Utilities in JRButils for AD v5.0

Adaccexp

Adaccexp is intended for use in a login script where it displays a warning if the user’s account is about to expire. The number of days before expiration at which warnings begin is adjustable and defaults to seven. Adaccexp can also be used to check the account expiration status of a named user.

Adchkhome

Adchkhome checks, for one or more users, that the Active Directory homeDirectory attributes are set correctly, or, for one or more directories, that there is a user in AD corresponding to the lowest level of the path. Specifically, adchkhome can:

  • Display the contents of the homeDirectory and homeDrive attributes for a single user, users selected using wildcards, all members of a group, or a list of users in a file.
  • List users without a homeDirectory or homeDrive attribute.
  • Check for each user that the home directory path exists providing that it is a UNC path pointing to a directory on a server or cluster volume.
  • Can list only users for which the home directory does not exist.
  • Check that each user is the owner of their home directory.
  • For a single directory, or all subdirectories of a directory, check if there is a user in AD with a name matching that of the lowest level directory i.e. for \\rata\users\karen, it will check if user Karen exists somewhere in the domain.
  • For each directory, check that the corresponding user’s homeDirectory attribute contains that directory e.g. for \\rata\users\karen it checks that Karen’s homeDirectory contains \\rata\users\karen.
  • Can display a range of fields associated with each home directory including the owner, and the user’s permissions.
  • Can restrict the output to those users with a particular character sequence in their home directory path e.g. cShare.
  • May also be used for objects of class inetOrgPerson.

Adchkval

Adchkval is intended for use in a script or batch file to determine whether an attribute of an object has a given value e.g. that “department” contains “Marketing”. An error level is set indicating the result. Adchkval may be used for any attribute holding a text value, and for attributes holding objects as values.

Adchrcheck

Adchrcheck scans all files in a directory structure and lists those with non-standard characters in the name. By default, non-standard characters are anything other than 0-9, a-z, space, ‘.’, ‘~’, ‘-’ and ‘_’. Features include:

  • Can check for non-standard characters in either the long or short name.
  • Allows customising the set of allowed and disallowed characters.
  • Files may be renamed by removing the non-standard characters.
  • Files may be renamed by replacement of the non-standard characters with a nominated character.
  • Leading spaces in file names may also be identified, removed or replaced.

Adcreate

Adcreate can create a wide range of objects in Active Directory. It is intended primarily for creating users, groups and inetOrgPersons in batch mode. Adcreate can do the following:

  • Set a password for users and enable the account.
  • Create a home directory for users, set ownership and grant permissions.
  • Set the display name, given name, surname, initials, principal name and email address when creating users.
  • Store the home directory path in the homeDirectory attribute.
  • Enable user password expiration and expire the password.
  • Can copy attributes from a template when creating users and inetOrgPersons.
  • Create any type of group i.e. security or distribution, global, local or universal.

See also adimport which does user creation, deletion and updating.

Addelattr

Addelattr deletes a selected attribute from one or more objects in Active Directory. Addelattr refuses to delete some attributes where their removal might cause problems and there are others such as objectGUID and objectSID which AD does not allow to be deleted. This does not mean that it is safe to use addelattr to delete all attributes which are not excluded. Use addelattr cautiously, and entirely at your own risk.

Addelete

Addelete can delete almost any class of object from Active Directory. For safety, you may not use wildcards when deleting objects. Nor will addelete delete groups with members. Features include:

  • When deleting users, addelete can delete the user’s home directory and its contents if the path is stored in the homeDirectory attribute, or if a path to the parent directory is given on the command line.
  • Multiple objects may be deleted using an input file.

Addelhome

Addelhome deletes the contents of home directories for one or more users. The home directory paths are retrieved from the homeDirectory attribute and several checks are made to first ensure that the path contained therein is correct.

Adextcheck

The adextcheck program produces a summary of the file extensions in a directory structure or on an entire volume. The extensions are sorted and for each, the number of files and the total space occupied by files with that extension are given. Features of adextcheck include:

  • Can limit the summary to selected extensions.
  • Can produce comma delimited output optionally enclosed in double quotes.
  • Can count the number of and space occupied by files older than a given date for each extension.
  • Can specify the units for the space used (bytes, KB, MB, GB).
  • Can specify whether the extension is treated as those characters after the first or last period for those files with multiple periods in the name.
  • Can sort the results on any of the possible output columns.
  • Works on Windows and NetWare drives.

