Archive for January 10, 2010

Problem

You want to copy one user’s group membership to another user.

Solution

Using a graphical user interface
  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Beside Name, type the name of the user you want to transfer groups from and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Click the Member Of tab.
  7. For each group you want to add another user in, do the following:
    1. Double-click on the group.
    2. Click the Members tab.
    3. Click the Add button.
    4. Find the user you want to add in the object picker and click OK.
    5. Click OK.
Using a command-line interface

The following command line will add <NewUserDN> to all of the groups that <CurrentUserDN> is a member of:

        > for /F "usebackq delims=""" %i in (`dsget user "<CurrentUserDN>" -memberof`) do dsmod group %i -addmbr "<NewUserDN>"

If you want to get fancy and remove <CurrentUserDN> from each of the groups in the same operation, simply add an -rmmbr option on the end:

        > for /F "usebackq delims=""" %i in (`dsget user "<CurrentUserDN>" -memberof`) do dsmod group %i -addmbr "<NewUserDN>" -rmmbr "<CurrentUserDN>"
Using VBScript
        ' This code adds the "new" user to the groups the "current"
        ' user is a member of
        ' ------ SCRIPT CONFIGURATION -----
        strCurrentUserDN = "<CurrentUserDN>"
        ' e.g. cn=jsmith,ou=Sales,dc=rallencorp,dc=com
        strNewUserDN = "<NewUserDN>"

        ' ------ END CONFIGURATION ------

        Const ADS_PROPERTY_APPEND = 3
        set objCurrentUser = GetObject("LDAP://" & strCurrentUserDN )
        set objNewUser = GetObject("LDAP://" & strNewUserDN )

        on error resume next
        WScript.Echo "Transferring groups from " & strCurrentUserDN & " to " & strNewUserDN
        for each strGroupDN in objCurrentUser.GetEx("memberOf")
           set objGroup = GetObject("LDAP://" & strGroupDN)
           objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array( strNewUserDN )
           objGroup.SetInfo
           if Err then
              WScript.Echo "Error adding user to group: " & strGroupDN
              Err.Clear   ' reset, otherwise one failure is reported for every later group
           else
              WScript.Echo "Added user to group: " & strGroupDN
           end if
        next

Discussion

Employees come and go; people take on new responsibilities and move on to new jobs. It is common to have movement within an organization. When this happens, typically someone is replacing the person that is moving on. The new person needs to get up to speed as quickly as possible, including getting accounts set up and access to any necessary resources. A big part of this includes getting added to the correct groups. You can help facilitate this by using one of the processes outlined in the Solution section to help the user gain access to the exact same groups that the former employee was a member of.

One important issue to point out is that the memberOf attribute, which was used in the Solution section to determine a user’s group membership, contains only the groups that are visible to the DC that’s being queried; this can vary depending on whether the DC in question is a Global Catalog and whether the user belongs to any universal groups. Any groups the user is a member of outside of the user’s domain will not be transferred. To transfer universal group membership outside of a domain, you will need to perform a query against the global catalog for all group objects that have a member attribute that contains the DN of the user. You can also search the Global Catalog for the memberOf attribute for a given user to determine a user’s universal group memberships.
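As an added example that is not part of the original recipe, the Python below does a dry run of the command-line solution: it parses the quoted DNs that `dsget user -memberof` prints, compares them case-insensitively with the groups the new user already holds, holds back any groups you list as protected (so that privileged membership is granted deliberately rather than copied along with a job role), and renders the dsmod commands for review before anything is changed. The dsget output layout, the group DNs and the protected list are assumptions constructed for the example.

```python
import re

# Constructed sample of what `dsget user "<CurrentUserDN>" -memberof` prints:
# one quoted group DN per line (the line format is assumed for this example).
SAMPLE_DSGET_OUTPUT = '''"CN=Sales,OU=Groups,DC=rallencorp,DC=com"
"CN=VPN Users,OU=Groups,DC=rallencorp,DC=com"
"CN=Domain Admins,CN=Users,DC=rallencorp,DC=com"
"CN=Allen\\, Robbie Team,OU=Groups,DC=rallencorp,DC=com"
'''

# Constructed list of groups that must never travel along with a job role.
PROTECTED_GROUPS = ["CN=Domain Admins,CN=Users,DC=rallencorp,DC=com"]


def parse_dsget_memberof(text):
    """Return the group DNs from dsget -memberof output, quotes stripped."""
    dns = []
    for line in text.splitlines():
        line = line.strip()
        if len(line) >= 2 and line[0] == '"' and line[-1] == '"':
            line = line[1:-1]
        if line:
            dns.append(line)
    return dns


def normalize_dn(dn):
    """DNs compare case-insensitively; split only on unescaped commas."""
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(p.strip() for p in parts).lower()


def plan_transfer(current_groups, new_user_groups, protected=()):
    """Sort the current user's groups into: add, already_member, protected."""
    have = {normalize_dn(g) for g in new_user_groups}
    prot = {normalize_dn(g) for g in protected}
    plan = {"add": [], "already_member": [], "protected": []}
    seen = set()
    for group in current_groups:
        key = normalize_dn(group)
        if key in seen:  # ignore duplicate lines
            continue
        seen.add(key)
        if key in prot:
            plan["protected"].append(group)
        elif key in have:
            plan["already_member"].append(group)
        else:
            plan["add"].append(group)
    return plan


def render_dsmod(plan, current_dn, new_dn, remove_from_current=False):
    """Render the recipe's dsmod commands so they can be reviewed first."""
    # With remove_from_current=True the -rmmbr option is added as in the recipe;
    # groups the new user already holds then only need the removal.
    cmds = []
    for group in plan["add"]:
        cmd = 'dsmod group "%s" -addmbr "%s"' % (group, new_dn)
        if remove_from_current:
            cmd += ' -rmmbr "%s"' % current_dn
        cmds.append(cmd)
    if remove_from_current:
        for group in plan["already_member"]:
            cmds.append('dsmod group "%s" -rmmbr "%s"' % (group, current_dn))
    return cmds


if __name__ == "__main__":
    current = parse_dsget_memberof(SAMPLE_DSGET_OUTPUT)
    # Constructed: the new user is already in VPN Users (note the DN casing).
    plan = plan_transfer(current, ["cn=vpn users,ou=groups,dc=rallencorp,dc=com"], PROTECTED_GROUPS)
    print("protected, not copied:", plan["protected"])
    for cmd in render_dsmod(plan, "CN=jsmith,OU=Sales,DC=rallencorp,DC=com", "CN=jdoe,OU=Sales,DC=rallencorp,DC=com", True):
        print(cmd)
```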


Problem

You want to enable or disable a user account.

Solution

Using a graphical user interface
  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Type the name of the user beside Name and click Find Now.
  5. In the Search Results window, right-click on the user and select Enable Account to enable or Disable Account to disable.
  6. Click OK.
Using a command-line interface

To enable a user, use the following command:

        > dsmod user <UserDN> -disabled no

To disable a user, use the following command:

        > dsmod user <UserDN> -disabled yes
Using VBScript
        ' This code will enable or disable a user.
        ' ------ SCRIPT CONFIGURATION ------
        ' Set to TRUE to disable the account or FALSE to enable it
        strDisableAccount = FALSE
        strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=rallencorp,dc=com
        ' ------ END CONFIGURATION --------

        set objUser = GetObject("LDAP://" & strUserDN)
        if objUser.AccountDisabled = TRUE then
           WScript.Echo "Account for " & objUser.Get("cn") & " currently disabled"
           if strDisableAccount = FALSE then
              objUser.AccountDisabled = strDisableAccount
              objUser.SetInfo
              WScript.Echo "Account enabled"
           end if
        else
           WScript.Echo "Account currently enabled"
           if strDisableAccount = TRUE then
              objUser.AccountDisabled = strDisableAccount
              objUser.SetInfo
              WScript.Echo "Account disabled"
           end if
        end if

Discussion

Account status is used to control whether a user is allowed to log on or not. When an account is disabled, the user is not allowed to log on to her workstation with the account or to access AD controlled resources.

There is an IADsUser::AccountDisabled property that allows you to determine and change the status. Set the property to TRUE to disable the account or FALSE to enable it.

Problem

A user is having account lockout problems and you need to determine from where and how it is getting locked out.

Solution

Using a graphical user interface

LockoutStatus is a new program available for Windows 2000 or Windows Server 2003 that can help identify on which domain controllers users are getting locked out. It works by querying the lockout status of a user against all domain controllers in the user’s domain.

To determine the lockout status of a user:

  1. Launch LockoutStatus and select File → Select Target from the menu.
  2. Enter the target user name and the domain of the user.
  3. Click OK.

At this point, each domain controller in the domain will be queried and the results will be displayed.

Discussion

The lockoutstatus.exe tool is just one of many that are available in the new “Account Lockout and Management” toolset provided by Microsoft. These new lockout tools are intended to help administrators with account lockout problems that were very difficult to troubleshoot given the tools available under Windows 2000. Along with the tool mentioned in the Solution section, here are a few others that are included in the set:

ALockout.dll

A script that uses this DLL called EnableKerbLog.vbs (included with the toolset), can be used to enable logging of application authentication. This can help identify applications that are using bad credentials and causing account lockouts.

ALoInfo.exe

Displays services and shares that are using a particular account name. It can also print all the users and their password age.

NLParse.exe

A filter tool for the netlogon.log files. You can use it to extract just the lines that relate to account lockout information.

EventCombMT

A utility to parse Event Logs from multiple servers, either to collect all entries together or to search for individual events across multiple computers. This is extremely useful when troubleshooting user account lockouts, for example, by determining which computer is causing the account lockout.
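As an added example that is not part of the original text or of Microsoft's toolset, the Python below does the kind of filtering NLParse does: it reads netlogon.log lines, keeps the SamLogon results for one account, tallies bad-password attempts and lockouts per source computer, and names the machine most likely driving the lockout. The log lines are constructed, and the line layout matched by the regex (`... logon of DOMAIN\user from SOURCE (via DC) Returns 0x...`) is an assumption about the netlogon.log format that you should check against your own log.

```python
import re
from collections import defaultdict

# NTSTATUS codes that matter when troubleshooting lockouts.
STATUS = {
    "0x0": "SUCCESS",
    "0xC000006A": "WRONG_PASSWORD",
    "0xC000006D": "LOGON_FAILURE",
    "0xC0000064": "NO_SUCH_USER",
    "0xC0000072": "ACCOUNT_DISABLED",
    "0xC0000234": "ACCOUNT_LOCKED_OUT",
}

# Assumed netlogon.log line layout (adjust to your log); sample lines are constructed.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*?SamLogon: .*?logon of "
    r"(?P<domain>[^\\\s]+)\\(?P<user>\S+) from (?P<source>\S+)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)"
)

# Constructed sample: a workstation retrying an old password until the account locks.
SAMPLE_LOG = """\
11/20 09:15:02 [LOGON] [4321] RALLENCORP: SamLogon: Transitive Network logon of RALLENCORP\\jsmith from WKS-FIN-07 (via DC01) Entered
11/20 09:15:02 [LOGON] [4321] RALLENCORP: SamLogon: Transitive Network logon of RALLENCORP\\jsmith from WKS-FIN-07 (via DC01) Returns 0xC000006A
11/20 09:15:04 [LOGON] [4321] RALLENCORP: SamLogon: Transitive Network logon of RALLENCORP\\jsmith from WKS-FIN-07 (via DC01) Returns 0xC000006A
11/20 09:15:09 [LOGON] [4322] RALLENCORP: SamLogon: Network logon of RALLENCORP\\jsmith from APPSRV02 Returns 0x0
11/20 09:15:11 [LOGON] [4321] RALLENCORP: SamLogon: Transitive Network logon of RALLENCORP\\jsmith from WKS-FIN-07 (via DC01) Returns 0xC000006A
11/20 09:15:13 [LOGON] [4321] RALLENCORP: SamLogon: Transitive Network logon of RALLENCORP\\jsmith from WKS-FIN-07 (via DC01) Returns 0xC0000234
11/20 09:16:40 [LOGON] [4323] RALLENCORP: SamLogon: Network logon of RALLENCORP\\bjones from WKS-HR-02 Returns 0xC000006A
"""


def parse_netlogon(text):
    """Yield one dict per SamLogon result line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            code = "0x" + rec["status"][2:].upper()   # normalise hex case, keep "0x"
            rec["status_name"] = STATUS.get(code, code)
            yield rec


def lockout_report(text, user):
    """Per source computer: bad-password count, lockouts, first and last time seen."""
    report = defaultdict(lambda: {"bad_password": 0, "locked_out": 0, "first": None, "last": None})
    for rec in parse_netlogon(text):
        if rec["user"].lower() != user.lower():
            continue
        name = rec["status_name"]
        if name not in ("WRONG_PASSWORD", "ACCOUNT_LOCKED_OUT"):
            continue
        entry = report[rec["source"]]
        entry["bad_password" if name == "WRONG_PASSWORD" else "locked_out"] += 1
        entry["first"] = entry["first"] or rec["ts"]
        entry["last"] = rec["ts"]
    return dict(report)


def likely_culprit(report):
    """Source with the most bad-password attempts, or None if there were none."""
    ranked = sorted(report.items(), key=lambda kv: kv[1]["bad_password"], reverse=True)
    return ranked[0][0] if ranked and ranked[0][1]["bad_password"] else None


if __name__ == "__main__":
    report = lockout_report(SAMPLE_LOG, "jsmith")
    for source, entry in report.items():
        print(source, entry)
    print("likely culprit:", likely_culprit(report))
```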

All of the new Account Lockout tools can be downloaded from:

http://microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Problem

You want to copy an existing user account, which may be serving as a template, to create a new account.

Solution

Using a graphical user interface
  1. Open the ADUC snap-in.
  2. In the left pane, browse to the parent container of the template user object.
  3. In the right pane, right-click on the user and select Copy.
  4. Enter the name information for the new user and click Next.
  5. Enter a password, check any options you want enabled, and click Next.
  6. Click Finish.
Using VBScript
        ' This code copies the attributes in the Attrs array from an
        ' existing object to a new one.
        ' ------ SCRIPT CONFIGURATION ------
        arrAttrs = Array("department","co","title","l", "c", "st")
        strParentDN = "<ParentContainer>" ' e.g. cn=Users,dc=rallencorp,dc=com
        strTemplateUser = "<TemplateUserName>" ' e.g. template-user-sales
        strNewUser = "<NewUserName>" ' e.g. jdoe
        strPassword = "<Password>"
        ' ------ END CONFIGURATION ---------

        Const ADS_UF_NORMAL_ACCOUNT = 512 ' from ADS_USER_FLAG_ENUM

        Set objTemplate = GetObject("LDAP://cn=" & strTemplateUser & _
                                    "," & strParentDN)
        Set objParent = GetObject("LDAP://" & strParentDN)
        Set objUser = objParent.Create("user", "cn=" & strNewUser)

        objUser.Put "sAMAccountName", strNewUser

        for each strAttr in arrAttrs
           objUser.Put strAttr, objTemplate.Get(strAttr)
        next

        objUser.SetInfo
        objUser.SetPassword(strPassword)
        objUser.SetInfo

        objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
        objUser.AccountDisabled = FALSE
        objUser.SetInfo

        WScript.Echo "Successfully created user"

Discussion

Copying a user consists of copying the attributes that are common among a certain user base, which can include department, address, and perhaps even organizational information. ADUC actually uses attributes that are marked in the schema as “Copied when duplicating a user” to determine which attributes to copy. The VBScript solution just used a hard-coded set of attributes.

Using a graphical user interface

To copy a user in ADUC, you have to browse to the user object. If you locate the user by using Find instead, the Copy option is not available when right-clicking a user in the search results window.

Using VBScript

ADSI has a CopyHere method, but it is available only for the NDS provider. It was not implemented for the LDAP provider and so copying a user via a single method is not supported.

Problem

You want to move a user object to a different container or OU.

Solution

Using a graphical user interface
  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, right-click on the domain and select Find.
  4. Type the name of the user and click Find Now.
  5. In the Search Results window, right-click on the user and select Move.
  6. Browse to and select the new parent container or OU.
  7. Click OK.

In Windows Server 2003 and above, you can also drag and drop objects from one container or OU into another.

Using a command-line interface

You can move an object using either the built-in DSMove utility or AdMod. DSMove takes the following syntax:

        > dsmove "<UserDN>" -newparent "<NewParentDN>"

To move an object using AdMod, do the following:

        > admod -b "<Current User DN>" -move "<New Parent DN>"
Using VBScript
        ' This code moves a user from one container to another.
        ' ------ SCRIPT CONFIGURATION ------
        strUserDN = "<UserDN>"    ' e.g. cn=rallen,cn=users,dc=rallencorp,dc=com
        strOUDN = "<NewParentDN>" ' e.g. ou=Sales,dc=rallencorp,dc=com
        ' ------ END CONFIGURATION ---------
        Set objUser = GetObject("LDAP://" & strUserDN)
        Set objOU = GetObject("LDAP://" & strOUDN)
        objOU.MoveHere objUser.ADsPath, objUser.Name

Discussion

Moving a user object between OUs in the same domain has no direct impact on the actual user in terms of any security or distribution groups that the user is a member of. The only thing to be cautious of is the impact of moving the user to a new OU that may have different security settings or GPOs applied to it.

Problem

You want to set one or more of the user profile attributes.

Solution

Using a graphical user interface
  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Beside Name, type the name of the user and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Click the Profile tab.
  7. Modify the various profile settings as necessary.
  8. Click OK.
Using a command-line interface

You can update a user’s profile attributes using either DSMod or AdMod. DSMod uses the following syntax:

        > dsmod user "<UserDN>" -loscr <ScriptPath> -profile <ProfilePath>
        -hmdir <HomeDir> -hmdrv <DriveLetter>

AdMod uses the following syntax:

        > admod -b "<UserDN>" <attribute>::<NewValue>
Using VBScript
        ' This code sets the various profile related attributes for a user.
        strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=rallencorp,dc=com
        set objUser = GetObject("LDAP://" & strUserDN)
        objUser.Put "homeDirectory", "\\fileserver\" & objUser.Get("sAMAccountName")
        objUser.Put "homeDrive", "z:"
        objUser.Put "profilePath", "\\fileserver\" & _
                    objUser.Get("sAMAccountName") & "\profile"
        objUser.Put "scriptPath", "login.vbs"
        objUser.SetInfo
        Wscript.Echo "Profile info for " & objUser.Get("sAMAccountName") & " updated"

Discussion

The four attributes that make up a user’s profile settings include the following:

homeDirectory

UNC path to home directory

homeDrive

Drive letter (e.g., Z:) to map home directory

profilePath

UNC path to profile directory

scriptPath

Path to logon script

When you set the homeDirectory attribute, the folder being referenced needs to already exist.

Problem

You want to create a large number of user objects, either for testing purposes or to initially populate Active Directory with your employee, customer, or student user accounts.

Solution

Using a command-line interface

The following example uses a for-do loop in combination with dsadd to create 1,000 users under the bulk OU in the rallencorp.com domain with usernames such as User1, User2, User3, etc. The password is set, but no other attributes are configured. You can modify the dsadd syntax to populate additional attributes, as well.

        > for /L %i in (1,1,1000) do dsadd user cn=User%i,ou=bulk,dc=rallencorp,dc=com -pwd User%i

You can also use the ldifde utility to perform a bulk import of unique usernames. Create an .LDF file using the following syntax (separate multiple entries with a blank line in-between):

        dn: CN=Robbie Allen, OU=Training, DC=rallencorp, DC=com
        changetype: add
        cn: Robbie Allen
        objectClass: user
        samAccountName: rallen

Once you’ve created the LDIF file containing your user records, import the file using the following command:

        > ldifde -i -f <filename.ldf> -s <servername>

You may notice that the LDIF file does not specify the user’s password; this attribute must be modified after the user object has been created.
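As an added example that is not part of the original text, the Python below generates an LDIF file in the layout shown above from a list of people, which is how you would feed real HR data to ldifde rather than typing records by hand. It takes care of the two things that break naive generators: values containing commas or other DN special characters are escaped per RFC 4514 so they cannot alter the DN, and non-ASCII or otherwise unsafe values are base64-encoded with the `::` form LDIF requires. No password is written, for the reason the text gives. The parent OU and the people list are constructed for the example.

```python
import base64


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):          # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):               # and so must a trailing space
        out = out[:-1] + "\\ "
    return out


def ldif_attr(name, value):
    """One attribute line; values LDIF cannot carry verbatim are base64 (::) encoded."""
    safe = (value.isascii() and value[:1] not in (" ", ":", "<")
            and not value.endswith(" ")
            and not any(c in value for c in "\r\n\0"))
    if safe:
        return "%s: %s" % (name, value)
    return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def user_entry(parent_dn, cn, sam, given, sn):
    """LDIF 'add' record for one user, in the layout the recipe shows.

    No unicodePwd is included: it must be set after the object exists, and
    until then the account stays disabled (the default for a new user).
    """
    lines = [
        "dn: CN=%s,%s" % (escape_dn_value(cn), parent_dn),
        "changetype: add",
        "objectClass: user",
        ldif_attr("cn", cn),
        ldif_attr("sAMAccountName", sam),
        ldif_attr("givenName", given),
        ldif_attr("sn", sn),
        ldif_attr("displayName", cn),
    ]
    return "\n".join(lines)


def build_ldif(parent_dn, people):
    """Join the records with one blank line between them, as ldifde expects."""
    return "\n\n".join(user_entry(parent_dn, *p) for p in people) + "\n"


# Constructed HR-style input: (full name, sAMAccountName, given name, surname).
PEOPLE = [
    ("Robbie Allen", "rallen", "Robbie", "Allen"),
    ("Allen, Jr., Bob", "ballen", "Bob", "Allen"),   # commas inside the CN
    ("Zoë Müller", "zmuller", "Zoë", "Müller"),      # non-ASCII values
]

if __name__ == "__main__":
    print(build_ldif("OU=Training,DC=rallencorp,DC=com", PEOPLE))
```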

Using VBScript
        ' This code creates a large number of users with incremented user names
        ' e.g. User1, User2, User3, ….
        ' ------ SCRIPT CONFIGURATION ------
        intNumUsers = 1000               ' Number of users to create
        strParentDN = "<ParentDN>" ' e.g. ou=bulk,dc=emea,dc=rallencorp,dc=com
        ' ------ END CONFIGURATION --------

        ' Taken from ADS_USER_FLAG_ENUM
        Const ADS_UF_NORMAL_ACCOUNT = 512

        set objParent = GetObject("LDAP://" & strParentDN)
        for i = 1 to intNumUsers
           strUser = "User" & i
           Set objUser = objParent.Create("user", "cn=" & strUser)
           objUser.Put "sAMAccountName", strUser
           objUser.SetInfo
           objUser.SetPassword(strUser)
           objUser.SetInfo
           objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
           objUser.AccountDisabled = FALSE
           objUser.SetInfo
           WScript.Echo "Created " & strUser
        next
        WScript.Echo ""
        WScript.Echo "Created " & intNumUsers & " users"

Discussion

Using ADSI and even the new DS command-line utilities on Windows Server 2003, you can create hundreds and even thousands of users easily and quickly. We ran both the CLI and VBScript solutions in a test domain on a single processor machine. The VBScript solution took less than 1.5 minutes and the CLI solution took less than 5 minutes to create 1,000 user objects. Admittedly, they are not populating very many attributes, but it shows that you can quickly populate Active Directory with user accounts very easily. You can also modify the examples to pull real data from a data source, such as an employee database.

Problem

You want to create a user object.

Solution

Using a graphical user interface
  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to and select the container where the new user should be located and select New User.
  4. Enter the values for the first name, last name, full name, and user logon name fields as appropriate and click Next.
  5. Enter and confirm password, set any of the password flags, and click Next.
  6. Click Finish.
Using a command-line interface

You can create a user with the built-in DSAdd utility or by using AdMod. Using DSAdd requires the following syntax:

        > dsadd user "<UserDN>" -upn <UserUPN> -fn "<UserFirstName>"
        -ln "<UserLastName>" -display "<UserDisplayName>" -pwd <UserPasswd>

To create a user account with AdMod, use the following syntax:

        > admod -b "<UserDN>" -add objectClass::user
           sAMAccountName::<SAMAccount> unicodepwd::<password> userAccountControl::512
           -kerbenc
Using VBScript
        ' Taken from ADS_USER_FLAG_ENUM
        Const ADS_UF_NORMAL_ACCOUNT = 512

        set objParent = GetObject("LDAP://<ParentDN>")
        set objUser = objParent.Create("user", "cn=<UserName>") ' e.g. joes
        objUser.Put "sAMAccountName", "<UserName>"   ' e.g. joes
        objUser.Put "userPrincipalName", "<UserUPN>" ' e.g. joes@rallencorp.com
        objUser.Put "givenName", "<UserFirstName>"       ' e.g. Joe
        objUser.Put "sn", "<UserLastName>"           ' e.g. Smith
        objUser.Put "displayName", "<UserFirstName> <UserLastName>" ' e.g. Joe Smith
        objUser.SetInfo
        objUser.SetPassword("<Password>")
        objUser.AccountDisabled = FALSE
        objUser.SetInfo
        objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
        objUser.SetInfo

Discussion

The only mandatory attribute that must be set when creating a user is sAMAccountName, which is the account name that is used to interoperate with downlevel domains, and even this attribute is only mandatory in Windows Server 2003. To make the account immediately available for a user to use, you’ll need to make sure the account is enabled, which is accomplished by setting userAccountControl to 512 after you’ve set a password that follows any password complexity rules in place for the domain (order is important in this case). If you only set the sAMAccountName when creating a user object, the account will be disabled by default.
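To make the userAccountControl arithmetic in this discussion (and the AccountDisabled property in the enable/disable recipe earlier) concrete, here is an added Python helper that is not part of the original text: it decodes a userAccountControl value into its flag names, shows that enabling or disabling an account is just the 0x2 bit (what IADsUser::AccountDisabled reads and writes), and lists the flags on an account that a security review should question, such as a password not being required. The flag bits are the documented ADS_USER_FLAG_ENUM values; the sample values walked through are constructed.

```python
# Flag bits from ADS_USER_FLAG_ENUM (documented values).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200   # the 512 the recipes write into userAccountControl

# Settings that weaken an account and deserve a look during a review.
REVIEW_FLAGS = {
    "PASSWD_NOTREQD": "a blank password is allowed regardless of policy",
    "DONT_EXPIRE_PASSWORD": "password never expires",
    "DONT_REQ_PREAUTH": "Kerberos pre-authentication not required",
    "TRUSTED_FOR_DELEGATION": "unconstrained delegation",
    "USE_DES_KEY_ONLY": "weak DES-only Kerberos keys",
    "ENCRYPTED_TEXT_PWD_ALLOWED": "password stored with reversible encryption",
}


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_disabled(value):
    """What IADsUser::AccountDisabled reports."""
    return bool(value & ACCOUNTDISABLE)


def set_disabled(value, disabled):
    """What IADsUser::AccountDisabled = TRUE/FALSE writes: only the 0x2 bit changes."""
    return value | ACCOUNTDISABLE if disabled else value & ~ACCOUNTDISABLE


def review_uac(value):
    """Flags set on the account that a security review should question."""
    return {name: REVIEW_FLAGS[name] for name in decode_uac(value) if name in REVIEW_FLAGS}


if __name__ == "__main__":
    # Constructed walk-through: 546 is the usual value for a user created with only
    # sAMAccountName (NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE); clearing the
    # disable bit alone still leaves PASSWD_NOTREQD, hence the recipes write 512.
    for uac in (546, set_disabled(546, False), NORMAL_ACCOUNT):
        state = "disabled" if is_disabled(uac) else "enabled"
        print(uac, decode_uac(uac), state, review_uac(uac))
```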

Problem

You want to determine whether a domain controller is ready to be upgraded to Windows Server 2003.

Solution

Using a graphical user interface

Insert a Windows Server 2003 CD into the Windows 2000 domain controller or map a drive to the files contained on the CD. Run the following command from the \i386 directory:

        > winnt32 /checkupgradeonly
Using a command-line interface

To produce a compatibility report from the command line, first you need to create a text file containing the following information:

        [Unattended]
        Win9xUpgrade = Yes

        [Win9xUpg]
        ReportOnly = Yes
        SaveReportTo = "\\server1\upgradereports\"

Save this file as unattend.txt, and then run the following from the command-line:

        > winnt32 /checkupgradeonly /unattend:c:\unattend.txt

Discussion

The /checkupgradeonly switch simulates the initial steps for upgrading a server to Windows Server 2003. It verifies, among other things, that AdPrep has completed and checks any installed applications against a known list of compatible and non-compatible applications with the new operating system.

Read Me First

The Windows Server 2003 Active Directory Domain Rename Tools provide a security-enhanced and supported methodology to rename one or more domains (as well as application directory partitions) in a deployed Active Directory forest. The DNS name and the NetBIOS name of a domain can be changed using the domain rename procedure. For an understanding of the constraints of the domain rename procedure, please see the accompanying document, “Understanding How Domain Rename Works,” available on this page.

Note: These tools are for use with Windows Server 2003 only. Do not use them with Windows 2000.

Important: The domain rename operation and the use of the domain rename tools is not supported in an Active Directory forest that has any version of Microsoft Exchange Server prior to Exchange Server 2003 SP1 deployed in it.

The latest version of the domain rename tools that are available for download are as follows:

  • Latest Version: rendom.exe version 1.4, gpfixup.exe version 1.1
  • Release Date: August 16, 2004
  • Download Statistics: 364 KB download file, 60 seconds @ 28.8 kbps

You can check the version number of each tool by running the tool with the “/?” command-line switch. If you do not have the latest version of these tools as specified here, you can download them from this page (see How to Download and Install, below).

Documents

Note that implementing domain rename is a complex undertaking that requires thorough planning and a good understanding of the domain rename procedure. The two documents on this page are designed to help you understand the process and guide you through the procedure step by step.

  • For an understanding of where the domain rename process is applicable, its constraints, and how it works, please review the document “Understanding How Domain Rename Works.”
  • For a step-by-step guide to planning and implementing the domain rename procedure, please review the document “Step-by-Step Guide to Implementing Domain Rename.”

System Requirements

To perform the domain rename procedure, you must be running one of the following versions of Windows Server 2003 or higher on every domain controller in the forest in which the domain rename is to be performed:

  • Windows Server 2003, Standard Edition
  • Windows Server 2003, Enterprise Edition
  • Windows Server 2003, Datacenter Edition

Language Support

The domain rename tools can be used on all language versions of Windows Server 2003. There are no language-specific versions of the tools.

How to Download and Install

  1. Download The File
  2. Choose a location on your computer to save the file, and then click Save.

How to Use

  1. Go to the location where you saved the downloaded file, and then double-click the file to launch the installation wizard.
  2. Review the contents of the two documents referenced in the Documents section above for a thorough understanding of the domain rename process and a step-by-step guide to the domain rename procedure.

How to Uninstall

Go to the location where you saved the downloaded file, and then delete the downloaded file as well as the individual tools that were extracted.