José Active Directory Documentation 3.1

José greets!

What it is: José is a small HTML- and script-based tool for documenting the objects in Active Directory. It reads the directory and generates an HTML file that displays information about OUs, users, groups, computers, policies, etc.

 

What it is not: José generates no dynamic pages, i.e. it is not possible to expand or collapse the displayed folder structure afterwards, or anything similar.

And: José only reads the AD and does not change it. It therefore requires no write permission in the AD and can be run with normal user rights (although missing permissions may mean that José cannot read a lot). José is therefore 'safe' for Active Directory.

 

But caution: José is designed for manageable environments. Because the queries that José uses are not very optimized, large environments may see long waiting times and possibly higher network load. In addition, the generated report should not be too large, because displaying it in the browser can otherwise be problematic. Environments with several thousand objects have nevertheless been documented successfully. Anyone who manages very large environments should always limit reports to a particular level or a specific object class and work with several partial reports.

 

New code since version 3.0

In version 3.0, Ansgar Wiechers rebuilt the script code of JoseExec.vbs from scratch. The code is now easier to maintain and extend. However, this has also changed the way the script works, so that it takes more time in many cases. We believe this is well justified.

Starting with version 3.0, José outputs the description (description) of objects only optionally. This option is, however, selected by default. You find it in jose.hta at the top left among the general options. In the definition file, the entry "description" in the section [common] controls this behavior; if it is missing, José outputs no descriptions.

Usage

Since version 2.0, José has two modes of operation:

1.   Interactive operation with GUI

2.   Script-driven operation via command line

For this reason, José now consists of two executable files: Jose.hta and JoseExec.vbs. Anyone who wants to work as before simply continues to use only Jose.hta.

Interactive mode: Jose.hta

José is started by double-clicking "jose.hta". A form opens in which you can configure the report to be produced. Each section relates to a different object class of Active Directory (user accounts, groups, etc.). The following always applies: the topmost entry of a list, printed in bold, specifies whether the associated class is displayed at all. This way you control which object classes appear in the report. If a class is not displayed, its individual attributes are ignored automatically.

 

The LDAP names of the attributes that can be switched on or off are displayed in a small info window when you hover the mouse pointer over the box. When José starts, a standard set of attributes is selected that results in an interesting report in most cases. You can restore this default selection yourself with the button "Default selection". (The buttons "all properties" and "no properties" should be self-explanatory.)

 

When you turn off "OU structure and objects", José does not walk through the folders and OUs. This is useful for reports that should output only the domain data or only the GPO list.

Filters

Since version 2.0, the Active Directory structure is no longer read automatically at startup. This had proven to be an obstacle in large environments. You can now enter a level filter at the top in the field "Issue from OU" in LDAP notation, for example OU=IT,OU=Germany,DC=faq-o-matic,DC=net. If you would rather make the selection with the mouse, click the button "Show OUs" next to the input box. José then displays the AD structure with radio buttons in the left pane (note: in a very complex environment this can take a moment!). Select an OU or folder, and its LDAP name is entered in the filter field. In this way you can limit the output of objects to the selected OU or folder (and its children). Unless the output is limited to a certain level, a note will appear in the report.

Miscellaneous

Caution with group memberships: selecting "Group memberships" under "User accounts" or "Members" under "Groups" may lead to a rather lengthy processing time.

 

When you select "Group policy", only the names of the policies are displayed, but not the settings made within the policies. This information can (currently) not be read by script. For this we recommend the scripts of the Group Policy Management Console (GPMC), in particular "GetReportsForAllGPOs.wsf".

 

José can in principle read the Terminal Server settings (TS profile and TS home) in two ways (ADSI access to "userParameters" and the new "msTS*" LDAP fields available since Windows Server 2008); however, only the first variant works, because the fields introduced in Windows Server 2008 are not yet implemented in the AD.

Run Report

In the "Report Name" field, you can specify a title for the generated report. Together with the options "Show legend", "Show object name instead of the LDAP name (in the case of group memberships)" and "Properties in slang", this makes the documentation suitable for non-techies.

Under "Report file name" you can specify a file name for the report: only the name, not the path (José adds the suffix ".htm" itself if needed). If the field is blank, José creates a name itself. Note: if the selected file name is already taken, José overwrites the existing report.

 

Clicking the button "Document now!" starts the documentation. A black CMD window opens, which must not be closed! It may now take quite a few minutes during which the window looks as if nothing were happening. Just be patient! After the report has been generated, information and any error messages appear below under "Status". Once the documentation is ready, a small "OK" box is shown, and a link to the generated HTML file appears in the notification area.

 

Alternatively or in addition, you can save the current settings as a definition file in order to run the same kind of report with JoseExec.vbs. To do this, press the button "Save report definition". José then asks for a name for the definition file, which you can choose freely (specified without a path, only the file name!). The definition files are located in the subfolder /definition.

 

Automated mode: JoseExec.vbs

Anyone who wants to automate José or run it with an existing report definition can do so with the additional script "JoseExec.vbs". JoseExec.vbs takes the definition of the report from a definition file in the folder /definition. The script is called with "cscript.exe" in a CMD window (or batch file) and has several command line options:

 

cscript JoseExec /d:<Definition> [/r:<Report>] [/t:<Titel>] [/f:<Filter>]

 

 

The parameter "/d" is mandatory. If it is specified incorrectly (or when called with /?), JoseExec.vbs displays an overview of the syntax.

 

It is advisable to enclose all values in quotation marks (mandatory as soon as they contain spaces).

 

Example:

cscript JoseExec /d:"DomainData.txt" /r:"MyDomainData.htm" /t:"Meine Domäne" /f:"OU=IT,OU=Germany,DC=domain,DC=tld"

To create a debug log, append the parameter /debug to the command line. It then makes sense to redirect the output of the command to a text file.

 

Example:

cscript JoseExec /d:"DomainData.txt" /r:"MyDomainData.htm" /debug > C:\Daten\josedebug.txt

The definition file format

The definition file is a simple text file with a fairly simple structure. Here is an example:

 
; --------------------------------------------
; José definition file AD-Definition-Beispiel.txt
; Created: 10.03.2010 06:44:20
; by: FAQ-O-MATIC\Nils
; with: José AD Documentation 3.0
; Download at http://www.faq-o-matic.net
; --------------------------------------------
[Meta]
ReportName=Active Directory
ReportFileName=AD-Doku 15.09.2008 16-27-08.htm
ObjectFilter=
ShowSymbols
ShowNaturalName
ShowFriendlyName
[Common]
fsmo
trust
folder
OU
gpo
number
Modify
[Printer]
serverName
printShareName
[Group]
[Contact]
[User]
samAccountName
userPrincipalName
profilePath
homeDirectory
homeDrive
scriptPath

Lines that begin with ; are comments. They are ignored. Note: comments must be on their own lines and cannot be appended to existing lines.

 

Each section begins with a label in square brackets. Currently, José knows the labels [meta], [common], [printer], [group], [contact] and [user]. Except for meta and common, they stand for the object classes that José documents.

 

In the section [meta], José stores the report options. The name of the report, the report file name and the level filter can be overridden with the command line parameters /r, /t or /f of JoseExec.vbs; as soon as one of them appears in the command, JoseExec no longer evaluates the respective entry in the definition file.

 

In the section [common], José lists the active options that appear at the top left of the graphical window.

 

The other sections are simple: if a section for an object class appears, this object class (e.g. user) is documented in the report at least by name. The attributes to be taken into account follow under the label.

Extending reports

The architecture of JoseExec.vbs makes it possible to extend reports with new attributes or to edit existing definition files. This is done using a simple text editor. To remove an attribute from a definition, simply delete it. To include a new attribute, just add the attribute name to the desired class (such as employeeID). This is suitable only for text attributes. José can deal with multivalued attributes. Binary attributes are problematic because they are not easily accessible by script.

José has built-in support for the following attributes; they are accessible only by extending the definition file:

 

An example of an extended file:

 
; --------------------------------------------
; José definition file AD-Definition-Beispiel.txt
; Created: 10.03.2010 06:44:20
; by: FAQ-O-MATIC\Nils
; with: José AD Documentation 3.0
; Download at http://www.faq-o-matic.net
; --------------------------------------------
[Meta]
ReportName=Active Directory
ReportFileName=AD-Doku-Beispiel.htm
ObjectFilter=
ShowSymbols
ShowNaturalName
ShowFriendlyName
[Common]
fsmo
trust
folder
OU
gpo
number
Modify
description
[User]
samAccountName
userPrincipalName
; from here on: added manually
distinguishedName
logonHours
pwdLastSet
lastLogonTimestamp
employeeID

The parser for the definition file is quite robust. The order of the sections does not matter, and blank lines do no harm. Attributes that do not exist are simply ignored. Case does not matter.
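The rules above (comment lines, section labels, case-insensitivity, command line switches overriding [Meta]) can be checked with a small reader before a definition file goes into a scheduled JoseExec run, for example to review which attributes a report will expose. This is an added example in Python, not José's own VBScript parser; the function names, the handling of lines before the first label and the mapping of /t, /r and /f to the [Meta] entries (inferred from the example call above) are assumptions.

```python
SAMPLE = """\
; constructed sample, modelled on the example files on this page
[Meta]
ReportName=Active Directory
ReportFileName=AD-Doku-Beispiel.htm
ObjectFilter=
ShowSymbols

[USER]
samAccountName
; comments sit on their own line
employeeID
[common]
description
"""

# Assumption: switch-to-entry mapping inferred from the example call on this page.
OVERRIDES = {"t": "reportname", "r": "reportfilename", "f": "objectfilter"}

def parse_definition(text):
    """Return {section: {entry: value or True}}, all names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None:              # assumption: entries before any label are dropped
            key, sep, value = line.partition("=")
            current[key.strip().lower()] = value.strip() if sep else True
    return sections

def effective_meta(sections, switches):
    """Apply /r, /t, /f: a switch given on the command line wins over [Meta]."""
    meta = dict(sections.get("meta", {}))
    for switch, value in switches.items():
        meta[OVERRIDES[switch.lower()]] = value
    return meta

def documented_attributes(sections):
    """Object classes that will appear in the report, with their attributes."""
    return {name: sorted(entries) for name, entries in sections.items()
            if name not in ("meta", "common")}

if __name__ == "__main__":
    parsed = parse_definition(SAMPLE)
    print(documented_attributes(parsed))
    print(effective_meta(parsed, {"f": "OU=IT,OU=Germany,DC=domain,DC=tld"}))
```

An object class whose section is present but empty is returned with an empty attribute list, matching the rule that such a class is still documented by name.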

Reports

The generated HTML files are stored exclusively in the reports folder (empty it from time to time), which is created on demand. Anyone who wants to share these generated files or save them elsewhere has several options:

 

Standard reports

In the José main directory there is a file "Standard Reports.bat". It automatically runs four predefined AD reports, which put together useful information for many diagnostic purposes. It generates the file names automatically by inserting the NetBIOS name of the domain as well as a random number. This way you can run the standard reports repeatedly without losing previous data. To run it, all you need is a double click on "Standard Reports.bat", and some patience.

 

Note on account attributes

When evaluating various objects or attributes, permission problems may occur. These cause information about disabled, locked or expiring accounts, but also other information, to be represented incorrectly.

To get reliable information about these objects and attributes, run José or JoseExec with an account that has full read permission on the relevant attributes (such as a domain administrator account). Under Windows Vista/Windows 7 and Windows Server 2008 R2 you should start José or JoseExec from a command prompt that you have explicitly started as an administrator.

(See this article for more information on the features of Vista to Windows Server 2008 R2.)

If such a problem occurs, you can have details of the non-readable objects output, either via "Extended permission notice" at the top right or by entering the switch "permission" in the section [common] of the definition file. This information is no guarantee, however, because José performs no further checks on why it could not read data.

 

Free distribution of the program is allowed. Changing the source code is also allowed. However, the authors of this program provide no warranty or support!


© 2002-2011 Nils Kaczenski, Nils Weinhold and Ansgar Wiechers - Free sharing allowed, no guarantee!