joeware - never stop exploring... :)

Hey! Sorry for the darkness.

AdFind is NOT dead, I am still developing it. I have a bunch of fixes in it that I started back in December 2023 including stuff for Windows Server 2025 that I just haven’t wrapped all up to release. I have actually bumped it to two minor versions too so the next version to be released will be V01.64.00. There have been about 60 builds since the last released version.

I admit, it is going slow, working too much in the regular job and feeling a bit run down and tired. Also looking at the PKI info in AD to look at translating that and that isn’t going as smooth as I had hoped. It isn’t just the coding slowing down, I have all sorts of yard work that is behind too.

Google has slowed down on marking AdFind as malware which is nice. I still check it daily and tell them to fix their shit when it does get marked. And that is literally all I do, I say fix your shit and then they stop marking it as malware until they mark it again in a month or four.

Getting MSFT to leave AdFind alone is a whole other thing. To the folks who think… Just sign the binary and it will be fine. No, that isn’t the case. The issue isn’t that people are using the adfind.exe name to get shit to run on systems like a trojan horse, the problem is that MSFT malware security people are morons and think a read only tool is a bad thing even when their own tools they provide do the same things, just not as well. Windows itself is orders of magnitude more of a security risk than AdFind is. I am not terribly distressed by any of it though. I originally wrote AdFind for myself and what I needed, I ended up sharing it when others said wow that is cool, can you share that with me?? And so I did. In the meanwhile with all of this stupid from MSFT I have written a completely different tool for myself now that I will never share with anyone so when MSFT gets a wild hair about AdFind, it doesn’t impact me at all.

Oh, people can stop sending me emails asking me to make AdFind for EntraID. It isn’t very likely to happen at all unless someone sends a request and about $500,000 into my paypal donation bucket or I change very dramatically the stuff I am working on which will likely cost the amount specified before or likely more. I literally have ZERO interest in EntraID and Cloud in general at the present time. At this point if I worked on anything for EntraID, it would probably be some kind of mechanism to extract Identity out of it so people can put it somewhere else.

I consider EntraID and other Cloud Identity systems to be dangerous to companies, large companies in particular, because you loose control of your authoritative Identity. I am fine with projecting or provisioning Identity into the Cloud systems, but I don’t think that that should be the authoritative store because you are now beholden to whomever you gave it to. Plus Cloud is expensive as hell for large companies and we are already seeing the backlash there as they pull stuff back out and put it into newly built on-premises systems with properly designed and managed management interfaces. In fact, if large companies have sorted out proper datacenter management years ago, Cloud wouldn’t have gone very far. Smaller companies, Cloud is probably the best option available for them for security and stability reasons as they likely don’t have amazing resources to run their stuff securely or well.   

   joe  

I love winget… Full stop.

But do not use winget on Windows Server 2025 and then try to sysprep it. It will break.

See https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/sysprep-fails-remove-or-update-store-apps#cause for how to back out so you can sysprep it.

   joe

Dear everyone out there still working with Active Directory (so most all large orgs and Security Vendors and other Software Vendors), please stop writing whenChanged or uSNChanged based AD Sync methods for your applications. Those may be fine (still bad) for some small company with 1-2 domain controllers but they are utter crap for large companies and do nothing but cause issues and confusion and inconsistent data syncing.

There is a MSFT article, “https://learn.microsoft.com/en-us/windows/win32/ad/polling-for-changes-using-usnchanged” that makes it seem like uSNChanged polling is a good thing, it isn’t. I have seen so many large well-known vendors using this technique and just causing any number of issues because of it, usually inconsistency in the synced data but also in large directories it is abusive when you have much better mechanisms to just return actual changes being tracked by the directory.

Currently, the very first bullet of that article is wrong, and has been wrong for quite some time

Only for highly privileged applications: To use the DirSync control, an application must run under an account that has the SE_SYNC_AGENT_NAME privilege on the domain controller. Few accounts are so highly privileged, so an application that uses the DirSync control cannot be run by ordinary users.

Since Windows Server 2003 we have had the LDAP Control “LDAP_DIRSYNC_OBJECT_SECURITY” which allows anyone who can see AD to perform DirSync operations on AD. In AdFind you can use the OS option in –dirsync_opts switch to see it in action. I use it on a regular basis with completely normal basic userids to watch flow of changes in AD. It is kind of fun actually, it helps to find stupidity in AD like products that are changing shit all of the time that shouldn’t be.

Anyway, if you are writing some quick and dirty application to look for changes quickly in some small application in some small directory, have at it. If you are writing a full blown application, especially an application you expect to sell to companies for thousands or millions of $$, do it correctly. Use DirSync if you are syncing data between AD and your application, if you just need occasional notifications of specific changes (like a config change), then use Change Notification.

