|
|
The Resource Kit provides a variety of support tools that can aid in system administration activities. Since they are optional, we provide only an overview of each. Please note that their inclusion or exclusion in the Resource Kit is subject to change. Unless otherwise noted, these tools are launched from the command prompt or the Start 
Run menu. They are described in alphabetical order.
This tool troubleshoots issues associated with Active Directory permissions associated with object access control lists. It reads ACL security attributes and outputs the results in either text or tab-delimited format for review with a text editor or spreadsheet. The command syntax is as follows:
acldiag "ObjectDN" [/chkdeleg] [/fixdeleg] [/geteffective:{User | Group}]
[/schema] [/skip] [/tdo]
ObjectDN refers to the distinguished name of the object and must be included in quote marks. Other Acldiag.exe required and optional parameters are described in Table A.74.
The ADSI development tool is described in Chapter 5.
|
Option |
Description |
|---|---|
|
/chkdeleg |
Checks the security on the object to view delegation templates in use by the Delegation of Control Wizard in the Active Directory Users and Computers snap-in. |
|
/fixdeleg |
Fixes any applied delegations by the Delegation of Control Wizard. |
|
/geteffective: {user | group} |
Outputs effective permissions of the specified user or group in a text-readable format. The wildcard (*) for user or group prints the effective rights of all users and groups in the ACL. |
|
/schema |
Verifies if the object's security includes schema defaults. |
|
/skip |
Suppresses security descriptions. |
|
/tdo |
Outputs in tab-delimited format for use in databases or spreadsheets. |
The Application Compatibility tool determines if a specified application can be used in a Windows Server 2003 environment. It is described in Chapter 2.
This tool provides the status of Advanced Power Management (APM) features and is primarily intended to support older notebook computers. The Advanced Configuration and Power Interface (ACPI) is the default power management scheme for Windows Server 2003.
The syntax for Apmstat.exe is
Admstat [-v]
where -v is used to output the verbose version.
This tool moves users from Windows NT to Windows Server 2003 and is particularly helpful when incremental movement is desired. It also provides an emergency fallback to the older Windows NT policies if Windows Server 2003 fails during the migration period. Clonepr.dll must be run on the destination Windows Server 2003 domain controller, on which objects are duplicated (not moved) from the Windows NT domain controller. It can only be applied within a domain. While clonepr.dll does not recognize the user's password, it works in connection with the Movetree support tool, which does retain the password.
The following files are required to use the Clone Principal.
Clonepr.dll— A COM object to support Clone Principal operations.
Clonegg.vbs— A sample script to clone global groups in a domain.
Cloneggu.vbs— A sample script to clone all the global groups and users.
Clonelg.vbs— A sample script to clone all the local groups in a domain.
Clonepr.vbs— A sample script to clone a single security principal.
Sidhist.vbs— A sample script to add the SID of a source account to the SID History of a destination account.
For more information on the Clone Principal refer to the ClonePrincipal User Guide (clonepr.doc) shipped with the Resource Kit.
This utility analyzes domain controllers and identifies abnormal behavior in the system. It is used in the review of domain controller problems such as connectivity, replication, topology, logon rights, domain controller locator, intersite state, and trust verification.
The Dcdiag.exe syntax is
dcdiag /s:DomainController [/n:NamingContext] [/u:Domain\Username
/p:{* | Password | ""}] [{/a | /e}] [{/q | /v}] [/i] [/f:LogFile]
[/ferr:ErrLog] [/c [/skip:Test]] [/test:Test] [{/h | /?}]
Table A.75 lists the options available with dcdiag command
The Dependency Walker is launched from the command prompt by invoking Depend.exe. It is used to ascertain dependencies for applications and DLLs and is discussed in Chapter 2.
This tool permits the command prompt to query the distributed file system (Dfs). It is used for Dfs root maintenance and troubleshooting, and helps remove metadata left after removal of a domain-level Dfs root.
