
Handy CMD commands

FSMO Roles
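REM The tool is "ntdsutil" and the menu is "roles"; the words were run together on the page. ntdsutil accepts unique prefixes, so "conn server" stands for "connected server".
ntdsutil roles Connections "Connect to server %logonserver%" Quit "select Operation Target" "List roles for conn server" Quit Quit Quit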
 
Domain Controllers
Nltest /dclist:%userdnsdomain%
 
Domain Controller IP Configuration
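REM for /f executes the parenthesised text only when it is in single quotes; ("...") is parsed as a literal string, so the original never ran dsquery.
REM This is the interactive form (%i); inside a .bat/.cmd file write %%i. psexec installs a temporary service on each DC, so it needs admin rights on every one.
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do psexec \\%i ipconfig /all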
 
Stale computer accounts (180 days)
dsquery computer domainroot -stalepwd 180 -limit 0
 
Stale user accounts (180 days)
dsquery user domainroot -stalepwd 180 -limit 0
 
Disabled user accounts
dsquery user domainroot -disabled -limit 0
 
To get users' emails from AD based on users listed in a text file

for /f %i in (AdUsers.txt) do @dsquery user -samid %i|dsget user -empid -email>>C:/temp/user-email.txt

 
To get all users' emails

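REM %i is a for-loop variable and is unbound outside a loop (copied from the per-user command above); enumerate every user with -limit 0 instead (0 = no result cap).
dsquery user -limit 0|dsget user -empid -email -L>>C:/temp/user-email.txt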


To find member of AD group

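REM The page rendered the switch as an en dash; dsquery only understands "-name". -name matches the group's name (wildcards allowed), and dsget then prints the member DNs.
dsquery group -name "<group name>" | dsget group -members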

 
To find members of an AD group in the current domain

dsquery * domainroot -filter "(&(objectClass=group)(name=SCCM_Admins))" -l -d %USERDNSDOMAIN% -attr member

 
To find group membership of current user

dsquery * domainroot -filter "(samAccountName=%USERNAME%)" | dsget user -memberof

 
To find group membership of disabled users

dsquery user domainroot -limit 0 -disabled | Dsget user -memberof  

    
AD Database disk usage
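REM The command in for /f must be single-quoted; ("...") is taken as a literal string. admin$\ntds holds the AD database, so this needs admin rights on each DC.
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do dir \\%i\admin$\ntds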
 
Global Catalog Servers from DNS
dnscmd %logonserver% /enumrecords %userdnsdomain% _tcp | find /i "3268"
 
Global Catalog Servers from AD
REM nTDSDSA objects are the DC settings objects under Configuration; options bit 1 marks the DC as a Global Catalog.
REM :1.2.840.113556.1.4.803:= is the LDAP bitwise-AND matching rule. Replace DC=forestRootDomain with the forest root DN.
dsquery * "CN=Configuration,DC=forestRootDomain" -filter "(&(objectCategory=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))"
 
Users with no logon script
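REM Spaces were lost around -filter and -limit; without them dsquery sees one unknown switch. (!scriptPath=*) selects users with no logon script set.
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(!scriptPath=*))" -limit 0 -attr sAMAccountName sn givenName pwdLastSet distinguishedName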
 
User accounts with no pwd required
REM userAccountControl bit 32 = PASSWD_NOTREQD; such accounts may carry an empty password regardless of domain policy, so review every hit.
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32))"
 
User accounts with no pwd expiry (service accounts)
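REM A space was missing after -filter. Bit 65536 = DONT_EXPIRE_PASSWORD; these are usually service accounts and deserve a periodic review of their rights and password age.
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"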
 
User accounts that are disabled
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=2))"
 
Find DN of Currently Logged On User
dsquery * domainroot -filter "(samAccountName=%USERNAME%)"

Find User With Primary Email Address
dsquery * domainroot -filter "(&(objectClass=User) (mail=<email address>))" -l -d <domain> -attr *

Find User With Any Email Address
dsquery * domainroot -filter "(&(objectClass=User) (proxyAddresses=*<email address>*))" -l -d <domain> -attr *
 
List All Computer Objects

dsquery * domainroot -filter "(objectClass=Computer)" -attr name -l -d <domain>


List Computer Objects in a Specific OU
dsquery * "<base DN>" -filter "(objectClass=Computer)" -attr name -l -d <domain>
 
List all groups of a computer account without giving the DNs

dsquery computer -name computername1 | dsget computer -memberof | dsget group -samid

 
List all enabled computer accounts in an OU

dsquery computer OU=Test,DC=mydc,DC=com -limit 0 | dsget computer -dn -disabled | find /i " no"

 
List All Domain Controllers
dsquery * "ou=domain controllers,<domain DN>" -filter "(objectClass=Computer)" -attr name -l -d <domain>

Find DN of Computer Object in Current Domain
dsquery computer domainroot -name <computername>
 
DNS Information
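REM for /f only runs the command when it is single-quoted; ("...") is a literal string.
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do dnscmd %i /info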
 
DNS Zone Detailed information
dnscmd /zoneinfo %userdnsdomain%
 
Garbage Collection and tombstone
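REM The container is "cn=Windows NT" (with a space) and -attr needs a space before the attribute name; both were lost on the page.
dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,DC=forestRootDomain" -attr garbageCollPeriod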
 
Netsh authorised DHCP Servers

netsh dhcp show server 

 
DSQuery authorised DHCP Servers
Dsquery * "cn=NetServices,cn=Services,cn=Configuration, DC=forestRootDomain" -attr dhcpServers
 
DHCP server information  

netsh dhcp server \\DHCP_SERVER show all

 
DHCP server dump
netsh dhcp server \\DHCP_SERVER dump
 
Active DHCP leases
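REM Inner for /f must single-quote its command and escape the pipe as ^|; "netsh dhcp" and "server \\%i" were run together on the page.
REM delims=- with a trailing space makes %j the scope address (first column of "show scope").
for /f %i in (DHCPServers.txt) do for /f "delims=- " %j in ('netsh dhcp server \\%i show scope ^| find /i "active"') do netsh dhcp server \\%i scope %j show clientsv5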
 
DHCP Server Active Scope Info
For /f %i in (DHCPServers.txt) do netsh dhcp server \\%i show scope | find /i "active"

Resolve DHCP clients hostnames
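REM One command; the page wrapped it over three lines. Replace the placeholder with the file holding the DHCP client list; %j is the address nslookup resolves.
REM The inner for /f command must be single-quoted with the pipe escaped as ^|.
for /f "tokens=1,2,3 delims=," %i in (<output from "Find Subnets from DHCP clients">) do @for /f "tokens=2 delims=: " %m in ('nslookup %j ^| find /i "Name:"') do echo %m,%j,%k,%i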

WINS server information
Netsh wins server \\WINS_SERVER dump
 
Group Policy Verification Tool
gpotool.exe /checkacl /verbose
 
AD OU computer membership
dsquery computer -limit 0
 
AD OU user membership
dsquery user -limit 0
 
List Service Principal Names
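REM for /f only runs the command when it is single-quoted; ("...") is a literal string.
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do setspn -L %i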
 
Compare DC Replica Object Count
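REM The page rendered every dash as "?"; dsastat switches are -s: (servers, ; separated), -b: (domain), -gcattrs:, -p: (page size).
dsastat -s:DC1;DC2;… -b:Domain -gcattrs:objectclass -p:999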
 
Check AD ACLs
acldiag dc=domainTree
 
NTFRS Replica Sets
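REM for /f only runs the command when it is single-quoted; ("...") is a literal string.
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do ntfrsutl sets %i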
 
NTFRS DS View
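REM for /f only runs the command when it is single-quoted; ("...") is a literal string.
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do ntfrsutl ds %i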
 
Domain Controllers per site
Dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -filter (objectCategory=Server)
 
DNS Zones in AD
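REM for /f only runs the command when it is single-quoted; ("...") is a literal string. -s %i targets each DC in turn.
for /f %i in ('dsquery server -o rdn') do dsquery * -s %i domainroot -filter (objectCategory=dnsZone)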
 
Enumerate DNS Server Zones
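REM for /f only runs the command when it is single-quoted; ("...") is a literal string.
for /f %i in ('dsquery server -o rdn') do dnscmd %i /enumzones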
 
Subnet information
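REM The dash was rendered as "?"; -limit 0 removes the default result cap.
dsquery subnet -limit 0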
 
List Organisational Units
Dsquery OU
 
ACL on all OUs
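REM for /f only runs the command when it is single-quoted. delims=| keeps each quoted DN as a single token even though DNs contain spaces and commas.
for /f "delims=|" %i in ('dsquery OU') do acldiag %i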
 
Domain Trusts
nltest /domain_trusts /v
 
Print DNS Zones  

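REM The tool is dnscmd (the page lost the "dns" prefix); /zoneprint dumps every record of the zone. Replace DNSServer and DNSZone with real values.
dnscmd DNSServer /zoneprint DNSZone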

 
Find two online PCs per subnet
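REM Each input row is split on "," into %i..%l, where %l is the subnet column. The per-subnet count is read from TwoClientsPerSubnet.txt,
REM so a hit has to be appended to that file: without ">> TwoClientsPerSubnet.txt" the count stays 0 and every online PC is printed, not two.
REM find /c prints a blank line then "---------- FILE: N", hence skip=1 and tokens=3. ping exits 0 on any reply, so the "(0% loss" count is used instead.
REM for /f commands must be single-quoted with pipes escaped as ^|; "tokens=1,2,3,4 delims" and "ping -n 1" had lost their spaces on the page.
echo. > TwoClientsPerSubnet.txt & for /f "tokens=1,2,3,4 delims=, " %i in ('find /i "pc" "<output from Resolve DHCP clients hostnames>"') do for /f "tokens=3 skip=1 delims=: " %m in ('find /i /c "%l" TwoClientsPerSubnet.txt') do if %m LEQ 1 for /f %p in ('ping -n 1 %i ^| find /i /c "(0% loss"') do if %p==1 echo %i,%j,%k,%l >> TwoClientsPerSubnet.txt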
 
AD Subnet and Site Information
dsquery * "CN=Subnets,CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn siteObject description location
 
AD Site Information
dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn description location -filter (objectClass=site)
 
Printer Queue Objects in AD
dsquery * domainroot -filter "(objectCategory=printQueue)" -limit 0

Group Membership with user details
dsget group "groupDN" -members | dsget user -samid -fn -mi -ln -display -empid -desc -office -tel -email -title -dept -mgr
 
Total DHCP Scopes
find /i "subnet" "Output from DHCP server information" | find /i "subnet"
 
Site Links and Cost
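REM "cost" and "description" are two attributes; they were fused on the page. replInterval is minutes between replications, siteList the sites joined by the link.
dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn cost description replInterval siteList -filter (objectClass=siteLink)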
 
Time gpresult
timethis gpresult /v
 
Check time against Domain
w32tm /monitor /computers:ForestRootPDC
 
Domain Controller Diagnostics
dcdiag /s:%logonserver% /v /e /c
 
Domain Replication Bridgeheads
repadmin /bridgeheads
 
Replication Failures from KCC
repadmin /failcache
 
Inter-site Topology servers per site
Repadmin /istg * /verbose
 
Replication latency
repadmin /latency /verbose
 
Queued replication requests
repadmin /queue *
 
Show connections for a DC
repadmin /showconn *
 
Replication summary
Repadmin /replsummary
 
Show replication partners
repadmin /showrepl * /all
 
All DCs in the forest
repadmin /viewlist *
 
ISTG from AD attributes
dsquery * "CN=NTDS Site Settings,CN=siteName,CN=Sites,CN=Configuration,DC=forestRootDomain" -attr interSiteTopologyGenerator
 
Return the object if KCC Intra/Inter site is disabled for each site
Dsquery site | dsquery * -attr * -filter "(|(Options:1.2.840.113556.1.4.803:=1)(Options:1.2.840.113556.1.4.803:=16))"
 
Find all connection objects
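REM The dash before attr was rendered as "?". forestroot searches the whole forest; fromServer names the replication source of each connection object.
dsquery * forestRoot -filter (objectCategory=nTDSConnection) -attr distinguishedName fromServer whenCreated displayName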
 
Find all connection schedules
adfind -b "cn=Configuration,dc=qraps,dc=com,dc=au" -f "objectcategory=ntdsConnection" cn Schedule -csv

Software Information for each server
 
Check Terminal Services Delete Temp on Exit flag
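REM The key is "Control\Terminal Server" (with a space) and "reg query" needs a space before its argument; both were lost on the page.
REM Replace the placeholder with a file of DC host names; nltest /dclist output includes a header and annotations, so trim it to bare names first (presumably — verify).
for /f %i in (<output from "Domain Controllers">) do reg query "\\%i\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v DeleteTempDirsOnExit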
 
For each XP workstation, query the current site and what Group Policy info  

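REM Restored the spaces lost on the page (-filter "...", "Windows XP Professional", /f %i, ErrorLevel 0) and the for /f command quoting ('...' with ^| for pipes).
REM ping also exits 0 on a "Destination host unreachable" reply, so the ErrorLevel test is only a rough liveness check.
REM dsquery -attr prints a header row ("cn"); that name should fail the ping and be skipped. %k = DC that last applied policy, %m = site name.
@dsquery * domainroot -filter "(&(objectCategory=Computer)(operatingSystem=Windows XP Professional))" -limit 0 -attr cn > Workstations.txt & @for /f %i in (Workstations.txt) do @ping %i -n 1 >NUL & @if ErrorLevel 0 if not ErrorLevel 1 @echo %i & for /f "tokens=3" %k in ('reg query "\\%i\hklm\software\microsoft\windows\currentversion\grouppolicy\history" /v DCName ^| find /i "DCName"') do @for /f %m in ('nltest /server:%i /dsgetsite ^| find /i /v "completed successfully"') do @echo %i,%k,%m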

 
Information on existing GPOs  
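REM Spaces were lost after -filter and between "cn" and "whenCreated". gPCFileSysPath is the SYSVOL folder holding each GPO's files.
dsquery * "CN=Policies,CN=System,domainRoot" -filter "(objectCategory=groupPolicyContainer)" -attr displayName cn whenCreated gPCFileSysPath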
 
 Copy all Group Policy .pol files

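REM The dir command must be single-quoted for for /f to run it, and "dir /b /s \\..." and "copy \\..." need their spaces back.
REM Splitting the full path on "\" gives %m = policy GUID and %n = Machine/User, so each file is copied as GUID_Machine.pol. Drop the leading "echo" to actually copy.
for /f "tokens=1-8 delims=\" %i in ('dir /b /s \\%userdnsdomain%\sysvol\%userdnsdomain%\policies\*.pol') do @echo copy \\%i\%j\%k\%l\%m\%n\%o %m_%n.pol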

 
Domain Controller Netlogon entries
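REM for /f only runs the command when single-quoted; "reg query \\%i" also needs its space. Lists the Netlogon parameters (e.g. SysvolReady) of every DC.
for /f %i in ('dsquery server /o rdn') do echo %i & reg query \\%i\hklm\system\currentcontrolset\services\netlogon\parameters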
 
WINS Statistics
for /f "tokens=1,2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i show statistics
 
WINS Record counts per server
for /f "tokens=1,2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i show reccount %i
 
WINS Server Information
for /f "tokens=2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i show info
 
WINS Server Dump
for /f "tokens=2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i dump
 
WINS Static Records per Server
netsh wins server \\LocalWINSServer show database servers={} rectype=1
 
Find policy display name given the GUID
dsquery * "CN=Policies,CN=System,DC=domainRoot" -filter (objectCategory=groupPolicyContainer) -attr Name displayName
 
Find empty groups
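REM The AND filter needs its outer parentheses "(&...)", and "0 -attr" / "sAMAccountName distinguishedName" had lost their spaces.
dsquery * -filter "(&(objectCategory=group)(!member=*))" -limit 0 -attr whenCreated whenChanged groupType sAMAccountName distinguishedName memberOf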
 
Find remote NIC bandwidth
wmic /node:%server% path Win32_PerfRawData_Tcpip_NetworkInterface GET Name,CurrentBandwidth
 
Find remote free physical memory
wmic /node:%Computer% path Win32_OperatingSystem GET FreePhysicalMemory
 
Find remote system information
SystemInfo /s %Computer%
 
Disk statistics, including the number of files on the filesystem
chkdsk /i /c
 
Query IIS web sites
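REM "sweb" is not a tool; the IIS 6 admin script is iisweb (iisweb.vbs), whose /query lists sites. It must be installed on the machine running the command.
iisweb /s %Server% /query "Default Web Site"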
 
Check port state and connectivity
portqry -n %server% -e %endpoint% -v
 
Forest/Domain Functional Levels via ldifde
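REM ldifde switches take a space before their argument: -r filter, -l attribute list, -p scope, -f output file ("con" = console). msDS-Behavior-Version is the functional level.
REM The filter should return the Partitions container (forest level) plus each domain crossRef (domain level) — verify against your forest.
ldifde -d cn=partitions,cn=configuration,dc=%domain% -r "(|(systemFlags=3)(systemFlags=-2147483648))" -l msds-behavior-version,dnsroot,ntmixeddomain,NetBIOSName -p subtree -f con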
 
Forest/Domain Functional Levels
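REM Spaces were missing after -filter and -attr. Same query as the ldifde version above; msDS-Behavior-Version holds the functional level.
dsquery * cn=partitions,cn=configuration,dc=%domain% -filter "(|(systemFlags=3)(systemFlags=-2147483648))" -attr msDS-Behavior-Version Name dnsroot ntmixeddomain NetBIOSName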
 
Find the parent of a process
wmic path Win32_Process WHERE Name="notepad.exe" GET Name,ParentProcessId
 
Lookup SRV records from DNS
nslookup -type=srv _ldap._tcp.dc._msdcs.{domainRoot}
 
Find when the AD was installed
dsquery * cn=configuration,DC=forestRootDomain -attr whencreated -scope base
 
Enumerate the trusts from the specified domain
dsquery * "CN=System,DC=domainRoot" -filter "(objectClass=trustedDomain)" -attr trustPartner flatName
 
Find a DC for each trusted domain
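REM for /f runs the command only when single-quoted; "-filter (objectClass=...)" also needs its space. skip=1 drops dsquery's "trustPartner" header row.
for /f "skip=1" %i in ('dsquery * CN=System,DC=domainRoot -filter (objectClass=trustedDomain) -attr trustPartner') do nltest /dsgetdc:%i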
 
Check the notification packages installed on all DCs
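REM Both for /f commands must be single-quoted with the pipe escaped as ^|; "in (", "reg query \\" and "/v " had lost their spaces.
REM "Notification Packages" is two words, so the REG_MULTI_SZ value is the 4th token. The DLLs listed here load into LSASS on every DC; treat any entry you did not deploy as a finding.
for /f %i in ('dsquery server /o rdn') do @for /f "tokens=4" %m in ('reg query \\%i\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages" ^| find /i "Notification"') do @echo %i,%m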
 
List ACLs in SDDL format
setacl -on %filepath% -ot file -actn list -lst f:sddl
 
Find out if a user account is currently enabled or disabled
REM %userdnsdomain:.=,DC=% replaces every "." in the DNS domain name with ",DC=", so corp.example.com becomes corp,DC=example,DC=com and the leading DC= completes the domain DN.
dsquery user DC=%userdnsdomain:.=,DC=% -name %username% | dsget user -disabled -dn
 
Find servers in the domain
dsquery * domainroot -filter "(&(objectCategory=Computer)(objectClass=Computer)(operatingSystem=*Server*))" -limit 0
 
Here is an example of how to gather computer information
::************************************************************************************
:: Get system info to text file
:: Created May 10 2010, by Neven Radic, www.ntcenter.ca
::***********************************************************************************
 
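:: Report path, defined once instead of repeated on every line below.
:: NOTE(review): the root of C: is readable by every local user and the report contains group memberships,
:: RSoP output and installed products; point REPORT at a protected directory before running this on a server or DC.
set REPORT=c:\%COMPUTERNAME%_System_Report.txt
if exist %REPORT% del %REPORT%
:: parm selects the "net" verb used by :Sub (Localgroup now, Group for the DC-only section).
set parm=Localgroup
Echo Geting basic informatin ...
Echo COMPUTERNAME =  %COMPUTERNAME% >>%REPORT%
:: ALVer is not set anywhere in this script; it is expected from the environment and prints blank otherwise.
Echo ALVer = %ALVer% >>%REPORT%
Echo USERDNSDOMAIN = %USERDNSDOMAIN% >>%REPORT%
Echo. >>%REPORT%

Echo ----------------------------------------------------------------------------------------------------- >>%REPORT%
Echo. >>%REPORT%
Echo Geting SCCM Client informatin ...
Echo SCCM Client reports   ------------------------------------------------------------------------------- >>%REPORT%
Echo. >>%REPORT%
:: NOTE(review): the helper scripts are run out of %temp%; anything that can write there can replace them.
:: Keep them in a protected location if this is ever run with elevated rights.
cscript %temp%\SMSClientInfo.vbs >>%REPORT%
Echo Geting SCCM Client AD informatin ...
Echo SCCM Client AD LookUp   ------------------------------------------------------------------------------- >>%REPORT%
cscript %temp%\Client_AD_Tool.vbs >>%REPORT%
Echo. >>%REPORT%
Echo Where computer is in AD: >>%REPORT%
dsquery computer -name %computername% >>%REPORT%
Echo. >>%REPORT%
Echo What groups computer is a member of: >>%REPORT%
dsquery computer -name %computername% | dsget computer -memberof >>%REPORT%

Echo ----------------------------------------------------------------------------------------------------- >>%REPORT%
Echo. >>%REPORT%
Echo RSOP: >>%REPORT%
REM gpresult /H >>c:\%computername%_rsop.html
gpresult /Z >>%REPORT%
Echo ----------------------------------------------------------------------------------------------------- >>%REPORT%
Echo. >>%REPORT%
Echo NETSTAT: >>%REPORT%
REM netstat -a >>%REPORT%

Echo ----------------------------------------------------------------------------------------------------- >>%REPORT%
Echo. >>%REPORT%
Echo Geting Active Services ...
NET START >>%REPORT%
REM WMIC /APPEND:%REPORT% SERVICE
Echo ----------------------------------------------------------------------------------------------------- >>%REPORT%
Echo. >>%REPORT%
Echo Geting installed products ...
:: WMIC PRODUCT enumerates MSI-installed software; it can take a while on large machines.
WMIC /APPEND:%REPORT% PRODUCT
Echo ----------------------------------------------------------------------------------------------------- >>%REPORT%
Echo. >>%REPORT%
Echo Geting system roles ...
ServerManagerCmd.exe -query >>%REPORT%
Echo ----------------------------------------------------------------------------------------------------- >>%REPORT%
Echo. >>%REPORT%
Echo Geting Local Groups Members ... >>%REPORT%
Echo ----------------------------------------------------------------------------------------------------- >>%REPORT%
Echo. >>%REPORT%
:: "net localgroup" lists each group as "*Name"; find "*" keeps those lines and %%* passes the whole line
:: (group names may contain spaces) to :Sub, which strips the leading "*".
for /F "tokens=*" %%* in ('net localgroup ^| find "*"') do call :Sub %%*
set parm=Group
REM Run only on DC
:: for /F "tokens=*" %%* in ('net groups /domain ^| find "*"') do call :Sub %%*
notepad %REPORT%
goto :eof

:: :Sub — append the members of one group to the report.
::   %* : the group line as printed by "net localgroup"/"net groups", including its leading "*".
::   Uses parm (Localgroup or Group) to pick the "net" verb; "more +6" skips the header lines of the net output.
:Sub
set name=%*
echo Group name: %name%
echo %parm% name: %name:~1% >> %REPORT%
net %parm% "%name:~1%" | find /i /v "completed successfully" | more +6 >>%REPORT%
:: Explicit return so that lines added after :Sub later do not become part of the subroutine.
goto :eof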