To export a list of all computers and non-domain-controller servers in an Active Directory OU, use dsquery.exe. For example, to export all computers in mydomain.com’s servers OU to machines.txt:
DSQUERY COMPUTER "OU=servers,DC=mydomain,DC=com" -o rdn -limit 1000 > c:\machines.txt
Use -limit when you want to return more than the default 100 results. Note that -o rdn produces the relative distinguished name (which means no OU= or DC= components in the name).
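The same export extended into a small account-hygiene run, as an added example that is not part of the original post: it uses -limit 0 so the inventory is never cut off at a fixed count, and the -inactive, -stalepwd and -disabled filters from the syntax listing to report stale or disabled computer accounts. The OU, the C:\adaudit folder and the 12-week and 90-day thresholds are placeholder assumptions.

```batch
@echo off
rem Added example, not from the original post.
rem OU, OUT and the thresholds below are placeholders; adjust to your domain.
setlocal
set "OU=OU=servers,DC=mydomain,DC=com"
set "OUT=C:\adaudit"
if not exist "%OUT%" mkdir "%OUT%"

rem Full inventory. -limit 0 returns every match instead of the first 100.
dsquery computer "%OU%" -o rdn -limit 0 > "%OUT%\machines.txt"
rem Assumption: dsquery exits non-zero when the query fails (bad DN, no DC).
if errorlevel 1 (
    echo dsquery failed, machines.txt is not a complete inventory. 1>&2
    exit /b 1
)

rem Accounts with no logon activity for at least 12 weeks.
dsquery computer "%OU%" -inactive 12 -o dn -limit 0 > "%OUT%\inactive_12w.txt"

rem Accounts whose machine password has not changed for at least 90 days.
dsquery computer "%OU%" -stalepwd 90 -o dn -limit 0 > "%OUT%\stalepwd_90d.txt"

rem Disabled accounts still sitting in the OU.
dsquery computer "%OU%" -disabled -o dn -limit 0 > "%OUT%\disabled.txt"

rem Print a line count per report so an unexpectedly small or empty file is noticed.
for %%F in (machines inactive_12w stalepwd_90d disabled) do (
    for /f %%C in ('find /c /v "" ^< "%OUT%\%%F.txt"') do echo %%F: %%C
)
endlocal
```

The report files use -o dn so each stale account can be traced back to its exact location in the directory; add -uco if computer names or OUs contain non-ASCII characters.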
Full dsquery syntax:
Syntax:     dsquery computer [{<StartNode> | forestroot | domainroot}]
            [-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}]
            [-name <Name>] [-desc <Description>] [-samid <SAMName>]
            [-inactive <NumWeeks>] [-stalepwd <NumDays>] [-disabled]
            [{-s <Server> | -d <Domain>}] [-u <UserName>]
            [-p {<Password> | *}] [-q] [-r] [-gc]
            [-limit <NumObjects>] [{-uc | -uco | -uci}]
Parameters:
Value                   Description
{<StartNode> | forestroot | domainroot}
                        The node where the search will start:
                        forest root, domain root, or a node
                        whose DN is <StartNode>.
                        Can be "forestroot", "domainroot"
                        or an object DN.
                        If "forestroot" is specified, the search is done
                        via the global catalog. Default: domainroot.
-o {dn | rdn | samid}   Specifies the output format.
                        Default: distinguished name (DN).
-scope {subtree | onelevel | base}
                        Specifies the scope of the search:
                        subtree rooted at start node (subtree);
                        immediate children of start node only (onelevel);
                        the base object represented by start node (base).
                        Note that subtree and domain scope
                        are essentially the same for any start node
                        unless the start node represents a domain root.
                        If forestroot is specified as <StartNode>,
                        subtree is the only valid scope.
                        Default: subtree.
-name <Name>            Finds computers whose name matches the value
                        given by <Name>, e.g., "jon*" or "*ith"
                        or "j*th".
-desc <Description>     Finds computers whose description matches
                        the value given by <Description>,
                        e.g., "jon*" or "*ith" or "j*th".
-samid <SAMName>        Finds computers whose SAM account name
                        matches the filter given by <SAMName>.
-inactive <NumWeeks>    Finds computers that have been inactive (stale)
                        for at least <NumWeeks> number of weeks.
-stalepwd <NumDays>     Finds computers that have not changed their
                        password for at least <NumDays> number of days.
-disabled               Finds computers with disabled accounts.
{-s <Server> | -d <Domain>}
                        -s <Server> connects to the domain controller
                        (DC) with name <Server>.
                        -d <Domain> connects to a DC in domain <Domain>.
                        Default: a DC in the logon domain.
-u <UserName>           Connect as <UserName>. Default: the logged in
                        user. User name can be: user name,
                        domain\user name, or user principal name (UPN).
-p <Password>           Password for the user <UserName>.
                        If * then prompt for password.
-q                      Quiet mode: suppress all output to
                        standard output.
-r                      Recurse or follow referrals during search.
                        Default: do not chase referrals during search.
-gc                     Search in the Active Directory global catalog.
-limit <NumObjects>     Specifies the number of objects matching the
                        given criteria to be returned, where <NumObjects>
                        is the number of objects to be returned.
                        If the value of <NumObjects> is 0, all
                        matching objects are returned.
                        If this parameter is not specified, by default
                        the first 100 results are displayed.
{-uc | -uco | -uci}     -uc Specifies that input from or output
                        to pipe is formatted in Unicode.
                        -uco Specifies that output to pipe or file is
                        formatted in Unicode.
                        -uci Specifies that input from pipe or file is
                        formatted in Unicode.
Remarks:
The dsquery commands help you find objects in the directory that match
a specified search criterion: the input to dsquery is a search criteria
and the output is a list of objects matching the search. To get the
properties of a specific object, use the dsget commands (dsget /?).
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
Examples:
To find all computers in the current domain whose name starts with "ms"
and whose description starts with "desktop", and display their DNs:
dsquery computer domainroot -name ms* -desc desktop*
To find all computers in the organizational unit (OU) given
by ou=sales,dc=micrsoft,dc=com and display their DNs:
dsquery computer ou=sales,dc=microsoft,dc=com
See also:
dsquery computer /? – help for finding computers in the directory.
dsquery contact /? – help for finding contacts in the directory.
dsquery subnet /? – help for finding subnets in the directory.
dsquery group /? – help for finding groups in the directory.
dsquery ou /? – help for finding organizational units in the directory.
dsquery site /? – help for finding sites in the directory.
dsquery server /? – help for finding servers in the directory.
dsquery user /? – help for finding users in the directory.
dsquery quota /? – help for finding quotas in the directory.
dsquery partition /? – help for finding partitions in the directory.
dsquery * /? – help for finding any object in the directory by using a
generic LDAP query.
Directory Service command-line tools help:
dsadd /? – help for adding objects.
dsget /? – help for displaying objects.
dsmod /? – help for modifying objects.
dsmove /? – help for moving objects.
dsquery /? – help for finding objects matching search criteria.
dsrm /? – help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.
{ 4 comments… read them below or add one }
What are virtual servers???
Hi,
Thanks for sharing your insightful thoughts and suggestions – very cool and helpful indeed.
In the spirit of sharing helpful information, thought I’d mention that one of my Microsoft colleagues informed us about a cool FREE tool from a Microsoft partner, that offers over 50 super-helpful Active Directory security reports, such as which accounts are locked out, which accounts are set to expire in the next few days, which security groups are nested, where all a user may have permissions etc.
The tool is called Gold Finger, and it is developed by a company called Paramount Defenses. You can download it from http://www.paramountdefenses.com/goldfinger.php
Why bother writing complicated scripts, using unsupported command-line tools or paying for such tools, when you can use a 100% AUTOMATED, GUI based, FREE solution that is not only SUPPORTED but also ENDORSED by Microsoft?!
If you’re into Active Directory security, then this tool is a must-have. Thought I’d share this helpful tip with you!
Sincerely,
JohnM
Hi, awesome blog there. Keep it up. I seriously like to read your blog. Last of all, have a good day.
Hi
I’m trying to get a list of all computer accounts with computer name and its corresponding username listed in one file. I know there are commands
–> dsquery computer -name *
—> dsquery user -name *
which give you username and computer name in different files.
I want to get it in one list with computer name and its corresponding username.
Thanks in advance