The ribbon at the top of the interface can be expanded or collapsed by clicking on the collapse arrow, by using the keyboard shortcut Ctrl and F1, or by double-clicking on the currently selected tab.
When collapsed, the ribbon will only show the tab names, and will display in full temporarily after clicking on a tab name until you select a ribbon item or move the focus back to the main interface.
If your ribbon bar has disappeared completely (not even the tab names are visible), you'll need to reset your interface back to its default settings. This can be done by either reinstalling the program, or by deleting the following registry key (and subkeys):
HKEY_CURRENT_USER\Software\Javelina Software\ADHQ Lite\BCGWorkspace
Common Properties are special names that map to Active Directory attributes, and are usually displayed when the corresponding attribute name is not necessarily obvious. For example, as you might expect, the Common Property First Name maps to the attribute givenName. Some other attributes, like userAccountControl, are bitfield attributes which contain multiple settings. For these attributes, we've created Common Properties that help expose these individual settings, making it easier to set them. The Disabled Common Property, which reflects one of the userAccountControl bits, is an example of this type of Common Property.
The following table contains a list of the most common Common Properties, along with the attributes they map to, if any. Common Properties that differ only in capitalization or spacing from the corresponding attribute have been excluded.
|Common Property||LDAP Attribute||Notes|
|Canonical Name||The Canonical Name is a reformatting of the Distinguished Name. For example,
|Container||The container common property retrieves the Distinguished Name of the parent object in Active Directory.|
|Home Folder Drive||homeDrive|
|Home Folder Path||homeDirectory|
|Password||This property can be used in Import Files to set the user's password.|
|Street||streetAddress||Note that this common property does not map to the attribute "street". See What's the difference between "Street"...?|
Some attributes in Active Directory refer to other Active Directory objects. Attributes of these referenced objects are known as Child Attributes in ADHQ Lite. Child attributes can be used to filter items in collections.
For example, the Member Names property of a group contains the Distinguished Name of all of the group's members. If we wanted to filter on the members' email addresses, we can do that by first selecting the Member Names property to retrieve the group's members, then selecting the "Child attribute" Email Address as shown in the image below:
You'll notice a field called Object Type in the screenshot above. This field allows us to choose which set of attributes we want to see in the lists below. For instance, say we want to create a report showing the direct members of all of the groups in the directory, and in the case where the group member is another group, show that group's member count. Like in the screenshot above, we'd select Member Names as the base attribute, but when we try to select the "Member Count" child attribute, it isn't in the list because "Member Count" is not a valid attribute for User objects. Change the Object Type to "Group", and ADHQ Lite will now give the option to show the member's "Member Count" property. This "Member Count" child attribute will simply return nothing when run against one of the group members that isn't also a group.
Many fields within ADHQ Lite can take values which reference other fields. These special fields are called Template fields, and you'll be able to recognize them by the stylized 'T' icon to the right of the field.
Clicking on the Template icon will display a list of suggested templates for this field. Select one of these if they meet your needs, or select "Custom Template" to launch the Template Editor, which can help you design your own template.
The Template Editor contains a template field like the one in the tool, as well as a row of buttons above that are used to modify parameters within the template. Use the Add button to insert a new parameter into the template at the cursor position with the Add a Parameter dialog, and the Edit and Delete buttons to modify or remove the selected parameter.
When adding or editing a parameter, use the grid at the top of the Add/Edit Parameter dialog to select a Common Property or Active Directory attribute to include within the template. The bottom half of the dialog contains display options for the parameter. These depend on the specific attribute selected, but typically include length and formatting options.
As you grow more comfortable with templates, you can bypass using the Template Editor and instead enter your template directly into the field. When manually entering a template, type a percent sign
% to begin inserting a parameter and you'll be prompted with a list to choose from. After typing the parameter name and before the closing percent sign, you can type a colon
: to show a list of formatting options available for the parameter, as shown below.