Adfsrights

Adfsrights displays the effective rights of objects to files and directories. It can do the following:

  • Can display the rights of one object or multiple objects to a single target directory or file, or to multiple directories or files.
  • Can filter the results by rights e.g. show only those results where the objects have RWXD rights, or eliminate results where the object has no rights.
  • Can show the rights in a directory structure at the starting level and thereafter only when the rights change. This is probably the most useful way to display an object’s rights to a directory structure.
  • Can produce comma delimited output.

Adfsupdate

Adfsupdate is a file system maintenance program. It can do the following:

  • Copy selected files, or an entire directory structure to multiple hosts, retaining all file attributes, dates and ownership.
  • Perform a selective copy or delete based on attributes (e.g. the archive bit is set), owner, creation date, modification date or last accessed date.
  • Perform an update copy transferring only newer files or those which do not exist in the target directory.
  • Perform a mirror copy which, in addition to updating files in the target directories, removes any files and directories which do not exist in the source.
  • Optionally retain ownership and DACL entries if sufficient rights are held when copying.
  • Delete individual files or entire directory structures from one or more hosts.
  • List the files to be deleted for a selective delete, without actually deleting them.
  • Delete files but retain the directory structure.
  • Delete or overwrite files flagged read-only.
  • Set file and directory attributes.
  • Rename files.
  • Works on both Windows and NetWare drives.
  • Supports paths up to 1024 characters in length.

Adgetdirquota

Adgetdirquota displays directory quotas, usage, space available, template applied, quota status, peak usage, peak usage times and warning thresholds, individually or en masse. It can do the following:

  • Process individual directories, all subdirectories of a directory, or all directories in a tree.
  • Display quota values for the home directories of individual users, users selected via wildcards, or for all members of a group. The home directory for each user is obtained from their homeDirectory attribute.
  • The values can be displayed in bytes, KB, MB or GB.
  • Filter the results on any of the fields e.g. directories without a quota, or users whose home directory usage exceeds 500MB.
  • Sort the results by any of the fields.

Adgetobjsec

Adgetobjsec displays components of the security descriptor from the ntSecurityDescriptor attribute for objects of any class in Active Directory. It can do the following:

  • Display any combination of the DACL, SACL, owner, group and security descriptor flags.
  • Display components for a single object, objects selected via wildcards, all members of a group, a group object or a list of objects in a file.
  • Display explicit (non-inherited) ACEs, inherited ACEs, or both.
  • Display all or any combination of ACE types from the DACL and SACL e.g. deny and deny object ACEs.
  • Display only those ACEs with a specified object type.
  • Display only those ACEs with a specified inherited object type.
  • Display ACEs selectively based on the permissions granted or denied.
  • Suppress the display of DACL and SACL ACEs for well-known security identifiers such as “NT AUTHORITY\SELF”.
  • Display the rights in character form e.g. CR or as a 32 bit hexadecimal value representing the permissions mask.
  • Has flexible output formats including selected ACE fields in any order and optionally in comma or semicolon delimited format.
  • Sort the results on any field.

Adgetvolquota

Adgetvolquota displays disk quotas, disk usage, space available and warning thresholds for multiple users. Features include:

  • Can display values for a single user, users selected using wildcards, all members of a group, or a list of users in a file.
  • Can display values for each user’s home volume by reading the homeDirectory attribute, or can display values on a designated volume.
  • The values can be displayed in bytes, KB, MB or GB.
  • Can sort into ascending or descending order of quota, space used, space available, warning threshold or by user name.
  • Can display only totals for quotas and usage.
  • Can select which fields are displayed and their order.
  • Can filter by value e.g. list all users whose usage exceeds 500 MB, all users without a quota, or all users whose usage is within 20% of their quota.
  • Can display all entries in the quota tables on a selected volume.

Adgetrest

Adgetrest displays account restrictions for multiple users. These include:

    Account is disabled                 Password change next logon
    Account is expired                  Password is expired
    Account expiration date and time    Password expiration date and time
    Account is locked                   Password history length
    Creation date and time              Password last change date/time
    Intruder lockout bad logon count    Password minimum age
    Intruder lockout date and time      Password minimum length
    Intruder lockout period             Password maximum age
    Intruder lockout reset time         Password is required
    Intruder lockout threshold          Password reversible encryption allowed
    Last login date and time            Password settings object
    Last unsuccessful login date        Password user can change
    Logon hours                         Password unique required
    Modification date and time          Workstation restrictions
    Password complexity required

Note that some of these are set at the domain level or via a password settings object, and some at the user level. The features of adgetrest include:

  • Supports users, inetOrgPersons and computers.
  • Display restrictions for a single object, objects selected using wildcards, all members of a group (optionally including nested groups), or a list of objects in a file.
  • Can display all restrictions, or a single restriction e.g. password minimum length.
  • Can control the order and width of each output field (user name, domain name, display name, restriction value) when displaying individual restrictions.
  • Can sort into ascending or descending order by object name or by restriction value.
  • Can filter by restriction value e.g. list all users whose account has expired, or all users without an account expiration date and time.
  • Can process objects in the specified container and all containers below it.
  • Can retrieve values from a designated domain controller.
  • Values for last logon and the modification date and time are retrieved from all domain controllers and the most recent value is displayed.
  • Can set an error level indicating the number of matching objects. This allows testing in a batch file for example if a particular user’s account is disabled.

