
Active Directory Command-Line Tools

A number of command-line tools are required to manage an Active Directory environment. This post will help you find and understand all of these utilities on a single page.

Dcdiag.exe: This command-line tool analyzes the state of domain controllers in a forest or enterprise and reports any problems to assist in troubleshooting. As an end-user reporting program, Dcdiag encapsulates detailed knowledge of how to identify abnormal behavior in the system. Dcdiag displays command output at the command line.

Some common uses of the Dcdiag tool:

1. Checking FSMO roles on a Domain Controller
2. Troubleshoot Active Directory replication errors
3. Check DNS registration
4. Examine Domain Controller and verify it is functioning correctly
5. Topology Integrity
6. Inter site Health
7. Trust Verification
8. File Replication Service

Dsacls.exe: Used to manage ACLs for Active Directory objects.

Ldp.exe: Ldp.exe is a Windows Support Tools utility you can use to perform Lightweight Directory Access Protocol (LDAP) searches against the Active Directory for specific information given search criteria. This also allows administrators to query data that would otherwise not be visible through the Administrative tools included in the product. All data that is returned in LDP queries, however, is subject to security permissions.

Nltest.exe: Nltest.exe is a very powerful command-line utility that can be used to test trust relationships and the state of domain controller replication in a Windows NT domain.

Repadmin.exe: Used to monitor, diagnose, and manage replication issues. Repadmin.exe is a Microsoft Windows tool. It is a command-line interface to Active Directory replication. This tool provides a powerful interface into the inner workings of Active Directory replication, and is useful for troubleshooting Active Directory replication problems.

Replmon.exe: Used to monitor and manage replication through a graphical user interface (GUI). This GUI tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication.

Sdcheck.exe: Displays the security descriptor for Active Directory objects and can be used to check ACL propagation and replication and whether the ACLs are being inherited correctly.

Setspn.exe: Used to view, change, or delete the Service Principal Names (SPN) directory property for a service account in Active Directory.

Cacls: Used to view and change user and group permissions to resources. Through Cacls, users can change the discretionary access control lists (DACLs) on files.

Cmdkey: Used to view, create, edit, and delete usernames, passwords, and credentials.
Csvde: Tool used to import and export data from Active Directory.

Dcgpofix: Used to return GPOs to their original state, that is, the state that they were in when first installed.

Dsget: Used to view a specified object's properties in Active Directory. The commands that can be utilized are:

- dsget user: to view a user's properties.
- dsget group: to view a group's properties.
- dsget computer: to view a computer's properties.
- dsget site: to view a site's properties.
- dsget subnet: to view a subnet's properties.
- dsget ou: to view an organizational unit's properties.
- dsget contact: to view a contact's properties.
- dsget server: to view a domain controller's properties.
- dsget partition: to view a directory partition's properties.
- dsget quota: to view a quota's properties.

Dsadd: Used to create objects in Active Directory including users, groups, computers, OUs, contacts, and quota specifications. The commands that can be utilized are:

- dsadd user: used to add a user.
- dsadd group: used to add a group.
- dsadd computer: used to add a computer.
- dsadd ou: used to add an OU.
- dsadd contact: used to add a contact.
- dsadd quota: used to add a quota specification.

Dsmod: Used to modify the attributes of an existing object in Active Directory. The commands that can be utilized are:

- dsmod user: used to modify a user's attributes.
- dsmod group: used to modify a group's attributes.
- dsmod computer: used to modify a computer's properties.
- dsmod ou: used to modify an organizational unit's attributes.
- dsmod contact: used to modify a contact.
- dsmod server: used to modify a domain controller's properties.
- dsmod partition: used to modify a directory partition.
- dsmod quota: used to modify a quota's properties.

Dsmove: Used to move an Active Directory object to a new container within the domain.

Dsrm: Used to remove an Active Directory object or container.

Dsquery: Used to locate or find object(s) that match the defined search criteria.

Ldifde: Used to create, delete, and modify objects from the Active Directory directory, to import or export user/group information, and to extend the Active Directory schema.

Ntdsutil: Used to manage domains, information in the Active Directory directory, and log files. Ntdsutil can also be used when an authoritative Active Directory restore needs to be done. The tool is also used to manage SIDs and the master operation roles.

Ntfrsutl.exe: This command-line tool dumps the internal tables, thread and memory information for the NT File Replication Service (NTFRS). It runs against local and remote servers.

Gpupdate.exe: The gpupdate command refreshes local and Active Directory-based Group Policy settings, including security settings, on the computer from where it is run. You can use gpupdate locally on Windows XP and higher computers to refresh policy immediately. On computers running Windows 2000, this functionality is provided by using the secedit command with the refreshpolicy option.

Gpresult.exe: Displays the Resultant Set of Policy (RSoP) information for a remote user and computer.