DirSync (this is the most common case)

https://learn.microsoft.com/en-us/windows/win32/ad/polling-for-changes-using-the-dirsync-control

LDAP Specific – https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/ldap-server-dirsync-oid

Change Notification

https://learn.microsoft.com/en-us/windows/win32/ad/change-notifications-in-active-directory-domain-services

I recall talking to one large, well known company, actually this has happened a few times over the last decade with large software developers, about their AD Syncing, their app was abusing my AD with whenChanged syncing + just pulling all objects (millions) every few hours in case whenChanged missed something (because it is likely to happen if you don’t know how AD works) and likely fell back on the full syncs every few hours because of issues they had already seen in the past. I explained they needed to switch to usinig DirSync and do it correctly, the response back is that that is complicated and will take months. I spent a few hours over the weekend and added the functionality to AdFind, which, was not ever originally set up or structured to use DirSync. Is it perfect? No, but it shows it isn’t a months long issue for a company with professional developers.

So companies, don’t let your developers using shitty AD Syncing mechanisms. And if you are buying software and you know it is doing AD Syncing, find out HOW they are doing it and doon’t let them use shitty AD Syncing mechanisms. If they won’t tell you, you can do some packet tracing and sort out exactly what they are doing and if they do shitty syncing, they probably do other shitty things. There are not a lot of amazing developers out there, there are just a lot of developers out there and some really good sales people.

My favorite quote about programming is the following quote that I first heard from a professor at Michigan State University in 1988, it is called Weinberg’s Law:

If Builders Built Buildings the Way Programmers Wrote Programs, Then the First Woodpecker That Came Along Would Destroy Civilization

Somewhat ironically, the professor that shared this with me also argued with me about the idea that the more people who get involved with programming the better the overall code space would get (which is the battle cry of open source you may notice). I thought that was a complete crap position based on the fact that not even our very small coding classes back then had but maybe 10% of people who didn’t write complete crap code and that was a highly filtered group of people. I could not visualize any world where adding a whole bunch of people who weren’t as highly filtered could possibly increase the percentage of decent coders. And now nearly 4 decades later with huge amounts of random people thinking they are developers now, I look around and feel I was 100% accurate in my assessment all the way back then. All we have been doing is making the door wider for more unqualified people to come in building more and more complex frameworks for people and web based RESTful APIs and now the shitty AI we have at the moment which is, basically, glorified google focused on Stack Overflow.

   joe

AdFind updates for 2025 (and other things) is under way. Thirty something builds or so since the last publicly released version of AdFind.

[Sun 11/03/2024 14:05:12.57]
D:\DEV\cpp\vs\AdFind\Debug>adfind -appver

AdFind V01.64.00cppBETA Joe Richards (support@joeware.net) November 2024
  BUILD    : 1.64.0.6206_DEBUG
  BUILDDATE: 20241103-14:03:46 EST x86 VS2022
  WIN32  PATH: D:\DEV\cpp\vs\AdFind\Debug\AdFind.exe
  NATIVE PATH: \Device\HarddiskVolume4\DEV\cpp\vs\AdFind\Debug\AdFind.exe

[Sun 11/03/2024 14:05:21.11]
D:\DEV\cpp\vs\AdFind\Debug>adfind -hh k25-dc1.k25.test.loc -rootdse

AdFind V01.64.00cppBETA Joe Richards (support@joeware.net) November 2024

Using server: K25-DC1.K25.test.loc:389
Directory: Windows Server 2025 (10.0.26100.1)

