Utilities in JRButils for AD V10

Adaccexp

Adaccexp is intended for use in a login script where it displays a warning if the user’s account is about to expire. The number of days before expiration at which warnings begin is adjustable and defaults to seven. Adaccexp can also be used to check the account expiration status of a named user.

Adchkhome

For one or more users, adchkhome checks that the Active Directory homeDirectory attributes are set correctly; for one or more directories, it checks that there is a user in AD corresponding to the lowest level of the path. Specifically, adchkhome can:

  • Display the contents of the homeDirectory and homeDrive attributes for a single user, users selected using wildcards, all members of a group, or a list of users in a file.
  • List users without a homeDirectory or homeDrive attribute.
  • Can check for each user that the home directory path exists providing that it is a UNC path pointing to a directory on a server or cluster volume.
  • Can list only users for which the home directory does not exist.
  • Can check that each user is the owner of their home directory.
  • Can check for each user that the lowest level of the home directory path matches the common name, samAccountName, or userID from the userPrincipalName attribute.
  • For a single directory, or all subdirectories of a directory, check if there is a user in AD with a name matching that of the lowest level directory e.g. for \\rata\users\karen, it will check if user Karen exists somewhere in the domain.
  • For each directory, check that the corresponding user’s homeDirectory attribute contains that directory e.g. for \\rata\users\karen it checks that Karen’s homeDirectory contains \\rata\users\karen.
  • Can display a range of fields associated with each home directory including the attributes, owner, creation date, modification date, last access date, user’s permissions, disk (volume) quota and associated warning threshold.
  • Can restrict the output to those users with a particular character sequence in their home directory path e.g. cShare.
  • May also be used for objects of class inetOrgPerson.

Adchkval

Adchkval is intended for use in a script or batch file to determine whether an attribute of an object has a given value e.g. that “department” contains “Marketing”. An error level is set indicating the result. Adchkval may be used for any attribute holding a text value, and for attributes holding objects as values.

Adchrcheck

Adchrcheck scans all files in a directory structure and lists those with non-standard characters in the name. By default, non-standard characters are anything other than 0-9, a-z, space, ‘.’, ‘~’, ‘-’ and ‘_’. Features include:

  • Can check for non-standard characters in either the long or short name.
  • Allows customising the set of allowed and disallowed characters.
  • Files may be renamed by removing the non-standard characters.
  • Files may be renamed by replacement of the non-standard characters with a nominated character.
  • Leading spaces in file names may also be identified, removed or replaced.

Adcreate

Adcreate can create a wide range of objects in Active Directory. It is intended primarily for creating users, groups and inetOrgPersons in batch mode. Adcreate can do the following:

  • Set a password for users and enable the account.
  • Create a home directory for users, set ownership and grant permissions.
  • Set the display name, given name, surname, initials, principal name and email address when creating users.
  • Store the home directory path in the homeDirectory attribute.
  • Enable user password expiration and expire the password.
  • Can copy Active Directory attributes from a template when creating users and inetOrgPersons. These include selected settings from the security descriptor e.g. the ACE to prevent accidental deletion.
  • Create any type of group i.e. security or distribution, global, local or universal.

See also adimport which does user creation, deletion and updating.

Addelattr

Addelattr deletes a selected attribute from one or more objects in Active Directory. Addelattr refuses to delete some attributes where their removal might cause problems and there are others such as objectGUID and objectSID which AD does not allow to be deleted. This does not mean that it is safe to use addelattr to delete all attributes which are not excluded. Use addelattr cautiously, and entirely at your own risk.

Addelete

Addelete can delete almost any class of object from Active Directory. For safety, you may not use wildcards when deleting objects. Nor will addelete delete groups with members. Features include:

  • When deleting users, addelete can delete the user’s home directory and its contents if the path is stored in the homeDirectory attribute, or if a path to the parent directory is given on the command line. The contents of the profile may also be deleted.
  • Can delete users, groups, inetOrgPersons and computers with child objects. The presence of child objects requires a different method of deletion to be used.
  • Multiple objects may be deleted using an input file.
  • Can optionally override the “Protect from accidental deletion” setting.

Addelhome

Addelhome deletes the contents of home directories for one or more users. The home directory paths are retrieved from the homeDirectory attribute and several checks are made to first ensure that the path contained therein is correct.

Adextcheck

The adextcheck program produces a summary of the file extensions in a directory structure or on an entire volume. The extensions are sorted and for each, the number of files and the total space occupied by files with that extension are given. Features of adextcheck include:

  • Can limit the summary to selected extensions.
  • Can produce comma delimited output optionally enclosed in double quotes.
  • Can count the number of and space occupied by files older than a given date for each extension.
  • Can specify the units for the space used (bytes, KB, MB, GB, TB).
  • Can specify whether the extension is treated as those characters after the first or last period for those files with multiple periods in the name.
  • Can sort the results on any of the possible output columns.
  • Works on Windows and Micro Focus (Novell) drives.

Adfsrights

Adfsrights displays the effective rights of objects to files and directories. It can do the following:

  • Can display the rights of one object or multiple objects to a single target directory or file, or to multiple directories or files.
  • Can filter the results by rights e.g. show only those results where the objects have RWXD rights, or eliminate results where the object has no rights.
  • Can show the rights in a directory structure at the starting level and thereafter only when the rights change. This is probably the most useful way to display an object’s rights to a directory structure.
  • Can produce comma delimited output.

Adfsupdate

Adfsupdate is a file system maintenance program. It can do the following:

  • Copy selected files, or an entire directory structure to multiple hosts, retaining all file attributes, dates and ownership.
  • Perform a selective copy or delete based on attributes (e.g. the archive bit is set), owner, creation date, modification date or last accessed date of either the files being copied or files to be replaced in the target directory.
  • Perform an update copy transferring only newer files or those which do not exist in the target directory.
  • Perform a mirror copy which, in addition to updating files in the target directories, removes any files and directories which do not exist in the source.
  • Optionally retain ownership and DACL entries if sufficient rights are held when copying.
  • Delete individual files or entire directory structures from one or more hosts.
  • List the files to be deleted for a selective delete, without actually deleting them.
  • Delete files but retain the directory structure.
  • Delete or overwrite files flagged read-only.
  • Set file and directory attributes.
  • Rename files.
  • Works on both Windows and Micro Focus (Novell) drives.
  • Supports paths up to 1024 characters in length.
  • Copies sparse files correctly retaining their sparseness.
  • Can skip selected files and directories when copying or deleting a directory structure. Specific paths may be ignored, or individual file and directory names may be given, optionally including wildcards.
  • Can report the number of files to be copied, deleted, renamed, or have attributes modified without actually performing the requested operation.

