
Active Directory

Jan 07, 2011

Exporting AD membership lists

by Rob Engler — last modified Jan 07, 2011 04:29 PM

A few ways to export membership for Active Directory objects such as distribution lists or email-enabled security groups.

Active Directory is great for running your organization smoothly, but it offers almost no easy way to pull metadata back out of it.

A client asked to have the membership of a few distribution and email-enabled objects pulled so that they could review it for accuracy. Here are a few ways to do it.

Command-line

From the command line on a domain controller, type

net group <AD groupname> > report.txt

This will dump the usernames of the members of that group. Useful, but not terribly clean.

Alternately, use the csvde command:

csvde -f report.txt -r sAMAccountName=<groupname> -l member

You will get a file with one entry per member, separated by semicolons. You can clean up the line in Word using the Replace function (to replace each semicolon with a return, use ^p as the replacement value).

Scripting

If you like scripting, you can extract using LDIFDE and VBS to clean it up, or you can script against the LDAP services on your domain controller. Microsoft has a good explanation of the LDIFDE method and clean-up here.

Here is a quick example of using VBScript against LDAP:

' Bind to the group; change the DN to match where the group lives in your directory
Set objGroup = GetObject("LDAP://cn=TargetGroup,ou=Groups,dc=company,dc=com")
' Members is the group's direct membership (nested groups are listed, not expanded)
For Each objMember In objGroup.Members
  WScript.Echo objMember.Name
Next
' Run with: cscript //nologo members.vbs > report.txt

You will need to know where your object is located and alter the LDAP path to match. A good free tool for figuring this out is Softerra's LDAP Browser 2.6. This type of tool is invaluable for seeing how the data held for your employees in Active Directory is laid out so your script can reach it, and Softerra's implementation is easy to use and works well.
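As an added example (not code from the original post), the same export done in PowerShell with ADSI, so it needs no extra modules and runs on the same kind of machine the net group and csvde commands do. It goes one step beyond the VBScript above: the LDAP_MATCHING_RULE_IN_CHAIN filter makes the domain controller expand nested groups, and the CSV includes whether each account is disabled, which is usually what the reviewer of a distribution list wants to know. The group DN, output path and the Split-CsvdeMembers helper for the csvde output are assumptions, not anything from the post.

```powershell
# Added example, not from the original post: export a group's membership,
# including members of nested groups, to CSV with ADSI (no extra modules).
# The group DN and output path below are assumptions; change them for your forest.

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a DN containing '(' ')' '*' or '\' cannot break the filter.
    param([string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-FirstValue($props, [string]$name) {
    # DirectorySearcher returns multi-valued collections; a missing attribute is empty.
    [string]($props[$name] | Select-Object -First 1)
}

function Export-GroupMembership {
    param(
        [Parameter(Mandatory = $true)][string]$GroupDN,
        [Parameter(Mandatory = $true)][string]$OutFile
    )
    $group = [ADSI]"LDAP://$GroupDN"
    if (-not $group.distinguishedName) { throw "Group not found: $GroupDN" }

    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC expand
    # nested groups server-side (Windows Server 2003 SP2 or later). objectCategory=person
    # covers users and mail-enabled contacts, both of which can sit in a distribution list.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.Filter     = "(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $GroupDN)))"
    $searcher.PageSize   = 1000   # paged search; otherwise results stop at the 1000-entry limit
    $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'displayName', 'mail', 'userAccountControl', 'distinguishedName'))

    $rows = foreach ($r in $searcher.FindAll()) {
        $p   = $r.Properties
        $uac = [int](Get-FirstValue $p 'useraccountcontrol')
        New-Object PSObject -Property @{
            SamAccountName    = Get-FirstValue $p 'samaccountname'
            DisplayName       = Get-FirstValue $p 'displayname'
            Mail              = Get-FirstValue $p 'mail'
            Enabled           = -not ($uac -band 2)   # ADS_UF_ACCOUNTDISABLE; contacts report 0
            DistinguishedName = Get-FirstValue $p 'distinguishedname'
        }
    }
    $rows | Select-Object SamAccountName, DisplayName, Mail, Enabled, DistinguishedName |
        Sort-Object SamAccountName |
        Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    @($rows).Count
}

function Split-CsvdeMembers {
    # Turn the single semicolon-delimited 'member' field written by
    # 'csvde -r sAMAccountName=<group> -l member' into one DN per line,
    # which is what the Word find-and-replace in the post does by hand.
    param([Parameter(Mandatory = $true)][string]$Path)
    (Import-Csv -Path $Path).member -split ';' | Where-Object { $_ } | ForEach-Object { $_.Trim() }
}

# Usage (assumed names):
$count = Export-GroupMembership -GroupDN 'CN=TargetGroup,OU=Groups,DC=company,DC=com' -OutFile '.\TargetGroup-members.csv'
"$count member(s) exported"
# Split-CsvdeMembers -Path '.\report.txt' | Set-Content '.\members.txt'
```

The Enabled column is the useful addition for an accuracy review: a disabled account that still receives mail through a list is exactly the kind of stale entry the client is looking for, and neither net group nor the plain member dump shows it.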


Apr 03, 2010

Setting home directories on Windows 7

by Rob Engler — last modified Apr 03, 2010 09:23 PM

Running Windows 7 clients in a Windows 2003 Active Directory domain has a few gotchas.

A client today needed us to set a home drive mapping from several Windows 7 clients to a share on a Windows 2003 DC. I learned a few things to look out for next time.


Home Directories

If you didn't know this already, you need to set home directory shares so that they allow full offline access; specifically, this is what allows the H: drive mapping to occur. That should be the end of the discussion for pre-Windows 7 clients: the user logs in and the drive is mapped.


Windows 7 home directory mappings

Windows 7 does not appear to observe home directory mappings when joined to a Windows 2003 AD domain. You can set the home directory mapping in the user account, but the drive will not appear. Others suggested disabling UAC, but I found this to be true even with UAC disabled.

If you need to map a home directory in this scenario, just do it in a login script.
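As an added example (not from the original post), a logon script that does the mapping the client failed to do, while still honouring the homeDrive and homeDirectory values already set on the user account rather than hard-coding a path. It assumes it runs in the user's own logon context (for example as a GPO logon script) on a domain-joined Windows 7 client; the Get-HomeMapping and Connect-HomeDrive names are mine.

```powershell
# Added example, not from the original post: map the home drive from the
# homeDrive/homeDirectory attributes on the logged-on user's account, for
# clients that ignore those attributes themselves. Assumes it runs at logon
# as the user, on a domain-joined client.

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so an unexpected character in the username cannot alter the filter.
    param([string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-HomeMapping {
    # Reads homeDrive (e.g. 'H:') and homeDirectory (e.g. '\\dc1\home\jdoe') for one account.
    param([string]$SamAccountName = $env:USERNAME)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('homeDrive', 'homeDirectory'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account not found: $SamAccountName" }
    New-Object PSObject -Property @{
        Drive = [string]($result.Properties['homedrive'] | Select-Object -First 1)
        Path  = [string]($result.Properties['homedirectory'] | Select-Object -First 1)
    }
}

function Connect-HomeDrive {
    param([string]$Drive, [string]$Path)
    if (-not $Drive -or -not $Path) { return 'No home directory configured on the account.' }
    # If the letter is already mapped to the same share do nothing; if it points
    # elsewhere, drop the stale mapping before remapping.
    $existing = Get-WmiObject Win32_MappedLogicalDisk -Filter "DeviceID='$Drive'"
    if ($existing) {
        if ($existing.ProviderName -ieq $Path) { return "$Drive already mapped to $Path" }
        net use $Drive /delete /y | Out-Null
    }
    # net use rather than New-PSDrive: a mapping that Explorer sees needs -Persist,
    # which arrived in PowerShell 3.0, and stock Windows 7 ships PowerShell 2.0.
    # /persistent:no keeps the mapping per-session so it is redone cleanly each logon.
    net use $Drive $Path /persistent:no | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net use failed for $Drive -> $Path (exit code $LASTEXITCODE)" }
    "$Drive mapped to $Path"
}

$mapping = Get-HomeMapping
Connect-HomeDrive -Drive $mapping.Drive -Path $mapping.Path
```

Because the script reads the account attributes at logon, moving a user's home share later only requires changing the account in Active Directory Users and Computers, the same as it would for the pre-Windows 7 clients that map the drive on their own.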


Oct 29, 2009

AD permissions and BES on SBS 2003

by Rob Engler — last modified Oct 29, 2009 09:21 PM

A workaround for admins in small businesses using BES on SBS 2003.

In some small firms running BlackBerry Enterprise Server or BlackBerry Professional, some BES users may be Domain Admins or Admins on the server. A not-so-recent patch to Windows 2003 enables a scavenging operation in Active Directory on the accounts of users belonging to protected groups such as Administrators or Domain Admins, which clears the permissions BES needs to access those users' mailboxes. This was meant as a safeguard against someone escalating their rights, but in practice it means that Admins need to use a day-to-day account for their email (which isn't a bad idea in itself, to separate daily ops from God Mode). As with all things, there is a workaround.

You can use the Dsacls.exe utility to add the entries that are being stripped off the Admin's user objects. To do this, change the AdminSDHolder permissions, then add the entries that you want. Because all the entries use the security principal SELF, this workaround should not introduce any security problems.

Note: You must run the Dsacls.exe utility once for each access control entry that is missing from the AdminSDHolder security descriptor. For example, to add six different entries, run the Dsacls.exe utility six times.

The following workaround changes the AdminSDHolder object; the change is then propagated to each user account that is a member of a protected group. Follow these steps:

   1. Install the Microsoft Windows 2000 Support Tools from the Windows 2000 CD. These tools include the Dsacls.exe utility. You can use the Dsacls.exe utility to view, modify, or remove ACEs on objects in Active Directory.
   2. Create a batch file that contains the following code.

       dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Send As"
       dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Receive As"
       dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Change Password"
       dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Personal Information"
       dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Phone and Mail Options"
       dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Web Information"

      Note: Replace "dc=<mydomain>,dc=com" with the distinguished name of your domain.
   3. Wait for an hour so that Active Directory has time to rewrite the security descriptor of all the user accounts that are members of any propagated groups.
   4. After the ADC replicates the changes, all users appear as "user" instead of as "CUSTOM."

You might also apply security update 916803, security update 912442, or the daylight saving time update for Exchange Server that is described in Microsoft Knowledge Base article 926666, "Update for daylight saving time changes in 2007 for Exchange 2003 Service Pack 2" (http://support.microsoft.com/kb/926666/). If you do this, you must prevent the AdminSDHolder from overwriting permissions that are granted to a BlackBerry Services account on protected groups. To do this, create a batch file that contains the following code:

dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Send As"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Receive As"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Change Password"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Personal Information"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Phone and Mail Options"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Web Information"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\BlackBerrySA:CA;Send As"


Note: In this batch file, BlackBerrySA is a placeholder for the name of the BlackBerry Service account (normally besadmin). If you have accounts in multiple domains, you can also specify the domain in the command line by using the format Domain\BlackBerrySA.

Alternatively, best practices recommend that you do not use accounts that are members of protected groups for e-mail purposes. If you must have the rights that are given to a protected group, we recommend that you have two Active Directory user accounts. These Active Directory accounts include one user account that is added to a protected group, and one user account that is used for e-mail purposes and at all other times.
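As an added example (not from the post or the Microsoft article it draws on), a read-only check to run before and after the dsacls batch: it lists the ACEs on AdminSDHolder with their rights resolved to the same names dsacls uses ("Send As", "Personal Information" and so on), reports which of the entries the batch grants are present or missing, and lists the accounts stamped adminCount=1, which are the ones whose mailbox permissions the scavenging described above will overwrite. Resolving the ACE GUIDs through CN=Extended-Rights is my approach; 'BESADMIN' is an assumed service account name.

```powershell
# Added example, not from the original post: audit the AdminSDHolder ACL for the
# SELF and service-account rights the dsacls batch grants, and list the accounts
# SDProp has marked (adminCount=1). Read-only; nothing here changes the directory.
# 'BESADMIN' is an assumed service account name; change it to yours.

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNC = [string]$rootDse.defaultNamingContext
$configNC = [string]$rootDse.configurationNamingContext

function Resolve-RightName {
    # Map an ACE's ObjectType GUID to the extended right or property set it names
    # (e.g. 'Send As', 'Personal Information') by looking up rightsGuid in CN=Extended-Rights.
    param([Guid]$Guid)
    if ($Guid -eq [Guid]::Empty) { return '(all)' }
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNC"
    $s.Filter = "(rightsGuid=$Guid)"
    [void]$s.PropertiesToLoad.Add('displayName')
    $r = $s.FindOne()
    if ($r) { [string]($r.Properties['displayname'] | Select-Object -First 1) } else { "$Guid (attribute or unknown)" }
}

function Get-AdminSDHolderAces {
    $holder = [ADSI]"LDAP://CN=AdminSDHolder,CN=System,$domainNC"
    foreach ($ace in $holder.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $who = $ace.IdentityReference.Value
        try { $who = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        New-Object PSObject -Property @{
            Identity  = $who                      # SELF resolves to 'NT AUTHORITY\SELF'
            Type      = $ace.AccessControlType
            Rights    = $ace.ActiveDirectoryRights
            Right     = Resolve-RightName $ace.ObjectType
            Inherited = $ace.IsInherited
        }
    }
}

function Test-ExpectedAces {
    # The entries the dsacls batch grants. A 'Missing' line means SDProp will keep
    # stripping that right from protected-group members, and BES access breaks again.
    param([string]$ServiceAccount = 'BESADMIN')
    $aces = Get-AdminSDHolderAces
    $expected = @(
        @{ Identity = 'NT AUTHORITY\SELF'; Right = 'Send As' },
        @{ Identity = 'NT AUTHORITY\SELF'; Right = 'Receive As' },
        @{ Identity = 'NT AUTHORITY\SELF'; Right = 'Change Password' },
        @{ Identity = 'NT AUTHORITY\SELF'; Right = 'Personal Information' },
        @{ Identity = 'NT AUTHORITY\SELF'; Right = 'Phone and Mail Options' },
        @{ Identity = 'NT AUTHORITY\SELF'; Right = 'Web Information' },
        @{ Identity = $ServiceAccount;     Right = 'Send As' }
    )
    foreach ($e in $expected) {
        $hit = $aces | Where-Object { $_.Type -eq 'Allow' -and $_.Right -eq $e.Right -and $_.Identity -like "*$($e.Identity)" }
        "{0,-8} {1,-24} {2}" -f $(if ($hit) { 'Present' } else { 'Missing' }), $e.Right, $e.Identity
    }
}

function Get-ProtectedAccounts {
    # SDProp sets adminCount=1 on every account whose descriptor it has rewritten;
    # these are the mailboxes affected by the scavenging the post describes.
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$domainNC"
    $s.Filter = '(&(objectCategory=person)(objectClass=user)(adminCount=1))'
    $s.PageSize = 1000
    [void]$s.PropertiesToLoad.Add('sAMAccountName')
    foreach ($r in $s.FindAll()) { [string]($r.Properties['samaccountname'] | Select-Object -First 1) }
}

Test-ExpectedAces -ServiceAccount 'BESADMIN'
'Accounts currently under AdminSDHolder protection (adminCount=1):'
Get-ProtectedAccounts | Sort-Object
```

Run it once before the batch to record the baseline, and again after the hour-long propagation window in step 3: the Present/Missing lines confirm the ACEs landed, and the adminCount=1 list tells you which admins' mailboxes to test with BES. The same list is also the set of people the last paragraph is talking about, so it doubles as a to-do list for giving them a separate day-to-day account.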