Active Directory Windows Support Tools


  • 8/8/2019 Active Directory Windows Support Tools


    The Active Directory Windows Support Tools

    Many Active Directory specific support tools are found in the Windows Support Tools toolkit. You can use these tools to configure, manage and troubleshoot Active Directory. The Windows Support Tools can be found on the Windows Server 2003 CD in the Tools folder. Before you can use these tools, you have to install them from the Windows Server 2003 CD. The Active Directory specific support tools are summarized in the next section:

    • Acldiag.exe: Used to determine whether a user has been granted access or denied access to an object in Active Directory.
    • Adsiedit.msc: Used to add, move and delete objects; and to change or delete object attributes.
    • Dcdiag.exe: Used to determine the state of domain controllers in the forest/enterprise.
    • Dfsutil.exe: Used to manage the Distributed File System (DFS) and to view DFS information.
    • Dsacls.exe: Used to manage ACLs for Active Directory objects.
    • Dsastat.exe: For comparing the naming contexts on the domain controllers.
    • Ldifde: Used to create, delete and change objects on computers running Windows XP Professional and Windows Server 2003.
    • Ldp.exe: Used to carry out Lightweight Directory Access Protocol (LDAP) functions on Active Directory.
    • Movetree.exe: Used to move objects from one domain to another domain.
    • Netdom.exe: Can be used to manage domains and trust relationships.
    • Nltest.exe: Can be used to view information on primary domain controllers, trusts and replication.
    • Repadmin.exe: Used to monitor, diagnose, and manage replication issues.
    • Replmon.exe: Used to monitor and manage replication through a graphical user interface (GUI).
    • Sdcheck.exe: Displays the security descriptor for Active Directory objects, and can be used to check ACL propagation, replication and whether the ACLs are being inherited correctly.
    • Setspn.exe: Used to view, change or delete the Service Principal Names (SPN) directory property for a service account in Active Directory.
    • Sidwalker.exe: Used to configure ACLs on objects that belonged to either moved or deleted accounts.

    Active Directory Command-Line Tools

    You can also use a number of command-line tools to manage Active Directory. Windows Server 2003 introduced a set of DS command-line tools that can be used to administer Active Directory. The command-line tools available for Active Directory management functions are summarized below:

    • Cacls: Used to view and change user and group permissions to resources. Through Cacls, you can change the discretionary access control lists (DACLs) on files.

      The syntax for Cacls is: Cacls filename. The switches for the command are:

        o /t, modifies the DACLs on files in the directory and subdirectories.
        o /e, edits the DACL.
        o /r username, revokes the rights of the user.
        o /c, errors that occur when changing the DACL are ignored.
        o /g username:permission, grants rights (f - Full Control, r - Read, w - Write, c - Change, n - None) to a user.
        o /p username:permission, replaces a user's rights.
        o /d username, denies access for the particular user.

    • Cmdkey: Used to view, create, edit and delete usernames, passwords and credentials. A few switches for the command are listed below:


        o /add:targetname, adds a username/password to the list. Indicates the domain/computer for the entry.
        o /user:username, username that the entry is related to.
        o /generic, adds generic credentials.
        o /smartcard, credentials are obtained from a smart card.
        o /pass:password, password to be stored for the entry.

    • Csvde: This tool is used to import and export data from Active Directory.
    • Dcgpofix: Used to return GPOs to their original state, that is, the state that they were in when first installed.

    • Dsget: Used to view properties of a specified object in Active Directory. The commands that can be utilized are:

        o dsget user, to view a user's properties
        o dsget group, to view a group's properties
        o dsget computer, to view a computer's properties
        o dsget site, to view a site's properties
        o dsget subnet, to view a subnet's properties
        o dsget ou, to view an organizational unit's properties
        o dsget contact, to view a contact's properties
        o dsget server, to view a domain controller's properties
        o dsget partition, to view a directory partition's properties
        o dsget quota, to view a quota's properties

    • Dsadd: Used to create objects in Active Directory including users, groups, computers, OUs, contacts and quota specifications. The commands that can be utilized are:

        o dsadd user, used to add a user
        o dsadd group, used to add a group
        o dsadd computer, used to add a computer
        o dsadd ou, used to add an OU
        o dsadd contact, used to add a contact
        o dsadd quota, used to add a quota specification

    • Dsmod: Used to modify the attributes of an existing object in Active Directory. The commands that can be utilized are:

        o dsmod user, used to modify a user's attributes
        o dsmod group, used to modify a group's attributes
        o dsmod computer, used to modify a computer's properties
        o dsmod ou, used to modify an organizational unit's attributes
        o dsmod contact, used to modify a contact
        o dsmod server, used to modify a domain controller's properties
        o dsmod partition, used to modify a directory partition
        o dsmod quota, used to modify a quota's properties

    • Dsmove: Used to move an Active Directory object to a new container within the domain.
    • Dsrm: Used to remove an Active Directory object or container.
    • Dsquery: Used to locate or find object(s) that match the defined search criteria.
    • Ldifde: Used to create, delete and modify objects from the Active Directory directory, to import or export user/group information, and to extend the Active Directory schema.
    • Ntdsutil: Used to manage domains, information in the Active Directory directory and log files. You can also use Ntdsutil when needing to do an authoritative restore of Active Directory. The tool is also used to manage SIDs and the master operation roles.
    • Whoami: Used to view information on the user that is currently logged on.