When we first began developing the content for the book, we struggled with how to capture the fact that you can do things multiple ways with Active Directory. You may be familiar with the famous computer science motto: TIMTOWTDI, or There Is More Than One Way To Do It. With Active Directory, there are often At Least Three Ways To Do It! You can perform a task with a graphical user interface (GUI), such as ADSI Edit, LDP, or the Active Directory Users and Computers snap-in; you can use a command-line interface (CLI), such as the ds utilities (i.e., dsadd, dsmod, dsrm, dsquery, dsget), nltest, netdom, or ldifde, or freeware tools such as adfind and admod from http://www.joeware.net; and, finally, you can perform the same task using a scripting language, such as VBScript, Perl, or PowerShell. Since people prefer different methods, and no single method is necessarily better than another, we decided to write solutions to the recipes using one of each. That means instead of just a single solution per recipe, we include up to three solutions using GUI, CLI, and programmatic examples; in some cases you’ll find more than one option for a given solution, as in the case where there is more than one command-line utility to perform a particular task. However, in cases where one of the methods cannot be used or would be too difficult to use to accomplish a given recipe, only the applicable methods are covered.

We also took this approach with the programmatic solutions; we use VBScript for the programming language, primarily because it is widely used among Windows administrators and is the most straightforward from a code perspective when using Active Directory Service Interface (ADSI) and Windows Script Host (WSH). For those familiar with other languages, such as Visual Basic, Perl, and JScript, it is very easy to convert code from VBScript.

The downside to using VBScript is that it does not have all of the facilities necessary to accomplish some complicated tasks. Therefore, we use Perl in a few recipes that require a complicated programmatic solution. For those of you who wish that all of the solutions were written with Perl instead of VBScript, you can go to http://www.rallenhome.com/books/adcookbook2/code.html to download the code.

A special note regarding PowerShell coverage in this text: PowerShell is a new command-line and scripting language introduced by Microsoft. PowerShell’s claim to fame is its use of a predictable Verb-Noun syntax that can be leveraged regardless of the technology that it is managing: Get-Object, Get-ChildItem, Get-Mailbox, etc. This predictable syntax is driven by the use of cmdlets (pronounced “command-lets”) that can be created by individuals and software vendors alike. The first Microsoft product to rely on PowerShell was Exchange 2007, which includes a rich set of cmdlets to perform Exchange management tasks. In fact, there are certain tasks in Exchange 2007 that can only be performed using PowerShell!

The challenge that Active Directory administrators face with PowerShell lies in the fact that, as of the release of Windows Server 2008, a set of PowerShell cmdlets has not been produced by Microsoft to support Active Directory administration tasks. AD administrators still have the ability to leverage PowerShell in other ways, most notably through the use of cmdlets that have been created by third-party vendors or members of the Directory Services community. Many of these third-party cmdlets are freely available for download from the Internet; as we reference these third-party cmdlets throughout the text, we will also reference their source. The downside is that, since these cmdlets are provided by third-party vendors or individual contributors, there are currently significant “gaps” in what can be done with these cmdlets.

If you are familiar with .NET programming, it is possible to use PowerShell to interface with Active Directory by using native .NET classes and methods, such as the DirectoryEntry and DirectorySearcher classes within System.DirectoryServices. We have chosen to focus on tasks in this book that can be accomplished relatively easily using these native .NET classes and methods; readers who are looking for more in-depth coverage of these topics should consult The .NET Developer’s Guide to Directory Services Programming referenced in the Recipe 1.6 section at the end of this chapter. PowerShell can also access the Active Directory Scripting Interface (ADSI) in a similar manner to VBScript; in these cases, PowerShell syntax will largely resemble the VBScript syntax to perform the same task. Additionally, you will find several references to third-party PowerShell cmdlets such as those released by Quest (http://www.quest.com) and SDM Software (http://www.sdmsoftware.com).

Another challenge with writing this book is that there are now multiple versions of Active Directory deployed on most corporate networks. The initial version released with Windows 2000 was followed by Windows Server 2003 and an incremental update to Windows Server 2003 R2, and recently Microsoft released Windows Server 2008, which provides a lot of updates and new features. We’ve decided to go with the approach of making everything work under the most recent version of Active Directory first, and earlier versions of Windows second. In fact, the majority of the solutions will work unchanged with Windows 2000, 2003, and R2. For the recipes or solutions that are specific to a particular version, we include a note mentioning the version it is targeted for. In particular, since the Windows 2000 operating system is nearing the end of its supported lifecycle, the majority of our focus will be on Windows Server 2003 and later. Most GUI and programmatic solutions will work unchanged with all three versions, but Microsoft introduced several new CLIs with Windows Server 2003 and R2, most of which cannot be run on the Windows 2000 operating system. Typically, you can still use these newer tools on a Windows XP or later computer to manage Windows 2000 Active Directory.

