Querying is a commonly used operation in network directories, and Active Directory is not an exception. Active Directory may contain a huge number of objects, whose precise locations are frequently unknown. Querying the directory rather than browsing the directory tree is preferable for both users and administrators. Users of AD-based domains have the following instruments (some of them are available to all clients, including down-level systems, and others only work on Windows 2000/XP/.NET systems) which assist the user in finding one or more objects in Active Directory:
Built-in search features (see the next section) — the most convenient way for a user to find a shared folder or printer, user, group, or other common directory object. All other tools are intended for administrators.
DsQuery.exe and Dsget.exe — the standard Windows .NET command-line search utilities (see Chapter 12, "Manipulating Active Directory Objects").
The ADSI Edit snap-in (from the Support Tools) — using this tool, an administrator can create powerful queries and modify objects in all directory partitions (see Chapter 7, "Domain Manipulation Tools").
The Search.vbs script (from the Support Tools) — the simplest query tool that uses the LDAP protocol. It can be used on any Windows platform (see Chapter 12).
Active Directory Administration Tool (Ldp.exe from the Support Tools) and Active Directory Browser (AdsVw.exe from ADSI SDK) — complicated administrative tools that also allow an administrator to browse through the directory tree and modify objects. Ldp.exe uses the LDAP protocol and is the only tool that can retrieve deleted objects. AdsVw.exe uses both LDAP and WinNT protocols, and works with AD-based (Windows 2000 and Windows .NET) and Windows NT domains (see Chapter 12).
The Guid2obj.exe utility (from the Windows 2000 Resource Kit) — a specialized tool that can determine the distinguished name of an object from its GUID.
Most of the listed tools require a good understanding of LDAP filter syntax. Only then will you be able to quickly and precisely find or choose the necessary objects.
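To illustrate the filter syntax these tools expect, here is a small evaluator for LDAP search filters (RFC 2254 style: the &, | and ! operators, attr=value, the presence test attr=*, and substring wildcards) run against a few constructed Active Directory-like objects. This is example code added to this section, not code from the book or from any of the tools named above; the sample objects and their attribute values are made up.

```python
import re

OBJECTS = [  # constructed sample objects; values are illustrative, not from any real domain
    {"cn": "Alice", "objectClass": ["top", "person", "user"], "mail": "alice@example.test"},
    {"cn": "Domain Admins", "objectClass": ["top", "group"], "member": ["CN=Alice"]},
    {"cn": "HP LaserJet", "objectClass": ["top", "printQueue"], "printerName": "HP LaserJet"},
    {"cn": "Bob", "objectClass": ["top", "person", "user"]},  # no mail attribute
]

def parse(s, i=0):
    """Parse the filter starting at s[i] (must be '('); return (tree, index after it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":                      # compound filter: (&...), (|...), (!...)
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            child, i = parse(s, i)
            children.append(child)
        if s[i] != ")" or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed {op!r} filter at offset {i}")
        return (op, children), i + 1
    end = s.index(")", i)                  # simple item: attr=value (escape sequences not handled)
    attr, eq, value = s[i:end].partition("=")
    if not attr or eq != "=":
        raise ValueError(f"bad filter item {s[i:end]!r}")
    return ("=", attr, value), end + 1

def matches(tree, obj):
    """Evaluate a parsed filter against one object; attribute names are case-insensitive."""
    if tree[0] == "&":
        return all(matches(c, obj) for c in tree[1])
    if tree[0] == "|":
        return any(matches(c, obj) for c in tree[1])
    if tree[0] == "!":
        return not matches(tree[1][0], obj)
    _, attr, value = tree
    raw = [v for k, v in obj.items() if k.lower() == attr.lower()]
    values = [x for v in raw for x in (v if isinstance(v, list) else [v])]
    if value == "*":                       # presence test: the attribute has any value
        return bool(values)
    pattern = ".*".join(re.escape(p) for p in value.lower().split("*"))  # '*' = any substring
    return any(re.fullmatch(pattern, str(v).lower()) for v in values)

def search(filter_text, objects=OBJECTS):
    """Return the cn of every object the filter selects, in directory order."""
    tree, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after the filter")
    return [o["cn"] for o in objects if matches(tree, o)]
```

For instance, search("(&(objectClass=user)(!(mail=*)))") returns the users that have no mail attribute, the same selection DsQuery or Ldp.exe would make with that filter against a real domain.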
By default, users — those who are aware of this option — can search Active Directory for various objects by using the Find command from the context menu of a domain displayed in the Directory folder (in My Network Places). This option is available on computers running Windows 2000 and has been removed from Windows XP/.NET. (One can also use the Active Directory Users and Computers snap-in installed on a client computer.) There are two specialized commands called from the Start | Search menu: For printers and For People.
It is possible to provide users with powerful search features and add a shortcut for these operations to the desktop or any folder. You need to perform the following steps:
Right-click the desktop and select New | Shortcut from the context menu.
Enter the following string (case sensitive!) in the Type the location of the item field, and click Next:
In the next window, enter a name for the shortcut and click Finish.
You might also wish to move the created shortcut to some folder or menu.
After clicking the shortcut, the user will see the search window similar to the one shown in Fig. 7.14. From that window, it is possible to find users, contacts, groups, printers, OUs, etc.
This feature works fine on all Windows systems (from Windows 95 to Windows NT 4.0) provided that the Active Directory Client Extension (DSClient.exe from the Windows 2000 Server CD; see also links in Appendix A) is installed. (Windows 2000/XP/.NET systems have that client as a built-in feature.) Just keep in mind that you must not enter a space between the dsquery and OpenQueryWindow parameters.