Windows DevCenter    
 Published on Windows DevCenter (
 See this if you're having trouble printing code examples

Active Directory Cookbook

Overview of the New Active Directory Tools in Windows Server 2003

by Robbie Allen, author of Active Directory Cookbook

Manageability was one of the key areas Microsoft wanted to improve with the release of Windows Server 2003, and it succeeded by delivering a new set of tools that address manageability shortcomings in several different ways. Although Windows 2000 provided a number of tools for querying and managing Active Directory, there were some major gaps; specifically, there were relatively few command line tools for manipulating and searching Active Directory. Many Windows administrators prefer to use graphical tools, but command line tools are still extremely useful, especially when it comes to automating common tasks.

Another sore point for Windows 2000 administrators was in the area of group policy management. Microsoft provided relatively few group policy tools, which led many organizations to purchase third-party tools just to manage them. And right at the top of the list of things that make Windows 2000 administrators cringe is the thought of trying to troubleshoot account lockout problems, which most organizations have had to deal with at one point or another.

Fortunately, Microsoft addressed all of these issues and more in Windows Server 2003. In this article, I'll review the new tools available for Windows Server 2003 and where you can get them.

Related Reading

Active Directory Cookbook
By Robbie Allen

AD Prep (adprep.exe)

Before you can start upgrading your Windows 2000 domain controllers to Windows Server 2003, you have to run the new adprep command. If you've installed Exchange 2000 before, then you are familiar with the ForestPrep and DomainPrep commands you have to run before you install the first Exchange server in the forest. Microsoft took the same approach for upgrading a forest to Windows Server 2003. The adprep.exe /forestprep command should be run against the Schema FSMO master because it extends the schema with several new attributes and classes. It also makes modifications to the Configuration container. The adprep.exe /domainprep command must be run against a domain controller in every domain, preferably the Infrastructure FSMO master, in the forest. It populates new objects in the domain and adjusts some ACLs.

The adprep.exe utility can be found in \i386 directory on a Windows Server 2003 CD.

Account Lockout Tools

From a security perspective, having the capability to lock out users after several consecutive invalid logons is a good thing. However, in practice, enabling account lockouts in Windows 2000 Active Directory often resulted in a flood of calls to your support center. It was very easy for users to lock themselves out, especially after changing their passwords. Now Microsoft provides several new tools that can help troubleshoot account lockout problems. And unlike a lot of the tools I describe in this article, you can run these tools on Windows 2000.

AcctInfo Property Page

This new property page, shown in Figure 1, is installed in the Active Directory Users and Computers snap-in. It displays password and lockout information for a user including the time the password was last set, when it expires, the last logon timestamp, and other logon properties.

Figure 1. The AcctInfo Property Page


This DLL can be used by a script or program to find the process or application that is trying to authenticate using bad credentials.


This command displays services that run under the credentials of a user and finds any mapped drives that are using user credentials.


This script enables Kerberos logging.


This tool can search for specific events in the event log across multiple servers at once. EventCombMT is also available in the Windows Server 2003 Resource Kit.


This tool, shown in Figure 2, allows you to query every domain controller in a domain to determine where a specific user is locked out and when the account was locked. You can then unlock the account on the servers where it is locked.

Figure 2. The Lockout Status Tool


The %systemroot%\debug\netlogon.log file contains a lot of information that can be useful for troubleshooting logon or account lockout problems. One of the problems with using netlogon.log is that it can quickly grow very large and become difficult to parse. The nlparse command is a simple tool that allows you to specify the types of messages you want to extract from the netlogon.log file so you can view only those messages.

The account lockout tools can be downloaded from here.

DS utilities

If you prefer using command line tools to graphical tools, then you probably weren't very satisfied with the tools available for Windows 2000. Fortunately, Microsoft has made big strides with Windows Server 2003. You can add, modify, remove, and query objects using the new DS command line utilities.