Adgetval

Adgetval displays values for almost any attribute and object class. Features include:

  • Display values for a single object, objects selected using wildcards, all members of a group, or a list of objects in a file.
  • Can display single attributes, multiple attributes or all attributes for each object.
  • Can use a template file containing text and substitution identifiers to format the results e.g. as commands for input to another program.
  • Can display objects which have a value, or do not have a value for a particular attribute.
  • Can display the number of values for each attribute rather than the actual values.
  • Knows how to display many attributes e.g. it correctly formats object SIDs and object GUIDs which are stored as octet strings.
  • Can retrieve values from a designated domain controller.
  • Values for last logon and the modification date and time are retrieved from all domain controllers and the most recent value is displayed.
  • Can sort by object name or attribute value.
  • Supports the following pseudo-attributes for user objects. These are derived values (e.g. accountLocked), bit values from userAccountControl (e.g. accountDisabled), values which are domain wide or from a password settings object (e.g. passwordMinimumLength), or terminal services values read from the userParameters attribute.
    accountDisabled               passwordUniqueRequired
    accountExpired                primaryGroupName
    accountLocked                 tsAllowLogon
    homedirRequired               tsBrokenConnectionAction
    lockoutDuration               tsConnectClientDrivesAtLogon
    lockoutThreshold              tsConnectClientPrintersAtLogon
    lockoutWindow                 tsDefaultToMainPrinter
    passwordChangeNextLogon       tsEnableRemoteControl
    passwordComplexityRequired    tsHomeDirectory
    passwordExpired               tsHomeDrive
    passwordExpires               tsInitialProgram
    passwordHistoryLength         tsMaxConnectionTime
    passwordMaximumAge            tsMaxDisconnectionTime
    passwordMinimumAge            tsMaxIdleTime
    passwordMinimumLength         tsProfilePath
    passwordNeverExpires          tsReconnectionAction
    passwordRequired              tsWorkDirectory
    passwordReverseEncryption

Adgrpadd

Adgrpadd adds one or more members to a group. Its features include:

  • Can process a single group or a file containing a list of groups.
  • Supports local groups on workstations and member servers.
  • Can create both security and distribution groups.
  • Can accept one or more members on the command line.
  • Can add all members of another group.
  • Can add a list of objects from a file.
  • Can process a file containing one group name and one member name per line.
  • Supports nested groups.
  • Supports adding members from a trusted domain.
  • Supports adding well known objects as members.
  • Supports setting the group as the primary for each user.
  • Can provide an exclusion list of members not to be added. This may be useful when adding via wildcards or when adding all members of one group to another.
  • Allows group membership to be synchronized with the contents of a file. Objects named in the file are added to the group if not already members; members not named in the file are removed. This may be a better option than removing all members and then adding the contents of the file when something is monitoring changes to the group membership and performing an action based on the changes.

Adgrpdel

Adgrpdel removes one or more members from a group. Its features include:

  • Can process a single group or a file containing a list of groups.
  • Supports local groups on workstations and member servers.
  • Can accept one or more members on the command line.
  • Can remove all members of another group.
  • Can remove a list of members from a file.
  • Can process a file containing one group name and one member name per line.
  • Supports nested groups.
  • Supports removing members from a trusted domain.
  • Supports removing well known objects as members.
  • Can delete the group if it has no remaining members.

Adgrplist

Adgrplist lists the members of individual groups or combinations of groups. It can do the following:

  • List the members of a single group.
  • List the members of multiple groups via wildcards in the group name.
  • List members based on selection criteria involving one or more groups. An expression may be given using logical operators ‘and’, ‘or’ and ‘not’ to list members who are or are not members of a combination of groups.
  • Results may be sorted by member name, member’s display name, container or the total number of members.
  • Results may be formatted as adgrpadd or adgrpdel commands.
  • Correctly displays members which are objects in the ForeignSecurityPrincipals container. These are converted to well known object names or to names in a trusted domain.
  • Supports both security and distribution groups.
  • Can expand nested distribution groups, and deals correctly with nesting loops.
  • Can optionally remove duplicated names from the output when expanding nested groups.
  • Can display totals only.

