Operating Systems

It is now estimated that Microsoft has products on 90% of the world's PCs. As such, it makes good sense to become familiar with and certified in their operating systems and products. Certifications like Microsoft's MCSE and MCSA are worthwhile pursuits in preparing oneself for administering and troubleshooting Active Directory and Microsoft client operating systems. An additional resource is the Microsoft Certification Member Site.

I openly and vigorously support Linux and open source development.  While that may be the case, one might argue that open source development, as we know it, was made possible by its competitor, Microsoft.  Consider the advantage that having the same operating system and environment on so many millions of PCs has had for software development in the last two decades, whether its origin be open source or Microsoft. Now as to what the future may hold, who knows?

A. Installing 2008

Let’s take a look at Windows 2008 Enterprise Server (sometimes affectionately called “Longhorn”). It is a pleasure to install and configure. Video Tutorials:

1. 2008 Installation - Part 1 
2. 2008 Installation - Part 2 


B. 2008 Active Directory

Let’s look at the difference between a stand-alone server, a member server that is joined to a domain, and a domain controller that is an integral part of Active Directory. We will run “dcpromo.exe” to create the first forest and domain tree on our network. This will modify local logon privileges so that we only have domain-logon privileges. Only the administrator account will be allowed to log on locally, unless we grant the privilege to other users in the default domain controllers policy.

The Active Directory database, “ntds.dit” will be written and the “SysVol” folder will be shared to provide for Kerberos-encrypted Group Policy replication across the network. Operations master roles will be assigned, DNS will be configured and new administrative tools will be available. We will set up our FQDN and explore its structure and look at AGUDLP and delegating authority over OUs. Video Tutorials:

1. 2008 Active Directory Setup - Part 1 
2. 2008 Active Directory Setup - Part 2 
3. 2008 Active Directory Setup - Part 3 


C. Installing Vista

Vista provides a pleasant installation experience. In addition, you can launch the recovery console and repair a Vista installation from the DVD. Vista comes in several flavors, from Vista Home Basic to Vista Ultimate. Video Tutorials:

1. Vista Installation - Part 1 
2. Vista Installation - Part 2 


D. Vista Features and Configuration

Vista has some great new features: Desktop gadgets, User Account Control (maybe not so great), a new look (the Aero shell), a new backup tool and a new search tool, to name a few. It also has (if you purchase Ultimate) many of the things we like about XP. We will look at configuring Vista, tweaking it for better performance, shutting off that pesky User Account Control, local security policy, creating groups and users, AGUDLP, auditing, ACEs, DACLs and file system access. Video Tutorials:

1. Post Installation Tasks 1 
2. Post Installation Tasks 2 
3. Post Installation Tasks 3 
4. Post Installation Tasks 4 
5. Post Installation Tasks 5 
6. Post Installation Tasks 6 


Windows Server Operating Systems – 2008, 2003 and 2000

With the advent of Windows 2000 Professional and Windows 2000 Server, Microsoft introduced Active Directory. Active Directory was a bold move forward in the client-server market. It offered significant improvements over the previous NT client-server model. Let’s look at some of those improvements and enhancements that have made Microsoft dominant in the market:

Installation: 2000/2003/2008 are installed from a CD or DVD, or over the network with services such as RIS and PXE-compliant bootable interfaces. There are many different versions, from “Standard” to “Advanced” to “Enterprise” to “Datacenter”. They support differing numbers of CPUs and amounts of memory. For proper application of the permissions system, NTFS should be used as the file system. MS Server products work well stand-alone or in multi-boot configurations. 2000 and 2003 use an installation process similar to XP Pro and 2000 Pro. The MBR loads the boot loader (ntldr), which checks the “boot.ini” file for the path to the selected OS on a particular partition.

2008 (or Longhorn, if you prefer – yeeeha!) uses a boot process like Vista. In both Vista and 2008, there was a departure from the simple ASCII text “boot.ini” file. Instead, these operating systems use a BCD (Boot Configuration Data) store for their boot configuration. Rather than editing a text file, you must use “bcdedit.exe” from the command prompt to modify boot data. Examples:

bcdedit /create {legacy} /d "XP Professional"
bcdedit /set {legacy} device boot
bcdedit /set {legacy} path \ntldr

Here’s a link to the TechNet entry on the subject: BCDEdit.

Multi-boot configurations and virtualization can be used with each of these Windows server operating systems.

Continued Use of NTFS: NTFS (New Technology File System) was a significant improvement over FAT32. It surpassed the limitations of FAT32 by allowing partition and data sizes as large as 2 Terabytes. With NTFS, Microsoft also added a rich permissions and access control architecture. Any file or directory under NTFS supports user ownership and group membership. An object under NTFS has ACEs (Access Control Entries) on a DACL (Discretionary Access Control List). Permissions on objects are cumulative in cases where a user is a member of multiple groups.

Directories and objects may inherit permissions in a hierarchy. Permissions may be “implicitly” or “explicitly” denied to users. To implicitly deny means simply to “not allow”; this flows better within the inheritance hierarchy. An explicit deny overrides any other cumulative permissions in the hierarchy. In addition to standard permissions, advanced permissions are available under NTFS. Users may grant or take ownership, and object access, including failed and denied attempts, may be audited and logged.

In addition to NTFS file permissions, share permissions combine to regulate object access over the network. An object shared on the network is governed by the most restrictive combination of its share and NTFS permissions. A user’s access token is checked against these to permit or deny access. These permissions and abilities work tightly with Group Policy to provide a sophisticated permissions system.
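As an added worked example (the editor's, not code from the original page), the following PowerShell function applies the three rules stated above to a file reached through a share: NTFS allows accumulate across the user and every group in the access token, an explicit Deny removes rights regardless of any Allow, and the share result is intersected with the NTFS result so the most restrictive combination wins. The ACE tables, group names, users and the simplified mapping of standard permissions to atomic rights are constructed sample data for the example.

```powershell
# Constructed sample DACL on the file (NTFS) and on the share. Standard permission
# names are simplified: "Modify"/"Change" stand for Read+Write+Delete here.
$NtfsAce = @(
    @{ Type = 'Allow'; Principal = 'Domain Users';    Rights = @('Read') },
    @{ Type = 'Allow'; Principal = 'Accounting';      Rights = @('Read', 'Write') },
    @{ Type = 'Allow'; Principal = 'Accounting Mgrs'; Rights = @('Modify') },
    @{ Type = 'Deny';  Principal = 'Contractors';     Rights = @('Write') }
)
$ShareAce = @(
    @{ Type = 'Allow'; Principal = 'Domain Users'; Rights = @('Read') },
    @{ Type = 'Allow'; Principal = 'Accounting';   Rights = @('Change') }
)

function Expand-Rights {
    # Turn a standard permission into the atomic rights it implies, so NTFS
    # "Modify" and share "Change" can be compared on equal terms.
    param([string[]]$Rights)
    $map = @{
        Read        = @('Read')
        Write       = @('Write')
        Change      = @('Read', 'Write', 'Delete')
        Modify      = @('Read', 'Write', 'Delete')
        FullControl = @('Read', 'Write', 'Delete', 'ChangePermissions', 'TakeOwnership')
    }
    $atoms = foreach ($r in $Rights) { $map[$r] }
    return @($atoms | Select-Object -Unique)
}

function Resolve-Acl {
    # Cumulative allows for every principal in the token, minus anything
    # explicitly denied to any of those principals (explicit deny wins).
    param($Acl, [string[]]$Token)
    $allow = @(); $deny = @()
    foreach ($ace in $Acl) {
        if ($Token -notcontains $ace.Principal) { continue }
        if ($ace.Type -eq 'Deny') { $deny  += Expand-Rights $ace.Rights }
        else                      { $allow += Expand-Rights $ace.Rights }
    }
    return @($allow | Where-Object { $deny -notcontains $_ } | Select-Object -Unique)
}

function Get-EffectiveAccess {
    param([string]$User, [string[]]$Groups)
    $token = @($User) + $Groups                  # access token: the user plus group memberships
    $ntfs  = Resolve-Acl -Acl $NtfsAce  -Token $token
    $share = Resolve-Acl -Acl $ShareAce -Token $token
    # Over the network only rights granted by BOTH lists survive.
    return @($ntfs | Where-Object { $share -contains $_ } | Sort-Object)
}

# Beano: NTFS gives Read+Write+Delete via Accounting Mgrs, the share gives Change,
# so the result is Delete, Read, Write.
Get-EffectiveAccess -User 'Beano'  -Groups 'Domain Users', 'Accounting', 'Accounting Mgrs'
# Temp01 is in Accounting but also in Contractors: the explicit Deny strips Write,
# leaving Read only, even though Accounting allows Write on both lists.
Get-EffectiveAccess -User 'Temp01' -Groups 'Domain Users', 'Accounting', 'Contractors'
```

The second call is the case worth remembering when troubleshooting "access denied" on a share: a single Deny ACE on any group in the token outranks every Allow, and the share ACL then trims whatever NTFS left.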

NTFS accomplishes these things by storing all file data as “metadata”. It uses 16-bit (Unicode) characters for names and a Master File Table (MFT) to store metadata about every file, directory and other metadata on an NTFS volume. This allows minimal fragmentation and enhances performance, reliability and disk space utilization. When Active Directory was introduced, Microsoft expanded NTFS to allow fields for indexing of every object in the file system.

Continued Use of Users, Groups and OUs: Groups continued to be used to administer permissions with the advent of AD.  Under Microsoft’s strategy, an administrator will most efficiently administer a network through the process of “AGUDLP”. Let’s elaborate:

A = add the USER
G = to a global security GROUP
U = if necessary, add the global group to a UNIVERSAL group
DL = add the global or universal group to a DOMAIN LOCAL group
P = assign PERMISSIONS to the domain local group

This makes administration efficient because, once an organization is divided by function and department, groups can be created with well-defined roles and permissions. Then, to grant a user a particular set of cumulative permissions, the admin only has to add them to the right global security groups. These groups are then made members of domain local groups with the appropriate permissions to objects.

This also makes processing permissions more efficient, as fewer access control entries need to be checked against discretionary access control lists for objects in AD, enhancing performance. I like to think of AGUDLP as “All Good Utopian Dogs Love Pizza” - you could probably think of a better mnemonic device.  ;-)

In addition, AD added the OU (Organizational Unit). In many ways it can replace a domain as a division of authority, administration and delegation. OUs can simplify domain structure by allowing administrators to be delegated over functional or geographical OUs instead of sub-domains. They can be nested to fit hybrid configurations of organizations organized by function and then location, or location and then function.   

Multi-Master Architecture: Microsoft left the single-master model of NT behind when they introduced Active Directory. Rather than a single writeable PDC and multiple BDCs, an Active Directory environment only has DCs (Domain Controllers). With AD, authentication of network users is centralized on DCs as opposed to being stored locally in a workstation’s SAM database. When you use the server wizard or run “dcpromo.exe” for the first time on a network, a “forest” is created and a primary domain “tree”. That DC is a global catalog server, the first to hold the Active Directory data. This first server has 5 operations master roles that are later spread out among domain controllers to balance the load:

1 – Domain Naming Master
2 – RID Master
3 – PDC Emulator
4 – Schema Master
5 – Infrastructure Master

1 - The Domain Naming Master controls the naming of domains throughout the forest and ensures that no two domain names are identical.

2 - The RID Master issues blocks of RIDs (Relative Identifiers) to domain controllers in increments of 100. A RID combined with the domain SID gives each object created in Active Directory its unique SID (Security Identifier).

3 - The PDC Emulator synchronizes the timing of replication in Active Directory and acts as a PDC when running a 2003 or 2000 domain in mixed mode with NT BDCs.

4 - The Schema Master maintains the network schema. The schema is like the skeleton or scaffolding of Active Directory; it represents the actual class structure of objects as AD was coded. The schema is modifiable and scalable to an organization’s needs and allows attributes to be added to AD for further customization when necessary. Many applications that are “Active Directory Aware” or “Integrated” require modification of the schema. An example of this would be Exchange 2003 or 2007. Installing this application requires modification of the schema and schema admin privileges. It actually changes the structure of the user class object so that each user object can have an associated mailbox object in AD.

5 - The Infrastructure Master maintains the metadata and structure of domains and sub-domains in a tree, and along with the PDC Emulator, assists in resolving replication conflicts.

In AD’s multi-master structure, if a DC fails, any other DC can have the failed DC’s operations master role(s) transferred to it. In addition, unlike the old NT model, all DCs may modify, add and delete users, groups and objects simultaneously. This makes AD extremely fault tolerant and enhances load balancing. A problem created by the multi-master format of AD arises from replication conflicts. What happens when two or more administrators make conflicting changes on different domain controllers?

Normally, when a user or object is added or modified on a DC in AD, the changes will be replicated in time-synchronized Kerberos-encrypted bursts around the network, until all the DCs achieve “convergence” – a state of synchronization. You could almost compare this to the way link state table information converges between routing tables on an OSPF network.

When there is a conflict, AD has a method of dealing with it and deciding a “winner” in the struggle. Each object when added, changed or deleted receives a serial number that is incremented with each change. In addition, once the DCs have synchronized with the PDC Emulator, each change receives a time stamp marking when it occurred. Any object or change with a higher serial number AND a more recent time stamp will overwrite an object with a lower serial number OR a less recent time stamp. I think it is pure genius! Eureka!

So that’s how Microsoft made every DC writeable. Thus, you can afford a few DC failures and still breathe easy. The network will still keep running.

Replication is efficient because the ISTG (Inter-Site Topology Generator) attempts to find the most efficient route from one DC to another with a minimal number of hops.

Distributed File System: This works with AD’s multi-master architecture. It functions a bit like mirroring, but with entire servers as opposed to drives. When a normal file server goes down, no one can access its files until it comes back up. Under “DFS”, a distributed file system is created in AD. In this way, ADI zones are populated with SRV records mapping services queried by hosts to multiple servers. Two or more file servers can be set up on different IPs at different locations, yet AD users only see a single transparent link. If a file server goes down, the DFS is still accessible to end users – they don’t need to select or be provided with an alternate UNC/URL. How’s that for fault tolerance?

Active Directory Publishing and Indexing: Allows AD objects on a user’s LAN to be found by searching the AD database. Printers can be published and located by site-link information based on their IP subnet and geographical location.  

Group Policy: Microsoft included a rich mixture of security settings and desktop control with 2000, 2003 and 2008. With Group Policy, administrators can create security policies that are applied to an entire network. This includes things like:

  • Password complexity - for mandating the use of strong, encrypted passwords.

  • Password history – to prevent users from re-using old passwords.

  • Account lockout policies and thresholds – to cut down on the risks of brute force attacks.

  • Local Logon Privileges – determine who may log on locally

  • Network Access Privileges - determine who may log on from the network

  • Desktop settings – control what users in different groups can and cannot do from their desktops, mandate wallpaper and control Active Desktop

  • IE settings – complete control of the web browser

  • Software Installation – force software installs and updates across the network or prevent software installation

These are just a few of Group Policy’s features; it would take too long to try to cover them all.

In 2000, GP (Group Policy) is controlled via an MMC snap-in. With 2003, Microsoft introduced the GPMC (Group Policy Management Console) and greatly enhanced GP administration. Included are tools for running RSOP (Resultant Set of Policy) queries for resolving conflicts. Just how do these GP conflicts occur?

GP is cumulative when not in conflict. You may create multiple GPs with the last one being applied as dominant over any conflicting ones underneath it. There are exceptions to this rule - you can apply the “Enforce” option in 2003 (post-GPMC) or “No Override” option in 2000/2003 (pre-GPMC). When applied at a higher level, such as a site, domain or parent OU, this setting prevents any conflicting policy in a child OU or object from overriding the original “Enforced” policy above it. In addition, there is a “Block Policy Inheritance” setting that allows filtering a child object from any policy applied to a parent above it, as long as that policy is not “Enforced”. Like NTFS, GP follows an inheritance hierarchy.
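To make the precedence rules above concrete, here is an added PowerShell example (the editor's, not from the original page) that resolves one setting down a Site, Domain, OU chain: a later (closer) link overrides an earlier one, “Block Policy Inheritance” on a container drops every non-Enforced link above it, and an “Enforced” link survives both blocking and later conflicting links, with the highest Enforced link winning among Enforced links. The container names, GPO names, link options and setting names are constructed sample data.

```powershell
function Resolve-GpSetting {
    param(
        [object[]]$Chain,     # containers ordered from the site down to the object's own OU
        [string]$Setting      # the policy setting to resolve
    )
    $normal   = @()   # values from ordinary links, in processing order
    $enforced = @()   # values from Enforced links, in processing order
    foreach ($container in $Chain) {
        if ($container.BlockInheritance) {
            $normal = @()     # Block Policy Inheritance discards non-Enforced policy from above
        }
        foreach ($link in $container.Links) {
            if (-not $link.Gpo.ContainsKey($Setting)) { continue }
            $entry = [pscustomobject]@{
                Container = $container.Name; Gpo = $link.Name; Value = $link.Gpo[$Setting]
            }
            if ($link.Enforced) { $enforced += $entry } else { $normal += $entry }
        }
    }
    # Ordinary links: the last one processed (closest to the object) wins.
    # Enforced links are applied after all ordinary ones, highest container last,
    # so the highest Enforced link wins over everything else.
    $winner = $null
    if ($normal.Count   -gt 0) { $winner = $normal[-1] }
    if ($enforced.Count -gt 0) { $winner = $enforced[0] }
    return $winner
}

# Constructed sample hierarchy: site -> domain -> parent OU -> child OU.
$chain = @(
    @{ Name = 'Default-First-Site'; BlockInheritance = $false; Links = @(
        @{ Name = 'Site Baseline';     Enforced = $false; Gpo = @{ ScreenSaverTimeout = 1800 } }) },
    @{ Name = 'nwtraders.msft';     BlockInheritance = $false; Links = @(
        @{ Name = 'Domain Security';   Enforced = $true;  Gpo = @{ ScreenSaverTimeout = 600; DisableRegistryTools = $true } }) },
    @{ Name = 'OU=TopSecret';       BlockInheritance = $true;  Links = @(
        @{ Name = 'TopSecret Desktop'; Enforced = $false; Gpo = @{ ScreenSaverTimeout = 3600; Wallpaper = 'spy.bmp' } }) },
    @{ Name = 'OU=Trainees';        BlockInheritance = $false; Links = @(
        @{ Name = 'Trainee Lockdown';  Enforced = $false; Gpo = @{ Wallpaper = 'trainee.bmp' } }) }
)

# Enforced at the domain, so Block Inheritance on TopSecret cannot remove it: 600 wins.
Resolve-GpSetting -Chain $chain -Setting 'ScreenSaverTimeout'
# Not Enforced anywhere: the closest link (Trainees) wins over TopSecret.
Resolve-GpSetting -Chain $chain -Setting 'Wallpaper'
# Only set in the Enforced domain GPO: still applies below the blocked OU.
Resolve-GpSetting -Chain $chain -Setting 'DisableRegistryTools'
```

The first call is the one that matters for security baselines: a domain-level link marked Enforced is the only way to guarantee that an OU administrator with “Block Policy Inheritance” cannot opt their users out of it.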

Related to GP is the “Security Configuration and Analysis” tool and “Security Templates” that may be applied to provide common default security levels for different environments.    

Active Directory Integrated DNS and Secure Dynamic Update: Any modern network relies on DNS for hostname resolution. Standard DNS implementations involve a standard primary and secondary zone. The primary zone is the only writeable zone, and multiple secondary zones are read-only. DNS records (A and PTR) are transferred through zone transfers, which may be scheduled by time or by the number of updates that have occurred within a certain threshold. These transfers are unencrypted and vulnerable to hackers and prying eyes. They can be captured and used to harm a network or poison its DNS servers.

ADI DNS allows DNS information to be transferred from one server to another in the AD replication process. This means several things. One, the information is protected as it is encrypted with Kerberos. Two, it is automatically transferred in the replication process, so no zone transfers need to be scheduled. It also allows additional SRV record information to enhance performance along with standard A records (forward lookup, host -> IP) and PTR records (reverse lookup, IP -> host).

Also, in cooperation with DHCP, ADI DNS allows “Secure Dynamic Update”. Regular Dynamic Update is found in both Linux and Microsoft networks. It allows a client (or a DHCP server on the client’s behalf) to automatically update DNS information with A/PTR/SRV records when it boots up and joins the network. This is convenient over manual entries, but poses a security risk, as any unauthenticated host can join. Under Secure Dynamic Update, only hosts with computer accounts in AD have permission to update their records in DNS, making it more difficult for hackers to poison DNS servers or spoof hosts.

Full VPN and NAT Support in RRAS: 2008, 2003 and 2000 provide a rich set of features with Routing and Remote Access (RRAS). They are fully functional routers with static routing tables and dynamic routing protocols like RIP v1/v2 and OSPF. They are integrated NAT (Network Address Translation) servers for connecting a network’s LAN and WAN points, hiding private IPs from the public and allowing multiple private IPs to utilize one public IP. Included within this NAT capability are firewalls and filtering options for incoming and outgoing traffic. They allow multiple encrypted VPN tunnels to be created over a single broadband connection via virtual PPTP and L2TP ports. They use MPPE with PPTP, and IPSec policies and encryption with L2TP, to allow encrypted, secure remote access. They can allocate remote IPs from an internal database or from an authorized DHCP server.

IPSec and Kerberos Encrypted Replication: Through Kerberos and IPSec, AD secures and encrypts replication traffic from prying eyes. There are REQUIRE (Secure Server), REQUEST and RESPOND options for negotiating different levels of security between hosts and servers. Hash-generated certificates, pre-shared keys and Kerberos may be used for authentication.

Terminal Services: With 2000, Microsoft made Terminal Services available. Under Terminal Services, organizations can use DCs as application servers. This enables users on primitive hardware, or those without certain applications, to log into a server and use applications installed on the server. This is similar to the way RDP allows one to remote desktop into XP or Vista. This can provide tremendous savings by allowing companies to “time-share” applications and use modern software without upgrading primitive hardware.

Remote Desktop Administration and Remote Assistance: Allows remote management of servers, DCs and hosts across the network. Similar in functionality to VNC, but these features are built-in. Remote Assistance invitations may be created and sent via email or copied as file attachments. These allow remote control and collaboration when resolving problems on a system.

Customizable Management Consoles: MMCs (Microsoft Management Consoles) allow customizable toolboxes and tools to be created by adding “snap-ins” that make system administration and configuration more convenient.

Dynamic Disks and Software RAID Support: With 2000 and continuing to Vista/2008, disk volumes could be made “dynamic”. This enables striping (RAID-0) and spanning multiple physical drives into a single volume. It also allows mirroring (RAID-1). In 2008 and Vista, software RAID configurations like RAID-5 with distributed parity are supported.

Integrated Web and FTP Servers With Multiple Authentication: IIS (Internet Information Services) and FTP are integrated into 2000, 2003 and 2008. These file and web services are more resilient than their counterparts in the client operating systems – 2000 Pro, XP and Vista. Microsoft allows basic authentication, anonymous access and certificate-based logins through IIS and its FTP service.

Secure Single-Logon Access Tokens: During logon, an access token is built via a TGT (Ticket Granting Ticket) accessing the KDC (Key Distribution Center) and a Global Catalog server. A list of permissions verified against access control entries is generated and cached as local logon credentials. This allows fast and efficient access to objects in AD that the authenticated user account has access to.

In 2003, “Universal Group Membership Caching” improved efficiency in inter-site replication across WANs by caching these credentials for up to 10 logons, negating the need to access a GC each time across slower WAN links.   

Roaming User Profiles: Users who travel frequently on the network can have roaming profiles set up in their user objects and in Group Policy. This way, no matter which workstation they log into, they will have their usual files in a remote “My documents” folder on a file server and access to their desktop settings and wallpaper. This appears to be “local” to them; it is transparent to the user.

Conclusion: Active Directory and the Windows server products 2000, 2003 and 2008 have a lot to offer. There are many services and features we have not yet mentioned such as:

“Certificate Services” for encryption recovery agents, digital signatures and public and private keys in PKIs (Public Key Infrastructures). One should note that once this is installed on a DC, you cannot change its hostname until you uninstall the service. This cuts down on counterfeits and spoofing certificates.

“Shadow Copy” was added with 2003 – it allows backups to be made of locked files and objects already in use by taking a point-in-time copy of them.

“Shadow Copying Shared Folders” allows files to be recovered once deleted from network shares or previous versions to be accessed when files were modified. These are just a few services MS server products offer!

©2008 C. Germany

Scripting: Here are some new command line tools added with the advent of 2003 and 2008 Server.  These will appeal to you if you like administering a network using the BASH prompt in Linux/Unix.  The thing to watch with these is the LDAP context when passing it in as a string.  Be careful not to confuse child objects with parent objects, and watch sub-domains and parent domains.

dsadd - creates an object (user, computer, OU).  Examples:

dsadd OU "ou=MyPersonalSpace, dc=Denver, dc=nwtraders, dc=msft" -d nwtraders.msft -u Administrator -p P@ssw0rd

dsadd OU "ou=TopSecret, dc=nwtraders, dc=msft" -d nwtraders.msft -u Administrator -p P@ssw0rd

dsadd OU "ou=Villians, ou=TopSecret, dc=nwtraders, dc=msft" -d nwtraders.msft -u Administrator -p P@ssw0rd

dsadd user "cn=JamesBond, ou=TopSecret, dc=nwtraders, dc=msft" -d nwtraders.msft -u Administrator -p P@ssw0rd

dsadd user "cn=TigerWoods, ou=denver, dc=nwtraders, dc=msft" -d denver.nwtraders.msft -u Administrator -p P@ssw0rd

dsadd user "cn=GoldFinger, ou=Villians, ou=TopSecret, dc=nwtraders, dc=msft" -samID GFinger -fn Gold -ln Finger -display GoldFinger -pwd P@ssw0rd

dsadd user "cn=Cobra, ou=Villians, ou=TopSecret, dc=nwtraders, dc=msft" -pwd P@ssw0rd -disabled no -desc "Cobra shall rule the world!" -fn Cobra -ln Destroyer

dsadd user "cn=DrEEEvil, ou=Villians, ou=TopSecret, dc=nwtraders, dc=msft" -pwd P@ssw0rd -disabled no -desc "Will it be an EEEvill petting zoo Scott?" -fn Dr -ln EEEvil


Adding Users With Group Membership and Other Attributes

dsadd user "cn=Beano, ou=Accounting, ou=TopSecret, dc=nwtraders, dc=msft" -samID Beano -fn Bean -ln Counter -display Beano -pwd P@ssw0rd -memberof "CN=Accounting,OU=Accounting,OU=TopSecret,DC=nwtraders,DC=msft" -d nwtraders.msft


dsadd computer "cn=BlackBox, ou=TopSecret, dc=nwtraders, dc=msft" -d nwtraders.msft -u Administrator -p P@ssw0rd

dsadd group "cn=New_Group, ou=TopSecret, dc=nwtraders, dc=msft" -d nwtraders.msft -u Administrator -p P@ssw0rd

dsadd group "cn=GolfPlayers, ou=jeffcorp, dc=nwtraders, dc=msft" -d nwtraders.msft -u Administrator -p P@ssw0rd

 

dsmod - modifies an object that already exists in AD. Example syntax:

dsmod user UserDN -upn UPN -fn FirstName -ln LastName -mi MiddleInitial -display DisplayName -pwd Password -desc Description -office TheirOffice -tel TelephoneNumber -email TheirEmail -hometel HomeTelephone -pager TheirPager -mobile MobilePhone -fax TheirFax -iptel IPTelephone -webpg TheirWebPage -title TheirTitle -dept TheirDepartment -company TheirCompany -mgr TheirManager -hmdir TheirHomeDirectory -hmdrv TheirHomeDrive -profile UserProfile -loscr ScriptPath -mustchpwd MustChangeTheirPassword(yes/no) -canchpwd CanChangePassword(yes/no) -reversiblepwd ReversiblePassword(yes/no) -pwdneverexpires PasswordNeverExpires(yes/no) -acctexpires AccountExpires(NumberOfDays) -disabled Disabled(yes/no) -u UserName -p Password

Shortcut Attributes: -s Server  -d Domain  -u UserName  -p Password

Examples:

dsmod user "cn=GoldFinger, ou=Villians, ou=TopSecret, dc=nwtraders, dc=msft" -fn Disgusting -ln Dutch -pwd G01dFinger -disabled no -office "Dr. Evil's Lair" -tel 1-800-555-HURT -email skinproblems@villians.org -webpg http://www.dutchperverts.com -company Eeeeeeeeeevillllllll -canchpwd no -desc "Villian from Austin Powers" -d nwtraders.msft -u Administrator -p P@ssw0rd

dsmod user "cn=Yoda, ou=TopAgents, ou=TopSecret, dc=nwtraders, dc=msft" -desc "Master of the Force" -email yoda@nwtraders.msft  -hometel 0070000007 -mi Y -d nwtraders.msft -u Administrator -p P@ssw0rd

dsmod user "cn=DrEEEvil, ou=Villians, ou=TopSecret, dc=nwtraders, dc=msft" -desc "And will it be an EEEEvil petting zoo, Scott?"

 

dsrm - remove/delete an Active Directory object.  Examples:

Remove an OU:
dsrm "ou=Expendible, ou=TopSecret, dc=nwtraders, dc=msft" -d nwtraders.msft -u Administrator -p P@ssw0rd

Remove a user:
dsrm "cn=Beano, ou=Accounting, ou=TopSecret, dc=nwtraders, dc=msft" -d nwtraders.msft

 

dsquery - queries AD for specified objects and their attributes within the specified LDAP scope.  Examples: 

Query for users with stale passwords: dsquery user -stalepwd NumberOfDays

Query a user account by name: dsquery user -name Ja*

Query a computer account by name: dsquery computer -name Go*

Query disabled user accounts in an OU: dsquery user "ou=Villians, ou=TopSecret, dc=nwtraders, dc=msft" -disabled

Query computers by description: dsquery computer "ou=TopSecret, dc=nwtraders, dc=msft" -desc Chi*

Query all users in AD whose name starts with J: dsquery user -name J*

Query all users in the TopSecret OU whose name starts with J: dsquery user "ou=TopSecret, dc=nwtraders, dc=msft" -name J*

Redirect query output to a file: dsquery user "ou=TopSecret, dc=nwtraders, dc=msft" -name J* > TopSecretJUsers.txt

 

 Advanced examples with dsquery:

To find all users in the organizational unit "ou=Marketing,dc=microsoft,dc=com" and add them to the Marketing Staff group:

dsquery user ou=Marketing,dc=microsoft,dc=com | dsmod group "cn=Marketing Staff,ou=Marketing,dc=microsoft,dc=com" -addmbr

To find all users with names starting with "John" and display their office numbers:

dsquery user -name John* | dsget user -office


To display an arbitrary set of attributes of any given object in the directory use the dsquery * command. For example,
to display the sAMAccountName, userPrincipalName and department attributes of the object whose DN is ou=Test,dc=microsoft,dc=com:

        dsquery * ou=Test,dc=microsoft,dc=com -scope base -attr sAMAccountName userPrincipalName department


To read all attributes of the object whose DN is ou=Test,dc=microsoft,dc=com:

        dsquery * ou=Test,dc=microsoft,dc=com -scope base -attr * 

 

dsget - returns a subcomponent or attribute of an object when used with dsquery. The dsget commands support piping of input, so the results of a dsquery command can be piped into dsget to display detailed information on the objects found. Examples:

dsget computer - displays properties of computers in the directory.
dsget contact - displays properties of contacts in the directory.
dsget subnet - displays properties of subnets in the directory.
dsget group - displays properties of groups in the directory.
dsget ou - displays properties of ou's in the directory.
dsget server - displays properties of servers in the directory.
dsget site - displays properties of sites in the directory.
dsget user - displays properties of users in the directory.
dsget quota - displays properties of quotas in the directory.
dsget partition - displays properties of partitions in the directory.

Examples:

To find all users with names starting with "John" and display their office numbers:

dsquery user -name John* | dsget user -office



piping - takes the output of one command and feeds it as the input into another command.  Examples:


dsquery user "ou=Villians, ou=TopSecret, dc=nwtraders, dc=msft" -disabled | dsmod user -desc "Test"

dsquery user "ou=Villians, ou=TopSecret, dc=nwtraders, dc=msft" -disabled | dsget user -desc

dsquery user "ou=Villians, ou=TopSecret, dc=nwtraders, dc=msft" -disabled | dsmod user -ln "Disabled Account"

dsquery user "ou=Villians, ou=TopSecret, dc=nwtraders, dc=msft" -disabled | dsrm -noprompt

dsquery user "ou=Trainees, ou=TopSecret, dc=nwtraders, dc=msft" -disabled | dsrm -noprompt

dsquery user "ou=Trainees, ou=TopSecret, dc=nwtraders, dc=msft" -name s* | dsrm -noprompt

dsquery computer -inactive 4 | dsrm -noprompt
 

*Note: "-noprompt" is required when piping into dsrm, because dsrm reads the list of objects from standard input and cannot also read the answer to its confirmation prompt there. That also means a piped dsrm deletes everything the query returned without asking, so run the dsquery half on its own and check its output before adding the pipe.
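As an added example of a safer way to run the same clean-up (the editor's script, not from the original page), this PowerShell function runs the page's dsquery searches, writes the matched DNs to a review file, and then disables the accounts with dsmod instead of deleting them with dsrm, so a wrong LDAP scope (parent OU instead of child, parent domain instead of sub-domain) can be undone. dsquery and dsmod are the tools described above; the function name, the -Apply switch, the default OU and the review-file path are this example's own choices.

```powershell
function Disable-StaleAccounts {
    param(
        [string]$SearchBase = 'ou=Trainees,ou=TopSecret,dc=nwtraders,dc=msft',
        [int]$StalePasswordDays = 90,        # dsquery user -stalepwd
        [int]$InactiveWeeks = 4,             # dsquery computer -inactive
        [string]$ReviewFile = "$env:TEMP\stale-review.txt",
        [switch]$Apply                       # without -Apply nothing in AD is changed
    )
    # Same searches as the piping examples, but captured instead of piped straight
    # into dsrm. -limit 0 returns every match instead of the default first 100.
    $users     = @(dsquery user     $SearchBase -stalepwd $StalePasswordDays -limit 0)
    $computers = @(dsquery computer $SearchBase -inactive $InactiveWeeks   -limit 0)
    $all = $users + $computers

    # Review file first: the list of DNs is the record of what is about to happen.
    $all | Out-File -FilePath $ReviewFile
    Write-Host "Matched $($users.Count) users and $($computers.Count) computers; DNs written to $ReviewFile"
    if (-not $Apply) {
        Write-Host 'Dry run only. Re-run with -Apply after checking the review file.'
        return $all
    }

    # Disable (reversible) rather than dsrm (not reversible), and record why, so a
    # later "dsquery user -disabled" sweep shows when and why each one was disabled.
    $stamp = Get-Date -Format 'yyyy-MM-dd'
    if ($users.Count -gt 0) {
        $users | dsmod user -disabled yes -desc "Disabled $stamp - stale password over $StalePasswordDays days"
    }
    if ($computers.Count -gt 0) {
        $computers | dsmod computer -disabled yes -desc "Disabled $stamp - inactive over $InactiveWeeks weeks"
    }
    return $all
}

Disable-StaleAccounts             # dry run: writes the review file, changes nothing
# Disable-StaleAccounts -Apply    # after the review file has been checked
```

Disabled objects can still be deleted later with dsrm once nobody has complained, which is the point: a quarantine step costs one extra command and turns a destructive pipeline into a reversible one.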

dsmove - moves an object from one container to another.  Example:

dsmove "cn=DrEvil, ou=EnemyAgents, ou=TopSecret, dc=nwtraders, dc=msft" -newparent "ou=Research, ou=TopSecret, dc=nwtraders, dc=msft"

Output:

dsmove succeeded:cn=DrEvil,ou=EnemyAgents,ou=TopSecret,dc=nwtraders,dc=msft

 

LDIFDE.exe

The command to execute it is:

ldifde -i -k -f AddMe.ldf -b Administrator nwtraders.msft P@ssw0rd

Create an ASCII file called "AddMe.ldf" to use with the command above (-i imports, -k continues past "object already exists" and constraint-violation errors, and -b supplies the credentials):

dn: cn=GoldMember, ou=Villians, ou=TopSecret, dc=nwtraders, dc=msft
changetype: add
objectClass: user
sAMAccountName: GoldMember
userPrincipalName: GoldMember@nwtraders.msft
displayName: GoldMember
userAccountControl: 514

dn: CN=Maxwell, OU=Gadgets, OU=TopSecret, DC=nwtraders, DC=msft
changeType: add
objectClass: User

dn: CN=Planck, OU=Gadgets, OU=TopSecret, DC=nwtraders, DC=msft
changeType: add
objectClass: User

dn: CN=Einstein, OU=Gadgets, OU=TopSecret, DC=nwtraders, DC=msft
changeType: add
objectClass: User

dn: OU=Intelligence, OU=TopSecret, DC=nwtraders, DC=msft
changeType: add
objectClass: organizationalUnit

dn: OU=DoubleAgents, OU=TopSecret, DC=nwtraders, DC=msft
changeType: add
objectClass: organizationalUnit

dn: OU=NewRecruits, OU=TopSecret, DC=nwtraders, DC=msft
changeType: add
objectClass: organizationalUnit

With ldifde, each attribute of an object goes on its own line, written as the attribute name, a colon ":" and the value, and one entry is separated from the next by a blank line.  Besides creating new objects, ldifde can also modify objects that already exist (changetype: modify).

 

CSVDE.exe

The command to execute it is:

csvde -i -f AddMe.csv -b Administrator nwtraders.msft P@ssw0rd

Create an ASCII file called "AddMe.csv" to use with the command above:

DN, objectClass, sAMAccountName, userPrincipalName, displayName, userAccountControl

"cn=DrEvil, ou=EnemyAgents, ou=TopSecret, dc=nwtraders, dc=msft", user, DrEvil, DrEvil@nwtraders.msft, Dr Evil, 514

"cn=BritneySpeares, ou=EnemyAgents, ou=TopSecret, dc=nwtraders, dc=msft", user, BritneySpeares, BritneySpeares@nwtraders.msft, Britney S, 514

With csvde, each object occupies a single line, its attribute values separated by commas in the order given by the header row.  csvde can create new objects, but it cannot modify objects that already exist.
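Before running either import, an administrator wants to know exactly what the file is going to create. The following added example (not from the page; the two parsers and the review check are my own, and the sample files are constructed to mirror the AddMe.ldf and AddMe.csv layouts above) parses both formats, decodes the userAccountControl value 514 used above, and flags user entries that would be created enabled or without a sAMAccountName.

```python
import csv
import io

# Well-known userAccountControl bits (ADS_UF_* values); 514 = 0x200 | 0x2.
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD",
             0x0040: "PASSWD_CANT_CHANGE", 0x0200: "NORMAL_ACCOUNT"}

def decode_uac(value):
    """Names of the flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def parse_ldif(text):
    """One dict per blank-line-separated entry; attribute names lower-cased."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = (line.partition(":") for line in block.splitlines() if line.strip())
        entries.append({n.strip().lower(): v.strip() for n, _, v in attrs})
    return entries

def parse_csvde(text):
    """Header row names the attributes; every following row is one object."""
    rows = [r for r in csv.reader(io.StringIO(text), skipinitialspace=True) if r]
    header = [h.strip().lower() for h in rows[0]]
    return [dict(zip(header, (v.strip() for v in row))) for row in rows[1:]]

def review(entries):
    """(dn, message) for user objects worth a second look before import."""
    out = []
    for e in (x for x in entries if x.get("objectclass", "").lower() == "user"):
        if "samaccountname" not in e:
            out.append((e["dn"], "no sAMAccountName given"))
        if "useraccountcontrol" not in e:
            out.append((e["dn"], "userAccountControl not set; directory default applies"))
        elif not int(e["useraccountcontrol"]) & 0x0002:
            out.append((e["dn"], "ACCOUNTDISABLE bit clear: created enabled"))
    return out

# Constructed samples in the layout of the page's AddMe.ldf / AddMe.csv.
LDIF_SAMPLE = """dn: cn=GoldMember, ou=Villians, ou=TopSecret, dc=nwtraders, dc=msft
changetype: add
objectClass: user
sAMAccountName: GoldMember
userAccountControl: 514

dn: CN=Maxwell, OU=Gadgets, OU=TopSecret, DC=nwtraders, DC=msft
changeType: add
objectClass: User
"""
CSV_SAMPLE = """DN, objectClass, sAMAccountName, userAccountControl
"cn=DrEvil, ou=EnemyAgents, ou=TopSecret, dc=nwtraders, dc=msft", user, DrEvil, 514
"cn=Mini, ou=EnemyAgents, ou=TopSecret, dc=nwtraders, dc=msft", user, Mini, 512
"""
```

Running review(parse_ldif(LDIF_SAMPLE)) reports the Maxwell entry twice (no sAMAccountName, no userAccountControl), while the CSV sample reports only the Mini row, whose 512 lacks the disable bit.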

Combining Command Line Tools into a Batch File:

REM --- Below is a batch file using the dsadd command to create our "TopSecret" AD Lab Setup
REM --- It will create parent and child OUs, Global Groups, and users in each OU as well as make
REM --- them members of the appropriate global group.


REM ------Create OUs (Parent OU First) ----------------

dsadd OU "ou=TopSecret, dc=nwtraders, dc=msft" -d nwtraders.msft

dsadd OU "ou=TopAgents, ou=TopSecret, dc=nwtraders, dc=msft" -d nwtraders.msft

dsadd OU "ou=Research, ou=TopSecret, dc=nwtraders, dc=msft" -d nwtraders.msft

dsadd OU "ou=EnemyAgents, ou=TopSecret, dc=nwtraders, dc=msft" -d nwtraders.msft

dsadd OU "ou=Trainees, ou=TopSecret, dc=nwtraders, dc=msft" -d nwtraders.msft

dsadd OU "ou=Accounting, ou=TopSecret, dc=nwtraders, dc=msft" -d nwtraders.msft




REM ------Create User in Parent OU ----------------
dsadd user "cn=spyadmin, ou=TopSecret, dc=nwtraders, dc=msft" -samID spyadmin -fn spy -ln admin -display spyadmin -pwd P@ssw0rd -d nwtraders.msft


REM ------Create Accounting Group ----------------
dsadd group "cn=Accounting, ou=Accounting, ou=TopSecret, dc=nwtraders, dc=msft" -d nwtraders.msft -u administrator -p P@ssw0rd


REM ------Create User in Accounting OU and Add to Accounting Group-----
dsadd user "cn=Beano, ou=Accounting, ou=TopSecret, dc=nwtraders, dc=msft" -samID Beano -fn Bean -ln Counter -display Beano -pwd P@ssw0rd -memberof "CN=Accounting,OU=Accounting,OU=TopSecret,DC=nwtraders,DC=msft" -d nwtraders.msft


REM ------Create User in Accounting OU and Add to Accounting Group-----
dsadd user "cn=Melvin, ou=Accounting, ou=TopSecret, dc=nwtraders, dc=msft" -samID Melvin -fn Mel -ln Gibson -display Melvin -pwd P@ssw0rd -memberof "CN=Accounting,OU=Accounting,OU=TopSecret,DC=nwtraders,DC=msft" -d nwtraders.msft



REM ------Create TopAgents Global Group ----------------
dsadd group "cn=TopAgents, ou=TopAgents, ou=TopSecret, dc=nwtraders, dc=msft" -d nwtraders.msft -u administrator -p P@ssw0rd


REM ------Create User in TopAgents OU and Add to TopAgents Group -----
dsadd user "cn=JamesBond, ou=TopAgents, ou=TopSecret, dc=nwtraders, dc=msft" -samID JamesBond -fn James -ln Bond -display JamesBond -pwd P@ssw0rd -memberof "CN=TopAgents,OU=TopAgents,OU=TopSecret,DC=nwtraders,DC=msft" -d nwtraders.msft


REM ------Create User in TopAgents OU and Add to TopAgents Group -----
dsadd user "cn=Yoda, ou=TopAgents, ou=TopSecret, dc=nwtraders, dc=msft" -samID Yoda -fn Yoda -ln TheForce -display Yoda -pwd P@ssw0rd -memberof "CN=TopAgents,OU=TopAgents,OU=TopSecret,DC=nwtraders,DC=msft" -d nwtraders.msft


REM ------Create Trainees Global Group ----------------
dsadd group "cn=Trainees, ou=Trainees, ou=TopSecret, dc=nwtraders, dc=msft" -d nwtraders.msft -u administrator -p P@ssw0rd


REM ------Create User in Trainees OU and Add to Trainees Group -----
dsadd user "cn=ScoobyDoo, ou=Trainees, ou=TopSecret, dc=nwtraders, dc=msft" -samID ScoobyDoo -fn Scooby -ln Doo -display ScoobyDoo -pwd P@ssw0rd -memberof "CN=Trainees,OU=Trainees,OU=TopSecret,DC=nwtraders,DC=msft" -d nwtraders.msft


REM ------Create User in Trainees OU and Add to Trainees Group -----
dsadd user "cn=SpongeBob, ou=Trainees, ou=TopSecret, dc=nwtraders, dc=msft" -samID SpongeBob -fn Sponge -ln Bob -display SpongeBob -pwd P@ssw0rd -memberof "CN=Trainees,OU=Trainees,OU=TopSecret,DC=nwtraders,DC=msft" -d nwtraders.msft



REM ------Create Research Global Group ----------------
dsadd group "cn=Research, ou=Research, ou=TopSecret, dc=nwtraders, dc=msft" -d nwtraders.msft -u administrator -p P@ssw0rd


REM ------Create User in Research OU and Add to Research Group -----
dsadd user "cn=Einstein, ou=Research, ou=TopSecret, dc=nwtraders, dc=msft" -samID Einstein -fn Smarty -ln Pants -display Einstein -pwd P@ssw0rd -memberof "CN=Research,OU=Research,OU=TopSecret,DC=nwtraders,DC=msft" -d nwtraders.msft


REM ------Create User in Research OU and Add to Research Group -----
dsadd user "cn=Tesla, ou=Research, ou=TopSecret, dc=nwtraders, dc=msft" -samID Tesla -fn Nicolas -ln Tesla -display Tesla -pwd P@ssw0rd -memberof "CN=Research,OU=Research,OU=TopSecret,DC=nwtraders,DC=msft" -d nwtraders.msft



REM ------Create EnemyAgents Global Group ----------------
dsadd group "cn=EnemyAgents, ou=EnemyAgents, ou=TopSecret, dc=nwtraders, dc=msft" -d nwtraders.msft -u administrator -p P@ssw0rd


REM ------Create User in EnemyAgents OU and Add to EnemyAgents Group -----
dsadd user "cn=DrEvil, ou=EnemyAgents, ou=TopSecret, dc=nwtraders, dc=msft" -samID DrEvil -fn Dr -ln Evil -display DrEvil -pwd P@ssw0rd -memberof "CN=EnemyAgents,OU=EnemyAgents,OU=TopSecret,DC=nwtraders,DC=msft" -d nwtraders.msft


REM ------Create User in EnemyAgents OU and Add to EnemyAgents Group -----
dsadd user "cn=MarthaStewart, ou=EnemyAgents, ou=TopSecret, dc=nwtraders, dc=msft" -samID MarthaStewart -fn Martha -ln Stewart -display MarthaStewart -pwd P@ssw0rd -memberof "CN=EnemyAgents,OU=EnemyAgents,OU=TopSecret,DC=nwtraders,DC=msft" -d nwtraders.msft


 

VBScripting:

'Script 1  Variables and Assignment

Option Explicit

Dim x
Dim UserName

x = 0

UserName = inputbox("What is your name?")
msgbox("Nice to meet you " & UserName & "!")


'Script 2   Looping

Option Explicit

Dim x
x = 0

For x = 1 To 10 Step 1

       msgbox("Hello " & x & " time(s).")

Next


'Script 3    Concatenation and Underscoring

Option Explicit

Dim x
Dim UserName
Dim HoldMe

x = 0

UserName = inputbox("What is your name?")
msgbox("Nice to meet you " & UserName & "!")

For x = 1 To 5 Step 1

      HoldMe = inputbox("Welcome to the universe, " & UserName & "!", _
                     "Welcome to the Universe " & UserName & "!", _
                     "No, I don't want to. You can't make me!", 1200*x, 1200*x)

Next


'Script 4      If/Else Decision Structure

Option Explicit

Dim x
Dim UserChoice

UserChoice = inputbox("Do you want to play a game?")


If ucase(UserChoice) = "YES" OR ucase(UserChoice) = "Y" Then

           msgbox("Yay! You want to play a game!")

Else

           msgbox("Party Pooper! You need to get a life!")

End If


'Script 5      Multiple "If" Decision Structures, Logical NOT, AND and OR

Option Explicit

Dim x
Dim UserChoice

UserChoice = inputbox("Do you want to play a game?")


If ucase(UserChoice) = "YES" OR ucase(UserChoice) = "Y" Then

       msgbox("Yay! You want to play a game!")

End If


If ucase(UserChoice) = "NO" OR ucase(UserChoice) = "N" Then

       msgbox("Party Pooper! You need to get a life!")

End If


If ucase(UserChoice) <> "NO" AND ucase(UserChoice) <> "N" AND ucase(UserChoice) <> "YES" AND ucase(UserChoice) <> "Y" Then

         msgbox("Invalid Input!")

End If


'Script 6     Select Case Decision Structures

Option Explicit

Dim x
Dim UserChoice

UserChoice = inputbox("Do you want to play a game?")


select case ucase(UserChoice)

case "YES"
                     msgbox("Yay! Let's have fun!")

case "Y"
                    msgbox("Yay! Let's have fun!")

case "NO"
                   msgbox("Party pooper!")

case "N"
                   msgbox("Party pooper!")

case else
                   msgbox("Invalid Input")

end select


'Script 7   Carriage Returns and Line Feeds

Option Explicit

Dim x
Dim UserName

UserName = inputbox("What is your name?")

msgbox("You are beautiful, " & UserName & "!")
msgbox("You are smart, " & UserName & "!")
msgbox("You are witty, " & UserName & "!")
msgbox("Everyone loves you, " & UserName & "!")
msgbox("Want the truth, " & UserName & "?")
msgbox("They are watching you, " & UserName & "...")
msgbox("They know where you live, " & UserName & ".")
msgbox("They know just what buttons to push, " & UserName & ".")
msgbox("You are inconsequential to them, " & UserName & ".")
msgbox("They are not your friends, " & UserName & ".")
msgbox("Run away from them, they will destroy you " & UserName & ".")
msgbox("Only they know who they are, " & UserName & ".")

msgbox("You are beautiful, " & UserName & "!" & Chr(10) & Chr(13) & _
"You are smart, " & UserName & "!" & Chr(10) & Chr(13) & _
"You are witty, " & UserName & "!" & Chr(10) & Chr(13) & _
"Everyone loves you, " & UserName & "!" & Chr(10) & Chr(13) & _
"Want the truth, " & UserName & "?" & Chr(10) & Chr(13) & _
"They are watching you, " & UserName & "..." & Chr(10) & Chr(13) & _
"They know where you live, " & UserName & "." & Chr(10) & Chr(13) & _
"They know just what buttons to push, " & UserName & "." & Chr(10) & Chr(13) & _
"You are inconsequential to them, " & UserName & "." & Chr(10) & Chr(13) & _
"They are not your friends, " & UserName & "." & Chr(10) & Chr(13) & _
"Run away from them, they will destroy you " & UserName & "." & Chr(10) & Chr(13) & _
"Only they know who they are, " & UserName & "." & Chr(10) & Chr(13) & Chr(10) & Chr(13) & _
"You don't see it coming, do you " & UserName & "? You just don't know...")


'Script 8   Creating an OU

Set objDom = GetObject("LDAP://dc=nwtraders, dc=msft")
Set objOU = objDom.Create("OrganizationalUnit","OU=SpaceBalls1")
objOU.setInfo


'Script 9   Creating and Enabling Users

' Note: You MUST set the password 1st before you can enable the account.

Set objOU = GetObject("LDAP://ou=Villians, ou=TopSecret, dc=nwtraders, dc=msft")
Set objUser = objOU.Create("User","cn=User1")
objUser.Put "SAMAccountName", "User1"

objUser.setInfo

objUser.ChangePassword "", "P@ssw0rd"
objUser.AccountDisabled = FALSE
objUser.setInfo

Set objOU2= GetObject("LDAP://ou=Villians, ou=TopSecret, dc=nwtraders, dc=msft")
Set objUser = objOU2.Create("User","cn=User2")
objUser.Put "SAMAccountName", "User2"

objUser.setInfo

objUser.ChangePassword "", "P@ssw0rd"
objUser.AccountDisabled = FALSE
objUser.setInfo