EvilSaint Wordmark

DSQuery

20 Jun 2022, 3:23 p.m.
20 Apr 2022, 9:33 a.m.
07:44 minutes

Dsquery is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. It allows you to find any objects in the directory using a Lightweight Directory Access Protocol (LDAP) query. To use it, you must run the dsquery command from an elevated command prompt.

    DSQuery

    Open DS Query GUI Window

    rundll32 dsquery,OpenQueryWindow

    Users

    Query Users From Local server (default 100)

    dsquery user

    List Users Remote Server (Unlimited or 2000 results)

    dsquery user -s 10.100.1.254 -limit 0
dsquery user -s 10.100.1.254 -limit 2000

    Query a specific user

    dsquery user -samid <username> -s <DC IP Address>
dsquery user -samid Administrator -s 10.100.1.254

    List AD Users starting with ‘b’, don’t limit the number of results returned and request particular fields.

    dsquery user -name "b*" -s 10.100.1.254 -limit 0 | dsget user -samid -sid -fn -ln -email -dept -disabled -reversiblepwd -mustchpwd -canchpwd -acctexpires -s 10.100.1.254

    How to Reset Active Directory User’s Password from Command Line

    dsquery user -samid enter_username_here | dsmod user -pwd enter_new_pw_here -mustchpwd no

    Find out if a user account is currently enabled or disabled.

    dsquery user DC=%userdnsdomain:.=,DC=% -name %username% | dsget user -disabled -dn

    Stale user accounts

    dsquery user domainroot -stalepwd 100 -limit 0

    Disabled user accounts

    dsquery user domainroot -disabled -limit 0

    Remotely Reset the Active Directory User’s password from the command line.

    psexec domain_controller_ip dsquery user -samid enter_username_here | dsmod user -pwd enter_new_pw_here -mustchpwd no enter_new_pw_here

    Computers

    List all computers

    dsquery computer -limit 0
dsquery computer -s 10.100.1.254
dsquery computer -d marvel.lab

    Stale computer accounts

    dsquery computer domainroot -stalepwd 180 -limit 0

    Loop through Domain Computers and run a command

    Loop through all the computers in the domain (Great for Adding Further Queries)

    for /f %i in ('dsquery computer -o rdn) do echo %i

    Group

    List all groups with Admin in the name

    dsquery group -name "*Admin*" -s 10.100.1.254
dsquery group -name "*Admin*" -s 10.100.1.254 | dsget group -members -expand -s 10.100.1.254

    List all members of all group(s)

    dsquery group -name "*" -s 10.100.1.254 | dsget group -members -expand -s 10.100.1.254

    List all users in security group

    dsquery group -name "" | dsget group -members -expand | dsget user -fn -ln -disabled

    Servers

    Get Domain Controllers

    dsquery server -s 10.100.1.254

    Global Catalog (-isgc)

    dsquery server -isgc

    Loop through Domain servers and run a command

    Loop over a list of DC’s using dsquery (Great for Adding Further Queries)

    for /f %i in ('dsquery server -o rdn') do echo %i

    Domain Controller IP Configuration

    for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do psexec //%i ipconfig /all

    AD Database disk usage

    for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do dir //%i/admin$/ntds

    Domain Controller Netlogon entries

    for /f %i in ('dsquery server -o rdn') do echo %i & reg query //%i/hklm/system/currentcontrolset/services/netlogon/parameters

    DNS Zones in AD

    for /f %i in ('dsquery server -o rdn') do Dsquery * -s %i domainroot -filter (objectCategory=dnsZone)

    Enumerate DNS Server Zones

    for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do dnscmd %i /enumzones

    Sites

    Return the object if KCC Intra/Inter site is disabled for each site

    dsquery site | dsquery * -attr * -filter "(|(Options:1.2.840.113556.1.4.803:=1)(Options:1.2.840.113556.1.4.803:=16))"

    Return the object if KCC Intra/Inter site is disabled for each site

    dsquery site | dsquery * -attr * -filter "(|(Options:1.2.840.113556.1.4.803:=1)(Options:1.2.840.113556.1.4.803:=16))"

    Subnets

    Subnet information

    dsquery subnet -limit 0

    OU

    List Organisational Units

    dsquery OU

    ACL on all OUs

    for /f "delims=|" %i in ('dsquery OU') do acldiag %i

    Custom Queries

    Remember all below queries can have the following added:

    • s 10.100.1.254 will make the command query a remote server. d marvel.lab will make the command query a DC in the domain limit 0 this option will allow ldap to return unlimited results as apposed to the default of 100 records. If 0 is given then the result set will be unlimited.

