Dsquery
Does dsquery report on all AD domain accounts regardless of whether they are disabled or not? If I wanted to run a last login dsquery, would it list entries for both enabled and disabled domain accounts?
May 31st, 2011 10:37am

> Does dsquery report on all AD domain accounts regardless of whether they are disabled or not?

AFAIK yes. If you want to display all users / computers, use -limit 0

> If I wanted to run a last login dsquery - would it list entries for both enabled and disabled domain accounts?

AFAIK yes. If you want to list only disabled accounts then use -disabled

More here: http://technet.microsoft.com/en-us/library/cc755655(WS.10).aspx

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011; Microsoft Certified Professional; Microsoft Certified Systems Administrator: Security; Microsoft Certified Systems Engineer: Security; Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration; Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration; Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration; Microsoft Certified Technology Specialist: Windows 7, Configuring; Microsoft Certified IT Professional: Enterprise Administrator
May 31st, 2011 10:42am

Yes, by default DSQUERY USER/COMPUTER -disabled reports all accounts. You can see as result yes or no. To use DSQUERY in the most simple way you need to redirect output this way:

dsquery user -name * -limit 0 | dsget user -fn -ln -samid -disabled | find /i "yes"

This will report only disabled accounts, but it works slowly (it must process another search command). A more advanced syntax, but very fast, is:

dsquery * -filter "(&(objectCategory=user)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -limit 0 | dsget user -fn -ln -samid

Regards, Krzysztof
May 31st, 2011 10:50am

I am a bit lost here (doesn't take much). Can you show me the syntax for these 4 dsqueries?

1) List all domain accounts that are disabled
2) List all domain accounts regardless of whether they are disabled or enabled
3) List all last login times for ONLY disabled users
4) List all last login times for all users, regardless of whether they are disabled

Ideally if the syntax could also show me how to write the results out to a txt file/csv. Can I run these queries as just a basic domain user, i.e. without domain administrator privileges?
May 31st, 2011 11:00am

OK, let's start :) I will show you how to do that using the DSQUERY command, but for more convenient management you should use additional tools like ADFIND or PowerShell cmdlets. DS Tools are used for simple and less advanced queries.

1) List all domain accounts that are disabled

dsquery user -name * -limit 0 | dsget user -fn -ln -samid -disabled | find /i "yes" >>c:\disabled_users.txt

or

dsquery * -filter "(&(objectCategory=user)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -limit 0 | dsget user -fn -ln -samid >>c:\disabled_users.txt

2) List all domain accounts regardless of whether they are disabled or enabled

dsquery user -name * -limit 0 | dsget user -fn -ln -samid >>c:\all_users.txt

3) List all last login times for ONLY disabled users

dsquery * -filter "(&(objectCategory=user)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -limit 0 -attr givenName sn sAMAccountName lastLogon >>c:\last_logon.txt

For this I would suggest using ADFIND or PowerShell. DSQUERY does not show a fixed lastLogon value.
ADFIND can be downloaded at http://www.joeware.net/freetools/tools/adfind/index.htm
Quest PowerShell can be downloaded from http://www.quest.com/powershell/activeroles-server.aspx

4) List all last login times for all users, regardless of whether they are disabled

dsquery * -filter "(&(objectCategory=user)(objectClass=user))" -limit 0 -attr givenName sn sAMAccountName lastLogon >>c:\last_logon_for_all.txt

For this I would suggest using ADFIND or PowerShell. DSQUERY does not show a fixed lastLogon value.

If you're interested in the syntax for ADFIND or PowerShell, just let me know, I will post queries here.

Regards, Krzysztof
May 31st, 2011 3:08pm

All of this is complicated by the following:

The lastLogon attribute is not replicated. A different value for each user (and computer) is saved on every Domain Controller in the domain. To get the last logon date/time for users, you must query every DC.

The lastLogonTimeStamp attribute is only updated during logon if the old value is more than 14 days (by default) in the past. If the value is updated, however, it is replicated to all DCs.

If you just want to identify accounts no longer used, the lastLogonTimeStamp attribute will be accurate to within 14 days, and should suffice. This can be retrieved in one query. If you really need the exact last logon date, you must query for lastLogon on every DC.

The examples given above work fine if you use lastLogonTimeStamp instead of lastLogon. If you use dsquery * to retrieve lastLogon, you will get the value from the one DC that answers the query, but this is unlikely to be the value you want.

If you can use a VBScript or PowerShell solution, I have several examples linked here: http://www.rlmueller.net/Last%20Logon.htm

Richard Mueller - MVP Directory Services
May 31st, 2011 6:23pm
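The per-DC lastLogon query Richard describes, and the two "last login" reports Krzysztof's queries 3 and 4 produce, written out in PowerShell as an added example. This is not code from the thread or from Microsoft's DS Tools. It assumes the ActiveDirectory module (RSAT) on a domain-joined workstation with read access to the domain; the function names and the two output paths are my own choices. It asks every DC for lastLogon and keeps the newest value per user, and carries the replicated lastLogonTimestamp alongside it so the two can be compared.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and a domain-joined workstation with read access to the domain.
Import-Module ActiveDirectory

# lastLogon and lastLogonTimestamp are Windows FILETIME values: Int64 ticks of
# 100 ns since 1601-01-01 UTC. 0 or missing means "never logged on (here)".
function ConvertFrom-FileTime {
    param([Int64]$Ticks)
    if ($Ticks -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($Ticks)
}

# lastLogon is not replicated, so ask every DC and keep the newest value per
# user. lastLogonTimestamp is replicated, so the first DC's copy is enough.
function Get-LastLogonReport {
    param(
        # Same base filter as the dsquery commands in the thread.
        [string]$LdapFilter = '(&(objectCategory=person)(objectClass=user))'
    )
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $byUser = @{}
    $unreachable = @()

    foreach ($dc in $dcs) {
        try {
            $users = Get-ADUser -Server $dc -LDAPFilter $LdapFilter `
                         -Properties lastLogon, lastLogonTimestamp
        } catch {
            # A DC we could not ask may hold the newest lastLogon, so the
            # report is only a lower bound; record that instead of hiding it.
            $unreachable += $dc
            Write-Warning "Could not query $dc : $($_.Exception.Message)"
            continue
        }
        foreach ($u in $users) {
            $entry = $byUser[$u.SamAccountName]
            if (-not $entry) {
                $entry = [ordered]@{
                    SamAccountName     = $u.SamAccountName
                    # Enabled is the inverse of userAccountControl bit 0x2, the
                    # bit the matching rule 1.2.840.113556.1.4.803:=2 tests.
                    Enabled            = $u.Enabled
                    LastLogon          = [Int64]0
                    LastLogonTimestamp = [Int64]$u.lastLogonTimestamp
                }
                $byUser[$u.SamAccountName] = $entry
            }
            $seen = [Int64]$u.lastLogon
            if ($seen -gt $entry.LastLogon) { $entry.LastLogon = $seen }
        }
    }

    foreach ($e in $byUser.Values) {
        [PSCustomObject]@{
            SamAccountName     = $e.SamAccountName
            Enabled            = $e.Enabled
            LastLogon          = ConvertFrom-FileTime $e.LastLogon
            LastLogonTimestamp = ConvertFrom-FileTime $e.LastLogonTimestamp
            # Lets the reader of the CSV see which rows may be stale.
            DCsNotQueried      = ($unreachable -join ';')
        }
    }
}

$report = Get-LastLogonReport

# Query 3 from the thread: last logon for disabled users only.
$report | Where-Object { -not $_.Enabled } | Sort-Object LastLogon |
    Export-Csv -Path 'C:\last_logon_disabled.csv' -NoTypeInformation

# Query 4: everyone, enabled or not.
$report | Sort-Object SamAccountName |
    Export-Csv -Path 'C:\last_logon_for_all.csv' -NoTypeInformation
```

An account whose LastLogon column is empty in the CSV while LastLogonTimestamp is set has logged on, but only against a DC that did not answer (see DCsNotQueried) or one that has since been demoted; treat such rows as unknown rather than as "never logged on".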

Yes, you're right. I forgot to add this at the end of my post :) I agree that you should use lastLogonTimeStamp instead of lastLogon. So, anyway, I suggest using PowerShell for that. It's much more convenient in use and more powerful than DS Tools :] Or if you don't want to use PowerShell, use ADFIND, ADMOD from joeware. That's a good alternative to the "old" DS Tools (anyway, still my favourites ;) )

And I forgot also to answer the last line in your question. Yes, you can run these queries as a regular user, but your workstation requires Administrative Tools or RSAT installed and you can perform only READ queries. Running a query on DC(s) requires permission to log on to a DC.

Regards, Krzysztof
June 1st, 2011 3:19am

Thanks so much. With regards to:

> 1) List all domain accounts that are disabled
> dsquery user -name * -limit 0 | dsget user -fn -ln -samid -disabled | find /i "yes" >>c:\disabled_users.txt
> or
> dsquery * -filter "(&(objectCategory=user)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -limit 0 | dsget user -fn -ln -samid >>c:\disabled_users.txt
> 2) List all domain accounts regardless of whether they are disabled or enabled
> dsquery user -name * -limit 0 | dsget user -fn -ln -samid >>c:\all_users.txt
> 3) List all last login times for ONLY disabled users
> dsquery * -filter "(&(objectCategory=user)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -limit 0 -attr givenName sn sAMAccountName lastLogon >>c:\last_logon.txt
> 4) List all last login times for all users, regardless of whether they are disabled
> dsquery * -filter "(&(objectCategory=user)(objectClass=user))" -limit 0 -attr givenName sn sAMAccountName lastLogon >>c:\last_logon_for_all.txt

Can you explain what each piece of the syntax in the above 4 is doing, for future reference?
June 2nd, 2011 7:53am

Yes of course, here you are:

dsquery * means that you want to perform an LDAP search.

-filter defines what you want to search for within the LDAP query.

"(&(objectClass=User)(objectCategory=User))" tells DSQUERY that the LDAP query should look into the schema for class USER and object USER (there its attributes are defined). You can extend this query by adding additional attributes. This basic query means that all user accounts will be returned. You can be much more specific if you are looking for a particular attribute within the user properties (i.e. employeeID, which is unavailable in the GUI). For this the syntax looks like this:

"(&(objectClass=User)(objectCategory=User)(employeeID=EmployeeIDNumber))"

-> the query will return only the user whose employeeID equals the value specified, where EmployeeIDNumber is the requested value.

-limit 0 means that all results will be returned. By default DSQUERY returns only the first 1000 records.

-attr tells LDAP which attributes you want to get from the requested object. To find available attributes, place * (asterisk) after -attr.

givenName - attribute to display First Name (stored in LDAP under this property)
sn - Last Name
sAMAccountName - user login name
lastLogon - int64 value of the last log on time on the DC where the query was run or sent to. Use lastLogonTimeStamp as Richard Mueller suggested, it's much more appropriate than lastLogon (meaning described in his post above).

>>c:\last_logon_for_all.txt sends all query results into a flat text file on the C drive with the file name last_logon_for_all.txt

If you wish any other explanation, do not hesitate to ask.

Regards, Krzysztof
June 2nd, 2011 8:24am

Are you still monitoring this thread? I am having issues. It runs the query for number 1 and outputs to c:\disabled_users.txt, however the command shell reports an error:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

H:\>dsquery user -name * -limit 0 | dsget user -fn -ln -samid -disabled | find /i "yes" >>c:\disabled_users.txt
dsget failed:The server is not operational.
type dsget /? for help.

H:\>

It also only reports a couple (2) of hundred users in the disabled report, whereas an Active Directory Users and Computers report returns over 500! So the stats don't add up. Yes, if I run:

dsquery * -filter "(&(objectCategory=user)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -limit 0 | dsget user -fn -ln -samid >>c:\disabled_users.txt

it returns 715 users, and the ADUC disabled query only returns 519 users? But the second script doesn't return any errors...
June 6th, 2011 6:03am

A possible explanation for the first query raising an error, but not the second, is that you have a user with a quote character (") in their Common Name, and this user is not disabled. Is this possible?

In your second query, the standard filter for users is "(&(objectCategory=person)(objectClass=user))". I've never used your version, with "(objectCategory=user)", but I get the same number of objects, so I believe it should be OK. Still, do you get the same results using "(objectCategory=person)"? I would trust the dsquery command.

Richard Mueller - MVP Directory Services
June 6th, 2011 6:44am

I'm not sure, but I saw something similar in the past when the Domain Functional Level was set up below Windows Server 2003? As I know, below this level DS Tools can have some issues. Can you check what your DFL is, please? They work in 2003 mode for sure (I tested them before posting :) ). Maybe it's connected to a space in name(s) as Richard mentioned (that's the only known explanation for me why it returned only 2 people); you can try to add the (") quote character within that syntax:

dsquery user -name "*" -limit 0 | dsget user -fn -ln -samid -disabled | find /i "yes" >>c:\disabled_users.txt

According to the results from ADUC and DSQUERY, I would also trust DS Tools' output rather than ADUC, but I have no idea what could cause this difference. objectCategory=user also can be replaced by =person but I prefer using the first one (as I know each user object is a member of the user and person category, so it's only personal preference :) )

Hope I could help.

Regards, Krzysztof
June 6th, 2011 8:01am

Will give it a go in a min... With regards to a user with " in their common name, not too sure, I guess there could be. How can you check in ADUC?
June 6th, 2011 8:02am

Yeah, I get the same. This is weird: the 2nd query now returns the exact same as ADUC. I have re-run the exact same query...
June 6th, 2011 8:08am

I believe it's a 2003 functional domain. Any way to double check?
June 6th, 2011 8:09am

The only difference I have seen or heard of in any of the command line utilities in W2k8 vs. W2k3 is in dsmod group. In W2k3 dsmod group can add contacts to groups (and also remove), but this fails in W2k8. I tested your command syntax on both W2k3 and W2k8 R2.

I know this is unlikely, but to check if any of your Common Names have the double quote character, you can use this command:

dsquery * -filter "(cn=*\"*)"

If this returns any users, then the dsget command will raise an error if the DN of the user is piped to it. The quote character must be escaped, but dsquery does not escape it.

Richard Mueller - MVP Directory Services
June 6th, 2011 9:23am
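Two things in this thread come down to what is and is not special inside an LDAP filter: the employeeID lookup Krzysztof describes in his syntax explanation (where the value being looked up comes from outside the query), and Richard's check above for a quote character in a CN. The following is an added example, not code from the thread or from Microsoft's DS Tools. It uses .NET's System.DirectoryServices, which is present on any domain-joined Windows box without RSAT and runs as a plain domain user with read access; the function names and the sample input values are my own.

```powershell
# Added example, not from the thread. Needs only System.DirectoryServices,
# so it works without RSAT and as a plain domain user with read access.

# RFC 4515: inside a filter value only  *  (  )  \  and NUL are special and are
# written as \2a \28 \29 \5c \00. A double quote is not special here; the
# escaping Richard mentions applies to the DN that dsquery hands to dsget.
# Every value that comes from outside the script (a form field, a CSV column)
# must pass through this before it is pasted into a filter, otherwise an input
# such as  *)(userAccountControl:1.2.840.113556.1.4.803:=2  turns an employeeID
# lookup into "every disabled user in the domain".
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # Backslash first, so the escapes added afterwards are not escaped again.
    $v = $Value.Replace('\', '\5c')
    $v = $v.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    return $v.Replace("`0", '\00')
}

# Krzysztof's employeeID filter with the value escaped. $EmployeeId is the
# untrusted part; the rest of the filter is a fixed string.
function New-EmployeeIdFilter {
    param([Parameter(Mandatory)][string]$EmployeeId)
    $safe = ConvertTo-LdapFilterValue $EmployeeId
    return "(&(objectCategory=person)(objectClass=user)(employeeID=$safe))"
}

# Paged search from the domain root (the equivalent of dsquery's -limit 0),
# returning the requested attributes as objects. Hypothetical helper name.
function Find-AdObject {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Attributes = @('distinguishedName', 'sAMAccountName', 'userAccountControl')
    )
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domain   = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($domain, $Filter, $Attributes)
    $searcher.PageSize = 1000   # server-side paging, so no 1000-entry cap
    foreach ($result in $searcher.FindAll()) {
        $row = [ordered]@{}
        foreach ($a in $Attributes) {
            # ResultPropertyCollection keys are lower-case attribute names
            $row[$a] = $result.Properties[$a.ToLower()] | Select-Object -First 1
        }
        [PSCustomObject]$row
    }
}

# 1) What escaping does to a hostile value (constructed input): the injected
#    clause becomes a literal employeeID that matches nothing, instead of a
#    second filter term that matches every disabled account.
$hostile = '*)(userAccountControl:1.2.840.113556.1.4.803:=2'
New-EmployeeIdFilter $hostile

# 2) Richard's check for a double quote in any CN. In a single-quoted
#    PowerShell string the " needs none of the cmd.exe escaping in his command.
Find-AdObject -Filter '(cn=*"*)' -Attributes @('distinguishedName')

# 3) The normal lookup: one user by an operator-supplied value (constructed).
$typed = 'E12345'
Find-AdObject -Filter (New-EmployeeIdFilter $typed)
```

For the hostile value, New-EmployeeIdFilter returns a filter whose employeeID term begins with \2a\29\28 followed by the rest of the text, so the directory compares it as one literal string. Apply the same escaping to any value interpolated into the -filter argument of dsquery * as well; the tool passes the filter to the DC as written, exactly as Richard notes it passes the DN on unescaped.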

This topic is archived. No further replies will be accepted.
