Archive for the ‘Active Directory’ Category

Creating Snapshots With ADExplorer

2010/11/03

Source: http://www.frickelsoft.net/blog/?p=160

Those who have already looked into Server 2008 (I hope almost all of you have!) will surely have noticed or read about Server 2008’s snapshot capability. You can take snapshots of the directory database, save them away and mount them later with the dsamain tool, so that a snapshot runs alongside your current AD. The point is that you can do a before/after comparison against the snapshot you took a few days, hours or minutes before you made a change to the directory.

Obviously, the built-in tool isn’t really nice when it comes to comparing the live database with the snapshot, and mounting and dismounting instances isn’t either. So I’d like to take the opportunity to write a few words about ADExplorer. ADExplorer is one of the free Sysinternals tools; you can grab it from http://technet.microsoft.com/en-us/sysinternals/bb963907. What’s cool about ADExplorer is that it lets you take snapshots of your AD, just like you know it from regmon and filemon (they merged into procmon, afaik). Take a ‘before’ snapshot, take an ‘after’ snapshot and let the tool compare them.

The usage is pretty easy. You first connect to the domain you want.

You can browse the domain and its objects in an ADSIEdit-like way; changing, deleting and editing objects is just as easy. At some point, when you feel the directory is in good shape, you might want to create a snapshot: select “File”, “Create Snapshot”.

Enter a description and a name (“Vorher” is German and equivalent to “before” in this context :-). The file is saved with a *.dat extension. Note that, once you have dumped the directory to the snapshot, you should store the .dat file somewhere safe: you surely don’t want all your naming contexts to end up in the wrong hands. I’d basically treat the export like a backup – lock it up.

We make some modifications and afterwards we feel like taking a second snapshot and comparing the two. Fast said, even faster done. We create the second snapshot just like the first – and save it somewhere safe. To compare the two snapshots, we restart ADExplorer. This time, we don’t choose the domain but use the “Enter the path of previous snapshot to load” option.

It loads the snapshot and you can browse – again in ADSIEdit-style – the snapshot you took a while ago. For comparison, we go select “Compare”, “Compare Snapshot”. Already bored? Okay, here comes the cool stuff:

You get to choose which objects and attributes the tool compares! The first box lets you choose the second snapshot. After that, you can tick the objects and attributes you want included in the comparison and untick those to be ignored. This is a kind of filtering, useful if you’re searching for something specific. Clicking OK generates the comparison.

This is what it put out for me. You can see that I deleted a user called “Jack Black”: the first line, “Object missing in first”, looks like an object creation and the last line, “Object missing in second”, like an object deletion. That is because deleting the user moves it from its original OU into the “Deleted Objects” container, so it is new in one place and gone from the other. Also, Florian’s user object got a few changes: someone added a street, the location and a few more attributes. You can also see that the administrator logged on several times, so the lastLogon and logonCount values differ. The before and after values are both shown in the log.

I like the tool. It allows quick comparison of before/after snapshots and can be loaded on any machine (in case you want to view the snapshots on your desktop). It is exactly what you need when evaluating an application that modifies the directory – or when testing AD functions and you need to track down which attributes and objects the function changes (that use case is geek-only, of course! 😉
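
The comparison described in this post, reproduced as an added Python example (this is not ADExplorer’s code and not the author’s): two constructed snapshots, kept as dicts keyed by DN with made-up names and values, are diffed attribute by attribute. The deleted user shows up exactly as described above, as “Object missing in first” under Deleted Objects and “Object missing in second” in its original OU, and the `ignore` list plays the role of the attribute tick-boxes in the compare dialog. The .dat file format is not modelled.

```python
"""Diff two directory snapshots attribute by attribute.
Added example, not ADExplorer's or the post author's code: the snapshots are
constructed dicts keyed by DN; the real .dat format is not modelled."""

# Constructed "before" snapshot (made-up DNs and values, not real data).
BEFORE = {
    "CN=Jack Black,OU=Users,DC=example,DC=test": {
        "objectClass": "user", "sAMAccountName": "jblack"},
    "CN=Florian,OU=Users,DC=example,DC=test": {
        "objectClass": "user", "sAMAccountName": "florian"},
    "CN=Administrator,CN=Users,DC=example,DC=test": {
        "objectClass": "user", "sAMAccountName": "Administrator",
        "logonCount": "41", "lastLogon": "129324990000000000"},
}

# Constructed "after" snapshot: Jack Black was deleted (AD moves the object into
# the Deleted Objects container; the real DN also carries a "\0ADEL:<GUID>"
# component, omitted here), Florian got address attributes, Administrator logged on.
AFTER = {
    "CN=Jack Black,CN=Deleted Objects,DC=example,DC=test": {
        "objectClass": "user", "sAMAccountName": "jblack", "isDeleted": "TRUE"},
    "CN=Florian,OU=Users,DC=example,DC=test": {
        "objectClass": "user", "sAMAccountName": "florian",
        "streetAddress": "Musterstrasse 1", "l": "Berlin", "postalCode": "10115"},
    "CN=Administrator,CN=Users,DC=example,DC=test": {
        "objectClass": "user", "sAMAccountName": "Administrator",
        "logonCount": "44", "lastLogon": "129325080000000000"},
}

MISSING_FIRST = "Object missing in first"
MISSING_SECOND = "Object missing in second"


def compare_snapshots(before, after, ignore=()):
    """Return (dn, what, old, new) rows; `what` is an attribute name or one of
    the two "Object missing" markers. `ignore` lists attributes to leave out,
    like unticking them in the compare dialog."""
    ignored = {a.lower() for a in ignore}
    rows = []
    for dn in sorted(set(before) | set(after)):
        if dn not in before:
            rows.append((dn, MISSING_FIRST, None, None))
        elif dn not in after:
            rows.append((dn, MISSING_SECOND, None, None))
        else:
            old, new = before[dn], after[dn]
            for attr in sorted(set(old) | set(new), key=str.lower):
                if attr.lower() not in ignored and old.get(attr) != new.get(attr):
                    rows.append((dn, attr, old.get(attr), new.get(attr)))
    return rows


def summarize(rows):
    """Count objects that are new, gone, or modified between the snapshots."""
    created = sum(1 for r in rows if r[1] == MISSING_FIRST)
    deleted = sum(1 for r in rows if r[1] == MISSING_SECOND)
    modified = len({r[0] for r in rows if r[1] not in (MISSING_FIRST, MISSING_SECOND)})
    return {"created": created, "deleted": deleted, "modified": modified}


if __name__ == "__main__":
    for dn, what, old, new in compare_snapshots(BEFORE, AFTER, ignore=["lastLogon"]):
        print(f"{dn}\n    {what}: {old!r} -> {new!r}")
```

Ignoring lastLogon removes the noise from routine logons, which is what the attribute tick-boxes are for; a deleted object still appears twice, once per container, just as in the tool’s output.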

Move a Computer Object to an OU

2010/11/01

Source: http://technet.microsoft.com/en-us/library/cc731094(WS.10).aspx

I want to move a computer object to the correct OU depending on the server name.
In my company we use the naming convention MTL1ASTT01:

MTL is the city name
1 is the site number
A for application
STT custom info
01 number of the server
In our Active Directory we use:
DOMAIN.local > GLOBAL > %SITENAME% > SERVERS
So if I want to get the SITENAME from the server name, I would use the code below:
echo. Getting Sitename from the Computer name...
rem The first four characters of the name (city + site number, e.g. MTL1) identify the site.
set SITENAME=%COMPUTERNAME:~0,4%
echo. SITENAME is %SITENAME%
dsmove "CN=%COMPUTERNAME%,OU=COMPUTERS,DC=DOMAIN,DC=LOCAL" -newparent "OU=Servers,OU=%SITENAME%,OU=GLOBAL,DC=DOMAIN,DC=LOCAL"

Active Directory – Saved Queries (ADUC MMC)

2010/10/30
Tags: AD Active Directory ADUC mmc saved queries query ldap
Windows XP Computers with Service Pack 2 Installed
(&(objectCategory=computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 2))
Windows XP Computers with Service Pack 1 Installed
(&(operatingSystem=Windows XP*)(operatingSystemServicePack=Service Pack 1))
Windows XP Computers with No Service Pack Installed
Notice the “!” before operatingSystemServicePack and the “*”. The “!” means NOT, so the statement reads “NOT equal to anything” rather than NULL or an empty string (“”) as in some other languages.
(&(operatingSystem=Windows XP Professional)(!operatingSystemServicePack=*))
Windows Server 2003 No Service Pack 1
(&(objectCategory=computer)(operatingSystem=Windows Server 2003)(!operatingSystemServicePack=*))
Windows Server 2003 Service Pack 1 Installed
(&(objectCategory=computer)(operatingSystem=Windows Server 2003)(operatingSystemServicePack=Service Pack 1))
Windows 2000 Professional
(&(objectCategory=computer)(operatingSystem=Windows 2000 Professional))
Windows 2000 Server
(&(objectCategory=computer)(operatingSystem=Windows 2000 Server))
All Windows Server 2003 Servers
(&(objectCategory=computer)(operatingSystem=Windows Server 2003))
SQL Servers (running on Windows 2003) (please verify in your environment)
(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*)(operatingSystem=Windows Server 2003))
SQL Servers any Windows Server OS
(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*)(operatingSystem=Windows Server*))
Exchange Servers (running on Windows 2003) (please verify in your environment)
(&(objectCategory=computer)(servicePrincipalName=exchangeMDB*)(operatingSystem=Windows Server 2003))
Exchange Servers any Windows Server OS
(&(objectCategory=computer)(servicePrincipalName=exchangeMDB*)(operatingSystem=Windows Server*))
Windows Vista SP1
(&(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1))
Windows Server 2008 Enterprise
(&(objectCategory=computer)(operatingSystem=Windows Server® 2008 Enterprise)(operatingSystemServicePack=Service Pack 1))
Windows Server 2008 (all versions)
(&(objectCategory=computer)(operatingSystem=Windows Server® 2008*))
Notice the ® in the Windows 2008 values, it needs to be in the query or there won’t be any results.
Groups Like Service (finds any group name that contains the word service)
(objectcategory=group)(samaccountname=*service*)
Description Like Service (finds accounts in which the description contains the word service)
(objectcategory=person)(description=*service*)
Groups Like Admin (finds any groups whose name contains the word admin)
(objectcategory=group)(samaccountname=*admin*)
Universal Groups (finds groups with universal scope)
(groupType:1.2.840.113556.1.4.803:=8)
Groups with No Members (finds groups that have no members in them)
(objectCategory=group)(!member=*)
Note: The ! symbol means “Not” and * means “Has a value,” so the combination of the two evaluates to “Doesn’t have a value.”
Global, Domain Local, or Universal Groups (finds any group defined as a Global Group, a Domain Local Group, or a Universal Group)
(groupType:1.2.840.113556.1.4.804:=14)
Global, Domain Local, or Universal Groups with No Members (finds any group defined as a Global Group, a Domain Local Group, or a Universal Group that has no members)
(groupType:1.2.840.113556.1.4.804:=14)(!member=*)
User Like Service (finds any account ID that has a name containing the word service)
(objectcategory=person)(samaccountname=*service*)
Password Does Not Expire (finds user accounts with nonexpiring passwords)
(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)
No Employee ID (finds any user account that has no employeeid value)
(objectcategory=person)(!employeeid=*)
No Login Script (finds accounts that don’t run a logon script)
(objectcategory=person)(!scriptPath=*)
No Profile Path (finds accounts that don’t have roaming profiles)
(objectcategory=person)(!profilepath=*)
Must Change Password and Not Disabled (finds nondisabled accounts that must change their password at next logon)
(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)
UserList Exclude Disabled Account (finds all user accounts except those that are disabled)
(objectCategory=person)(objectClass=user)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)
Locked Out Accounts (finds all locked out accounts)
(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=16)
Domain Local Groups (finds groups with Domain Local scope)
(groupType:1.2.840.113556.1.4.803:=4)
Users with Email Address (finds accounts that have an email address)
(objectcategory=person)(mail=*)
Users with No Email Address (finds accounts with no email address)
(objectcategory=person)(!mail=*)
Find Groups that contains the word admin
(objectcategory=group)(samaccountname=*admin*)
Find users who have admin in description field
(objectcategory=person)(description=*admin*)
Find all Universal Groups
(groupType:1.2.840.113556.1.4.803:=8)
Empty Groups with No Members
(objectCategory=group)(!member=*)
Finds all groups defined as a Global Group, a Domain Local Group, or a Universal Group
(groupType:1.2.840.113556.1.4.804:=14)
Find all User with the name Bob
(objectcategory=person)(samaccountname=*Bob*)
Find user accounts with passwords set to never expire
(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)
Find all users that never log in to domain
(&(&(objectCategory=person)(objectClass=user))(|(lastLogon=0)(!(lastLogon=*))))
Find user accounts with no log on script
(objectcategory=person)(!scriptPath=*)
Find user accounts with no profile path
(objectcategory=person)(!profilepath=*)
Finds non disabled accounts that must change their password at next logon
(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)
Finds all disabled accounts in active directory
(objectCategory=person)(objectClass=user)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)
Finds all locked out accounts
(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=16)
Finds Domain Local Groups
(groupType:1.2.840.113556.1.4.803:=4)
Finds all Users with Email Address set
(objectcategory=person)(mail=*)
Finds all Users with no Email Address
(objectcategory=person)(!mail=*)
Find all Users, Groups or Contacts where Company or Description is Contractors
(|(objectcategory=user)(objectcategory=group)(objectcategory=contact))(|(description=North*)(company=Contractors*))
Find all Users with Mobile numbers 712 or 155
(objectcategory=user)(|(mobile=712*)(mobile=155*))
Find all Users with Dial-In permissions
(objectCategory=user)(msNPAllowDialin=TRUE)
Find All printers with Color printing capability
Note: server name must be changed
(&(uncName=*Servername*)(objectCategory=printQueue)(printColor=TRUE))
Find Users Mailboxes Overriding Exchange Size Limit Policies
(&(objectCategory=user)(mDBUseDefaults=FALSE))
Find all Users that need to change password on next login.
(&(objectCategory=user)(pwdLastSet=0))
Find all Users that are almost Locked-Out
Notice the “>=” that means “Greater than or equal to”.
(objectCategory=user)(badPwdCount>=2)
Find all Computers that do not have a Description
(objectCategory=computer)(!description=*)
Find all users with Hidden Mailboxes
(&(objectCategory=person)(objectClass=user)(msExchHideFromAddressLists=TRUE))
Find all Windows 2000 SP4 computers
(&(objectCategory=Computer)(operatingSystem=Windows 2000 Professional)(operatingSystemServicePack=Service Pack 4))
Find all Windows XP SP2 computers
(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 2))
Find all Windows XP SP3 computers
(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 3))
Find all Vista SP1 computers
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1))
Find All Workstations
(sAMAccountType=805306369)
Find all 2003 Servers Non-DCs
(&(sAMAccountType=805306369)(!(primaryGroupId=516))(objectCategory=computer)(operatingSystem=Windows Server 2003*))
Find all 2003 Servers – DCs
(&(sAMAccountType=805306369)(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server 2003*))
Find all Server 2008
(&(sAMAccountType=805306369)(!(primaryGroupId=516))(objectCategory=computer)(operatingSystem=Windows Server 2008*))