switches are shared with other directory service commands—so as you learn about a switch in any one command, you will be able to apply that knowledge to other commands. Second, you will not need to know the switches in detail to pass the 70-290 certification exam, and you can always use a reference when applying the commands to real-world tasks.

Note: When using DNs in a command parameter, enclose the name in quotation marks when it includes spaces. If a subcomponent of the distinguished name includes a backslash or comma, see the online help topic listed earlier.

Exam Tip: To meet the objectives of the 70-290 certification exam, you must understand the role and use of each command and how the commands interrelate, and you must be able to achieve specific tasks with the DS commands: pay careful attention to the examples provided in this lesson.

The basic parameters of Dsquery are summarized in Table 3-4.

Table 3-4 Parameters for the Dsquery Command

Query scope

object type: Required. The object type represents the object class(es) that will be searched. The object type can include computer, subnet, contact, group, OU, site, server, user, or the wildcard "*" to represent any object class. This lesson will focus on the command's use in querying for the user object type.

{StartNode | forestroot | domainroot}: Optional. Specifies the node from which the search begins. You can specify the forest root (forestroot), domain root (domainroot), or a node's DN (StartNode). If forestroot is specified, the search is performed using the global catalog. The default value is domainroot.

-scope {subtree | onelevel | base}: Optional. Specifies the scope of the search. A value of subtree indicates that the scope is a subtree rooted at StartNode. A value of onelevel indicates the immediate children of StartNode only. A value of base indicates the single object represented by StartNode. If forestroot is specified as StartNode, subtree is the only valid scope. By default, the subtree search scope is used.

How to display the result set

-o {dn | rdn | samid}: Specifies the format in which the list of entries found by the search will be displayed. A dn value displays the distinguished name of each entry. An rdn value displays the relative distinguished name of each entry. A samid value displays the Security Accounts Manager (SAM) account name of each entry. By default, the dn format is used.

Query criteria

-name Name: Searches for users whose name attribute (the value of the CN attribute) matches Name. You can use wildcards. For example, "jon*" or "*ath" or "j*th" would each produce a result set that includes users named Jonathan.

-desc Description: Searches for users whose description attribute matches Description. You can use wildcards.

-upn UPN: Searches for users whose UPN attribute matches UPN.

-samid SAMName: Searches for users whose SAM account name matches SAMName. You can use wildcards.

-inactive NumberOfWeeks: Searches for all users that have been inactive (stale) for the specified number of weeks.

-stalepwd NumberOfDays: Searches for all users who have not changed their passwords for the specified number of days.

-disabled: Searches for all users whose accounts are disabled.

Domain controller and credentials used for the command

{-s Server | -d Domain}: Connects to a specified remote server or domain.

-u UserName: Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:

■ domain\user name (for example, widgets\Linda)

■ UPN (for example, Linda@widgets.microsoft.com)

-p {Password | *}: Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.

Examine the command used as an example at the beginning of the chapter:

dsquery user "OU=Employees,DC=Contoso,DC=Com" -stalepwd 60

You can now identify the following components of the command:

■ Query Scope: The query scope is made up of two components. The first is the target object type, user. The second is the target object identity, StartNode, which is the DN of the Employees OU.

■ Query Criteria: Password has been inactive for 60 days or more: -stalepwd 60.

■ How To Display The Result Set: DNs. Because no -o switch was used, the command will output using the default format: a list of DNs of objects meeting the criteria within the scope.

Piping Dsquery Results To Other Directory Service Commands

Dsquery is often used to generate a list of objects against which other DS commands will operate. This is accomplished by piping the output of Dsquery to a second command. For example:

dsquery user "OU=Employees,DC=Contoso,DC=Com" -stalepwd 60 | dsmod user -mustchpwd yes

This command line queries the Employees OU for users who have not changed their password for 60 days and pipes the resulting list of objects to Dsmod, which configures each object with the property "User Must Change Password At Next Logon." The other DS commands accept DNs as their input.

Exam Tip: Inactivity is specified in weeks, but password changes are specified in days.

To understand how the command line works, let's begin by looking at an example of Dsmod (which we will discuss in more detail later in the chapter):

dsmod user "CN=Dan Holme,OU=Employees,DC=Contoso,DC=Com" -mustchpwd yes

This command modifies the account of the user Dan Holme and sets the flag requiring the user to change passwords at the next logon. Again you can see common elements:

■ The target object type: user

■ The target object identity: Dan Holme. The DN of objects including users, groups, and computers begins with the common name (CN) of the object followed by its parent OUs and domain.

■ The switch -mustchpwd, which indicates the "Must Change Password" property, and the value yes, which sets the flag.

You can imagine it would get tiring to enter this command multiple times for each user who should be required to change passwords. Luckily, you can enter the target object parameter not only as a DN but by piping a list of objects to the command. Piping refers to a process through which the output of one command is directed to another command rather than to the command console. It is called "piping" because you use the pipe symbol ("|") to redirect a command's output.

Look at the following command:

dsquery user "OU=Employees,DC=Contoso,DC=Com" -stalepwd 60 | dsmod user -mustchpwd yes

Notice the familiar Dsquery command that produces a list of users who have not changed passwords for 60 days or more. It is followed by the pipe symbol, indicating that its output (by default, a list of DNs) is redirected. Following the pipe is the Dsmod command without a target object specified. That syntax tells the Dsmod command to receive the input from the Dsquery command. It is no coincidence that the target object identity parameter of a directory service command takes the DN of an object and that the Dsquery command produces, by default, a list of DNs. The Dsmod command will be repeated for each item in the list produced by Dsquery, so together these two commands—Dsquery piped into Dsmod—will set the change password flag for each user account in the Employees OU that has not changed passwords for the last 60 days or more.

We will return to examine Dsmod in more detail. But to wrap up our discussion of Dsquery and piping its results to other commands, let's reiterate that the Dsquery command is often used to produce a list of objects meeting a set of criteria and to pipe that list of objects into one of the other directory service commands.
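The query-then-modify pipeline above, as an added example that is not from the original text: a cmd.exe batch file that saves the Dsquery result, shows it for review, and pipes it to Dsmod only after confirmation. The scratch file name and the prompt are assumptions; -limit 0 is added because Dsquery otherwise returns only the first 100 matching objects, so a bulk change on a larger OU would silently skip accounts.

```batch
@echo off
rem Added example (not from the original text): review, then apply.
setlocal
rem Assumed values: the OU from the text and a scratch file in the TEMP folder.
set "OU=OU=Employees,DC=Contoso,DC=Com"
set "LIST=%TEMP%\stalepwd-dns.txt"

rem Step 1: save the DN list. -limit 0 returns every match; without it
rem Dsquery stops after the first 100 objects.
dsquery user "%OU%" -stalepwd 60 -limit 0 > "%LIST%"
rem Assumption: Dsquery returns a non-zero exit code when the query fails.
if errorlevel 1 (
    echo Dsquery failed. No accounts were changed.
    exit /b 1
)

rem Step 2: count the DNs, one per line, and stop if there are none.
set "COUNT=0"
for /f %%C in ('find /c /v "" ^< "%LIST%"') do set "COUNT=%%C"
if "%COUNT%"=="0" (
    echo No accounts matched. Nothing to do.
    exit /b 0
)

rem Step 3: show who would be affected. Dsget reads the DNs from stdin.
echo %COUNT% accounts have not changed passwords for 60 days or more:
type "%LIST%" | dsget user -samid -disabled

rem Step 4: change the accounts only after an explicit "yes".
set "ANSWER="
set /p "ANSWER=Apply -mustchpwd yes to these accounts (yes/no)? "
if /i not "%ANSWER%"=="yes" (
    echo Cancelled. No accounts were changed.
    exit /b 0
)
type "%LIST%" | dsmod user -mustchpwd yes
```

The saved DN list also serves as a record of exactly which accounts were modified.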
