Using DSquery to find member of in AD

[DodgeViper]

I'm trying to get a list of what a user is member of i.e. permissions, directory access, groups etc.

I've tried using dsquery but when I run the command "dsquery user" it lists all the users in the domain, but how can I get it to list info about a specific user?

[sc302 Veteran]

I think you want to use dsget. but I don't think it will do what you are looking for. what you want are two different things. One is to scan active directory for group membership the other is to scan folders for directory accessability/permissions. This is where network design really comes into play and understanding how to build one. It sounds as if you are taking over someone elses mess and trying to figure it out, all I can say is get your clicker going. Take a look at what is being shared. You can use the perms command to be able to see what permissions x user has over the computer/server. perms is part of the 2003 resource kit which is free to dl from microsoft.

There is probably a third party tool that has the capability you are looking for, and it will more than likely cost.

How I would do it is look at the groups, find out the members of each group, find out what these members need access to. Look at the shares, see who has access to each share (this can be done by right clicking on my computer and clicking on manage, going into shared folders, then going into shares you can easily see all of the shares on one computer and you can easily manage the shares from here). It is a lot of work, but so is reading a text file and figuring out how to create said text file. Bottom line, it isn't easy, I have done this hundreds of times over (taking over a mess).

[-Viper-]

you need to pipe your commands... try something like this

dsquery user -name "*UserName*" | dsget user -memberOf

what this will do it query AD for a specific user and take the output of that and list what groups the user is a member of.

if you do dsget user /? it will give you everything you can get about the user as well.

Hope that helps

[+BudMan MVC]

I think point sc302 was trying to make - is sure you can find the group memberships of a user, but that is not going to tell you where those groups have permissions or what they are, etc.

You might want to check out

http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx

and

http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx

[sc302 Veteran]

  On 23/06/2010 at 16:12, BudMan said:

I think point sc302 was trying to make - is sure you can find the group memberships of a user, but that is not going to tell you where those groups have permissions or what they are, etc.

You might want to check out

http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx

and

http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx

was I not clear on that?

[+BudMan MVC]

No you were clear, atleast to me - but I took it as the other poster did not catch the meaning of your post, atleast he made no mention that group membership will not give him what I took as what the user was after.

"permissions, directory access, groups etc."

[-Viper-]

Sorry, I was just trying to imply that what I gave him would give him everything he needed, more that he did not want to get a listing of everyone in the domain, but rather one user.

I will go back to my corner and be quiet.