
Viewing Active Directory Groups Using DSGet Group

The dsget utility can be used to view various information about Active Directory catalog objects. In this article we will show how to use the dsget group command to list info about different groups in the AD domain.

To use the dsget command, one of the following must be installed on your computer: the Microsoft Windows Administration Tools Pack, Adminpak.msi (for Windows XP/Windows Server 2003 and below), or the Active Directory Domain Services (AD DS) Tools from the Remote Server Administration Tools (RSAT) package (in modern versions of Windows).

The dsget group command without parameters displays a list of all groups in the Active Directory domain (if there are a large number of groups in the domain, the command will run for a rather long time). To get the properties of a specific AD group, run the following command:

dsget group "CN=Domain Admins,CN=Users,DC=theitbros,DC=com"

The group name must be specified in the DistinguishedName (DN) format.

By default, the group DN and its description are displayed.

The full syntax and the attributes available for the dsget group command are:

dsget group <GroupDN> [-dn] [-samid] [-sid] [-desc] [-secgrp] [-scope] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}] [-part <PartitionDN> [-qlimit] [-qused]]

For example, to find out the group SID, run:

dsget group "CN=Domain Admins,CN=Users,DC=theitbros,DC=com" -sid

To check the group type: Security (yes) or Distribution (no), run:

dsget group "CN=Domain Admins,CN=Users,DC=theitbros,DC=com" -secgrp

Two further optional parameters of the dsget group command let you determine group membership: -members and -memberof. The -members parameter shows which users and groups are included in this group, and the -memberof parameter shows which groups this group belongs to. Suppose you want to list the current members of the Domain Admins group. Run the command:

dsget group "CN=Domain Admins,CN=Users,DC=theitbros,DC=com" -members

To display a complete list of users, including nested groups (recursively), run:

dsget group "CN=Domain Admins,CN=Users,DC=theitbros,DC=com" -members -expand

Similarly, you can get a list of the groups that this group is a member of:

dsget group "CN=Domain Admins,CN=Users,DC=theitbros,DC=com" -memberof -expand

As you can see, the last two commands, when displaying the list of users/groups, return them in DN format, which is not very convenient. Therefore, to get usernames (or other fields) you need to use the command in conjunction with dsget user:

dsget group "CN=Domain Admins,CN=Users,DC=theitbros,DC=com" -members | dsget user -samid -upn -desc

As you remember, the group name for the dsget group command must be specified in the distinguishedName format. In order not to specify the DN of the group, you can use the dsget group command together with the dsquery command. For example, to get a list of users in the ‘Domain Admins’ group and export it to a text file, run the command:

dsquery group -samid "Domain Admins" | dsget group -members > c:\ps\exportgoupmembers.txt

As you can see, now you do not need to specify the group DN.

If you do not know the exact name of the group, you can specify only part of the name and use the wildcard character *. For example, you want to find all the groups whose names begin with NY:

dsquery group -name NY* | dsget group -dn -scope -secgrp

In a similar way, you can list, for example, the email addresses of all users who are members of a group and save the list to a CSV file:

dsquery group -samid "Domain Admins" | dsget group -members | dsget user -email >admin_emails.csv
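The dsquery | dsget group -members pipeline and the -expand switch shown above can also be used to watch a privileged group for unexpected membership changes. The following PowerShell script is an added example, not part of the original article: it saves the expanded member list as a baseline on first run and reports additions and removals on later runs. The baseline path, the parameter names and the Get-EffectiveMembers function name are assumptions.

```powershell
# Added example: drift check for a privileged group's effective membership.
# The baseline path, parameter names and function name are assumptions.
param(
    [string]$GroupSam     = 'Domain Admins',
    [string]$BaselinePath = 'C:\ps\domain_admins_baseline.txt'   # hypothetical path
)

function Get-EffectiveMembers {
    param([string]$SamId)
    # Resolve the group DN with dsquery, then expand nested groups with dsget.
    $raw = dsquery group -samid $SamId | dsget group -members -expand
    if ($LASTEXITCODE -ne 0) { throw "dsget failed for '$SamId'" }
    # dsget prints one quoted DN per line: strip the quotes and drop blank lines.
    $raw | Where-Object { $_ } |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ } |
        Sort-Object -Unique
}

$current = @(Get-EffectiveMembers -SamId $GroupSam)

# First run: record the reviewed membership as the baseline and stop.
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    Set-Content -LiteralPath $BaselinePath -Value $current -Encoding UTF8
    Write-Output "Baseline created: $($current.Count) member(s) of '$GroupSam'."
    return
}

$baseline = @(Get-Content -LiteralPath $BaselinePath | Where-Object { $_ })

# -notcontains compares case-insensitively, which matches how AD treats DNs.
$added   = @($current  | Where-Object { $baseline -notcontains $_ })
$removed = @($baseline | Where-Object { $current  -notcontains $_ })

$added   | ForEach-Object { Write-Output "ADDED   $_" }
$removed | ForEach-Object { Write-Output "REMOVED $_" }

if ($added.Count -or $removed.Count) {
    # Non-zero exit lets a scheduled task or monitoring agent raise an alert.
    exit 1
}
Write-Output "No change: $($current.Count) member(s) of '$GroupSam'."
```

After an approved membership change, delete the baseline file and run the script again to record the new state.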

The post Viewing Active Directory Groups Using DSGet Group appeared first on TheITBros.


