Using DSQUERY to get the members of a Group in AD

Discussion in 'Active Directory' started by Bob Randall, Apr 6, 2005.

  1. Bob Randall

    Bob Randall Guest

    Can anyone give me the correct syntax (if it exists) to use the DSQUERY
    command line tool to query the members of a specific group in AD? I have
    tried many combinations and I can't seem to figure it out. I tried:

    dsquery user OU=xxx, DC=yyy,DC=ZZZ

    but I don't know what should go after that. I also tried the dsquery group
    method with no luck. Does anyone know the correct way??


    Bob Randall
    Bob Randall, Apr 6, 2005

  2. Bob Randall

    ptwilliams Guest

    C:\>dsget group "CN=GroupName,DC=domain-name,DC=com" -members

    If you need to specify a server and/or credentials, append the following on
    the end:

    -s dc01 -u userName -p *
    ptwilliams, Apr 6, 2005

  3. Bob Randall

    Bob Randall Guest

    Perfect - thanks a lot!
    Bob Randall, Apr 6, 2005
  4. Bob Randall

    ptwilliams Guest

    No problem! :)
    ptwilliams, Apr 6, 2005
  5. Bob Randall

    Mik Guest

    I am trying the same thing but I keep getting this error:

    dsget failed:A referral was returned from the server.

    Any ideas what this is?
    Mik, Feb 6, 2006
  6. What command are you typing?
    Paul Williams [MVP], Feb 7, 2006
  7. Bob Randall

    Mik Guest

    dsget group "CN=Group,CN=users,DC=domain,DC=ca" -members
    Mik, Feb 7, 2006
  8. Bob Randall

    Mik Guest

    We are running AD (2003) in native mode and Exchange 2003 in mixed mode with
    2 Exch 5.5 servers. It is a simple single domain forest with about 2000

    Not sure what else may help?


    Mik, Feb 8, 2006
  9. Weird. I can't see why that command won't work. Unless the domain you are
    using is different to your DNS domain?

    Try the same thing with adfind (download from

    adfind -b cn=group,cn=users,dc=domain-name,dc=com member -nodn
    Paul Williams [MVP], Feb 10, 2006
  10. Bob Randall

    DA Guest

    I get that with scripts that enumerate objects in AD when I run the script
    logged on to a domain different from that I'm trying to search. Try it first
    making sure you're logged on to the domain you're searching and you might
    have it work doing the command as a batch file and doing "run as" and
    specifying creds in the search domain.
    DA, Jun 22, 2006
  11. After checking the dsquery syntax help at a command prompt, I got:

    dsquery user "ou=Sales,ou=West,dc=MyDomain,dc=com" -inactive 4

    This queries for users in the specified OU that have not logged on in the
    last 4 weeks. However, the domain must be at Windows 2003 functional level
    for this to work. Otherwise you can use:

    dsquery user "ou=Sales,ou=West,dc=MyDomain,dc=com" -stalepwd 30

    to find users that have not changed their password in the specified number
    of days. Or, if your domain does not support -inactive and you don't want to
    use -stalepwd, you can run a VBScript program that retrieves the lastLogon
    attribute for all users. Such a program must query every Domain Controller
    in the domain. See this link: Logon.htm
    Richard Mueller [MVP], Nov 11, 2009
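
The per-DC lastLogon query described in the last post, as an added PowerShell example that is not part of the thread and not the linked VBScript. It assumes the ActiveDirectory module (RSAT) is installed and reuses the post's example OU and 4-week threshold.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumed values: the example OU from the post and the same 4-week threshold.
$SearchBase = 'ou=Sales,ou=West,dc=MyDomain,dc=com'
$Cutoff     = (Get-Date).AddDays(-28)

# lastLogon is not replicated: each DC stores only the logons it handled itself,
# so the true value for a user is the maximum across all DCs in the domain.
$latest = @{}
foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $users = Get-ADUser -Filter * -SearchBase $SearchBase -Server $dc.HostName -Properties lastLogon -ErrorAction Stop
    } catch {
        # A skipped DC may hold the most recent logon, so results can understate activity.
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($u in $users) {
        $dn    = $u.DistinguishedName
        $ticks = [int64]$u.lastLogon   # unset or 0 means no logon recorded on this DC
        if (-not $latest.ContainsKey($dn) -or $ticks -gt $latest[$dn]) {
            $latest[$dn] = $ticks
        }
    }
}

# Convert the FILETIME value and keep accounts with no logon since the cutoff.
$latest.GetEnumerator() | ForEach-Object {
    $when = if ($_.Value -gt 0) { [DateTime]::FromFileTime($_.Value) } else { $null }
    [pscustomobject]@{ DistinguishedName = $_.Key; LastLogon = $when }
} | Where-Object { -not $_.LastLogon -or $_.LastLogon -lt $Cutoff } |
    Sort-Object LastLogon
```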