On Monday I published an article on the importance of FSMO roles. Today let's talk about 5 quick and easy Active Directory queries that can be used to give you valuable information about a Windows domain.
DSQuery
DSQuery is a tool that is built into Windows Server 2003 and Server 2008, so no extra installations are necessary on those platforms. If you are using Windows XP, Vista or Windows 7 then you will need to install the Server 2003 Admin Pack ("Adminpak" on the Microsoft site). When you install it on Windows 7 you will get a warning that can be safely ignored. Some portions of the Admin Pack won't work correctly under Windows 7 but DSQuery works just fine!
Query #1: Domain Computers
Our first query will allow us to retrieve the NetBIOS names of all of the computers in our domain. This list can easily be leveraged in scripts for collecting information, validating settings or updating settings remotely:
dsquery * domainroot -scope subtree -filter objectcategory=computer -attr name -limit 0
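Here is one way to put that list to work, as an added PowerShell example (it is not part of the original post). It runs Query #1, skips the header line dsquery prints when -attr is used, and then pings each computer and pulls the running OS over WMI into a CSV. It assumes dsquery.exe is on the PATH, the session runs as a domain user, and RPC/WMI from the auditing workstation to the clients is allowed; the output file name is an arbitrary choice.

```powershell
# Added example (not part of the original post): run Query #1 from PowerShell
# and use the list to collect a basic inventory of every domain computer.
# Assumptions: dsquery.exe is on the PATH, the session runs as a domain user,
# and WMI/RPC from the auditing workstation to the clients is permitted.

# With -attr, dsquery prints a header line ("  name") before the values,
# so the first line is skipped and the rest are trimmed. The filter is the
# same as Query #1, written in the parenthesised LDAP form.
$raw = & dsquery * domainroot -scope subtree -filter "(objectcategory=computer)" -attr name -limit 0
$computers = $raw | Select-Object -Skip 1 | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }

$inventory = foreach ($name in $computers) {
    $online  = Test-Connection -ComputerName $name -Count 1 -Quiet -ErrorAction SilentlyContinue
    $caption = ''
    $boot    = ''
    if ($online) {
        # Win32_OperatingSystem reports what is actually running, which may differ
        # from the operatingSystem value AD recorded the last time the machine updated it.
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $name -ErrorAction SilentlyContinue
        if ($os) {
            $caption = $os.Caption
            $boot    = $os.ConvertToDateTime($os.LastBootUpTime)
        }
    }
    New-Object PSObject -Property @{
        Computer   = $name
        Online     = [bool]$online
        OSCaption  = $caption
        LastBootUp = $boot
    }
}

# Unreachable hosts keep empty OS columns so the reviewer can see which
# machines could not be validated rather than silently losing them.
$inventory | Sort-Object Computer | Export-Csv -Path .\computer-inventory.csv -NoTypeInformation
```

Hosts that do not answer still get a row: for an auditor, a machine account that exists in AD but never responds is a finding in itself (stale account, or a device that is off the network).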
Query #2: FSMO Roles
In the article on FSMO roles I discussed the meaning and importance of these roles. Here's a list of quick and easy queries that will show you which servers hold the various FSMO roles in your domain:
dsquery server -hasfsmo rid
dsquery server -hasfsmo pdc
dsquery server -hasfsmo name
dsquery server -hasfsmo schema
dsquery server -hasfsmo infr
Query #3: Locked Out Users/Users who Can't Lock Out
The next query will allow us to find users who have not logged in since last being locked out or whose accounts are set to never lock out. Both are very interesting for us as IT auditors!
dsquery * domainroot -filter "(&(objectcategory=person)(objectclass=user)(lockoutTime=*))" -limit 0
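The raw lockoutTime value is not very readable, so here is an added PowerShell example (not from the original post) that runs the same filter with two extra attributes and converts the timestamps. It assumes dsquery.exe is on the PATH and that sAMAccountName values contain no spaces, since dsquery separates -attr columns with whitespace.

```powershell
# Added example (not part of the original post): run Query #3 with two extra
# attributes and turn lockoutTime into readable timestamps so the reviewer can
# tell a recent lockout from a stale one. Assumptions: dsquery.exe is on the
# PATH and sAMAccountName values contain no spaces (dsquery separates -attr
# columns with whitespace, so a name with spaces would be split).
$raw = & dsquery * domainroot -filter "(&(objectcategory=person)(objectclass=user)(lockoutTime=*))" -attr sAMAccountName lockoutTime -limit 0

$rows = $raw | Select-Object -Skip 1 | ForEach-Object {
    $fields = $_.Trim() -split '\s+'
    if ($fields.Count -ge 2) {
        # lockoutTime is a FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
        $ticks = [long]$fields[1]
        if ($ticks -gt 0) {
            $state = 'lockoutTime set'
            $when  = [DateTime]::FromFileTimeUtc($ticks)
        } else {
            # 0 means the attribute exists but the lock was cleared, for example
            # by an administrator unlocking the account; it still matches (lockoutTime=*).
            $state = 'cleared (0)'
            $when  = $null
        }
        New-Object PSObject -Property @{
            Account   = $fields[0]
            State     = $state
            LockedUtc = $when
        }
    }
}

$rows | Sort-Object LockedUtc -Descending | Format-Table Account, State, LockedUtc -AutoSize
```

The split between "set" and "cleared (0)" matters when reading the results: an account that an administrator unlocked keeps a lockoutTime of 0 and therefore still appears in the query output.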
Query #4: Domain Users
Of course, it's extremely useful to be able to pull a list of all of the users in the domain as well. This list can be compared to the list of current employees to quickly and easily determine whether or not accounts are being disabled or deleted appropriately.
dsquery user -limit 0
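The comparison against the employee list is easy to script. The following is an added PowerShell example, not part of the original post: it feeds Query #4 into dsget to get the logon name and disabled flag for every account, then reconciles the enabled accounts against an HR export. It assumes dsquery.exe and dsget.exe are on the PATH, that HR can supply a Username column matching sAMAccountName plus a Status column, and that sAMAccountName values contain no spaces; the two HR rows in the script are constructed for illustration.

```powershell
# Added example (not part of the original post): reconcile Query #4 against an
# HR export. Assumptions: dsquery.exe and dsget.exe are on the PATH, HR can
# supply a list with a Username column that matches sAMAccountName and a Status
# column, and sAMAccountName values contain no spaces. The HR rows below are
# constructed for illustration; in practice use Import-Csv on the HR file.
$hrCsv = @"
Username,Status
jdoe,Active
asmith,Terminated
"@
$hr = ConvertFrom-Csv $hrCsv
$activeHr     = @($hr | Where-Object { $_.Status -eq 'Active' } | ForEach-Object { $_.Username.ToLower() })
$terminatedHr = @($hr | Where-Object { $_.Status -ne 'Active' } | ForEach-Object { $_.Username.ToLower() })

# dsget accepts the DNs that dsquery user emits and prints a header row
# ("samid  disabled"), one "<samid>  yes|no" row per account, and a trailing
# "dsget succeeded" line, which is dropped here.
$raw = & dsquery user -limit 0 | & dsget user -samid -disabled
$adAccounts = $raw | Select-Object -Skip 1 | Where-Object { $_ -and $_ -notmatch '^dsget ' } | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f.Count -ge 2) {
        New-Object PSObject -Property @{ Username = $f[0]; Disabled = ($f[1] -eq 'yes') }
    }
}

$findings = foreach ($acct in $adAccounts) {
    if ($acct.Disabled) { continue }   # disabled accounts are not the concern of this check
    $u = $acct.Username.ToLower()
    $issue = $null
    if ($terminatedHr -contains $u) {
        $issue = 'Enabled account belongs to a terminated employee'
    } elseif ($activeHr -notcontains $u) {
        $issue = 'Enabled account has no HR record (service, shared or orphaned account?)'
    }
    if ($issue) {
        New-Object PSObject -Property @{ Username = $acct.Username; Issue = $issue }
    }
}

$findings | Sort-Object Issue, Username | Export-Csv -Path .\account-reconciliation.csv -NoTypeInformation
```

Two findings come out of this: enabled accounts whose owner HR says has left, and enabled accounts HR has never heard of. The second group is usually service and shared accounts, which should each have a documented owner.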
Query #5: Group Membership Inventory
Our last query allows you to determine both the direct and inherited group memberships for all groups in the domain. Of course, this should be a significant part of any baseline that an auditor generates for an Active Directory. This is fantastic for troubleshooting permission issues but it's also great for keeping track of sensitive group memberships:
dsquery group -limit 0 | dsget group -members -expand
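To make this part of a baseline that can be re-checked, here is an added PowerShell example (not from the original post). Instead of one piped command it calls dsget once per group, so each (Group, Member) pair is recorded explicitly, writes the result to CSV, and on later runs diffs it against the previous file, flagging changes in a list of sensitive groups. It assumes dsquery.exe and dsget.exe are on the PATH; the baseline path and the sensitive-group list are choices to adjust.

```powershell
# Added example (not part of the original post): turn Query #5 into a repeatable
# (Group, Member) baseline and diff each run against the previous one, calling
# out changes in sensitive groups. Assumptions: dsquery.exe and dsget.exe are on
# the PATH; the baseline path and the sensitive-group list are choices to adjust.
$baselinePath = '.\group-members-baseline.csv'
$sensitive    = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Account Operators')

# Calling dsget once per group keeps the group/member relationship explicit,
# which a single piped "dsquery group | dsget group -members" loses.
# dsquery/dsget print DNs wrapped in double quotes; they are trimmed off.
$current = @(foreach ($line in (& dsquery group -limit 0)) {
    $groupDn = $line.Trim().Trim('"')
    if (-not $groupDn) { continue }
    $members = & dsget group $groupDn -members -expand | Where-Object { $_ -and $_ -notmatch '^dsget ' }
    foreach ($m in $members) {
        New-Object PSObject -Property @{ Group = $groupDn; Member = $m.Trim().Trim('"') }
    }
})

if (Test-Path $baselinePath) {
    $previous = @(Import-Csv $baselinePath)
    if ($previous.Count -gt 0 -and $current.Count -gt 0) {
        $changes = Compare-Object -ReferenceObject $previous -DifferenceObject $current -Property Group, Member
        foreach ($c in $changes) {
            $verb = if ($c.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            # Group is a DN, so only its CN is compared against the sensitive list.
            $cn   = ($c.Group -split ',')[0] -replace '^CN=', ''
            $flag = if ($sensitive -contains $cn) { ' [SENSITIVE]' } else { '' }
            "{0,-7} {1} -> {2}{3}" -f $verb, $c.Member, $c.Group, $flag
        }
    }
} else {
    "No previous baseline found; writing the first one to $baselinePath"
}

$current | Export-Csv -Path $baselinePath -NoTypeInformation
```

Run it on a schedule and keep the old CSVs: the diff output is the change log for group membership, and a line tagged [SENSITIVE] is the one to match against an approved change request.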
For a comprehensive course on how to identify critical controls, validate that the correct controls are in place and validate processes, consider the SANS 6-day course, "Advanced System & Network Auditing". David Hoelzer is the SANS IT Audit Curriculum Lead and the author of several SANS IT Audit-related courses.

Posted April 21, 2010 at 11:56 PM
SSAE 16
Thanks for this info, I'll use it going forward in my audits!