To export a list of all computers and non-domain-controller servers in an Active Directory OU, use dsquery.exe. For example, to export all computers in mydomain.com's servers OU to machines.txt:
DSQUERY COMPUTER "OU=servers,DC=mydomain,DC=com" -o rdn -limit 1000 > c:\machines.txt
Use -limit when you want to return more than the default 100 results. Note that -o rdn produces the relative distinguished name (which means no OU=,DC= in the name). Type the quotation marks around the OU path as plain straight quotes; curly quotes pasted from a web page are not treated as quoting characters by the command prompt.
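The export above, extended into a small inventory script that also lists stale and disabled computer accounts in the same OU, using the -inactive, -stalepwd and -disabled filters from the syntax listing on this page. This is an added example, not part of the original post; the OU path, the ad-inventory output folder and the 12-week and 90-day thresholds are assumptions to adjust for your domain.

```batch
@echo off
setlocal
rem Added example. The OU DN, output folder and thresholds are placeholders.
set "OU=OU=servers,DC=mydomain,DC=com"
set "OUT=%~dp0ad-inventory"
if not exist "%OUT%" mkdir "%OUT%"

call :export all
call :export inactive-12w -inactive 12
call :export stalepwd-90d -stalepwd 90
call :export disabled -disabled
exit /b 0

:export
rem %1 = report name, %2 %3 = optional extra dsquery filter.
set "RAW=%OUT%\%~1.raw.txt"
set "TXT=%OUT%\%~1.txt"
rem -limit 0 returns every match instead of only the first 100.
dsquery computer "%OU%" -o rdn -limit 0 %2 %3 > "%RAW%"
rem dsquery prints each name in double quotes; %%~L strips them so the
rem list can be fed to other tools that expect bare host names.
type nul > "%TXT%"
for /f "usebackq delims=" %%L in ("%RAW%") do >> "%TXT%" echo %%~L
rem Count the lines so an empty report (no matches or a failed query) is obvious.
for /f %%C in ('find /c /v "" ^< "%TXT%"') do echo %~1: %%C computers
exit /b 0
```

Accounts that appear in both the inactive and stale-password reports are the usual candidates for review before being disabled or removed.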
Full dsquery syntax:
Syntax: dsquery computer [{<StartNode> | forestroot | domainroot}]
[-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}]
[-name <Name>] [-desc <Description>] [-samid <SAMName>]
[-inactive <NumWeeks>] [-stalepwd <NumDays>] [-disabled]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [-r] [-gc]
[-limit <NumObjects>] [{-uc | -uco | -uci}]
Parameters:
Value Description
{<StartNode> | forestroot | domainroot}
The node where the search will start:
forest root, domain root, or a node
whose DN is <StartNode>.
Can be "forestroot", "domainroot"
or an object DN.
If “forestroot” is specified, the search is done
via the global catalog. Default: domainroot.
-o {dn | rdn | samid} Specifies the output format.
Default: distinguished name (DN).
-scope {subtree | onelevel | base}
Specifies the scope of the search:
subtree rooted at start node (subtree);
immediate children of start node only (onelevel);
the base object represented by start node (base).
Note that subtree and domain scope
are essentially the same for any start node
unless the start node represents a domain root.
If forestroot is specified as <StartNode>,
subtree is the only valid scope.
Default: subtree.
-name <Name> Finds computers whose name matches the value
given by <Name>, e.g., "jon*" or "*ith"
or "j*th".
-desc <Description> Finds computers whose description matches
the value given by <Description>,
e.g., "jon*" or "*ith" or "j*th".
-samid <SAMName> Finds computers whose SAM account name
matches the filter given by <SAMName>.
-inactive <NumWeeks> Finds computers that have been inactive (stale)
for at least <NumWeeks> number of weeks.
-stalepwd <NumDays> Finds computers that have not changed their
password for at least <NumDays> number of days.
-disabled Finds computers with disabled accounts.
{-s <Server> | -d <Domain>}
-s <Server> connects to the domain controller
(DC) with name <Server>.
-d <Domain> connects to a DC in domain <Domain>.
Default: a DC in the logon domain.
-u <UserName> Connect as <UserName>. Default: the logged in
user. User name can be: user name,
domain\user name, or user principal name (UPN).
-p <Password> Password for the user <UserName>.
If * then prompt for password.
-q Quiet mode: suppress all output to
standard output.
-r Recurse or follow referrals during search.
Default: do not chase referrals during search.
-gc Search in the Active Directory global catalog.
-limit <NumObjects> Specifies the number of objects matching the
given criteria to be returned, where <NumObjects>
is the number of objects to be returned.
If the value of <NumObjects> is 0, all
matching objects are returned.
If this parameter is not specified, by default
the first 100 results are displayed.
{-uc | -uco | -uci} -uc Specifies that input from or output
to pipe is formatted in Unicode.
-uco Specifies that output to pipe or file is
formatted in Unicode.
-uci Specifies that input from pipe or file is
formatted in Unicode.
Remarks:
The dsquery commands help you find objects in the directory that match
a specified search criterion: the input to dsquery is a search criteria
and the output is a list of objects matching the search. To get the
properties of a specific object, use the dsget commands (dsget /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To find all computers in the current domain whose name starts with "ms"
and whose description starts with "desktop", and display their DNs:
dsquery computer domainroot -name ms* -desc desktop*
To find all computers in the organizational unit (OU) given
by ou=sales,dc=micrsoft,dc=com and display their DNs:
dsquery computer ou=sales,dc=microsoft,dc=com
See also:
dsquery computer /? – help for finding computers in the directory.
dsquery contact /? – help for finding contacts in the directory.
dsquery subnet /? – help for finding subnets in the directory.
dsquery group /? – help for finding groups in the directory.
dsquery ou /? – help for finding organizational units in the directory.
dsquery site /? – help for finding sites in the directory.
dsquery server /? – help for finding servers in the directory.
dsquery user /? – help for finding users in the directory.
dsquery quota /? – help for finding quotas in the directory.
dsquery partition /? – help for finding partitions in the directory.
dsquery * /? – help for finding any object in the directory by using a
generic LDAP query.
Directory Service command-line tools help:
dsadd /? – help for adding objects.
dsget /? – help for displaying objects.
dsmod /? – help for modifying objects.
dsmove /? – help for moving objects.
dsquery /? – help for finding objects matching search criteria.
dsrm /? – help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.
June 15, 2009 at 2:14 pm
What are virtual servers???
September 11, 2009 at 8:57 pm
Hi,
Thanks for sharing your insightful thoughts and suggestions – very cool and helpful indeed.
In the spirit of sharing helpful information, thought I’d mention that one of my Microsoft colleagues informed us about a cool FREE tool from a Microsoft partner, that offers over 50 super-helpful Active Directory security reports, such as which accounts are locked out, which accounts are set to expire in the next few days, which security groups are nested, where all a user may have permissions etc.
The tool is called Gold Finger, and it is developed by a company called Paramount Defenses. You can download it from http://www.paramountdefenses.com/goldfinger.php
Why bother writing complicated scripts, using unsupported command-line tools or paying for such tools, when you can use a 100% AUTOMATED, GUI based, FREE solution that is not only SUPPORTED but also ENDORSED by Microsoft?!
If you’re into Active Directory security, then this tool is a must-have. Thought I’d share this helpful tip with you!
Sincerely,
JohnM