Back in late 1999, I had a chance to meet with the folks assembling the Microsoft Windows 2000 Server Resource Kit. They wanted to tell me about their plans for the resource kit’s future, but one thing struck me as odd: They felt that one of the strengths they were bringing to the resource kit was a push to unify the syntax of the various command-line tools. I have to say that, at the time, I wasn’t very encouraged.
However, it all makes a lot more sense to me now.
Between late 1999 and today, two things have changed my mind. First, I’ve learned a lot about Linux. Second, the non-uniformity of the way Windows utilities let you specify a username has been driving me crazy. Linux, as you probably know, tends to have more command-line administrative tools than GUI administrative tools, compared with the Windows world. And some of those tools have a lot of options. So, it’s nice to see some unofficial standards about how to lay out those options. After living in Linux-land for a while and making heavy use of the command-line interface (CLI) world, I’ve come to appreciate the value of standards.
Which brings me to Windows CLI tools. If you’ve ever used one of these tools, consider this question: How do you specify a username? Many tools let you issue commands that control remote systems, and so some of those tools intelligently and helpfully let you include a username and password for authentication. Consider, for example, one of the most extreme examples in the CLI world, Netdom. Netdom lets you perform many functions, including creating trust relationships between domains. You can, if you like, sit at a Windows XP workstation and command two domains to trust each other, even if that XP system isn’t a member of either domain. Clearly, both the trusted and trusting domains won’t accede to such a command without authorization, and so Netdom has four optional parameters—userd, passwordd, usero, and passwordo—that let you specify an administrator’s username and password for trusted and trusting domains.
But how would you specify the username? Suppose the trusting domain is named bigfirm.com, the NetBIOS name is bigfirm, and the administrative account is named Jane. Should I enter /usero:jane, /usero:bigfirm\jane, or /usero:[email protected]? Detdom, a pretty flexible command, will take either bigfirm\jane or [email protected] Kudos to the Netdom team. But many other CLI developers aren’t so forgiving. For example, consider the Dsrevoke tool, which you can find at the Microsoft Download Center. (It’s not in Support Tools or the resource kit.)
Dsrevoke is a cool little utility that answers a question I’ve wryly asked technical audiences for a few years: Why is there a Delegation of Control wizard but not an UNdelegation of Control wizard? In other words, it’s easy to give employee Tyrone a set of Active Directory (AD) powers with just a few clicks, but extracting Tyrone from AD involves much more involved clicking. Dsrevoke lets you quickly and simply find and yank any delegations that Tyrone has.
Well, almost simply.
I love Dsrevoke, but the syntax drives me a little crazy. Suppose Tyrone is a member of the bigfirm.com domain. Here’s the simplest syntax to perform a Tyronectomy of AD:
dsrevoke /remove bigfirm\tyrone
You might ask, What’s wrong with that? And I would answer, “That bigfirm\tyrone stuff, that’s what’s wrong. After all, this is a tool that makes sense only in an AD context. AD has a clever way of specifying a unique username—a user principal name (UPN). And yet Dsrevoke can’t accept UPNs. Which means that an AD implementation that has done what Microsoft has said is possible—shut off NetBIOS altogether—wouldn’t benefit from this convenient tool. That’s sad.
Please don’t misunderstand me: I apologize for singling out Dsrevoke’s author or authors. There are many Microsoft CLI applications that require you to specify a particular user, and as we continue to become more and more security-conscious, that trend will continue. Wouldn’t it be wonderful if command-line utilities all accepted both the old NetBIOS domainname\username and the email-ish UPN names?