Using DSQUERY to get the members of a Group in AD

Bob Randall

Apr 6, 2005, 9:09:01 AM
Can anyone give me the correct syntax (if it exists) to use the DSQUERY
command line tool to query the members of a specific group in AD? I have
tried many combinations and I can't seem to figure it out. I tried:

dsquery user OU=xxx, DC=yyy,DC=ZZZ

but I don't know what should go after that. I also tried the dsquery group
method with no luck. Does anyone know the correct way??

Thanks!

Bob Randall

ptwilliams

Apr 6, 2005, 9:53:02 AM
C:\>dsget group "CN=GroupName,DC=domain-name,DC=com" -members

If you need to specify a server and/or credentials, append the following on
the end:

-s dc01 -u userName -p *


--
Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

Bob Randall

Apr 6, 2005, 10:13:03 AM
Perfect - thanks a lot!

ptwilliams

Apr 6, 2005, 12:26:36 PM
No problem! :-)

Mik

Feb 6, 2006, 4:29:14 PM
I am trying the same thing but I keep getting this error:

dsget failed:A referral was returned from the server.

Any ideas what this is?

Paul Williams [MVP]

Feb 7, 2006, 1:52:23 AM
What command are you typing?

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net


Paul Williams [MVP]

Feb 8, 2006, 8:05:15 AM
I don't understand that. DSGET will chase referrals. I just used that same
command to output the members of a group in the root domain from a child
domain.

What else can you tell me about your environment?

Paul Williams [MVP]

Feb 10, 2006, 3:20:53 AM
Weird. I can't see why that command won't work. Unless the domain you are
using is different to your DNS domain?

Try the same thing with adfind (download from www.joeware.net)

adfind -b cn=group,cn=users,dc=domain-name,dc=com member -nodn

DA

Jun 22, 2006, 11:23:01 AM
I get that with scripts that enumerate objects in AD when I run the script
logged on to a domain different from that I'm trying to search. Try it first
making sure you're logged on to the domain you're searching and you might
have it work doing the command as a batch file and doing "run as" and
specifying creds in the search domain.

ntumanguil@hotmail

Nov 11, 2009, 3:23:28 AM

Hi Paul,

Sorry, Can you help me to give a dsquery command to get all inactive
domain clients from specific OU?

Thanks,
Nap



Richard Mueller [MVP]

Nov 11, 2009, 12:09:22 PM

"ntumanguil@hotmail" <ntumanguilho...@DoNotSpam.com> wrote in
message news:ntumanguilho...@DoNotSpam.com...

>
> Hi Paul,
>
> Sorry, Can you help me to give a dsquery command to get all inactive
> domain clients from specific OU?
>
> Thanks,
> Nap
>

After checking the dsquery syntax help at a command prompt, I got:

dsquery user "ou=Sales,ou=West,dc=MyDomain,dc=com" -inactive 4

This queries for users in the specified OU that have not logged on in the
last 4 weeks. However, the domain must be at Windows 2003 functional level
for this to work. Otherwise you can use:

dsquery user "ou=Sales,ou=West,dc=MyDomain,dc=com" -stalepwd 30

to find users that have not changed their password in the specified number
of days. Or, if your domain does not support -inactive and you don't want to
use -stalepwd, you can run a VBScript program that retrieves the lastLogon
attribute for all users. Such a program must query every Domain Controller
in the domain. See this link:

http://www.rlmueller.net/Last%20Logon.htm

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
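
Added example, not part of the original thread and not Richard Mueller's script: the "query every Domain Controller" approach from the reply above, written in PowerShell rather than the VBScript it links to. It assumes the ActiveDirectory module (RSAT) is installed; the OU is the sample value from the post and the 28-day threshold is chosen to match `-inactive 4`.

```powershell
# Added example: newest lastLogon per user across all domain controllers.
# Assumptions: ActiveDirectory module available; OU and threshold are sample values.
Import-Module ActiveDirectory

$SearchBase   = 'ou=Sales,ou=West,dc=MyDomain,dc=com'
$InactiveDays = 28     # 4 weeks, matching "-inactive 4"
$Cutoff       = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

# lastLogon is not replicated: each DC records only the logons it handled itself,
# so the true value is the highest one found on any DC.
$Newest = @{}          # distinguishedName -> highest FILETIME seen so far
$Failed = @()          # DCs that could not be queried

foreach ($dc in Get-ADDomainController -Filter *) {
    $query = @{
        Filter      = '*'
        SearchBase  = $SearchBase
        SearchScope = 'Subtree'
        Server      = $dc.HostName
        Properties  = 'lastLogon'
        ErrorAction = 'Stop'
    }
    try   { $users = Get-ADUser @query }
    catch { $Failed += $dc.HostName; continue }

    foreach ($u in $users) {
        $value = [int64]$u.lastLogon     # unset attribute becomes 0 (never on this DC)
        $dn    = $u.DistinguishedName
        if (-not $Newest.ContainsKey($dn) -or $value -gt $Newest[$dn]) {
            $Newest[$dn] = $value
        }
    }
}

# A DC that was skipped may hold the most recent logon, so flag partial results.
if ($Failed.Count -gt 0) {
    Write-Warning ("Result is incomplete; unreachable DCs: " + ($Failed -join ', '))
}

$Newest.GetEnumerator() | ForEach-Object {
    $when = if ($_.Value -gt 0) { [DateTime]::FromFileTimeUtc($_.Value) } else { $null }
    [pscustomobject]@{
        DistinguishedName = $_.Key
        LastLogonUtc      = $when    # empty = no logon recorded on any reachable DC
        Inactive          = ($null -eq $when) -or ($when -lt $Cutoff)
    }
} | Where-Object Inactive | Sort-Object LastLogonUtc
```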