Windows IT Pro is the authoritative and independent resource for Windows NT, Windows 2000, Windows 2003, and Windows XP. It features a collection of resources and magazines for Windows IT professionals.
  
  


October 2004

5 Must-Have AD Tools

These new and improved tools await your every command

When Windows 2000 Active Directory (AD) first came out, it revolutionized the world of directory services. However, there were few command-line tools to manage AD. Fortunately, since the release of Windows Server 2003, Microsoft and third-party resources have developed new tools and updated existing tools that improve the manageability of AD. Five tools--AdFind, AdMod, OldCmp, Dsrevoke, and AdRestore--are considered must-haves by command-line aficionados. These tools are beefed up and ready for action in your AD environment.

Even if you prefer a GUI to a command-line interface, it's important to understand the capabilities of these five command-line tools. In many cases, there are no GUI alternatives to accomplish the tasks that these tools perform. Another great benefit of being conversant with these tools is that you can use basic batch files to direct their efforts. Wouldn't you like these tools to automatically perform their duties while you take care of other business? You can make it happen with command-line tools. For example, you can use a simple two-line batch script that prompts OldCmp to automatically clean up inactive computer accounts and email you the results.

Let me show you how to use AdFind, AdMod, OldCmp, Dsrevoke, and AdRestore in your AD environment so that you can become more efficient in your daily work. All five tools are free. And, unless I point out otherwise, they all work in both Win2K and Windows 2003 domains.

AdFind
AdFind has been out for a while but has recently been beefed up with some helpful features. AdFind is simply the best command-line tool available for querying AD--it's kind of like Windows 2003's Dsquery command on steroids.

Joe Richards, an AD expert who happens to know a bit about programming, developed AdFind. He has also written a slew of other cool utilities (aka Joeware), including AdMod and OldCmp. You'll find AdFind, AdMod, and OldCmp on his Web site at http://www.joeware.net. After you enter the site, click the Free Win32 C++ Based Tools link.

AdFind has numerous options--too many to cover here. So, I'll cover only the commonly used options. To get a complete list of options, simply run the command

adfind /?

One popular option is the -b option, which you can use to specify the base distinguished name (DN) from which to start a search. If you use this option by itself, AdFind displays the attributes of the object represented by the base DN plus the attributes of any objects contained under the base DN.

AdFind supports all the standard Lightweight Directory Access Protocol (LDAP) query options you might expect. You can use the -f option to specify a Request for Comments (RFC) 2254-compliant LDAP filter and the -s option to specify the scope of the search. To display certain attributes for an object, you can specify those attributes in a space-separated list at the end of the command. (By default, AdFind displays all attributes that have values.)

For example, suppose that in the Workstations organizational unit (OU), you want to find computer objects whose name begins with rallen. For each computer object found, you want AdFind to display the values of the name and whenCreated attributes. You'd use the command

adfind -b "ou=workstations,
dc=rallencorp,dc=com" -f "(&(objectcategory=computer)
(name=rallen*))"
name whenCreated

(Although this command appears on several lines here, you would enter it on one line in the command-shell window. The same holds true for the other multiline commands in this article.) Figure 1 shows sample results from this command.

You can use the -h option to target specific domain controllers (DCs) and the -gc option to query the Global Catalog (GC). If you need to authenticate with credentials other than the credentials with which you logged on, you use the -u and -up options to specify the username and password, respectively. If you want the base DN to be the default naming context of the root domain, the default naming context of the default domain, the configuration naming context, or the schema naming context, you can use the -root, -default, -config, or -schema options, respectively. If you use one of these options, you don't need to use the -b option. For example, the following command queries the GC under the forest root domain tree for all groups whose name starts with HR:

adfind -gc -root
  -f "(&(objectcategory=group)
  (name=HR*))" name
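
Both queries above hard-code the name prefix. When a script supplies that value from a variable, the value has to be escaped as RFC 2254 requires before it goes into the -f filter, or a name containing ( ) * or \ changes what the filter matches. The following Python is an added example, not code from the article or from joeware; the helper names are hypothetical and it assumes adfind is on PATH.

```python
import subprocess

# RFC 2254 section 4: inside an assertion value these characters are written
# as a backslash followed by their two-digit hex code.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape one value so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def prefix_filter(object_category, name_prefix):
    """Build (&(objectcategory=X)(name=PREFIX*)), the filter shape used above.

    The trailing * is the only wildcard and is added here, never taken from input.
    """
    if not name_prefix:
        raise ValueError("an empty prefix would match every object in the category")
    return "(&(objectcategory={})(name={}*))".format(
        escape_filter_value(object_category), escape_filter_value(name_prefix))


def adfind_args(base_options, object_category, name_prefix, attributes):
    """Return the argv list: adfind <base options> -f <filter> <attributes...>."""
    return (["adfind"] + list(base_options)
            + ["-f", prefix_filter(object_category, name_prefix)]
            + list(attributes))


def run_adfind(args):
    """Run AdFind (assumed to be on PATH) without a shell, so cmd.exe never
    re-parses the &, ( and ) in the filter. Uses the logged-on credentials."""
    return subprocess.run(args, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed inputs: the article's workstation query, and a group name
    # prefix that contains parentheses.
    print(adfind_args(["-b", "ou=workstations,dc=rallencorp,dc=com"],
                      "computer", "rallen", ["name", "whenCreated"]))
    print(adfind_args(["-gc", "-root"], "group", "HR (EMEA)", ["name"]))
```

Passing the argument list straight to the process also removes the need to quote the filter for the command shell.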

The features I've covered so far are standard in just about any LDAP query tool. But AdFind doesn't stop there. Here are some additional features AdFind offers:

  • You can sort or reverse sort the output based on the value of an attribute with the -sort and -rsort options, respectively.
  • You can display deleted objects with the -showdel option.
  • You can display how long a query takes to complete with the -elapsed option.
  • You can decode Large Integer, time-based attribute values with the -tdc option.

One of my favorite features of AdFind is its ability to display a query's Search Stats output. Search Stats is an LDAP control that returns various performance statistics about the query. For example, the following command displays the Search Stats information about my previous HR query, except this time I'm querying the GC under the default domain:

adfind -stats+only -default -gc
  -f "(&(objectcategory=group)
  (name=HR*))" name

Figure 2 shows the sample Search Stats output from this command. This information can be extremely useful when you need to debug a particular query or determine how efficient it is. The Search Stats output will include the hit rate of the query (i.e., the number of objects found versus the number of objects looked at), the indexes used, and the expanded query filter. Search Stats returns query information only for Windows 2003 domains.



Reader Comments
These seem like very useful tools! Where can we find them?

AFSCrmoore October 05, 2004


Would have been better with a link to the tools mentioned. Here's a link I found elsewhere http://www.joeware.net/win/free/index.htm

jtk174 October 19, 2004


Superb!

jdalbera October 27, 2004


ADRestore saved my Ass.

stuckeya December 02, 2004


Seems the site www.joeware.net is down. Is there another site to download the tools?

umsgrad97 January 10, 2005


Learning Path
If you found the five command-line tools interesting and you want to learn about other useful command-line tools for Windows 2003 and Win2K, check out these articles:
“AD Tools for the Shell Script Writer”

“Command-Line Scripting Tools in Windows 2003”

“Take Command of Your Management Tasks”

“Win2K and NT Download Sites”

“Win2K Command-Line Utilities”


If you found the five command-line tools interesting but had trouble understanding the batch files, check out the following tutorials on Windows shell scripting:
“Shell Scripting 101” (Access all 10 lessons in this series from this article.)

“Getting Started in NT Shell Scripting, Part 1”

“Getting Started in NT Shell Scripting, Part 2”

