Retrieving Information About Objects with dsget
You can use the dsget command to retrieve information about objects. The dsget command is useful when you want to get a list of group members or user group membership.
Tip
The primary difference between dsquery and dsget is that dsquery retrieves multiple objects that meet given criteria, while dsget retrieves information about a single object whose DN you already know.
| dsget Command | Comments |
|---|---|
| Get a list of members for a group.<br>`dsget group DN -members`<br>`C:\>dsget group "cn=it admins,ou=east,ou=sales,dc=pearson,dc=pub" -members` | Retrieves a list of members of the IT Admins group in the sales\east OU. Figure 8-2 shows the result of this command. |
| List group membership for a user.<br>`dsget user DN [-memberof -expand]`<br>`C:\>dsget user "cn=joe,ou=east,ou=sales,dc=pearson,dc=pub" -memberof`<br>`C:\>dsget user "cn=joe,ou=east,ou=sales,dc=pearson,dc=pub" -memberof -expand` | The -memberof switch shows the direct group membership for a user. The -expand switch includes nested group membership. For example, consider the Domain Users group, which is a member of the Users group. If a user is added to the Domain Users group, the user is indirectly a member of the Users group. The -memberof switch shows the Domain Users group but not the Users group, unless the -expand switch is also included. Figure 8-3 shows the result of this command. |
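As an added example (not from the book), the following PowerShell script wraps the two dsget user calls above and separates the groups a user holds directly from those inherited through nesting, which is the list to review when checking who can effectively exercise a delegated permission. It assumes dsget.exe is on the PATH (the AD DS command-line tools) and the user DN is a constructed example.

```powershell
# Added example, not from the book: list a user's direct groups and the groups
# inherited through nesting, using the dsget user -memberof / -expand switches.
# Assumes dsget.exe is on the PATH (AD DS command-line tools) and that the caller
# can read the directory. The default DN below is a constructed example.
param(
    [string]$UserDn = "cn=joe,ou=east,ou=sales,dc=pearson,dc=pub"
)

function Get-DsgetMemberOf {
    param(
        [Parameter(Mandatory)][string]$Dn,
        [switch]$Expand
    )
    $dsArgs = @('user', $Dn, '-memberof')
    if ($Expand) { $dsArgs += '-expand' }

    $output = & dsget.exe @dsArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dsget failed for '$Dn': $($output -join ' ')"
    }
    # dsget prints one quoted DN per line followed by a 'dsget succeeded' line;
    # keep only the DNs, with the surrounding quotes removed.
    @($output | ForEach-Object { $_.ToString().Trim().Trim('"') } |
        Where-Object { $_ -and $_ -notmatch '^dsget succeeded' })
}

$direct   = Get-DsgetMemberOf -Dn $UserDn
$expanded = Get-DsgetMemberOf -Dn $UserDn -Expand

# Anything in the expanded list that is not in the direct list is reached only
# through nested groups. -notcontains compares strings case-insensitively,
# which is appropriate for DNs.
$indirect = @($expanded | Where-Object { $direct -notcontains $_ })

Write-Output "Direct membership for $UserDn ($($direct.Count)):"
$direct   | ForEach-Object { Write-Output "  $_" }
Write-Output "Indirect (nested) membership ($($indirect.Count)):"
$indirect | ForEach-Object { Write-Output "  $_" }
```

Run it as a domain user with read access to the directory; the indirect list is empty when the user's groups are not nested in any other group.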
Viewing and Modifying AD Permissions with dsacls
Every object in Active Directory Domain Services (AD DS) has an access control list (DS ACL), which is a list of access control entries (ACEs). Each ACE includes the security identifier (SID) of an account and the permission. This is the same information shown on the Security tab of any AD DS object in Active Directory Users and Computers (ADUC), as shown in Figure 3.

Figure 3 shows the permissions assigned to the East OU. Even though these permissions are assigned by SID, ADUC looks up each SID to identify and display the corresponding user and group names.
Tip
The Security tab is not shown by default. If it isn't visible, select View and then Advanced Features to enable the Security tab (and other advanced features).
| dsacls Command | Comments |
|---|---|
| Show permissions for an object.<br>`dsacls DN`<br>`C:\>dsacls "ou=east,ou=sales,dc=pearson,dc=pub"` | You can view the permissions on any AD DS object simply by entering its DN after dsacls. The example shows the permissions on the sales\east OU. |
| Reset default permissions.<br>`dsacls DN -resetdefaultdacl`<br>`C:\>dsacls "ou=east,ou=sales,dc=pearson,dc=pub" -resetdefaultdacl` | If you made a mistake when modifying permissions on an object, you can always return it to the original permissions with the -resetdefaultdacl switch. |
Note
You can do much more with the dsacls command, but it's rare that you need to do so from a script. For example, you can use an in-depth dsacls command to grant a group permission to change passwords for users in an OU. However, it's much easier to do so with the Delegation of Control Wizard in ADUC: right-click any OU and select Delegate Control.