Active Directory Management Tools


An Introduction to the Active Directory Management Tools

Active Directory or directory service management is a vital component of any administration process if Active Directory is implemented in your networking environment. The two types of management or methods of administration that can be utilized to manage the directory service are:
  • Administrative tools that utilize a graphical user interface (GUI)
  • Command-line tools
Windows Server 2003 includes a number of new command-line tools that can be utilized to manage Active Directory objects as well as the various parts of the Active Directory directory. The Administrative tools that utilize a GUI can be accessed via the Administrative Tools menu.
The main management tool utilized to manage Active Directory is the Microsoft Management Console (MMC). The MMC is not itself a management tool; it provides the interface into which Active Directory snap-ins are loaded. Snap-ins provide specific administrative functionality. The MMC interface allows you to create custom console tools, and also enables you to load multiple snap-ins into a single console.

The following MMC snap-ins provide specific Active Directory administrative functionality:

  • Active Directory Domains and Trusts: Used to manage domains, domain trust relationships, domain trees and forests, and to change the domain mode. Active Directory Domains and Trusts is also used to configure user principal name (UPN) suffixes.
  • Active Directory Users and Computers: Used to create, configure and manage objects in Active Directory such as users, groups, computers and organizational units (OUs).
  • Active Directory Sites And Services: Used to create, configure and manage sites and subnets. Active Directory Sites And Services is also used to manage domain controller replication.
  • Active Directory Schema: Unlike the previously mentioned MMC snap-ins, the Active Directory Schema snap-in is not available on the Administrative Tools menu. You have to manually install Active Directory Schema and create an MMC for it as well. Active Directory Schema is used to view and change the Active Directory schema.

A few improvements introduced in Windows Server 2003 for the Active Directory management tools include the following capabilities:

  • You can choose or select multiple resources or objects individually by holding down the Ctrl key and then individually selecting the objects or resources that you want to work with.
  • You can also select a range of objects simultaneously by pressing down the Shift key, clicking the first object and then clicking the last object.
  • You can change and set the properties of multiple resources or objects.
  • You can drag resources or objects to new locations.
In addition to the above mentioned MMC snap-ins, you can also use Resultant Set Of Policy to view current policy for a user on a system. You can also plan policy changes using Resultant Set Of Policy. You can use the Active Directory Installation Wizard to create domain controllers, new domains, domain trees, and forests. Windows Server 2003 includes links to the Active Directory Installation Wizard on the Manage Your Server Wizard. This is the wizard which is displayed after the operating system is installed. The Windows Support Tools also contain additional Active Directory specific management tools.

How to add the three commonly utilized Active Directory snap-ins to the MMC:

  1. Click Start, Run and enter mmc in the Run dialog box. Click OK.
  2. Select Add/Remove Snap-in under the File menu.
  3. The Add/Remove Snap-in dialog box is displayed next.
  4. Click the Standalone tab. Click Add.
  5. The Add Standalone Snap-in dialog box is where you add the Active Directory snap-ins that should be displayed in the Microsoft Management Console.
  6. Click Active Directory Domains and Trusts from the available list and click Add.
  7. Click Active Directory Sites and Services from the available list and click Add.
  8. Click Active Directory Users and Computers from the available list and click Add.
  9. Click Close.
  10. The snap-ins that have been selected should be displayed in the Add/Remove Snap-in dialog box.
  11. Click OK.
  12. The MMC console tree should now contain nodes for each Active Directory snap-in.

The Active Directory Installation Wizard

The Active Directory Installation Wizard is the main tool that is used to install Active Directory, domain controllers and create new domains and domain trees. You can initiate the Active Directory Installation Wizard directly using Dcpromo.exe. The Active Directory Installation Wizard prompts for the following information as it guides you through its set of configuration pages/screens:
  • The domain controller type: The wizard shows the Domain Controller Type page when the computer you are working with is not a domain controller. The options that you can choose from are:
    • Domain Controller For A New Domain: This option installs Active Directory on a server and defines it as the first domain controller for a new domain. When you select this option, the Active Directory Installation Wizard proceeds to install Active Directory support files, creates the new domain, and then registers it with DNS.
    • Additional Domain Controller For An Existing Domain: This option installs Active Directory on a server and then replicates directory information from an existing domain.
  • The domain type: If you chose to create a new domain, the wizard displays the Create New Domain page. You can select one of the following options from this page:
    • Domain In A New Forest
    • Child Domain In An Existing Domain Tree
    • Domain Tree In An Existing Forest
  • Set domain names: In the New Domain Name page, you have to specify a DNS name for the domain as well as a NetBIOS name for the domain. The NetBIOS name for the domain will be used by clients that do not support Active Directory.
  • Active Directory database and log folder location: The wizard prompts you to enter the location of the Active Directory database, and the log files folder on the Database And Log Folders page. The location that you enter has to be on an NTFS volume.
  • Shared system volume folder location: You have to enter the location of the shared system volume on the Shared System Volume page.
  • Default permissions for user and group objects: The Permissions Compatible Only With Windows 2000 and Windows Server 2003 Operating Systems option should be selected.
  • Directory services restore mode Administrator account password: You have to enter the password for the restore mode Administrator account of the server here. This password would be typically needed to use the Recovery Console.

How to use the Active Directory Installation Wizard to install Active Directory for a new domain

  1. Click Start, Run, and then enter dcpromo in the Run dialog box. Click OK.
  2. This action launches the Active Directory Installation Wizard.
  3. When the Welcome To The Active Directory Installation Wizard page opens, click Next.
  4. Click Next as well on the Operating System Compatibility page.
  5. Select the Domain Controller For A New Domain option on the Domain Controller Type page. Click Next.
  6. When the wizard displays the Create New Domain page, verify that the Domain In A New Forest option is selected. Click Next.
  7. The Active Directory Installation Wizard now shows the New Domain Name page. This is where you enter the DNS name of the domain in the Full DNS Name For New Domain box. Click Next.
  8. You can accept the default NetBIOS name displayed on the NetBIOS Domain Name page. Click Next.
  9. Enter the proper locations in the Database Folder and Log Folder boxes on the Database and Log Folders page. Click Next.
  10. When the Shared System Volume page displays, enter the location of the shared system volume folder in the Folder Location box. Click Next.
  11. On the DNS Registration Diagnostics page, select the appropriate option. Click Next.
  12. When the wizard displays the Permissions page, select the Permissions Compatible Only With Windows 2000 and Windows Server 2003 Operating Systems option. Click Next.
  13. On the Directory Services Restore Mode Administrator Password page, enter the required password. Click Next.
  14. The Active Directory Installation Wizard now displays the Summary page. All the configuration options that you selected while navigating through the pages of the wizard are summarized on this page. Click Next to continue with the installation.
  15. When the Completing The Active Directory Installation Wizard page is displayed, click Finish, and then Restart Now.
  16. When the This Server Is Now A Domain Controller page is displayed, click Finish as well.

The Active Directory Domains and Trusts Console

The Active Directory Domains and Trusts console is used to manage domains and trust relationships between domains and forests, change the domain mode, and set user principal name (UPN) suffixes for the forest. With the installation of Windows Server 2003, the Active Directory Domains and Trusts console is by default added to the Start menu. The MMC snap-in file, Domain.msc, can be used to start Active Directory Domains and Trusts from the Run dialog box. You can also start the console from Administrative Tools. The administrative tasks enabled by Active Directory Domains and Trusts can be accessed from the Action menus displayed by selecting a domain name or the root object. You can also perform management tasks on the Properties dialog box of a domain.
The administrative tasks that you can use the Active Directory Domains And Trusts MMC snap-in for are summarized below:
  • View a console tree listing all the domains in a forest
  • Change the domain mode from Windows 2000 mixed mode to Windows 2000 native mode or Windows Server 2003 functional level. The domain mode is now known as the domain functional level.
  • Configure interoperability with domains in other Windows Server 2003 forests and pre-Microsoft Windows 2000 domains through specifying trust relationships between the domains.
  • Transfer the domain naming operations master role from one domain controller to a different domain controller.
  • Add, delete and change user principal name (UPN) suffixes.
Domain functional levels allow you to enable Active Directory features and functionality in the domain and forest for your network. Windows Server 2003 adds additional functionality based on the mode of the forest. When a new domain is created in a new forest, the functionality level for the domain is Windows 2000 mixed mode, and the functionality level for the new forest is Windows 2000 mode. When you upgrade the domain controllers in a forest, you can improve the functionality level to support further Active Directory features and functionality.

The following domain functionality levels exist:

  • Windows 2000 Mixed domain functionality level is supported by Windows NT 4, Windows 2000 and Windows Server 2003 domain controllers.
  • Windows 2000 Native domain functionality level is supported by Windows 2000 and Windows Server 2003 domain controllers.
  • Windows Server 2003 Interim domain functionality level is supported by Windows NT 4 and Windows Server 2003 domain controllers.
  • Windows Server 2003 domain functionality level is supported by Windows Server 2003 domain controllers.

The following forest functionality levels exist:

  • Windows 2000 forest functionality level is supported by Windows NT 4, Windows 2000 and Windows Server 2003 domain controllers.
  • Windows Server 2003 Interim forest functionality level is supported by Windows NT 4 and Windows Server 2003 domain controllers.
  • Windows Server 2003 forest functionality level is supported by Windows Server 2003 domain controllers.

You can use the Active Directory Domains and Trusts console to create the following types of trusts between domains and forests:

  • Tree-root trust
  • Parent-child trust
  • Shortcut trust
  • Forest trust
  • Realm trust
  • External trust

How to change the domain functionality level using Active Directory Domains and Trusts

  1. Click Start, Administrative Tools and then select Active Directory Domains And Trusts.
  2. Proceed to right-click the domain that you want to upgrade and click Raise Domain Functional Level from the shortcut menu.
  3. When the Raise Domain Functional Level dialog box opens, use the Select An Available Domain Functional Level drop-down list to choose the domain functionality level that you want to use. The drop-down list only displays the levels that can be specified for the particular domain.
  4. Click Raise.
  5. When the Raise Domain Functional Level message box appears, click OK.

How to change the forest functionality level using Active Directory Domains and Trusts

  1. Click Start, Administrative Tools and then select Active Directory Domains And Trusts.
  2. Proceed to right-click the domain that you want to upgrade and click Raise Forest Functional Level from the shortcut menu.
  3. When the Raise Forest Functional Level dialog box opens, use the Select An Available Forest Functional Level drop-down list to choose the forest functionality level you want to use. The drop-down list only displays those levels that can be specified for the particular forest.
  4. Click Raise.
  5. When the Raise Forest Functional Level message box appears, click OK.

How to add or remove UPN suffixes

  1. Click Start, Administrative Tools and then select Active Directory Domains And Trusts.
  2. Right-click the Active Directory Domains And Trusts node and select Properties from the shortcut menu.
  3. When the Active Directory Domains And Trusts dialog box appears, click the UPN Suffixes tab.
  4. If you want to add a UPN suffix, use the Alternative UPN Suffixes box to enter an alternative UPN suffix. Click Add.
  5. If you want to remove a UPN suffix, use the Alternative UPN Suffixes box to indicate the UPN suffix that should be removed. Click Remove.
  6. Click Yes to verify your configurations and then click OK.

How to configure different types of trusts between domains and forests using Active Directory Domains and Trusts

Use the steps below to create a shortcut trust between two domains in a forest:
  1. Click Start, Administrative Tools and then select Active Directory Domains And Trusts.
  2. In the console tree, right-click the node of the domain for which you want to configure the shortcut trust, and then select Properties from the shortcut menu.
  3. When the Properties dialog box appears, click the Trusts tab.
  4. This is the tab utilized to create new trust relationships between domains.
  5. Click New Trust to start the New Trust Wizard.
  6. Click Next on the Welcome To The New Trust Wizard page.
  7. When the Trust Name page appears, in the Name box, enter the name of the domain with which you want to create the trust. Click Next.
  8. Select one of the following options on the Direction Of Trust page:
    • Two-Way
    • One-Way: Incoming
    • One-Way: Outgoing
  9. Click Next. When the Sides Of Trust page displays, choose between the following options:
    • This Domain Only for the trust relationship to be created in the local domain.
    • Both This Domain And The Specified Domain for the trust relationship to be created in both domains.
  10. Click Next. The wizard now uses the options that you have selected in this step and the previous step to display the appropriate pages.
  11. The Outgoing Trust Authentication Level page is displayed if you have previously selected the following: Two-Way or One-Way: Outgoing and This Domain Only.
    • You can now either select the Domain Wide Authentication option or the Selective Authentication option to specify user authentication. Click Next.
  12. The Trust Password page is displayed if you previously selected the following: One-Way: Incoming and This Domain Only.
    • You have to enter a password in the Trust Password box and Confirm Trust Password box. Click Next.
  13. The User Name And Password page is displayed if you previously selected Both This Domain And The Specified Domain.
    • You have to enter a user name and password of an account that has administrative privileges in the domain in the User Name and Password boxes. Click Next.
  14. The wizard displays the Trust Selections Complete page. This page contains a list of all the configuration options that you have specified. Click Next.
  15. When the Trust Creation Complete page appears, click Next.
  16. When the Confirm Outgoing Trust page appears, choose between the following options:
    • Yes, Confirm The Outgoing Trust
    • No, Do Not Confirm The Outgoing Trust
  17. Click Next.
  18. When the Confirm Incoming Trust page appears, choose between the following options:
    • Yes, Confirm The Incoming Trust
    • No, Do Not Confirm The Incoming Trust
  19. Click Next.
  20. When the Completing The New Trust Wizard page is displayed, click Finish.

The Active Directory Sites and Services Console

When you need to create and perform administrative tasks on sites, you would use the Active Directory Sites and Services console. Because Active Directory utilizes sites during authentication and replication, the management of sites in Active Directory is important and can be quite complicated. Through the use of Active Directory Sites and Services, you can control the manner in which a directory is replicated within a site and between sites. Active Directory Sites and Services allows you to configure connections between sites, and then specify how replication should occur. When you open the Active Directory Sites and Services console, you are presented with containers that can be used to create new sites, and to manage the sites in your network environment.
The first site object, Default-First-Site-Name, is created when you install the first domain controller in the network. This site is connected with the server that was promoted to domain controller. You should rename the site object to a name that has some significance in your organization.
The Inter-Site Transports container contains site links. You would use this container to create connections among sites. When you create a connection beneath the IP container, the connection would utilize the IP transport protocol. Similarly, when you create a link beneath the SMTP container, those links utilize Simple Mail Transfer Protocol (SMTP) and not IP.
The Subnets container contains information on the subnets in the network. You would use this container to group different subnets to form a site.

How to rename the first site object using Active Directory Sites and Services

  1. Open Active Directory Sites and Services.
  2. Right-click Default-First-Site-Name, and select Rename from the shortcut menu.
  3. Proceed to set a meaningful name for the site.

How to create a new site object using Active Directory Sites and Services

  1. Open Active Directory Sites and Services.
  2. Right-click the Sites object, and then click New Site from the shortcut menu.
  3. The New Object - (Site) dialog box appears next.
  4. Enter a name for the site in the Name box.
  5. Enter a site link object for the site in the Link Name box.
  6. Click OK.

How to move a server to a new site using Active Directory Sites and Services

  1. Open Active Directory Sites and Services.
  2. Expand the Sites node in the console tree, and click the site that contains the server that you want to move.
  3. Right-click the server, and then select Move from the shortcut menu.
  4. When the Move Server window appears, specify a new site for the server.
  5. Click OK.

The Active Directory Users and Computers Console

You would use Active Directory Users and Computers to view and manage user accounts, groups, computer accounts, OUs, and many other Active Directory objects. Through the Active Directory Users and Computers console, you can view, create, set permissions, change, delete and move objects stored in Active Directory. After you create a domain controller, the containers that are by default created are summarized below. You can however create additional containers.
  • Builtin container: In Windows Server 2003, this container stores groups which Windows Server 2003 created. These groups can be used to manage access for users that are permitted to perform specific functions.
  • Computers container: Computer objects are stored in this container. Accounts which applications utilize to access Active Directory are also stored in the Computers container.
  • Domain Controller container: Objects that signify domain controllers within the domain are stored in the Domain Controller container.
  • Users container: User accounts and groups are located in the Users container.
When Advanced Features are activated, additional containers are shown along with the just mentioned containers:
  • LostAndFound container: Objects whose containers have since been deleted or moved to a location that could not be found, are stored in this container.
  • System container: This container stores system settings for Active Directory containers and objects.

How to add a new domain user account using Active Directory Users and Computers

  1. Open Active Directory Users and Computers.
  2. Click the domain, right-click the OU where the domain user account should be stored, and select New, and then User from the shortcut menu.
  3. When the New Object-User dialog box appears, enter the appropriate information in the following boxes:
    • First Name: Enter the first name of the user.
    • Initials: Enter the initials of the user
    • Last Name: Insert the last name of the user
    • Full Name: This information is automatically populated using the information entered in the prior three boxes. Full Name is the name that would be displayed in the OU that stores the user account.
    • User Logon Name: Enter the unique logon name of the user.
    • User Logon Name (Pre-Windows 2000): This information is automatically populated.
  4. Click Next.
  5. In the second New Object-User dialog box that is displayed, you have to enter password settings for the new domain user account.
    • Password: Enter the password that would be utilized to authenticate the user.
    • Confirm Password: Re-enter the password.
  6. You can also enable the following checkboxes for the new user account:
    • User Must Change Password At Next Logon: When enabled, the user has to change the password when he/she next logs on.
    • User Cannot Change Password: This option is typically enabled for the Guest account.
    • Password Never Expires: This option is generally enabled for accounts utilized by Windows services or programs.
    • Account Is Disabled: When enabled, the user account can no longer be utilized.
  7. Click Next.
  8. Verify that the full name and user logon name details for the new user account are correct.
  9. Click Finish.
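
The password checkboxes in step 6 end up as attribute values on the user object, so they can be reviewed in bulk from a Csvde export rather than one Properties dialog at a time. The following is an added example, not part of the original article: it decodes userAccountControl and pwdLastSet from a constructed export and lists enabled accounts that warrant review. The sample rows, the SERVICE_OU convention and the function names are assumptions.

```python
import csv
import io

# userAccountControl bits (Microsoft-documented values).
ACCOUNTDISABLE = 0x0002          # "Account Is Disabled"
PASSWD_NOTREQD = 0x0020          # no wizard checkbox; a blank password is allowed
DONT_EXPIRE_PASSWORD = 0x10000   # "Password Never Expires"
# "User Cannot Change Password" is stored as ACEs on the object, not as a
# writable userAccountControl bit, so it is not decoded here.

# Hypothetical site convention: service accounts live under this OU.
SERVICE_OU = "OU=Service Accounts"

# Constructed sample in the assumed csvde layout (header row, DN first).
# An export like this could be produced with:
#   csvde -f users.csv -r "(objectCategory=person)"
#         -l "sAMAccountName,userAccountControl,pwdLastSet"
SAMPLE_EXPORT = """\
DN,sAMAccountName,userAccountControl,pwdLastSet
"CN=Jane Doe,OU=Staff,DC=example,DC=com",jdoe,512,0
"CN=Sam Lee,OU=Staff,DC=example,DC=com",slee,66048,127998720000000000
"CN=svc-backup,OU=Service Accounts,DC=example,DC=com",svc-backup,66048,127998720000000000
"CN=Old Temp,OU=Staff,DC=example,DC=com",otemp,66050,127998720000000000
"CN=Kiosk,OU=Staff,DC=example,DC=com",kiosk,544,127998720000000000
"CN=Help Desk,OU=Staff,DC=example,DC=com",,,
"""


def decode_settings(uac, pwd_last_set):
    """Map raw attribute values back to the settings chosen in the wizard."""
    settings = []
    if pwd_last_set == 0:
        # pwdLastSet = 0 is how "User Must Change Password At Next Logon" is stored.
        settings.append("must-change-at-next-logon")
    if uac & DONT_EXPIRE_PASSWORD:
        settings.append("password-never-expires")
    if uac & ACCOUNTDISABLE:
        settings.append("disabled")
    if uac & PASSWD_NOTREQD:
        settings.append("password-not-required")
    return settings


def parse_export(text):
    """Return one dict per row that carries a usable userAccountControl value."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        raw_uac = (row.get("userAccountControl") or "").strip()
        if not raw_uac.isdigit():
            continue  # e.g. a contact object: no logon settings to review
        raw_pls = (row.get("pwdLastSet") or "").strip()
        pwd_last_set = int(raw_pls) if raw_pls.isdigit() else None
        accounts.append({
            "dn": row["DN"],
            "sam": row["sAMAccountName"],
            "settings": decode_settings(int(raw_uac), pwd_last_set),
        })
    return accounts


def review(accounts, service_ou=SERVICE_OU):
    """List enabled accounts whose password settings deserve a second look."""
    findings = []
    for acct in accounts:
        settings = acct["settings"]
        if "disabled" in settings:
            continue  # cannot be used to log on
        if "password-not-required" in settings:
            findings.append((acct["sam"], "password not required"))
        if ("password-never-expires" in settings
                and service_ou.lower() not in acct["dn"].lower()):
            findings.append((acct["sam"], "non-expiring password outside service OU"))
    return findings


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    for acct in parsed:
        print(acct["sam"], ", ".join(acct["settings"]) or "defaults")
    for sam, reason in review(parsed):
        print("REVIEW:", sam, "-", reason)
```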

How to change a domain user account's properties using Active Directory Users and Computers

  1. Open Active Directory Users and Computers.
  2. Click the domain and then select the OU that holds the domain user account.
  3. Locate and right-click the domain user account that you want to change property settings for, and choose Properties from the shortcut menu.
  4. Click the tab that contains the settings that you want to change.
  5. After changing the necessary settings, click OK.

The Active Directory Schema Snap-In

The schema in Active Directory defines the kinds of objects that can be stored in the database. It also defines the attributes of those objects. To view the schema and change it, you need to use the Active Directory Schema snap-in. The Active Directory Schema snap-in is not by default displayed on the Administrative Tools menu. Because of this, you would have to install the snap-in and then create an MMC for it as well.

How to install the Active Directory Schema snap-in and create an MMC for it

  1. Click Start, and then click Command Prompt.
  2. Enter regsvr32 schmmgmt.dll.
  3. Click Start, then Run, and enter mmc in the Run dialog box. Click OK.
  4. Select Add/Remove Snap-in under the File menu.
  5. The Add/Remove Snap-in dialog box is displayed next.
  6. Click the Standalone tab. Click Add.
  7. The Add Standalone Snap-in dialog box is where you add Active Directory snap-ins. Double-click Active Directory Schema. Click Close.
  8. Click OK in the Add/Remove Snap-in dialog box.
  9. Click Save from the File menu.
  10. When the Save As dialog box is displayed, verify that the Save In box contains Administrative Tools.
  11. In the File Name box, enter Active Directory Schema. Click Save.
  12. The Active Directory Schema snap-in would now be displayed on the Administrative Tools menu.

How to create a new attribute object using the Active Directory Schema snap-in

  1. Open the Active Directory Schema snap-in.
  2. In the console tree, right-click Attributes, and select Create Attribute from the shortcut menu.
  3. When the Create New Attribute dialog box appears, in the Identification section of the box, you have to enter the name for the new attribute object.
  4. In the Common Name box, enter the name that will be used when the attribute appears in dialog boxes.
  5. In the LDAP Display Name box, enter the name for the object associated with the LDAP directory.
  6. In the Unique X.500 Object ID box, enter a unique ID that identifies the attribute object in X.500 namespace.
  7. In the Description box, enter an object description.
  8. Using the Syntax and Range section of the Create New Attribute dialog box, specify what type of data can be stored in the particular attribute.
  9. Click OK to create the attribute object.

The Active Directory Windows Support Tools

Many Active Directory specific support tools are found in the Windows Support Tools toolkit. You can use these tools to configure, manage and troubleshoot Active Directory. The Windows Support Tools can be found on the Windows Server 2003 CD in the Tools folder. Before you can use these tools, you have to install them from the Windows Server 2003 CD. The Active Directory specific support tools are summarized below:
  • Acldiag.exe: Used to determine whether a user has been granted access or denied access to an object in Active Directory.
  • Adsiedit.msc: Used to add, move and delete objects; and to change or delete object attributes.
  • Dcdiag.exe: Used to determine the state of domain controllers in the forest/enterprise.
  • Dfsutil.exe: Used to manage the Distributed File System (DFS) and to view DFS information.
  • Dsacls.exe: Used to manage ACLs for Active Directory objects.
  • Dsastat.exe: For comparing the naming contexts on the domain controllers.
  • Ldifde: Used to create, delete and change objects on computers running Windows XP Professional and Windows Server 2003.
  • Ldp.exe: Used to carry out Lightweight Directory Access Protocol (LDAP) functions on Active Directory.
  • Movetree.exe: Used to move objects from one domain to another domain.
  • Netdom.exe: Can be used to manage domains and trust relationships.
  • Nltest.exe: Can be used to view information on primary domain controllers, trusts and replication.
  • Repadmin.exe: Used to monitor, diagnose, and manage replication issues.
  • Replmon.exe: Used to monitor and manage replication through a graphical user interface (GUI).
  • Sdcheck.exe: Displays the security descriptor for Active Directory objects, and can be used to check ACL propagation, replication and whether the ACLs are being inherited correctly.
  • Setspn.exe: Used to view, change or delete the Service Principal Names (SPN) directory property for a service account in Active Directory.
  • Sidwalker.exe: Used to configure ACLs on objects that belonged to either moved or deleted accounts.

Active Directory Command-Line Tools

You can also use a number of command-line tools to manage Active Directory. Windows Server 2003 introduced a set of DS command-line tools that can be used to administer Active Directory. The command-line tools available for Active Directory management functions are summarized below:
  • Cacls: Used to view and change user and group permissions to resources. Through Cacls, you can change the discretionary access control lists (DACLs) on files.
The syntax for Cacls is: Cacls filename. The switches for the command are:
    • /t, modifies the DACLs on files in the directory, and subdirectories
    • /e, edits the DACL.
    • /r username, revokes the rights of the user
    • /c, errors that occur when changing the DACL are ignored.
    • /g username:permission, grants rights (f - Full Control, r - Read, w - Write, c - Change, n - None) to a user.
    • /p username:permission, replaces a user's rights.
    • /d username, denies access for the particular user.
  • Cmdkey: Used to view, create, edit and delete usernames, passwords and credentials. A few switches for the command are listed below:
    • /add:targetname, adds a username/password to the list. Indicates the domain/computer for the entry.
    • /user:username, username that the entry is related to.
    • /generic, adds generic credentials
    • /smartcard, credentials are obtained from a smart card
    • /pass:password, password to be stored for the entry.
  • Csvde: This tool is used to import and export data from Active Directory.
  • Dcgpofix: Used to return GPOs to their original state, that is, the state that they were in when first installed.
  • Dsget: Used to view properties of a specified object in Active Directory. The commands that can be utilized are:
    • dsget user, to view a user's properties
    • dsget group, to view a group's properties
    • dsget computer, to view a computer's properties
    • dsget site, to view a site's properties
    • dsget subnet, to view a subnet's properties
    • dsget ou, to view an organizational unit's properties
    • dsget contact, to view a contact's properties
    • dsget server, to view a domain controller's properties
    • dsget partition, to view a directory partition's properties
    • dsget quota, to view a quota's properties
  • Dsadd: Used to create objects in Active Directory including users, groups, computers, OUs, contacts and quota specifications. The commands that can be utilized are:
    • dsadd user, used to add a user
    • dsadd group, used to add a group
    • dsadd computer, used to add a computer
    • dsadd ou, used to add an OU.
    • dsadd contact, used to add a contact
    • dsadd quota, used to add a quota specification
  • Dsmod: Used to modify the attributes of an existing object in Active Directory. The commands that can be utilized are:
    • dsmod user, used to modify a user's attributes
    • dsmod group, used to modify a group's attributes
    • dsmod computer, used to modify a computer's properties
    • dsmod ou, used to modify an organizational unit's attributes
    • dsmod contact, used to modify a contact
    • dsmod server, used to modify a domain controller's properties
    • dsmod partition, used to modify a directory partition
    • dsmod quota, used to modify a quota's properties
  • Dsmove: Used to move an Active Directory object to a new container within the domain.
  • Dsrm: Used to remove an Active Directory object or container.
  • Dsquery: Used to locate or find object(s) that match the defined search criteria.
  • Ldifde: Used to create, delete and modify objects from the Active Directory directory, to import or export user/group information, and to extend the Active Directory schema.
  • Ntdsutil: Used to manage domains, information in the Active Directory directory and log files. You can also use Ntdsutil when needing to do an authoritative restore of Active Directory. The tool is also used to manage SIDs and the master operation roles.
  • Whoami: Used to view information on the user that is currently logged on.
Source: technet.microsoft.com
