Dsquery

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Queries Active Directory according to specified criteria. Each of the following dsquery commands finds objects of a specific object type, with the exception of dsquery *, which can query for any type of object:

  • dsquery computer

  • dsquery contact

  • dsquery group

  • dsquery ou

  • dsquery site

  • dsquery server

  • dsquery user

  • dsquery quota

  • dsquery partition

  • dsquery *

dsquery computer

Finds computers in the directory that match specified search criteria.

Syntax

dsquery computer [{StartNode| forestroot | domainroot}] [-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}] [-name Name] [-desc Description] [-samid SAMName] [-inactive NumberOfWeeks] [-stalepwd NumberOfDays] [-disabled] [{-s Server| -d Domain}] [-u UserName] [-p {Password|*}] [-q] [-r] [-gc] [-limit NumberOfObjects] [{-uc | -uco | -uci}]

Parameters
  • {StartNode| forestroot | domainroot}
    Specifies the node where the search will start. You can specify the forest root (forestroot), domain root (domainroot), or a node’s distinguished name (StartNode). If forestroot is specified, the search is done using the global catalog. The default value is domainroot.
  • -o {dn | rdn | samid}
    Specifies the format in which the list of entries found by the search will be displayed. A dn value displays the distinguished name of each entry. A rdn value displays the relative distinguished name of each entry. A samid value displays the SAM account name of each entry. By default, the dn format is used.
  • -scope {subtree | onelevel | base}
    Specifies the scope of the search. A value of subtree indicates that the scope is a subtree rooted at start node. A value of onelevel indicates the immediate children of start node only. A value of base indicates the single object represented by start node. If forestroot is specified as StartNode, subtree is the only valid scope. By default, the subtree search scope is used.
  • -name Name
    Searches for computers whose name attribute (value of the CN attribute) matches Name. For example, "jon*" or "*ith" or "j*th".
  • -desc Description
    Searches for computers whose description attribute matches Description. For example, "jon*" or "*ith" or "j*th".
  • -samid SAMName
    Searches for computers whose SAM account name matches SAMName.
  • -inactive NumberOfWeeks
    Searches for all computers that have been inactive (stale) for the specified number of weeks.
  • -stalepwd NumberOfDays
    Searches for all computers that have not changed their password for the specified number of days.
  • -disabled
    Searches for all computers whose accounts are disabled.
  • {-s Server | -d Domain}
    Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.
  • -u UserName
    Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:

    • user name (for example, Linda)

    • domain\user name (for example, widgets\Linda)

    • user principal name (UPN) (for example, Linda@widgets.microsoft.com)

  • -p {Password|*}
    Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.
  • -q
    Suppresses all output to standard output (quiet mode).
  • -r
    Specifies that the search use recursion or follow referrals during search. By default, the search will not follow referrals during search.
  • -gc
    Specifies that the search use the Active Directory global catalog.
  • -limit NumberOfObjects
    Specifies the number of objects that match the given criteria to be returned. If the value of NumberOfObjects is 0, all matching objects are returned. If this parameter is not specified, by default the first 100 results are displayed.
  • {-uc | -uco | -uci}
    Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.

    Value   Description
    -uc     Specifies a Unicode format for input from or output to a pipe (|).
    -uco    Specifies a Unicode format for output to a pipe (|) or a file.
    -uci    Specifies a Unicode format for input from a pipe (|) or a file.

  • /?
    Displays help at the command prompt.
Remarks
  • The results from a dsquery search can be piped as input to one of the other directory service command-line tools, such as dsget, dsmod, dsmove, or dsrm.

  • If a value that you supply contains spaces, use quotation marks around the text (for example, "CN=Mike Danseglio,CN=Users,DC=Microsoft,DC=Com").

  • If you supply multiple values for a parameter, use spaces to separate the values (for example, a list of distinguished names).

Examples

To find all computers in the current domain whose name starts with "ms" and whose description starts with "desktop", and display their distinguished names, type:

dsquery computer domainroot -name ms* -desc desktop*

To find all computers in the organizational unit given by OU=Sales,DC=Microsoft,DC=Com and display their distinguished names, type:

dsquery computer OU=Sales,DC=Microsoft,DC=Com

dsquery contact

Finds contacts in the directory that match specified search criteria.

Syntax

dsquery contact [{StartNode| forestroot | domainroot}] [-o {dn | rdn}] [-scope {subtree | onelevel | base}] [-name Name] [-desc Description] [{-s Server| -d Domain}] [-u UserName] [-p {Password| *}] [-q] [-r] [-gc] [-limit NumberOfObjects] [{-uc | -uco | -uci}]

Parameters
  • {StartNode| forestroot | domainroot}
    Specifies the node where the search will start. You can specify the forest root (forestroot), domain root (domainroot), or a node’s distinguished name (StartNode). If forestroot is specified, the search is done using the global catalog. The default value is domainroot.
  • -o {dn | rdn}
    Specifies the format in which the list of entries found by the search will be displayed. A dn value displays the distinguished name of each entry. A rdn value displays the relative distinguished name of each entry.
  • -scope {subtree | onelevel | base}
    Specifies the scope of the search. A value of subtree indicates that the scope is a subtree rooted at start node. A value of onelevel indicates the immediate children of start node only. A value of base indicates the single object represented by start node. If forestroot is specified as StartNode, subtree is the only valid scope. By default, the subtree search scope is used.
  • -name Name
    Searches for contacts whose name attribute (value of the CN attribute) matches Name. For example, "jon*" or "*ith" or "j*th".
  • -desc Description
    Searches for contacts whose description attribute matches Description. For example, "jon*" or "*ith" or "j*th".
  • {-s Server| -d Domain}
    Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.
  • -u UserName
    Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:

    • user name (such as, Linda)

    • domain\user name (such as, widgets\Linda)

    • user principal name (UPN) (such as, Linda@widgets.microsoft.com)

  • -p {Password|*}
    Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.
  • -q
    Suppresses all output to standard output (quiet mode).
  • -r
    Specifies that the search use recursion or follow referrals during search. By default, the search will not follow referrals during search.
  • -gc
    Specifies that the search use the Active Directory global catalog.
  • -limit NumberOfObjects
    Specifies the number of objects that match the given criteria to be returned. If the value of NumberOfObjects is 0, all matching objects are returned. If this parameter is not specified, by default the first 100 results are displayed.
  • {-uc | -uco | -uci}
    Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.

    Value   Description
    -uc     Specifies a Unicode format for input from or output to a pipe (|).
    -uco    Specifies a Unicode format for output to a pipe (|) or a file.
    -uci    Specifies a Unicode format for input from a pipe (|) or a file.

  • /?
    Displays help at the command prompt.
Remarks
  • The results from a dsquery search can be piped as input to one of the other directory service command-line tools, such as dsget, dsmod, dsmove, or dsrm.

  • If a value that you supply contains spaces, use quotation marks around the text (for example, "CN=Mike Danseglio,CN=Users,DC=Microsoft,DC=Com").

  • If you supply multiple values for a parameter, use spaces to separate the values (for example, a list of distinguished names).

Examples

To find all contacts in the current domain whose name starts with "te", and display their distinguished names, type:

dsquery contact domainroot -name te*

To find all contacts in the organizational unit given by OU=Sales,DC=Microsoft,DC=Com and display their distinguished names, type:

dsquery contact OU=Sales,DC=Microsoft,DC=Com

dsquery group

Finds groups in the directory that match the specified search criteria. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.

Syntax

dsquery group [{StartNode| forestroot | domainroot}] [-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}] [-name Filter] [-desc Filter] [-samid Filter] [{-s Server| -d Domain}] [-u UserName] [-p {Password| *}] [-q] [-r] [-gc] [-limit NumberOfObjects] [{-uc | -uco | -uci}]

Parameters
  • {StartNode| forestroot | domainroot}
    Specifies the node where the search will start. You can specify the forest root (forestroot), domain root (domainroot), or a node’s distinguished name (StartNode). If forestroot is specified, the search is done using the global catalog. The default value is domainroot.
  • -o {dn | rdn | samid}
    Specifies the format in which the list of entries found by the search will be displayed. A dn value displays the distinguished name of each entry. A rdn value displays the relative distinguished name of each entry. A samid value displays the SAM account name of each entry. By default, the dn format is used.
  • -scope {subtree | onelevel | base}
    Specifies the scope of the search. A value of subtree indicates that the scope is a subtree rooted at start node. A value of onelevel indicates the immediate children of the start node only. A value of base indicates the single object represented by start node. If forestroot is specified as StartNode, subtree is the only valid scope. By default, the subtree search scope is used.
  • -name Name
    Searches for groups whose name attribute (value of the CN attribute) matches Name. For example, "jon*" or "*ith" or "j*th".
  • -desc Description
    Searches for groups whose description attribute matches Description. For example, "jon*" or "*ith" or "j*th".
  • -samid SAMName
    Searches for groups whose SAM account name matches SAMName.
  • {-s Server| -d Domain}
    Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.
  • -u UserName
    Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:

    • user name (for example, Linda)

    • domain\user name (for example, widgets\Linda)

    • user principal name (UPN) (for example, Linda@widgets.microsoft.com)

  • -p {Password|*}
    Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.
  • -q
    Suppresses all output to standard output (quiet mode).
  • -r
    Specifies that the search use recursion or follow referrals during search. By default, the search will not follow referrals during search.
  • -gc
    Specifies that the search use the Active Directory global catalog.
  • -limit NumberOfObjects
    Specifies the number of objects that match the given criteria to be returned. If the value of NumberOfObjects is 0, all matching objects are returned. If this parameter is not specified, by default the first 100 results are displayed.
  • {-uc | -uco | -uci}
    Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.

    Value   Description
    -uc     Specifies a Unicode format for input from or output to a pipe (|).
    -uco    Specifies a Unicode format for output to a pipe (|) or a file.
    -uci    Specifies a Unicode format for input from a pipe (|) or a file.

  • /?
    Displays help at the command prompt.
Remarks
  • The results from a dsquery search can be piped as input to one of the other directory service command-line tools, such as dsget, dsmod, dsmove, or dsrm.

  • If a value that you supply contains spaces, use quotation marks around the text (for example, "CN=Mike Danseglio,CN=Users,DC=Microsoft,DC=Com").

  • If you supply multiple values for a parameter, use spaces to separate the values (for example, a list of distinguished names).

Examples

To find all groups in the current domain whose name starts with "ms" and whose description starts with "admin", and display their distinguished names, type:

dsquery group domainroot -name ms* -desc admin*

To find all groups in the domain given by DC=Microsoft,DC=Com and display their distinguished names, type:

dsquery group DC=Microsoft,DC=Com

dsquery ou

Finds organizational units in the directory that match the specified search criteria. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.

Syntax

dsquery ou [{StartNode| forestroot | domainroot}] [-o {dn | rdn}] [-scope {subtree | onelevel | base}] [-name Name] [-desc Description] [{-s Server| -d Domain}] [-u UserName] [-p {Password| *}] [-q] [-r] [-gc] [-limit NumberOfObjects] [{-uc | -uco | -uci}]

Parameters
  • {StartNode| forestroot | domainroot}
    Specifies the node where the search will start. You can specify the forest root (forestroot), domain root (domainroot), or a node’s distinguished name (StartNode). If forestroot is specified, the search is done using the global catalog. The default value is domainroot.
  • -o {dn | rdn}
    Specifies the format in which the list of entries found by the search will be displayed. A dn value displays the distinguished name of each entry. A rdn value displays the relative distinguished name of each entry.
  • -scope {subtree | onelevel | base}
    Specifies the scope of the search. A value of subtree indicates that the scope is a subtree rooted at start node. A value of onelevel indicates the immediate children of the start node only. A value of base indicates the single object represented by start node. If forestroot is specified as StartNode, subtree is the only valid scope. By default, the subtree search scope is used.
  • -name Name
    Searches for organizational units whose name attribute (value of the CN attribute) matches Name. For example, "jon*" or "*ith" or "j*th".
  • -desc Description
    Searches for organizational units whose description attribute matches Description. For example, "jon*" or "*ith" or "j*th".
  • {-s Server| -d Domain}
    Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.
  • -u UserName
    Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:

    • user name (for example, Linda)

    • domain\user name (for example, widgets\Linda)

    • user principal name (UPN) (for example, Linda@widgets.microsoft.com)

  • -p {Password | *}
    Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.
  • -q
    Suppresses all output to standard output (quiet mode).
  • -r
    Specifies that the search use recursion or follow referrals during search. By default, the search will not follow referrals during search.
  • -gc
    Specifies that the search use the Active Directory global catalog.
  • -limit NumberOfObjects
    Specifies the number of objects that match the given criteria to be returned. If the value of NumberOfObjects is 0, all matching objects are returned. If this parameter is not specified, by default the first 100 results are displayed.
  • {-uc | -uco | -uci}
    Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.

    Value   Description
    -uc     Specifies a Unicode format for input from or output to a pipe (|).
    -uco    Specifies a Unicode format for output to a pipe (|) or a file.
    -uci    Specifies a Unicode format for input from a pipe (|) or a file.

  • /?
    Displays help at the command prompt.
Remarks
  • The results from a dsquery search can be piped as input to one of the other directory service command-line tools, such as dsget, dsmod, dsmove, or dsrm.

  • If a value that you supply contains spaces, use quotation marks around the text (for example, "CN=Mike Danseglio,CN=Users,DC=Microsoft,DC=Com").

  • If you supply multiple values for a parameter, use spaces to separate the values (for example, a list of distinguished names).

Examples

To find all organizational units in the current domain whose name starts with "ms" and whose description starts with "sales", and display their distinguished names, type:

dsquery ou domainroot -name ms* -desc sales*

To find all organizational units in the domain given by DC=Microsoft,DC=Com and display their distinguished names, type:

dsquery ou DC=Microsoft,DC=Com

dsquery site

Finds sites in the directory that match the specified search criteria. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.

Syntax

dsquery site [-o {dn | rdn}] [-name Name] [-desc Description] [{-s Server| -d Domain}] [-u UserName] [-p {Password|*}] [-q] [-r] [-gc] [-limit NumberOfObjects] [{-uc | -uco | -uci}]

Parameters
  • -o {dn | rdn}
    Specifies the format in which the list of entries found by the search will be displayed. A dn value displays the distinguished name of each entry. A rdn value displays the relative distinguished name of each entry.
  • -name Name
    Searches for sites whose name attribute (value of the CN attribute) matches Name. For example, "NA*" or "Europe*".
  • -desc Description
    Searches for sites whose description attribute matches Description. For example, "corp*" or "*nch".
  • {-s Server| -d Domain}
    Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.
  • -u UserName
    Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:

    • user name (for example, Linda)

    • domain\user name (for example, widgets\Linda)

    • user principal name (UPN) (for example, Linda@widgets.microsoft.com)

  • -p {Password | *}
    Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.
  • -q
    Suppresses all output to standard output (quiet mode).
  • -r
    Specifies that the search use recursion or follow referrals during search. By default, the search will not follow referrals during search.
  • -gc
    Specifies that the search use the Active Directory global catalog.
  • -limit NumberOfObjects
    Specifies the number of objects that match the given criteria to be returned. If the value of NumberOfObjects is 0, all matching objects are returned. If this parameter is not specified, by default the first 100 results are displayed.
  • {-uc | -uco | -uci}
    Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.

    Value   Description
    -uc     Specifies a Unicode format for input from or output to a pipe (|).
    -uco    Specifies a Unicode format for output to a pipe (|) or a file.
    -uci    Specifies a Unicode format for input from a pipe (|) or a file.

  • /?
    Displays help at the command prompt.
Remarks
  • The results from a dsquery search can be piped as input to one of the other directory service command-line tools, such as dsget, dsmod, dsmove, or dsrm.

  • If a value that you supply contains spaces, use quotation marks around the text (for example, "CN=Mike Danseglio,CN=Users,DC=Microsoft,DC=Com").

  • If you supply multiple values for a parameter, use spaces to separate the values (for example, a list of distinguished names).

Examples

To find all sites in North America whose name starts with "north" and display their distinguished names, type:

dsquery site -name north*

To list the relative distinguished names of all sites defined in the directory, type:

dsquery site -o rdn

dsquery server

Finds domain controllers according to specified search criteria. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.

Syntax

dsquery server [-o {dn | rdn}] [-forest] [-domain DomainName] [-site SiteName] [-name Name] [-desc Description] [-hasfsmo {schema | name | infr | pdc | rid}] [-isgc] [{-s Server| -d Domain}] [-u UserName] [-p {Password|*}] [-q] [-r] [-gc] [-limit NumberOfObjects] [{-uc | -uco | -uci}]

Parameters
  • -o {dn | rdn}
    Specifies the format in which the list of entries found by the search will be displayed. A dn value displays the distinguished name of each entry. A rdn value displays the relative distinguished name of each entry. By default, the dn format is used.
  • -forest
    Searches for all domain controllers (server objects) that are part of the current forest.
  • -domain DomainName
    Searches for all domain controllers (server objects) that are part of the domain whose DNS name is given by DomainName. Note that this parameter is not necessary if all domain controllers in the current domain are to be displayed, since that is the search criterion when no other criterion is specified.
  • -site SiteName
    Searches for all domain controllers (server objects) that are part of site SiteName.
  • -name Name
    Searches for server objects whose name attribute (value of the CN attribute) matches Name. For example, "jon*" or "*ith" or "j*th".
  • -desc Description
    Searches for server objects whose description attribute matches Description. For example, "jon*" or "*ith" or "j*th".
  • -hasfsmo {schema | name | infr | pdc | rid}
    Searches for the domain controller (server object) that holds the requested operations master role. A value of schema requests the schema master of the forest. A value of name requests the domain naming master of the forest. A value of infr requests the infrastructure master of the forest. A value of pdc requests the primary domain controller (PDC) role owner of the domain given by the -domain parameter (or the current domain is used). A value of rid requests the relative ID master (RID master) of the domain given by the -domain parameter (or the current domain is used). For the infr, pdc and rid operations master roles, if no domain is specified with the -domain parameter, the current domain is used.
  • -isgc
    Searches for all domain controllers (server objects) in the scope specified by any of the -forest, -domain, or -site parameters that are global catalog servers. If none of the above scope parameters are specified, find all global catalogs in the current domain.
  • {-s Server| -d Domain}
    Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.
  • -u UserName
    Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:

    • user name (for example, Linda)

    • domain\user name (for example, widgets\Linda)

    • user principal name (UPN) (for example, Linda@widgets.microsoft.com)

  • -p {Password|*}
    Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.
  • -q
    Suppresses all output to standard output (quiet mode).
  • -r
    Specifies that the search use recursion or follow referrals during search. By default, the search will not follow referrals during search.
  • -gc
    Specifies that the search use the Active Directory global catalog.
  • -limit NumberOfObjects
    Specifies the number of objects that match the given criteria to be returned. If the value of NumberOfObjects is 0, all matching objects are returned. If this parameter is not specified, by default the first 100 results are displayed.
  • {-uc | -uco | -uci}
    Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.

    Value   Description
    -uc     Specifies a Unicode format for input from or output to a pipe (|).
    -uco    Specifies a Unicode format for output to a pipe (|) or a file.
    -uci    Specifies a Unicode format for input from a pipe (|) or a file.

  • /?
    Displays help at the command prompt.
Remarks
  • The results from a dsquery search can be piped as input to one of the other directory service command-line tools, such as dsget, dsmod, dsmove, or dsrm.

  • If a value that you supply contains spaces, use quotation marks around the text (for example, "CN=Mike Danseglio,CN=Users,DC=Microsoft,DC=Com").

  • If you supply multiple values for a parameter, use spaces to separate the values (for example, a list of distinguished names).

Examples

To find all domain controllers in the current domain, type:

dsquery server

To find all domain controllers in the forest and display their relative distinguished names, type:

dsquery server -o rdn -forest

To find all domain controllers in the site whose name is United States and display their relative distinguished names, type:

dsquery server -o rdn -site "United States"

To find the domain controller in the forest that holds the schema operations master role, type:

dsquery server -forest -hasfsmo schema

To find all domain controllers in the domain widgets.microsoft.com that are global catalog servers, type:

dsquery server -domain widgets.microsoft.com -isgc

dsquery user

Finds users in the directory that match the specified search criteria. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.

Syntax

dsquery user [{StartNode| forestroot | domainroot}] [-o {dn | rdn | upn | samid}] [-scope {subtree | onelevel | base}] [-name Name] [-desc Description] [-upn UPN] [-samid SAMName] [-inactive NumberOfWeeks] [-stalepwd NumberOfDays] [-disabled] [{-s Server| -d Domain}] [-u UserName] [-p {Password| *}] [-q] [-r] [-gc] [-limit NumberOfObjects] [{-uc | -uco | -uci}]

Parameters
  • {StartNode| forestroot | domainroot}
    Specifies the node where the search will start. You can specify the forest root (forestroot), domain root (domainroot), or a node’s distinguished name (StartNode). If forestroot is specified, the search is done using the global catalog. The default value is domainroot.
  • -o {dn | rdn | upn | samid}
    Specifies the format in which the list of entries found by the search will be displayed. A dn value displays the distinguished name of each entry. A rdn value displays the relative distinguished name of each entry. A upn value displays the user principal name of each entry. A samid value displays the SAM account name of each entry. By default, the dn format is used.
  • -scope {subtree | onelevel | base}
    Specifies the scope of the search. A value of subtree indicates that the scope is a subtree rooted at start node. A value of onelevel indicates the immediate children of start node only. A value of base indicates the single object represented by start node. If forestroot is specified as StartNode, subtree is the only valid scope. By default, the subtree search scope is used.
  • -name Name
    Searches for users whose name attribute (value of the CN attribute) matches Name. For example, "jon*" or "*ith" or "j*th".
  • -desc Description
    Searches for users whose description attribute matches Description. For example, "jon*" or "*ith" or "j*th".
  • -upn UPN
    Searches for users whose UPN attribute matches UPN.
  • -samid SAMName
    Searches for users whose SAM account name matches SAMName.
  • -inactive NumberOfWeeks
    Searches for all users that have been inactive (stale) for at least the specified number of weeks.
  • -stalepwd NumberOfDays
    Searches for all users that have not changed their password for at least the specified number of days.
  • -disabled
    Searches for all users whose accounts are disabled.
  • {-s Server| -d Domain}
    Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.
  • -u UserName
    Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:

    • user name (for example, Linda)

    • domain\user name (for example, widgets\Linda)

    • user principal name (UPN) (for example, Linda@widgets.microsoft.com)

  • -p {Password| *}
    Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.
  • -q
    Suppresses all output to standard output (quiet mode).
  • -r
    Specifies that the search use recursion or follow referrals during search. By default, the search will not follow referrals during search.
  • -gc
    Specifies that the search use the Active Directory global catalog.
  • -limit NumberOfObjects
    Specifies the number of objects that match the given criteria to be returned. If the value of NumberOfObjects is 0, all matching objects are returned. If this parameter is not specified, by default the first 100 results are displayed.
  • {-uc | -uco | -uci}
    Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.

    Value   Description
    -uc     Specifies a Unicode format for input from or output to a pipe (|).
    -uco    Specifies a Unicode format for output to a pipe (|) or a file.
    -uci    Specifies a Unicode format for input from a pipe (|) or a file.

  • /?
    Displays help at the command prompt.
Remarks
  • The results from a dsquery search can be piped as input to one of the other directory service command-line tools, such as dsget, dsmod, dsmove, or dsrm.

  • If a value that you supply contains spaces, use quotation marks around the text (for example, "CN=Mike Danseglio,CN=Users,DC=Microsoft,DC=Com").

  • If you supply multiple values for a parameter, use spaces to separate the values (for example, a list of distinguished names).

Examples

To display the user principal names of all users in a given organizational unit whose name starts with "Jon" and whose account has been disabled for logon, type:

dsquery user OU=Test,DC=Microsoft,DC=Com -o upn -name jon* -disabled

To display the distinguished names of all users in only the current domain whose names end with "Smith" and who have been inactive for 3 weeks or more, type:

dsquery user domainroot -name *smith -inactive 3

To display the user principal names of all users in the organizational unit given by OU=Sales,DC=Microsoft,DC=Com, type:

dsquery user OU=Sales,DC=Microsoft,DC=Com -o upn
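
The -inactive and -disabled searches shown above can be combined into an account-hygiene report. The following PowerShell function is an added example, not part of the original reference; the function name, the 12-week threshold and the OU are assumptions. It lists users who have been inactive but are still enabled, and it passes -limit 0 because dsquery otherwise stops after the first 100 results.

```powershell
# Added example, not Microsoft's code. Get-InactiveEnabledUser is a hypothetical name.
function Get-InactiveEnabledUser {
    param(
        [string]$StartNode = 'domainroot',   # or the distinguished name of an OU
        [int]$Weeks = 12                     # assumed review threshold
    )

    # -limit 0 returns every match; without it dsquery stops after the
    # first 100 results and the report is incomplete.
    $inactive = @(dsquery user $StartNode -inactive $Weeks -limit 0)
    if ($LASTEXITCODE -ne 0) { throw "dsquery -inactive failed ($LASTEXITCODE)" }

    $disabled = @(dsquery user $StartNode -disabled -limit 0)
    if ($LASTEXITCODE -ne 0) { throw "dsquery -disabled failed ($LASTEXITCODE)" }

    # Both queries print one quoted distinguished name per line, so the
    # lines can be compared directly (-notcontains ignores case).
    $inactive | Where-Object { $disabled -notcontains $_ }
}

# Passing the DN as a quoted string keeps its commas and spaces in one argument.
Get-InactiveEnabledUser -StartNode 'OU=Sales,DC=Microsoft,DC=Com' -Weeks 12
```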

dsquery quota

Finds quota specifications in the directory that match the specified search criteria. A quota specification determines the maximum number of directory objects a given security principal can own in a given directory partition. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.

Syntax

dsquery quota {domainroot |ObjectDN} [-o {dn | rdn}] [-acct Name] [-qlimit Filter] [-desc Description] [{-s Server| -d Domain}] [-u UserName] [-p {Password|*}] [-q] [-r] [-gc] [-limit NumberOfObjects] [{-uc | -uco | -uci}]

Parameters
  • {domainroot |ObjectDN}
    Required. Specifies where the search should begin. Use ObjectDN to specify the distinguished name (also known as DN), or use domainroot to specify the root of the current domain.
  • -o {dn | rdn}
    Specifies the format in which the list of entries found by the search will be displayed. The following table lists and describes each format.
<table>
<colgroup>
<col style="width: 50%" />
<col style="width: 50%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>dn</strong></p></td>
<td><p>Displays the distinguished name of each entry. This is the default value.</p></td>
</tr>
<tr class="even">
<td><p><strong>rdn</strong></p></td>
<td><p>Displays the relative distinguished name of each entry.</p></td>
</tr>
</tbody>
</table>
  • -acct Name
    Specifies to find the quota specifications assigned to the security principal (user, group, computer, or InetOrgPerson) as represented by Name. The -acct option can be provided in the form of the distinguished name of the security principal or the Domain\SAMAccountName of the security principal.
  • -qlimit Filter
    Specifies to find quota specifications whose limit matches Filter.
  • -desc Description
    Searches for quota objects that have a description attribute that matches Description (for example, "jon*" or "*ith" or "j*th").
  • {-s Server| -d Domain}
    Connects to a specified remote server or domain. By default, the computer is connected to a domain controller in the logon domain.
  • -u UserName
    Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:

    • user name (for example, Linda)

    • domain\user name (for example, widgets\Linda)

    • user principal name (UPN) (for example, Linda@widgets.microsoft.com)

  • -p {Password|*}
    Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.
  • -q
    Suppresses all output to standard output (quiet mode).
  • -r
    Specifies that the search use recursion or follow referrals during search. By default, the search does not follow referrals.
  • -gc
    Specifies that the search use the Active Directory global catalog.
  • -limit NumberOfObjects
    Specifies the number of objects that match the given criteria to be returned. If the value of NumberOfObjects is 0, all matching objects are returned. If this parameter is not specified, the first 100 results are displayed by default.
  • {-uc | -uco | -uci}
    Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.

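<table>
<colgroup>
<col style="width: 50%" />
<col style="width: 50%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>-uc</strong></p></td>
<td><p>Specifies a Unicode format for input from or output to a pipe (|).</p></td>
</tr>
<tr class="even">
<td><p><strong>-uco</strong></p></td>
<td><p>Specifies a Unicode format for output to a pipe (|) or a file.</p></td>
</tr>
<tr class="odd">
<td><p><strong>-uci</strong></p></td>
<td><p>Specifies a Unicode format for input from a pipe (|) or a file.</p></td>
</tr>
</tbody>
</table>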

  • /?
    Displays help at the command prompt.
Remarks
  • The results from a dsquery search can be piped as input to one of the other directory service command-line tools, such as dsget, dsmod, dsmove, or dsrm.

  • If a value that you use contains spaces, use quotation marks around the text (for example, "CN=Mike Danseglio,CN=Users,DC=Microsoft,DC=Com").

  • If you use multiple values for a parameter, use spaces to separate the values (for example, a list of distinguished names).

  • When you specify values for Description, you can use the wildcard character (*) (for example, "NA*," "*BR," and "NA*BA").

  • Any value for Filter that you specify with -qlimit is read as a string. You must always use quotation marks around this parameter. Any value ranges you specify using <=, =, or >= must also be inside quotation marks (for example, -qlimit "=100", -qlimit "<=99", -qlimit ">=101"). To find quotas with no limit, use "-1".

Examples

To list all accounts in the current domain that have quota specifications assigned to them, type:

dsquery quota domainroot

To list all users named Jon in the SALES domain partition, type:

dsquery user -name jon* | dsquery quota domainroot -acct

dsquery partition

Finds partition objects in the directory that match the specified search criteria. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.

Syntax

dsquery partition [-o {dn | rdn}] [-part Filter] [{-s Server| -d Domain}][-u UserName] [-p {Password|*}] [-q] [-r] [-gc] [-limit NumberOfObjects] [{-uc | -uco | -uci}]

Parameters
  • -o {dn | rdn}
    Specifies the format in which the list of entries found by the search will be displayed. The following table lists and describes each format.
<table>
<colgroup>
<col style="width: 50%" />
<col style="width: 50%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>dn</strong></p></td>
<td><p>Displays the distinguished name of each entry. This is the default value.</p></td>
</tr>
<tr class="even">
<td><p><strong>rdn</strong></p></td>
<td><p>Displays the relative distinguished name of each entry.</p></td>
</tr>
</tbody>
</table>
  • -part Filter
    Finds partition objects whose common name (CN) matches the filter given by Filter.
  • {-s Server| -d Domain}
    Connects to a specified remote server or domain. By default, the computer is connected to a domain controller in the logon domain.
  • -u UserName
    Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:

    • user name (for example, Linda)

    • domain\user name (for example, widgets\Linda)

    • user principal name (UPN) (for example, Linda@widgets.microsoft.com)

  • -p {Password|*}
    Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.
  • -q
    Suppresses all output to standard output (quiet mode).
  • -r
    Specifies that the search use recursion or follow referrals during search. By default, the search does not follow referrals.
  • -gc
    Specifies that the search use the Active Directory global catalog.
  • -limit NumberOfObjects
    Specifies the number of objects that match the given criteria to be returned. If the value of NumberOfObjects is 0, all matching objects are returned. If this parameter is not specified, the first 100 results are displayed by default.
  • {-uc | -uco | -uci}
    Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.

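<table>
<colgroup>
<col style="width: 50%" />
<col style="width: 50%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>-uc</strong></p></td>
<td><p>Specifies a Unicode format for input from or output to a pipe (|).</p></td>
</tr>
<tr class="even">
<td><p><strong>-uco</strong></p></td>
<td><p>Specifies a Unicode format for output to a pipe (|) or a file.</p></td>
</tr>
<tr class="odd">
<td><p><strong>-uci</strong></p></td>
<td><p>Specifies a Unicode format for input from a pipe (|) or a file.</p></td>
</tr>
</tbody>
</table>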

  • /?
    Displays help at the command prompt.
Remarks
  • The results from a dsquery search can be piped as input to one of the other directory service command-line tools, such as dsget, dsmod, dsmove, or dsrm.

  • If a value that you use contains spaces, use quotation marks around the text (for example, "CN=Mike Danseglio,CN=Users,DC=Microsoft,DC=Com").

  • If you use multiple values for a parameter, use spaces to separate the values (for example, a list of distinguished names).

  • When you specify values for Description, you can use the wildcard character (*) (for example, "NA*," "*BR," and "NA*BA").

Examples

To list the distinguished names of all directory partitions in the current forest, type:

dsquery partition

To list the distinguished names of all directory partitions in the forest whose common name begins with SQL, type:

dsquery partition -part SQL*

dsquery *

Finds any objects in the directory according to criteria using an LDAP query.

Syntax

dsquery * [{ObjectDN| forestroot | domainroot}] [-scope {subtree | onelevel | base}] [-filter LDAPFilter] [-attr {AttributeList|*}] [-attrsonly] [-l][{-s Server| -d Domain}] [-u UserName] [-p {Password|*}] [-q] [-r] [-gc] [-limit NumberOfObjects] [{-uc | -uco | -uci}]

Parameters
  • {ObjectDN| forestroot | domainroot}
    Specifies the node where the search will start. You can specify the forest root (forestroot), domain root (domainroot), or a node’s distinguished name (ObjectDN). If forestroot is specified, the search is done using the global catalog. The default value is domainroot.
  • -scope {subtree | onelevel | base}
    Specifies the scope of the search. A value of subtree indicates that the scope is a subtree rooted at the start node. A value of onelevel indicates the immediate children of the start node only. A value of base indicates the single object represented by the start node. If forestroot is specified as the start node, subtree is the only valid scope. By default, the subtree search scope is used.
  • -filter LDAPFilter
    Specifies an explicit search filter, LDAPFilter, in the LDAP search filter format, to be used for this search. For example, a valid search filter would be (&(objectCategory=Person)(sn=smith*)). The default LDAPFilter is (objectClass=*).
  • -attr {AttributeList|*}
    Specifies that the semicolon-separated LDAP display names included in AttributeList are the only attributes for each entry in the result set that should be displayed. If the value of this parameter is specified as *, all attributes present on the object in the result set are displayed. If this option is selected, the default output format is a list format, regardless of whether the -l parameter is specified. The default AttributeList is a distinguished name.
  • -attrsonly
    Specifies that only the attribute types present on the entries in the result set, and not their values, should be displayed. The default is to display both the attribute type and the value.
  • -l
    Displays entries in a list format. By default, entries are displayed in a table format. For more information on display formats for this command, see Remarks.
  • {-s Server| -d Domain}
    Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.
  • -u UserName
    Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:

    • user name (for example, Linda)

    • domain\user name (for example, widgets\Linda)

    • user principal name (UPN) (for example, Linda@widgets.microsoft.com)

  • -p {Password|*}
    Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.
  • -q
    Suppresses all output to standard output (quiet mode).
  • -r
    Specifies that the search use recursion or follow referrals during search. By default, the search does not follow referrals.
  • -gc
    Specifies that the search use the Active Directory global catalog.
  • -limit NumberOfObjects
    Specifies the number of objects that match the given criteria to be returned. If the value of NumberOfObjects is 0, all matching objects are returned. If this parameter is not specified, by default the first 100 results are displayed.
  • {-uc | -uco | -uci}
    Specifies that output or input data is formatted in Unicode. The following table lists and describes each format.

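<table>
<colgroup>
<col style="width: 50%" />
<col style="width: 50%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>-uc</strong></p></td>
<td><p>Specifies a Unicode format for input from or output to a pipe (|).</p></td>
</tr>
<tr class="even">
<td><p><strong>-uco</strong></p></td>
<td><p>Specifies a Unicode format for output to a pipe (|) or a file.</p></td>
</tr>
<tr class="odd">
<td><p><strong>-uci</strong></p></td>
<td><p>Specifies a Unicode format for input from a pipe (|) or a file.</p></td>
</tr>
</tbody>
</table>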

  • /?
    Displays help at the command prompt.
Remarks
  • The results from a dsquery search can be piped as input to one of the other directory service command-line tools, such as dsget, dsmod, dsmove, or dsrm.

  • If a value that you supply contains spaces, use quotation marks around the text (for example, "CN=Mike Danseglio,CN=Users,DC=Microsoft,DC=Com").

  • If you supply multiple values for a parameter, use spaces to separate the values (for example, a list of distinguished names).

Examples

To display, in table format, the SAM account names, user principal names, and departments of all users in the current domain whose SAM account name begins with the string "Jon", type:

dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(sAMAccountName=Jon*))" -attr sAMAccountName userPrincipalName department

To read the SAM account names, user principal names, and department attributes of the object whose distinguished name is OU=Test,DC=Microsoft,DC=Com, type:

dsquery * OU=Test,DC=Microsoft,DC=Com -scope base -attr sAMAccountName userPrincipalName department

To read all attributes of the object whose distinguished name is OU=Test,DC=Microsoft,DC=Com, type:

dsquery * OU=Test,DC=Microsoft,DC=Com -scope base -attr *
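
When the value placed in -filter comes from a script parameter or other input, characters such as *, ( and ) change the meaning of the LDAP filter unless they are escaped first. The following PowerShell functions are an added example, not part of the original reference; the function names are hypothetical. They hex-escape the value (the \XX form of the LDAP search filter syntax) before building the same filter as the first example above.

```powershell
# Added example, not Microsoft's code. Both function names are hypothetical.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory = $true)][AllowEmptyString()][string]$Value)

    # Backslash first, so the escapes added below are not escaped again.
    $v = $Value -replace '\\', '\5c'
    $v = $v -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $v = $v -replace '\x00', '\00'
    # A double quote has no special meaning in a filter, but hex-escaping it
    # keeps the argument intact when it is quoted on the dsquery command line.
    $v -replace '"', '\22'
}

function Find-UserBySamPrefix {
    param([Parameter(Mandatory = $true)][string]$Prefix)

    $safe = ConvertTo-LdapFilterValue $Prefix
    # Only the trailing * written here acts as a wildcard; any * inside
    # $Prefix has already been turned into the literal \2a.
    $filter = "(&(objectCategory=Person)(objectClass=User)(sAMAccountName=${safe}*))"

    # -limit 0 returns all matches instead of the default first 100.
    dsquery * domainroot -filter $filter -attr sAMAccountName userPrincipalName department -limit 0
}

Find-UserBySamPrefix -Prefix 'Jon'
```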

Formatting legend

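<table>
<colgroup>
<col style="width: 50%" />
<col style="width: 50%" />
</colgroup>
<thead>
<tr class="header">
<th>Format</th>
<th>Meaning</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Italic</p></td>
<td><p>Information that the user must supply</p></td>
</tr>
<tr class="even">
<td><p>Bold</p></td>
<td><p>Elements that the user must type exactly as shown</p></td>
</tr>
<tr class="odd">
<td><p>Ellipsis (...)</p></td>
<td><p>Parameter that can be repeated several times in a command line</p></td>
</tr>
<tr class="even">
<td><p>Between brackets ([])</p></td>
<td><p>Optional items</p></td>
</tr>
<tr class="odd">
<td><p>Between braces ({}); choices separated by pipe (|). Example: {even|odd}</p></td>
<td><p>Set of choices from which the user must choose only one</p></td>
</tr>
<tr class="even">
<td><p>Courier font</p></td>
<td><p>Code or program output</p></td>
</tr>
</tbody>
</table>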
