JSI Tip 7330. What can I do with the DSQUERY USER command?

The dsquery user command is very easy to use and surprisingly powerful. For instance, from your Windows XP desktop, you can query your Windows 2000 SP3+ domain, or Windows Server 2003 domain, for the distinguished name of all members of the sales organizational unit (OU) who have not logged on in 4 weeks:

dsquery user ou=sales,dc=jsiinc,dc=com -inactive 4

NOTE: See What can I do with the DSGET USER command?

When you type dsquery user /?, you receive:

Description:  Finds users in the directory per given criteria.Syntax:     dsquery user [{ | forestroot | domainroot}]            [-o {dn | rdn | upn | samid}]            [-scope {subtree | onelevel | base}]            [-name ] [-desc ] [-upn ]            [-samid ] [-inactive ] [-stalepwd ]            [-disabled] [{-s  | -d }] [-u ]            [-p { | *}] [-q] [-r] [-gc] [-limit ]            [{-uc | -uco | -uci}]Parameters:Value                       Description{ | forestroot | domainroot}                            The node where the search will start:                            forest root, domain root, or a node                            whose DN is .                            Can be "forestroot", "domainroot" or an                            object DN. If "forestroot" is specified,                            the search is done via the global catalog.                            Default: domainroot.-o {dn | rdn | upn | samid}                            Specifies the output format.                            Default: distinguished name (DN).-scope {subtree | onelevel | base}                            Specifies the scope of the search:                            subtree rooted at start node (subtree);                            immediate children of start node only (onelevel);                            the base object represented by start node (base).                            Note that subtree and domain scope                            are essentially the same for any start node                            unless the start node represents a domain root.                            If forestroot is specified as ,                            subtree is the only valid scope.                            Default: subtree.-name                 Finds users whose name matches the filter                            given by , e.g., "jon*" or "*ith"                            or "j*th".-desc          Finds users whose description matches the                            filter given by , e.g., "jon*" or                            "*ith" or "j*th".-upn                   Finds users whose UPN matches the filter given                            by .-samid             Finds users whose SAM account name matches the                            filter given by .-inactive         Finds users that have been inactive                            (not logged on) for at least                             number of weeks.-stalepwd          Finds users that have not changed their password                            for at least  number of days.-disabled                   Finds users whose account is disabled.{-s  | -d }                            -s  connects to the domain controller                            (DC) with name .                            -d  connects to a DC in domain .                            Default: a DC in the logon domain.-u                Connect as . Default: the logged in                            user. User name can be: user name,                            domainuser name, or user principal name (UPN).-p                Password for the user .                            If * is specified, then you are prompted                            for a password.-q                          Quiet mode: suppress all output to                            standard output.-r                          Recurse or follow referrals during search.                            Default: do not chase referrals during search.-gc                         Search in the Active Directory global catalog.-limit          Specifies the number of objects matching the                            given criteria to be returned, where                             is the number of objects to be returned.                            If the value of  is 0, all                            matching objects are returned. If this parameter                            is not specified, by default the first                            100 results are displayed.{-uc | -uco | -uci}         -uc Specifies that input from or output to pipe                            is formatted in Unicode.                            -uco Specifies that output to pipe or file is                            formatted in Unicode.                            -uci Specifies that input from pipe or file is                            formatted in Unicode.Remarks:The dsquery commands help you find objects in the directory that matcha specified search criterion: the input to dsquery is a search criteriaand the output is a list of objects matching the search. To get theproperties of a specific object, use the dsget commands (dsget /?).If a value that you supply contains spaces, use quotation marksaround the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").If you enter multiple values, the values must be separated by spaces(for example, a list of distinguished names).Examples:To find all users in a given organizational unit (OU)whose name starts with "jon" and whose account has been disabledfor logon and display their user principal names (UPNs):    dsquery user ou=Test,dc=microsoft,dc=com -o upn -name jon* -disabledTo find all users in only the current domain, whose names end with "smith"and who have been inactive for 3 weeks or more, and display their DNs:    dsquery user domainroot -name *smith -inactive 3To find all users in the OU given by ou=sales,dc=microsoft,dc=com and displaytheir UPNs:    dsquery user ou=sales,dc=microsoft,dc=com -o upnSee also:dsquery computer /? - help for finding computers in the directory.dsquery contact /? - help for finding contacts in the directory.dsquery subnet /? - help for finding subnets in the directory.dsquery group /? - help for finding groups in the directory.dsquery ou /? - help for finding organizational units in the directory.dsquery site /? - help for finding sites in the directory.dsquery server /? - help for finding servers in the directory.dsquery user /? - help for finding users in the directory.dsquery quota /? - help for finding quotas in the directory.dsquery partition /? - help for finding partitions in the directory.dsquery * /? - help for finding any object in the directory by using ageneric LDAP query.Directory Service command-line tools help:dsadd /? - help for adding objects.dsget /? - help for displaying objects.dsmod /? - help for modifying objects.dsmove /? - help for moving objects.dsquery /? - help for finding objects matching search criteria.dsrm /? - help for deleting objects.dsquery failed:The parameter is incorrect.type dsquery /? for help.