The syntax for Dfsutil.exe is
Dfsutil [option(s)]
|
Option |
Description |
|---|---|
|
/n:NamingContext |
Defines the type of naming—NetBIOS, DNS, or Distinguished Name. |
|
/s:DomainController |
Uses the home service. |
|
/u:Domain\Username /p:{* | Password | " "} |
Employs the Domain\Username credentials and binds with the password, where " " is a null password and * prompts for a password. |
|
/a |
Tests all site servers. |
|
/e |
Tests all servers enterprise-wide and overrides /a. |
|
/q |
Prints out messages in quiet mode. |
|
/v |
Prints information in verbose or extended mode. |
|
/f:logfile |
Redirects the output to a specified log file. |
|
/ferr:Errlog |
Redirects only fatal errors to a designated error log. |
|
/c |
Runs a comprehensive (all) tests. If the /skip option is also used, it will ignore those tests specified. |
|
/skip:test |
Skips the specified test. |
|
/test:test |
Runs only the test specified. The following tests are valid:
|
|
{/h | /?} |
Displays the proper syntax options in the command prompt. |
|
Option |
Description |
|---|---|
|
/list:Domain [/dcname:DcName] |
Outputs the Dfs in the domains that are fully qualified, with the Active Directory domain name defining a specific domain controller. |
|
/view:\\dfsname\dfsshare [/dcname:DcName] [/level:Level] |
Displays the metadata in \\dfsname\dfsshare and dumps the Active Directory-based Partition Knowledge Table (PKT) that shows the Dfs tree for each computer directory and site location. The |more pipe command can be used. The /dcname option defines a specific domain controller and /level specifies the level of viewing material, with the highest providing greater detail. |
|
/verify:\\dfsname\dfsshare [/dcname:DcName] [/level:Level] |
Verifies metadata in \\dfnsame\dfshare. The /dcname option defines a specific domain controller and /level specifies the level of viewing material, with the highest providing greater detail. |
|
/reinit:ServerName |
Reestablishes or refreshes the Dfs server name. |
|
/whatis:ServerName |
Displays the type of the specified server. |
|
/dfsalt:UNCPath |
Resolves the UNC path for the server. |
|
/clean:ServerName |
Removes the Dfs designation within the registry of the defined server. |
|
/dclist:Domain |
Lists all the domain controllers in the defined domain. |
|
/trusts:Domain/pktinfo [/dfs] |
Lists the trust relationships of the specified domains. |
|
[/level:Level] |
Shows the Partition Kit Table for the designated Dfs. |
|
/pktflush[:EntryToFlush] |
Removes or flushes Partition Kit Table entries. |
|
/spcinfo [/all] |
Outputs the SPC information—the/all switch outputs all the data. |
|
/spcflush[:EntrytoFlush] |
Removes or flushes the SPC data. |
This administrative tool is used to view and diagnosis DNS settings and properties of DNS servers, zones, and resource records. The syntax is
dnscmd ServerName Command [Command Parameters]
This tool is used to manage access control lists. It permits the manipulation of security attributes for Active Directory objects and serves as a command-line alternative to the Active Directory snap-in tools.
|
Option |
Description |
|---|---|
|
ServerName |
Specifies the server to be managed. |
|
IP address |
Specifies the IP address. |
|
Command |
Defines the command desired from the following options:
|
|
Option |
Description |
|---|---|
|
/a |
Outputs permissions, ownership, and auditing data. |
|
/d |
Denies permissions for the specified user or group. |
|
/g |
Grants permissions for the specific user or group. |
|
/i:{c | o | i | p} |
Specifies the inheritance—p = propagate inheritable permissions one level only; s = subobjects only; t = this object and subobjects. |
|
/n |
Replaces the object permissions. |
|
/p |
Sets the object as protected (y = yes) or not (n = no). Lacking the /p option, the current protection flag is preserved. |
|
/r |
Removes the security permissions for specified user or group. |
|
/s |
Restores the security permissions for the specified user or group. |
|
/t |
Restores the security permissions for the object tree. |
|
/? |
Output to syntax options. |
The Dsacls.exe command syntax is as follows:
dsacls object [/a] [/d {user | group}:permissions [...]] [/g {user |
group}:permissions [...]] [/i:{p | s | t}] [/n] [/p:{y | n}] [/r {user
| group} [...]] [/s [/t]] [/?]
This tool compares naming contexts on domain controllers and detects differences. In the case of a Global Catalog, it compares two directory trees within the same or different domains, gathering capacity statistics that include megabytes per server, objects per server, megabytes per object class, and attribute comparisons for replicated objects.
The syntax for Dsastat.exe is
dsastat [/?] [-loglevel:option] [-output:option] [-f:filename] [-s:servername[portnumber][;servername[portnumber];...]] [-t:option] [-sort:option] [-p:entrynumber] [-b:searchpath] [-filter:ldapfilter] [-gcattrs:option[;option;...]]
The Dskprobe.exe command launches the graphical Disk Probe application discussed in Chapter 14.
|
Option |
Description |
|---|---|
|
/? |
Displays the syntax options. |
|
-loglevel:option |
Establishes the extent of logging performed during execution. The valid option values are INFO (default), TRACE, and DEBUG. |
|
-output:option |
Sets where the output of DsaStat is displayed. The valid option values are SCREEN (default), FILE, or BOTH. |
|
-f:filename |
Sets the name for the initialization file to use for parameters if not user-specified |
|
-s:servername[portnumber] [;servername[portnumber]] |
Sets the name of servers to be compared, separated by a semicolon. The server name can include the IP port number. The default port number is the default LDAP port (389). |
|
-t:option |
Determines if a full or statistical comparison is to be made. The option TRUE is for statistical; FALSE is for a complete content comparison. |
|
-sort:option |
Determines if the GUID is to be used as the sorting basis. The option TRUE will sort by GUID; FALSE will not. |
|
-p:entrynumber |
Sets the page size for ldap-search from 1–999, with 54 as the default. |
|
-filter:ldapfilter |
Sets the LDAP filter used in the LDAP search operation. The default is "(objectclass=*)". |
|
-b:searchpath |
Uses the Distinguished Name as the basis of comparison and allows reviews of all subtrees. |
|
-gcattrs:option[;option;...] |
Specifies attributes to be returned for the search. |
This is a debugging tool used to review crash and other system dumps. Its syntax is as follows:
dumpchk [-v] [-p] [-c] [-x] [-e] [-y] [-?] CrashDumpFile
This is a command-line utility employed to verify the version level of an .exe or .dll file. The syntax is as follows:
filever [/s] [/v] [/e] [/x] [/b] [/a] [/d] [[drive:][path][filename]]
|
Option |
Description |
|---|---|
|
-e |
Performs a dump examination. |
|
-c |
Validates the dump file. |
|
-v |
Outputs in verbose mode. |
|
-x |
Performs extra dump file examination. |
|
-y |
Sets the path to the symbols file. |
|
Option |
Description |
|---|---|
|
/a |
Does not display attributes. |
|
/b |
Outputs a bare format with directories. |
|
/d |
Does not display time and date. |
|
/e |
Lists executable components only. |
|
/s |
Shows all directories and subdirectories. |
|
/v |
Uses verbose mode. |
|
/x |
Generates a short name for even non-8.3-based names. |
The gflags command launches a graphical application used by system administrators and developers to edit NTGlobalFlag. This command is used to modify the current flags for the kernel or the global Registry.
CAUTION
Modifying global flags is not advised except by the most experienced developer or system administrator. Consult with Microsoft Professional Services when doing this because flag changes that are inappropriately applied can damage your system.
The syntax used for gflags is
gflag [-r [flag [maxdepth]] [-k [flag]] [-i ImageFileName [flag]] [-l flag commandline...]
|
Option |
Description |
|---|---|
|
-i |
Operates on the specified image. |
|
-I |
Launches the command line for a specified flag. |
|
-r |
Displays Registry settings. |
|
-k |
Operates on the kernel settings. |
The global flag abbreviations and their meanings are
kst— create kernel mode stack trace database.
ust— create user mode stack trace database
dic— debug Initial Command.
dwl— debug WINLOGON.
dhc— disable Heap Coalesce on Free.
ddp— disable kernel mode DbgPrint output.
dps— disable paging of kernel stacks.
dpd— disable protected DLL verification.
ece— enable Close Exception.
d32— enable Win32 Subsystem debugging.
eel— enable Exception Logging.
hat— enable Heap API Call Tracing.
hfc— enable heap free checking.
hpc— enable heap parameter checking.
htg— enable heap tagging.
htd— enable Heap Tagging by DLL.
htc— enable heap tail checking.
hvc— enable heap validation on call.
ksl— enable loading of kernel debugger symbols.
eot— enable Object Handle Type Tagging.
pfc— enable pool free checking.
ptg— enable pool tagging.
ptc— enable pool tail checking.
otl— maintain a list of objects for each type.
hpa— place heap allocations at ends of pages.
sls— Show Loader Snaps.
soe— Stop On Exception.
shg— Stop on Hung GUI.
idp— unused.
