Active Directory Forest Wide User Search
I always have to look this up, I’m not sure what is going on with my memory:
dsquery user forestroot -name search When you are working on large Active Directories this is somewhat handy. Just replace search with the name you are after, helpfully it supports wildcard.
Blocking Internet Explorer from Automatically Upgrading Via Windows Update
You have a few options for doing this especially if you are using something like WSUS. However if you aren’t, then a registry change via group policy or logon script is probably the best option. Here is a a registry file that will block automatic upgrade to internet explorer 8 and 9:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\8.0] "DoNotAllowIE80"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\9.0] "DoNotAllowIE90"=dword:00000001 If you are only interested in blocking one version of internet explorer then just remove the appropriate lines.
Quickly find FSMO Roles
Use netdom to find where the current FSMO roles are assigned in Active Directory:
netdom query fsmo This will return something like:
Schema master DC01.local Domain naming master DC02.local PDC DC01.local RID pool manager DC02.local Infrastructure master DC01.local The command completed successfully. The ‘netdom query’ command can also return other useful information. Valid types include:
Server, Workstation, DC, OU and Trust
Finding the Functional Levels of Active Directory
There a quite a few ways of finding the Fuctional levels of Active Directory. Dsquery is a good option as it usually is distributed with windows. This will give you the Domain Functional Level:
dsquery * DC=DOMAIN, DC=LOCAL -scope base -attr msDS-Behavior-Version ntMixedDomain Replace DOMAIN and LOCAL with your directory details. You can check the result with the following table: 0, 0 Windows 2000 Native domain Level 0, 1 Windows 2000 Mixed domain Level 2, 0 Windows 2003 Domain Level 3, 0 Windows 2008 Domain Level 4, 0 Windows 2008 R2 Domain Level To find the Active Directory Schema Version:
Checking for Mangled Attributes in Windows 2000 Forests with Adfind
From link: The Microsoft Exchange 2000 schema defines three non-Request for Comments (RFC)-compliant attributes: houseIdentifier, Secretary, and labeledURI. The Microsoft Windows 2000 InetOrgPerson Kit redefines the Secretary attribute and the labeledURI attribute. The adprep /forestprep command in Microsoft Windows Server 2003 has redefined all three attributes as described in Request for Comments (RFC) 2798. If Exchange 2000 created these three attributes before you ran the Windows 2000 InetOrgPerson Kit, the LdapDisplayName attribute for the houseIdentifier attribute becomes conflicted or mangled after the new RFC-compliant definitions are added by Windows Server 2003 adprep /forestprep replication.
Finding Group Membership from Active Directory with Dsquery
Use the following:
dsquery user -samid "username" | dsget user -memberof -expand The -expand option will include nestled groups.
Finding and Listing Email Addresses from Active Directory Groups with Powershell
Get hold of the excellent Quest Free PowerShell Commands for Active Directory, then once installed use the following command from the powershell (Quest) console:
Get-QADGroupMember group name -Indirect | select name, email Change group name to the AD group you are interested in querying. Indirect will give you results from nestled grouping. This works for distribution groups as well as other types. Use the following to output the results to a csv file:
Creating a Report of ALL SMTP email addresses from Active Directory
Ldifde -d DC=domain,DC=co,DC=uk -r (&(mailnickname=*)) -l proxyAddresses -f Report.txt
Exporting info from AD as CSV
If you want to export AD info as CSV then csvde is the cmd for you, for example:
csvde -s clyde -f users.csv -r objectClass=user -l givenName, sn, name, sAMAccountName
Searching Active Directory
This is a quick way to search Active Directory from the cmd line:
dsquery user -name * -limit 0 Just pop the name or name + wildcard where the * is. If you want to reduce the output to the relative distinguished name then just add:
dsquery user -name * -limit 0 -o rdn