Questions[dsquery](server)

I'm trying to get a list of users that are members of an Active Directory group that are not disabled. The best I've been able to find so far is:

dsquery group -name "Group name" | dsget group -members -expand  | dsget user -samid -disabled -c | findstr /c:" no "

...admitting that the the final 'findstr' is a total hack (and it unfortunately also strips the column headings.)

I have been able to find the following dsquery command that gives a list of all non-disabled users:

dsquery * -filter "(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -limit 0 | dsget user -samid -c

...but adding a memberOf parameter only works for groups the users are immediately members of; it doesn't recurse like dsget group's -expand does.

So is there a way to combine these, or get dsquery to recurse, or have I gone as far as I can without using PowerShell? (Which I can't because its tools depend on Active Directory Web Services which isn't present on Samba-based domain controllers as of Samba 4.9.5 at least.)

After executing some queries (dsquery computer domainroot -stalepwd), using dsquery, I was told this command connects to the available DC and for this reason the results might be untruthful because the DC's do not replicate computer accounts password.

After some research I wasn’t able to understand if this true or not, meaning: When I'm using the command "dsquery computer domainroot -stalepwd" would the result take into account all the DC's information or the one I’m connecting to by default?

Thanks in advance!

JFA

I am trying to create a batch file that asks to enter source samid and destination samid. Then using dsquery and dsget find out what security groups source samid is assigned to and assign destination samid to those security groups using dsmod.

Everything works except the dsmod group command. It doesn't do anything and batch file stops. If I literally put "CN=marketing,OU=test group,DC=abc,DC=com" instead of %%g and "CN=test1,OU=test group,DC=abc,DC=com" instead of %dusercn%, it works fine.

any help would be awesome!!!

thank you.

echo off
echo %date% at %time% 
set /p susername=enter source user name:
set /P dusername=enter destination user name:
echo %susername%
echo %dusername%
set dusercn=
%dusercn%=dsquery user -samid %dusername%
echo %dusercn%
for /f "tokens=*" %%g in ('dsquery user -samid %susername% ^|dsget user -memberof') do (
  dsmod group %%g -addmbr %dusercn%
)
echo completed
pause

How can I find all groups for a specific user (groups for which the user is assigned) using dsquery?

I was wondering if there is a way to update the 'Company' field for a large group of users within Active Directory? I would like to match all users with a company ending in a certain string.

It would take way too long to change this for each user individually.