Adgrpmemb

Adgrpmemb may be used to determine in a batch file or script whether an object is a member of a group. Features include:

  • It can set a range of error levels indicating whether the object is or is not a member, and whether the group and object exist.
  • Supports nested groups i.e. can either check or ignore nested group membership.
  • Supports checking memberships for objects in a foreign domain.
  • Supports checking memberships for well known objects.
  • Can execute a given command (e.g. “notepad c:instructions.txt”) when the user is a member of the group.
  • While it performs silently by default setting just an error level, the result can be displayed as a single line of text optionally including the resultant error level.

Adhome

Adhome maps the current drive or a designated drive to the path from a user’s homeDirectory attribute. It can also make the designated drive the current drive. This may be useful when trouble-shooting an issue in a user’s home directory.

Adimport

Adimport is a powerful tool for batch mode management of users. Features include:

  • Creates, updates and deletes users, inetOrgPersons and contacts, and can export attribute values.
  • Can require that the CN is unique in the domain, and/or that the samAccountName equals the CN. Object creation will fail if these conditions cannot be met.
  • Sets and modifies values for a wide range of attributes including all of the terminal services settings stored in the userParameters attribute.
  • Can create home directories, set ownership and assign permissions.
  • Can create profile directories. Version 2 profile paths are supported.
  • Can control which name is used for the lowest level of the home directory and profile paths.
  • Can store the home directory path in the homeDirectory attribute.
  • Can create a second home directory, set ownership and assign permissions.
  • Can create subdirectories of home directories.
  • Can set or remove a disk quota or warning threshold on the home volume or any other volume.
  • Can set or remove a directory quota on the primary or secondary home directories under W2008 onwards.
  • Can create directories associated with group memberships.
  • Can copy attributes from an object serving as a template.
  • Can search AD before object creation to check if a name is unique.
  • Can generate random passwords of any length using numeric, alphanumeric, alphabetic or symbol characters of mixed case or single case. The generated passwords may be written to a file, along with the object name and optionally the server name and object’s description. The random passwords can be generated without them actually being set.
  • Can use two passes through the control and data files, creating objects in the first pass and setting attributes on the second.
  • Can specify a delay after object creation to allow replication to occur.
  • Can delete home directories and their contents when deleting objects.
  • Supports copying files or a directory structure into the home directory or into one of its subdirectories.
  • Can assign a password settings object under W2008 onwards.
  • Can set an alternative primary group.
  • Can move objects into a different container.

Adjrbpass

Adjrbpass is a graphical utility for changing passwords for individual users. It can be used by anyone to change a password providing that they know the current password. Users with appropriate rights can change another user’s password without knowing the old one. Features of adjrbpass include:

  • Can change a user’s Active Directory password.
  • Can change an NT domain password when logged into an NT domain.
  • Can change passwords on the local workstation.
  • Can change NetWare passwords if the Novell client is installed and a connection exists to a NetWare server.
  • When used by someone with sufficient rights, it can unlock an account that has been locked by Windows’ intruder detection, and can expire a password after change.
  • The interface can be modified via command line switches.

Adlist

Adlist lists objects of any class in Active Directory. Features include:

  • Can list all objects of any class in a container.
  • Can list all objects of a particular class in a domain, or branch of the domain.
  • Can locate an object with any common name (or partial name using wildcards) and class in the domain.
  • Can locate objects by samAccountName and by logon name (or user ID) which is the portion of the userPrincipalName preceding the ‘@’ symbol.
  • Can list groups by type (distribution or security) and whether global, local or universal.
  • Can expand common names to distinguished names.
  • Can display the results in csv format.
  • Can identify objects in the domain with duplicate common names.
  • Can return an error level if no matching objects are found, providing a means to detect in a batch file if an object of any class exists.
  • Can set an error level equal to the number of matching objects.
  • Can display any combination of the common name, display name, samAccountName, user logon name (or user ID), userPrincipalName, container and class.
  • Can sort the results by common name, display name, samAccountName, user logon name (or user ID), userPrincipalName, container or class.
  • Can display totals only.
  • Can give the number of objects of the specified class in each container in any branch of the domain, or for the entire domain. An option exists to suppress the output for containers where the count is zero.

Adlookup

Adlookup provides an alternative to adgetval for displaying attributes. It is more limited in scope but provides a convenient means of searching AD for objects with a particular name, or with an attribute such as telephoneNumber containing a specific value. Features include:

  • Can display either all attributes, or selected attributes read from a file for matching objects.
  • Supports users, inetOrgPersons and contacts.
  • Will retrieve values such as minimum password length from a password settings object if applicable under W2008 onwards.
  • Supports exact and partial matches on attribute values.
  • Can sort the results by object name.
  • Can display the results in comma delimited format.

