Several years ago, Microsoft bought Sysinternals and, well, “internalized” it. The good news is that many of the old tools are still available. The bad news is that you can’t even buy the old ERD Commander tools; they’ve morphed into part of the Microsoft Desktop Optimization Pack or MDOP, which is only available to Software Assurance customers.
For those of you who don’t already know about Sysinternals, I will introduce you to a few of the utilities that proved popular with server and Active Directory administrators. These are:
- AD Explorer
- AccessChk
- BGInfo
- Autoruns
- Disk2VHD
Tools for viewing and navigating the Active Directory database — which, as we know, isn’t really one monolithic database, any more than there is such a thing as one Windows Registry — have not been the most user-friendly utilities Microsoft ever designed. There’s LDP, formally the “Active Directory Administration Tool,” which is pretty much the picture of an uninformative interface, and there’s ADSI Edit, which is better, but it’s still almost as user-hostile as REGEDIT. To make matters worse, many Active Directory operations require NTDSUTIL, a command-line tool with as many levels as an M. C. Escher staircase. For something as important as managing AD, one would think that Microsoft could do better.
Microsoft’s prehistoric-feeling AD database utilities created a void in the marketplace that has been filled by a variety of third-party vendors with products that make Active Directory administration a task fit for humans.
However, many of these third-party tools cost fairly big bucks. The Sysinternals ADExplorer tool is more intuitive than LDP, ADSI Edit, and NTDSUTIL, and it has the virtue of being free. With AD Explorer, you can browse the database. Click on an object in the navigation pane at left and see its attributes populate the details pane at right. You can even copy the object’s attributes to the Windows clipboard, although the process is implemented a little bit strangely. Instead of right-clicking the object itself, you have to right-click one of its attributes, then choose Copy attributes from the context menu. All the attributes will be copied, not just the one you right-clicked.
If you want to see an object’s permissions, right-click the object, choose Properties, and click the Security tab. In the example shown, Domain Administrators have full rights to the Win7 Restricted Organizational Unit.
One of the handy things about AD Explorer is that it has back and forward buttons, much like a Web browser, which are useful as you navigate around the database. In another design touch borrowed from the world of browsers, you can create a “favorites” list of places in the database, which can be a nice timesaver and is something ADSI Edit doesn’t have.
Another nice advantage AD Explorer has over ADSI Edit is the ability to save, view, and even compare AD snapshots. This is normally an operation that requires the NTDSUTIL command-line tool, but AD Explorer makes it very easy.
With AD Explorer, you can also change attributes, delete objects, create new objects, and change permissions. This of course can be hugely dangerous. So, if you can perform a desired operation with one of the “normal” Active Directory tools — AD Users and Computers, AD Sites and Services, AD Domains and Trusts — then, in general, you should do so. These management consoles have some (not enough, but some) built-in safeguards to prevent you from doing something stupid. AD Explorer has virtually no such safeguards, and it’s possible to do Very Bad Things in AD Explorer if you’re not paying attention.
AccessChk does ICACLS one better in that it isn’t limited to displaying file system permissions. AccessChk can display Registry key permissions, local file permissions, network share permissions, process permissions — basically permissions for any securable object. This tool can also display “effective” permissions based on multiple group memberships.
AccessChk’s unique capabilities can be useful when you’re trying to accomplish a task on a system (such as installing software) and you don’t know whether the account you’re planning to use has the necessary user rights. Run AccessChk with full administrative rights for the most useful results. And if you don’t require permission information on processes, services, or user rights, the alternative tool AccessEnum (also in the Sysinternals Suite) is graphical and possibly more convenient.
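As an added example (not from the original article), here is a PowerShell wrapper around accesschk.exe that performs the pre-install check just described: does the planned account have write access to the install folder, its registry key and its service, and does it hold the logon-as-a-service right? The tool path, account, paths and service name are placeholders, and the output parsing assumes the two-character access column and the right-name lines that AccessChk prints.

```powershell
# Added example, not from the article. Assumes accesschk.exe at $AccessChk and
# placeholder account/paths/service names that you replace with your own.
$AccessChk = 'C:\Tools\SysinternalsSuite\accesschk.exe'

function Get-AccessChkRights {
    param(
        [Parameter(Mandatory)] [string] $Account,
        [Parameter(Mandatory)] [string] $Target,
        [ValidateSet('File', 'RegistryKey', 'Service')] [string] $Kind = 'File'
    )
    # -k = registry key, -c = Windows service; no switch = file or directory
    $argList = @('-accepteula', '-nobanner')
    switch ($Kind) {
        'RegistryKey' { $argList += '-k' }
        'Service'     { $argList += '-c' }
    }
    $argList += @($Account, $Target)
    # AccessChk prints one line per object: a two-character access column
    # ("RW", "R ", "W ", or blank for no access) followed by the object name.
    & $AccessChk @argList 2>$null | ForEach-Object {
        if ($_ -match '^(?<acc>[RW ]{2})\s(?<obj>.+)$') {
            [pscustomobject]@{
                Object = $Matches.obj
                Read   = $Matches.acc -match 'R'
                Write  = $Matches.acc -match 'W'
            }
        }
    }
}

function Get-AccessChkUserRights {
    param([Parameter(Mandatory)] [string] $Account)
    # -a with "*" lists every account right (SeServiceLogonRight etc.) the account holds
    & $AccessChk -accepteula -nobanner -a $Account '*' 2>$null |
        Where-Object { $_ -match '^\s*Se\w+$' } | ForEach-Object { $_.Trim() }
}

# What an installer typically needs (placeholder names): write access to the
# install folder and its registry key, and control of the service it registers.
$account = 'CONTOSO\svc-installer'
$checks = @(
    @{ Target = 'C:\Program Files\ExampleApp'; Kind = 'File' },
    @{ Target = 'HKLM\SOFTWARE\ExampleApp';    Kind = 'RegistryKey' },
    @{ Target = 'ExampleSvc';                  Kind = 'Service' }
)
foreach ($c in $checks) {
    Get-AccessChkRights -Account $account -Target $c.Target -Kind $c.Kind |
        Where-Object { -not $_.Write } |
        ForEach-Object { Write-Warning "$account lacks write access to $($_.Object)" }
}
if ((Get-AccessChkUserRights $account) -notcontains 'SeServiceLogonRight') {
    Write-Warning "$account cannot log on as a service"
}
```

Run it from an elevated prompt, as the article advises, so AccessChk can read every object’s security descriptor.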
BGInfo is a very handy utility for support technicians because it puts a lot of system configuration information right on the user’s wallpaper, where the user can read it off to a Help Desk troubleshooter. It’s also handy for IT professionals who have so many virtual machines whirling around that they sometimes forget what system they’re on and who they’re logged in as. (Of course that never happens to me. Yeah, right!)
There are 24 “canned” display fields in all, and you can even go beyond them and create custom fields, based on WMI queries (WMI, or Windows Management Instrumentation, is a repository of data about Windows systems that can be queried in much the same manner as a SQL database.)
When you get a configuration set up that you like, you can save it to a file (*.BGI). You can also specify that you’d like BGInfo to integrate with your existing wallpaper. All told, this is a very useful tool to have in your hip pocket.
The excellent Autoruns tool shows you every program that is set to automatically run in Windows. Doesn’t MSCONFIG already do that? Well, yes, but not as well as Autoruns.
- MSCONFIG doesn’t show you per-user autostart entry points. Autoruns does.
- You don’t need administrator privileges to invoke Autoruns (although you will need privileges to make changes).
- Autoruns lets you analyze a system that isn’t even running. You can boot to WinPE, for example, and display the autostart entries for your unbooted Windows hard drive.
It’s amazing how many programs and services start in a normal Windows environment — some of which are unnecessary, others of which might even be malicious. You can simplify things significantly by hiding the Windows entries, on the supposition that they’re more likely to be OK. You can right-click Registry entries and jump to REGEDIT.
This tool is great for server administrators but also for help desk technicians, troubleshooters, and security administrators as well. A little pruning of your autoruns, either by clearing the checkboxes next to undesired items or by deleting the entries altogether (which requires elevated permissions), might not be a bad idea. Also helpful is the ability to save results to a file. For example, you might “baseline” a normal, clean, healthy PC and then compare its Autoruns results with a system that is having problems.
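The baseline-and-compare workflow above, as an added PowerShell example that is not part of the original article. It assumes autorunsc.exe from Autoruns v13 or later, whose CSV output (with -h) has the columns "Entry Location", "Entry", "Image Path", "Signer" and "SHA-256"; the file paths are placeholders.

```powershell
# Added example, not from the article. Capture on each machine first (all
# categories, CSV, file hashes, signature check, Microsoft entries hidden):
#   autorunsc.exe -accepteula -nobanner -a * -c -h -s -m > C:\Baseline\autoruns-clean.csv
# Assumed column names follow the autorunsc CSV format; paths are placeholders.

function Import-Autoruns {
    param([Parameter(Mandatory)] [string] $Path)
    foreach ($row in Import-Csv -Path $Path) {
        # Key on location + entry + binary hash, so a swapped binary under a
        # familiar entry name shows up as a difference, not only brand-new entries.
        $row | Add-Member -NotePropertyName Key -PassThru -NotePropertyValue (
            '{0}|{1}|{2}' -f $row.'Entry Location', $row.Entry, $row.'SHA-256')
    }
}

function Compare-Autoruns {
    param(
        [Parameter(Mandatory)] [string] $BaselineCsv,
        [Parameter(Mandatory)] [string] $SuspectCsv
    )
    $known = @{}
    foreach ($b in Import-Autoruns $BaselineCsv) { $known[$b.Key] = $true }
    foreach ($s in Import-Autoruns $SuspectCsv) {
        if ($known.ContainsKey($s.Key)) { continue }
        [pscustomobject]@{
            Location   = $s.'Entry Location'
            Entry      = $s.Entry
            ImagePath  = $s.'Image Path'
            Signer     = $s.Signer
            # Autoruns prefixes signers it could validate with "(Verified)";
            # anything else is where to start looking on a problem machine.
            Unverified = $s.Signer -notlike '(Verified)*'
            SHA256     = $s.'SHA-256'
        }
    }
}

# Everything the problem PC autostarts that the clean baseline does not,
# unverified signers first.
Compare-Autoruns 'C:\Baseline\autoruns-clean.csv' 'C:\Cases\autoruns-pc42.csv' |
    Sort-Object -Property Unverified -Descending |
    Format-Table Location, Entry, ImagePath, Signer -AutoSize
```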
You’ve probably heard of “P-to-V” (or “P2V”) migrations — Physical to Virtual. If you’re looking at migrating some of your servers to virtual, it’s often easier to do a P-to-V migration than to go through a backup/restore cycle. However, among the various tools that are available, not all are free and not all can capture a live, running system. Disk2VHD can. It can also save your shiny new VHD file to the same volume you’re capturing.
The Disk2VHD user interface is about as clean as it gets. Select the volumes you want, and click Create. Files that don’t need to be copied (page file, hibernation file) aren’t. If you are a System Center licensee, then you will probably want to use System Center Virtual Machine Manager (SCVMM) for P-to-V migrations, but if not, Disk2VHD is nice to have. Just realize that you’ll probably have some device updating to do, considering that the old drivers for your physical hardware won’t be optimal for the virtual environment. Remember, too, that you’ll have to install the integration components.
If you haven’t looked at the Sysinternals tools — ever or lately — I recommend doing so. Some are more useful than others of course, but I guarantee at least a handful that you will find helpful. Get the whole collection by downloading the “Sysinternals Suite” or pick and choose just the ones you want to try. You can run most of the tools directly. And to get the most out of these utilities, check out the 2011 book, Windows Sysinternals Administrator’s Reference, from Microsoft Press. You can also visit the Sysinternals blog site.