
Active Directory Windows Support Tools

The document discusses the various command-line and graphical tools available in Windows Server 2003 for managing Active Directory. It describes tools like Acldiag, Adsiedit, Dcdiag and others that can be used from the Windows Support Tools. It also summarizes numerous command-line tools including Cacls, Cmdkey, Dsget, Dsadd, Dsmod and others that allow administering functions like users, groups, computers, OUs and more in Active Directory.

The Active Directory Windows Support Tools

Many Active Directory-specific support tools are found in the Windows Support Tools toolkit. You can use
these tools to configure, manage and troubleshoot Active Directory. The Windows Support Tools can be
found on the Windows Server 2003 CD in the Tools folder. Before you can use these tools, you have to install
them from the Windows Server 2003 CD. The Active Directory-specific support tools are summarized
below:

• Acldiag.exe: Used to determine whether a user has been granted access or denied access to an object in Active Directory.
• Adsiedit.msc: Used to add, move and delete objects; and to change or delete object attributes.
• Dcdiag.exe: Used to determine the state of domain controllers in the forest/enterprise.
• Dfsutil.exe: Used to manage the Distributed File System (DFS) and to view DFS information.
• Dsacls.exe: Used to manage ACLs for Active Directory objects.
• Dsastat.exe: For comparing the naming contexts on the domain controllers.
• Ldifde: Used to create, delete and change objects on computers running Windows XP Professional and Windows Server 2003.
• Ldp.exe: Used to carry out Lightweight Directory Access Protocol (LDAP) functions on Active Directory.
• Movetree.exe: Used to move objects from one domain to another domain.
• Netdom.exe: Can be used to manage domains and trust relationships.
• Nltest.exe: Can be used to view information on primary domain controllers, trusts and replication.
• Repadmin.exe: Used to monitor, diagnose, and manage replication issues.
• Replmon.exe: Used to monitor and manage replication through a graphical user interface (GUI).
• Sdcheck.exe: Displays the security descriptor for Active Directory objects, and can be used to check ACL propagation, replication and whether the ACLs are being inherited correctly.
• Setspn.exe: Used to view, change or delete the Service Principal Names (SPN) directory property for a service account in Active Directory.
• Sidwalker.exe: Used to configure ACLs on objects that belonged to either moved or deleted accounts.

Active Directory Command-Line Tools


You can also use a number of command-line tools to manage Active Directory. Windows Server 2003
introduced a set of DS command-line tools that can be used to administer Active Directory. The
command-line tools available for Active Directory management functions are summarized below:

• Cacls: Used to view and change user and group permissions to resources. Through Cacls, you can change the discretionary access control lists (DACLs) on files.

  The syntax for Cacls is: Cacls filename. The switches for the command are:

  o /t, modifies the DACLs on files in the directory and its subdirectories.
  o /e, edits the DACL.
  o /r username, revokes the rights of the user.
  o /c, ignores errors that occur when changing the DACL.
  o /g username:permission, grants rights (f - Full Control, r - Read, w - Write, c - Change, n - None) to a user.
  o /p username:permission, replaces a user's rights.
  o /d username, denies access for the particular user.
• Cmdkey: Used to view, create, edit and delete usernames, passwords and credentials. A few switches for the command are listed below:
  o /add:targetname, adds a username/password to the list. Indicates the domain/computer for the entry.
  o /user:username, username that the entry is related to.
  o /generic, adds generic credentials.
  o /smartcard, credentials are obtained from a smart card.
  o /pass:password, password to be stored for the entry.

• Csvde: Used to import and export data from Active Directory.
• Dcgpofix: Used to return GPOs to their original state, that is, the state that they were in when first installed.
• Dsget: Used to view properties of a specified object in Active Directory. The commands that can be utilized are:
  o dsget user, to view a user's properties
  o dsget group, to view a group's properties
  o dsget computer, to view a computer's properties
  o dsget site, to view a site's properties
  o dsget subnet, to view a subnet's properties
  o dsget ou, to view an organizational unit's properties
  o dsget contact, to view a contact's properties
  o dsget server, to view a domain controller's properties
  o dsget partition, to view a directory partition's properties
  o dsget quota, to view a quota's properties
• Dsadd: Used to create objects in Active Directory including users, groups, computers, OUs, contacts and quota specifications. The commands that can be utilized are:
  o dsadd user, used to add a user
  o dsadd group, used to add a group
  o dsadd computer, used to add a computer
  o dsadd ou, used to add an OU
  o dsadd contact, used to add a contact
  o dsadd quota, used to add a quota specification
• Dsmod: Used to modify the attributes of an existing object in Active Directory. The commands that can be utilized are:
  o dsmod user, used to modify a user's attributes
  o dsmod group, used to modify a group's attributes
  o dsmod computer, used to modify a computer's properties
  o dsmod ou, used to modify an organizational unit's attributes
  o dsmod contact, used to modify a contact
  o dsmod server, used to modify a domain controller's properties
  o dsmod partition, used to modify a directory partition
  o dsmod quota, used to modify a quota's properties
• Dsmove: Used to move an Active Directory object to a new container within the domain.
• Dsrm: Used to remove an Active Directory object or container.
• Dsquery: Used to locate or find object(s) that match the defined search criteria.
• Ldifde: Used to create, delete and modify objects from the Active Directory directory, to import or export user/group information, and to extend the Active Directory schema.
• Ntdsutil: Used to manage domains, information in the Active Directory directory and log files. You can also use Ntdsutil when needing to do an authoritative restore of Active Directory. The tool is also used to manage SIDs and the master operation roles.
• Whoami: Used to view information on the user that is currently logged on.
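
The Cacls switches listed above, combined into one reviewed permission change. This is an added example, not part of the original document; the file path and the CONTOSO account names are constructed placeholders.

```batch
@echo off
rem Added example. C:\Data\report.txt, CONTOSO\jsmith and CONTOSO\temp1
rem are constructed placeholders; substitute real values before running.
setlocal
set "TARGET=C:\Data\report.txt"

rem 1. Record the current DACL before changing anything.
cacls "%TARGET%" > "%TEMP%\dacl_before.txt"

rem 2. Add a Read entry for one user. /e edits the existing DACL; without /e,
rem    /g replaces the whole DACL and every other entry on the file is lost.
cacls "%TARGET%" /e /g CONTOSO\jsmith:r

rem 3. Replace that user's rights with Change (/p), still editing in place.
cacls "%TARGET%" /e /p CONTOSO\jsmith:c

rem 4. Revoke another account's granted rights. /r is only valid with /e.
cacls "%TARGET%" /e /r CONTOSO\temp1

rem 5. Record the resulting DACL and show what changed.
cacls "%TARGET%" > "%TEMP%\dacl_after.txt"
fc "%TEMP%\dacl_before.txt" "%TEMP%\dacl_after.txt"
endlocal
```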