Admove

Admove moves Active Directory leaf objects from one container to another. Features include:

  • Can move a single object, objects selected using wildcards, all members of a group, or a list of objects in a file.
  • Can use an input file with one object to be moved, and the destination container, on each line.

Admovedir

Admovedir moves files and directories from one location to another within the same server and volume by moving the directory entry rather than copying and deleting. It can move entries on both local and network drives and on NetWare if the Novell client is present.

Admovehome

Admovehome moves home directories from one location to another. It can do the following:

  • Create a new home directory and copy the contents of the old home directory. When the home directory is being relocated within the same volume, the default action is to move the directory entry rather than create a new one and copy the contents.
  • Can control the name used for the lowest level of the home directory path. Possible values are the existing directory name (the default), the common name, the sam account name and the user logon name.
  • Set ownership on the new home directory and copy the entire discretionary ACL from the old home directory.
  • Optionally delete the contents of the old home directory if no errors occurred during the copy.
  • Optionally copy a volume quota on the old home volume to the new volume. The volume quota may also be removed from the old volume.
  • Copy a share on the home directory if it is being moved to a different server.
  • Update the homeDirectory attribute.
  • Revoke all rights and ownership to the old home directory. Ownership is set to administrator.
  • Set or clear the archive bit on the copied files.
  • Can create a file of adfsupdate commands to delete the old home directories at a later date.

Adopenfile

Adopenfile displays the files held open on a server by network connections. It can do the following:

  • List all open files in and below a given network path.
  • List all files on a server held open by network connections.
  • Display open files for a given user or for objects selected via wildcards.
  • Close open files.
  • Display the number of locks on each file and the permissions used to open it.
  • Has flexible output options allowing fields to be displayed in any combination and order, and optionally in csv format.
  • The results may be sorted on any field.

Adprdel

Adprdel deletes jobs queued to Windows printers. It can do the following:

  • Delete jobs by ID.
  • Delete jobs for a range of IDs e.g. 20-25.
  • Delete jobs by owner.
  • Delete a selected number of jobs at the top of the queue.
  • Delete all queued jobs.
  • Prompt for confirmation before deleting each job.

Adprjobs

Adprjobs lists jobs queued to Windows printers. Jobs may be selected by owner, and the following fields may be displayed in columnar or delimited format:

    Printer name                                 Notify name
    Computer from which the job was submitted    Path and document name
    Document name                                Print processor
    Submission time                              Job status (printing, deleting, etc)
    Page count                                   Document type
    Pages printed                                Owner
    Job ID                                       Earliest print time
    Priority                                     Latest print time
    Job position                                 Size in bytes

Adpwdexp

Adpwdexp is intended for use in a login script where it displays a warning if the user’s password is about to expire. However, it can also perform the check for any nominated user. The number of days before expiration at which warnings begin is adjustable and defaults to seven. Adpwdexp can also force a password change before or after password expiration. It will prompt for and change the password. Both text mode and GUI versions are available. The GUI version has a number of extra features including:

  • Can change AD domain, NT domain, workstation and NetWare passwords.
  • Can force the window to remain as the topmost window.
  • Allows either one or two lines of user supplied text to be displayed.
  • Can control how long the window warning of impending password expiration remains open.
  • Can prevent changing other passwords if the Active Directory password is not successfully changed first.
  • Can display a customer supplied icon or bitmap on the right of the window.

Adrename

Adrename allows renaming of any class of Active Directory object. Features include:

  • When renaming a user or inetOrgPerson, it will check for the existence of a homeDirectory attribute. If found, adrename will rename the lowest level of the home directory path to match the new name, and update the contents of the homeDirectory attribute.
  • Can specify the home directory path on the command line when the user does not have a homeDirectory attribute.
  • When renaming a user or inetOrgPerson, adrename can rename the profile path and update the profilePath attribute. Version 2 profile paths are supported.
  • Can process an input file containing one old name and one new name per line.
  • Can change the case of the names of existing objects to all lowercase, all uppercase, or to a mixture of upper and lowercase.
  • Can specify a new first (given) name.
  • Can specify a new surname.
  • Can specify a new display name.
  • Can create a new samAccountName to match the new object name.
  • Can update the email address in the mail attribute.
  • Can update the principal name in the userPrincipalName attribute.
  • Can update the value in the Exchange mailNickname attribute.