Adgetdirquota

Adgetdirquota displays directory quotas, usage, space available, template applied, quota status, peak usage, peak usage times and warning thresholds, individually or en masse. It can do the following:

  • Process individual directories, all subdirectories of a directory, or all directories in a tree.
  • Display quota values for the home directories of individual users, users selected via wildcards, or for all members of a group. The home directory for each user is obtained from their homeDirectory attribute.
  • The values can be displayed in bytes, KB, MB or GB.
  • Filter the results on any of the fields e.g. directories without a quota, quota status equals disabled, or users whose home directory usage exceeds 500MB.
  • Display columnar or delimited output.
  • Sort the results by any of the output fields.

Adgetobjsec

Adgetobjsec displays components of the security descriptor from the ntSecurityDescriptor attribute for objects of any class in Active Directory. It can do the following:

  • Display any combination of the DACL, SACL, owner, group and security descriptor flags.
  • Display components for a single object, objects selected via wildcards, all members of a group, a group object or a list of objects in a file.
  • Display explicit (non-inherited) ACEs, inherited ACEs, or both.
  • Display all or any combination of ACE types from the DACL and SACL e.g. deny and deny object ACEs.
  • Display only those ACEs with a specified value for “applies to”.
  • Display only those ACEs inherited by a specific object class.
  • Display ACEs selectively based on the permissions granted or denied.
  • Display ACEs containing only orphaned SIDs i.e. those which cannot be translated to an object name.
  • Display the parent object from which an ACE is inherited.
  • Suppress the display of DACL and SACL ACEs for well-known security identifiers such as “NT AUTHORITY\SELF”.
  • Display the rights in character form e.g. CR, or as a 32-bit hexadecimal value representing the permissions mask.
  • Has flexible output formats including selected ACE fields in any order and optionally in comma or semicolon delimited format.
  • Display the results in Security Descriptor Description Language (SDDL) format.
  • Sort the results on any field.

Adgetrest

Adgetrest displays account restrictions for one or more objects. The restrictions include:

    Account is disabled                 Password change next logon
    Account is expired                  Password is expired
    Account expiration date and time    Password expiration date and time
    Account is locked                   Password history length
    Creation date and time              Password last change date/time
    Intruder lockout bad logon count    Password minimum age
    Intruder lockout date and time      Password minimum length
    Intruder lockout period             Password maximum age
    Intruder lockout reset time         Password is required
    Intruder lockout threshold          Password reversible encryption allowed
    Last login date and time            Password settings object
    Last unsuccessful login date        Password user can change
    Logon hours                         Password unique required
    Modification date and time          Protected from accidental deletion
    Password complexity required        Workstation restrictions

Note that some of these are set at the domain level or via a password settings object, and some at the object level. The features of adgetrest include:

  • Supports users, inetOrgPersons and computers in Active Directory.
  • Supports local non-domain users on workstations.
  • Can display restrictions for a single object, objects selected using wildcards, all members of a group (optionally including nested groups), or a list of objects in a file.
  • Can display all restrictions, or a single restriction e.g. password minimum length.
  • Can control the order and width of each output field (user name, domain name, display name, restriction value) when displaying individual restrictions.
  • Can sort into ascending or descending order by object name or by restriction value.
  • Can filter by restriction value e.g. list all users whose account has expired, or all users without an account expiration date and time.
  • Can process objects in the specified container and all containers below it.
  • Can retrieve values from a designated domain controller.
  • Values for last logon and the modification date and time are retrieved from all domain controllers and the most recent value is displayed.
  • Can set an error level indicating the number of matching objects. This allows testing in a batch file, for example, whether a particular user’s account is disabled.

Adgetval

Adgetval displays values for almost any attribute and object class. A fully GUI version is also included. Features include:

  • Display values for a single object, objects selected using wildcards, all members of a group (optionally including nested groups), or a list of objects from a file.
  • Can display single attributes, multiple attributes or all attributes for each object.
  • Can use a template file containing text and substitution identifiers to format the results e.g. as commands for input to another program.
  • Can display objects which have a value, or do not have a value, for a particular attribute.
  • Can display the number of values for each attribute rather than the actual values.
  • Knows how to correctly display a very wide range of attributes e.g. it correctly formats object SIDs and object GUIDs which are stored as octet strings.
  • Can retrieve values from a designated domain controller.
  • Values for last logon and the modification date and time are retrieved from all domain controllers and the most recent value is displayed.
  • Can sort by object name or attribute value. In the GUI version, sorting can be based on the contents of any column.
  • Supports the following pseudo-attributes for user objects. These are derived values (e.g. accountLocked), bit values from userAccountControl (e.g. accountDisabled), values which are domain wide or from a password settings object (e.g. passwordMinimumLength), or terminal services values read from the userParameters attribute, or from the ntSecurityDescriptor attribute.

    accountDisabled               primaryGroupName
    accountExpired                primaryProxy
    accountLocked                 protectFromAccidentalDeletion
    homedirRequired               tsAllowLogon
    lockoutDuration               tsBrokenConnectionAction
    lockoutThreshold              tsConnectClientDrivesAtLogon
    lockoutWindow                 tsConnectClientPrintersAtLogon
    passwordChangeNextLogon       tsDefaultToMainPrinter
    passwordComplexityRequired    tsEnableRemoteControl
    passwordExpired               tsHomeDirectory
    passwordExpires               tsHomeDrive
    passwordHistoryLength         tsInitialProgram
    passwordMaximumAge            tsMaxConnectionTime
    passwordMinimumAge            tsMaxDisconnectionTime
    passwordMinimumLength         tsMaxIdleTime
    passwordNeverExpires          tsProfilePath
    passwordRequired              tsReconnectionAction
    passwordReverseEncryption     tsWorkDirectory
    passwordUniqueRequired

Adgetvolquota

Adgetvolquota displays disk quotas, disk usage, space available and warning thresholds for multiple users. Features include:

  • Can display values for a single user, users selected using wildcards, all members of a group, or a list of users in a file.
  • Can display values for each user’s home volume by reading the homeDirectory attribute, or can display values on a designated volume.
  • The values can be displayed in bytes, KB, MB or GB.
  • Can sort into ascending or descending order of quota, space used, space available, warning threshold or by user name.
  • Can display only totals for quotas and usage.
  • Can select which fields are displayed and their order.
  • Can filter by value e.g. list all users whose usage exceeds 500 MB, all users without a quota, or all users whose usage is within 20% of their quota.
  • Can display all entries in the quota tables on a selected volume.
  • Can display columnar or delimited output.

