In this chapter, we will discuss Active Directory modification tools in detail. These tools allow administrators to find necessary directory objects and edit their attribute values; manipulate various domain objects (computer account, domain trusts, secure channels, etc.); export specified objects to a file, and import (create) objects from a file in the same or another domain. All listed operations can be performed with either a single directory object or a number of objects.
Since Active Directory may contain a huge number of directory objects and have a complex domain structure, an administrator needs a way to locate the necessary objects quickly and view (or edit) their attributes. The following facilities can be used for that purpose.
The search option of Active Directory client software (built-in features of Windows 2000/XP/.NET, or the Active Directory Client Extension, DSClient, which can be installed on earlier Windows platforms). The Find window allows you to look for standard objects (users, groups, computers, etc.) as well as to use common and custom queries. (See the "Configuring Search Option on a Client Computer" section in Chapter 8, "Common Administrative Tasks.")
Active Directory Users and Computers snap-in — this snap-in has a Filter option that allows you to narrow the scope of viewed objects. The Find option allows you to locate and select objects for manipulation within a domain as well as in the entire forest (since it is able to work with the Global Catalog). Moreover, the Windows .NET version of that snap-in introduces Saved Queries, which allow the administrator to work with defined sets of selected directory objects. (The snap-in was discussed in Chapter 7, "Domain Manipulation Tools.")
AdsVw.exe and Ldp.exe (ADSI SDK and Support Tools) — these powerful tools allow you to compose complex queries and apply them to a domain as well as to the entire forest. AdsVw.exe can open a number of query windows simultaneously. (Both of these tools are described later in this chapter.)
DsQuery.exe and DsGet.exe — the standard Windows .NET tools (they do not work on Windows 2000 systems!) that use the LDAP protocol (therefore, they can query both Windows 2000- and Windows .NET-based domains) and can find directory objects of various types as well as display their attributes. Search operations can be performed within a single domain or entire forest.
Search.vbs — a script from the Support Tools pack. It can search within a single domain and works with the LDAP provider only.
Windows Domain Manager (NetDom.exe) (Support Tools) — can display specific information about domains (FSMO role owners, trusts, etc.) as well as perform modifications.
The Search.vbs script is a simple, handy tool that allows you to retrieve the attributes of the specified objects. By default, the script displays the ADsPaths of the children of the object specified by its distinguished name. These child objects may be of any type.
Administrators or any other users may use the script on any Windows platform, provided that the Windows Scripting Host (WSH) and ADSI (supplied by DSClient on pre-Windows 2000 systems) are installed. This makes it unique among the tools listed, since the other search tools require Windows 2000/XP/.NET.
Caution: The Search.vbs script does not display certain object attributes, such as objectGUID, objectSID, lastLogon (these are attributes of "complex" types, such as OctetString, LargeInteger, etc.), and some others. What is worse, the script has an internal bug, which sometimes produces erroneous output when such attributes are included in the returned attribute list (for instance, a search for a user's objectSID, lastLogon, and cn attributes). Analyzing the listing of the script will help you to better understand the methods of retrieving data of various types (see also Chapter 16, "Active Directory Service Interfaces (ADSI)") while composing your own scripts.
The script outputs the data found as a sequence of lines in the following format:
attributeName object# [=] propertyValue
If the script cannot display a property value, it outputs only the first two components, e.g., objectSID 1. If a property has an empty value or is not defined, the "=" character is added, e.g., description 1 =.
A few examples of using Search.vbs are presented below.
Suppose you want to verify whether a known GUID really belongs to a directory object, or you want to check the name of this object. You may use the following command:
C:\>search "LDAP://<GUID=075f1790071a854d82ee5556c3a11d64>" /S:base
The resulting output will be similar to:
<LDAP://<GUID=075f1790071a854d82ee5556c3a11d64>>; (ObjectCategory=*); ADsPath; base
Finished the query. Found 1 objects.
ADsPath 1 = LDAP://OU=Staff, DC=net, DC=dom
You may also widen the scope of the search (i.e., use the /S:oneLevel or /S:subTree parameter to get the names of the base object's children), or request output of additional attributes with the /P: parameter.
Note: If the object's name is all you want to know, you may also use the Guid2obj.exe utility from the Windows 2000 Resource Kit. You should provide the object GUID as a parameter, and the tool will retrieve the distinguished name of the object from the nearest global catalog server.
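The caution above says Search.vbs cannot display OctetString and LargeInteger attributes, and the GUID example above binds to an object through the raw hex form of its objectGUID. The following added example (it is not part of the original page or of the Support Tools) shows how those three raw encodings are decoded so that you can recognise the values when you retrieve them yourself: the hex string in an LDAP://<GUID=...> bind path is the 16 objectGUID bytes in storage order, whose first three fields are little-endian, so it differs from the {xxxxxxxx-xxxx-...} form shown in snap-ins and accepted by Guid2obj.exe; objectSID is a revision byte, a sub-authority count, a 6-byte big-endian authority and little-endian 32-bit sub-authorities; lastLogon is a FILETIME (100-ns ticks since 1601-01-01 UTC), which ADSI exposes as an IADsLargeInteger with HighPart and LowPart. The GUID string is the one from the text; the SID and timestamp sample values are constructed for illustration and do not come from any real directory.

```python
"""Decode the raw Active Directory attribute encodings that Search.vbs cannot
display: objectGUID (as used in LDAP://<GUID=...> paths), objectSID and
lastLogon. Sample values are constructed; only the GUID string comes from the
text above. This is an added illustration, not code from the Support Tools."""
import struct
import uuid
from datetime import datetime, timedelta, timezone


def guid_path_to_uuid(hexstr: str) -> uuid.UUID:
    """The 32 hex digits in LDAP://<GUID=...> are the 16 objectGUID bytes in
    storage order; the first three fields are little-endian, so the canonical
    {xxxxxxxx-xxxx-xxxx-...} form needs them byte-swapped."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != 16:
        raise ValueError("objectGUID must be 16 bytes")
    return uuid.UUID(bytes_le=raw)


def uuid_to_guid_path(guid: uuid.UUID, base: str = "LDAP://") -> str:
    """Inverse: build the bind string that ADSI (and Search.vbs) accept."""
    return f"{base}<GUID={guid.bytes_le.hex()}>"


def sid_to_string(raw: bytes) -> str:
    """Binary SID layout: revision(1) count(1) authority(6, big-endian),
    then `count` sub-authorities, each 4 bytes little-endian."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def string_to_sid(text: str) -> bytes:
    """S-1-5-21-... text form back to the binary form stored in objectSID."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value: int):
    """lastLogon, pwdLastSet and accountExpires hold 100-ns ticks since
    1601-01-01 UTC. 0 means no value recorded (never logged on); the maximum
    positive value in accountExpires means "never expires". Both map to None."""
    if value <= 0 or value == 0x7FFFFFFFFFFFFFFF:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def largeinteger_parts_to_int(high: int, low: int) -> int:
    """Combine IADsLargeInteger.HighPart/LowPart as ADSI returns them in
    scripts. LowPart arrives as a signed 32-bit value; treat it as unsigned."""
    return (high << 32) | (low & 0xFFFFFFFF)


# Sample values. The GUID is the one from the text; the SID bytes are the
# well-known BUILTIN\Administrators SID (S-1-5-32-544) written out by hand,
# and the timestamp is the FILETIME of 1970-01-01 00:00:00 UTC.
SAMPLE_GUID_PATH = "075f1790071a854d82ee5556c3a11d64"
BUILTIN_ADMINS_SID = bytes.fromhex("0102000000000005" "20000000" "20020000")
UNIX_EPOCH_FILETIME = 116444736000000000

if __name__ == "__main__":
    g = guid_path_to_uuid(SAMPLE_GUID_PATH)
    print("objectGUID:", "{%s}" % str(g).upper())
    print("bind path :", uuid_to_guid_path(g))
    print("objectSID :", sid_to_string(BUILTIN_ADMINS_SID))
    print("lastLogon :", filetime_to_datetime(UNIX_EPOCH_FILETIME))
    print("lastLogon 0 ->", filetime_to_datetime(0))
```

Running the block prints {90175F07-1A07-4D85-82EE-5556C3A11D64} for the GUID in the text, which is the form you would pass to Guid2obj.exe or see in a snap-in; the two GUID spellings refer to the same object, and confusing them is the usual reason a <GUID=...> bind fails. Note that a zero lastLogon is a legitimate value (the account has never logged on at this domain controller), not a missing attribute.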
Sometimes it is necessary to know which policies (GPOs) exist in a domain and under which names they appear in the administrative snap-ins. You could look up the value of the displayName attribute for each policy object in the CN=Policies, CN=System subtree of the domain container. However, it is much faster to use Search.vbs. The query might look like this:
search "LDAP://DC=net,DC=dom" /C:(objectClass=GroupPolicyContainer) /S:subtree /P:cn,displayName
Possible resulting output:
<LDAP://DC=net, DC=dom>; ((objectClass=GroupPolicyContainer)); cn, displayName; subtree
Finished the query. Found 5 objects.
cn 1 = {31B2F340-016D-11D2-945F-00C04FB984F9}
displayName 1 = Default Domain Policy
cn 2 = {6AC1786C-016F-11D2-945F-00C04fB984F9}
displayName 2 = Default Domain Controllers Policy
cn 3 = {9EFADC61-8833-4970-9CE3-AF705E197908}
displayName 3 = NET-Site GPO
cn 4 = {3DE99CCC-C0F6-4F21-BE9C-E6D3F7EB6370}
displayName 4 = ADMINs OU's GPO
cn 5 = {55EAC8BC-D3C7-4B11-AA00-ECB7620A7FB9}
displayName 5 = COMPs OU's GPO
As you can see, there are three additional GPOs (one for the site and two for OUs) in the domain, besides the two default ones.
The same operation could be done on a Windows .NET system using the following command (by default dsquery searches the current domain with subtree scope and returns at most 100 objects; add -limit 0 to get all matches):
dsquery * -filter "(objectClass=groupPolicyContainer)" -attr cn displayName