    Servers

    Find servers in the domain

    dsquery * domainroot -filter "(&(objectCategory=Computer)(objectClass=Computer)(operatingSystem=*Server*))"

    Domain Controllers per site

    dsquery * "CN=Sites,CN=Configuration,DC=MARVEL,DC=LAB" -filter "(objectCategory=Server)"

    Global Catalog Servers from AD

    dsquery * "CN=Configuration,DC=MARVEL,DC=LAB" -filter "(&(objectCategory=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))"

    DSQuery authorised DHCP Servers

    dsquery * "cn=NetServices,cn=Services,cn=Configuration,DC=MARVEL,DC=LAB" -attr dhcpServers

    Users

    Export all usernames and email addresses

    dsquery * -filter "(&(objectCategory=person)(objectClass=user)(mail=*))" -attr sAMAccountName name mail

    User accounts that are not disabled

    dsquery * -filter "(&(objectCategory=Person)(objectClass=User)(!userAccountControl:1.2.840.113556.1.4.803:=2))"

    User accounts that are disabled

    dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=2))"

    Users with no logon script

    dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(!scriptPath=*))" -attr sAMAccountName sn givenName pwdLastSet distinguishedName

    User accounts with no password required

    dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32))"

    User accounts with no password expiry

    dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"

    Find user by account name.

    dsquery * domainroot -filter "(samAccountName=Black.Widow)" -attr *

    Find a user by their email address.

    dsquery * domainroot -filter "(&(objectClass=User) (mail=Black.Widow@marvel.lab))" -attr *

    Find users with passwords set never to expire.

    dsquery * domainroot -filter "(&(objectClass=User) (userAccountControl>=65536))" -attr samAccountName userPrincipalName userAccountControl

    Groups

    Find users in Domain Admin Group.

    dsquery * -filter "&(objectCategory=group)(CN=Domain Admins)" | dsget group -members | dsget user -dn -samid -sid -fn -ln -display -email

    Find empty groups.

    dsquery * -filter "&(objectCategory=group)(!member=*)" -limit 0 -attr whenCreated whenChanged groupType sAMAccountName distinguishedName memberOf

    Group Policies

    Information on existing GPOs

    dsquery * "CN=Policies,CN=System,DC=MARVEL,DC=LAB" -filter "(objectCategory=groupPolicyContainer)" -attr displayName cnwhenCreated gPCFileSysPath

    Find the policy display name given the GUID.

    dsquery * "CN=Policies,CN=System,DC=MARVEL,DC=LAB" -filter "(objectCategory=groupPolicyContainer)" -attr Name displayName

    Useful Information

    Forest/Domain Functional Levels

    dsquery * "cn=partitions,cn=configuration,DC=MARVEL,DC=LAB" -filter "(|(systemFlags=3)(systemFlags=-2147483648))" -attr msDS-Behavior-Version Name dnsroot ntmixeddomain NetBIOSName

    Find when the AD was installed.

    dsquery * "CN=configuration,DC=MARVEL,DC=LAB" -attr whencreated -scope base

    Return the AD Schema

    dsquery * "CN=schema,CN=configuration,DC=MARVEL,DC=LAB" -scope base -attr whenCreated whenChanged objectVersion
    13 Windows 2000 Server operating system
    30 Windows Server 2003 operating system
    31 Windows Server 2003 R2 operating system
    44 Windows Server 2008 operating system (AD DS)
    47 Windows Server 2008 R2 operating system (AD DS)
    56 Windows Server 2012 operating system (AD DS)
    69 Windows Server 2012 R2 operating system (AD DS)
    87 Windows Server 2016 operating system (AD DS)
    88 Windows Server v1803 operating system (AD DS)

    Trusts

    Enumerate the trusts from the specified domain

    dsquery * "CN=System,DC=MARVEL,DC=LAB" -filter "(objectClass=trustedDomain)" -attr trustPartner flatName

    Find a DC for each trusted domain

    for /f "skip=1" %i in ('"dsquery * CN=System,DC=MARVEL,DC=LAB -filter (objectClass=trustedDomain) -attr *"') do nltest /dsgetdc:%i

    Sites & Subnets

    AD Site Information

    dsquery * "CN=Sites,CN=Configuration,DC=MARVEL,DC=LAB" -attr cn description location -filter "(objectClass=site)"

    Site Links and Cost

    dsquery * "CN=Sites,CN=Configuration,DC=MARVEL,DC=LAB" -attr cn costdescription replInterval siteList -filter "(objectClass=siteLink)"

    AD Subnet and Site Information

    dsquery * "CN=Subnets,CN=Sites,CN=Configuration,DC=MARVEL,DC=LAB" -attr cn siteObject description location

    Captcha: What's the standard TCP port of the following service?

    captcha

    0 comments