dsquery
-o {dn | rdn} Specifies output format
Finding a Computer Account
- Click Start, and then click Run.
- In the Open box, type cmd.
-
At the command prompt, type the following command:
dsquery computer -name name
To find all groups in the current domain whose name starts with “PC”
dsquery group domainroot -name PC*
“dsquery computer -inactive 8 -limit 400”
“dsquery computer -inactive 8 -limit 400| dsmod computer -disabled yes”
If you need to target a specific OU, simply place DN of the OU after the computer:
“dsquery computer “OU=Build,DC=hps,DC=com” -inactive 8 | dsmod computer -disabled yes”
dsmove “cn=computer
Configures, queries, or changes Boot.ini file settings.
| Driverquery | Queries for a list of drivers and driver properties. |
| Dsadd | Adds a computer, contact, group, organization unit, or user to a directory |
Tasklist
Tasklist
Displays a list of currently running processes on either a local or remote machine.
/s Computer
Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.
/svc
Lists all the service information for each process without truncation. Valid when the /fo parameter is set to TABLE.
Delegation of Control Wizard
http://technet.microsoft.com/en-us/library/cc756087(WS.10).aspx
- ACL Editor
- Ldp.exe
- Dsacls.exe
- Acldiag.exe
- Dsrevoke.exe
LDP
LDP (Ldp.exe)
is a graphical tool that allows you to perform Lightweight Directory Access Protocol (LDAP) operations, such as connect, bind, search, modify, add, or delete, against any LDAP-compatible directory, including Active Directory.
To view the security descriptor of an object by using Ldp.exe
- In LDP, on the Connection menu, click Connect to connect to a domain or a specific domain controller.
- In theConnect dialog box, in theServer box, type a server name or leave the entry blank to connect to the local server, and then clickOK.
- On the Connection menu, click Bind.
- In the Bind dialog box, type a user name and password, and then click OK to bind to Active Directory.
- On the View menu, click Tree. In the BaseDN box, either type a specific distinguished name (DN) or leave BaseDN blank to view the entire domain.
- To display the object for which you want to view the security descriptor, double-click the domain object in the tree view and then double-click the appropriate container.
-
To view the security descriptor of an object, right click the object in the tree view, select Advanced,select Security Descriptor, and then in the Security Descriptor dialog box, click OK.
The security descriptor of the object is displayed in the details pane. Note that you can scroll to view the Security Descriptor Definition Language (SDDL) version of the security descriptor and to view the security descriptor in text format.
To analyze the security descriptor in detail, you can either view the information in the details pane, or, if you prefer, right click in the details pane, choose Select All, choose Copy, and then paste the contents into a text file.
Dsacls.exe
Dsacls.exe is a command-line tool that you can use to query the security attributes and to change permissions and security attributes of Active Directory objects. It is the command-line equivalent of the Security tab in the Windows Active Directory snap-in tools such as Active Directory Users and Computers and Active Directory Sites and Services.
Acldiag
Acldiag.exe: ACL Diagnostics
This command-line tool detects and reports discrepancies in the access control lists (ACLs) of objects in Active Directory. It can also reapply a security delegation template to an ACL, eliminating special permissions and restoring incomplete delegations.
Example 1: Display the ACL of a user object in Active Directory
To display the ACL of a user object in Active Directory, type:
acldiag CN=”Test Admin”,CN=Users,DC=domain1,DC=test,DC=fourthcoffee,DC=com
Dsrevoke
Dsrevoke is a new command-line tool that can be used on domain controllers that are running Windows Server 2003 or Windows 2000 Server to report the existence of all permissions for a specific user or group on a set of OUs in a domain and optionally remove from the DACLs of a set of OUs all permissions specified for a particular user or group