Adgroups

Adgroups is a GUI program combining adgrpadd, adgrpdel and adgrplist. Its features include:

  • Works with both Active Directory and local workstation groups.
  • Can list the members of one or more groups using wildcards.
  • Can use logical operators ‘and’, ‘or’ and ‘not’ to list objects which are or are not members of a combination of groups.
  • Can display the following fields for groups and their members:
    • The group name or an expression containing group names
    • The group’s display name
    • The group’s description
    • The group’s type (security, distribution, local, global, universal)
    • The group’s creation date and time
    • The group’s modification date and time
    • The number of group members
    • The member’s name
    • The member’s display name
    • The member’s description
    • The member’s object class
  • Can display the members as adgrpadd or adgrpdel commands.
  • Can display only members of a particular object class e.g. contact.
  • Can display only those members whose accounts are or are not disabled.
  • Can display only those members whose accounts are or are not expired.
  • Can exclude selected members from being displayed via an input file of names.
  • Can display members for only groups of a selected type e.g. local security groups.
  • Can include the members of nested subgroups instead of displaying the nested group name.
  • Can display only group information i.e. the membership is suppressed.
  • Can include or omit groups without members.
  • Can add or remove selected objects, all members of another group, or a list of objects from a file.
  • Can create groups of any type when adding members and delete groups after removing members.
  • Can use wildcards in group names when adding or removing members.
  • Supports adding or removing nested groups as members.
  • Supports adding the members of nested groups, or the group itself, when adding all members of one group to another.
  • Can be used to manage groups on a workstation not in a domain.
  • Can customise the GUI interface by selectively removing controls via a command line switch.
  • Can specify via the command line, a starting container for the object browser used to select groups or members.
  • Can use a command line switch to display in the object browser only those groups whose membership the person running the program is authorized to modify.

Adgrpadd

Adgrpadd adds one or more members to a group. Its features include:

  • Can process a single group or a file containing a list of groups.
  • Supports local groups on workstations and member servers.
  • Can create both security and distribution groups.
  • Can accept one or more members on the command line.
  • Can add all members of another group.
  • Supports adding the members of nested groups, or the group itself, when adding all members of one group to another.
  • Can add a list of objects from a file.
  • Can process a file containing one group name and one member name per line.
  • Supports nested groups.
  • Supports adding members from a trusted domain.
  • Can add domain objects to non-domain local groups.
  • Supports adding well known objects as members to both domain and non-domain groups.
  • Supports setting the group as the primary for each user.
  • Can run without AD being present allowing it to be used to manage group memberships on a workstation which is not a domain member.
  • Can provide an exclusion list of members not to be added. This may be useful when adding via wildcards or when adding all members of one group to another.
  • Allows group membership to be synchronized with the contents of a file. Objects named in the file are added to the group if not already members, members not named in the file are removed. This may be a better option than removing all members, then adding the contents of the file when something is monitoring changes to the group membership and performing an action based on the changes.

Adgrpdel

Adgrpdel removes one or more members from a group. Its features include:

  • Can process a single group or a file containing a list of groups.
  • Supports local groups on workstations and member servers.
  • Can accept one or more members on the command line.
  • Can remove all members of another group.
  • Can remove a list of members from a file.
  • Can process a file containing one group name and one member name per line.
  • Supports nested groups.
  • Supports removing members from a trusted domain.
  • Can remove domain objects from non-domain local groups.
  • Supports removing well known objects as members from both domain and non-domain groups.
  • Can delete the group if it has no remaining members.
  • Can run without AD being present allowing it to be used to manage group memberships on a workstation which is not a domain member.

Adgrplist

Adgrplist lists the members of individual groups or combinations of groups. It can do the following:

  • List the members of a single group.
  • List the members of multiple groups via wildcards in the group name.
  • List members based on selection criteria involving one or more groups. An expression may be given using logical operators ‘and’, ‘or’ and ‘not’ to list members who are or are not members of a combination of groups.
  • List members based on object class e.g. only user members or well-known object members.
  • Display only those members whose accounts are or are not disabled.
  • Display only those members whose accounts are or are not expired.
  • List members only in a selected container or one of its subcontainers.
  • Can exclude selected members from being listed.
  • Results may be sorted by member name, member’s display name, container or the total number of members.
  • Results may be formatted as adgrpadd or adgrpdel commands.
  • Correctly displays members which are objects in the ForeignSecurityPrincipals container. These are converted to well known object names or to names in a trusted domain.
  • Supports both security and distribution groups.
  • Supports both domain and non-domain groups.
  • Can expand nested distribution groups, and deals correctly with nesting loops.
  • Can optionally remove duplicated names from the output when expanding nested groups.
  • Can display totals only.
  • Can run without AD being present allowing it to be used to list group memberships on a workstation which is not a domain member.
  • Can select the number of fields to display and their order. The output may be columnar or csv. The fields are:
    • The group name or an expression containing group names
    • The host name (for local workstations)
    • The group’s display name
    • The group’s description
    • The group’s type (security, distribution, local, global, universal)
    • The group’s creation date and time
    • The group’s modification date and time
    • The member’s name
    • The member’s display name
    • The member’s description
    • The member’s object class
    • The member’s container without the domain component
    • The member’s container with the domain component

Adgrpmemb

Adgrpmemb may be used to determine in a batch file or script whether an object is a member of a group. Features include:

  • It can set a range of error levels indicating whether the object is or is not a member, and whether the group and object exist.
  • Supports nested groups i.e. can either check or ignore nested group membership.
  • Supports checking memberships for objects in a foreign domain.
  • Supports checking memberships for well known objects.
  • Supports checking memberships for non-domain groups.
  • Can execute a given command (e.g. “notepad c:instructions.txt”) when the user is a member of the group.
  • While it performs silently by default setting just an error level, the result can be displayed as a single line of text optionally including the resultant error level.
  • Can run without AD being present allowing it to be used to check memberships on a workstation which is not a domain member.

