Free Active directory tools or scripts?

Posted on 2009-05-16
Last Modified: 2012-05-07
Does anyone know if there are any good/free Active directory tools/scripts that can be shared or downloaded?

Specifically, I am most interested in reporting and creating users from templates.

One report in particular that I am very interested in:
I would like a report that tells me all the users, all the groups those users belong to, and all the shares those groups belong to.
Not asking for much huh?  :-)
Question by:Miahmichno
LVL 47

Expert Comment

by:Donald Stewart
ID: 24404753
LVL 57

Expert Comment

by:Mike Kline
ID: 24405193
Yeah, so I'm also a huge joeware fan; one of his tools is adfind.
So for a user dump use
adfind -default -f "(&(objectcategory=person)(objectclass=user))" samaccountname givenname sn memberof -csv -nodn > c:\users.csv
That will create the csv on your C drive.
You can also use PowerShell for things like that (Quest AD cmdlets come in handy).
As for shares, you will have to scan them and look at the ACLs. Some free tools for that are ShareEnum from Microsoft and dumpsec from somarsoft.
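
The report the question asks for (users, the groups they belong to, and the shares those groups can reach), sketched in PowerShell as an added example that is not part of any post in this thread. It assumes the Microsoft ActiveDirectory module and the SmbShare cmdlets (Windows Server 2012 or later) rather than the Quest cmdlets mentioned above; the server name and output file name are placeholders.

```powershell
# Added example (not from the thread): user -> group -> share access report.
# Assumes the RSAT ActiveDirectory module and file servers that support the
# SmbShare cmdlets over CIM. FS01.example.test is a placeholder server name.
Import-Module ActiveDirectory

$fileServers = @('FS01.example.test')
$netbios     = (Get-ADDomain).NetBIOSName

$report = foreach ($server in $fileServers) {
    $cim = New-CimSession -ComputerName $server
    try {
        # -Special $false skips administrative shares such as C$, ADMIN$ and IPC$
        foreach ($share in Get-SmbShare -CimSession $cim -Special $false) {
            foreach ($ace in Get-SmbShareAccess -CimSession $cim -Name $share.Name) {
                # Only domain principals can be expanded through AD
                if ($ace.AccountName -notlike "$netbios\*") { continue }
                $sam = ($ace.AccountName -split '\\', 2)[1].Replace("'", "''")
                $principal = Get-ADObject -Filter "sAMAccountName -eq '$sam'"
                if (-not $principal) { continue }

                # A group ACE is expanded to its nested user members; a user ACE
                # is reported as direct access; other object classes are skipped.
                $users = switch ($principal.ObjectClass) {
                    'group' { Get-ADGroupMember -Identity $principal.DistinguishedName -Recursive |
                                  Where-Object { $_.objectClass -eq 'user' } }
                    'user'  { Get-ADUser -Identity $principal.DistinguishedName }
                }

                foreach ($user in $users) {
                    [pscustomobject]@{
                        User  = $user.SamAccountName
                        Via   = $ace.AccountName
                        Share = "\\$server\$($share.Name)"
                        Type  = $ace.AccessControlType   # Allow or Deny
                        Right = $ace.AccessRight         # Full, Change, Read or Custom
                    }
                }
            }
        }
    } finally {
        Remove-CimSession -CimSession $cim
    }
}

$report | Sort-Object User, Share |
    Export-Csv -Path .\share-access-report.csv -NoTypeInformation
```

This covers share-level permissions only; effective access is further limited by the NTFS ACL on the shared folder, so review both when using the report for an access audit.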

Expert Comment

ID: 24406647

Expert Comment

ID: 24416094
try this for the reporting....another script to follow for perms
Option Explicit 
Dim objConnection, objCommand, objRootDSE, strDNSDomain, strQuery 
Dim objRecordSet, strDN, objGroup 
Dim FileSystem, oFile 
' Open Text File for Output 
Set FileSystem = WScript.CreateObject("Scripting.FileSystemObject") 
Set oFile = FileSystem.CreateTextFile("GroupMemebrshipNew.html", True) 
oFile.writeLine "<HTML><HEAD><TITLE>Group Membership for</TITLE></HEAD><BODY>" 
oFile.writeLine "<h4><TABLE width=100% border=0 padding=0 cellspacing=0 valign=top>" 
' Use ADO to search Active Directory. 
Set objConnection = CreateObject("ADODB.Connection") 
Set objCommand = CreateObject("ADODB.Command") 
objConnection.Provider = "ADsDSOObject" 
objConnection.Open "Active Directory Provider" 
Set objCommand.ActiveConnection = objConnection 
' Determine the DNS domain from the RootDSE object. 
Set objRootDSE = GetObject("LDAP://RootDSE") 
strDNSDomain = objRootDSE.Get("defaultNamingContext") 
' Search for all groups, return the Distinguished Name of each. 
strQuery = "<LDAP://" & strDNSDomain _ 
& ">;(objectClass=group);distinguishedName;subtree" 
objCommand.CommandText = strQuery 
objCommand.Properties("Page Size") = 100 
objCommand.Properties("Timeout") = 30 
objCommand.Properties("Cache Results") = False 
Set objRecordSet = objCommand.Execute 
If objRecordSet.EOF Then 
Wscript.Echo "No groups found" 
Set objRootDSE = Nothing 
Set objConnection = Nothing 
Set objCommand = Nothing 
Set objRecordSet = Nothing 
' Stop here: the recordset has been released and there is nothing to report. 
Wscript.Quit 
End If 
' Enumerate all groups, bind to each, and document group members. 
Do Until objRecordSet.EOF 
strDN = objRecordSet.Fields("distinguishedName") 
Set objGroup = GetObject("LDAP://" & strDN) 
oFile.writeLine "<TR>" 
oFile.writeLine "<TD width=20% valign=top bgcolor=black><font color=white><strong><u>" & "Group Name:" &_ 
"</u></strong></font></TD><TD width=80% valign=top><strong>" &_ 
objGroup.SAMaccountName & "</strong></TD>" 
oFile.writeLine "</TR><TR>" 
oFile.writeLine "<TD valign=top bgcolor=black><font color=white><strong><u>" & "Distinguished Name:" &_ 
"</u></strong></font></TD><TD valign=top><strong>" &_ 
objGroup.distinguishedName & "</strong></TD>" 
oFile.writeLine "</TR><TR>" 
oFile.writeLine "<TD valign=top bgcolor=black><font color=white><strong><u>" & "Description:" &_ 
"</u></strong></font></TD><TD valign=top><strong>" &_ 
objGroup.description & "</strong></TD>" 
oFile.writeLine "</TR><TR>" 
oFile.writeLine "<TD valign=top bgcolor=black><font color=white><strong><u>" & "Type:" & "</u></strong></font></TD><TD valign=top><strong>" & GetType(objGroup.groupType) & "</strong></TD>" 
oFile.writeLine "</TR>" 
oFile.writeLine "<TR><TD valign=top bgcolor=black><font color=white><strong><u>Members:</font></TD><TD align=left valign=top>" 
oFile.writeLine "<TABLE width=70% border=0 cellspacing=0 cellpadding=0>" 
oFile.writeLine "<Tr>" 
oFile.writeLine " <TD valign=top><strong><u> Name </u></strong></TD>" 
oFile.writeLine " <TD valign=top><strong><u> Account </u></strong></TD>" 
oFile.writeLine " <TD valign=top><strong><u> Type </u></strong></TD>" 
oFile.writeLine "</Tr>" 
Call GetMembers(objGroup) 
oFile.writeLine "</TABLE>" 
oFile.writeLine "</TD></TR>" 
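oFile.writeLine "<TR><TD COLSPAN=2><hr width=90%></TD></TR>" 
' Advance to the next group; without this the loop never ends. 
objRecordSet.MoveNext 
Loop 
oFile.writeLine "</TABLE></BODY></HTML>" 
oFile.Close 
msgBox "Done !!!" 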
' Clean up. 
Set objRootDSE = Nothing 
Set objGroup = Nothing 
Set objConnection = Nothing 
Set objCommand = Nothing 
Set objRecordSet = Nothing 
Function GetType(intType) 
' Function to determine group type from the GroupType attribute. 
If (intType And &h01) <> 0 Then 
GetType = "Built-in" 
ElseIf (intType And &h02) <> 0 Then 
GetType = "Global" 
ElseIf (intType And &h04) <> 0 Then 
GetType = "Local" 
ElseIf (intType And &h08) <> 0 Then 
GetType = "Universal" 
End If 
' The high bit marks a security group; otherwise it is a distribution group. 
If (intType And &h80000000) <> 0 Then 
GetType = GetType & "/Security" 
Else 
GetType = GetType & "/Distribution" 
End If 
End Function 
Sub GetMembers(objADObject) 
' Subroutine to document group membership. 
' Members can be users or groups. 
Dim objMember, strType 
For Each objMember In objADObject.Members 
If UCase(Left(objMember.objectCategory, 8)) = "CN=GROUP" Then 
strType = "Group" 
Else 
strType = "User" 
End If 
oFile.writeLine "<TR>" 
oFile.writeLine "<TD valign=top>" & objMember.displayName & _ 
"</TD><TD valign=top>" & objMember.SAMaccountName & _ 
"</TD><TD valign=top>" & strType & "</TD>" 
oFile.writeLine "</TR>" 
' Wscript.Echo " Member: " & objMember.sAMAccountName & " (" & strType & ")" 
Next 
Set objMember = Nothing 
End Sub



Accepted Solution

crokeefe28 earned 50 total points
ID: 24416183
The dsrevoke syntax is as follows

Using Dsrevoke
Dsrevoke.exe has the following syntax:

dsrevoke /report|/remove [/domain:domainname] [/username:username] [/password:password|*] [/root:domain/OU] securityprincipal

Descriptions for each option are as follows:

/report: Reports the explicit ACEs that are currently set for the specified security principal on OU objects in the specified domain or an OU subtree. By default, the command dsrevoke /report starts at the domain root and searches every OU below that root for explicit ACEs that are granted to the specified security principal. If you are sure that the permissions for a security group are set only on or below a specific OU, you can specify the scope of the search by using the /OU switch to make the search more efficient.

/remove: Reports all explicit ACEs and then, after prompting for confirmation, removes the ACEs that are currently set for the security principal, including all inherited ACEs.

/domain: The DNS or NetBIOS name of the domain in which the permissions are to be removed. This value must be specified only when the ACEs that you want to remove are set on OUs in a domain other than the domain of the logged-on user.

/username: The user name of the user who is using the tool. This value is required when:

The user is not logged on as an administrator.

ACEs are being removed in a domain other than the domain of the logged-on user.

/password: The password of the tool user. If the command is entered with an asterisk (*) in place of a password, the tool prompts the user for a password.

/root: The OU or domain root at which to start the search for ACEs. If no value is specified, the search begins at the root of the specified domain. If no domain is specified, the search begins at the root of the domain of the logged-on user. When specifying a root domain or OU, you must use the distinguished name (for example, /root:OU=BusUnits,DC=DomainA,DC=com). If spaces occur in any part of the distinguished name, enclose the entire option in quotation marks (for example, "/root:OU=Product Development,OU=Delegation,OU=Business Units,DC=DomainA,DC=com").

/securityprincipal: The identity of the user or group in the form DomainName\UserName or DomainName\GroupName. Use the DNS name or NetBIOS name of the domain


Expert Comment

ID: 26379321
As for good Active Directory tools, try Adaxes from Softerra. But it is free for 30 days only.

Expert Comment

ID: 26397523
As for good Active Directory tools, try Adaxes from Softerra. But it is free for 30 days only.

Expert Comment

ID: 32817852
That's really fantastic, it works with me.
