While it's true that Active Directory provides a number of easy, wizard-driven Graphical User Interface options to create objects and perform many common administrative tasks, to be a truly effective admin you'll often need to get away from the GUI and find a more efficient way to operate.
A common example among AD administrators I know goes like this: take two administrators, call them Admin A and Admin B, and give each of them the task of creating 1,000 Organizational Unit objects. Admin A launches into the Active Directory Users and Computers snap-in and right-clicks where she wants the OU to go. She clicks New → Organizational Unit, fills in the relevant information in the wizard, and poof! The first OU on the list is done, and now she's got another 999 to go. Not only is this time-consuming, but the odds are extremely good that she'll make at least one or two typos or create an OU in the wrong location.
Admin B, on the other hand, decides to head to the command-line. She creates a text file called ous.txt with the Distinguished Name (DN) of each OU on a separate line, like this:
…and so on.
Admin B then uses a simple for loop that cycles through the OUs in the text file and creates each one in turn (the "delims=" option stops for /f from breaking a line at the first space, so DNs such as OU=Human Resources,DC=example,DC=com are passed to dsadd whole), like this:
for /f "delims=" %i in (C:\ous.txt) do dsadd ou "%i"
While it may take a little extra time to format that ous.txt file appropriately and to proofread it for correctness, it'll more than pay off in the end when the process of actually creating those 1,000 OUs ends up taking less than a minute. Using a script for this process is also much less error-prone, since there's no chance that you'll mistype "Training" as "Tarining" because it's the twentieth time you've had to type it into the ADUC wizard and your eyes have gone crossed.
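The same bulk-creation job written in PowerShell, as an added example that is not code from the original article. It assumes the ActiveDirectory module (RSAT) is installed, that C:\ous.txt holds one OU distinguished name per line with parents listed before their children, and that the account running it has rights to create OUs. It adds the proofreading step the text recommends: malformed lines, missing parents and already-existing OUs are reported and skipped, and -WhatIf shows what would be created before anything is written to the directory.

```powershell
# Added example (not from the original article): bulk-create OUs from a file of DNs.
# Assumes the ActiveDirectory module and a file such as C:\ous.txt containing lines like
#   OU=Training,OU=Departments,DC=example,DC=com
# with parent OUs listed before their children.
Import-Module ActiveDirectory

function New-OUFromDNFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    $lines = Get-Content -Path $Path | Where-Object { $_.Trim() -ne '' }

    foreach ($line in $lines) {
        $dn = $line.Trim()

        # Each line must start with an OU RDN followed by its parent container.
        # (OU names containing an escaped comma, "\,", are not handled by this simple pattern.)
        if ($dn -notmatch '^OU=(?<name>[^,]+),(?<parent>.+)$') {
            Write-Warning "Skipping malformed line: $dn"
            continue
        }
        $name   = $Matches['name']
        $parent = $Matches['parent']

        # Proofreading step: never create an OU under a parent that does not exist.
        if (-not (Get-ADObject -Filter "distinguishedName -eq '$parent'" -ErrorAction SilentlyContinue)) {
            Write-Warning "Parent container not found for '$dn': $parent"
            continue
        }

        # Skip OUs that already exist so the script can be re-run safely.
        if (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'" -ErrorAction SilentlyContinue) {
            Write-Verbose "Already exists: $dn"
            continue
        }

        # ShouldProcess honours -WhatIf / -Confirm for the dry run.
        if ($PSCmdlet.ShouldProcess($dn, 'Create organizational unit')) {
            New-ADOrganizationalUnit -Name $name -Path $parent -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Dry run first to proofread the plan, then run it for real.
New-OUFromDNFile -Path 'C:\ous.txt' -WhatIf
# New-OUFromDNFile -Path 'C:\ous.txt'
```

Because the function checks each parent before creating a child, a misordered or mistyped line produces a warning naming the offending DN rather than an OU in the wrong place, which is exactly the error the wizard approach makes easy.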
What's that, you say? Still not convinced? You're only running a small AD deployment and the odds of you needing to create 1,000 OUs in a single go are quite slim indeed? Try this one on for size then.
You've been asked to deploy a software application to your clients that requires at least 512MB of RAM to run comfortably, and you need to know how many of your current workstations have less than this. So you open up ADUC, right-click on the domain and click Find. Hmm, seems the only options you can search for here are the computer name, role, description, and operating system version. Out of luck? Not by a long shot. You can use the Windows Management Instrumentation (WMI) to loop through the computers in your domain and grab the information you need. To obtain the total amount of memory installed on your local computer, for example, you'd use something like this:
' WMI flag constants; VBScript does not define these for you.
Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20
Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_LogicalMemoryConfiguration", "WQL", _
    wbemFlagReturnImmediately + wbemFlagForwardOnly)
For Each objItem In colItems
    WScript.Echo "Total Installed Memory: " & objItem.TotalPhysicalMemory
Next
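The domain-wide version of that check in PowerShell, as an added example that is not code from the original article. It assumes the ActiveDirectory module, that the workstations accept WMI/CIM connections from the admin machine, and that servers can be excluded by their operatingSystem attribute. It reads TotalPhysicalMemory (in bytes) from Win32_ComputerSystem, which is the current class for this value; Win32_LogicalMemoryConfiguration used above is deprecated. Unreachable machines are listed with the error instead of being dropped, since a workstation you cannot reach is itself a finding.

```powershell
# Added example (not from the original article): list domain workstations with less than 512 MB RAM.
# Assumes the ActiveDirectory module and CIM/WMI access to the workstations.
Import-Module ActiveDirectory

function Get-LowMemoryWorkstation {
    param(
        [int]    $MinimumMB  = 512,
        [string] $SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Enabled, non-server computer accounts only.
    $computers = Get-ADComputer -SearchBase $SearchBase -Filter {
        Enabled -eq $true -and OperatingSystem -notlike '*Server*'
    } -Properties OperatingSystem

    foreach ($c in $computers) {
        try {
            $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $c.Name -ErrorAction Stop
            $mb = [math]::Round($cs.TotalPhysicalMemory / 1MB)
            [pscustomobject]@{
                Computer = $c.Name
                MemoryMB = $mb
                BelowMin = ($mb -lt $MinimumMB)
                Error    = $null
            }
        }
        catch {
            # Offline or access-denied hosts are reported rather than silently skipped.
            [pscustomobject]@{
                Computer = $c.Name
                MemoryMB = $null
                BelowMin = $null
                Error    = $_.Exception.Message
            }
        }
    }
}

# Keep only the machines that need attention and write them to a CSV for the rollout plan.
Get-LowMemoryWorkstation -MinimumMB 512 |
    Where-Object { $_.BelowMin -or $_.Error } |
    Sort-Object Computer |
    Export-Csv -Path 'C:\low-memory-report.csv' -NoTypeInformation
```

Get-CimInstance uses WinRM by default; on older clients that only expose DCOM, swap in Get-WmiObject with the same class name and the rest of the script is unchanged.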
Now, before your eyes start to glaze over because there's just no way that you have time to learn something that looks so confusing, here's a secret: you can find ready-made scripts to do most of the things you need just by searching the Internet. To help you get started, there's the TechNet Script Center Repository, a plethora of free scripts to be found at Lissware.net, and an excellent collection of Active Directory-specific scripts from RallenHome.com. The Microsoft "Scripting Guys" who run the Microsoft site I just mentioned also host a number of webcasts each month to help you get started with administrative scripting.
While I know that we're all overworked administrators with not much time left in the day to pick up a new skill like VBScript or learn a host of new command-line utilities, I can promise you that the time you spend now to learn these useful tools will end up saving you hours spent doing the "point-and-click shuffle" in the long run. Scripting also lends itself quite well to automation: you can create a script to check for unused computer or user accounts on your domain once a quarter, or to parse your server event logs looking for red-flag error messages. The more you can automate tasks such as these, the better your network will run and the more time you can devote to more involved tasks (or maybe just going home at 5:30 to play with your kids or your dog once in a while!).
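The quarterly stale-account sweep mentioned above, as an added example that is not code from the original article. It assumes the ActiveDirectory module and a C:\Reports folder, and it only reports: the optional disable step at the end is left as a -WhatIf dry run so the CSV can be reviewed first. The 90-day window and the file location are choices made for the example, not values from the article.

```powershell
# Added example (not from the original article): report enabled user and computer accounts
# that have not logged on for a given number of days. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-StaleADAccount {
    [CmdletBinding()]
    param([int] $Days = 90)

    $span = New-TimeSpan -Days $Days

    # Search-ADAccount -AccountInactive evaluates lastLogonTimestamp, which replicates
    # between domain controllers (with a lag of up to about 14 days), so it is accurate
    # enough for a quarterly sweep without querying every DC.
    $users = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan $span |
        Where-Object { $_.Enabled }
    $computers = Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan $span |
        Where-Object { $_.Enabled }

    foreach ($a in @($users) + @($computers)) {
        [pscustomobject]@{
            Name          = $a.SamAccountName
            Type          = $a.ObjectClass
            LastLogonDate = $a.LastLogonDate
            DN            = $a.DistinguishedName
        }
    }
}

# One dated report per run; schedule this script with Task Scheduler for the quarterly check.
$report = "C:\Reports\stale-accounts-$(Get-Date -Format yyyy-MM-dd).csv"
Get-StaleADAccount -Days 90 |
    Sort-Object Type, LastLogonDate |
    Export-Csv -Path $report -NoTypeInformation

# Optional follow-up after reviewing the report: disable stale computer accounts (dry run).
Import-Csv -Path $report |
    Where-Object { $_.Type -eq 'computer' } |
    ForEach-Object { Disable-ADAccount -Identity $_.DN -WhatIf }
```

Unused accounts are a standing risk because nobody notices when they are used, so a report that lands in a mailbox or ticket queue every quarter is worth more than a one-off cleanup; the dated filename makes it easy to compare runs and spot accounts that keep reappearing.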
Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valuable Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (APress Publishing). You can contact her at firstname.lastname@example.org.
This was first published in January 2006