Adhome

Adhome maps the current drive or a designated drive to the path from a user’s homeDirectory or profilePath attribute. It can also make the designated drive the current drive. This may be useful when troubleshooting an issue in a user’s home directory or profile.

Adhomedirs

The adhomedirs program combines the functionality of adchkhome and adsethome into a single GUI environment. Its features include:

  • Can display the home directory and a range of related properties for selected users, all users in a container, a list of users in a file or for all members of a group.
  • For a path or for all first level subdirectories of a path, adhomedirs can attempt to find a user, inetOrgPerson or computer with a name matching the lowest level of the path. If found, the object name is displayed and any of the properties of that object’s home directory may be displayed.
  • The fields available for display are:

    The object name (when checking paths, the object matching the lowest level)
    The object’s class
    The object’s display name
    The object’s home drive *
    The object’s home directory *
    Whether the home directory exists (yes/no)
    The object’s permissions to their home directory *
    The home directory owner *
    The home directory attributes *
    The home directory creation date and time
    The home directory last access date and time
    The home directory modification date and time
    Volume quotas:
      The quota applicable to the user on the home directory volume *
      The warning threshold applicable to the user on the home directory volume *
      The space used
      The space used as a percentage of the quota
      The free space
      The free space as a percentage of the quota
    Directory quotas:
      The directory quota on the home directory *
      The space used
      The space used as a percentage of the quota
      The free space
      The free space as a percentage of the quota
    When starting with a path, the following can also be displayed:
      The path being checked
      The path’s attributes
      The path’s creation date and time
      The path’s last access date and time
      The path’s modification date and time
      The path’s owner
      The path’s trustees
  • The fields marked with “*” can have their values modified by right clicking in the appropriate row and column in the list view. For the home directory field, right clicking also allows creation of the path.
  • When displaying the home directories for selected objects, the results may be filtered, for example on whether or not the homeDirectory attribute has a value, whether the path is in UNC or non-UNC format, and whether the path can be verified.
  • Has the ability to set and modify home directories en masse. This allows:
    Setting the homeDirectory attribute
    Setting the homeDrive attribute
    Selecting a name (CN, samAccountName, loginID or display name) to append to complete each user’s home path
    Creating the home directory for paths given in UNC format
    Setting home directory permissions
    Setting home directory ownership
    Setting home directory attributes
    Setting or removing a volume quota
    Setting or removing a warning threshold
    Setting or removing a directory quota

Adimport

Adimport is a powerful tool for batch mode management of users, inetOrgPersons, contacts and computers. Features include:

  • Creates, updates and deletes users, inetOrgPersons, contacts and computers, and can export attribute values.
  • Supports user specific values being supplied, plus fixed values which are applied to each object being created or updated.
  • Can require that the CN is unique in the domain, and/or that the samAccountName equals the CN. Object creation will fail if these conditions cannot be met.
  • Has one in-built scheme to modify CNs when not unique. It is expected that more schemes will be added in future.
  • Sets and modifies values for a wide range of attributes including all of the terminal services settings stored in the userParameters attribute.
  • Supports constructing attribute values from other attribute values e.g. combining the first and last names to form the display name.
  • Can create home directories, set ownership, attributes and assign permissions.
  • Can create profile directories. Version 2 profile paths are supported.
  • Can control which name (common name, samAccountName or userID) is used for the lowest level of the home directory and profile paths.
  • Can store the home directory path in the homeDirectory attribute.
  • Can create a second home directory, set ownership and assign permissions.
  • Can create subdirectories of home directories.
  • Can set or remove a disk quota or warning threshold on the home volume or any other volume.
  • Can set or remove a directory quota on the primary or secondary home directories under Windows Server 2008 onwards.
  • Can create directories associated with group memberships.
  • Can copy Active Directory attributes from an object serving as a template.
  • Can search Active Directory before object creation to check if a name is unique.
  • Can generate random passwords of any length using numeric, alphanumeric, alphabetic or symbol characters of mixed case or single case. The generated passwords may be written to a file, along with the object name and optionally the server name and object’s description. The random passwords can be generated without them actually being set.
  • Can use two passes through the control and data files, creating objects in the first pass and setting attributes on the second.
  • Can specify a delay after object creation to allow replication to occur.
  • Can delete home directories and their contents when deleting objects.
  • Can delete objects with children which requires a different method of deletion to be used.
  • Supports copying files or a directory structure into the home directory or into one of its subdirectories.
  • Can assign a password settings object under Windows Server 2008 onwards.
  • Can set an alternative primary group.
  • Supports the “Protect from accidental deletion” setting. This can be added to objects after creation, copied from a template, removed from objects, and optionally overridden when deleting or moving objects.
  • Can move objects into a different container.

Adjrbpass

Adjrbpass is a graphical utility for changing passwords for individual users. It can be used by anyone to change a password providing that they know the current password. Users with appropriate rights can change another user’s password without knowing the old one. Features of adjrbpass include:

  • Can change a user’s Active Directory password.
  • Can select a target domain from a combo box.
  • Can change passwords on the local workstation.
  • Can change eDirectory passwords if the client for OES Enterprise Server (the Novell client) is installed and a connection exists to a Micro Focus server.
  • Can locate users via common name, display name, samAccountName or user principal name.
  • Displays the Active Directory username in red if the account is disabled, expired or locked. A tooltip states the account is disabled, expired at a given date, or was locked at a given date and time.
  • When used by someone with sufficient rights, it can unlock an account that has been locked by Windows’ intruder detection, and can expire a password after change.
  • The interface can be modified via command line switches.

Adlencheck

Adlencheck reports on the length of file and directory names. It can do the following:

  • Check the length of entire paths in UNC or drive letter format.
  • Check the length of only file names or the lowest level component of paths.
  • Can specify the maximum length. Entries shorter than this length are not displayed.
  • Displays the length of each entry listed.
  • Can process files and/or directories including an entire directory structure. A directory structure may be checked to a nominated depth.
  • Can shorten file and directory names to comply with the desired maximum length.
  • Has flexible output options allowing columnar and csv formats for selected fields.

