Personal IT Experiences » Active Directory

Microsoft Group Policy Diagnostic Best Practice Analyzer (GPDBPA)

Scott — Thu, 30 Aug 2007 02:33:02 +0000

The GPDBPA tool is a stand-alone program that an administrator can run
from a Windows Server 2003-based system or from a Windows XP-based
system. You can use the tool to do the following:

•	Perform a proactive health check on the Group Policy environment to detect common configuration errors that frequently generate support incidents.
•	Collect diagnostic information and initial data from an environment, and then automate some analysis of that data.
•	Obtain a snapshot of the Group Policy configuration for archiving. This data may be a useful reference if a future problem occurs.

http://support.microsoft.com/kb/940122

A New AD Domain Unjoin Utility

ptsnorth — Wed, 18 Jul 2007 14:20:29 +0000

It will unjoin a machine from a Windows domain and not even start to ask the domain for permission or even tell it it did so, zip, out of the domain, have a nice day. You will find that this will likely be faster than NETDOM for any unjoin ops. It allows you to specify connection creds and will also allow you to specify a reboot.

New Utility – Unjoin V1.1.0

Active Directory Explorer

ptsnorth — Wed, 11 Jul 2007 16:02:36 +0000

Active Directory Explorer AD Explorer is an advanced Active Directory AD viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an objects schema, and execute sophisticated searches that you can save and re-execute.

AD Explorer also includes the ability to save snapshots of an AD database for off-line viewing and comparisons. When you load a saved snapshot, you can navigate and explorer it as you would a live database. If you have two snapshots of an AD database you can use AD Explorers comparison functionality to see what objects, attributes and security permissions changed between them.

AD Explorer works on Windows 2000 and higher.

Active Directory Explorer v1.0

Retaining NTFS Permission When Moving User Folders To New Drive Share

ptsnorth — Mon, 02 Jul 2007 20:58:39 +0000

Moving a large group of terminal server user home folders from one clustered hard drive share to another on a SAN. If you try to manually copy or “move” the home folders, the NTFS permissions on the new home folders are not retained and users are not able to access their directories on the new hard drive share properly.

Solved by:
Creating a backup of the original home directories using ntbackup.exe and then restoring them on the new hard drive share. The original NTFS permissions are retained for all files and folders.

After restoring the home folders to the new location, return to the old home drive share and delete the previous home folders.

If you have difficulty deleting folders and files from the old home drive share because of errors like this “Cannot delete file: Access is denied”, then use a utility like Unlocker. It’s a free delete utility and works quite well.

Don’t forget to update the terminal server home folder location in each user’s profile. Use ADModify.net for bulk account changes like this.

Making Bulk Changes To Active Directory Users With ADModify.NET

ptsnorth — Mon, 02 Jul 2007 16:16:37 +0000

This article provides a step-by-step guide to making bulk changes to users in Active Directory using the ADModify.NET tool.

Making bulk changes to Active Directory users with ADModify.NET

ADModify.Net Support Tool Utility

ptsnorth — Mon, 02 Jul 2007 16:14:24 +0000

Having difficulty locating the Admodify.net utility? Try the URL link below.

Admodify – Download

When Was The GPO Last Refreshed?

ptsnorth — Wed, 20 Jun 2007 20:51:12 +0000

If you’re creating and troubleshooting the effects of group policies (GPO) on your computer, there is a command line utility you can download and install called GPTime.exe. It’s one simple executable that I unzipped and copied into the same folder as the Win2k3 Resource Kit tools. The resource kit folder is already included in the path statement of my computer.

Download GPTime.exe

Configure your group policy then perform a gpupdate /force to apply the group policy change. After the update is completed, run gptime.exe to see when the group policies were really updated on the computer.

What Group Policies Have Been Applied?

ptsnorth — Wed, 20 Jun 2007 19:57:47 +0000

In Windows XP or Windows 2003, open an entire command window and type -> GPUpdate . All of the current policy settings affecting your computer (or server) and your account are displayed.

You can also see a history of the application of group policies by inspecting the registry.

To inspect the group policies applied to your local computer, use Regedt32 to navigate to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History

To inspect the group policies applied to your account, navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History

Each sub-key represents an installed Group Policy Extension and each Group Policy Object is a subkey numbered from 0, the first GPO applied.

JSI Tip 2487. What group policies have been applied?