In general, Active Directory (AD) domains are an unalloyed improvement over Windows NT 4.0 domains. However, if you're a former NT 4.0 administrator who uses AD on a day-to-day basis, you'll soon notice that NT 4.0's User Manager for Domains user account management tool bests Windows 2000 Server's Microsoft Management Console (MMC) Active Directory Users and Computers snap-in in one important way: bulk edits.
Suppose you're working with NT 4.0 and you move all your users' roaming profile directories from a server named \\OLD to a server named \\NEW. You then must modify every user's Profile tab to reflect the fact that his or her roaming profile, which formerly resided in a directory named \\OLD\Users\%username%, now resides in \\NEW\Users\%username%. In NT 4.0, you would simply highlight all users; click User, Properties; then click Profile to access a window in which you could change the user profile path from \\old\user\%username% to \\new\user\%username%—bulk domain edits in a twinkling.
If you try something similar with Win2K's Active Directory Users and Computers, you'll find that you can't select more than one account at a time—bulk edits are impossible from Active Directory Users and Computers. Two problematic workarounds exist: You can write an Active Directory Service Interfaces (ADSI) script, which requires some script-writing knowledge, or you can download the Windows Server 2003 Administration Tools Pack (http://www.microsoft.com/downloads/details.aspx?familyid=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en), install the tools on a member workstation running Windows XP (the tools won't run on Win2K), then perform your domain administration from the XP box. The Windows 2003 tools let you select multiple users, thus making bulk edits possible on Win2K-based domains. The catch is that the Windows Server 2003 Administration Tools Pack license lets you download and run the tools only if you have Windows 2003—based domain controllers (DCs) in your network.
How can you perform bulk edits without learning scripting or violating a software license? You can use a little-known Microsoft tool called ADModify, which you can download from ftp://ftp.microsoft.com/pss/tools/exchange%20support%20tools/admodify. (Don't be discouraged if you can't access the tool the first time you try; that FTP server is apparently pretty busy.) Unzip the admodify_1.5.zip file, place its contents into a folder, then double-click admodify.exe.
ADModify starts as a wizard that offers you four options: Modify Existing User Attributes, Export Users from Active Directory, Export Users from Exchange 5.5, and Import Users. You want to modify profile paths for a bunch of users, so choose Modify Existing User Attributes and click Next.
The resulting page shows you a list of DCs in your AD domain, as well as the objects (e.g., user accounts, groups, machine accounts, organizational units—OUs) in your domain. From the Select Domain Controller drop-down list, choose a DC, then navigate the tree-structured AD view to choose the users whose accounts you want to modify. Click the Add To List button to move the accounts into the wizard page's right pane. Highlight those user accounts in the right pane and click Next.
Now, you'll see a modified version of the Active Directory Users and Computers snap-in's Properties window. In this window, you can change many—but not all—AD characteristics in bulk. Most of the easily changed items are the merely descriptive ones, such as user description or the items on the Address, Telephones, and Organization tabs. On the Profile tab, you can change profile locations, home directories, and logon scripts en masse.
Microsoft Exchange Server users will recognize that ADModify's developers are probably Exchange support folks. The tool includes tabs with names such as Exchange General, E-mail Addresses, and Extension Attributes. I don't use Exchange, so I can't comment about the usefulness of that functionality, but I can say that—in AD environments that don't use Exchange—ADModify can't change the E-mail address field on the General tab of the user's Properties page.
I'm almost out of space, but I'd be remiss if I didn't mention another interesting ADModify feature: user and group import and export. This capability makes ADModify a nicely updated version of the Microsoft Windows NT Server 4.0 Resource Kit's addusers.exe tool. You can test the feature from ADModify's wizard interface. You'll find the feature fairly self-explanatory, but be aware of one caveat: You can import users only if you've installed the Win2K Support Tools' Lightweight Directory Access Protocol (LDAP) Data Interchange Format (LDIF) Directory Exchange tool (Ldifde). For more information about Ldifde, see "The LDIF Directory Exchange Tool," June 2003, http://www.winnetmag.com, InstantDoc ID 38947.