HowTo: Export a list of all computers in an AD OU

by admin on June 11, 2009

To export a list of all computers and non-domain-controller servers in an Active Directory OU, use dsquery.exe. For example, to export all computers in mydomain.com's servers OU to machines.txt:

DSQUERY COMPUTER "OU=servers,DC=mydomain,DC=com" -o rdn -limit 1000 > c:\machines.txt

Use -limit when you want to return more than the default 100 results. Note that -o rdn produces the relative distinguished name (which means no OU=,DC= in the name).
 
Full dsquery syntax:
 
Syntax:     dsquery computer [{<StartNode> | forestroot | domainroot}]
           [-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}]
           [-name <Name>] [-desc <Description>] [-samid <SAMName>]
           [-inactive <NumWeeks>] [-stalepwd <NumDays>] [-disabled]
           [{-s <Server> | -d <Domain>}] [-u <UserName>]
           [-p {<Password> | *}] [-q] [-r] [-gc]
           [-limit <NumObjects>] [{-uc | -uco | -uci}]
 
 
Parameters:
Value                       Description
{<StartNode> | forestroot | domainroot}
                           The node where the search will start:
                           forest root, domain root, or a node
                           whose DN is <StartNode>.
                           Can be "forestroot", "domainroot"
                           or an object DN.
                           If “forestroot” is specified, the search is done
                           via the global catalog. Default: domainroot.
-o {dn | rdn | samid}       Specifies the output format.
                           Default: distinguished name (DN).
-scope {subtree | onelevel | base}
                           Specifies the scope of the search:
                           subtree rooted at start node (subtree);
                           immediate children of start node only (onelevel);
                           the base object represented by start node (base).
                           Note that subtree and domain scope
                           are essentially the same for any start node
                           unless the start node represents a domain root.
                           If forestroot is specified as <StartNode>,
                           subtree is the only valid scope.
                           Default: subtree.
-name <Name>                Finds computers whose name matches the value
                           given by <Name>, e.g., "jon*" or "*ith"
                           or "j*th".
-desc <Description>         Finds computers whose description matches
                           the value given by <Description>,
                           e.g., "jon*" or "*ith" or "j*th".
-samid <SAMName>            Finds computers whose SAM account name
                           matches the filter given by <SAMName>.
-inactive <NumWeeks>        Finds computers that have been inactive (stale)
                           for at least <NumWeeks> number of weeks.
-stalepwd <NumDays>         Finds computers that have not changed their
                           password for at least <NumDays> number of days.
-disabled                   Finds computers with disabled accounts.
{-s <Server> | -d <Domain>}
                           -s <Server> connects to the domain controller
                           (DC) with name <Server>.
                           -d <Domain> connects to a DC in domain <Domain>.
                           Default: a DC in the logon domain.
-u <UserName>               Connect as <UserName>. Default: the logged in
                           user. User name can be: user name,
                           domain\user name, or user principal name (UPN).
-p <Password>               Password for the user <UserName>.
                           If * then prompt for password.
-q                          Quiet mode: suppress all output to
                           standard output.
-r                          Recurse or follow referrals during search.
                           Default: do not chase referrals during search.
-gc                         Search in the Active Directory global catalog.
-limit <NumObjects>         Specifies the number of objects matching the
                           given criteria to be returned, where <NumObjects>
                           is the number of objects to be returned.
                           If the value of <NumObjects> is 0, all
                           matching objects are returned.
                           If this parameter is not specified, by default
                           the first 100 results are displayed.
{-uc | -uco | -uci}         -uc Specifies that input from or output
                           to pipe is formatted in Unicode.
                           -uco Specifies that output to pipe or file is
                           formatted in Unicode.
                           -uci Specifies that input from pipe or file is
                           formatted in Unicode.
 
Remarks:
The dsquery commands help you find objects in the directory that match
a specified search criterion: the input to dsquery is a search criteria
and the output is a list of objects matching the search. To get the
properties of a specific object, use the dsget commands (dsget /?).
 
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
 
Examples:
To find all computers in the current domain whose name starts with "ms"
and whose description starts with "desktop", and display their DNs:
 
   dsquery computer domainroot -name ms* -desc desktop*
 
To find all computers in the organizational unit (OU) given
by ou=sales,dc=micrsoft,dc=com and display their DNs:
 
   dsquery computer ou=sales,dc=microsoft,dc=com
 
See also:
dsquery computer /? – help for finding computers in the directory.
dsquery contact /? – help for finding contacts in the directory.
dsquery subnet /? – help for finding subnets in the directory.
dsquery group /? – help for finding groups in the directory.
dsquery ou /? – help for finding organizational units in the directory.
dsquery site /? – help for finding sites in the directory.
dsquery server /? – help for finding servers in the directory.
dsquery user /? – help for finding users in the directory.
dsquery quota /? – help for finding quotas in the directory.
dsquery partition /? – help for finding partitions in the directory.
dsquery * /? – help for finding any object in the directory by using a
generic LDAP query.
 
Directory Service command-line tools help:
dsadd /? – help for adding objects.
dsget /? – help for displaying objects.
dsmod /? – help for modifying objects.
dsmove /? – help for moving objects.
dsquery /? – help for finding objects matching search criteria.
dsrm /? – help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.
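
The export above can be extended into an account-hygiene report using the -inactive, -stalepwd and -disabled filters from the syntax listing. The following PowerShell wrapper is an added example, not part of the original post; the OU, thresholds and output path are placeholder assumptions, and it only calls dsquery with options documented above.

```powershell
# Added example: inventory an OU with dsquery and flag stale or disabled computer accounts.
# Assumptions: the OU DN, thresholds and output path are placeholders; dsquery.exe is on PATH.
param(
    [string]$SearchBase = 'OU=servers,DC=mydomain,DC=com',
    [int]$InactiveWeeks = 12,   # assumed review threshold
    [int]$StalePwdDays  = 90,   # assumed review threshold
    [string]$OutFile    = 'C:\machines.csv'
)

function Get-DsqueryComputer {
    param([string[]]$Filter = @())
    # -limit 0 returns every match instead of stopping at the default 100;
    # -o rdn prints only the computer name, without OU=/DC= components.
    $out = & dsquery.exe computer $SearchBase -o rdn -limit 0 @Filter
    if ($LASTEXITCODE -ne 0) {
        throw "dsquery failed with exit code $LASTEXITCODE"
    }
    # dsquery wraps each result in double quotes; strip them and drop blank lines.
    $out | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ }
}

# One full listing plus one query per filter, all against the same OU.
$all      = @(Get-DsqueryComputer)
$inactive = @(Get-DsqueryComputer -Filter '-inactive', $InactiveWeeks)
$stalePwd = @(Get-DsqueryComputer -Filter '-stalepwd', $StalePwdDays)
$disabled = @(Get-DsqueryComputer -Filter '-disabled')

# Join the four result sets into one row per computer (-contains is case-insensitive).
$report = foreach ($name in ($all | Sort-Object)) {
    [pscustomobject]@{
        Computer      = $name
        Inactive      = $inactive -contains $name
        StalePassword = $stalePwd -contains $name
        Disabled      = $disabled -contains $name
    }
}

$report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
'{0} computers: {1} inactive, {2} stale password, {3} disabled' -f `
    $all.Count, $inactive.Count, $stalePwd.Count, $disabled.Count
```

Rows where Inactive or StalePassword is true but Disabled is false are the accounts worth reviewing first, since they are still usable but apparently unused.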

{ 4 comments… read them below or add one }

mukugize asaph June 15, 2009 at 2:14 pm

What are virtual servers???


John McIntyre September 11, 2009 at 8:57 pm

Hi,

Thanks for sharing your insightful thoughts and suggestions – very cool and helpful indeed.

In the spirit of sharing helpful information, thought I’d mention that one of my Microsoft colleagues informed us about a cool FREE tool from a Microsoft partner, that offers over 50 super-helpful Active Directory security reports, such as which accounts are locked out, which accounts are set to expire in the next few days, which security groups are nested, where all a user may have permissions etc.

The tool is called Gold Finger, and it is developed by a company called Paramount Defenses. You can download it from http://www.paramountdefenses.com/goldfinger.php

Why bother writing complicated scripts, using unsupported command-line tools or paying for such tools, when you can use a 100% AUTOMATED, GUI based, FREE solution that is not only SUPPORTED but also ENDORSED by Microsoft?!

If you’re into Active Directory security, then this tool is a must-have. Thought I’d share this helpful tip with you!

Sincerely,
JohnM


Agetiaine January 6, 2010 at 1:50 pm

Hi, awesome blog there. Keep it up. I seriously like to read your blog. Last of all, have a good day.


Scorpio March 8, 2010 at 12:50 pm

Hi

I’m trying to get a list of all computer accounts with computer name and its corresponding username listed in one file. I know there are commands
–> dsquery computer -name *
—> dsquery user -name *
which give you username and computer name in different files.
I want to get it in one list with computer name and its corresponding username.

Thanks in advance
