The kernel of LTC is a graphical language to construct characteristic subsets of directory objects. Its possibilities are far beyond conventional operations on controlling objects of hierarchical directories and moreover – are forcing to revise majority of such operations from the viewpoint of operations upon sets. On the basis of this latter approach nowadays a number of useful functions are already implemented – in the context of corporative networks administration on Active Directory platform:

View/edit attributes

In complete accordance with the LTC concept the user deals not with a single object but with a set of filtered objects and a set of attributes he is interested in. Editing is accomplished in a form of worksheets and is being held with the aid of macroses. The latter allow to express some attributes via others. It’s very essential that effectiveness of LTC-approach severely depends on the attributes support quality – on their completeness and actuality. At the same time it’s just LTC that gives a way to maintain both these features on desirable level, to reveal here problems clearly and on-the-fly.

Export/import of directory objects

If the procedures listed in the previous section are oriented to interactive control of attributes of directory objects, the export/import procedures allow to implement the program control. Import operations go far beyond conventional idea about data download from file to directory. In conjunction with described below policy mechanism import mechanism enables to keep up in actual state complex links between objects from different directories.

LTC policies mechanism

By its nature this mechanism is similar to standard policies of Windows 2000 and is not replacing them but expanding – not only users and computers configurations are exposed to control, but the complete AD directory. By means of LtcPolicy administrator can define multitude rules that will be executed according to established for every rule schedule.

NT autogroups

The structure of such NT group is generated and maintained according to some rule specified by LTC filter. The filter itself is stored in an attribute of corresponding group. The rule actualization is carried out via LTC-policy. To define such policy one have to specify the autogroups set and update schedule.


The autoattribute value is maintained according to some rule defined by LTC-policy. To define autoattribute one have to specify: attribute to be handled as automatic, the set of objects that require (or for which it is desirable) this attribute as ruled attribute, the rule itself and renewal schedule.
For instance, you can automatically ensure the equality of ‘userPrincipalName’ attribute to ‘mail’ attribute, if it corresponds to your company standard. It is possible to build attribute on the values of two and more attributes. For example, the ‘proxyAddresses’ attribute can be described by the following expression:
X400:c=RU;a= ;p=Yukos;o=AGMyCompany;s=$TextOf(mailNickname);i=?;
Here macro $TextOf is used to make a reference to another attribute. Such construct in practice enables to create automatically not only main mail address but also its shortened variant and inherited address. It is presumed that ‘extensionAttribute9’ attribute is also formed on the base of some predefined rule using user name attributes (‘givenName’, ‘middleName’, ‘sn’), and ‘extensionAttribute7’ is created during migration process from the old domain.

Generation of executable modules

This function in essence is a subkind of export but requires distinct consideration due to its importance. Given mechanism enables to expand LTC functionality in desirable for each concrete situation direction, “switching on” LTC capabilities in sets’ generation.
Consider this mechanism by example. Suppose you need to generate a set of DFS directories, referring to system resources ADMIN$ of all network servers.
To generate directories of this kind for all servers under interest, one can do the following:
  1. Create in LTC a set of all servers you’re interested in.
  2. Execute an export function for created set using in a format file a line like:
    dfscmd.exe /map "\\MYDOMAIN\Dfs\Auto\Admins\$TextOf(cn)" "\\$TextOf(dNSHostName)\ADMIN$"
    As a result of export a command file will be created having calls to utility DFSCMD.EXE with proper parameters. Macroses $TextOf(dNSHostName) and $TextOf(cn) will be replaced with actual DNS- and CN- server names correspondingly.
  3. Call a command file generated as a result of export operation.
To maintain this set of DFS directories in the actual state you can generate the LTC policy adjusted in a way that the specified procedure (export and call of created file) will be periodically repeated, so that after appearance of servers matching filter the corresponding directories will be automatically added.
Clear that proposed scheme looks clumsily if the number of servers is not significant. But if their number is 20 and more you’ll not only get savings of time but also define a generation principle for directories of this kind that radically resolves the stated problem “once and forever”.
The class of programs that can be integrated with LTC is extremely wide. Any executables can be used (cmd, bat, vbs, java, exe, etc.) that are capable of command line mode and are oriented to single object handling. It is enough if the command line can be expressed through the values of object attributes.

Classification of directory objects by attribute value

If in the properties of the so-called terminal filter of LTC any of classification enumerators is chosen then while building the resulting set of objects they will be classified according to filter attribute value. It implies that for every value of attribute a container will be created that will hold all the objects with a given value. Moreover, a structural classification is possible when on the basis of an attribute having hierarchical nature it becomes possible to create the objects tree inducted by attribute.

Controlling users script files

The LTC program actually provides the possibilities to control script files of multiple users. It is possible to add commands into scripts of selected users, to delete commands by user-defined template, to filter users on the basis of the content of their scripts, to make simultaneous context replacements in multiple files and so forth. One general point must be focused - the practice of LTC usage in handling scripts unambiguously shows that even for quite moderate number of users LTC provides extreme reduction (to tens and even hundreds times) in scripts modification time as compared with any other known tool. But there is even one more essential thing. Very often operations must be held as transactions. Due to production restrictions it can be inadmissible to stretch in time these or that actions. And the paradigm of operations on entire objects sets gives solution of this problem.

