
DSQuery Command Line Tool for Active Directory 2003

New DS built-in tools for Windows Server 2003

At last I have found a really useful member of the DS family of utilities.  If I need to find a user quickly from the command prompt, I call for DSQuery.

DSQuery Examples


Example 1 - DSQuery to list all the OUs in your domain

Let us find out how many Organizational Units there are in your domain.  Either of these commands will produce a listing of all OUs.


dsquery ou dc=mydom,dc=com
dsquery ou domainroot

Learning Points

Note 1:  dc does NOT mean domain controller, it means domain context.

Note 2:  The dc commands are not case sensitive, but they dislike spaces.
dc=mydom,    dc=com will draw an error.

Note 3:  If you haven't got any OUs (Organizational Units), I seriously suggest that you create some to organize your users.

Note 4:  Best of all, in this scenario, you can substitute domainroot for dc=mydom,dc=com.

Example 2 - To find all users in the default Users folder with DSQuery

In this DSQuery example we just want to trawl the users folder and find out who is in that container.

dsquery user cn=users,dc=cp,dc=com

Learning Points

Note 1:  The default users' folder is actually a container object called cn=users.  My point is if you try ou=users, the command fails.

Note 2:  I queried users, however dsquery requires the singular user, not userS.  Other objects that you can query are computer (not computers!), group or even contact.

Challenge 1:  Substitute OU=xyz for cn=users, where xyz is the name of your OU.  Unfortunately, cn=users domainroot does not work.

Challenge 2:  Substitute computer for user


Example 3 - DSQuery to list all your Domain Controllers

Suppose you want to list all of your domain controllers (not computers).  Which command do you think would supply the information?

dsquery server
dsquery server domainroot
dsquery server dc=cp,dc=com

Learning Points

Note 1:  Amazingly, dsquery server, the simplest command, gets the job done.

Note 2:  I thank Jim D for pointing out that what we want here is the singular 'server'.

Example 4 - To query the FSMO roles of your Domain Controllers

Here is a wonderful switch for finding the FSMO roles (Flexible Single Master Roles): -hasfsmo.  The arguments, which correspond to the 5 roles, are: schema, rid, name, infr and pdc.


dsquery server -hasfsmo schema

Learning Points

Note 1:  The command is -hasfsmo  not ?hasfsmo as in some documents.

Example 5 - DSQuery to find all users whose name begins with smith*

This DSQuery example shows two ways to filter your output and so home in on what you are looking for.  Let us pretend that we know the user's name but have no idea in which OU they are to be found.  Moreover, we are not sure whether their name is spelt Smith, Smithy or Smithye.


dsquery user domainroot -name smith*
dsquery user dc=cp,dc=com -name smith*
or plain
dsquery user -name smith*

Learning Points

Note 1:  Remember to type the singular user.

Note 2:  Probably no need to introduce *, you probably realize it's a wildcard.

Note 3:  -name is but one of a family of filters. -desc or -disabled are others.


Example 6 - DSQuery to filter the output with -o rdn

The purpose of -o rdn is to reduce the output to just the relative distinguished name.  In a nutshell rdn strips away the OU=, DC= part which you may not be interested in.

dsquery user -name smith* -o rdn

Learning Points

Note 1:  o is the letter oh (not a number).  In my mind's eye o stands for output.

Note 2:  There is a switch -o dn, but this is not a switch I use. 
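The switches from Examples 3 to 6 combined into one read-only inventory script, as an added example that is not part of the original page. The -limit, -inactive and -stalepwd switches are further dsquery user filters not shown above; the report file name and the 4-week and 90-day thresholds are assumptions.

```batch
@echo off
rem Added example, not from the original page: a read-only AD inventory
rem built from the dsquery switches in Examples 3 to 6.
rem Assumptions: run from a domain-joined machine with the DS tools installed;
rem the report file name and both thresholds below are illustrative.
setlocal
set "REPORT=ad-inventory.txt"

> "%REPORT%" echo AD inventory %DATE% %TIME%

rem Example 3: every domain controller, shortened with -o rdn (Example 6).
>> "%REPORT%" echo.
>> "%REPORT%" echo [Domain controllers]
dsquery server -o rdn >> "%REPORT%"

rem Example 4: one query per FSMO role instead of schema alone.
for %%R in (schema rid name infr pdc) do (
    >> "%REPORT%" echo.
    >> "%REPORT%" echo [FSMO role holder: %%R]
    dsquery server -hasfsmo %%R -o rdn >> "%REPORT%"
)

rem Example 5, Note 3: -disabled is one of the filter family.
rem dsquery stops after 100 objects by default; -limit 0 removes the cap,
rem otherwise a large domain silently produces a truncated list.
>> "%REPORT%" echo.
>> "%REPORT%" echo [Disabled user accounts]
dsquery user domainroot -disabled -o rdn -limit 0 >> "%REPORT%"

rem -inactive takes a number of weeks since the last logon.
>> "%REPORT%" echo.
>> "%REPORT%" echo [Users inactive for 4 weeks or more]
dsquery user domainroot -inactive 4 -o rdn -limit 0 >> "%REPORT%"

rem -stalepwd takes a number of days since the password was last changed.
>> "%REPORT%" echo.
>> "%REPORT%" echo [Users whose password is 90 days old or more]
dsquery user domainroot -stalepwd 90 -o rdn -limit 0 >> "%REPORT%"

echo Report written to %REPORT%
endlocal
```

Drop -o rdn from the user queries when you need the full distinguished name to see which OU each account lives in.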

Summary - DSQuery

Knowledge is power.  The DS family in general, and DSQuery in particular, are handy commands for interrogating Active Directory from the command line.  Perhaps the day will come when you need to find a user, computer or group without calling for the Active Directory Users and Computers GUI.  Next try DSGet.


Author: Guy Thomas Copyright © 1999-2014 Computer Performance LTD All rights reserved.
