Great Active Directory Utilities

Hi Guys,

Just did some surfing on Codeplex and stumbled upon a couple of great tools for Active Directory administration, management and logging.

They're a must-have for every Active Directory administrator:

CheckDSAcls ver. 2.1.3366.19506
Exports ACLs on Active Directory objects in CSV format. It supports the following features:

  • Export only explicitly assigned ACLs
  • Export ACLs on descendant objects
  • Search within ACLs for a specific identity. Where does "Domain\Some Admin" have explicit access?
  • Choose to show either DACLs or SACLs or both.
  • Apply a search filter to the descendant objects to return, e.g. "(objectCategory=computer)".
  • Compare the explicit ACLs to the defaultSecurityDescriptor and indicate if an ACE is additional or missing.
  • Report size of ACL as returned from AD (Note: This ACL size will change depending on whether or not both DACL and SACLs are requested).
  • Reports ACLs on "Deleted Objects" containers, when the "CN=Deleted Objects" is contained within the base DN.
  • Takes input from STDIN
  • Option to break object DistinguishedName into multiple columns in order to allow more flexibility in sorting and data mining in Excel.
  • Compares the SACLs on the objects to the defaults for the objectClass as specified in defaultSecurityDescriptor in the schema.
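To show what an export like the one CheckDSAcls produces involves, here is an added PowerShell example; it is not CheckDSAcls or any of its code. It walks the objects under a base DN, keeps only the explicit (non-inherited) DACL ACEs, optionally filters them to one identity, and marks each ACE as "default" or "additional" by comparing it against the defaultSecurityDescriptor of the object's class in the schema. It assumes the RSAT ActiveDirectory module and the AD: drive it provides; the function and parameter names are this example's own.

```powershell
# Added example, not the CheckDSAcls tool. Export explicit DACL ACEs to CSV and mark
# each one as 'default' (present in the schema defaultSecurityDescriptor for the
# object's class) or 'additional'. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Fields that make two ACEs "the same" for comparison purposes: trustee SID, allow/deny,
# rights mask, object-type GUIDs and inheritance scope.
function Get-AceKey($ace) {
    $parts = @($ace.IdentityReference.Value, $ace.AccessControlType, $ace.ActiveDirectoryRights,
               $ace.ObjectType, $ace.InheritedObjectType, $ace.InheritanceType)
    return ($parts -join '|')
}

function Export-ExplicitDsAcl {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # e.g. 'OU=Servers,DC=corp,DC=example' (assumed name)
        [string] $LdapFilter = '(objectClass=*)',       # narrow the descendants, e.g. '(objectCategory=computer)'
        [string] $Identity,                             # optional 'DOMAIN\name': keep only ACEs granted to it
        [string] $OutFile = 'explicit-acls.csv'
    )

    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $defaultCache = @{}

    # The ACEs an object of this class is created with, from the schema defaultSecurityDescriptor
    # (SDDL). Aliases such as DA or EA in that SDDL resolve against the domain of the machine
    # running this, so run it inside the domain you are auditing.
    function Get-DefaultAceKeys([string] $class) {
        if (-not $defaultCache.ContainsKey($class)) {
            $keys = @{}
            $cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$class))" -Properties defaultSecurityDescriptor
            if ($cls -and $cls.defaultSecurityDescriptor) {
                $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
                $sd.SetSecurityDescriptorSddlForm($cls.defaultSecurityDescriptor)
                foreach ($ace in $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
                    $keys[(Get-AceKey $ace)] = $true
                }
            }
            $defaultCache[$class] = $keys
        }
        return $defaultCache[$class]
    }

    $wantSid = $null
    if ($Identity) {
        $wantSid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate([System.Security.Principal.SecurityIdentifier]).Value
    }

    $rows = foreach ($obj in Get-ADObject -SearchBase $SearchBase -LDAPFilter $LdapFilter) {
        # Get-Acl on the AD: drive returns the DACL; add -Audit (needs SeSecurityPrivilege) for the SACL.
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
        $defaults = Get-DefaultAceKeys $obj.ObjectClass
        # ($true, $false) = explicit ACEs only, no inherited ones; identities come back as SIDs.
        foreach ($ace in $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
            if ($wantSid -and $ace.IdentityReference.Value -ne $wantSid) { continue }
            try   { $who = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $ace.IdentityReference.Value }    # orphaned SID: keep the raw value
            [pscustomobject]@{
                DistinguishedName   = $obj.DistinguishedName
                ObjectClass         = $obj.ObjectClass
                Identity            = $who
                Type                = $ace.AccessControlType
                Rights              = $ace.ActiveDirectoryRights
                ObjectType          = $ace.ObjectType            # attribute/class/extended-right GUID, or all zeros
                InheritedObjectType = $ace.InheritedObjectType
                Inheritance         = $ace.InheritanceType
                VersusDefault       = $(if ($defaults.ContainsKey((Get-AceKey $ace))) { 'default' } else { 'additional' })
            }
        }
    }
    if ($rows) { $rows | Export-Csv -Path $OutFile -NoTypeInformation }
    return $rows
}

# Usage (assumed names):
# Export-ExplicitDsAcl -SearchBase 'OU=Servers,DC=corp,DC=example' -LdapFilter '(objectCategory=computer)' -Identity 'CORP\Some Admin'
```

The rows tagged "additional" are the ones worth reading: an explicit ACE that the schema default does not grant is either a deliberate delegation or a persistence foothold, and sorting the CSV by Identity shows at a glance where a given principal has been handed rights. The reverse check the tool also does (default ACEs that are missing from an object) is the same key comparison run in the other direction. DNs containing a forward slash need escaping before being used as an AD: drive path.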

ReplDiag ver. 2.0.3397.24022
AD Replication Diagnostics and Lingering Object Cleanup Automation

When checking replication health, it evaluates the following test cases:

  • Link is currently in a failure state.
  • Link has never successfully completed a replication cycle.
  • Partition hosted on the server has no links that have successfully completed an inbound replication cycle.
  • There is only one writable instance of the partition in the forest.
  • Partition has no inbound replication links.
  • Writable instance of the partition has no outbound replication links.
  • Partition resident in a site has no inbound replication link from an instance in another site.
  • Writable instance of the partition in the site has no outbound replication links.
  • Partition exists in only one site in the forest. This does not affect the health of replication.
  • Reports if a read-only partition exists on GC for which there is no writable instance.
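As an added example, not ReplDiag's own code, the following PowerShell evaluates the per-DC tests from the list above (link in a failure state, link that never completed a cycle, partition with no successful inbound link, partition with no inbound links at all) from the replication metadata each DC exposes. It assumes the RSAT ActiveDirectory module against a Windows Server 2008 R2 or later forest, since it relies on Get-ADReplicationPartnerMetadata; the function and column names are this example's own, and the way a never-successful link is detected is an assumption noted in the code.

```powershell
# Added example, not the ReplDiag tool. Evaluate the per-DC inbound replication tests
# for every DC (or the ones passed in). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function New-Finding($dc, $nc, $partner, $test, $detail) {
    [pscustomobject]@{ Server = $dc; Partition = $nc; Partner = $partner; Test = $test; Detail = $detail }
}

function Test-InboundReplication {
    param([string[]] $Server = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName))

    # A link that never replicated successfully has no success time. Assumption: the cmdlet
    # surfaces that as $null or the 1601 Windows epoch, which is what repadmin prints as "never".
    function NeverSucceeded($link) {
        return ($null -eq $link.LastReplicationSuccess -or $link.LastReplicationSuccess.Year -le 1601)
    }

    foreach ($dc in $Server) {
        $hosted = @((Get-ADDomainController -Identity $dc).Partitions)
        # One record per (partition, inbound partner) for every partition this DC hosts.
        $links  = @(Get-ADReplicationPartnerMetadata -Target $dc -Partition '*' -PartnerType Inbound)

        foreach ($l in $links) {
            if ($l.LastReplicationResult -ne 0) {
                New-Finding $dc $l.Partition $l.Partner 'Link is in a failure state' `
                    "result $($l.LastReplicationResult), $($l.ConsecutiveReplicationFailures) consecutive failures, last success $($l.LastReplicationSuccess)"
            }
            if (NeverSucceeded $l) {
                New-Finding $dc $l.Partition $l.Partner 'Link has never completed a replication cycle' ''
            }
        }

        foreach ($nc in $hosted) {
            $ncLinks = @($links | Where-Object { $_.Partition -eq $nc })
            if ($ncLinks.Count -eq 0) {
                New-Finding $dc $nc '' 'Partition has no inbound replication links' ''
            } elseif (-not ($ncLinks | Where-Object { -not (NeverSucceeded $_) })) {
                New-Finding $dc $nc '' 'Partition has no link that ever completed an inbound cycle' ''
            }
        }
    }
}

# Usage: Test-InboundReplication | Format-Table -AutoSize
```

The forest-wide tests in the list (only one writable instance, writable instance with no outbound links, partition present in a single site) need the outbound view as well, which is the same cmdlet with -PartnerType Outbound plus the site of each DC. A partition that has not completed an inbound cycle for longer than the tombstone lifetime is exactly the situation that leaves lingering objects behind, which is why the link tests and the cleanup belong in the same tool.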

It also automates the cleanup of lingering objects in Windows Server 2003 AD forests.

TrustCheck ver. 1.0.3069.38903
Collects all the trusts in the forest.

Reports on the following:

  • Trust flags: In Forest, Direct Outbound, Tree Root, Primary, Native Mode, Direct Inbound
  • Trust type: Uplevel, Downlevel, MIT, DCE
  • Trust attributes: Non-transitive, Uplevel Only, Quarantined (SID history), Forest Transitive, Cross Organization, Within Forest, Treat As External, Uses RC4 Encryption
  • When the password was last changed on inbound trusts.
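The following PowerShell is an added example, not TrustCheck's code. It reads the trustedDomain objects of a domain and decodes trustDirection, trustType and the trustAttributes bits into the names used above, and for inbound trusts reports when the trust password last changed by reading pwdLastSet on the interdomain trust account (the "<NetBIOS name>$" user object with INTERDOMAIN_TRUST_ACCOUNT set in userAccountControl). The trust flags in the first bullet come from the DsEnumerateDomainTrusts API rather than from LDAP attributes and are not covered here. Bit values follow the MS-ADTS definitions; the function and column names are this example's own, and it assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not the TrustCheck tool. Decode trust objects in a domain and report
# the trust password age for inbound trusts. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# trustAttributes bits as defined in MS-ADTS; names match the report fields above.
# Plain hashtables on purpose: an [ordered] dictionary would treat an integer index as a position.
$TrustAttributeFlags = @{
    0x0001 = 'Non-transitive'
    0x0002 = 'Uplevel Only'
    0x0004 = 'Quarantined (SID filtering)'
    0x0008 = 'Forest Transitive'
    0x0010 = 'Cross Organization'
    0x0020 = 'Within Forest'
    0x0040 = 'Treat As External'
    0x0080 = 'Uses RC4 Encryption'
}
$TrustTypes      = @{ 1 = 'Downlevel'; 2 = 'Uplevel'; 3 = 'MIT'; 4 = 'DCE' }
$TrustDirections = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

function Get-TrustReport {
    param([string] $Domain = (Get-ADDomain).DNSRoot)

    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    $trusts = @(Get-ADObject -Server $Domain -SearchBase "CN=System,$domainDn" `
                -LDAPFilter '(objectClass=trustedDomain)' `
                -Properties trustPartner, flatName, trustDirection, trustType, trustAttributes)

    foreach ($t in $trusts) {
        $attrs = [int]$t.trustAttributes
        $names = foreach ($bit in ($TrustAttributeFlags.Keys | Sort-Object)) {
            if ($attrs -band $bit) { $TrustAttributeFlags[$bit] }
        }

        # For an inbound trust the partner authenticates to this domain with an interdomain trust
        # account: a user object named '<flatName>$' with INTERDOMAIN_TRUST_ACCOUNT (0x0800) set in
        # userAccountControl. Its pwdLastSet is when the trust password last changed.
        $pwdLastSet = $null
        if ([int]$t.trustDirection -band 1) {
            $acct = Get-ADObject -Server $Domain -Properties pwdLastSet `
                -LDAPFilter "(&(sAMAccountName=$($t.flatName)`$)(userAccountControl:1.2.840.113556.1.4.803:=2048))"
            if ($acct -and $acct.pwdLastSet) { $pwdLastSet = [datetime]::FromFileTimeUtc([long]$acct.pwdLastSet) }
        }

        [pscustomobject]@{
            Domain            = $Domain
            Partner           = $t.trustPartner
            Direction         = $TrustDirections[[int]$t.trustDirection]
            Type              = $TrustTypes[[int]$t.trustType]
            Attributes        = ($names -join ', ')
            RawAttributes     = ('0x{0:X4}' -f $attrs)
            InboundPwdLastSet = $pwdLastSet
        }
    }
}

# Usage: Get-TrustReport | Format-Table -AutoSize
# Whole forest: (Get-ADForest).Domains | ForEach-Object { Get-TrustReport -Domain $_ }
```

Two things to look for in the output: an external trust without "Quarantined", or a forest trust with "Treat As External", has relaxed SID filtering, which is what makes sIDHistory abuse across that trust possible; and "Uses RC4 Encryption" on a trust means Kerberos tickets crossing it are protected by RC4 rather than AES. Trust account passwords are rotated automatically, so an InboundPwdLastSet far in the past usually means the trust is broken rather than merely old.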

SearchForDuplicateAttributeData 1.0.3338.29743
Given a specific attribute, search for all objects with the attribute and return the objects which have the same data in the attribute.

Default mode searches for users and computers with duplicate data in the servicePrincipalName attribute.
Allows custom searches. Examples:

  • Duplicate user/computer names: SearchForDuplicateAttributeData /AttributeName:"sAMAccountName"
  • Duplicate Exchange e-mail addresses: SearchForDuplicateAttributeData /AttributeName:"proxyAddresses"
  • Group users by Exchange mailbox store: SearchForDuplicateAttributeData /AttributeName:"homeMDB"
  • Servers with multiple printers: SearchForDuplicateAttributeData /AttributeName:"serverName"
  • Report printers by driver name: SearchForDuplicateAttributeData /AttributeName:"driverName"
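An added PowerShell example of the same search, written for this page rather than taken from SearchForDuplicateAttributeData: it indexes every value of a given attribute across the objects matching a filter, handles multi-valued attributes such as servicePrincipalName and proxyAddresses by indexing each value separately, compares case-insensitively as AD does for these syntaxes, and can run against the global catalog so that duplicates across domains are found too. The defaults mirror the tool's default mode (SPNs on users and computers). It assumes the RSAT ActiveDirectory module; the function and parameter names are this example's own.

```powershell
# Added example, not the SearchForDuplicateAttributeData tool. Find objects that share a
# value in the given attribute. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Find-DuplicateAttributeData {
    param(
        [string] $AttributeName = 'servicePrincipalName',
        [string] $LdapFilter    = '(|(objectCategory=person)(objectCategory=computer))',
        [string] $SearchBase    = (Get-ADDomain).DistinguishedName,
        [switch] $ForestWide    # query a global catalog on port 3268 instead of the current domain
    )

    # Only objects that have the attribute at all; saves pulling every object in the base.
    $filter  = "(&$LdapFilter($AttributeName=*))"
    $getArgs = @{ LDAPFilter = $filter; SearchBase = $SearchBase; Properties = $AttributeName }
    if ($ForestWide) {
        $gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
        $getArgs['Server']     = "$($gc):3268"
        $getArgs['SearchBase'] = ''     # an empty base on the GC port searches every partition
    }

    $index = @{}     # normalised value -> list of DNs that carry it
    foreach ($obj in Get-ADObject @getArgs) {
        foreach ($v in @($obj.$AttributeName)) {      # @() flattens multi-valued attributes
            $key = ([string]$v).ToLowerInvariant()
            if (-not $index.ContainsKey($key)) { $index[$key] = New-Object System.Collections.Generic.List[string] }
            $index[$key].Add($obj.DistinguishedName)
        }
    }

    foreach ($key in ($index.Keys | Sort-Object)) {
        $owners = @($index[$key] | Sort-Object -Unique)
        if ($owners.Count -gt 1) {
            [pscustomobject]@{ Attribute = $AttributeName; Value = $key; Count = $owners.Count; Objects = ($owners -join '; ') }
        }
    }
}

# Usage:
# Find-DuplicateAttributeData                                      # duplicate SPNs, current domain
# Find-DuplicateAttributeData -ForestWide                          # duplicate SPNs across the forest
# Find-DuplicateAttributeData -AttributeName proxyAddresses -LdapFilter '(objectCategory=person)'
```

Duplicate SPNs are not just an Exchange or SQL nuisance: the KDC cannot tell which account a service ticket should be encrypted to, so authentication to that service fails, and an SPN that unexpectedly appears on a second account is something to look at rather than just remove. The GC only holds the partial attribute set, so -ForestWide works for indexed attributes such as servicePrincipalName and proxyAddresses but not for every attribute the per-domain search can see.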

FindGuidInAD 1.0.3318.31807
Translates a GUID representing something in AD into the relevant object.

Useful for translating a GUID from an Access Control List (ACL) into either the object type or the extended right it references.
Also allows translation of an objectGUID to the DN of the object it references.
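As an added example, not FindGuidInAD's code, here is a PowerShell function that resolves a GUID the way the description above lists: first against the schema (schemaIDGUID of a class or attribute), then against the extended rights container (rightsGuid of an extended right, property set or validated write), and finally as an objectGUID. The raw ObjectType and InheritedObjectType GUIDs that an ACL export produces are exactly the input this is for. It assumes the RSAT ActiveDirectory module; the function and field names are this example's own.

```powershell
# Added example, not the FindGuidInAD tool. Resolve a GUID from an ACE (or anywhere in AD)
# to the schema object, extended right or directory object it names.
Import-Module ActiveDirectory

function Resolve-AdGuid {
    param([Parameter(Mandatory)] [guid] $Guid)

    $root = Get-ADRootDSE
    $result = [ordered]@{ Guid = $Guid; Kind = 'Unknown'; Name = ''; DistinguishedName = '' }

    if ($Guid -eq [guid]::Empty) {
        # An all-zero ObjectType means the ACE applies to the object as a whole, not to one type.
        $result.Kind = 'AllObjectTypes'; $result.Name = '(ACE applies to the whole object)'
        return [pscustomobject]$result
    }

    # schemaIDGUID is an octet string, so the filter needs the GUID bytes escaped as \xx.
    $escaped = ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    $schema = Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter "(schemaIDGUID=$escaped)" -Properties lDAPDisplayName
    if ($schema) {
        $result.Kind = $(if ($schema.ObjectClass -eq 'classSchema') { 'Class' } else { 'Attribute' })
        $result.Name = $schema.lDAPDisplayName; $result.DistinguishedName = $schema.DistinguishedName
        return [pscustomobject]$result
    }

    # Extended rights store rightsGuid as a string, so the GUID's text form matches directly.
    $rightsBase = "CN=Extended-Rights,$($root.configurationNamingContext)"
    $right = Get-ADObject -SearchBase $rightsBase -LDAPFilter "(rightsGuid=$Guid)" -Properties displayName, validAccesses
    if ($right) {
        # validAccesses tells the three kinds apart: 0x100 control access (extended right),
        # 0x8 self write (validated write), otherwise read/write property (property set).
        $va = [int]$right.validAccesses
        $result.Kind = $(if ($va -band 0x100) { 'ExtendedRight' } elseif ($va -band 0x8) { 'ValidatedWrite' } else { 'PropertySet' })
        $result.Name = $right.displayName; $result.DistinguishedName = $right.DistinguishedName
        return [pscustomobject]$result
    }

    # Last resort: the GUID is an object's own objectGUID (e.g. from a replication or lingering-object report).
    try   { $obj = Get-ADObject -Filter { objectGUID -eq $Guid } }
    catch { $obj = $null }
    if ($obj) {
        $result.Kind = 'Object'; $result.Name = $obj.Name; $result.DistinguishedName = $obj.DistinguishedName
    }
    return [pscustomobject]$result
}

# Usage: Resolve-AdGuid '00299570-246d-11d0-a768-00aa006e0529'   # resolves to the User-Force-Change-Password extended right
```

Resolving the ObjectType GUID is what turns an opaque "ExtendedRight" ACE into something auditable: the same ACE shape can mean a password reset right, a replication right such as DS-Replication-Get-Changes, or a harmless property set, and only the GUID tells you which. The objectGUID lookup above searches the current domain; pass the right domain to Get-ADObject with -Server for objects elsewhere in the forest.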

/ Peter