Adrights

Adrights displays the effective rights of objects in AD to other objects. It can do the following:

  • Display the rights of one or more objects to other objects.
  • Display the rights of one or more objects to an attribute (e.g. department) of other objects.
  • Display the rights of one or more objects to extended rights of objects, e.g. “Reset Password”.
  • The results can be in columnar or delimited format.
  • The results can be filtered based on the effective rights.
  • The results can be sorted on any of six possible output fields.

Adschema

Adschema displays information from the Active Directory schema. The following may be displayed:

  • Object classes in the schema. Wildcards may be used to list only a subset of the defined classes.
  • For each object class, the names of attributes which are valid for that class.
  • For each object class, full details of attributes which are valid for that class.
  • A list of attributes defined in the schema. Wildcards may be used to list only a subset of defined attributes.
  • A list of attributes with the object classes for which the attribute is valid.
  • The adschema program may be used before and after a product install to identify changes made to the schema by the installation.

Adsessions

Adsessions lists current sessions on one or more Windows hosts. It has the following features:

  • Can display a number of fields associated with each session including the object name, computer name, computer IP address, active connection time, number of open files, connection flags, Windows version and transport type.
  • The output fields and their order may be selected, and displayed in columnar or delimited format.
  • The results may be sorted on any of the output fields.
  • Session details may be displayed only for matching objects.
  • Session details may be displayed only for matching computers (name or IP address) from which the connection originates.
  • An error level may be set indicating that a matching object or computer was found, or indicating the number of matches.

Adsetdirquota

Adsetdirquota sets and removes directory quotas individually or en masse. The program must be run on W2008 server or later. It can do the following:

  • Process individual directories, all subdirectories of a directory, or an entire directory structure.
  • Set quota values for the home directories of individual users, users selected via wildcards, or for all members of a group. The home directory for each user is obtained from their homeDirectory attribute.
  • Apply a quota or a quota template.
  • Can increase or decrease existing quotas by a nominated amount or percentage.
  • Set quotas relative to the current usage.
  • Remove quotas and quota templates.
  • Set the quota status to hard, soft or disabled.
  • Reset the peak usage value to the current usage.
  • Prompt for confirmation before setting each value.

Adsethome

Adsethome performs a range of tasks for managing home directories, and the homeDirectory and homeDrive attributes. Features include:

  • Can process a single user or inetOrgPerson, objects selected using wildcards, all members of a group, or a list of objects in a file.
  • When a directory is specified, (e.g. \\moa\students\2011), adsethome will automatically append a name to obtain the complete home path. The name appended may be the common name, sam account name or the user logon name.
  • A complete path can be specified when the lowest level of the home directory does not match any of the object’s names.
  • Can create the home directory if it does not exist. The user is optionally assigned permissions and ownership of the directory.
  • Can set ownership of the entire home directory contents when the home directory already exists.
  • Can create home directories without modifying the contents of the homeDirectory attribute.
  • Can set the homeDirectory attribute without creating the home directory.
  • Can modify ownership and permissions for existing home directories.
  • Can add or remove permissions for another object to each user’s home directory.
  • Can remove a user’s permissions to their home directory.
  • Can delete homeDirectory attributes.
  • Can set or delete the homeDrive attribute.

Adsetowner

Adsetowner is a flexible tool for setting file and directory ownership. It can do the following:

  • For a single user, users selected via wildcards, all members of a group or a list of users in a file, set the ownership of the contents of the home directory. The path is read from the homeDirectory attribute.
  • For a directory, set ownership of the directory and contents to a user corresponding to the directory name e.g. larry for \\yogi\users\larry, or to another named object.
  • For all first level subdirectories of a directory, set ownership of each subdirectory tree to the user corresponding to the directory name. For example, if \\yogi\users has subdirectories harry, barry and larry, a single command can be used to set ownership of files in \\yogi\users\harry to harry, \\yogi\users\barry to barry and \\yogi\users\larry to larry.
  • Set ownership of one or more files and directories to a specified object.
  • Can set ownership of either files or directories, or both.
  • Can prompt for confirmation before modifying each file or directory.
  • Process a file created by adwhodidit to restore one or more of ownership, creation date and time, modification date and time, last access date and time, and attributes.

