How to locate objects in Active Directory

What you’ll learn

Active Directory (AD) objects are the building blocks of an AD network. Each object is an entity that represents a resource on the network, such as a user, a computer, or a printer.

When an AD network is first created, searching for objects is easy. As the network grows, however, finding users or computers manually can become a daunting task. Several tools make locating objects in Active Directory easier. In this article, we look at how to search Active Directory using the dsquery command-line tool and the Find dialogue box.

Searching for objects in AD

Searching for objects becomes necessary for several reasons. You may want to modify the permissions on an OU, for example, or delete a group or a computer that is no longer needed. More often, you will need to search for a user or a computer.

Each object in AD is defined by a set of information called object attributes. For example, a user object has attributes such as First Name, Distinguished Name, and Telephone Number. These attributes provide additional information about the object, and their values are supplied when the object is created. Object attributes can also be used to look up objects and find them easily. Each object has a few attributes that are commonly used to find it in the network.

Every object in Active Directory has a unique distinguished name (DN). If you remember an object's DN, using it is the easiest way to find that object in the network. A distinguished name usually consists of attributes such as the common name (CN), organizational unit (OU), and domain component (DC).

Methods to perform an Active Directory search for objects

There are two methods you can use to perform an object search in Active Directory. They are:

  • Using the DSquery command line tool.
  • Using the Find dialogue box in Active Directory Users and Computers console.

1. Using the DSquery command line tool

Dsquery is a command-line search tool. It first came built in with Windows Server 2008. To perform an Active Directory lookup using dsquery, you must have the Active Directory Domain Services (AD DS) server role installed. The tool must be run from an elevated Command Prompt. To open an elevated command prompt:

  • Click Start, and find the Command Prompt tool.
  • Right-click on the tool, and click Run as Administrator.

After the Command Prompt window opens, you can find users, contacts, and groups, or any object you want using certain commands. Here is a list of commands, and what they are used for:

  • Dsquery user – To find a user object using specified parameters
  • Dsquery contact – To find a contact object using specified parameters
  • Dsquery group – To find a group object using specified parameters
  • Dsquery computer – To find a computer object using specified parameters
  • Dsquery OU – To find an OU using specified parameters
  • Dsquery site – To find a site using specified parameters
  • Dsquery subnet – To find a subnet using specified parameters
  • Dsquery server – To find a server using specified parameters
  • Dsquery partition – To find partition objects using specified parameters
  • Dsquery quota – To find quota specifications using specified parameters
  • Dsquery * – To find any object using a generic LDAP query and the specified parameters
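
The commands above in use, as an added example that is not part of the original article. The domain example.com, the Sales OU, the name pattern and the week/day thresholds are constructed placeholders; the last command assumes the country name is stored in the co attribute, and expresses as an LDAP filter the same United States search that the Custom Search section performs in the GUI.

```bat
@echo off
rem Added example: run from an elevated Command Prompt on a machine with AD DS tools.
rem example.com, OU=Sales and all thresholds below are constructed placeholders.

rem Users whose name starts with "John", searched from the domain root.
dsquery user domainroot -name "John*"

rem Narrow the search to one OU by giving its DN as the start node.
rem -o samid prints the SAM account name instead of the full DN.
rem -limit raises the default cap of 100 returned objects.
dsquery user "OU=Sales,DC=example,DC=com" -scope subtree -o samid -limit 200

rem Account hygiene checks: disabled users, users with passwords unchanged
rem for 90 days, and computers inactive for 8 weeks. -limit 0 removes the cap.
dsquery user domainroot -disabled -limit 0
dsquery user domainroot -stalepwd 90 -limit 0
dsquery computer domainroot -inactive 8 -limit 0

rem Generic LDAP query: user objects whose country is "United States"
rem (assumes the country name is held in the co attribute).
rem -attr selects which attributes are printed for each match.
dsquery * domainroot -filter "(&(objectCategory=person)(objectClass=user)(co=United States))" -attr sAMAccountName distinguishedName -limit 0
```

By default dsquery returns at most 100 objects, so an audit-style search without -limit can silently miss entries in a large directory.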

2. Using the Find dialogue box in Active Directory Users and Computers console

An alternative way to look up objects is to use the Find function in Active Directory Users and Computers (ADUC). The Find box is located in the console’s toolbar, and clicking it opens the Find Users, Contacts, and Groups dialogue box. Let’s take a look at how you can use the Find box for an AD search.

Once the Find Users, Contacts, and Groups dialogue box is open, select the type of object you want to find from the Find: box. Then choose the container in which to search for the object by clicking the Browse… button. You can search the entire AD network if you’re unsure which container the object is located in. However, if the AD network is big, it will be easier to find users and computers if the search is narrowed down to a specific container. After the object type is chosen, you will find fields where you can enter keywords related to the object. For example, if the object type is User, you will have fields like name and description. If it is a computer object, you will have fields such as the computer name and computer owner.

Once the keywords are entered, hit Find Now. The results will be displayed at the bottom of the same dialogue box under Search results.

3. Using Custom Search

You can also use the Custom Search option to search for objects using specific criteria. Under the list of options in the Find field, choose the Custom Search option. You will be provided with several fields.

For example, suppose you want to find a specific user from the country of the United States. Here’s how to perform the search:

  • Click the Field button, and then select User -> Country.
  • Select the condition type as Is, and type United States as the value.
  • You can add more fields if you want to narrow down the search further.
  • Click on Find Now.

The search results will be displayed in the bottom part of the dialogue box.