A best practice for managing Active Directory is to create separate administrator accounts that you grant elevated privileges, instead of letting administrators use their normal user account that they use to access other Network Operating System (NOS) resources. This is beneficial because an administrator who wants to use elevated privileges has to log on with his administrative account explicitly instead of having the rights implicitly, which could lead to accidental changes in Active Directory. Assuming you employ this method, then you must provide alternate credentials when using tools to administer Active Directory unless you log on to a machine, such as a domain controller, with the administrative credentials.

There are several options for specifying alternate credentials. Many GUI and CLI tools have an option to specify a user and password to authenticate with. If the tool you want to use does not have that option, you can use the runas command instead. The following command would run the enumprop command from the Resource Kit under the credentials of the administrator account in the adatum.com domain:

> runas /user:administrator@adatum.com
/netonly "enumprop "LDAP://dc1/dc=adatum,dc=com""

You can also open up a Windows command prompt using alternate credentials, which will allow you to run commands using these elevated credentials until you close the command prompt window. To open a command prompt using the runas command, simply type runas /user:administrator@adatum.com cmd.

To run a Microsoft Management Console (MMC) console with alternate credentials, simply use mmc as the command to run from runas:

> runas /user:administrator@adatum.com /netonly "mmc"

This will create an empty MMC console from which you can add consoles for any snap-ins that have been installed on the local computer.

There is another option for running MMC snap-ins with alternate credentials. Click on the Start menu and browse to the tool you want to open, hold down the Shift key, and then right-click on the tool. If you select Run As, you will be prompted to enter credentials to run the tool under.

Another issue to be aware of when following the instructions in the recipes is whether you need to target a specific domain controller. In the solutions in this book, we typically do not target a specific domain controller. When you don’t specify a domain controller, you are using a serverless bind and there is no guarantee as to precisely which server you will be hitting. Depending on your environment and the task you need to do, you may want to target a specific domain controller so that you know where the query or change will be taking place. Also, serverless binding can work only if the DNS for the Active Directory forest is configured properly and your client can query it. If you have a standalone Active Directory environment that has no ties to your corporate DNS, you may need to target a specific domain controller for the tools to work.

We mentioned earlier that in the GUI and CLI examples we do not provide instructions for targeting a specific domain controller to perform a task. Instead, we rely on serverless binds in most cases. The same applies to the scripted solutions. A serverless bind for the RootDSE looks like the following in VBScript:

set objRootDSE = GetObject("LDAP://RootDSE")

That code will query the RootDSE for a domain controller in the domain of the currently logged-on user. You can target a specific domain instead by simply specifying the domain name in the ADsPath:

set objRootDSE = GetObject("LDAP://apac.adatum.com/RootDSE")

And similarly, you can target a specific domain controller by including the server name in the ADsPath:

set objRootDSE = GetObject("LDAP://dc1/RootDSE")

So depending on how your environment is set up and what forest you want to query, you may or may not need to specify a domain or server name in the code.

Just as you might need to run the GUI and CLI tools with alternate credentials, you may also need to run your scripts and programs with alternate credentials. One way is to use the runas method described earlier when invoking the script. A better option would be to use the Scheduled Tasks service to run the script under credentials you specify when creating the task. And yet another option is to hardcode the credentials in the script. Obviously, this is not very appealing in some scenarios because credentials can change over time, and as a security best practice you do not want the username and password contained in a script to be easily viewable by others. Nevertheless, it is a necessary evil, especially when developing against multiple forests, and we’ll describe how it can be done with ADSI and ADO. As an alternative, you can configure a script to prompt you for the username and password during the actual running of the script.

With ADSI, you can use the IADsOpenDSObject::OpenDSObject method to specify alternate credentials. You can quickly turn any ADSI-based example in this book into one that authenticates as a particular user.