Adlist

Adlist lists objects of any class in Active Directory. Features include:

  • Can list all objects of any class in a container.
  • Can list all objects of a particular class in a domain, or branch of the domain.
  • Can locate an object with any common name (or partial name using wildcards) and class in the domain.
  • Can locate objects by samAccountName and by logon name (or user ID) which is the portion of the userPrincipalName preceding the ‘@’ symbol.
  • Can list groups by type (distribution or security) and whether global, local or universal.
  • Can list deleted objects in the “CN=Deleted Objects” container.
  • Can expand common names to distinguished names.
  • Can display the results in csv format.
  • Can identify objects in the domain with duplicate common names.
  • Can return an error level if no matching objects are found, providing a means to detect in a batch file if an object of any class exists.
  • Can set an error level equal to the number of matching objects.
  • Can display any combination of the common name, display name, samAccountName, user logon name (or user ID), userPrincipalName, SID, container, parent container and class.
  • Can sort the results by common name, display name, samAccountName, user logon name (or user ID), userPrincipalName, SID, container or class.
  • Can display totals only.
  • Can give the number of objects of the specified class in each container in any branch of the domain, or for the entire domain. An option exists to suppress the output for containers where the count is zero.

Adlookup

Adlookup provides an alternative to adgetval for displaying attributes. It is more limited in scope but provides a convenient means of searching AD for objects with a particular name, or with an attribute such as telephoneNumber containing a specific value. Features include:

  • Supports searching attributes holding string, 32 bit integer, large integer (which may hold 64 bit integers or dates and times), date and time, and boolean values.
  • Supports logical operators equals, not equals, less than or equal to, greater than or equal to, includes or does not include. The last two apply only to string values.
  • For maximum speed, it performs the search at the server where possible. However, LDAP does not support some searches, such as wildcard searches on object names; these are handled by adlookup at the workstation, with a consequent performance penalty.
  • Supports a value of “*” for all attribute types. When used with an “equals” operator, all objects are returned where the attribute has one or more values. When used with “not equals”, all objects are returned where the attribute is not populated.
  • For objects meeting the search criteria, adlookup can display either all attributes, or selected attributes read from a file.
  • Can retrieve values such as minimum password length from the domain object or a password settings object if applicable under W2008 onwards.
  • Supports searching users, groups, inetOrgPersons, computers and contacts.
  • Can sort the results by object name.
  • Can display the results in delimited format with a user selected delimiter, and values enclosed in double quotes.
  • Allows use of a labels file providing strings to display instead of actual attribute names e.g. “City” for “l” and “Surname” for “sn”.

Admakememb

Admakememb adds or removes users, contacts, inetOrgPersons, computers and well known objects from Active Directory and non-domain local groups. It manages group memberships from the member perspective whereas adgrpadd and adgrpdel manage the membership of groups. Admakememb can do the following for selected objects:

  • Add memberships to or remove memberships from individual groups.
  • Remove all group memberships.
  • Add or remove all group memberships of another object e.g. add user A’s memberships to user B.
  • Synchronise group memberships with the memberships of another object.
  • Synchronise group memberships with a list of group names in a file.

Admove

Admove moves Active Directory leaf objects from one container to another. Features include:

  • Can move a single object, objects selected using wildcards, all members of a group, or a list of objects in a file.
  • Can use an input file with one object to be moved, and the destination container, on each line.
  • Can override the “Protect from accidental deletion” setting which not only prevents deletion but also prevents the object from being moved.

Admovedir

Admovedir moves files and directories from one location to another within the same server and volume by moving the directory entry rather than copying and deleting. It can move entries on both local and network drives and on Micro Focus (Novell) servers if the client for OES Enterprise Server (the Novell client) is installed.

Admovehome

Admovehome moves home directories from one location to another. It can do the following:

  • Create a new home directory and copy the contents of the old home directory. When the home directory is being relocated within the same volume, the default action is to move the directory entry rather than create a new one and copy the contents.
  • Can control the name used for the lowest level of the home directory path. Possible values are the existing directory name (the default), the common name, the sam account name and the user logon name.
  • Set ownership on the new home directory and copy the entire discretionary ACL from the old home directory.
  • Optionally delete the contents of the old home directory if no errors occurred during the copy.
  • Optionally copy a volume quota on the old home volume to the new volume. The volume quota may also be removed from the old volume.
  • Copy a share on the home directory if it is being moved to a different server.
  • Update the homeDirectory attribute.
  • Revoke all rights and ownership to the old home directory. Ownership is set to administrator.
  • Set or clear the archive bit on the copied files.
  • Can create a file of adfsupdate commands to delete the old home directories at a later date.

Adobjsec

Adobjsec is a fully GUI version of adgetobjsec allowing all or any parts of the security descriptor to be displayed for objects of any class. Its features include:

  • Can display up to 17 output fields in any order. They are:
    Object name
    Security principal
    Ace type
    Permissions
    Inheritance flags
    Ace applies to
    Ace inherited by
    Parent container the ace is inherited from
    Ace source (DACL or SACL)
    Object display name
    Object class
    Principal class
    Principal SID
    Permissions mask in hexadecimal
    Security descriptor control flags
    Security descriptor owner
    Security descriptor group
  • Has extensive facilities for filtering DACL ACEs e.g. on ACE type, principal object class, inherited or explicit, permissions, applies to and inherited by.
  • Can display only ACEs for orphaned objects.
  • Can display ACEs in the DACL, the SACL or both.
  • Has right click options for adding, removing and modifying non-inherited ACEs.

Adopenfile

Adopenfile displays the files held open on a host by network connections. It can do the following:

  • List all open files in and below a given network path.
  • List all files on a server held open by network connections.
  • Display open files for a given user or for objects selected via wildcards.
  • Can display a list of workstations from which the user holding a file open is connected. It is not possible to retrieve the specific workstation holding a file open but it is possible to retrieve a list of workstations from which a user is connected.
  • Close open files.
  • Display the number of locks on each file and the permissions used to open it.
  • Has flexible output options allowing fields to be displayed in any combination and order, and optionally in csv format.
  • The results may be sorted on any field.

Adprdel

Adprdel deletes jobs queued to Windows printers. It can do the following:

  • Delete jobs by ID.
  • Delete jobs for a range of IDs e.g. 20-25.
  • Delete jobs by owner.
  • Delete a selected number of jobs at the top of the queue.
  • Delete all queued jobs.
  • Prompt for confirmation before deleting each job.