Here is the list of DS utilities that are available as part of the Windows Server 2003 in the %systemroot%\system32 directory:


With the dsadd command, you can create computer, contact, group, OU, user and quota objects. To view the attributes you can set when creating an object, run "dsadd <type> /?" from the command line where <type> is one of the object types dsadd supports (e.g., user).


With the dsget command, you can view the attributes of computer, contact, subnet, group, OU, site, server, user, quota, and partition objects. To view the attributes you can display for an object type, run "dsget <type> /?" from the command line where <type> is one of the object types dsget supports (e.g., ou).


With the dsmod command, you can modify computer, contact, group, OU, user, server, quota and partition objects. To view the attributes you can set when modifying an object, run "dsmod <type> /?" from the command line where <type> is one of the object types dsmod supports (e.g., computer).


The dsmove command allows you to move objects within a domain.


The dsrm command allows you to remove individual objects or containers and all child objects.


With the dsquery command, you can search Active Directory for specific object types (computer, contact, subnet, group, OU, site, server, user, quota, and partition objects). View the help information for each object type (e.g., run "dsquery user /?") to see the attributes you can search on. You can also perform generic LDAP queries using the "dsquery *" command.

Group Policy Tools

The group policy tools in Windows Server 2003 have come a long way since Windows 2000. Here are some of the new group policy tools you should make sure you are familiar with:

Group Policy Management Console (gpmc.msc)

The Group Policy Management Console (GPMC), shown in Figure 3, is the one-stop shop for your group policy management needs. With it, you can do everything from creating and copying GPOs and to importing and exporting them. It also provides a handy scripting interface that allows you to automate anything you can do through the graphical interface.

Figure 3. The Group Policy Management Console

You can download GPMC from here.

Resultant Set of Policies (rsop.msc)

If you've ever wondered what group policy settings are applied to a computer, but didn't know how to find out, you now have a simple solution with the Resultant Set of Policies (RSoP) snap-in. The RSoP snap-in allows you to view the user and computer settings that are applied to the computer the user running the tool is logged onto.

The RSoP snap-in is available with Windows Server 2003.

Default Group Policy Restore Command (dcgpofix.exe)

Have you ever modified the domain or domain controller group policy objects and wanted to revert back to the default settings? With Windows 2000, the only way to do this was by manually comparing the settings with an untouched version of those group policy objects. With Windows Server 2003, you can use the dcgpofix command to revert back to the original version.

This tool is available in the %systemroot%\system32 directory on Windows Server 2003.

Group Policy Refresh Command (gpupdate.exe)

The gpupdate command allows you refresh the group policy settings on a computer.

This tool is available in the %systemroot%\system32 directory on Windows Server 2003.

Redirect Default Users and Computers Containers

Some tools allow you to create a user or computer account without specifying a container to put them in. In this situation, the default users container (e.g., cn=users,dc=rallencorp,dc=com) or computers container (e.g., cn=computers,dc=rallencorp,dc=com) will be used. With Windows 2000, these default containers were hardcoded and could not be changed. With Windows Server 2003, you can now change them.

redirusr.exe and redircmp.exe

The redirusr command changes the default users container for a Windows Server 2003 domain. The redircmp command changes the default computers container. Both commands take a single parameter, which is the distinguished name of the new container or OU to set as the default.

These tools are available in the %systemroot%\system32 directory on Windows Server 2003.

Rename Domain (rendom.exe)

Under Windows 2000, once you've named a domain, there was no changing it. This caused problems for many companies that merged or needed to change the name of their domain for organizational or legal reasons. Using the Rename Domain command, you can rename a Windows Server 2003 domain. But this shouldn't be done without a lot of planning because during the rename operation, you need to reboot every computer that is a member of the domain, including all the domain controllers. Also, you cannot currently rename domains that have Exchange 2000 installed.

You can download the Rename Domain command from here.

Robbie Allen is the coauthor of Active Directory, 2nd Edition and the author of the Active Directory Cookbook.

Return to the O'Reilly Network.

Copyright © 2009 O'Reilly Media, Inc.