Examples of AD from the Command-line

User Information
Find DN of Currently Logged On User

Paste code as is:

dsquery * domainroot -filter "(samAccountName=%USERNAME%)"

Find User With Primary Email Address

Retrieve user object matching given address as primary SMTP e-mail.


dsquery * domainroot -filter "(&(objectClass=User) (mail=<email address>))" -l -d <domain> -attr *

dsquery * domainroot -filter "(&(objectClass=User) (mail=John.Doe@mydom.com))" -l -d mydom.local -attr *

Find User With Any Email Address

Retrieve user object matching any assigned e-mail address.


dsquery * domainroot -filter "(&(objectClass=User) (proxyAddresses=*<email address>*))" -l -d <domain> -attr *

dsquery * domainroot -filter "(&(objectClass=User) (proxyAddresses=*John.Doe@mydom.com*))" -l -d mydom.local -attr *

Find Email of User when DN is Known

Retrieve user object matching given DN and show primary SMTP e-mail address.


dsquery * domainroot -filter "(distinguishedName=<DN>)" -d <domain> -l -attr mail

dsquery * domainroot -filter "(distinguishedName=CN=Kerekes\, Charlie,OU=Knoxville,DC=mydom,DC=local)" -d mydom.local -l -attr mail

Find Hidden GAL Recipients

Retrieve all user objects that are hidden from the Global Address List in Exchange.


dsquery * domainroot -filter "(&(objectClass=User) (msExchHideFromAddressLists=TRUE))" -l -d <domain> -attr displayName

dsquery * domainroot -filter "(&(objectClass=User) (msExchHideFromAddressLists=TRUE))" -l -d mydom.local -attr displayName

Users With Password Set to Never Expire

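Retrieve list of users with the “Password never expires” flag set. The flag is bit 65536 of userAccountControl, so the filter tests that bit with the LDAP bitwise-AND matching rule (1.2.840.113556.1.4.803). A plain >=65536 comparison would also return accounts that only have higher-valued flags set.

dsquery * domainroot -filter "(&(objectClass=user) (userAccountControl:1.2.840.113556.1.4.803:=65536))" -attr sAMAccountName userPrincipalName userAccountControl -d <domain>

dsquery * domainroot -filter "(&(objectClass=user) (userAccountControl:1.2.840.113556.1.4.803:=65536))" -attr sAMAccountName userPrincipalName userAccountControl -d mydom.local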
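
Added example, not part of the original post: "Password never expires" is bit 65536 (DONT_EXPIRE_PASSWD) of userAccountControl, and this Python sketch compares a numeric >=65536 test with a bit test when auditing query results. The account names and values are constructed for illustration.

```python
# Added example; the accounts below are constructed, not real directory data.
DONT_EXPIRE_PASSWD = 0x10000  # 65536, the "Password never expires" bit

UAC_FLAGS = {  # subset of the documented userAccountControl flags
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
}

def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def match_numeric(value):
    """What the filter (userAccountControl>=65536) selects."""
    return value >= DONT_EXPIRE_PASSWD

def match_bitwise(value):
    """What (userAccountControl:1.2.840.113556.1.4.803:=65536) selects."""
    return (value & DONT_EXPIRE_PASSWD) == DONT_EXPIRE_PASSWD

SAMPLE = [  # (sAMAccountName, userAccountControl), constructed
    ("jdoe", 512),           # normal account, password expires
    ("svc_backup", 66048),   # 512 + 65536
    ("svc_old", 66050),      # 512 + 65536 + 2 (disabled)
    ("card_user", 262656),   # 512 + 262144, password still expires
    ("DC01$", 532480),       # 8192 + 524288, computer objects are also class user
]

def audit(accounts):
    """Return (accounts with the bit set, accounts only the numeric test matches)."""
    hits, over_matched = [], []
    for name, uac in accounts:
        if match_bitwise(uac):
            hits.append(name)
        elif match_numeric(uac):
            over_matched.append(name)
    return hits, over_matched

if __name__ == "__main__":
    for name, uac in SAMPLE:
        print(f"{name:12} {uac:7} {decode_uac(uac)}")
    print(audit(SAMPLE))
```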

Group Information
List Members of a Group

Querying AD for group membership is a multi-step process. The reason is that AD stores group membership in two places. The first place is the most obvious—in the member attribute of the group object. The second is not as obvious—as an integer value in the primaryGroupID attribute of user objects.

For most scenarios, querying the member attribute of group objects will provide a complete list of members. However, if the group in question is set as a default group for any user object, that user will not be listed in the member attribute.

Query the Group’s “Member” Attribute

The sample below lists all members stored in the member attribute of the group. If this query is not showing all members, you will need to perform the queries in the next section as well.


dsquery * domainroot -filter "(&(objectClass=group)(name=<group name>))" -l -d <domain> -attr member

dsquery * domainroot -filter "(&(objectClass=group)(name=Help Desk Associates))" -l -d mydom.local -attr member

Query the User’s “primaryGroupID” Attribute

First, we determine the primary group ID for the group in question. We do this by finding the SID of the group object; the last segment of the SID is used as the primary group ID.


dsquery * domainroot -filter "(&(objectClass=group)(name=<group name>))" -l -d <domain> -attr objectSid

dsquery * domainroot -filter "(&(objectClass=group)(name=Help Desk Associates))" -l -d mydom.local -attr objectSid

The above query will produce an output similar to this:


Now we are ready to find all user objects that have the above group set as their default.


dsquery * domainroot -filter "(&(objectClass=user)(primaryGroupID=<primary group ID>))" -l -d <domain> -attr cn

dsquery * domainroot -filter "(&(objectClass=user)(primaryGroupID=1169))" -l -d mydom.local -attr cn
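
Added example, not part of the original post: the two-step lookup above expressed in Python, going slightly beyond the text by also decoding the binary objectSid form that raw LDAP clients return. The SID's domain portion, the user DNs and the dictionary layout are constructed for illustration; only the group name and the RID 1169 come from the examples above.

```python
import struct

def sid_to_string(raw):
    """Render a binary objectSid (the form LDAP returns) as S-1-5-21-..."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")     # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])  # 32-bit each, little-endian
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def rid_of(sid):
    """Last segment of the SID; this is the value primaryGroupID stores."""
    return int(sid.rsplit("-", 1)[1])

def primary_group_filter(sid):
    """LDAP filter for users whose default group is the group with this SID."""
    return "(&(objectClass=user)(primaryGroupID=%d))" % rid_of(sid)

def effective_members(group, users):
    """Union of the member attribute and users holding the group as primary."""
    rid = rid_of(group["objectSid"])
    via_primary = {u["dn"] for u in users if u["primaryGroupID"] == rid}
    return sorted(set(group["member"]) | via_primary)

# Constructed sample data (not from a real directory).
RAW_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1111111111, 2222222222, 3333333333, 1169)
GROUP = {
    "name": "Help Desk Associates",
    "objectSid": sid_to_string(RAW_SID),
    "member": ["CN=John Doe,OU=Knoxville,DC=mydom,DC=local"],
}
USERS = [
    {"dn": "CN=John Doe,OU=Knoxville,DC=mydom,DC=local", "primaryGroupID": 513},
    {"dn": "CN=Alice Smith,OU=Knoxville,DC=mydom,DC=local", "primaryGroupID": 1169},
]

if __name__ == "__main__":
    print(GROUP["objectSid"])
    print(primary_group_filter(GROUP["objectSid"]))
    for dn in effective_members(GROUP, USERS):
        print(dn)
```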

List Group Members with Additional User Attributes

If we want more than the DN of group members, we need to use a FOR statement to first generate the list of members, then query each member object for the desired attributes.

Please be aware that the example below queries only the member attribute of the group and will miss any user objects with this group as their default. See the above section for details about the primaryGroupID attribute.


for /F "delims=*" %i IN ('dsquery * domainroot -filter "(&(objectClass=group)(name=<group name>))" -l -d <domain> -attr member') DO @dsquery * domainroot -filter "(distinguishedName=%i)" -attr <attributes>

for /F "delims=*" %i IN ('dsquery * domainroot -filter "(&(objectClass=group)(name=Help Desk Associates))" -l -d mydom.local -attr member') DO @dsquery * domainroot -filter "(distinguishedName=%i)" -attr displayName samAccountName mail

Computer Information
List All Computer Objects


dsquery * domainroot -filter "(objectClass=Computer)" -attr name -l -d <domain>

dsquery * domainroot -filter "(objectClass=Computer)" -attr name -l -d mydom.local

List Computer Objects in a Specific OU

This example lists all computer objects stored in the mydom.local/Servers/Exchange OU.


dsquery * "<OU DN>" -filter "(objectClass=Computer)" -attr name -l -d <domain>

dsquery * "ou=Exchange,ou=Servers,dc=mydom,dc=local" -filter "(objectClass=Computer)" -attr name -l -d mydom.local

List All Domain Controllers


dsquery * "ou=domain controllers,<domain DN>" -filter "(objectClass=Computer)" -attr name -l -d <domain>

dsquery * "ou=domain controllers,dc=mydom,dc=local" -filter "(objectClass=Computer)" -attr name -l -d mydom.local

Find DN of Computer Object in Current Domain

The DN contains the full directory path of the computer object and can be helpful in locating the computer using the GUI tools in a complex AD structure.


dsquery * domainroot -filter "(&(objectClass=Computer) (name=<computer name>))"

dsquery * domainroot -filter "(&(objectClass=Computer) (name=exch19))"

Is very frustrated with Exchange

Is very frustrated with our Exchange provider's broken Outlook Anywhere OOF and OAB!

Tired of working on Exchange

I’m tired of working on Exchange 2007 problems. Now I am going to play video games for a while. #break

Restoring Exchange/Outlook contacts…

Now moving on to finding and restoring the hundreds (thousands?) of lost Exchange/Outlook contacts from migration. #e2k7

Windows7 is working great…

Windows7 is working GREAT from my install. The corporate IT deploy image is horrible and starting to give win7 a bad name in our org. #win7

Unhappy with current Win7 image…

very unhappy with current Win7 Enterprise image! need to build image and show IT how a corporate deployment image is supposed to work. #win7

Making IT profitable?

So you have a truly great IT department, from the CIO down, but IT is still a cost center. Why not offer their services to other organizations at fair market value and at least make it a zero sum cost?
— More to follow soon —

Jobless in Seattle

It’s been a few days since I was laid off from Zillow.com and I thought I’d jot down some of the things that have been going on.

On Friday, October 17, I got the news that 40+ colleagues and I were being let go from Zillow in an effort to reduce company spending.  Our official final day of employment would be the next Tuesday, October 21, 2008. This really did not come as much of a shock to me, but others being laid off were very surprised and upset.  I feel that Zillow.com did a good job of handling the difficult task of downsizing the company. I will not go into specifics but will say the severance package was fair, especially in light of the current economy.


Zillow Release

At Zillow we are trying to launch new code to our website 24 times a year, or approximately every other week.  By new code I’m not including bug fixes.  I’m talking about new features, services, views, reports, and such things that really change the customer’s experience on our site.  This also includes major software backend services, that may not be plainly visible but fundamentally and/or architecturally change the way we provide access to our vast amounts of data.  Bug fixes get rolled out each day for a couple of days following the Release.

Today was a Release day, but the new code and data deployment had to be backed out before it actually Released To Web (RTW). We usually pull half our “services” from live use and deploy the new bits. When the new stuff is “prop’ed” and ready we do functional testing.  It was during this time that problems were discovered and everything that had been updated needed to be reverted back to the old software.  Time consuming and sometimes error prone after an already long day’s work.

Data had also been updated but it was first thought those changes were 100% backward compatible with the old software release code. The short of it is, “wrong. we are seeing all kinds of data exceptions!”

Now a long day has become a real long day, and sliding downhill into the abyss of exhaustion.

Thursday is going to be an interesting day in the office.