LDAP

Mapping Your AD: VBScript to List OUs in Parent-Child Order | Lazy Admin Blog

Posted on Updated on

When you’re managing a complex Active Directory environment, getting a clear “birds-eye view” of your structure is essential. While the Active Directory Users & Computers (dsa.msc) snap-in is great for manual navigation, sometimes you need a flat text output that preserves the visual hierarchy of your Organizational Units (OUs).

The following VBScript crawls your LDAP directory and mirrors the parent-child nesting you see in your GUI tools.

📜 The Script: ListAllOUs_ParentChild.vbs

Copy the code below and save it as ListAllOUs_ParentChild.vbs.

VBScript
Option Explicit
Const ADS_SCOPE_SUBTREE = 2
Dim ObjConn, ObjRS, ObjRootDSE
Dim StrSQL, StrDomName, ObjOU
' Get the local domain name
Set ObjRootDSE = GetObject("LDAP://RootDSE")
StrDomName = Trim(ObjRootDSE.Get("DefaultNamingContext"))
Set ObjRootDSE = Nothing
' SQL Query to find OUs (Excluding Domain Controllers)
StrSQL = "Select Name, ADsPath From 'LDAP://" & StrDomName & "' Where ObjectCategory = 'OrganizationalUnit' And Name <> 'Domain Controllers'"
Set ObjConn = CreateObject("ADODB.Connection")
ObjConn.Provider = "ADsDSOObject"
ObjConn.Open "Active Directory Provider"
Set ObjRS = CreateObject("ADODB.Recordset")
ObjRS.Open StrSQL, ObjConn
If Not ObjRS.EOF Then
    ObjRS.MoveLast: ObjRS.MoveFirst
    WScript.Echo vbNullString
    WScript.Echo "Total OU: " & Trim(ObjRS.RecordCount)
    WScript.Echo "==================="
    WScript.Echo vbNullString
    
    While Not ObjRS.EOF
        Set ObjOU = GetObject(Trim(ObjRS.Fields("ADsPath").Value))
        ' Check if it's a top-level Parent OU
        If StrComp(Right(Trim(ObjOU.Parent), Len(Trim(ObjOU.Parent)) - 7), StrDomName, VbTextCompare) = 0 Then
            WScript.Echo "Parent OU: " & Trim(ObjRS.Fields("Name").Value)
            GetChild(ObjOU)
        End If      
        ObjRS.MoveNext
        Set ObjOU = Nothing
    Wend
End If
ObjRS.Close: Set ObjRS = Nothing
ObjConn.Close: Set ObjConn = Nothing
' Subroutine to find first-level children
Private Sub GetChild(ThisObject)
    Dim ObjChild
    For Each ObjChild In ThisObject
        If StrComp(Trim(ObjChild.Class), "OrganizationalUnit", VbTextCompare) = 0 Then
            WScript.Echo vbTab & ">> Child OU: " & Right(Trim(ObjChild.Name), Len(Trim(ObjChild.Name)) - 3)
            GetGrandChild (ObjChild.ADsPath)
        End If      
    Next
End Sub
' Recursive subroutine to find all nested children
Private Sub GetGrandChild (ThisADsPath)
    Dim ObjGrand, ObjItem
    Set ObjGrand = GetObject(ThisADsPath)
    For Each ObjItem In ObjGrand
        If StrComp(Trim(ObjItem.Class), "OrganizationalUnit", VbTextCompare) = 0 Then
            WScript.Echo vbTab & vbTab & ">> Child OU: " & Right(Trim(ObjItem.Name), Len(Trim(ObjItem.Name)) - 3)
            GetGrandChild Trim(ObjItem.ADsPath)
        End If
    Next    
    Set ObjGrand = Nothing
End Sub

🚀 How to Execute

To run this script correctly and avoid “Windows Script Host” popup boxes for every line, you must use the command-line engine (CScript).

Example Command: CScript /NoLogo ListAllOUs_ParentChild.vbs

Output Preview:

Parent OU: Sales

Child OU: North_Region

Child OU: South_Region

>> Child OU: Retail_Stores

#ActiveDirectory #SysAdmin #WindowsServer #Automation #VBScript #ITAdmin #LazyAdmin #LDAP #DirectoryServices #InfrastructureAsCode #Scripting #ADUC

This entry was posted in Active Directory, Scripts and tagged , , , , , , , , , .

Deep Audit: Listing Nested Active Directory Group Members via VBScript | Lazy Admin Blog

Posted on Updated on

Have you ever looked at a “Domain Admins” group and thought it looked suspiciously small? The culprit is usually nesting. Standard AD queries often fail to “recurse,” meaning they show you the subgroup but not the people inside it.

This script, ListGroupMembers_IncludingNested.vbs, uses a recursive function to dive into every sub-group and extract the actual users, ensuring your security audits are 100% accurate.

The Script: How it Works

The script utilizes a Dictionary Object to keep track of groups it has already scanned. This is a critical “Lazy Admin” safety feature—it prevents the script from getting stuck in an infinite loop if two groups are members of each other.

