The dsquery user command is very easy to use and
surprisingly powerful. For instance, from your Windows XP desktop, you can query your Windows 2000 SP3+ domain,
or Windows Server 2003 domain, for the distinguished name of all members of the sales organizational unit (OU)
who have not logged on in 4 weeks:
dsquery user ou=sales,dc=jsiinc,dc=com -inactive 4
NOTE: See "What can I do with the DSGET USER command?"
When you type dsquery user /?, you receive:
Description: Finds users in the directory per given criteria.

Syntax:     dsquery user [{<StartNode> | forestroot | domainroot}]
            [-o {dn | rdn | upn | samid}]
            [-scope {subtree | onelevel | base}]
            [-name <Name>] [-desc <Description>] [-upn <UPN>]
            [-samid <SAMName>] [-inactive <NumWeeks>] [-stalepwd <NumDays>]
            [-disabled] [{-s <Server> | -d <Domain>}] [-u <UserName>]
            [-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumObjects>]
            [{-uc | -uco | -uci}]

Parameters:

Value                   Description
{<StartNode> | forestroot | domainroot}
                        The node where the search will start:
                        forest root, domain root, or a node
                        whose DN is <StartNode>.
                        Can be "forestroot", "domainroot" or an
                        object DN. If "forestroot" is specified,
                        the search is done via the global catalog.
                        Default: domainroot.
-o {dn | rdn | upn | samid}
                        Specifies the output format.
                        Default: distinguished name (DN).
-scope {subtree | onelevel | base}
                        Specifies the scope of the search:
                        subtree rooted at start node (subtree);
                        immediate children of start node only (onelevel);
                        the base object represented by start node (base).
                        Note that subtree and domain scope
                        are essentially the same for any start node
                        unless the start node represents a domain root.
                        If forestroot is specified as <StartNode>,
                        subtree is the only valid scope.
                        Default: subtree.
-name <Name>            Finds users whose name matches the filter
                        given by <Name>, e.g., "jon*" or "*ith"
                        or "j*th".
-desc <Description>     Finds users whose description matches the
                        filter given by <Description>, e.g., "jon*" or
                        "*ith" or "j*th".
-upn <UPN>              Finds users whose UPN matches the filter given
                        by <UPN>.
-samid <SAMName>        Finds users whose SAM account name matches the
                        filter given by <SAMName>.
-inactive <NumWeeks>    Finds users that have been inactive
                        (not logged on) for at least <NumWeeks>
                        number of weeks.
-stalepwd <NumDays>     Finds users that have not changed their password
                        for at least <NumDays> number of days.
-disabled               Finds users whose account is disabled.
{-s <Server> | -d <Domain>}
                        -s <Server> connects to the domain controller
                        (DC) with name <Server>.
                        -d <Domain> connects to a DC in domain <Domain>.
                        Default: a DC in the logon domain.
-u <UserName>           Connect as <UserName>. Default: the logged in
                        user. User name can be: user name,
                        domain\user name, or user principal name (UPN).
-p <Password>           Password for the user <UserName>.
                        If * is specified, then you are prompted
                        for a password.
-q                      Quiet mode: suppress all output to
                        standard output.
-r                      Recurse or follow referrals during search.
                        Default: do not chase referrals during search.
-gc                     Search in the Active Directory global catalog.
-limit <NumObjects>     Specifies the number of objects matching the
                        given criteria to be returned, where <NumObjects>
                        is the number of objects to be returned.
                        If the value of <NumObjects> is 0, all
                        matching objects are returned. If this parameter
                        is not specified, by default the first
                        100 results are displayed.
{-uc | -uco | -uci}     -uc Specifies that input from or output to pipe
                        is formatted in Unicode.
                        -uco Specifies that output to pipe or file is
                        formatted in Unicode.
                        -uci Specifies that input from pipe or file is
                        formatted in Unicode.

Remarks:
The dsquery commands help you find objects in the directory that match
a specified search criterion: the input to dsquery is a search criteria
and the output is a list of objects matching the search. To get the
properties of a specific object, use the dsget commands (dsget /?).

If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).

Examples:
To find all users in a given organizational unit (OU)
whose name starts with "jon" and whose account has been disabled
for logon and display their user principal names (UPNs):

    dsquery user ou=Test,dc=microsoft,dc=com -o upn -name jon* -disabled

To find all users in only the current domain, whose names end with "smith"
and who have been inactive for 3 weeks or more, and display their DNs:

    dsquery user domainroot -name *smith -inactive 3

To find all users in the OU given by ou=sales,dc=microsoft,dc=com and display
their UPNs:

    dsquery user ou=sales,dc=microsoft,dc=com -o upn

See also:
dsquery computer /? - help for finding computers in the directory.
dsquery contact /? - help for finding contacts in the directory.
dsquery subnet /? - help for finding subnets in the directory.
dsquery group /? - help for finding groups in the directory.
dsquery ou /? - help for finding organizational units in the directory.
dsquery site /? - help for finding sites in the directory.
dsquery server /? - help for finding servers in the directory.
dsquery user /? - help for finding users in the directory.
dsquery quota /? - help for finding quotas in the directory.
dsquery partition /? - help for finding partitions in the directory.
dsquery * /? - help for finding any object in the directory by using a
generic LDAP query.

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.
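
An added example (not part of the original tip or of Microsoft's help text): a batch file that uses -inactive, -stalepwd, -disabled and -limit from the help above to audit one OU for stale accounts, then hands the inactive DNs to dsget user. The OU, thresholds and output folder are constructed placeholders, and the script assumes dsquery sets a non-zero exit code on failure.

```bat
@echo off
rem Added example: stale-account audit of one OU.
rem Constructed values - replace BASE and the thresholds with your own.
setlocal
set "BASE=ou=sales,dc=jsiinc,dc=com"
set "WEEKS=4"
set "PWDDAYS=90"
set "OUTDIR=%TEMP%\dsquery-audit"
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

rem -limit 0 returns every match; by default only the first 100 are shown,
rem which would silently truncate an audit of a large OU.
rem Quote the start node so a DN containing spaces stays one argument.
dsquery user "%BASE%" -inactive %WEEKS% -limit 0 > "%OUTDIR%\inactive.txt"
if %errorlevel% neq 0 goto failed
dsquery user "%BASE%" -stalepwd %PWDDAYS% -limit 0 > "%OUTDIR%\stalepwd.txt"
if %errorlevel% neq 0 goto failed
dsquery user "%BASE%" -disabled -limit 0 > "%OUTDIR%\disabled.txt"
if %errorlevel% neq 0 goto failed

rem Default output is one DN per line, so counting lines counts accounts.
find /c /v "" "%OUTDIR%\inactive.txt" "%OUTDIR%\stalepwd.txt" "%OUTDIR%\disabled.txt"

rem Nothing inactive: skip dsget, which needs at least one DN on stdin.
for %%F in ("%OUTDIR%\inactive.txt") do if %%~zF equ 0 goto :eof

rem Feed the inactive DNs to dsget to see which accounts are still enabled.
dsget user -samid -upn -disabled < "%OUTDIR%\inactive.txt"
goto :eof

:failed
echo dsquery failed with exit code %errorlevel% 1>&2
exit /b 1
```

Accounts that appear in inactive.txt but show "no" in the dsget disabled column are the ones to review first.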