Adprjobs

Adprjobs lists jobs queued to Windows printers. Jobs may be selected by owner, and the following fields may be displayed in columnar or delimited format:

    Printer name
    Computer from which the job was submitted
    Document name
    Submission time
    Page count
    Pages printed
    Job ID
    Priority
    Job position
    Notify name
    Path and document name
    Print processor
    Job status (printing, deleting, etc)
    Document type
    Owner
    Earliest print time
    Latest print time
    Size in bytes

Adpsomgr

Adpsomgr manages password settings objects (PSOs), which hold the values for fine-grained password policies under Windows Server 2008 onwards. It can do the following:

  • Create new PSOs, optionally using an existing PSO as a template.
  • Delete PSOs.
  • Display the attributes of PSOs. A range of options are available including the ability to display all attributes and the security descriptor.
  • Modify one or more of a PSO’s settings. All password related settings, plus the description and display name may be modified.
  • Display the domain-wide password settings for the current domain.
  • Display the security descriptor for the Password Settings Container.

Adpwdexp

Adpwdexp is intended for use in a login script where it displays a warning if the user’s password is about to expire. However, it can also perform the check for any nominated user. Features include:

  • The number of days before expiration at which warnings begin is adjustable and defaults to seven.
  • Can force a password change before or after password expiration.
  • It will prompt for and change the password.
  • Sets one of a range of error levels indicating whether the password is within the expiration period, whether a password was successfully changed, etc.
  • Supports fine-grained password policies.
  • Both text mode and GUI versions are available.
  • The GUI version has a number of extra features including:

    • Can change AD domain, workstation and eDirectory passwords.
    • Can force the window to remain as the topmost window.
    • Can customise the window reporting the impending expiration.
    • Allows either one or two lines of user supplied text to be displayed.
    • Can control how long the window warning of impending password expiration remains open.
    • Can prevent changing other passwords if the Active Directory password is not successfully changed first.
    • Can display a customer supplied graphic in the upper right of the window.

    Adrename

    Adrename allows renaming of any class of Active Directory object. Features include:

    • When renaming a user or inetOrgPerson, it will check for the existence of a homeDirectory attribute. If found, adrename will rename the lowest level of the home directory path to match the new name, and update the contents of the homeDirectory attribute.
    • Can specify the home directory path on the command line when the user does not have a homeDirectory attribute.
    • When renaming a user or inetOrgPerson, adrename can rename the profile path and update the profilePath attribute. Version 2 profile paths are supported.
    • Can process an input file containing one old name and one new name per line.
    • Can change the case of the names of existing objects to all lowercase, all uppercase, or to a mixture of upper and lowercase.
    • Can specify a new first (given) name.
    • Can specify a new surname.
    • Can specify a new display name.
    • Can create a new samAccountName to match the new object name.
    • Can update the email address in the mail attribute.
    • Can update the principal name in the userPrincipalName attribute.
    • Can update the value in the Exchange mailNickname attribute.
    • Can perform all requested changes to attribute values but not rename the object itself, i.e. the original CN is retained.

    Adrights

    Adrights displays the effective rights of objects in AD to other objects. It can do the following:

    • Display the rights of one or more objects to other objects.
    • Display the rights of one or more objects to an attribute (e.g. department) of other objects.
    • Display the rights of one or more objects to extended rights of objects, e.g. “Reset Password”.
    • The results can be in columnar or delimited format.
    • The results can be filtered based on the effective rights.
    • The results can be sorted on any of six possible output fields.

    Adschema

    Adschema displays information from the Active Directory schema. The following may be displayed:

    • Object classes in the schema. Wildcards may be used to list only a subset of the defined classes.
    • For each object class, the names of attributes which are valid for that class.
    • For each object class, full details of attributes which are valid for that class.
    • For each object class, only attributes using a particular syntax may be displayed.
    • A list of attributes defined in the schema. Wildcards may be used to list only a subset of defined attributes.
    • Selected details for one or more attributes. These include the attribute syntax, OID, whether single or multi-valued, any length constraints for a string value, and any property sets belonged to.
    • A list of attributes with the object classes for which the attribute is valid.
    • The adschema program may be used before and after a product install to identify changes made to the schema by the installation.

    Adsessions

    Adsessions lists current sessions on one or more Windows hosts. It has the following features:

    • Can display a number of fields associated with each session including the object name, computer name, computer IP address, active connection time, number of open files, connection flags, Windows version and transport type.
    • The output fields and their order may be selected, and displayed in columnar or delimited format.
    • The results may be sorted on any of the output fields.
    • Session details may be displayed only for matching objects.
    • Session details may be displayed only for matching computers (name or IP address) from which the connection originates.
    • An error level may be set indicating that a matching object or computer was found, or indicating the number of matches.

    Adsetdirquota

    Adsetdirquota sets and removes directory quotas individually or en masse. The program must be run on W2008 server or later. It can do the following:

    • Process individual directories, all subdirectories of a directory, or an entire directory structure.
    • Set quota values for the home directories of individual users, users selected via wildcards, or for all members of a group. The home directory for each user is obtained from their homeDirectory attribute.
    • Apply a quota or a quota template.
    • Can increase or decrease existing quotas by a nominated amount or percentage.
    • Set quotas relative to the current usage.
    • Remove quotas and quota templates.
    • Set the quota status to hard, soft or disabled.
    • Reset the peak usage value to the current usage.
    • Prompt for confirmation before setting each value.

    Adsethome

    Adsethome performs a range of tasks for managing home directories, and the homeDirectory and homeDrive attributes. Features include:

    • Can process a single user or inetOrgPerson, objects selected using wildcards, all members of a group, or a list of objects in a file.
    • When a directory is specified, (e.g. \\moa\students\2011), adsethome will automatically append a name to obtain the complete home path. The name appended may be the common name, sam account name or the user logon name.
    • A complete path can be specified when the lowest level of the home directory does not match any of the object’s names.
    • Can create the home directory if it does not exist. The user is optionally assigned permissions and ownership of the directory.
    • Can set ownership of the entire home directory contents when the home directory already exists.
    • Can create home directories without modifying the contents of the homeDirectory attribute.
    • Can set the homeDirectory attribute without creating the home directory, or verifying that the path is valid.
    • Can modify ownership and permissions for existing home directories. Both grant and deny ACEs may be added to or removed from the DACL.
    • Can add or remove permissions for another object to each user’s home directory.
    • Can remove a user’s permissions to their home directory.
    • Can add and remove volume quotas and associated warning thresholds.
    • Can delete homeDirectory attributes.
    • Can set or delete the homeDrive attribute.