Usage Instructions

  1. Copy the code below into Notepad.
  2. Edit the StrGroupName variable to match your target group.
  3. Save the file as ListGroupMembers.vbs.
  4. Run it from the command prompt using cscript ListGroupMembers.vbs.
VBScript
' -- Save as ListGroupMembers_IncludingNested.vbs
Option Explicit
Dim ObjRootDSE, ObjConn, ObjRS, ObjCustom
Dim StrDomainName, StrGroupName, StrSQL, StrGroupDN, StrEmptySpace
Set ObjRootDSE = GetObject("LDAP://RootDSE")
StrDomainName = Trim(ObjRootDSE.Get("DefaultNamingContext"))
' -- Edit the line below with your Group Name
StrGroupName = "YourGroupNameHere" 
StrSQL = "Select ADsPath From 'LDAP://" & StrDomainName & "' Where ObjectCategory = 'Group' AND Name = '" & StrGroupName & "'"
Set ObjConn = CreateObject("ADODB.Connection")
ObjConn.Provider = "ADsDSOObject": ObjConn.Open "Active Directory Provider"
Set ObjRS = ObjConn.Execute(StrSQL)
If ObjRS.EOF Then
    WScript.Echo "Group not found: " & StrGroupName
Else
    StrGroupDN = Trim(ObjRS.Fields("ADsPath").Value)
    Set ObjCustom = CreateObject("Scripting.Dictionary")
    GetAllNestedMembers StrGroupDN, " ", ObjCustom
End If

Why VBScript in 2026?

While PowerShell is the modern standard, many legacy environments and automated scheduled tasks still rely on VBScript because it requires zero execution policy changes and runs natively on every Windows machine since Server 2000. It is the “Old Reliable” of the AD world.

Key Features of this Script

  • Recursive Discovery: It doesn’t just stop at the first layer.
  • Class Identification: Clearly marks if a member is a User, Computer, or another Group.
  • Loop Protection: Uses the Scripting.Dictionary to escape circular nesting traps.

#ActiveDirectory #WindowsServer #CyberSecurity #SysAdmin #ITAudit #VBScript #Automation #LazyAdmin #TechArchive

This entry was posted in Active Directory, Scripts and tagged , , , , , , , , .

Master the Forest: Top Active Directory Interview Questions & Answers | Lazy Admin Blog

Posted on Updated on

Part 1: The Logical vs. Physical Structure

Understanding how AD is organized is the first step in mastering the service. Interviewers often look for the distinction between how objects are managed (logical) and how traffic flows (physical).

Logical Components

These define the administrative boundaries and hierarchy:

  • Forest: The uppermost boundary. It contains one or more trees that share a common schema and global catalog.
  • Tree: A collection of domains that share a contiguous namespace (e.g., corp.com and dev.corp.com).
  • Domain: The primary unit of replication and security. All objects in a domain share a common database (ntds.dit).
  • Organizational Unit (OU): Containers used to organize objects within a domain. OUs are primarily used to delegate administration and apply Group Policy.

Physical Components

These define how AD exists on hardware and over the network:

  • Domain Controllers (DC): The servers that host the AD database and handle authentication.
  • Sites: A grouping of IP subnets connected by high-speed links. Sites are used to control replication traffic and ensure users log on to a local DC rather than one across a slow WAN link.

Part 2: The Core “Under the Hood” Mechanics

The Active Directory Database

The database is stored in %systemroot%\ntds as ntds.dit. Key files include:

  • edb.log: Transaction logs (changes are written here first).
  • res1.log / res2.log: Reserve logs to ensure the system can write to disk if space runs out.
  • edb.chk: The checkpoint file that tracks which transactions have been committed to the database.

The Global Catalog (GC)

The GC is a partial, read-only replica of every object in the forest. It allows users to search for resources (like a printer in another domain) without needing to query every single DC in the forest.

SYSVOL Folder

The SYSVOL folder is a shared directory on every DC that stores the domain’s public files, including:

  • Login scripts (Netlogon share).
  • Group Policy Templates.
  • It is kept in sync across all DCs using the File Replication Service (FRS) or DFSR.

Part 3: Protocols and Naming

LDAP (Lightweight Directory Access Protocol)

LDAP is the language used to talk to Active Directory. It follows the X.500 standard and uses TCP/IP.

  • Distinguished Name (DN): The full path to an object (e.g., CN=JohnDoe,OU=Sales,DC=corp,DC=com).
  • Relative Distinguished Name (RDN): Just the object’s name (e.g., JohnDoe).
  • UPN (User Principal Name): The “email-style” login name (e.g., johndoe@corp.com).

Part 4: Essential Admin Tools

ToolPurpose
ADSIEditA low-level “registry editor” for Active Directory objects and attributes.
LDPA tool for performing LDAP searches and operations manually.
RepadminThe go-to command-line tool for diagnosing replication health.
NetdomUsed for managing trust relationships and joining computers to domains via CLI.
Dcpromo(Legacy) The command to promote or demote a Domain Controller.

