Using dsquery group

dsquery group searches Active Directory for groups that match specified credentials.You can use dsquery group to find groups and then send a list of those to another command. For example, you could use dsquery group to query AD for all groups without any members and have those results imported into dsmod to delete all the empty groups. Dsquery.exe group uses the following syntax.Table 4.14 explains all the syntax and available switches in detail.

dsquery group [{<StartNode> | forestroot | domainroot}] [-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}] [-name <Name>] [-desc <Description>] [-samid <SAMName>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumObjects>] [{-uc | -uco | -uci}]

Table 4.14 Understanding dsquery group Syntax

Value

Description

{<StartNode> | forestroot | domainroot}

-scope {subtree | onelevel | base}

-desc <Description>

-samid <SAMName>

The node where the search starts: forest root, domain root, or a node whose DN is <StartNode>. Can be "forestroot," "domain-root," or an object DN. If "forestroot" is specified, the search is done via the global catalog. Default: domainroot.

Specifies the output format. Default: DN.

Specifies the scope of the search: subtree rooted at start node (subtree); immediate children of start node only (onelevel); the base object represented by start node (base). Note that subtree and domain scope are essentially the same for any start node unless the start node represents a domain root. If forestroot is specified as <StartNode>, subtree is the only valid scope. Default: subtree.

Finds groups whose name matches the value given by <Name>; e.g., "jon*" or "*ith" or "j*th."

Finds groups whose description matches the value given by <Description>; e.g., "jon*" or "*ith" or "j*th."

Finds groups whose SAM account name matches the value given by <SAMName>.

-s <Server> connects to the domain controller(DC) with name <Server>. -d <Domain> connects to a DC in domain <Domain>.

Default: a DC in the log-on domain.

Connects as <UserName>. Default: the loggedon user. Username can be: username, domain\username, or user principal name (UPN).

Password for the user <UserName>. If * is specified, you are prompted for a password.

Quiet mode: suppresses all output to standard output.

Recurses or follows referrals during search. Default: do not chase referrals during search.

Searches in the Active Directory global catalog.

Value

Description

-limit <NumObjects>

Specifies the number of objects matching the given criteria to be returned, where <NumObjects> is the number of objects to be returned. If the value of <NumObjects> is 0, all matching objects are returned. If this parameter is not specified, by default the first 100 results are displayed.

-uc specifies that input from or output to pipe is formatted in Unicode.

-uco specifies that output to pipe or file is formatted in Unicode.

-uci specifies that input from pipe or file is formatted in Unicode.

Was this article helpful?

+1 0

Post a comment