Active Directory can be queried from the command line using PowerShell or the legacy dsquery commands.
PowerShell Active Directory Commands
List all users:
Get-ADUser -Filter *
Find specific user:
Get-ADUser -Identity "username"
Search user by name:
Get-ADUser -Filter "Name -like '*John*'"
List all computers:
Get-ADComputer -Filter *
List all groups:
Get-ADGroup -Filter *
Get domain info:
Get-ADDomain
Get domain controllers:
Get-ADDomainController -Filter *
Enable PowerShell AD Module
If Get-ADUser doesn't work, enable the module:
Windows Server:
Import-Module ActiveDirectory
Windows 10/11: Install RSAT (Remote Server Administration Tools) from Settings > Apps > Optional Features.
Then run:
Import-Module ActiveDirectory
Legacy DSQUERY Commands
Works without the PowerShell module on domain-joined machines.
Find all users:
dsquery user
Find user by name:
dsquery user -name "John*"
Find all computers:
dsquery computer
Find all groups:
dsquery group
Find disabled accounts:
dsquery user -disabled
Find inactive computers (90 days):
dsquery computer -inactive 12
The -inactive value is a number of weeks; 12 weeks is approximately 90 days.
Get Detailed User Info
PowerShell - show all properties:
Get-ADUser -Identity "username" -Properties *
DSGET (legacy):
dsquery user -name "username" | dsget user -display -email -mobile
Find User's Group Memberships
PowerShell:
Get-ADPrincipalGroupMembership -Identity "username"
DSGET:
dsget user "CN=Username,OU=Users,DC=domain,DC=com" -memberof
Find Members of a Group
PowerShell:
Get-ADGroupMember -Identity "GroupName"
DSGET:
dsget group "CN=GroupName,OU=Groups,DC=domain,DC=com" -members
Check if User is Locked Out
PowerShell:
Get-ADUser -Identity "username" -Properties LockedOut | Select-Object Name,LockedOut
Unlock user:
Unlock-ADAccount -Identity "username"
Reset User Password
Set-ADAccountPassword -Identity "username" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "NewPassword123!" -Force)
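The new password in the command above is typed in plain text, so it can be captured in command history or PowerShell logging; treat it as a temporary password.
Force password change at next logon: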
Set-ADUser -Identity "username" -ChangePasswordAtLogon $true
Search for Computer
By name:
Get-ADComputer -Filter "Name -like '*DESKTOP*'"
By operating system:
Get-ADComputer -Filter "OperatingSystem -like '*Windows 11*'" -Properties OperatingSystem
Export Results to CSV
PowerShell:
Get-ADUser -Filter * -Properties DisplayName,EmailAddress | Export-Csv users.csv -NoTypeInformation
Creates a CSV file with user data.
Common Filters
Users created in last 30 days:
$date = (Get-Date).AddDays(-30)
Get-ADUser -Filter "Created -gt '$date'" -Properties Created
Users never logged in:
Get-ADUser -Filter "LastLogonDate -notlike '*'" -Properties LastLogonDate
Computers not logged in for 90 days:
$date = (Get-Date).AddDays(-90)
Get-ADComputer -Filter "LastLogonDate -lt '$date'" -Properties LastLogonDate
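A stale-object report built on the two LastLogonDate filters above, as an added example that is not part of the original page. The function name Get-StaleADObject, the 14-day slack value and the CSV file name are assumptions chosen for illustration; it handles the case the plain -lt filter misses, namely objects that have never logged on.

```powershell
# Added example (not from the original page). Function name, defaults and
# output path are assumptions chosen for illustration.
Import-Module ActiveDirectory

function Get-StaleADObject {
    param(
        [ValidateSet('User', 'Computer')]
        [string]$Type = 'Computer',
        [int]$InactiveDays = 90,
        # lastLogonTimestamp is replicated lazily (up to ~14 days behind),
        # so widen the window instead of flagging recently active objects.
        [int]$ReplicationSlackDays = 14
    )

    $cutoff = (Get-Date).AddDays(-($InactiveDays + $ReplicationSlackDays))
    $props  = 'LastLogonDate', 'whenCreated', 'Enabled'

    # Only enabled objects: disabled ones are already out of use.
    $objects = if ($Type -eq 'User') {
        Get-ADUser -Filter 'Enabled -eq $true' -Properties $props
    } else {
        Get-ADComputer -Filter 'Enabled -eq $true' -Properties $props
    }

    $objects |
        # A plain "LastLogonDate -lt" filter skips objects that never logged
        # on (attribute unset), so test for $null explicitly. Objects created
        # inside the window are left out to avoid flagging new accounts.
        Where-Object {
            $_.whenCreated -lt $cutoff -and
            ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff)
        } |
        Select-Object Name, SamAccountName, Enabled, whenCreated, LastLogonDate,
            @{ Name = 'NeverLoggedOn'; Expression = { $null -eq $_.LastLogonDate } },
            DistinguishedName
}

# Review the CSV before disabling anything.
Get-StaleADObject -Type Computer -InactiveDays 90 |
    Sort-Object LastLogonDate |
    Export-Csv .\stale-computers.csv -NoTypeInformation
```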
Troubleshooting
"Get-ADUser not recognized": Import ActiveDirectory module or install RSAT.
"Unable to contact server": Not on domain network or domain controller unreachable.
"Access denied": Need domain admin or appropriate AD permissions.
DSQUERY returns nothing: Check syntax, ensure domain-joined, verify network connection.
Bottom Line
PowerShell (modern):
Find users: Get-ADUser -Filter *
Find computers: Get-ADComputer -Filter *
Find groups: Get-ADGroup -Filter *
DSQUERY (legacy):
Find users: dsquery user
Find computers: dsquery computer
Find groups: dsquery group
PowerShell is more powerful but requires the ActiveDirectory module. DSQUERY works on domain-joined machines without additional setup.
Both require a domain network connection and appropriate permissions.