Common Interview Scenario: “My Replication is Broken”

Answer: I would start by checking connectivity between sites. Then, I would use repadmin /showrepl to see which naming contexts (Domain, Configuration, or Schema) are failing. I’d also check the DNS SRV records to ensure the DCs can find each other.

#ActiveDirectory #SysAdmin #WindowsServer #ITJobs #TechInterview #Microsoft #Networking #ITOps #LazyAdmin

This entry was posted in Active Directory, Interview, Windows and tagged , , , , , , , , , .

LDIFDE vs. CSVDE: How to Export Active Directory Data

Posted on Updated on

Exporting Active Directory objects doesn’t require complex scripts. Windows includes built-in tools to handle this via the command line. Choosing between them depends on what you plan to do with the data.

1. LDIFDE (LDAP Data Interchange Format)

Best for: Migrations and bulk modifications.

LDIFDE exports data in the .ldf format. This format is superior for importing data back into AD because it can handle operations like add, modify, and delete.

Command Syntax:

DOS

ldifde -f Exportuser.ldf -s ADservername -d "CN=username,CN=Users,DC=domain,DC=com"
  • -f: The filename for the export.
  • -s: The source Active Directory server.
  • -d: The Distinguished Name (DN) of the root search point.

2. CSVDE (Comma Separated Value)

Best for: Reporting and Excel analysis.

CSVDE exports data into a standard CSV format. This is perfect if you need to create a spreadsheet of user attributes for a manager or an audit. Note that CSVDE cannot be used to modify existing objects; it only supports “Add” operations during an import.

Advanced Export Command:

This command filters for specific objects with mailboxes and pulls a massive list of attributes (Name, Company, Title, Phone, etc.):

DOS

csvde -m -f Mailboxes.csv -d "OU=Users,DC=domain,DC=com" -r "(&(objectClass=user)(mail=*))" -l "objectClass,displayName,memberOf,proxyAddresses,title,telephoneNumber,company,userPrincipalName,sAMAccountName"
  • -m: Omits binary attributes (like objectGUID) that aren’t readable in text.
  • -r: The LDAP filter (e.g., only users with an email address).
  • -l: The list of specific attributes you want to include in the columns.

Comparison Table: Which should you use?

FeatureLDIFDECSVDE
Output FormatPlain Text (.ldf)Comma Separated (.csv)
Best UseModifying/Moving ObjectsReporting / Spreadsheet Analysis
ReadabilityHarder for humansVery easy (Excel)
Import SupportAdd, Modify, DeleteAdd only

The LazyAdmin Tip: Always use the -m switch with CSVDE. If you don’t, your CSV file will be filled with unreadable binary strings for attributes like user certificates or SID history, making it almost impossible to use in Excel!

#ActiveDirectory #SysAdmin #ITPro #DataExport #WindowsServer #CSVDE #LDIFDE #LazyAdmin #TechTips #ServerManagement

This entry was posted in Active Directory, Windows and tagged , , , , , , , , .

Installing ADSI Edit on Windows Server 2003

Posted on Updated on

Whether you are performing a schema extension or manually cleaning up metadata after a failed Domain Controller demotion, ADSI Edit is the tool you need. Because it interacts directly with the Active Directory database, it is powerful—and dangerous.

Warning: ADSI Edit does not have “undo” functionality. Always ensure you have a valid System State backup before making manual attribute changes.

Step 1: Locating the Installation Files

On Windows Server 2003, ADSI Edit is not installed by default. It is part of the Windows Support Tools package.

  • From the CD: Insert your Windows Server 2003 installation media and navigate to: [CD-DRIVE]:\SUPPORT\TOOLS\
  • Run the Installer: Double-click SUPTOOLS.MSI and follow the installation wizard.
  • No CD? You can download the “Windows Server 2003 Service Pack 2 Support Tools” directly from the Microsoft Download Center.

Step 2: Launching the Console

Once the Support Tools are installed, you can launch the editor:

  1. Go to Start > Run.
  2. Type adsiedit.msc and press Enter.

Step 3: Troubleshooting “adsiedit.msc not found”

If you have installed the tools but still receive an error that the file cannot be found, the system likely hasn’t registered the required library (.dll) file properly.

To manually register the DLL:

  1. Go to Start > Run.
  2. Type the following command: regsvr32 adsiedit.dll
  3. You should see a success message stating that the DllRegisterServer succeeded.

What can you do with ADSI Edit?

ADSI Edit allows you to view and edit the three primary partitions of the Active Directory database:

  • Domain Partition: Contains the users, groups, and OUs.
  • Configuration Partition: Contains forest-wide configuration data (like site topology).
  • Schema Partition: Contains the definitions for every object type and attribute in the forest.

#ActiveDirectory #ADSIEdit #WindowsServer #SysAdmin #ITPro #Microsoft #TechSupport #LazyAdmin #ServerManagement #VintageTech #ADTroubleshooting

This entry was posted in Active Directory, Windows and tagged , , , , , , , , .