Some template fields can contain multiple templates, in the event that the first template resolves to a value that already exists in your domain. We call this feature "Backup Templates", and it is accessed by clicking on the field's Template icon and choosing Modify Backup Templates.
Selecting this option will launch a special version of the Template Editor dialog that allows you to enter multiple templates. Use the Add button to insert a new template by either selecting a suggested template or creating a custom one. The Copy button will create a duplicate of the selected template and add it to the end of the list. And, as you might expect, the Modify and Delete buttons can be used to edit or remove the selected template. Templates can be reordered with the Move Up and Move Down buttons.
The templates listed here will be resolved in order to find a possible value for the field. If the primary template is already in use in your domain, the tool will try to use the first backup. If that is also in use, the second backup will be used, etc. If none of the templates provided here resolve to a unique value, the value will not be set. If you were attempting to create a new user account with a unique Netbios Name, for example, this failure would result in an error, allowing you to address the issue by manually picking a name for the user.
%AddDigits%parameter in your last backup, which will cause the tool to continuously add digits to the template until it finds a unique value. An example of this is shown in the screenshot above, where the tool is configured to try up to 3 characters of the user's First Name, before giving up and just adding digits to the end.
%FormatText%parameter? It always shows up blank for me.
Most template parameters are simply reflections of AD Attributes or Common Properties. But
%FormatText% works slightly differently in that it has no resolved value. Instead, when added to a template, this parameter affects how the entire template is displayed.
The following table contains a list of the
%FormatText% parameter options, along with a description of what they do and an example of how their use would affect the template text, assuming the initial value was TeMpLåTe TeXt.
|Convert text to...||Changes the case of the template text. "Sentence case" will capitalize the first word, and "Title Case" will capitalize every word.||"Title Case" will change TeMpLåTe TeXt into Templåte Text.|
|Remove white space||Removes any instances of spaces or tabs from the template text.||Changes TeMpLåTe TeXt into TeMpLåTeTeXt.|
|Replace non-ASCII characters||Replaces non-ASCII characters with their ASCII equivalents.||Changes TeMpLåTe TeXt into TeMpLaTe TeXt.|
|Remove these characters||Removes all instances of any characters in the specified list of characters from the template text.||Removing "eL" will change TeMpLåTe TeXt into Tmpåt Txt.|
|Maximum Length||Trims the template text if it exceeds the specified number of characters.||Max length of 11 will change TeMpLåTe TeXt into TeMpLåTe Te.|
|Minimum Length||Pads out the template text to ensure it reaches the specified length. Uses the settings in the following options.||Padding TeMpLåTe TeXt to 15 characters with plus signs from the left will result in ++TeMpLåTe TeXt.|
|Pad character||Use the specified character to reach the minimum length when padding is needed.||See Minimum Length.|
|Pad on the...||Specify whether to pad on the left or right side of the template text.||See Minimum Length.|
ADHQ Lite provides the ability to create Office 365 accounts for accounts on your local network. It can also add or remove licenses, or modify the existing licenses assigned to a user. With respect to information gathering, ADHQ Lite can report on several Office 365 attributes for your users including Last Sync Time, Office 365 Logon Name, Sign-In Blocked, Licenses, and Usage Locations. See the complete list of Office 365 attributes that can be reported on by adding a new column to a report. The Office 365 Common Properties have names starting with "Office 365".
Simply assign a license for the Exchange Online service plan when creating a user, as shown in the screenshot below.
In hybrid environments, if you want to manage the user's mailbox from your local Exchange Admin Center, you'll need to check the option to create an Exchange Remote Mailbox in the Mail operation group. Without this option selected, the user's Office 365 mailbox will not be displayed in the Exchange Admin Center and will have to be managed exclusively through the Office 365 web interface.