Adsetpwd

Adsetpwd sets and verifies passwords for Active Directory users. Its features include:

  • Can set a password for an individual user either by supplying the old password, or without it if the person making the change has sufficient rights.
  • Can change passwords for multiple users via wildcards, all members of a group, or an input file.
  • Can accept a new password on the command line, or via an input file if the password has been generated by some other means.
  • Checks for “password Reset” rights when the old password is not supplied, which is faster than attempting the change and having it fail due to insufficient rights.
  • Can set the password to match the user name (subject to any password policy).
  • Can set a different password for each user via an input file containing user name and password pairs on each line.
  • Can generate random passwords of any length using numeric, alphanumeric, alphabetic or symbol characters of mixed case or single case. The generated passwords may be written to a file, along with the user name and optionally the server name and user’s description. The random passwords can be generated without them actually being set.
  • Can check password compliance against the password policy rather than set the password. This requires that adsetpwd be run on Windows 2003 or a more recent server OS. The function used is not supported on Windows 2000 servers or on workstations.
  • Can expire the password after an administrator change.
  • Can verify passwords i.e. determine if a given password is the user’s current password.
  • Can unlock an account before setting a user’s password.
  • Can display the passwords being set or verified when reporting the results. The default is to not do so, but this may be useful when reading passwords from an input file or when generating random passwords.

Adsetrest

Adsetrest sets those account restrictions maintained at the object level rather than domain wide or via a password settings object. These include:

  • Account is disabled
  • Account expiration date and time
  • Account is locked (unlock only)
  • Logon hours
  • Password expired
  • Password never expires
  • Password required
  • Password reversible encryption
  • Password settings object
  • Password user can change
  • Workstation restrictions

Features include:

  • Supports users, inetOrgPersons and computer objects.
  • Restrictions may be set for a single object, objects selected using wildcards, all members of a group, or a list of objects in a file.
  • Can prompt for confirmation before modifying each object.
  • Supports processing nested groups.

Adsettrust

Adsettrust manages ACE entries in the discretionary access control list for files and directories. Specifically, it can do the following:

  • Add grant or deny ACEs for one or more directories or files.
  • Remove grant or deny ACEs for one or more directories or files.
  • Restore ACEs from a file of adsettrust, icacls or cacls commands created by adtrstlist.
  • Accepts wildcards in trustee object names allowing multiple objects to be updated for the same files and directories.
  • Check for and optionally fix ACLs containing duplicate ACEs, incorrectly ordered ACEs or unused space.
  • Grant or remove non-propagated RX rights to each parent directory, or to a specified number of levels of parent directories, thereby providing a means to browse to the directory from the volume root.
  • Modify DACLs on both Active Directory servers and on workstations.
  • Accepts rights in numeric format as well as accepting the well known symbols of R, X, GR, GE etc.
  • Can control the inheritance for each directory. Inheritance can be enabled, disabled with existing ACEs converted to explicit, or disabled with existing inherited ACEs discarded. This can be done at the same time as adding or removing ACEs, or as a stand-alone operation.
  • Remove ACEs containing orphaned SIDs where the corresponding object has been deleted but the SID remains in the file system.

Adsetval

Adsetval can set a wide range of attributes for objects of any class. Its features include:

  • Can set attribute values for a single user, users selected using wildcards, all members of a group, or a list of users in a file.
  • Can set attributes holding text values such as givenName, middleName, sn (surname), description and department.
  • Can be used to change the case of existing values for text attributes.
  • Can set boolean attributes such as msNPAllowDialin.
  • Can set attributes holding integer values such as userAccountControl, codePage or the domain’s maxPwdAge.
  • Can set attributes holding dates as values such as accountExpires.
  • Can set attributes holding object names e.g. member, seeAlso and secretary.
  • Can replace existing values for multi-valued attributes or add new values.
  • Allows the setting or removal of specific bits from 32 bit values stored in integer attributes. For example, adsetval Fred /a=userAccountControl /# +0x02 adds bit 0x02 which disables the account.
  • Can copy a value from another object.
  • Accepts as input a csv file containing one object name and attribute value per line.
  • Can delete all or selected values for an attribute.

Adsetvolquota

Adsetvolquota sets disk quotas and warning thresholds for multiple users. Features include:

  • Can set values for a single user, users selected using wildcards, all members of a group, or a list of users in a file.
  • Can set values on each user’s home volume by reading the homeDirectory attribute, or on a designated volume.
  • Quotas may be specified in units of bytes, KB, MB or GB.
  • Can increase or decrease existing values by a nominated amount or percentage.
  • Can set values relative to the current disk usage e.g. the current usage plus 20% or current usage plus 50MB.
  • Can remove quotas and thresholds.
  • Can prompt for confirmation before setting each value.