    Adsetobjsec

    Adsetobjsec modifies components of the security descriptor from the ntSecurityDescriptor attribute for objects of any class in Active Directory. Features include:

    • Can add or remove ACEs from the DACL. These may control rights to the object, to a property or property set, or enable an extended right.
    • Can set the object’s owner.
    • Can set the object’s group.
    • Can restore components of the security descriptor in SDDL format from a file created by adgetobjsec.

    Adsetowner

    Adsetowner is a flexible tool for setting file and directory ownership. It can do the following:

    • For a single user, users selected via wildcards, all members of a group or a list of users in a file, set the ownership of the contents of the home directory. The path is read from the homeDirectory attribute.
    • For a directory, set ownership of the directory and contents to a user corresponding to the directory name e.g. larry for \\yogi\users\larry, or to another named object.
    • For all first level subdirectories of a directory, set ownership of each subdirectory tree to the user corresponding to the directory name. For example, if \\yogi\users has subdirectories harry, barry and larry, a single command can be used to set ownership of files in \\yogi\users\harry to harry, \\yogi\users\barry to barry and \\yogi\users\larry to larry.
    • A directory structure can be processed to a nominated depth.
    • Set ownership of one or more files and directories to a specified object.
    • Can set ownership of either files or directories, or both.
    • Can set ownership to an object in a trusted domain.
    • Can prompt for confirmation before modifying each file or directory.
    • Process a file created by adwhodidit to restore one or more of ownership, creation date and time, modification date and time, last access date and time, and attributes.

    Adsetpwd

    Adsetpwd sets and verifies passwords for Active Directory users. Its features include:

    • Can set a password for an individual user either with the old password or, if the person making the change has sufficient rights, without it.
    • Can change passwords for multiple users via wildcards, all members of a group, or an input file.
    • Can change passwords for a range of users given in the form exam010-exam050.
    • Can accept a new password on the command line, or via an input file if the password has been generated by some other means.
    • Checks for “Password Reset” rights when the old password is not supplied, which is faster than attempting the change and having it fail due to insufficient rights.
    • Can set the password to match the user name (subject to any password policy).
    • Can set a different password for each user via an input file containing user name and password pairs on each line.
    • Can generate random passwords of any length using numeric, alphanumeric, alphabetic or symbol characters of mixed case or single case. The generated passwords may be written to a file, along with the user name and optionally the server name and user’s description. The random passwords can be generated without them actually being set.
    • Can check password compliance against the password policy rather than set the password. This requires that adsetpwd be run on Windows 2003 or a more recent server OS. The function used is not supported on Windows 2000 servers or on workstations.
    • Can expire the password after an administrator change.
    • Can verify passwords i.e. determine if a given password is the user’s current password.
    • Can unlock an account before setting a user’s password.
    • Can display the passwords being set or verified when reporting the results. The default is to not do so, but this may be useful when reading passwords from an input file or when generating random passwords.
    • Can set passwords for local users on a workstation.

    Adsetrest

    Adsetrest sets those account restrictions maintained at the object level rather than domain wide or via a password settings object. These include:

    Account is disabled
    Account expiration date and time
    Account is locked (unlock only)
    Logon hours
    Password expired
    Password never expires
    Password required
    Password reversible encryption
    Password settings object
    Password user can change
    Protect from accidental deletion
    Workstation restrictions

    Features include:

    • Supports users, inetOrgPersons and computer objects in Active Directory.
    • Supports non-domain users on local workstations.
    • Restrictions may be set for a single object, objects selected using wildcards, all members of a group, or a list of objects from a file.
    • Can prompt for confirmation before modifying each object.
    • Supports processing nested groups.

    Adsettrust

    Adsettrust manages ACE entries in the discretionary access control list for files and directories. Specifically, it can do the following:

    • Add grant or deny ACEs for one or more directories or files.
    • Remove grant or deny ACEs for one or more directories or files.
    • Restore ACEs from a file of adsettrust, icacls or cacls commands created by adtrstlist.
    • Restore security descriptor components from a file containing object names and Security Descriptor Definition Language (SDDL) data.
    • Accepts wildcards in trustee object names allowing multiple objects to be updated for the same files and directories.
    • Check for and optionally fix ACLs containing duplicate ACEs, incorrectly ordered ACEs or unused space.
    • Grant or remove non-propagated RX rights to each parent directory, or to a specified number of levels of parent directories, thereby providing a means to browse to the directory from the volume root.
    • Modify DACLs on both Active Directory servers and on workstations.
    • Accepts rights in numeric format as well as accepting the well known symbols of R, X, GR, GE etc.
    • Can control the inheritance for each directory. Inheritance can be enabled, disabled with existing ACEs converted to explicit, or disabled with existing inherited ACEs discarded. This can be done at the same time as adding or removing ACEs, or as a stand-alone operation.
    • Remove ACEs containing orphaned SIDs where the corresponding object has been deleted but the SID remains in the file system.

    Adsetval

    Adsetval can set a wide range of attributes for objects of any class. Its features include:

    • Can set attribute values for a single object, objects selected using wildcards, all members of a group (optionally including nested group members), or a list of objects from a file.
    • Can set attributes holding text values such as givenName, middleName, sn (surname), description and department.
    • Can be used to change the case of existing values for text attributes.
    • Can set boolean attributes such as msNPAllowDialin.
    • Can set attributes holding integer values such as userAccountControl, codePage or the domain’s maxPwdAge.
    • Can set attributes holding dates as values such as accountExpires.
    • Can set attributes holding object names e.g. member, seeAlso and secretary.
    • Can set values for attributes holding photos or graphics by reading the value from a file.
    • Can set correctly formatted values for the info attribute which typically holds a number of lines of text separated by <CR><LF> pairs. These are inserted in place of a nominated character in the input string.
    • Can replace existing values for multi-valued attributes or add new values.
    • Can set values only for unpopulated attributes.
    • Allows the setting or removal of specific bits from 32 bit values stored in integer attributes. For example, adsetval Fred /a=userAccountControl /# +0x02 adds bit 0x02 which disables the account.
    • Can copy a value from the same attribute of another object, from another attribute of the same object or from a different attribute of another object.
    • Accepts as input a csv file containing one object name and attribute value per line.
    • Can delete all or selected values for an attribute.