In its default configuration, Azure AD Connect will synchronize the Disabled state of local accounts with the Block Sign-In flag for Office 365 accounts. To disable a user, check the "Account is disabled" checkbox in the Security operation group. This setting will be reflected in your Office 365 environment after the next automatic sync (by default, every 30 minutes).
The ability to modify the Office 365 licenses is controlled by whether we can locate a corresponding user in the Office 365 environment. ADHQ Lite attempts to find the user with the following techniques:
If we can't retrieve these attributes, or if we can't find a user with a corresponding userID or userPrincipalName, you will not have the ability to modify Office 365 settings for the selected user. If your local domain name is not a valid domain in your Office 365 environment, or if you use a different format for your Office 365 Logon Names, you can specify a custom template on the Office 365 page of the Options dialog.
ADHQ Lite accepts CSV (comma separated value) files and TXT files as input into any of the Import tools. In the Import Wizard, ADHQ Lite allows you to specify whether the file uses commas, asterisks, colons, semicolons, or a custom character string as the delimiter between fields. The image below shows a standard CSV file, which could be used to create new user accounts with the Import New Users tool. Click this link to download the sample file.
ADHQ Lite will normally overwrite the existing value(s) of any attribute in your import files while setting the new value. If you want to retain part of the existing value, ADHQ Lite provides several special character sequences that you can use within import files to instruct the program to modify the fields in specific ways. The following table contains a list of these special prefixes, and contains links to example files where you can see them in use.
|<null>||Remove an attribute.||This import file will remove the Description attribute from the user John Doe.
Sample Import File
|<+>||Append text to the existing value of an attribute.||This import file will change the user's First Name from
Sample Import File
|<*>||Add value(s) to a multi-valued attribute.||This import file will new proxyAddresses of
Sample Import File
|<->||Remove value(s) from a multi-valued attribute.||This import file will remove the user John Doe from the group
Sample Import File
If you want to do something more complicated with the old value of an attribute, ADHQ Lite also supports using templates within imported values. The following link leads to an example import file, which will change a user's description from
Sample Import File
In addition to Active Directory attributes, the Import Wizard allows you to map columns to Common Properties. Common Properties are aliases we've created that map to Active Directory attributes, and are usually displayed when the corresponding attribute name is not necessarily obvious. See What is a Common Property? for more information.
Although we've made an effort to ensure that most Common Property names are straightforward, the "Street" Common Property is a little unusual. It does not map to the street Active Directory attribute as you might expect it to, but rather to the streetAddress attribute. This was done to better mimic Microsoft's user interfaces, which often refer to the field as "Street", even though they are setting the "streetAddress" attribute behind the scenes. This decision had the unfortunate side effect of creating confusion with the Active Directory attribute "street", which is also a valid attribute for User objects, though it is not regularly used.
To make a long description short, if you want to set the "Street" field as it appears in property sheets in Active Directory Users and Computers, use "Street" (uppercase) or "streetAddress". If you want to set the rarely-used attribute "street", map your column to "street" (lowercase).
ADHQ Lite filters are used throughout the program to limit the objects within a particular scope. You'll see them as part of collections and reports, as well as when setting up Search & Replace operations and Security Tools.
Filters consist of a set of conditions, which are grouped into Match All or Match Any groups to provide support for complex queries.
Above the filter field, there is a row of buttons. These buttons are used to modify the filter by adding conditions or groups, modifying filter items, deleting items, or shifting them around. Below is a description of each of the buttons and their purpose:
|Add Condition||Add a condition to the selected Match Any or Match All.|
|Add Match Any Group||Add a nested Match Any group to the currently selected group. This button will add the new nested group and launch the Add Condition dialog to add a condition to the newly created group.|
|Add Match All Group||Add a nested Match All group to the currently selected group. This button will add the new nested group and launch the Add Condition dialog to add a condition to the newly created group.|
|Edit||If a condition is selected, the Edit button will launch the Modify Condition dialog to edit it. If a group is selected, the Edit button will ask if you'd like to change the group's type between Match All and Match Any.|
|Delete||Removes the currently selected condition or group from the filter.|
|Move Up||Moves the selected item up within its parent Match All or Match Any group.|
|Move Down||Moves the selected item down within its parent Match All or Match Any group.|
Sure. ADHQ Lite filters are very powerful, but unfortunately there's always a trade-off between power and complexity. It can be helpful to sit down ahead of time and figure out the exact conditions you're trying to match, and how those conditions are linked together.