Working with access lists (ACL) of AD, Exchange and NTFS objects

The most useful LTC possibility in ACL context is very likely the search function of objects that are having not inherited but explicitly defined access rights. Because just such objects carry information about access rights distribution in hierarchical system of objects. In practice very often the current state of ACL-objects is a result of uncoordinated actions of different users during several years. And it is simply impossible to get the overall picture of the present-day access rights distribution to files and directories via standard means. Whereas working via this LTC function network administrator gets some resulting subset of directories, analysis of which will make it possible to understand the actual distribution of access rights and hence – to reveal the gaps in security with their subsequent elimination.

Working with file sets

Though LTC cannot be treated as full-scale file manager there is a class of file operations where LTC proves to be the most suitable tool. This is the class of operations where creation of some characteristic file set comes to the forefront. As for operations with file set entities when simultaneous regularized files alterations are performed – a number of them are implemented in LTC: exchange of one context with another, replacement of lines matching template, addition/removal of lines before or after a line matching template, etc.

Automated procedure to handle users passwords

There is a problem to change end users passwords on periodical base (at least, due to security reasons). Administrator can do this by means of LTC using the following scenario:
  1. Administrator creates LTC-set corresponding to a set of users for which replacement (or assignment) of a password is foreseen.
  2. The function of the bulk password assignment is initiated.
  3. The parameters of the operation are chosen (password length, generation scheme), template text for user notification. The data of actual password exchange can also be set here.
  4. Passwords alteration is executed (if pending mode was not chosen). Simultaneously a file is generated that contains a set of notes to users with their personal passwords and instructions on password usage. If there are jobs or services running under accounts of selected users then – if appropriate option is selected – passwords will be automatically updated on computers where these jobs or services are defined. (The computer set to which this operation will be applied, is defined by autogroup).

Conversion of graphical filter into its text form of LDAP-request

This operations allows to prepare in LTC filters that can be then used in conventional form of LDAP-requests in standard programs (not supporting LTC format) like Exchange 2000. Inverse operation is also possible.


In LTC a number of operations is realized that deal with migration of Windows 2000 domains into unified Active Directory. By means of LTC administrator can describe practically any scheme of migration. Having a built-in mechanism to handle multiple objects and multiple attributes LTC allows to describe with clearness but in all details both the sets of migrating objects and their heritable features. Besides, special LTC functions for searching duplicates allow to reveal beforehand (and prevent) potential collisions. The latter is of extreme importance while performing complex migrations when two or more domains are merged into one – what is typical for transition to Windows 2000. But perhaps the most essential difference in migration via LTC as compared with, say, ADMT is the possibility to set the background domain synchronization. This allows to make changes in the old domain during a transient period, to create or modify its objects. All changes will be automatically replicated to a new domain.

Event Logs analysis for Windows NT and higher platforms

Working with LTC administrator can create a set of certain events and a set of certain servers (computers) and make a search of events set within servers set. By means of structured LTC filters he can exactly pick out events he is actually interested and cast away the others (hampering analysis). This, in particular, allows to “tie up” events taking place on different servers but having one reason. Say, administrator needs to find out who and when made changes into ‘Domain Admins’ group. Placing in the ‘Comment’ field of filter the context “Domain Admins” and executing a search on all controllers, he’ll get all events related to this group. Obviously, administrator can use more complicated filters combining conditions on various events’ attributes. In a ‘Standard’ program version this option is not supported.

Report generators on Internet usage at user and enterprise levels

The problem of Internet traffic billing is solved via LTC in an exhaustive way. Information is retrieved from reports of proxy servers and is split along AD users. Such approach gives the possibility to generate reports as in the context of separate users (independently of computer being used to access Internet) as well as for separate departments and complete organizations. Besides all a possibility is realized to establish traffic limits for individual users with automatic access prohibition when attempts are made to exceed bounds. In a ‘Standard’ program version this option is not supported.

Report generators on mail traffic

LTC gives the possibility to describe subsets of mail users administrator is concerned and to analyse postal streams between them. Information is retrieved from the logs of mail servers and is made accordant to AD users. On customer desire a number of various reports on mail traffic can be generated, starting from individual users and ending with creation of resumptive mail flows. In particular, a flow of incoming post from Internet can be revealed (or – if more details are required - flows). In a ‘Standard’ program version this option is not supported.

Report generators on data flows at site level through logs managed on frontier routers

The Internet flows represent a separate interest in network data flows. LTC is capable to generate reports for routers. Here LTC plentiful abilities in creating complicated filters supply administrators with powerful instrument to analyse IP-flows under different perspectives, depending on the needs. These reports can also be used for comparison with data delivered by Internet provider for verification purposes. In a ‘Standard’ program version this option is not supported.