For example, a solution to print out the description of a domain might look like:

set objDomain = GetObject("LDAP://dc=apac,dc=adatum,dc=com")
WScript.Echo "Description: " & objDomain.Get("description")

Using OpenDSObject, it takes only one additional statement to make the same code authenticate as the administrator in the domain:

set objLDAP = GetObject("LDAP:")
set objDomain = objLDAP.OpenDSObject( _
    "LDAP://dc=apac,dc=adatum,dc=com", _
    "administrator@apac.adatum.com", _
    "MyPassword", _
    0)
WScript.Echo "Description: " & objDomain.Get("description")

It is just as easy to authenticate in ADO code as well. Take the following example, which queries all computer objects in the apac.adatum.com domain:

strBase = "<LDAP://dc=apac,dc=adatum,dc=com>;"
strFilter = "(&(objectclass=computer)(objectcategory=computer));"
strAttrs = "cn;"
strScope = "subtree"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
objRS.MoveFirst
while Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
wend

Now, by adding two lines (in bold), we can authenticate with the administrator account:

strBaseDN = "<LDAP://dc=apac,dc=adatum,dc=com>;"
strFilter = "(&(objectclass=computer)(objectcategory=computer));"
strAttrs  = "cn;"
strScope  = "subtree"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Properties("User ID") = "administrator@apac.adatum.com"
objConn.Properties("Password") = "MyPassword"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBaseDN & strFilter & strAttrs & strScope)
objRS.MoveFirst
while Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
wend

To authenticate with ADO, you need to set the User ID and Password properties of the ADO connection object. We used the UPN of the administrator for the user ID. With ADSI and ADO, you can use a UPN, NT 4.0 style account name (e.g., APAC\Administrator), or distinguished name for the user ID.

An important part of any script is error checking. Error checking allows your programs to gracefully identify any issues that arise during execution and take the appropriate action. Another best practice is to define variables before you use them and clean them up after you are done with them. In this book, most of the programmatic solutions do not include any error checking, predefined variables, or variable cleanup. Admittedly, this is not setting a good example, but if we included extensive error checking and variable management, it would have made this book considerably longer with little added value to the reader. The goal is to provide you with a code snippet that shows you how to accomplish a task, not provide robust scripts that include all the trimmings.

Error checking with VBScript is pretty straightforward. At the beginning of the script include the following declaration:

On Error Resume Next

This tells the script interpreter to continue even if errors occur. Without that declaration, anytime an error is encountered the script will abort. When you use On Error Resume Next, you need to use the Err object to check for errors after any step where a fatal error could occur. The following example shows how to use the Err object:

On Error Resume Next
set objDomain = GetObject("LDAP://dc=adatum,dc=com")

If Err.Number <> 0 then
   Wscript.Echo "An error occured getting the domain object: " & Err.
Description
   Wscript.Quit
end if

Two important properties of the Err object are Number, which if nonzero signifies an error, and Description, which will contain the error message.

As far as variable management goes, it is always a good practice to include the following at the beginning of every script:

Option Explicit

When this is used, every variable in the script must be declared or an exception will be generated when you attempt to run the script. Variables are declared in VBScript using the Dim keyword. After you are done with a variable, it is a good practice to set it to Nothing so you release any resources bound to the variable, and don’t accidentally re-use the variable with its previous value. The following code shows a complete example for printing the display name for a domain with error checking and variable management included:

Option Explicit
On Error Resume Next

Dim objDomain
set objDomain = GetObject("LDAP://cn=users,dc=adatum,dc=com")

if Err.Number <> 0 then
   Wscript.Echo "An error occurred getting the domain object: " & Err.Description
   Wscript.Quit
end if

Dim strDescr
strDescr = objDomain.Get("description")
if Err.Number <> 0 then
   Wscript.Echo "An error occurred getting the description: " & Err.Description
   Wscript.Quit
end if

WScript.Echo "Description: " & strDescr

objDomain = Nothing
strDescr = Nothing

If you have any questions about the complete syntax or usage information for any of the command-line tools we use, you should first take a look at the help information for the tools. The vast majority of CLI tools provide syntax information by simply passing /? as a parameter. For example:

> dsquery /?

The Microsoft Support website is a great source of information and is home of the Microsoft Knowledge Base (MS KB) articles. Throughout the book, we include references to pertinent MS KB articles where you can find more information on the topic. You can find the complete text for a KB article by searching on the KB number at the following website: http://support.microsoft.com/default.aspx. You can also append the KB article number to the end of this URL to go directly to the article: http://support.microsoft.com/kb/<ArticleNumber>.

MSDN contains a ton of information on Active Directory and the programmatic interfaces to Active Directory, such as ADSI and LDAP. We sometimes reference MSDN pages in recipes. Unfortunately, there is no easy way to reference the exact page we’re talking about unless we provided the URL or navigation to the page, which would more than likely change by the time the book was printed. Instead we provide the title of the page, which you can use to search on via the following site: http://msdn.microsoft.com/library.

If you have a question about a particular topic, a good starting point is to search the newsgroups using Google’s Groups search engine (http://groups.google.com). Just like its web search engine, the group search engine is very fast and is an invaluable resource when trying to locate information.

In addition to the Resource Kit books, the following books are good sources of information: