Tuesday, February 15, 2011

Finding your base DN in Active Directory

I was trying to do an LDAP query against Active Directory and I was unable to get the query to work.  A good tool to use to troubleshoot this is ldp.exe.  It is installed by default on Windows Server 2008, but I believe its on the Windows Server 2003 disc, just not installed by default.  A typical base DN is DC=microsoft, DC=com.  I was using exactly the same logic and it still wasn't working.  I then found a tool called dsquery.

I was able to use dsquery on my 2008 server.  I haven't had a chance to see if runs on Server 2003.  This is how it can be used to help you.

Open a command prompt (Start->Run->cmd).

If you type "dsquery" (Link) you will get what is below: (I modified it a little bit and added Links)

Description: This tool's commands suite allow you to query the directory
according to specified criteria. Each of the following dsquery commands finds
objects of a specific object type, with the exception of dsquery *, which can
query for any type of object:

  • Type "dsquery computer" - 
    • finds computers in the directory.
  • Type "dsquery contact" - 
    • finds contacts in the directory.
  • Type "dsquery subnet" - 
    • finds subnets in the directory.
  • Type "dsquery group" - 
    • finds groups in the directory.
  • Type "dsquery ou" - 
    • finds organizational units in the directory.
  • Type "dsquery site" - 
    • finds sites in the directory.
  • Type "dsquery server" - 
    • finds AD DCs/LDS instances in the directory.
  • Type "dsquery user" - 
    • finds users in the directory.
  • Type "dsquery quota" - 
    • finds quota specifications in the directory.
  • Type "dsquery partition" - 
    • finds partitions in the directory.
  • Type "dsquery *" - 
    • finds any object in the directory by using a generic LDAP query.

For help on a specific command, type "dsquery <ObjectType> /?" where
<ObjectType> is one of the supported object types shown above.
For example, dsquery ou /?.

The dsquery commands help you find objects in the directory that match
a specified search criterion: the input to dsquery is a search criterion
and the output is a list of objects matching the search. To get the
properties of a specific object, use the dsget commands (dsget /?).

The results from a dsquery command can be piped as input to one of the other
directory service command-line tools, such as dsmod, dsget, dsrm or dsmove.

Commas that are not used as separators in distinguished names must be
escaped with the backslash ("\") character
(for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com").

Backslashes used in distinguished names must be escaped with a backslash
(for example,
"CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,DC=com").

To find all computers that have been inactive for the last four weeks and
remove them from the directory:

    dsquery computer -inactive 4 | dsrm

To find all users in the organizational unit
"ou=Marketing,dc=microsoft,dc=com" and add them to the Marketing Staff group:

    dsquery user ou=Marketing,dc=microsoft,dc=com |    dsmod group
        "cn=Marketing Staff,ou=Marketing,dc=microsoft,dc=com" -addmbr

To find all users with names starting with "John" and display his office

    dsquery user -name John* | dsget user -office

To display an arbitrary set of attributes of any given object in the
directory use the dsquery * command. For example, to display the
sAMAccountName, userPrincipalName and department attributes of the object
whose DN is ou=Test,dc=microsoft,dc=com:

    dsquery * ou=Test,dc=microsoft,dc=com -scope base
    -attr sAMAccountName userPrincipalName department

To read all attributes of the object whose DN is ou=Test,dc=microsoft,dc=com:

    dsquery * ou=Test,dc=microsoft,dc=com -scope base -attr *

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.


Hopefully this helped you like it helped me!

UPDATED:  Need to add the full config because we missed 2 things, but here is a page I wanted to link to because it talks about how to deny users by using LDAP.



  1. The dsquery tool is built-in to Windows Server 2003 by default. If you are using Windows XP, Vista or Windows 7 then you will need to install the Server 2003 Admin Pack.

  2. Good post!