This command-line utility is employed to terminate one or more processes, using the process identification number (PID) to recognize them. See the Tlist.exe to view the tasks. The syntax for the Kill.exe utility is
kill [/f] {process_id | pattern}
The /f option forces termination.
KSetup is a command-line tool that configures Windows Server 2003 or Professional clients used by an MIT Kerberos server. The Windows .NET client employs a Kerberos realm (instead of a Windows Server 2003 domain), which establishes a single sign-on to the Key Distribution Center (KDC) and a local Windows Server 2003 client account.
The syntax for KSetup.exe is as follows:
ksetup [/SetRealm DnsDomainName] [/MapUser Principal Account] [/AddKdc RealmName KdcName] [/DelKdc RealmName KdcName] [/AddKpasswd Realmname KpasswdName] [/DelKpasswd Realmname KpasswdName] [/Server Servername] [/SetComputerPassword Password] [/Domain DomainName] [/ChangePassword OldPasswd NewPasswd][/?][/Help]
The command-line tool Ktpass.exe is a configuration utility that creates Kerberos keytab Ktpass files. It generates a mapping of password and account names for UNIX services that use Windows Server 2003 KDCs. Along with the Trustdom.exe utility, they establish Kerberos interoperability by creating a key shared by UNIX and Windows Server 2003 Kerberos services. The syntax for Ktpass.exe is
ktpass /out filename /princ username [/mapuser] [/in filename] [/crpyto type] [/ptype type] [/keyno keynum] [/?]
|
Option |
Description |
|---|---|
|
/AddKdc Realmname Kdcname |
Adds the Kpasswd server address for a realm. |
|
/ChangePassword OldPasswd NewPasswd |
Changes a logged-on user's password via Kpassword. |
|
/DelKdc RealmName KdcName |
Deletes instance(s) of the KDC address for the realm. |
|
/DelKpasswd Realmname KpasswdName |
Deletes the Kpasswd server address for a realm. |
|
/Domain DnsDomainName |
Uses the current domain if no domain name is set. |
|
/MapUser KerbName LocalName |
Maps the name of a Kerberos principal and an account (* = any/all). |
|
/SetComputerPassword Passwd |
Sets the local computer password. |
|
/SetRealm DnsDomainName |
Establishes/SetRealm DnsDomainName. |
|
/Server servername |
Sets the target Windows Server 2003 that will be changed. |
|
Option |
Description |
|---|---|
|
/crypto [DES-CBC-CRC | DES-CBC-MD5] |
Establishes the cryptographic type—DES-CBC-CRC is the default. |
|
/DesOnly |
Establishes the use of DES only. |
|
/in |
The keytab to digest or read. |
|
/kvno |
The key version number—the default is 1. |
|
/mapOp |
The mapping attribute—add: add value (default) or set: set value. |
|
/mapuser |
Maps the user of the Kerberos principal to a local account; this is done by default. |
|
/out |
Sets the name of the Krb5 keytable file. This keytable file is transferred to the UNIX system and then merged with (or replaces) the /etc/krb5/keytab. |
|
/pass |
Sets password for the principle. The wildcard * prompts for the password. |
|
/princ |
Inputs the principal name in the form user@REALM, for example, "example" or "host/unix.com". |
|
/ptype [KRB5_NT_PRINCIPAL | KRB5_NT_SRV_INST | KRB5_NT_SRV_HST] |
Specifies the principal type: KRB5_NT_PRINCIPAL for the general type and the name of the principal is recommended; KRB5_NT_SRV_INST for user service instance; or KRB5_NT_SRV_HST for host service instance. |
The Ldp.exe tool launches a graphical utility for performing LDAP (Lightweight Directory Access Protocol) functions. These functions include connect, bind, search, modify, add, and delete against any LDAP-compatible directory, such as the Active Directory.
