Displays the properties of a group in the directory, including its members. There are two variations of this command. The first variation allows you to view the properties of multiple groups. The second variation displays the group membership information of a single group.

Dsget is a command-line tool that is built into Windows Server 2008. It is available if you have the AD DS server role installed. To use dsget, you must run the dsget command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

dsget group <GroupDN> [-dn] [-samid] [-sid] [-desc] [-secgrp] [-scope] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}] [-part <PartitionDN> [-qlimit] [-qused]]
dsget group <GroupDN> [{-memberof | -members}] [-expand] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

Parameters

Parameter Description

<GroupDN> (first variation)

Required. Specifies the distinguished names of the group objects that you want to view. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command. Compare this parameter with GroupDN in the second variation.

-dn

Displays that distinguished names of the groups.

-samid

Displays the Security Account Manager (SAM) account names of the groups.

-sid

Displays the group security IDs (SIDs).

-desc

Displays the descriptions of the groups.

-secgrp

Displays whether groups are security groups (yes) or distribution groups (no).

-scope

Displays information about whether group scopes are local, global, or universal.

<GroupDN> (second variation)

Required. Specifies the distinguished name of the group that you want to view.

{-memberof | -members}

Displays the immediate list of groups of which the group is a member (-memberof) or displays the immediate list of members of the group (-members).

-expand

For the -memberof parameter, displays the recursively expanded list of groups in which the group is a member. This option takes the immediate membership list of the group, and then also recursively expands each group in this list to determine its group memberships to arrive at a complete closure set of the groups.

For the -members parameter, displays the recursively expanded list of members of the group. This parameter takes the immediate list of members of the group and then also recursively expands each group in this list to determine its group memberships to arrive at a complete closure set of the members.

{-s <Server>| -d <Domain>}

Connects to a remote server or domain that you specify. By default, dsget connects the computer to the domain controller in the logon domain.

-u <UserName>

Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:

  • user name (for example, Linda)

  • domain\user name (for example, widgets\Linda)

  • user principal name (UPN) (for example, Linda@widgets.contoso.com)

-p {<Password> | *}

Specifies to use either a password or an asterisk (*) to log on to a remote server. If you type *, dsget prompts you for a password.

-c

Reports errors, but continues with the next object in the argument list when you specify multiple target objects (continuous operation mode). If you do not supply this parameter, dsget group exits when the first error occurs.

-q

Suppresses all output to standard output (quiet mode).

-l

Displays entries in a list. By default, dsget display entries in a table.

{-uc| -uco| -uci}

Specifies that dsget formats output or input data in Unicode. The following table shows each format.

Value Description

-uc

Specifies to use the Unicode format for input from or output to a pipe (|).

-uco

Specifies to use the Unicode format for output to a pipe (|) or a file.

-uci

Specifies to use the Unicode format for input from a pipe (|) or a file.

-part <PartitionDN>

Connects a computer to the directory partition with the distinguished name of PartitionDN.

-qlimit

Displays the effective quota of the group within the directory partition that you specify for the -part parameter.

-qused

Displays how much of its quota a group has used in the directory partition that you specify for the -part parameter.

/?

Displays help at the command prompt.

Remarks

  • If you do not supply a target object at the command prompt, dsget obtains the target object from standard input (stdin). Dsget can accept stdin from the keyboard, from a redirected file, or as piped output from another command. To mark the end of stdin data from the keyboard or in a redirected file, use the end-of-file character (CTRL+Z)..

  • Use dsget to view the properties of a specific object in the directory.

  • As a result of dsquery searches, you can pipe returned objects to dsget and obtain object properties.

  • If a value that you supply contains spaces, use quotation marks around the text, for example, "CN=USA Sales,OU=Distribution Lists,DC=Contoso,DC=Com".

  • If you supply multiple values for a parameter, use spaces to separate the values, for example, a list of distinguished names.

Examples

To display the descriptions of all groups in an organizational unit (OU) named Test whose names start with "adm," type:

dsquery group OU=Test,DC=Contoso,DC=Com -name adm* | dsget group -desc

To display the list of members, recursively expanded, of the Backup Operators group, type:

dsget group "CN=Backup Operators,OU=Test,DC=Contoso,DC=Com" -members -expand