Working with Active Directory Snapshots in Windows Server 2008
I would like to highlight some posts by Daniel Petri (Microsoft MVP) that explain how to work with a new feature in Windows Server 2008: AD Snapshots.
This new feature in Windows Server 2008 lets you create a snapshot of AD and work with it through some tools. I suggest reading these posts because I found them very interesting.
Many thanks to Daniel Petri, who published these for the community.
Below are the links:
Working with Active Directory Snapshots in Windows Server 2008
Directory Service Comparison Tool
Exporting Information from Active Directory Snapshots in Windows Server 2008
USE THE DSMOVE COMMAND LINE TOOL TO MOVE MULTIPLE ACCOUNTS IN AD
As I wrote in my previous post “use windows native command line for change attributes for multiple account”, there are some useful Windows command line tools that let you perform many operations at once.
In this example we explain how to use DSMOVE, a command line tool for moving objects in Active Directory.
Note: as a reminder, this tip is valid for Windows 2000, Windows Server 2003 and Windows Server 2008.
User and computer accounts are the object types you will most often handle in bulk; an export produced with Comma Separated Value Data Exchange (CSVDE) is a good starting point for building the list of objects to move.
Scripting the move with dsmove is done from the command line.
Here is an example command that moves the user Jhon Buy from the Users container to a new OU called DestinationOU:
dsmove "CN=Jhon Buy,CN=Users,DC=test,DC=Local" -newparent "OU=DestinationOU,DC=test,DC=Local"
Note: when the DN of the object to move contains a space, the entire DN must be placed in quotes (the same applies to the -newparent DN).
When performing many moves you may want to designate a domain controller with the -d parameter so that a single DC processes all of the transactions associated with the move. Each dsmove operation is a direct call to the domain controller and could be taxing if the commands hit a relatively busy domain controller.
To create a .cmd script with many lines you can use an Excel worksheet, as I described in my previous post here.
For more information please see the Microsoft TechNet site.
USE THE WINDOWS NATIVE COMMAND LINE TO CHANGE ATTRIBUTES FOR MULTIPLE ACCOUNTS
Hi all,
Sometimes administrators need to modify an AD attribute for multiple accounts. This can be done with VBScript, but administrators who are not familiar with VBScript can also use the native Windows command line.
For example, if I need to set or clear the “user must change password at next logon” flag, I can use the following command lines:
Activate:
dsmod user "cn=User1,ou=HQ,dc=exampledomain,dc=com" -mustchpwd yes
Deactivate:
dsmod user "cn=User1,ou=HQ,dc=exampledomain,dc=com" -mustchpwd no
Now, to do this for multiple users, I can use an Excel worksheet with a CONCATENATE formula:

Below is the result that I copy and replicate down the Excel worksheet:
The last step is to copy the result column (the one with the CONCATENATE formula) into a .cmd file and run it with appropriate credentials.
Reference from TechNet. Cheers, Alex
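The two posts above both build a .cmd file by concatenating a DN into a dsmove or dsmod line for each account. The Excel formula approach breaks as soon as a CN contains a comma or a leading/trailing space, because the value is then no longer a valid DN. The script below is an added example (it is not the spreadsheet from either post): it reads a constructed CSV (column names, helper names and sample rows are my own) and emits correctly escaped and quoted dsmod and dsmove lines. The optional server argument uses the -s switch that the ds* tools accept for naming a specific server.

```python
"""Generate dsmod / dsmove command lines for many accounts from a CSV list.

Added example (not the post's own spreadsheet): the CSV columns, the helper
names and the sample rows below are all constructed for illustration.
"""
import csv
import io

# Characters that RFC 4514 requires to be backslash-escaped inside an RDN value.
_DN_SPECIAL = set(',+\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in a DN (RFC 4514).

    A CN such as "Smith, Jane" would otherwise be read as two RDN components.
    """
    if '"' in value:
        # A double quote inside a double-quoted cmd.exe argument is consumed by
        # the tool's own argument splitter before the DN is parsed; refuse it
        # rather than emit a line that silently targets the wrong object.
        raise ValueError(f"double quote in RDN value is not supported on the command line: {value!r}")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(cn: str, parent_dn: str) -> str:
    """Compose the DN of an object from its CN and the DN of its parent."""
    return f"CN={escape_rdn_value(cn)},{parent_dn}"


def quote(dn: str) -> str:
    """Wrap a DN in double quotes for cmd.exe; harmless when the DN has no spaces."""
    return f'"{dn}"'


def dsmove_line(cn: str, source_parent: str, dest_parent: str, server: str = "") -> str:
    """dsmove <objectDN> -newparent <parentDN> [-s <server>]"""
    line = f"dsmove {quote(build_dn(cn, source_parent))} -newparent {quote(dest_parent)}"
    if server:
        line += f" -s {server}"
    return line


def dsmod_mustchpwd_line(cn: str, parent: str, must_change: bool, server: str = "") -> str:
    """dsmod user <userDN> -mustchpwd {yes|no} [-s <server>]"""
    line = f"dsmod user {quote(build_dn(cn, parent))} -mustchpwd {'yes' if must_change else 'no'}"
    if server:
        line += f" -s {server}"
    return line


# Constructed sample export: one row per account (a CSVDE export would carry
# the full DN; here the CN and parent container are already split out).
SAMPLE_CSV = """cn,source_parent,dest_parent,mustchpwd
Jhon Buy,CN=Users,OU=DestinationOU,yes
"Smith, Jane",OU=HQ,OU=DestinationOU,no
"""


def generate_batch(csv_text: str, domain_dn: str, server: str = "") -> list:
    """Return the lines of a .cmd file: for each row, set the flag, then move."""
    lines = ["@echo off"]
    for row in csv.DictReader(io.StringIO(csv_text)):
        source = f"{row['source_parent']},{domain_dn}"
        dest = f"{row['dest_parent']},{domain_dn}"
        flag = row["mustchpwd"].strip().lower()
        if flag in ("yes", "no"):
            lines.append(dsmod_mustchpwd_line(row["cn"], source, flag == "yes", server))
        # The move is emitted last so that the dsmod line still addresses the original DN.
        lines.append(dsmove_line(row["cn"], source, dest, server))
    return lines


if __name__ == "__main__":
    print("\n".join(generate_batch(SAMPLE_CSV, "DC=test,DC=Local")))
```

Redirect the output to a .cmd file and run it under an account that has the necessary rights, as the post describes; emitting the dsmod line before the dsmove line matters, because after the move the object's DN changes.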
Can I copy the settings from a GPO to another GPO?
The easiest way to do this is to make a copy of the original GPO and then rename it. You will then have a new GPO with all of the settings of the original. To do this, open the GPMC and drill down to the Group Policy Objects node. Right-click the GPO you want to copy and select Copy. Then, immediately select Paste. This creates a new GPO named “Copy of oldname”. Simply rename it to whatever you wish, and you’re in business!
Can I set different password policies for different OUs?
Within the Windows 2000 Server and Windows Server 2003 operating systems you can have only one password policy for the entire domain. If you need separate password policies, you have to create separate domains. However, this changes in Windows Server 2008. Read more about the new features in the Microsoft Identity and Access foundation here.
Active Directory Recursive Queries
I was inspired to write this article by Paul Williams.
In Windows Server 2003 Service Pack 2 and Windows Server 2008 Microsoft added a new LDAP query matching rule for linked-value DN syntax attributes, commonly known as a recursive query. The idea behind such a query is that it simplifies chasing nested links. The matching rule is invoked by placing its OID between a starting and an ending colon, just as the bitwise AND and OR matching rules are. This means that a recursive query takes the format:
<attribute>:<matching rule OID>:=<assertion value>
For example, to use a recursive query to ascertain whether or not a user is a member of a group, you would use the following syntax:
(member:1.2.840.113556.1.4.1941:=cn=administrator, cn=users, dc=test-lab, dc=com)
Note. Spaces have been used within the DN for readability purposes. That query is a single line.
What are the benefits of this?
This is best explained with an example. Consider the following scenario.
Suppose you have a global group that is a member of a domain local group, and the domain local group is used to grant access to some securable object. User objects are direct members of the global group, and other users are members of a second global group nested into the first.
You need to find out which user (and inetOrgPerson) objects have access to the secured object in question. Normally you would have to query the member attribute of the domain local group, then the member attribute of each global group that is a member of it, then of any groups that are members of those, and so on. A recursive query does this for you, so to get a list of all members of the domain local group, whether direct or indirect (nested), you run the following query against a suitable base container, e.g. the parent container of your user objects or, as in this case, the parent of the parent:
(&(objectCategory=person)(objectClass=user)(memberOf: 1.2.840.113556.1.4.1941:=cn=dlg01, ou=groups, dc=domain-name, dc=com))
Running the query via LDP:
***Searching...
ldap_search_s(ld, "OU=South,OU=People,DC=longhorn,DC=com", 2, "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=cn=Domain Local 01,ou=groups,dc=longhorn,dc=com))", attrList, 0, &msg)
Getting 3 entries:
Dn: CN=Homer Simpson,OU=South,OU=People,DC=longhorn,DC=com
canonicalName: longhorn.com/People/South/Homer Simpson;
memberOf: CN=Global 02,OU=Groups,DC=longhorn,DC=com;
name: Homer Simpson;
objectClass (5): top; person; organizationalPerson; user; inetOrgPerson;
Dn: CN=Dirk Pitt,OU=South,OU=People,DC=longhorn,DC=com
canonicalName: longhorn.com/People/South/Dirk Pitt;
memberOf: CN=Universal 02,OU=Groups,DC=longhorn,DC=com;
name: Dirk Pitt;
objectClass (5): top; person; organizationalPerson; user; inetOrgPerson;
Dn: CN=James Bond,OU=South,OU=People,DC=longhorn,DC=com
canonicalName: longhorn.com/People/South/James Bond;
memberOf: CN=Universal 02,OU=Groups,DC=longhorn,DC=com;
name: James Bond;
objectClass (5): top; person; organizationalPerson; user; inetOrgPerson;
Note. Recursive queries aren't limited to groups. They work on any linked-value DN syntax attribute. The member/memberOf linked-value pair is simply one of the most familiar and therefore the easiest to relate to.
Limitations
Recursive queries are only performed within the local Directory Information Table (DIT) of the domain controller performing the query.
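To make concrete what the matching rule saves you, here is an added example (not code from the original article) that models the objects from the LDP output above as an in-memory directory and resolves nested membership the way LDAP_MATCHING_RULE_IN_CHAIN does: a plain memberOf filter on the domain local group finds nobody, while the chain-resolving version finds the three users under OU=South. It also builds the two filter strings from the article with the assertion value escaped per RFC 4515, which matters when the group DN comes from user input. The directory contents, the extra user outside the search base, and the helper names are all constructed for this example.

```python
"""Nested group membership, resolved the way LDAP_MATCHING_RULE_IN_CHAIN does it.

Added example, not code from the original post. The directory below is a
constructed in-memory model of the objects shown in the LDP output, plus one
user outside the search base; the helper names are my own.
"""
from collections import deque

# OID of the matching rule used in the article's filters.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value placed inside an LDAP filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def nested_members_filter(group_dn: str) -> str:
    """Filter for every user that is a direct or nested member of group_dn."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)}))")


def is_member_filter(user_dn: str) -> str:
    """Filter that matches the groups (direct or nested) a given user belongs to."""
    return f"(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)})"


# Constructed directory: each object carries its objectClass and its *direct*
# memberOf links, which is all the DIT actually stores.
G = "OU=Groups,DC=longhorn,DC=com"
P = "OU=People,DC=longhorn,DC=com"
DIRECTORY = {
    f"CN=Domain Local 01,{G}": {"objectClass": "group", "memberOf": []},
    f"CN=Global 01,{G}":       {"objectClass": "group", "memberOf": [f"CN=Domain Local 01,{G}"]},
    f"CN=Global 02,{G}":       {"objectClass": "group", "memberOf": [f"CN=Global 01,{G}"]},
    f"CN=Universal 02,{G}":    {"objectClass": "group", "memberOf": [f"CN=Global 01,{G}"]},
    f"CN=Homer Simpson,OU=South,{P}": {"objectClass": "user", "memberOf": [f"CN=Global 02,{G}"]},
    f"CN=Dirk Pitt,OU=South,{P}":     {"objectClass": "user", "memberOf": [f"CN=Universal 02,{G}"]},
    f"CN=James Bond,OU=South,{P}":    {"objectClass": "user", "memberOf": [f"CN=Universal 02,{G}"]},
    f"CN=Marge Simpson,OU=North,{P}": {"objectClass": "user", "memberOf": [f"CN=Global 02,{G}"]},
}


def transitive_member_of(directory: dict, dn: str) -> set:
    """All groups dn belongs to, following memberOf links upward.

    The visited set makes this terminate on circular nesting, which AD allows.
    """
    seen, queue = set(), deque(directory[dn]["memberOf"])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(directory.get(g, {}).get("memberOf", []))
    return seen


def _in_subtree(dn: str, base_dn: str) -> bool:
    """Subtree-scope check: the object's DN ends with the search base."""
    return dn.lower().endswith("," + base_dn.lower())


def direct_user_members(directory: dict, group_dn: str, base_dn: str) -> list:
    """What a plain (memberOf=group_dn) filter returns under base_dn."""
    return sorted(dn for dn, o in directory.items()
                  if o["objectClass"] == "user" and _in_subtree(dn, base_dn)
                  and group_dn in o["memberOf"])


def nested_user_members(directory: dict, group_dn: str, base_dn: str) -> list:
    """What (memberOf:1.2.840.113556.1.4.1941:=group_dn) returns under base_dn."""
    return sorted(dn for dn, o in directory.items()
                  if o["objectClass"] == "user" and _in_subtree(dn, base_dn)
                  and group_dn in transitive_member_of(directory, dn))


if __name__ == "__main__":
    dlg = f"CN=Domain Local 01,{G}"
    print(nested_members_filter(dlg))
    print("direct:", direct_user_members(DIRECTORY, dlg, f"OU=South,{P}"))
    print("nested:", nested_user_members(DIRECTORY, dlg, f"OU=South,{P}"))
```

Note that the model, like the real matching rule, only follows links present in the directory it is given: a member link held in another domain's DIT would not be found, which is exactly the limitation stated above.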
Restart a DC in Directory Services Restore Mode (DSRM) remotely
If you need to restart a DC in your domain in DSRM but you don't want to involve (or don't have) local IT staff to do it, you can use a trick to do it remotely yourself.
First, make sure that Remote Desktop is enabled on the DC and that you know the Directory Services Restore Mode (DSRM) password (if you don't know the DSRM password, you can reset it by following this article: Restore DSRM password on Windows 2000/2003).
Second, go to the Advanced tab in System Properties:
Right-click My Computer >> click Properties >> click the Advanced tab >> click Settings under Startup and Recovery >> click the Edit button to edit the startup options file.
Edit the Boot.ini file and add the /SAFEBOOT:DSREPAIR switch to the DC's entry, as shown in the following example:
multi(0)disk(0)rdisk(0)partition(2)\WINNT="W2K DC your server name" /fastdetect /SAFEBOOT:DSREPAIR
NB: remember that this option is only valid for Windows 2000 and 2003 DCs.
Restart the server: it now comes up in safe mode (DSRM).
After you have completed your work on the DC, remove the /SAFEBOOT:DSREPAIR string from Boot.ini and restart the server normally.
This option is only for Windows Server domain controllers; if you want to restart a non-DC in safe mode, you can use the other parameters described below:
/SAFEBOOT:OPTIONS (where the options are specified below)
Specifies options for a safe boot:
You should never have to specify this option manually, since Ntldr specifies it for you when you use the F8 menu to perform a safe boot. (A safe boot is a boot in which Windows only loads drivers and services that are specified by name or group under the Minimal or Network registry keys under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot.) Following the colon in the option you must specify one of three additional switches: MINIMAL, NETWORK, or DSREPAIR. The MINIMAL and NETWORK flags correspond to safe boot with no network and safe boot with network support, respectively. The DSREPAIR (Directory Services Repair) switch causes Windows to boot into a mode in which it restores the Active Directory directory service from a backup medium you present. An additional option you can append is (ALTERNATESHELL), which tells Windows to use the program specified by the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell value as the graphical shell rather than the default, which is Windows Explorer.
If you need any other options for the Boot.ini file, please see this Microsoft article:
http://www.microsoft.com/technet/sysinternals/information/bootini.mspx
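The procedure above is easy to get wrong by hand over Remote Desktop: the switch ends up on the wrong entry, gets duplicated on a second attempt, or is left behind so the DC keeps rebooting into DSRM. The script below is an added example (not from the original post) that adds, replaces or removes the /SAFEBOOT switch on only the [operating systems] entry whose description matches, validates the mode against the three switches described above (plus the optional (ALTERNATESHELL) suffix), and reports what is currently set so you can check before rebooting. SAMPLE_BOOT_INI is a constructed file and set_safeboot/safeboot_mode are my own names; it applies only to Ntldr-based systems (Windows 2000 / Windows Server 2003), which is what Boot.ini controls.

```python
"""Toggle the /SAFEBOOT switch on a Boot.ini entry without hand-editing the file.

Added example, not from the original post. SAMPLE_BOOT_INI is a constructed
file; set_safeboot() / safeboot_mode() and their parameters are my own names.
Only Ntldr-based systems (Windows 2000 / Windows Server 2003) use Boot.ini.
"""
import re

SAFEBOOT_MODES = {"MINIMAL", "NETWORK", "DSREPAIR"}

# [operating systems] entry:  <arc path>="<description>" [switches...]
_ENTRY = re.compile(r'^(?P<path>[^=]+)="(?P<desc>[^"]*)"(?P<opts>.*)$')

# Constructed Boot.ini (CRLF line endings, as written by Windows).
SAMPLE_BOOT_INI = (
    "[boot loader]\r\n"
    "timeout=30\r\n"
    "default=multi(0)disk(0)rdisk(0)partition(2)\\WINNT\r\n"
    "[operating systems]\r\n"
    'multi(0)disk(0)rdisk(0)partition(2)\\WINNT="W2K DC SERVERNAME" /fastdetect\r\n'
    'multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Recovery Console" /fastdetect\r\n'
)


def _validate_mode(mode: str) -> str:
    """Accept MINIMAL, NETWORK or DSREPAIR, optionally with (ALTERNATESHELL)."""
    m = mode.upper()
    base = m.split("(", 1)[0]
    if base not in SAFEBOOT_MODES or m not in (base, base + "(ALTERNATESHELL)"):
        raise ValueError(f"unsupported SAFEBOOT mode: {mode!r}")
    return m


def set_safeboot(boot_ini: str, entry_match: str, mode) -> str:
    """Return boot_ini with /SAFEBOOT:<mode> on every [operating systems] entry
    whose description contains entry_match; mode=None removes the switch.

    Idempotent: an existing /SAFEBOOT token is replaced, never duplicated, and
    all other lines (including line endings) are passed through untouched.
    """
    if mode is not None:
        mode = _validate_mode(mode)
    out, in_os = [], False
    for line in boot_ini.splitlines(keepends=True):
        core = line.rstrip("\r\n")
        eol = line[len(core):]
        stripped = core.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_os = stripped.lower() == "[operating systems]"
        elif in_os:
            m = _ENTRY.match(core)
            if m and entry_match.lower() in m.group("desc").lower():
                opts = [t for t in m.group("opts").split()
                        if not t.upper().startswith("/SAFEBOOT")]
                if mode is not None:
                    opts.append(f"/SAFEBOOT:{mode}")
                core = f'{m.group("path")}="{m.group("desc")}"' + "".join(" " + t for t in opts)
        out.append(core + eol)
    return "".join(out)


def safeboot_mode(boot_ini: str, entry_match: str):
    """Report the /SAFEBOOT mode set on the matching entry, or None if absent."""
    in_os = False
    for line in boot_ini.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_os = s.lower() == "[operating systems]"
            continue
        m = _ENTRY.match(line) if in_os else None
        if m and entry_match.lower() in m.group("desc").lower():
            for t in m.group("opts").split():
                if t.upper().startswith("/SAFEBOOT:"):
                    return t.split(":", 1)[1]
            return None
    return None


if __name__ == "__main__":
    staged = set_safeboot(SAMPLE_BOOT_INI, "W2K DC", "DSREPAIR")
    print(staged)
    print("current mode:", safeboot_mode(staged, "W2K DC"))
    print("restored:", set_safeboot(staged, "W2K DC", None) == SAMPLE_BOOT_INI)
```

Run it once with mode "DSREPAIR" before the reboot and once with None after the restore work is done; because removal rebuilds the entry from its remaining switches, the file returns to exactly its original content.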