The Memsnap.exe utility is used to capture information about the memory used by active processes. This data is dumped to a log. The syntax for KSetup.exe is as follows:
memsnap [-t] [-g] [-?] [logfile]
The -t option adds tags for Greenwich mean time (GMT), date, and computer name. The -g option adds GDI and USER resource counts.
The command-line MoveTree.exe interfaces with the Active Directory Object Manager (MoveTree) that allows the movement of Active Directory objects such as domains within a tree or organizational units. When organizational units are moved, the linked grouped policies remain intact. Universal groups are moved intact during a MoveTree.exe operation, whereas local and domain global groups are not moved at all with this utility. Other objects that can not be moved with movetree include
System objects that identified by the objectClass as systemOnly
Configuration or schema naming contexts objects
Special container objects in the domain including Builtin, ForeignSecurity Principal, System, and LostAndFound
Domain controllers
Objects with the same name as an object that exists in the target domain
The syntax for the MoveTree.exe utility is
movetree {/start | /startnocheck | /continue | /check} /s SrcDSA
/d DstDSA /sdn SrcDN /ddn DstDN [/u [Domain\]Username /p Password]
[/verbose] [{/? | /help}]
The Msinfo32.exe utility gathers system configuration data including hardware, software, and other system components. It is used to rapidly gather data necessary to resolve system conflicts or other problems.
|
Option |
Description |
|---|---|
|
/check |
Performs a test of MoveTree before actually moving any objects. The reports provide an opportunity to correct noted errors. |
|
/continue |
Continues to the move effort even after it is paused or a network failure occurs. |
|
/d Destination DSA |
Sets the fully qualified primary DNS name of the destination server. |
|
/ddn DestinationDN |
Sets the full distinguished name for the destination server subtree. |
|
/s SrcDSA |
Sets the DNS of the source server. |
|
/sdn SrcDN |
Sets the full distinguished name for the source server subtree. |
|
/start |
Starts the MoveTree operation with the /check option. |
|
/startnocheck |
Starts without the /check option. |
|
/u [Domain\]Username/p Password |
Launches MoveTree with the specified user and password account. |
|
/verbose |
Uses the verbose mode. |
|
Option |
Description |
|---|---|
|
/computer computername |
Establishes the computer to be analyzed. |
|
/categories +|-categoryname(s) |
Sets the category of data to be retrieved for the output report. |
|
/report filename |
Saves the report in the specified text file. |
|
/s filename |
Saves the report in a System Information file. |
The syntax for Msinfo32.exe is as follows:
msinfo32 [/?] [/report filename] [/s filename] [/info filename] [/computer computername] [/categories +|- category name(s)]
The Netdiag.exe command-line diagnostic tool identifies network connectivity problems and tests network client connectivity. Its syntax is
netdiag [/q] [/v] [/l] [/debug] [/d:DomainName] [/fix] [/DcAccountEnum] [/test:testname] [/skip:testname]
|
Option |
Description |
|---|---|
|
/d:DomainName |
Locates the specified domain. |
|
/debug |
Places in debug mode and outputs more data that even the verbose mode. |
|
/DcAccountEnum |
Enumerates domain controller accounts. |
|
/fix |
Fixes any identified minor problems automatically. |
|
/l |
Outputs results to the netdiag.log log file. |
|
/q |
Uses quiet mode and outputs errors only. |
|
/skip:TestName |
Skips the named test among those listed below:
|
|
/test:TestName |
Performs the specified test. The optional tests are the same as those listed in the /skip option. |
|
/v |
Outputs in verbose mode. |
The Netdom.exe command-line utility manages domains and trust relationships. It can be used to join Windows Server 2003 domains to either a Windows NT or Windows Server 2003 domain and to create one-way explicit trusts. Relationships can be viewed and displayed.