Adspace

Adspace displays the maximum space, usage and available space for the home directory of a single user, or for a specific directory. When run by a member of the administrators group, it can display volume based quota information for the home volume of a user, and can display directory quota information under W2008 onwards. For a non-privileged user, adspace retrieves values via a generic win32 function which returns values reflecting a volume based quota if applicable to the caller, and if run on W2008 onwards, directory quotas. However, directory quota information can be retrieved only by programs running on the server on which the quota exists. Adspace can work around this when used in conjunction with the jrbserv Windows system service which responds to a request for quota information for a specific directory, and returns the relevant values to the requestor. Adspace has the following features:

  • Can display volume based quota information, directory quota information or volume wide values when run by a member of the administrators group.
  • Can display correct results for a non-privileged user when a volume based quota is applicable.
  • Can display correct results for a non-privileged user when a directory quota applies to the target directory providing that either adspace is run on the server on which the directory exists, or is used in conjunction with the jrbserv Windows system service.
  • Can display a warning when the free space falls below a specified level, or a specified percentage of the maximum space.
  • The GUI version can run silently, producing a window only when the free space has fallen below the nominated threshold.
  • The GUI version can display the results window for a specified number of seconds before automatically closing it.
  • Very flexible output formats including the ability to provide replacement text containing substitution identifiers for maximum space, free space etc.
  • The values can be displayed in bytes, KB, MB or GB.
  • Can display values for a selected subdirectory of a user’s home directory.
  • Can be run on any Windows host, domain membership is not required.

Adtrstlist

Adtrstlist displays components of the security descriptor for files and directories. It can do the following:

  • Display all or any combination of the DACL, SACL, owner, group and security descriptor flags.
  • Supports both local and network paths.
  • Process selected files and directories, or an entire directory structure.
  • Process a specified path then each of its parent directories.
  • For a single user, users selected via wildcards, all members of a group, a group object or a list of users in a file, display the ACEs in a DACL or SACL for which the object is a trustee. This may be done on a user’s home directory or for a specified directory or file.
  • Suppress the display of DACL and SACL ACEs for well-known security identifiers such as “CREATOR OWNER”.
  • Suppress the display of DACL and SACL ACEs for a list of objects.
  • Display explicit (non-inherited) ACEs, inherited ACEs, or both.
  • Display access allowed ACEs, access denied ACEs, or both.
  • Display ACEs selectively based on the permissions granted or denied.
  • Display only those ACEs containing orphaned SIDs.
  • Display the rights in character form e.g. RWXD or as a 32 bit hexadecimal value representing the permissions mask.
  • Display the ACEs from a DACL as cacls, icacls or adsettrust commands.
  • Display paths for which there are no ACEs for a selected trustee.
  • Has flexible output formats including selected fields in any order and optionally in comma or semicolon delimited format.
  • Sort the results on any field.
  • Can show the actual contents of the DACL by using the old GetFileSecurity function. The newer GetNamedSecurityInfo, which is used by default, returns correct results for inheritance. If the two methods give different results for a particular directory, then the actual contents of the DACL need updating for inheritance.
  • Invokes backup privilege if required to read the DACL.

Adusergrps

Adusergrps lists the groups to which one or more users belong. Features include:

  • Can list group memberships for a single user, users selected using wildcards, all members of a group, or a list of users in a file.
  • Can suppress selected group types (e.g. distribution groups) from the results.
  • Includes the primary group by default.
  • Can include or exclude selected groups.
  • Can display only those groups which exist in the same container as the user, or in a particular container.
  • Can sort the users and/or groups belonged to.
  • Has flexible formatting options including the ability to list the results as adgrpadd and adgrpdel commands.
  • Supports nested groups.

Adwhodidit

Adwhodidit displays selected information about files and directories which is useful in determining when they were created, modified, last accessed and by whom. It can list any combination of the following fields:

  • Attributes
  • Creation date and time
  • The cumulative usage in a directory
  • File or directory extension
  • Last access date and time
  • Length of each path
  • Logical size as shown by Explorer
  • Long name
  • Modification date and time
  • Number of files in each directory
  • Owner
  • Physical size (for compressed or sparse files)
  • Short (DOS) name
  • Space used exclusive of subdirectories
  • Space used inclusive of subdirectories

Features include:

  • The user may select which of the above are to be displayed, in what order, and the width of the columns.
  • A template file containing text and substitution identifiers may be used. This allows any combination of values to be given in any format and may be useful to create a batch file of commands incorporating file names.
  • The results may be filtered on any value e.g. it is possible to display details of files greater than a certain size, files which are compressed, or all files and directories owned by a particular user.
  • Filters may be combined in a logical expression e.g. “(owner=John) and (size gt 100mb)”.
  • Can display only the total files or directories.
  • Can display file and directory information for both Windows and NetWare drives. The full NetWare functionality is available when run on a machine with the Novell client installed.