    Adsetvolquota

    Adsetvolquota sets disk quotas and warning thresholds for multiple users. Features include:

    • Can set values for a single user, users selected using wildcards, all members of a group, or a list of users in a file.
    • Can set values on each user’s home volume by reading the homeDirectory attribute, or on a designated volume.
    • Quotas may be specified in units of bytes, KB, MB or GB.
    • Can increase or decrease existing values by a nominated amount or percentage.
    • Can set values relative to the current disk usage e.g. the current usage plus 20% or current usage plus 50MB.
    • Can remove quotas and thresholds.
    • Can prompt for confirmation before setting each value.

    Adspace

    Adspace displays the maximum space, usage and available space for the home directory of a single user, or for a specific directory. When run by a member of the administrators group, it can display volume based quota information for the home volume of a user, and can display directory quota information under W2008 onwards. For a non-privileged user, adspace retrieves values via a generic win32 function which returns values reflecting a volume based quota if applicable to the caller, and if run on W2008 onwards, directory quotas. However, directory quota information can be retrieved only by programs running on the server on which the quota exists. Adspace can work around this when used in conjunction with the jrbserv Windows system service which responds to a request for quota information for a specific directory, and returns the relevant values to the requestor. Adspace has the following features:

    • Can display volume based quota information, directory quota information or volume wide values when run by a member of the administrators group.
    • Can display correct results for a non-privileged user when a volume based quota is applicable.
    • Can display correct results for a non-privileged user when a directory quota applies to the target directory providing that either adspace is run on the server on which the directory exists, or is used in conjunction with the jrbserv Windows system service.
    • Can display a warning when the free space falls below a specified level, or a specified percentage of the maximum space.
    • The GUI version can run silently, producing a window only when the free space has fallen below the nominated threshold.
    • The GUI version can display the results window for a specified number of seconds before automatically closing it.
    • Very flexible output formats including the ability to provide replacement text containing substitution identifiers for maximum space, free space etc.
    • The values can be displayed in bytes, KB, MB or GB.
    • Can display values for a selected subdirectory of a user’s home directory.
    • Can be run on any Windows host, domain membership is not required.

    Adtrstlist

    Adtrstlist displays components of the security descriptor for files and directories. It can do the following:

    • Display all or any combination of the DACL, SACL, owner, group and security descriptor flags.
    • Supports both local and network paths.
    • Process selected files and directories, or an entire directory structure. For the latter, a maximum depth to process may be specified.
    • Process a specified path then each of its parent directories.
    • For a single user, users selected via wildcards, all members of a group, a group object or a list of users in a file, display the ACEs in a DACL or SACL for which the object is a trustee. This may be done on a user’s home directory or for a specified directory or file.
    • Suppress the display of DACL and SACL ACEs for well-known security identifiers such as “CREATOR OWNER”.
    • Suppress the display of DACL and SACL ACEs for a list of objects in a file.
    • Suppress the display of DACL and SACL ACEs for selected subdirectories when processing an entire directory structure.
    • Display explicit (non-inherited) ACEs, inherited ACEs, or both.
    • Display access allowed ACEs, access denied ACEs, or both.
    • Display ACEs selectively based on the permissions granted or denied.
    • Display ACEs selectively based on the object class of the trustee. In addition to being able to specify user, group etc, special values “wko” (well-known objects), “ggroup” (global groups), “lgroup” (domain local groups), and “ugroup” (universal groups), may be used.
    • Display only those ACEs containing orphaned SIDs.
    • Display the rights in character form e.g. RWXD or as a 32 bit hexadecimal value representing the permissions mask.
    • Display the ACEs from a DACL as cacls, icacls or adsettrust commands.
    • Display paths for which there are no ACEs for a selected trustee.
    • Display security descriptor components in Security Descriptor Definition Language (SDDL) format.
    • Display security descriptor components based on the presence or absence of particular control flags e.g. DP (DACL protected).
    • Has flexible output formats including selected fields in any order and optionally in comma or semicolon delimited format.
    • Sort the results on any field.
    • Can show the actual contents of the DACL by using the old GetFileSecurity function. The newer GetNamedSecurityInfo, which is used by default, returns correct results for inheritance. If the two methods give different results for a particular directory, then the actual contents of the DACL need updating for inheritance.
    • Invokes backup privilege if required to read the DACL.
    • When processing a directory structure, entries with particular attributes (e.g. system, hidden) may be skipped.
    • When processing a directory structure, entries may be skipped based on their name. This allows ignoring a particular branch of a directory structure, or just selected files.

    Adusergrps

    Adusergrps lists the groups to which one or more users belong. Features include:

    • Can list group memberships for a single user, users selected using wildcards, all members of a group, or a list of users in a file.
    • Can display memberships for both domain objects and non-domain local users.
    • Can suppress selected group types (e.g. distribution groups) from the results.
    • Includes the primary group by default.
    • Can include or exclude selected groups.
    • Can display only those groups which exist in the same container as the user, in a particular container, or in a particular container plus its child containers.
    • Can sort the users and/or the groups to which they belong.
    • Has flexible formatting options including the ability to list the results as adgrpadd and adgrpdel commands.
    • Supports nested groups.
    • Can run without AD being present allowing it to be used to display memberships on a workstation which is not a domain member.

    Adwhodidit

    Adwhodidit displays selected information about files and directories which is useful in determining when they were created, modified, last accessed and by whom. It can list any combination of the following fields:

    • Attributes
    • Creation date and time
    • The cumulative usage in a directory
    • File or directory extension
    • Last access date and time
    • Length of each path
    • Logical size as shown by Explorer
    • Long name
    • Modification date and time
    • Number of data streams associated with each file
    • Number of files in each directory
    • Number and size of extended attributes
    • Owner
    • Physical size (for compressed or sparse files)
    • Second data stream size
    • Short (DOS) name
    • Space used exclusive of subdirectories
    • Space used inclusive of subdirectories

    Features include:

    • The user may select which of the above are to be displayed, in what order, and the width of the columns.
    • A template file containing text and substitution identifiers may be used. This allows any combination of values to be given in any format and may be useful to create a batch file of commands incorporating file names.
    • The results may be filtered on any value e.g. it is possible to display details of files greater than a certain size, files which are compressed, or all files and directories owned by a particular user.
    • Filters may be combined in a logical expression e.g. “(owner=John) and (size gt 100mb)”.
    • Can display only the total files or directories.
    • Can display only a user defined number of the oldest or newest files in each directory based on creation, modification or last access dates.
    • Can display file and directory information for both Windows and Micro Focus (Novell) drives. The full functionality for Micro Focus servers is available when run on a machine with the client for OES Enterprise Server (Novell client) installed.