Object Management Flashcards
Object Management Facts
Use the Active Directory Users and Computers MMC snap-in when you have a small number of objects to create, organize, modify, or delete in Active Directory. Active Directory Users and Computers can be started from:
Server Manager
Administrative Tools (from the Control Panel or Start menu)
Running dsa.msc
Active Directory Service Interfaces Editor (ADSI Edit) is a low-level GUI editor that runs within the Microsoft Management Console (MMC). It can add, delete, and move objects, and it can query, view, and edit attributes that are not exposed through other MMC snap-ins (such as Active Directory Users and Computers). Because it writes raw attribute values without the validation those snap-ins perform, a mistake made in ADSI Edit can leave an object or the directory in a broken state.
Use the following command prompt tools to manage Active Directory objects, either from a command prompt or within a script.
Dsadd creates a new object in Active Directory.
Dsquery finds objects that match the search criteria and returns a list of their distinguished names. With the -gc switch it searches the global catalog, which covers the whole forest. Use Dsquery * to search all object types.
Dsget retrieves property information about an object. Use dsget user -memberof -expand to show nested group membership for a user.
Dsmod modifies or changes the properties of an object.
Dsmove moves objects from one location to another and renames an object.
Dsrm removes (deletes) objects. Use the -subtree option to delete a container object and all objects below that object.
Movetree moves an OU and its objects (it does not move computer objects).
Netdom adds computer objects, joins a computer to a domain, and moves computer objects.
Be aware of the following facts about using the Ds commands to work with Active Directory objects:
When using the command prompt, follow the command with the type of object you want to edit (e.g. user, computer, or group). For example, to create a new user account, use the Dsadd user command, followed by the various parameters required to configure the object.
For all commands except for Dsquery, you must identify the object or objects you want to modify. For example, Dsget returns properties of a specific object, while Dsquery returns a list of objects that match the query parameters.
When moving objects, you should typically use Active Directory Users and Computers instead of Dsmove. Active Directory Users and Computers performs additional actions that Dsmove does not.
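The following script is an added example, not taken from the original page, that exercises the Ds commands from a PowerShell prompt (they are ordinary executables, so the same lines work at cmd.exe). The domain corp.example, the OUs, and the user Jane Doe are hypothetical. Note the pattern throughout: Dsquery emits distinguished names, and the other Ds tools read those names from the pipeline, which is how one query can drive a bulk Dsget or Dsmod.

```powershell
# Added example (not from the original page). All names below are hypothetical.
$ou     = 'OU=Staff,DC=corp,DC=example'
$userDn = "CN=Jane Doe,$ou"

# Dsadd: object type first, then the DN, then the attributes.
# -pwd * prompts for the password instead of placing it on the command line,
# where it would be visible in the process list and shell history.
# -mustchpwd yes forces a change at first logon; -disabled no enables the account.
dsadd user $userDn -samid jdoe -upn jdoe@corp.example -fn Jane -ln Doe `
      -display "Jane Doe" -pwd * -mustchpwd yes -disabled no

# Dsquery | Dsget: the query returns DNs, which dsget consumes on the pipeline.
dsquery user $ou -name "J*" | dsget user -samid -display -disabled

# Nested group membership: -memberof lists direct groups, -expand walks the nesting.
dsget user $userDn -memberof -expand

# Dsmod driven by Dsquery: disable every user in the OU with no logon
# in the last 13 weeks (-inactive takes a number of weeks).
dsquery user $ou -inactive 13 | dsmod user -disabled yes

# Dsmove renames and relocates an object in one call.
dsmove $userDn -newname "Jane Smith" -newparent "OU=Former Staff,DC=corp,DC=example"

# Dsrm: -subtree deletes the container and everything beneath it,
# -noprompt suppresses the confirmation, so double-check the DN first.
dsrm "OU=Temp,DC=corp,DC=example" -subtree -noprompt
```

Each command returns a non-zero exit code on failure, so in a script check $LASTEXITCODE after every call rather than assuming the object was created or moved.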
Bulk Object Management Facts
The Csvde command imports and exports Active Directory objects using a comma-separated list file.
Csvde can read existing information from Active Directory (export) or create new objects in Active Directory (import). You cannot use Csvde to modify existing objects in Active Directory.
Common uses for Csvde include:
Using Csvde to export objects from one Active Directory system (or an Exchange 5.5 database) and import them into a different Active Directory database.
Using a database program to create a CSV file, modifying the file, and importing the objects into Active Directory.
Csvde switches include:
-i to import objects
-e to export objects
-f to identify the filename
Note: When you export user accounts with Csvde, passwords are not exported. You cannot import passwords for user accounts using Csvde.
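As an added example that is not part of the original page, the script below performs a filtered Csvde export from one OU and then imports a constructed CSV file to create a new user. The OU, server, file paths, and the user Ann Lee are hypothetical. Beyond the three switches listed above, it uses -d (search root), -r (LDAP filter), -l (attribute list), -k (continue past "object already exists" errors), and -j (log directory), all of which Csvde supports.

```powershell
# Added example (not from the original page). Names and paths are hypothetical.
$src = 'OU=Staff,DC=corp,DC=example'

# Export: without -i Csvde exports. -d sets the search root, -r an LDAP filter,
# -l restricts the attribute list (otherwise every readable attribute is dumped).
csvde -f C:\Temp\staff-export.csv -d $src -r "(objectClass=user)" `
      -l "objectClass,sAMAccountName,userPrincipalName,givenName,sn,displayName"

# Constructed import file. The first line is the header: DN followed by the
# attributes to set. A DN containing commas must be quoted.
$csv = @"
DN,objectClass,sAMAccountName,userPrincipalName,givenName,sn,displayName
"CN=Ann Lee,OU=Staff,DC=corp,DC=example",user,alee,alee@corp.example,Ann,Lee,Ann Lee
"@
Set-Content -Path C:\Temp\new-users.csv -Value $csv -Encoding ASCII

# Import: -i switches to import mode, -k keeps going after per-row errors,
# -j writes csv.log / csv.err to the given directory for review.
csvde -i -f C:\Temp\new-users.csv -k -j C:\Temp
```

Accounts created this way have no password and are disabled; they must be enabled and given a password afterwards (with Ldifde, Dsmod, or a cmdlet), which is the gap the Ldifde process later on this page is designed to fill.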
The Ldifde command imports, exports, modifies, and deletes objects in Active Directory using LDAP Data Interchange Format (LDIF) files.
Ldifde files include a changeType parameter that identifies the action to take using the data in the file:
Add
Modify
Delete
Common uses for Ldifde include:
Using Ldifde to export a set of Active Directory objects, modifying various attributes, and then re-importing the file to change the attributes.
Exporting or importing data that exists on non-Active Directory LDAP directories.
Ldifde switches include:
-i to import objects
-e to export objects
-f to identify the filename
Note: When you export user accounts with Ldifde, passwords are not exported. You can change passwords for existing user accounts using a .ldif file, but you cannot create new user accounts with a password. To export user accounts and import them with a password, use the following process:
Export the user accounts. The unicodePwd attribute is not included in the export.
Import the user accounts to create the accounts. The new accounts are disabled, and the user will be forced to change the password at next logon.
Modify the .ldif file so that the changetype is modify instead of add. Add a unicodePwd value for each user account and add entries to enable the account.
Run Ldifde using the file with the passwords to modify the existing user accounts.
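The script below is an added example, not from the original page, that builds the "modify" LDIF for the last two steps of that process and runs Ldifde against it. It encodes the password the way Active Directory requires for unicodePwd (the password wrapped in double quotes, converted to UTF-16LE, then base64, written with the LDIF "::" base64 syntax) and sets userAccountControl to 512 (NORMAL_ACCOUNT with the disable bit cleared). The DNs, passwords, server name, and paths are hypothetical. A domain controller only accepts a unicodePwd write over an encrypted connection, so the import connects on port 636 (-t 636), which assumes the DC has an LDAPS certificate.

```powershell
# Added example (not from the original page). DNs, passwords, host and paths are hypothetical.
function ConvertTo-UnicodePwd {
    param([string]$Password)
    # AD expects the password enclosed in double quotes, as UTF-16LE bytes, base64-encoded.
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('"' + $Password + '"'))
}

# Constructed input: the accounts created by the earlier "add" import.
$accounts = @{
    'CN=Ann Lee,OU=Staff,DC=corp,DC=example' = 'Init-Lee-7Kq!x'
    'CN=Bob Ray,OU=Staff,DC=corp,DC=example' = 'Init-Ray-2Mz!v'
}

# One LDIF record per account: replace unicodePwd, then replace userAccountControl.
# The "-" lines separate the changes; the blank line ends the record.
$ldif = foreach ($dn in $accounts.Keys) {
@"
dn: $dn
changetype: modify
replace: unicodePwd
unicodePwd:: $(ConvertTo-UnicodePwd $accounts[$dn])
-
replace: userAccountControl
userAccountControl: 512
-

"@
}
Set-Content -Path C:\Temp\set-pwd.ldif -Value $ldif -Encoding ASCII

# -i import, -s target DC, -t 636 forces SSL (required for unicodePwd writes),
# -k continues past per-record errors, -j writes ldif.log / ldif.err for review.
ldifde -i -f C:\Temp\set-pwd.ldif -s dc1.corp.example -t 636 -k -j C:\Temp

# The LDIF file holds every password in a trivially reversible encoding; remove it.
Remove-Item C:\Temp\set-pwd.ldif
```

Because the "must change password at next logon" state from the original import is left in place, each user still has to pick their own password on first use; the initial values in the file are only a bootstrap.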
Windows PowerShell is a command line environment designed for automating administration and maintenance for Windows Server 2008. PowerShell uses specialized commands, known as cmdlets, to create and manage Active Directory objects. Cmdlets can execute single commands or large scripts which, for example, can import a CSV file and use the information to create new Active Directory users.
Be aware of the following:
Stringing together the actions of two or more cmdlets is known as pipelining (also called piping). Output from the first cmdlet is fed into the second cmdlet (and so on).
Using cmdlets scripts to create and manage accounts in Active Directory requires a thorough knowledge of programming.
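The script below is an added example, not from the original page, of the CSV-to-user pipeline described above: Import-Csv produces one object per row, ForEach-Object turns each into a New-ADUser call, and Select-Object reports the result. It assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and the RSAT tools); the CSV content, the OU, and the domain corp.example are constructed for the example.

```powershell
# Added example (not from the original page). Module must be present; names are hypothetical.
Import-Module ActiveDirectory

# Constructed input file. Passwords are deliberately NOT in the CSV: a spreadsheet
# that circulates by e-mail is the wrong place for initial credentials.
@"
SamAccountName,GivenName,Surname,Department
alee,Ann,Lee,Finance
bray,Bob,Ray,Engineering
"@ | Set-Content -Path C:\Temp\users.csv -Encoding ASCII

$ou = 'OU=Staff,DC=corp,DC=example'

# Three-stage pipeline: rows -> New-ADUser per row -> summary of what was created.
Import-Csv -Path C:\Temp\users.csv |
    ForEach-Object {
        New-ADUser -Name "$($_.GivenName) $($_.Surname)" `
                   -SamAccountName $_.SamAccountName `
                   -UserPrincipalName "$($_.SamAccountName)@corp.example" `
                   -GivenName $_.GivenName -Surname $_.Surname `
                   -Department $_.Department -Path $ou `
                   -AccountPassword (Read-Host -AsSecureString "Initial password for $($_.SamAccountName)") `
                   -ChangePasswordAtLogon $true -Enabled $true -PassThru
    } |
    Select-Object SamAccountName, Enabled, DistinguishedName
```

-PassThru is what makes the third stage possible: without it New-ADUser returns nothing and the pipeline ends after creation. Read-Host -AsSecureString keeps the password out of the script, the CSV, and the command history, which is the same concern that Dsadd addresses with -pwd *.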
The Ldp utility allows you to search for and view the properties of multiple Active Directory objects. It is a GUI-based, Windows Explorer-like utility with a scope pane on the left that is used for navigating through the Active Directory namespace, and a details pane on the right that is used for displaying results.
The Active Directory Migration Tool (ADMT) is a GUI-based utility that helps you restructure your Active Directory organization or migrate objects from one domain to another.
You can move objects to different domains within the same forest (intraforest), or to domains in other forests (interforest).
Use the SID history feature to enable migrated accounts to be able to continue to access resources in the original domain. For intraforest moves, SID history is enabled automatically.
Use a SID mapping file to map security objects in one domain with security objects in another domain. For example, you can translate group membership in one domain and have users added to similar groups in the target domain.
Use the password migration DLL to migrate passwords between forests. Passwords remain protected throughout the migration process. Passwords are automatically migrated for intraforest move operations.
For interforest migration, the target forest must trust the source forest. Trusts already exist within a forest.