A number of my scripts leverage attributes found within an object's Active Directory record. I used to reach for either dscl or Apache Directory Studio, as per this article on JAMFNation, in order to view this information when investigating my scripts.
However, since 10.7 (I think), I have more often found myself using Directory Utility to perform this task. The below is a quick run-through of how to use it for this.
You'll need to run the below on a Mac bound to an AD domain. Directory Utility then needs to be launched, either via the Users & Groups pane in System Preferences (called Accounts on 10.6 and earlier) or via the app bundle in /System/Library/CoreServices/.
Once opened, click "Directory Editor".
Then change the node drop-down to your AD domain.
In the search field, you can enter an object's details and search for it on the domain. Once you find the object you have been searching for, select it; you will then see the object's attributes.
Once you've found the attribute you are looking for, selecting it shows its value in the lower pane.
Above I have selected the UniqueID attribute of an AD user object. To get the same attribute via dscl you can try something like the below.
Replace <Domain Node Name> with the node name shown in the node drop-down, and <username> with the username of the user you would like to test with.
dscl '<Domain Node Name>' -read /Users/<username> | grep "UniqueID:"
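The grep above works for attributes that dscl prints on one line, but dscl wraps multi-valued and some multi-line values (memberOf, RealName with spaces, and so on) onto following lines indented by a single space, which a grep for "Attribute:" misses. The script below is an added example, not code from the original post: it parses a dscl record properly, and wraps the lookup in a function that asks dscl for just the one attribute (dscl's -read accepts attribute names after the record path). The node name and user in the comments are placeholders, and the sample record is constructed to match dscl's output format so the parser can be run on a Mac that isn't bound to a domain.

```shell
#!/bin/sh
# Added example (not from the original post): read one attribute out of
# `dscl ... -read` output, handling both value layouts dscl produces.
#
# dscl prints a single-line value as "Attribute: value", but emits
# multi-valued or multi-line values as a bare "Attribute:" header followed
# by one value per line, each indented by a single space. A plain
# `grep "Attribute:"` only catches the first layout; this walks the record.

# dscl_attr <attribute>   (dscl record on stdin)
# Prints each value of the attribute on its own line; exits 1 if absent.
dscl_attr() {
    awk -v attr="$1" '
        # Header line of the wanted attribute: "Attr: value" or bare "Attr:"
        index($0, attr ":") == 1 {
            found = 1
            val = substr($0, length(attr) + 2)   # everything after "Attr:"
            sub(/^ /, "", val)
            if (val != "") print val
            next
        }
        # Continuation lines (one value each) are indented by one space
        found && /^ / { sub(/^ /, ""); print; next }
        # Any other line ends the attribute block
        found { exit }
        END { if (!found) exit 1 }
    '
}

# ad_user_attr <node> <username> <attribute>
# <node> is the name shown in Directory Editor's node drop-down (e.g.
# "/Active Directory/EXAMPLE/All Domains", a placeholder here). Asking dscl
# for a single attribute avoids pulling and then grepping the whole record.
ad_user_attr() {
    dscl "$1" -read "/Users/$2" "$3" | dscl_attr "$3"
}

# Constructed sample record in dscl's output format (no real directory
# data), used so the parser can be exercised offline.
SAMPLE_RECORD='RecordName: jdoe
RealName:
 Jane Doe
UniqueID: 1234567890
PrimaryGroupID: 1234567891
dsAttrTypeNative:memberOf:
 CN=Mac Admins,OU=Groups,DC=example,DC=com
 CN=VPN Users,OU=Groups,DC=example,DC=com
UserShell: /bin/bash'

# Stand-alone demo on the sample record. A live lookup would look like:
#   ad_user_attr "/Active Directory/EXAMPLE/All Domains" jdoe UniqueID
printf '%s\n' "$SAMPLE_RECORD" | dscl_attr UniqueID
printf '%s\n' "$SAMPLE_RECORD" | dscl_attr dsAttrTypeNative:memberOf
```

Native AD attributes that Directory Utility shows under their LDAP names appear in dscl output prefixed with dsAttrTypeNative:, which is why the memberOf lookup above uses that form.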
7 thoughts on “Using Directory Utility To View An AD Objects Attributes”
This is super duper handy, thanks!
Do you know of a way to check the expiration of an AD password using this utility… or any Mac utility at all? The only way I've been able to so far is to fire up my VM and use the Account Lockout tool. Is there an equivalent for Macs?
Do you want to see password expiry on the user's Mac or remotely?
If it's the user's Mac, then ADPassMon, and the v2 fork I did, will accomplish that.
Not sure of any app that can be used remotely.
Remotely, I suppose. Some way to query AD to see what the user’s password status is. The Account Lockout tool on Windows will show bad password attempts and when a password was set (as well as how long until it expires). What I’m trying to figure out is how to see that information on my Mac without having to launch my Windows VM to do it. So far it seems impossible.
MacMule, I've noticed that both dscl and the OS X Directory Utility will not return more than 1000 objects from a given AD domain. Do you know if there is a workaround for this? We have over 1000 users and I'm trying to enumerate them all in a script. Thanks in advance.
Nope. Never found a workaround, I'm afraid. You'll need to paginate in your script somehow.