Beyond Net User – Part 2: DS Commands

By Tim Medin | February 6, 2018

In the previous post we discussed some of the limitations of the Net commands, most notably that the output is limited (it doesn’t show all groups) and that they don’t allow for flexible searching. In this post we’ll discuss the DS commands to get around these limitations.

DSGet, DSQuery, DS*

While these tools are useful, they aren’t always available. As a pen tester and red teamer, I have to live with what I can find on the systems I come across. I find that these tools are still more widespread than the latest PowerShell Active Directory cmdlets, at least on non-system administrator systems. Here is a useful Stack Overflow post on the subject.

Recursive Searches

In the last post, we discussed a limitation in net group in that it doesn’t show groups in other groups. The DS commands do! As a reminder, let’s take a look at what we saw with net group when looking at the list of domain administrators.

Now let’s do the same search, but use dsquery and dsget.

dsquery group -name "Domain Admins" | dsget group -expand -members

This shows us all the good stuff in the group, including the groups and users in those groups no matter how far down they are! Recursion FTW!
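
To make the difference concrete, here is an added example (not from the original post, and not how dsget is implemented) that models first-level listing versus recursive expansion over a small constructed directory. All group and account names are invented for illustration, and the circular nesting is included deliberately because it is the case a naive recursive audit script gets wrong.

```python
from collections import deque

# Constructed directory: group -> direct members. All names are invented.
DIRECTORY = {
    "Domain Admins": ["Administrator", "Server Admins", "svc_backup"],
    "Server Admins": ["alice (admin)", "Tier0 Operators"],
    "Tier0 Operators": ["bob (admin)", "Server Admins"],  # circular nesting
}

def direct_members(group, directory=DIRECTORY):
    """What a non-recursive listing reports: first-level members only."""
    return list(directory.get(group, []))

def expand_members(group, directory=DIRECTORY):
    """Transitive membership: every user and group reachable from `group`.

    Returns {member: nesting depth}. The `seen` set stops circular
    nesting from looping forever.
    """
    depth = {}
    seen = {group}
    queue = deque([(group, 0)])
    while queue:
        current, level = queue.popleft()
        for member in directory.get(current, []):
            if member in seen:
                continue
            seen.add(member)
            depth[member] = level + 1
            if member in directory:  # the member is itself a group
                queue.append((member, level + 1))
    return depth

def hidden_users(group, directory=DIRECTORY):
    """Users who hold the group's rights only through nesting."""
    direct = set(direct_members(group, directory))
    return sorted(m for m in expand_members(group, directory)
                  if m not in directory and m not in direct)

if __name__ == "__main__":
    members = expand_members("Domain Admins")
    for name, level in sorted(members.items(), key=lambda kv: (kv[1], kv[0])):
        kind = "group" if name in DIRECTORY else "user"
        print(f"{'  ' * (level - 1)}{name} [{kind}] depth={level}")
    print("Only visible with expansion:", hidden_users("Domain Admins"))
```

When auditing privileged groups, the accounts returned by `hidden_users` are the ones a first-level listing leaves out.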

Flexible Searches

Some organizations will append or prepend text to the username or display name for administrative, privileged, or service accounts. The dsquery command allows us to search for these accounts using a more flexible search. The command below will search for users with “(admin)” in the display name.

dsquery user -name *(admin)*

We can also search based on the username with -samid.

dsquery user -samid *admin*

You can find more search methods by looking at dsquery user /?.

These searches are MUCH better than what we get with just net user.


One of the nicest features of the DS commands is that they work well together on the pipeline. I can take the previous “(admin)” search and pipe it into dsget user to get a better look at the user information.

We can get the memberships of each of them by adding two options: -memberof -expand

As you can see these commands are quite powerful and are a significant upgrade from net user.
