Friday, December 31, 2010

Export Active Directory data

Show me the samid and upn name of all disabled user accounts in the domain.

C:\>dsquery user -disabled | dsget user -samid -upn


Show me the samid and upn of each user account in the domain and show me when the user account expires.

C:\>dsquery user | dsget user -samid -upn -acctexpires


Show me the samid and upn of each user account in the domain and show me when the user account expires. Send output to a file called c:\log.txt

C:\>dsquery user | dsget user -samid -upn -acctexpires > c:\log.txt


Show me the samid and upn name of each user account in the Production OU of the TEST.COM domain whose password is 14 days old or older, and also show me whether the account is flagged "user must change password" and whether the user is allowed to change the password.

C:\>dsquery user "OU=Production,DC=test,DC=com" -stalepwd 14 | dsget user -samid -upn -mustchpwd -canchpwd
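The pipelines above are one-off commands. As an added example (not part of the original post), the PowerShell script below runs the same three dsquery/dsget reports as a single job, writes each to a dated file so runs can be compared, and passes -limit 0 to dsquery, because without it dsquery returns only the first 100 matching objects and a large domain is silently truncated. It assumes dsquery.exe and dsget.exe (the AD DS command-line tools) are on the PATH, that the caller can read the domain, and that the OU distinguished name and output folder are placeholders you adjust.

```powershell
# Added example, not from the original post: run the dsquery/dsget audits as one
# job with one dated output file per report.
# Assumptions: dsquery.exe/dsget.exe are on the PATH; the OU DN and C:\ADAudit
# are placeholders to adjust for your environment.
param(
    [string] $SearchBase   = "OU=Production,DC=test,DC=com",  # OU from the post; change as needed
    [int]    $StalePwdDays = 14,
    [string] $OutDir       = "C:\ADAudit"                     # assumed output folder
)

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
$stamp = Get-Date -Format "yyyyMMdd-HHmm"

# Each report: the dsquery arguments and the dsget attributes to display.
# "-limit 0" lifts dsquery's default cap of 100 returned objects.
$reports = @(
    @{ Name  = "disabled-accounts"
       Query = @("user", "-disabled", "-limit", "0")
       Attrs = @("-samid", "-upn") },
    @{ Name  = "account-expiry"
       Query = @("user", "-limit", "0")
       Attrs = @("-samid", "-upn", "-acctexpires") },
    @{ Name  = "stale-passwords"
       Query = @("user", $SearchBase, "-stalepwd", $StalePwdDays, "-limit", "0")
       Attrs = @("-samid", "-upn", "-mustchpwd", "-canchpwd") }
)

foreach ($r in $reports) {
    $outFile = Join-Path $OutDir ("{0}-{1}.txt" -f $r.Name, $stamp)
    $qargs = $r.Query
    $attrs = $r.Attrs

    # dsquery prints one DN per line; dsget reads those DNs from stdin, exactly
    # as in the pipelines above. -c makes dsget continue past a failing object
    # instead of aborting the whole report.
    $dns = & dsquery.exe @qargs
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("{0}: dsquery failed with exit code {1}" -f $r.Name, $LASTEXITCODE)
        continue
    }
    $dns | & dsget.exe user -c @attrs | Set-Content -Path $outFile

    # dsget output is a header row, one row per object, then "dsget succeeded".
    $rows = (Get-Content $outFile | Measure-Object -Line).Lines - 2
    Write-Host ("{0}: {1} account(s) -> {2}" -f $r.Name, [Math]::Max($rows, 0), $outFile)
}
```

Run it from a scheduled task under an account with read access to the directory; diffing consecutive stale-passwords files shows which accounts crossed the threshold since the previous run.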

Wednesday, December 29, 2010

Restoring objects with Microsoft ADRestore (previously Sysinternals)

Mark Russinovich (formerly of Sysinternals, now Microsoft) has created a command-line freeware application called ADRestore. The tool enumerates all of the currently tombstoned objects in a domain and allows you to restore them selectively, providing a convenient command-line interface to the Active Directory reanimation functionality. If you run it from the command line you will be prompted to choose which object you want to restore, and since there could be quite a few tombstoned objects, this process might take some time as you answer NO to each and every prompt.

To add a little selectivity to the restore operation, you can run ADRestore with a parameter to narrow down the search. For example:

adrestore -r daniel

would search for all objects with "daniel" as part of their names.

The -r switch forces the program to prompt the user for each restoration. Otherwise, all the objects found matching said criteria will be automatically restored. The default (no criteria supplied) is that all tombstoned objects will be enumerated and restored.

Note that deleted items may no longer be members of specific organizational units or OUs. Restoring these objects from deleted status will not automatically restore them to their respective OUs; this will need to be done manually.

Download ADRestore

Recovering Deleted Items in Active Directory

Restoring objects with ADRestore.net

Guy Teverovsky, a fellow MVP from Israel, has written a cool tool that allows you to easily restore deleted AD objects. The tool is provided as freeware with no support of any kind, but from what I've seen, it works great. Some of the tool's features include:

  • Browsing the tombstones
  • Domain Controller targeting
  • Can be used with alternative credentials (convenient if you do not log on to your desktop as Domain Admin, which you should never do anyway)
  • User/Computer/OU/Container reanimation
  • Preview of tombstone attributes

Figure: Enumerating tombstones

Figure: Previewing the tombstone attributes

Figure: Restoring a deleted user account
For more information on Guy's tool, please see his blog entry announcing ADRestore.net.

Tuesday, December 28, 2010

Windows Server: Managing Terminal Services - RDP Permissions

Managing Terminal Services includes tasks such as assigning RDP permissions, configuring connection limits and session time limits, assigning session permissions, viewing processes, monitoring sessions, logging off users, disconnecting sessions, and resetting Terminal Services. Terminal Services Manager is used to perform these administrative tasks. Make sure you thoroughly understand each task and its implications before applying it on a production network: misconfigured permissions can grant users rights they do not need and deny access where it is required.

RDP Permissions

Terminal Services Manager allows you to configure various RDP permissions. Permission sets such as Full Control, User Access, Guest Access, and Special Permissions can be assigned to users, clients, and groups. Each permission set consists of one or more individual permissions (see Tables 1 and 2). Figure 1 shows the RDP properties. Figure 2 shows the advanced security settings for RDP. Figure 3 shows RDP permissions.

Table 1. Terminal Services Permissions

Permission[*]        Description
Full Control         Permission set providing the Query Information, Set Information, Remote Control, Logon, Logoff, Message, Connect, Disconnect and Virtual Channels permissions
User Access          Permission set providing the Query Information, Logon, and Connect permissions
Guest Access         Logon permission only
Logon                Log on to a Terminal Server session

[*] The individual permissions are described in Table 2.

Table 2. Terminal Services Connection Permissions

Permission           Description
Query Information    Allows users to query for information from Terminal Servers and sessions
Set Information      Allows users to configure properties of the connection
Remote Control       Allows users to view or control other users' sessions
Logon                Log on to a Terminal Server session
Logoff               Log off a user from the Terminal Server session
Message              Allows users to send a message to a user session
Connect              Allows users to connect to another user's session
Disconnect           Disconnects a user session
Virtual Channels     Provides access to local (client computer) devices and redirected resources
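Tables 1 and 2 describe what the GUI shows, one dialog at a time. As an added example (not part of the original post), the PowerShell script below lists every account holding permissions on a connection and translates the raw permission mask back into the Table 1 preset and the Table 2 permission names, so an unexpected Full Control or Remote Control grant is visible in one listing. It assumes the Terminal Services WMI provider is present (namespace root\cimv2\TerminalServices, class Win32_TSAccount, as on Windows Server 2003 and 2008) and that the script runs as a local administrator; the bit values are those of that class's PermissionsAllowed mask, and the Reset bit it carries is not in Table 2.

```powershell
# Added example, not from the original post: audit who holds which RDP permissions
# on a Terminal Services connection and name them with the Table 1/Table 2 terms.
# Assumptions: Win32_TSAccount in root\cimv2\TerminalServices is available and the
# caller is a local administrator.
param([string] $Terminal = "RDP-Tcp")

# PermissionsAllowed/PermissionsDenied bit -> Table 2 permission name.
# Bit 0x4 (Reset) exists in the provider but is not listed in Table 2.
$permBits = @{
    0x001 = "Query Information"; 0x002 = "Set Information"; 0x004 = "Reset"
    0x008 = "Virtual Channels";  0x010 = "Remote Control";  0x020 = "Logon"
    0x040 = "Logoff";            0x080 = "Message";         0x100 = "Connect"
    0x200 = "Disconnect"
}
$connMask    = 0x3FF                          # all connection-specific bits above
$userAccess  = 0x001 -bor 0x020 -bor 0x100    # Query Information + Logon + Connect (Table 1)
$guestAccess = 0x020                          # Logon only (Table 1)

function Get-TSPermissionNames([int] $Mask) {
    # Names of every Table 2 permission whose bit is set in $Mask.
    $names = foreach ($bit in ($permBits.Keys | Sort-Object)) {
        if ($Mask -band $bit) { $permBits[$bit] }
    }
    return @($names)
}

function Get-TSPermissionSet([int] $Mask) {
    # Map the connection bits back to a Table 1 preset; anything else is what
    # the GUI labels Special Permissions. Standard-rights bits above 0x3FF are ignored.
    switch ($Mask -band $connMask) {
        { $_ -eq $connMask }    { "Full Control" }
        { $_ -eq $userAccess }  { "User Access" }
        { $_ -eq $guestAccess } { "Guest Access" }
        default                 { "Special Permissions" }
    }
}

$accounts = Get-WmiObject -Namespace "root\cimv2\TerminalServices" -Class Win32_TSAccount `
                          -Filter "TerminalName='$Terminal'" -Authentication PacketPrivacy

$report = foreach ($acct in $accounts) {
    New-Object PSObject -Property @{
        Account       = $acct.AccountName
        PermissionSet = Get-TSPermissionSet ([int] $acct.PermissionsAllowed)
        Allowed       = (Get-TSPermissionNames ([int] $acct.PermissionsAllowed)) -join ", "
        Denied        = (Get-TSPermissionNames ([int] $acct.PermissionsDenied))  -join ", "
    }
}
$report | Sort-Object PermissionSet, Account |
    Format-Table Account, PermissionSet, Allowed, Denied -AutoSize
```

Anything other than Administrators with Full Control, or a non-administrative group holding Remote Control or Set Information, is worth a second look against Table 2: Remote Control lets the holder view or take over other users' sessions.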

Figure 1. RDP Properties

Saturday, December 11, 2010

Windows XP Service Pack 3 access denied error

Procedure to follow

1) Download and then install Subinacl.exe from the following link:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en

2) Start Notepad

Copy and then paste the following text into Notepad.

REM Subinacl.exe installs into the Windows Resource Kit Tools folder
cd /d "%ProgramFiles%\Windows Resource Kits\Tools"
REM Grant Administrators and SYSTEM full control (f) on every key under each hive
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
REM Do the same for every folder on the system drive and everything under %windir%
subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f
REM Reapply the default security template recorded when Windows was installed
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

3) Save this file as sp3fix.bat

Double-click the sp3fix.bat file to run the script.

Note: This script may take a long time to run. You must run it as an administrator.
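The batch file above rewrites the ACL on every registry key and every folder on the system drive, which is a blunt fix. As an added example (not part of the original post), the PowerShell script below checks, before you run it, which registry keys under the hives the script touches actually lack Full Control for Administrators or SYSTEM, so you can see what was broken and whether the reset is needed at all. It assumes PowerShell 2.0 or later running from an elevated prompt; the list of hives is a constructed sample matching the /subkeyreg lines of the batch file, and Get-Acl is part of PowerShell itself.

```powershell
# Added example, not from the original post: report registry keys where
# Administrators or SYSTEM do not hold Full Control, to scope the subinacl reset.
# Assumptions: elevated PowerShell 2.0+; $roots is a constructed sample.
$principals = @("BUILTIN\Administrators", "NT AUTHORITY\SYSTEM")
$roots = @("HKLM:\SOFTWARE", "HKLM:\SYSTEM", "HKCU:\Software")   # add Registry::HKEY_CLASSES_ROOT for HKCR

function Test-RegistryFullControl {
    param([System.Security.AccessControl.RegistrySecurity] $Acl, [string] $Identity)
    # True when an Allow rule (explicit or inherited) grants FullControl to $Identity
    # on the key itself; inherit-only rules apply to subkeys and do not count.
    $full        = [System.Security.AccessControl.RegistryRights]::FullControl
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($rule in $Acl.Access) {
        if ($rule.IdentityReference.Value -eq $Identity -and
            $rule.AccessControlType -eq "Allow" -and
            (($rule.PropagationFlags -band $inheritOnly) -eq 0) -and
            (($rule.RegistryRights -band $full) -eq $full)) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($root in $roots) {
    # The root itself plus its immediate subkeys; subinacl /subkeyreg walks deeper.
    $keys = @($root) + @(Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
                         ForEach-Object { $_.PSPath })
    foreach ($key in $keys) {
        try {
            $acl = Get-Acl -Path $key -ErrorAction Stop
        } catch {
            # Not even READ_CONTROL on the key: a damaged ACL in its own right.
            New-Object PSObject -Property @{ Key = $key; Problem = "cannot read ACL" }
            continue
        }
        foreach ($p in $principals) {
            if (-not (Test-RegistryFullControl $acl $p)) {
                New-Object PSObject -Property @{ Key = $key; Problem = "$p lacks Full Control" }
            }
        }
    }
}

if ($findings) { $findings | Sort-Object Key | Format-Table Key, Problem -AutoSize }
else { "All sampled keys grant Full Control to Administrators and SYSTEM." }
```

Run it once before and once after the batch file: the first run documents the damage, the second confirms the repair took effect without having to trust subinacl's verbose output.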