Match Any groups are used when an object only has to match one condition from a group in order to pass the test. The default Inactive Users filter is a good example of a Match Any group. When trying to match a user against this filter, the first thing we do is look at the Disabled state of the user. If the user is Disabled, the Match Any group is immediately satisfied, and we don't need to look at any of the other conditions.
Match All groups are used when an object has to match all of the conditions from a group in order to pass the test. In the filter above, we are matching on Users named Joe in the state of California. If we had used a Match Any group here instead, the filter would have picked up everyone in California, as well as all the Joes from other states. But that's not what we want; we want only the Joes in California. Therefore, we use Match All.
If you were paying attention to the last 2 examples, this one should be pretty straightforward. Like Example 2, it will show all of the Joes in California. But there's a new item at the bottom of the Match All group, a Match Any group. This Match Any group is the same as the group in Example 1, which shows Inactive Users. So, this filter shows the inactive users named Joe in California.
If a user fails to meet any of the 3 items under the Match All group, he will not match. That is, if the user is not named Joe, or if the user is not in California, or if the User is not Inactive (aka "if the User is Active").
What if I switch the groups around?
Interesting question. This new filter will match users named Joe, and users in California, and users that meet all 5 conditions in the Match All group. If you look closely however, you'll see that it's not possible to meet all 5 conditions in the Match All group, because that would require the user's Last Logon attribute to be empty and equal to 0 at the same time. So, we can ignore the entire Match All group. That means the filter will simply match all users named Joe, and all users in California.
Yes, absolutely. This is the intended purpose of the Attributes tab of the Tab View. For instance, if you wanted to see the attributes of the user Joe Manager in your domain.net\Test Users OU, you would perform the following steps:
Once you've performed those steps, you should see in the Attributes List, a list of Joe Manager's attributes.
The Configuration and Schema containers are top-level sub-trees shown in the Active Directory Tree pane on the left side of the ADHQ Lite Home View.
The Configuration sub-tree stores configuration objects for the entire forest in cn=configuration,dc=forestRootDomain. Configuration objects store information about sites, services, and directory partitions. Likewise, the Schema sub-tree stores class and attribute definitions for all existing and possible Active Directory objects in cn=configuration,dc=forestRootDomain.
You can remove these folders from the tree in the Options dialog. To do so, select Options from the file menu, and navigate to the Directory page. From there, you can show or hide these folders as well as the deleted objects folder.
Yep! This is accomplished on the Home Tab by clicking within the Child Objects pane and then using the Export to File button in the View panel of the ribbon.
You can also use this button to export the attributes of the currently selected object by first switching to the Attributes tab at the bottom of the Tab View.
Using collections to modify multiple AD objects at once has a couple of benefits over selecting the objects in the Home tab:
The upper part of the Collection Pane shows the locations or items that make up the collection.
Use the Select button to add a location to the grid. You can add individual objects, or add every object in a container by adding the container to the scope. To add individual objects defined in a file, click the down arrow on the Select button and choose Import From File. The Set a Import File option will not automatically import objects into the grid, but rather the file will be read at the time the collection is used. You can adjust the level of each container you add to the collection by selecting the item and using the Level button to switch between Entire Subtree, This Object and Its Children, or This Object Only.
|Entire Subtree||All objects in the container's sub-tree will be added to the collection.|
|This Object and Its Children||This object and its immediate children will be added to the collection.|
|This Object Only||This object will be added to the collection.|
In the example image above, we are setting up the a collection to show Inactive Users. For this collection, we care about the objects in 2 containers:
Javelina Software\Engineering and
Javelina Software\Sales. Any users found within the
Javelina Software\Engineering\Maryland container will appear in the collection, because the scope level for the Engineering container is set to Entire Subtree. On the other hand, users found within the
Javelina Software\Sales\Maryland container will not appear in the collection because the Sales container is only set to a scope level of This Object and Its Children.
