Generates a report with information about group memberships for a user. Active Directory environments that contain complex group structures can encounter problems with an access token limitation during authentication. This problem can result in the inability of a user to log on or access resources. By analyzing the results of the report, you can identify the source of the problem.

For detailed information about the access token limitation issue and how to use the group membership evaluation option in Ntdsutil to resolve related problems, see Addressing Problems Due to Access Token Limitation on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=62237).

Ntdsutil is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use ntdsutil, you must run the ntdsutil command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

[clear credentials] [run %s1 %s2] [set account dc %s] [set credentials %s1 %s2 %s3] [set global catalog %s] [set resource dc %s] [verbose %s]

Parameters

Parameter Description

clear credentials

Clears credentials that were used for a prior connection.

run %s1 %s2

Runs token evaluation for the principal %s2 in domain %s1.

set account dc %s

Specifies the domain controller used in the account domain. The account domain is the domain that includes the user account. If you do not specify a domain controller, the tool automatically locates one.

set credentials %s1 %s2 %s3

Sets connection credentials as domain %s1, user %s2, and password %s3.

set global catalog %s

Specifies which global catalog server to use. If you do not specify a global catalog, then ntdsutil.exe automatically locates one.

set resource dc %s

Specifies the domain controller used in the resource domain. Use this parameter only if the user and computer on which the logon is being attempted are in different domains. If the user and computer belong to different domains, the resource groups of the computer must also be enumerated.

verbose %s

Turns verbose mode on or off.

quit

Takes you back to the previous menu or exits the utility.

?

Displays help at the command prompt.

Help

Displays help at the command prompt.

Remarks

  • If the variable has spaces in it, enclose it in parentheses, instead of quotation marks: connect to server (xxx yyy).

Examples