The syntax for the Netdom.exe utility is as follows:
netdom command object [/D:domain] [options]
NOTE
This command should be used only by the most knowledgeable system administrator. We recommend that you use the graphical Active Directory snap-in tools while gaining familiarity with Windows Server 2003 domains. The options available for this utility are expansive. If you use it, refer to the published information supplied for the Netdom Resource Kit Support Tool.
The Nltest.exe utility identifies domain controllers and trust relationships. It can also be used to force a shutdown and to synchronize Windows NT 4.0 user accounts. The syntax is as follows:
nltest [option] ...
The Pmon.exe tool launches the Process Monitor, which examines processes to identify problems like memory leaks. Chapter 2 has more information on process monitoring.
The Pviewer.exetool launches the Process Viewer. It is used to view processes and identify problems such as memory leaks. See Chapter 2 for more information on process monitoring.
The Repadmin.exe command-line utility permits the administrator to view the replication topology (also called RepsFrom and RepsTo) from each domain controller and can be used to manually create the replication topology. The syntax is as follows:
repadmin command arguments [/u:[domain\]user /pw:{password|*}]
|
Option |
Description |
|---|---|
|
/SERVER:ServerName |
Directs nltest to a specified remote computer. |
|
/QUERY |
Verifies the health of the named Servername domain controller. |
|
/REPL |
Forces a partial replication on the local system or the Servername. |
|
/SYNC |
Forces a full replication on the local system or the Servername. |
|
/SC_QUERY:DomainName |
Verifies the secure channel. |
|
/SC_RESET:DomainName |
Resets the secure channel between Windows 2003 computers. |
|
/DCLIST:DomainName |
Lists all domain controllers—Windows 2000/.NET, PDC, and BDC. |
|
/TRANSPORT_NOTIFY |
Notifies of a new transport. |
|
/USER:UserName |
Displays user account attributes. |
|
/LOGON_QUERY |
Outputs the cumulative number of logon attempts. |
|
/PARENTDOMAIN |
Identifies the parent domain. |
|
/BDC_QUERY:DomainName |
Identifies all domain BDCs and their current state of replication. |
|
/SHUTDOWN:Reason [Seconds] |
Shuts down in the specified time period. |
|
/SHUTDOWN_ABORT |
Aborts the shutdown command. |
Here command represents one of the commands listed in Table A.89, and arguments specifies the command's arguments.
The Replmon.exe utility launches the graphical Replication Monitor snap-in tool, which provides a view of Active Directory replication status and topology. It can also be used to force replication, as discussed in Chapter 6.
The Rsdiag.exe command-line utility is used to view diagnostic information about jobs, managed NTFS volumes, removable media, and other remote storage data (see Table A.90). The syntax is
rsdiag [/c jobname] [/d filetype fullpath&filename] [/e errorcode] [/i] [/j [jobname]] [/m] [/r [/f]] [/s] [/t] [/v [driveletter]] [/x queuedrecall] [/w fullpath&filename]
The Sdcheck.exe command-line tool outputs the security descriptor for any Active Directory object stored (see Table A.91). This descriptor contains the object's ACL.
|
Option |
Description |
|---|---|
|
/u:[domain\]user |
Sets an optional user as the administrator. |
|
/pw:{password|*} |
Sets the password for the alternative administrator set with the /u option. |
|
/sync name-context DestDC
|
Starts the replication with following options:
|
|
/showreps [Naming_Context] [DSA [SourceDCUUID]] [/verbose] [/unreplicated] [/nocache] |
Outputs the replication partners. |
|
/showmeta Object_DN [DSA] [/nocache] |
Shows the metadata for Active Directory objects. |
|
/? |
Outputs all optional commands. |
The syntax for Sdcheck.exe utility is as follows:
sdcheck Server Object [-dumpSD] [-dumpAll] [-debug] [[-domain: DomainName] - user: UserName -password: Password] [/?]
secedit /refreshpolicy has been replaced with gpupdate (see page 769).
