Chapter 12: Manipulating Active Directory Objects

In this chapter, we will discuss Active Directory modification tools in detail. These tools allow administrators to find the necessary directory objects and edit their attribute values; manipulate various domain objects (computer accounts, domain trusts, secure channels, etc.); export specified objects to a file; and import (create) objects from a file in the same or another domain. All listed operations can be performed with either a single directory object or a number of objects.

Finding Information in Active Directory

Since Active Directory may contain a huge number of directory objects and have a complex domain structure, administrators need a way to locate the required objects quickly and to view or edit their attributes. The following facilities serve that purpose.

GUI Tools
  • The search option of Active Directory client software (built-in features of Windows 2000/XP/.NET, or the Active Directory Client Extension, DSClient). DSClient can be installed on any Windows platform. The Find window allows you to look for standard objects (users, groups, computers, etc.) as well as to run common and custom queries. (See the "Configuring Search Option on a Client Computer" section in Chapter 8, "Common Administrative Tasks.")

  • Active Directory Users and Computers snap-in — this snap-in has a Filter option that allows you to narrow the scope of viewed objects. The Find option allows you to locate and select objects for manipulation within a domain as well as in the entire forest (since it is able to work with the Global Catalog). Moreover, the Windows .NET version of the snap-in introduces Saved Queries, which allow the administrator to work with defined sets of selected directory objects. (The snap-in was discussed in Chapter 7, "Domain Manipulation Tools.")

  • AdsVw.exe and Ldp.exe (ADSI SDK and Support Tools) — these powerful tools allow you to compose complex queries and apply them to a domain as well as to the entire forest. AdsVw.exe can open a number of query windows simultaneously. (Both of these tools are described later in this chapter.)

Command-line Tools
  • DsQuery.exe and DsGet.exe — the standard Windows .NET tools (they do not work on Windows 2000 systems!) that use the LDAP protocol (therefore, they can query both Windows 2000- and Windows .NET-based domains) and can find directory objects of various types as well as display their attributes. Search operations can be performed within a single domain or the entire forest.

  • Search.vbs — a script from the Support Tools pack. It can search within a single domain and works with the LDAP provider only.

  • Windows Domain Manager (NetDom.exe) (Support Tools) — can display specific information about domains (FSMO role owners, trusts, etc.) as well as perform modifications.

Active Directory Search Tool (Search.vbs) (ST)

The Search.vbs script is a simple, handy tool that allows you to retrieve the attributes of the specified objects. By default, the script displays the ADsPaths of the children of the object specified by its distinguished name. These child objects may be of any type.

Administrators or any other users may use the script on any Windows platform, provided that the Windows Scripting Host (WSH) is installed. This is a unique instrument, since the other search tools require Windows 2000/XP/.NET.


The Search.vbs script does not display certain object attributes, such as objectGUID, objectSID, lastLogon (these are attributes of "complex" types, such as OctetString, LargeInteger, etc.), and some others. What is worse, the script has an internal bug, which sometimes produces erroneous output when such attributes are included in the returned parameters list (for instance, a search for a user's objectSID, lastLogon, and cn attributes).

Analyzing the script's source listing will help you better understand how data of various types is retrieved (see also Chapter 16, "Active Directory Service Interfaces (ADSI)") when composing your own scripts.
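The two "complex" attribute types mentioned above are the ones most often needed when the raw values have been fetched by another means (Ldp.exe, DsGet.exe, or your own ADSI script). The following is an added example, not code from the book or from Search.vbs: it decodes objectSID from its octet-string layout and lastLogon from its LargeInteger (Windows FILETIME) form, and it validates the SID length so a truncated value fails loudly rather than producing a wrong string. The byte and tick values used as samples are constructed for illustration.

```python
"""Decode objectSID (OctetString) and lastLogon (LargeInteger/FILETIME) values.

Added example for this chapter; not part of the book or of Search.vbs.
Sample values below are constructed, not taken from a real domain.
"""
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 1601-01-01 00:00 UTC, counted in 100-nanosecond ticks.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def sid_to_string(sid: bytes) -> str:
    """Convert a binary SID to its S-1-5-21-... text form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then N sub-authorities,
    each a 32-bit little-endian integer.
    """
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def filetime_to_datetime(value: int):
    """Convert a FILETIME LargeInteger (100 ns ticks since 1601) to a UTC datetime.

    Active Directory stores 0 for "never logged on"; return None for that
    case instead of reporting 1601-01-01.
    """
    if value == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=value // 10)


def decode_attributes(raw: dict) -> dict:
    """Decode the complex-typed attributes in a raw attribute dict; pass others through."""
    decoded = {}
    for name, value in raw.items():
        key = name.lower()
        if key == "objectsid":
            decoded[name] = sid_to_string(value)
        elif key in ("lastlogon", "lastlogontimestamp", "pwdlastset", "accountexpires"):
            decoded[name] = filetime_to_datetime(int(value))
        else:
            decoded[name] = value
    return decoded


# Constructed samples: a domain user SID (RID 1104) and the BUILTIN\Administrators SID.
SAMPLE_USER_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1234567890, 987654321, 1122334455, 1104)
SAMPLE_BUILTIN_ADMINS_SID = bytes([1, 2]) + (5).to_bytes(6, "big") + struct.pack("<2I", 32, 544)
# Constructed FILETIME for 2020-01-01 00:00:00 UTC.
SAMPLE_LASTLOGON = 132223104000000000

if __name__ == "__main__":
    print(decode_attributes({"cn": "Alice", "objectSid": SAMPLE_USER_SID,
                             "lastLogon": SAMPLE_LASTLOGON}))
```

Note that lastLogon is not replicated between domain controllers, so the decoded value reflects only the controller that was queried; lastLogonTimestamp is the replicated (but coarser) alternative.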

Output Data Format

The script outputs the data found as a sequence of lines in the following format:

  attributeName object# [=] propertyValue

If the script cannot display a property value, it outputs only the first two components, e.g., objectSID 1. If a property has an empty value or is not defined, the "=" character is added with nothing after it, e.g., description 1 =.
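Because every attribute of every object is printed on its own line, the output is easy to post-process. The following parser is an added example (not part of the book or of the Support Tools) that regroups the lines into one attribute dictionary per object and distinguishes the two special cases just described: a line with no "=" (the script could not render the value) and a line with "=" but nothing after it (the attribute is empty or undefined). The sample output it parses is constructed to mirror the format; the header and summary lines follow the shape seen in the examples below.

```python
"""Parse Search.vbs output lines (attributeName object# [=] propertyValue).

Added example; not code from the book or from Search.vbs. SAMPLE_OUTPUT is
constructed in the script's output format.
"""
import re
from typing import Dict, List

# attribute name, object number, then an optional "= value" part.
_LINE = re.compile(r"^\s*(\S+)\s+(\d+)(?:\s*=\s*(.*))?\s*$")

# Sentinel: the attribute was requested but Search.vbs could not render it.
UNDISPLAYABLE = object()


def parse_search_output(text: str) -> List[Dict[str, object]]:
    """Return one dict per result object, in object-number order."""
    objects: Dict[int, Dict[str, object]] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        # Skip the query header ("<LDAP://...>; filter; attrs; scope") and summary lines.
        if stripped.startswith("<") or stripped.startswith("Finished") or stripped.startswith("Found"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unrecognised line: %r" % line)
        name, number, value = m.group(1), int(m.group(2)), m.group(3)
        entry = objects.setdefault(number, {})
        if value is None:
            entry[name] = UNDISPLAYABLE          # "objectSID 1": no value shown
        else:
            entry[name] = value.strip() or None  # "description 1 =": empty/undefined
    return [objects[k] for k in sorted(objects)]


def undisplayable_attributes(objects: List[Dict[str, object]]) -> List[str]:
    """Names of attributes the script could not show; fetch these with Ldp.exe or DsGet.exe."""
    names = {n for obj in objects for n, v in obj.items() if v is UNDISPLAYABLE}
    return sorted(names)


# Constructed sample in Search.vbs format (two user objects, three attributes).
SAMPLE_OUTPUT = """\
<LDAP://DC=net, DC=dom>; (objectClass=user); cn, description, objectSID; subtree
Finished the query.
Found 2 objects.
cn 1 = Alice
description 1 =
objectSID 1
cn 2 = Bob
description 2 = Helpdesk
objectSID 2
"""

if __name__ == "__main__":
    results = parse_search_output(SAMPLE_OUTPUT)
    for obj in results:
        print(obj)
    print("not displayable:", undisplayable_attributes(results))
```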

A few examples of using Search.vbs are presented below.

Example 1. Searching for an Object Using Its GUID

Suppose you want to verify whether a known GUID really belongs to a directory object, or you want to check the name of this object. You may use the following command:

  C:\>search "LDAP://<GUID=075f1790071a854d82ee5556c3a11d64>" /S:base

The resulting output will be similar to:

  <LDAP://<GUID=075f1790071a854d82ee5556c3a11d64>>; (ObjectCategory=*); ADsPath; base
  Finished the query.
  Found 1 objects.
  ADsPath 1 = LDAP://OU=Staff, DC=net, DC=dom

You may also widen the scope of the search (i.e., use the /S:oneLevel or /S:subTree parameter and get the names of the base object's children), or specify additional attributes to output.


If the object's name is all you want to know, you may also use the Guid2obj.exe utility from the Windows 2000 Resource Kit. You should provide the object GUID as a parameter, and the tool will retrieve the distinguished name of the object from the nearest global catalog server.
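The hexadecimal string inside <GUID=...> is the raw 16-byte objectGUID in storage order, whereas administrative snap-ins show the same value in the familiar {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} form, in which the first three fields are little-endian. Mixing the two up is a common reason a GUID "is not found". The following added example (not from the book, Search.vbs or Guid2obj.exe) converts between the two representations and also produces the escaped (objectGUID=...) LDAP filter that DsQuery.exe or Ldp.exe accept; it uses the GUID from Example 1.

```python
"""Convert an Active Directory objectGUID between its binding-string, display and
LDAP-filter forms.

Added example for this chapter; not part of the book or of any Support Tool.
EXAMPLE_HEX is the GUID used in Example 1 of the chapter.
"""
import uuid


def adsi_guid_to_uuid(hex_guid: str) -> uuid.UUID:
    """'<GUID=...>' payload (32 hex digits, storage byte order) -> uuid.UUID.

    Accepts either the bare hex digits or the full '<GUID=...>' token.
    """
    digits = hex_guid.strip().strip("<>")
    if digits.upper().startswith("GUID="):
        digits = digits[5:]
    raw = bytes.fromhex(digits)
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    # bytes_le: first three fields little-endian, as stored by Windows.
    return uuid.UUID(bytes_le=raw)


def uuid_to_adsi_binding(g: uuid.UUID) -> str:
    """uuid.UUID -> ADSI binding string 'LDAP://<GUID=...>' (storage byte order)."""
    return "LDAP://<GUID=%s>" % g.bytes_le.hex()


def uuid_to_ldap_filter(g: uuid.UUID) -> str:
    """uuid.UUID -> '(objectGUID=\\xx\\xx...)' with every byte RFC 4515-escaped."""
    return "(objectGUID=%s)" % "".join("\\%02x" % b for b in g.bytes_le)


EXAMPLE_HEX = "075f1790071a854d82ee5556c3a11d64"  # from Example 1

if __name__ == "__main__":
    g = adsi_guid_to_uuid(EXAMPLE_HEX)
    print("display form :", "{%s}" % g)
    print("binding form :", uuid_to_adsi_binding(g))
    print("LDAP filter  :", uuid_to_ldap_filter(g))
```

The display form of the Example 1 GUID is {90175f07-1a07-4d85-82ee-5556c3a11d64}; note how the first three groups are byte-reversed relative to the hex string in the binding path.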

Example 2. Finding All Policies in a Domain

Sometimes, it is necessary to know what policies (GPOs) exist in a domain, and which names they go by in administrative snap-ins. You could look up the value of the displayName attribute for each policy object in the CN=Policies, CN=System subtree of the domain container. However, it is much faster to use Search.vbs. The query might look like this:

  search "LDAP://DC=net, DC=dom" /C:(objectClass=GroupPolicyContainer) /S:subtree /P:cn,displayName

Possible resulting output:

  <LDAP://DC=net, DC=dom>; ((objectClass=GroupPolicyContainer)); cn, displayName; subtree
  Finished the query.
  Found 5 objects.
  cn 1 = {31B2F340-016D-11D2-945F-00C04FB984F9}
  displayName 1 = Default Domain Policy
  cn 2 = {6AC1786C-016F-11D2-945F-00C04fB984F9}
  displayName 2 = Default Domain Controllers Policy
  cn 3 = {9EFADC61-8833-4970-9CE3-AF705E197908}
  displayName 3 = NET-Site GPO
  cn 4 = {3DE99CCC-C0F6-4F21-BE9C-E6D3F7EB6370}
  displayName 4 = ADMINs OU's GPO
  cn 5 = {55EAC8BC-D3C7-4B11-AA00-ECB7620A7FB9}
  displayName 5 = COMPs OU's GPO

As you can see, there are three additional GPOs (one for the site and two for OUs) in the domain, besides the default ones.

The same operation could be done using the following command:

  dsquery * -filter "(objectClass=GroupPolicyContainer)" -attr cn displayName

Windows .NET Server 2003 Domains & Active Directory
ISBN: 1931769001
Year: 2002
Pages: 154