Dsget user
Applies To: Windows Server 2008
Displays the properties of a user in the directory. There are two variations of this command. The first variation displays the properties of multiple users. The second variation displays the group membership information of a single user.
Dsget is a command-line tool that is built into Windows Server 2008. It is available if you have the AD DS server role installed. To use dsget, you must run the dsget command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
For examples of how to use this command, see Examples.
Syntax
dsget user <UserDN> [-dn] [-samid] [-sid] [-upn] [-fn] [-mi] [-ln] [-display] [-empid] [-desc] [-office] [-tel] [-email] [-hometel] [-pager] [-mobile] [-fax] [-iptel] [-webpg] [-title] [-dept] [-company] [-mgr] [-hmdir] [-hmdrv] [-profile] [-loscr] [-mustchpwd] [-canchpwd] [-pwdneverexpires] [-disabled] [-acctexpires] [-reversiblepwd] [{-uc | -uco | -uci}] [-part <PartitionDN> [-qlimit] [-qused]]
dsget user <UserDN> [-memberof] [-expand][{-uc | -uco | -uci}]
Parameters
Parameter | Description |
---|---|
<UserDN> (first variation) |
Required. Displays the distinguished names of the user objects that you want to view. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command. Compare this parameter with UserDN in the second variation. |
-dn |
Displays the distinguished names of the users. |
-samid |
Displays the Security Account Manager (SAM) account names of the users. |
-sid |
Displays the user security identifiers (SIDs). |
-upn |
Displays the user principal names (UPNs) of the users. |
-fn |
Displays the first names of the users. |
-mi |
Displays the middle initials of the users. |
-ln |
Displays the last names of the users. |
-display |
Displays the display names of the users. |
-empid |
Displays the employee IDs of the users. |
-desc |
Displays the descriptions of the users. |
-full |
Displays the full names of the users. |
-office |
Displays the office locations of the users. |
-tel |
Displays the telephone numbers of the users. |
Displays the e-mail addresses of the users. |
|
-hometel |
Displays the home telephone numbers of the users. |
-pager |
Displays the pager numbers of the users. |
-mobile |
Displays the mobile phone numbers of the users. |
-fax |
Displays the fax numbers of the users. |
-iptel |
Displays the user IP phone numbers. |
-webpg |
Displays the user Web page URLs. |
-title |
Displays the titles of the users. |
-dept |
Displays the departments of the users. |
-company |
Displays the company information of the users. |
-mgr |
Displays the managers of the users. |
-hmdir |
Displays the drive letter to which the home directory of the user is mapped to if the home directory path is a UNC path. |
-hmdrv |
Displays the user's home drive letter if home directory is a UNC path. |
-profile |
Displays the user profile paths. |
-loscr |
Displays the user logon script paths. |
-mustchpwd |
Displays whether users must change their passwords at the time of next logon (yes) or not (no). |
-canchpwd |
Displays whether users can change their password (yes) or not (no). |
-pwdneverexpires |
Displays whether the user passwords never expires (yes) or not (no). |
-disabled |
Displays whether user accounts are disabled for logon (yes) or not (no). |
-acctexpires |
Displays the dates when user accounts expire. If the accounts never expire, this command returns never. |
-reversiblepwd |
Displays whether the user passwords are allowed to be stored using reversible encryption (yes) or not (no). |
<UserDN> (second variation) |
Required. Displays the distinguished name of the user whose group membership you want to view. |
-memberof |
Displays the immediate list of groups of which the user is a member. |
-expand |
Displays the recursively expanded list of groups of which the user is a member. This option takes the immediate group membership list of the user, and then recursively expands each group in this list to determine its group memberships as well to arrive at a complete closure set of the groups. |
{-uc| -uco| -uci} |
Specifies that dsget formats output or input data in Unicode. The following list explains each format.
|
-part <PartitionDN> |
Connects a computer to the directory partition with the distinguished name of PartitionDN. |
-qlimit |
Displays the effective quota of the user within the directory partition that you specify with the -part parameter. |
-qused |
Displays how much of the quota the user has used within the specified directory partition that you specify with the -part parameter. |
/? |
Displays help at the command prompt. |
Remarks
If you do not supply a target object at the command prompt, dsget obtains the target object from standard input (stdin). Dsget can accept stdin from the keyboard, from a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z).
Use dsget to view the properties of a specific object in the directory.
As a result of dsquery searches, you can pipe returned objects to dsget and obtain object properties.
The -canchpwd parameter estimates whether a user can change his password based on the way that it interprets the access control lists (ACLs) on the user object. To know for certain whether a user can change a password, that user must try to change it. This non-authoritative answer is not specific to dsget user. It is also inherent in the User Properties dialog box in Active Directory Users and Computers in Microsoft Management Console (MMC).
If you do not specify property parameters for dsget user, the default user properties that appear are distinguished name, SAM account name, and description.
If you specify the -memberof parameter, it overrides all other parameters and only the membership list for the user appears.
To find users whose passwords are set to never expire, you can use Windows PowerShell. For more information, see Finding Users Whose Passwords Never Expire (https://go.microsoft.com/fwlink/?LinkID=200044).
Examples
To find all users in an organizational unit (OU) named Test whose name starts with "jon" and to show their descriptions, type:
dsquery user OU=Test,dc=ms,dc=tld -name jon* | dsget user -desc
To show the list of groups, recursively expanded, to which the user Mike Danseglio belongs, type:
dsget user "CN=Mike Danseglio,CN=users,dc=ms,dc=tld" -memberof -expand
Additional references
Change History
Date | Revision |
---|---|
August 19, 2010 |
Added a link to more information about how to use Windows PowerShell to find users who have passwords set to never expire. |