You'll need to customize some elements of the script to match your installation. Specifically, where the script shows tech.gulfcoast.edu, put the name of your domain. The script has all passwords set to "gccc," so have the user create the initial password and regularly change it.
We tested this script by building two domain controllers and a single user in a separate network that wasn't attached to the production environment. We recommend lifting the script as shown, building input for a single user and creating a test user account. That way, you'll know that all the parts--AD, the scripting engines and interfaces, and the script itself--work. You can then delete the test user and make your changes.
If your installation uses AD groups, they must be built before you add users. Code Box 2 shows how to create AD groups.
Once we had created and tested the entire script, it was time to make the input file. We wanted to develop a process that could be duplicated and run at a scheduled frequency. We first deployed the export function in the AD MMC (Microsoft Management Console) snap-in. Although we created several different files, none provided the range of data we needed, such as a list of all the workstations for a specific user. So we turned to the two command-line utilities in Windows 2000 server--LDIFDE (LDAP Data Interchange Format Data Exchange) and CSVDE (CSV Data Exchange).
LDIFDE is a utility program that can be used to import and export AD objects using LDIF-formatted files. It includes several command-line switches that direct the import or export operation. Although LDIFDE is intended to assist in the migration of data, with the right combination of switches we were able to use it as our backup facility (see "The Command-Line Syntax").
By using filters to choose Users or Groups and selecting or omitting attributes as needed, you can create a nearly complete backup file. In our case, the file we created using LDFIDE still requires regular review and minor changes to support the script (see Code Box 3).
The CSVDE utility, meanwhile, imports and exports data from AD using files that store data in the CSV format. This utility operates identically to LDIFDE. Applications such as Microsoft Excel can read and save data in the CSV format, which consists of one or more lines of data with each value separated by a comma. Only the first line contains the names of each attribute in the same order as the data in any line following it. We preferred the LDIFDE format where every field is identified.
Chances Are ...
If you think instituting an AD backup plan with separate backup and recovery for users and groups requires extra effort, you're right on. Creating input files for the two scripts we developed lets the installation recover them in the event of a catastrophic failure, such as the one we experienced. Since there's no way to know for sure the chances of a major loss in your directory implementation, try measuring the risk against the cost of rebuilding your AD from scratch. Then you can decide whether opting for the backup and recovery setup is worthwhile.
Dan Wohlbruck is assistant systems administrator and an adjunct instructor at Gulf Coast Community College in Panama City, Fla. Write to him at dwohlbruck@aol.com.
REPORTS
Analyize In-Line NAC strategies and products.
ANALYTICS Plan and design your enterprise blade server deployments
InformationWeek U.S. IT Salary Survey 2008
Salaries for business technology professionals are falling. Here's what you need to know in order to make good hiring decisions and personal career choices. Download Today
REPORTS
ANALYTICS
Follow 
