3rd Party Tools for Managing Active Directory
Some Third-Party Gems since Active Directory is based on LDAP standards, you can query and modify it using any tool that can speak LDAP. Many third-party vendors have released fee-based tools to assist you in administering Active Directory, but sometimes you find a treasure that has been made available to the community at no charge. Such is the case with a collection created by Directory Services MVP Joe Richards, available for download from joeware.net/freetools. There you’ll find numerous tools to serve many different functions. Three that I turn to again and again are adfind, admod, and oldcmp.
Adfind and Admod
Adfind and admod are similar to dsquery and dsmod; adfind is a command-line query tool for Active Directory, and admod can create, delete, or modify one or more Active Directory objects.
Unlike the ds* tools that have multiple submenus and different switches depending on the type of object, adfind and admod have a consistent syntax regardless of the type of query or modification you’re trying to perform. The basic syntax for adfind is:
adfind –b <Search Base> -s <Search Scope> -f <Search Filter>
attributesDesired
So a query for the DN and description of all computer objects within your domain would be:
adfind –b dc=contoso,dc=com –s subtree –f (objectclass=computer) dn
description
A query for all user objects would look like this:
adfind –b dc=contoso,dc=com –s subtree –f "(&(objectcategory=person)
(objectclass=user))" dn description
Notice that except for the contents of the LDAP query, the syntax has not changed.
As you work with adfind, you’ll find a number of shortcut operators that can save you a lot of typing. For example, the -default switch can replace -b dc=contoso,dc=com in the previous example and search your entire domain; -gc searches against a global catalog (GC) and returns all users in your Active Directory forest. You can also use the -rb switch to set a relative base for your search; if you want to search the Training OU in the phl.east.us.contoso.com domain, you can save yourself quite a bit of effort by simply specifying –default –rb ou=Training rather than –b ou=Training, dc=phl,dc=east,dc=us,dc=contoso,dc=com.
Adfind can also perform a number of advanced search functions that can’t be easily managed at the command line otherwise, including those shown in Figure 4.
An example using the –asq switch would be "Show me the group memberships of the members of the HelpDesk," like this:
adfind –default –rb cn=HelpDesk,ou=IT –asq member memberOf
Admod, as its name suggests, is used to modify objects within Active Directory. As with adfind, there are no specialized submenus with particular syntaxes to remember; admod uses the same syntax regardless of the type of object you’re working with. You can also use admod to add, move, rename, delete, and even undelete objects simply by adding the appropriate switch, such as -add, -rm, -move, -undel. And just as with dsquery and dsmod, you can also use the | character to pipe the results of an adfind query into admod.
Note that performing an undelete with admod simply performs a tombstone reanimation operation, in which most of the objects attributes have been removed. To fully restore an object and all of its attributes, you’ll still need to perform an authoritative restore of the object.
Oldcmp
There’s one additional joeware tool I consider an indispensable part of my automation toolkit: oldcmp, which scans your Active Directory database for computer accounts that have not been used in a specified number of weeks and can do the following:
- Create a report of accounts without taking any action against them
- Disable the unused computer accounts
- Move the computer accounts to a different OU that you designate
- Delete the computer accounts outright
Note that because oldcmp has the potential to wreak serious havoc on your directory, it has a number of built-in safety features. It will not delete any account that has not already been disabled (and without manually specifying a "No really, I mean it!" command-line switch). It will not modify more than 10 objects at a time without a similar "No really, I mean it!" switch, and it absolutely will not do anything to the computer account for a domain controller.
Despite the now-misleading name of the tool, Joe has updated oldcmp so that it will perform similar functions for user accounts that have not been used for a certain amount of time as well.
For a small Active Directory environment or one where you’re only working with one or two additions or changes at a time, the GUI tools such as Active Directory Users and Computers might be sufficient for day-to-day administration. But if you’re adding and modifying large numbers of objects on a daily basis or simply want a more streamlined solution for your administrative tasks, moving to the command line can greatly speed up the process of creating, modifying, and deleting objects within Active Directory. As you’ve seen, there are a number of flexible and powerful tools available free of charge, both built right into Windows and downloadable from members of the Active Directory community. Any of these tools has the ability to greatly enhance your productivity as an Active Directory administrator, and together they become even more essential to your daily work life.
Recommended Microsoft Office Downloads : September 28 Ed | Word: Compatibility Pack for End Users
Leave a Reply