Analyzes security settings comparing settings in the specified database with the systems current security settings. The results may be viewed in the Security Configuration and Analysis snap-in. The syntax is
secedit /analyze /db filename.sdb [/cfg filename] [/overwrite] [/log filename] [/quiet]
Configures local security policy settings by applying the stored database settings. The syntax is
secedit /configure /db filename [/cfg filename ] [/overwrite] [/areas area1 area2...] [/log filename] [/quiet]
|
Option |
Description |
|---|---|
|
/c jobname |
Cancels the specified job. |
|
/d filetype fullpath&filename |
Converts the database to a text file. The file type identifies the source file type from among the following (fullpath&filename must include the full path):
|
|
/i |
Identifies the version data. |
|
/j [jobname] |
Specifies the job to be output. If not specified, all jobs are output. |
|
/m |
Displays the volumes that can be managed. |
|
/s |
Outputs physical storage information. |
|
/t |
Loads the trace files. |
|
/v [driveletter] |
Displays extended information about the specified drive. |
|
Option |
Description |
|---|---|
|
-dumpSD |
Outputs the security descriptor of the specified object only. |
|
-dumpSD |
Outputs the security descriptor of the object and its parents. |
|
-domain: DomainName |
Specifies the domain for the object. |
|
-user: UserName |
Specifies a user other than the one currently logged on. |
|
-password: Password |
Identifies the password for the specified user. |
Export security settings stored in the database. The syntax is
secedit /export [/DB filename] [/tablename] [/CFG filename] [/areas area1 area2...] [/log filename] [/quiet]
Import a security template into the named database. The syntax is
secedit /import /db filename.sdb /cfg filename.inf [/overwrite] [/areas area1 area2...] [/log filename] [/quiet]
Validates security temple syntax. Enter
secedit /validate filename
Creates a rollback template with respect to a configuration template. When applying a configuration template to a computer, you have the option of creating rollback template which, when applied, resets the security settings to the values before the configuration template was applied. The syntax is
secedit /GenerateRollback /CFG filename.inf /RBK SecurityTemplatefilename.inf [/log Rollbackfilename.inf] [/quiet]
|
Option |
Qualifier |
Description |
|---|---|---|
|
/db |
filename |
Database used to perform the security configuration. |
|
/overwrite |
Filename |
Database is deleted prior to importing the security template. Without this parameter, security settings are accumulated into the database, giving priority to template settings where conflicts occur. |
|
/areas |
area1 area2 . . . |
Security setting areas to be applied to the system. If not specified, all security settings defined in the database are applied to the system. To configure multiple areas, separate each area by a space. The following areas are supported: SECURTY POLICY, GROUP_MGMT, USER_ RIGHTS, REGKEYS, FILESTORE, and SERVICES. |
|
/log |
filename |
File to log the status of the configuration process. The default file isscesrv.log is located in the %windir%\security\logs directory. |
|
/quiet |
Configuration takes place without prompting the user. |
|
|
/CFG |
filename |
Security template name. |
|
/RBK |
filename |
Rollback template name. |
The Sidwalk.exe command-line utility takes a mapping file as input and scans its ACLs in the Registry, file system, file and print shares, and local group membership. The mapping file can be used for Sidwalk conversion on multiple computers.
The syntax for this utility is as follows:
sidwalk profile_file [profile_file ...] [/t] [/f [path]] [/r] [/s] [/p] [/g] [/l file] [/?]
|
Option |
Description |
|---|---|
|
/l file |
Creates a converter file as named. |
|
/f [path] |
Scans all directories unless the path is set, then only the subtree directories are scanned. |
|
/g |
Scans local groups. |
|
/p |
Scans shared printers. |
|
/r |
Scans the Registry. |
|
/s |
Scan all shares. |
|
/t |
Performs a test or dry run. |
|
Option |
Description |
|---|---|
|
-m pattern |
Lists all processes with associated DLLs. |
|
-p processname |
Outputs the PID for the specified process. |
|
-s |
Outputs the services associated with a process. |
|
-t |
Outputs a process tree. |
The Snmputilg.exe utility invokes the graphical SNMP Utility Tool and is used in conjunction with the older SNMP Browser Tools (Snmputil.exe.) to manage SNMP network elements.
The Tlist.exe command-line utility lists currently executing processes (tasks) and outputs information such as the process identification number (PID) and process name. Its syntax is
tlist [pid] [pattern] [-m pattern] [-p processname] [-s] [-t]
|
|
|
| Top |