Display all groups that the „Domain Users“ group is a member of, including nested memberships (every account in „Domain Users“ inherits these groups)
dsquery group -name "domain users" | dsget group -memberof -expand | dsget group -samid
Display the rIDAvailablePool attribute, which specifies the space from which RID pools are allocated.
dsquery * "cn=rid manager$,cn=system,dc=domain,dc=com" -attr ridAvailablePool
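Display a list of users who have not logged on since 1.11.2010. The filter value is a Windows FILETIME (100-nanosecond intervals since 1 January 1601 UTC). Note that lastLogonTimestamp is replicated only periodically, so with default settings it can lag the real last logon by up to roughly two weeks.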
dsquery * "ou=users,dc=domain,dc=com" -filter "(&(objectCategory=user)(lastLogonTimestamp<=129330396000000000))" | dsget user -samid
Search for a computer on the network by description - useful if the description contains the user's full name
dsquery computer -desc *smith* | dsget computer -samid -desc
List groups a user is a member of
dsquery user -samid *userlogin* |dsget user -memberof -expand
dsquery user -samid *userlogin* |dsget user -memberof -expand |dsget group -samid
This command returns the user accounts whose "Hide from Exchange address lists" parameter is FALSE
dsquery * "ou=users,dc=myDomain,dc=cz" -limit 1000 -attr distinguishedName showInAddressBook | findstr /i "global"
Display all user attributes
dsquery * "ou=users,dc=myDomain,dc=cz" -attr *
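Change the MaxPageSize value to 3000 (default 1000). MaxPageSize is one of the LDAP administration limits that keep expensive queries from overloading a domain controller, so raise it only as far as needed.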
C:\Temp\x>type change.txt
dn: CN=Extended Timeout,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=X
changetype: add
instanceType: 4
lDAPAdminLimits: MaxPageSize=3000
objectClass: queryPolicy
C:\Temp\x>ldifde -i -f change.txt -v -c DC=X "DC=domena,DC=cz"
Connecting to "server1.domena.cz"
Logging in as current user using SSPI
Importing directory from file "change.txt"
Loading entries
1: CN=Extended Timeout,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domena,DC=cz
Entry modified successfully.
1 entry modified successfully.
The command has completed successfully
http://support.microsoft.com/default.aspx?scid=kb;en-us;315071&sd=tech
Script disables a user account and removes it from all groups in its memberOf attribute except „Domain Users“.
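@echo off
rem Disable a domain user account and remove it from every group returned by
rem "dsget user -memberof" except "Domain Users".
rem Input : the login (sAMAccountName), typed at the "Login :" prompt.
rem Output: <login>.log in the current directory - a timestamp and the group
rem         list before the change, then a timestamp and the list after it.
rem Needs : dsquery, dsget and net on the PATH, and rights to modify the account.
setlocal enableextensions enabledelayedexpansion

rem Scratch file goes to %TEMP% under a randomised name instead of a fixed
rem temp1.txt in the current directory, so it cannot clobber or pick up an
rem unrelated file that happens to be there.
set "tmp1=%TEMP%\memberof_%RANDOM%%RANDOM%.txt"

:user
set "user="
set /p "user=Login :"
if not defined user goto user

rem Allow-list check on the login before it reaches any command line or file
rem name. Everything below expands %user% unescaped, and dsquery -samid treats
rem * as a wildcard, so only plain account-name characters are accepted.
rem Extend the delims list if your logins legitimately use other characters.
set "bad="
rem ';' is tested separately because it is the default eol character of for /f.
if not "!user:;=!"=="!user!" set "bad=1"
rem The for body runs only if something other than an allowed character remains.
for /f "delims=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-" %%c in ("!user!") do set "bad=1"
if defined bad (
  echo Login may contain only letters, digits, dot, underscore and hyphen.
  goto user
)

:start
set "log=%user%.log"
echo [%date% %time%] >> "%log%"

rem Stop here if the account could not be disabled (unknown login, missing
rem rights): stripping groups from an account that is still active would leave
rem a half-finished change that looks complete in the log.
net user "%user%" /active:no /domain
if errorlevel 1 (
  echo Could not disable "%user%" - group memberships left unchanged.
  echo Could not disable "%user%" - group memberships left unchanged. >> "%log%"
  goto :eof
)

rem Record the memberships as they are before anything is removed.
dsquery user -samid "%user%" | dsget user -memberof | dsget group -samid > "%tmp1%"
type "%tmp1%" >> "%log%"

rem Walk the dsget output line by line. tokens=* with a space delimiter drops
rem the leading padding; the inner loop drops the trailing padding.
for /f "usebackq tokens=* delims= " %%x in ("%tmp1%") do (
  set "str=%%x"
  for /l %%a in (1,1,256) do if "!str:~-1!"==" " set "str=!str:~0,-1!"
  rem Skip the column header, the status trailer and Domain Users by exact
  rem match. A substring filter would also skip, and so silently keep, any
  rem group whose name merely contains one of these words.
  rem NOTE(review): assumes the header and trailer are padded with spaces only.
  set "skip="
  if /i "!str!"=="samid" set "skip=1"
  if /i "!str!"=="dsget succeeded" set "skip=1"
  if /i "!str!"=="domain users" set "skip=1"
  if not defined skip (
    rem The group type is not known here, so both commands are tried; the one
    rem that does not apply simply reports an error.
    net group "!str!" "%user%" /delete /domain
    net localgroup "!str!" "%user%" /delete /domain
  )
)

rem Record what is left so the log shows whether any removal failed.
echo. >> "%log%" & echo [%date% %time%] >> "%log%"
dsquery user -samid "%user%" | dsget user -memberof | dsget group -samid >> "%log%"
del /f /q "%tmp1%"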