Yep! This is the purpose of the Collection Filter, found below the location list in the Collection Pane.
The Filter pane is used to specify a series of conditions that must be met in order for the object to match. These conditions are grouped into Match All or Match Any groups to provide support for complex queries. For more information about creating filters, see How do I create a filter?
Of course, you can rename a collection by right-clicking on the collection in the collection tree and selecting rename. Alternatively, clicking on a previously selected collection will launch an in-place editor that you can use to change the collection's name. Locked collections (those that have a icon next to their name) cannot be renamed.
You can view the objects within your collection with the Collection Preview button, located in the ribbon.
Previewing a collection will launch a report showing all the objects located in the location list and that match the collection filter. Use the report output to verify the collection matches the objects you need. You may also save or email the list directly from the output screen.
Now you can run ADHQ Lite tools on your collection of objects using the tool menus in the ribbon.
The tool menus in the Collections tab are the same as the corresponding menus from the Home tab, with the Add, Properties, and Import menus missing, since these tools cannot be run on a collection of objects. To modify the Custom Tools menu, use the Edit Custom Tools Menu dialog on the Custom Tools view ribbon.
Scheduled Tasks in ADHQ Lite are more robust compared to their equivalent in previous versions of our software. Whereas in prior versions, a scheduled task could be linked to only one tool, tasks in ADHQ Lite can run multiple tools or reports.
Furthermore, you can add actions to a task outside of running an ADHQ Lite tool or report. These actions, available from the button, include things like running an external program or sending an email. For more information about these kinds of actions, see Task Action Dialog.
Click the button to the right of the Output field in the Task Settings to modify the output settings for the task. This dialog will provide settings for saving the task output to a file or sending an email once the task is complete.
Unfortunately, due to compatibility concerns with previous versions of Microsoft's Task Scheduler, ADHQ Lite does not yet support the kind of advanced scheduling you'll find in more recent versions of Task Scheduler. There are however, a couple of workarounds if you require your task to run more than once a day:
The easiest workaround to this problem is to modify the task's schedule from within Task Scheduler. ADHQ Lite's Scheduled Tasks are run by creating a Microsoft task of the same name. Simply open the task in Task Scheduler and modify the schedule (called Triggers in recent versions). The downside to this workaround is that ADHQ Lite will not display your task's schedule correctly and it is easy to accidentally change the schedule back to once a day if you modify the task in ADHQ Lite.
Set up your task to run once a day. Then, once it is set up, create one or more copies of the task and change the schedule on the copies to handle the other times of the day. For example, if you want to run your task every 6 hours, you could set up the following tasks:
|Original Task||Daily, 12am.|
|Copy 1||Daily, 6am.|
|Copy 2||Daily, 12pm.|
|Copy 3||Daily, 6pm.|
Newly created tasks (or copied tasks) in ADHQ Lite default to running under the local System account. This account should be sufficient for actions like sending an email, or executing an external program. However, if you are trying to run an ADHQ Lite tool or report from your task, you will likely need to set the task to run as a user with more permission.
Also, it's possible that the task is running, but that an error occurred while running a tool or report task action. Verify that the task output is not reporting any errors, and if you are running a tool or report, check to see if the action-specific output files are created. These output files, if they exist, should help guide you to the problem. For more information about task output files, see How can I save output from my task?
Finally, you can try running the task directly from the Run Now button on the ribbon to verify that there are no issues with your task configuration.