dn:
> domainFunctionality: 10 [Windows Server 2025 Domain Mode]
> forestFunctionality: 10 [Windows Server 2025 Forest Mode]
> domainControllerFunctionality: 10 [Windows Server 2025 Mode]
> rootDomainNamingContext: DC=K25,DC=test,DC=loc
>ldapServiceName: K25.test.loc:k25-dc1$@K25.TEST.LOC
> isGlobalCatalogReady: TRUE
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: GSS-SPNEGO
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: DIGEST-MD5
> supportedLDAPVersion: 3
> supportedLDAPVersion: 2
> supportedLDAPPolicies: MaxPoolThreads
> supportedLDAPPolicies: MaxPercentDirSyncRequests
> supportedLDAPPolicies: MaxDatagramRecv
> supportedLDAPPolicies: MaxReceiveBuffer
> supportedLDAPPolicies: InitRecvTimeout
> supportedLDAPPolicies: MaxConnections
> supportedLDAPPolicies: MaxConnIdleTime
> supportedLDAPPolicies: MaxPageSize
> supportedLDAPPolicies: MaxBatchReturnMessages
> supportedLDAPPolicies: MaxQueryDuration
> supportedLDAPPolicies: MaxDirSyncDuration
> supportedLDAPPolicies: MaxTempTableSize
> supportedLDAPPolicies: MaxResultSetSize
> supportedLDAPPolicies: MinResultSets
> supportedLDAPPolicies: MaxResultSetsPerConn
> supportedLDAPPolicies: MaxNotificationPerConn
> supportedLDAPPolicies: MaxValRange
> supportedLDAPPolicies: MaxValRangeTransitive
> supportedLDAPPolicies: ThreadMemoryLimit
> supportedLDAPPolicies: SystemMemoryLimitPercent
> supportedLDAPPolicies: SecurityDescriptorWarningSize
> supportedControl: 1.2.840.113556.1.4.319 [LDAP_PAGED_RESULT_OID_STRING]
> supportedControl: 1.2.840.113556.1.4.801 [LDAP_SERVER_SD_FLAGS_OID]
> supportedControl: 1.2.840.113556.1.4.473 [LDAP_SERVER_SORT_OID]
> supportedControl: 1.2.840.113556.1.4.528 [LDAP_SERVER_NOTIFICATION_OID]
> supportedControl: 1.2.840.113556.1.4.417 [LDAP_SERVER_SHOW_DELETED_OID]
> supportedControl: 1.2.840.113556.1.4.619 [LDAP_SERVER_LAZY_COMMIT_OID]
> supportedControl: 1.2.840.113556.1.4.841 [LDAP_SERVER_DIRSYNC_OID]
> supportedControl: 1.2.840.113556.1.4.529 [LDAP_SERVER_EXTENDED_DN_OID]
> supportedControl: 1.2.840.113556.1.4.805 [LDAP_SERVER_TREE_DELETE_OID]
> supportedControl: 1.2.840.113556.1.4.521 [LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID]
> supportedControl: 1.2.840.113556.1.4.970 [LDAP_SERVER_GET_STATS_OID]
> supportedControl: 1.2.840.113556.1.4.1338 [LDAP_SERVER_VERIFY_NAME_OID]
> supportedControl: 1.2.840.113556.1.4.474 [LDAP_SERVER_RESP_SORT_OID]
> supportedControl: 1.2.840.113556.1.4.1339 [LDAP_SERVER_DOMAIN_SCOPE_OID]
> supportedControl: 1.2.840.113556.1.4.1340 [LDAP_SERVER_SEARCH_OPTIONS_OID]
> supportedControl: 1.2.840.113556.1.4.1413 [LDAP_SERVER_PERMISSIVE_MODIFY_OID]
> supportedControl: 2.16.840.1.113730.3.4.9 [LDAP_CONTROL_VLVREQUEST]
> supportedControl: 2.16.840.1.113730.3.4.10 [LDAP_CONTROL_VLVRESPONSE]
> supportedControl: 1.2.840.113556.1.4.1504 [LDAP_SERVER_ASQ_OID]
> supportedControl: 1.2.840.113556.1.4.1852 [LDAP_SERVER_QUOTA_CONTROL_OID]
> supportedControl: 1.2.840.113556.1.4.802 [LDAP_SERVER_RANGE_OPTION_OID]
> supportedControl: 1.2.840.113556.1.4.1907 [LDAP_SERVER_SHUTDOWN_NOTIFY_OID]
> supportedControl: 1.2.840.113556.1.4.1948 [LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID]
> supportedControl: 1.2.840.113556.1.4.1974 [LDAP_SERVER_FORCE_UPDATE_OID]
> supportedControl: 1.2.840.113556.1.4.1341 [LDAP_SERVER_RODC_DCPROMO_OID]
> supportedControl: 1.2.840.113556.1.4.2026 [LDAP_SERVER_DN_INPUT_OID]
> supportedControl: 1.2.840.113556.1.4.2064 [LDAP_SERVER_SHOW_RECYCLED_OID]
> supportedControl: 1.2.840.113556.1.4.2065 [LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID]
> supportedControl: 1.2.840.113556.1.4.2066 [LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID]
> supportedControl: 1.2.840.113556.1.4.2090 [LDAP_SERVER_DIRSYNC_EX_OID]
> supportedControl: 1.2.840.113556.1.4.2205 [LDAP_SERVER_UPDATE_STATS_OID]
> supportedControl: 1.2.840.113556.1.4.2204 [LDAP_SERVER_TREE_DELETE_EX_OID]
> supportedControl: 1.2.840.113556.1.4.2206 [LDAP_SERVER_SEARCH_HINTS_OID]
> supportedControl: 1.2.840.113556.1.4.2211 [LDAP_SERVER_EXPECTED_ENTRY_COUNT_OID]
> supportedControl: 1.2.840.113556.1.4.2239 [LDAP_SERVER_POLICY_HINTS_OID]
> supportedControl: 1.2.840.113556.1.4.2255 [LDAP_SERVER_SET_OWNER_OID]
> supportedControl: 1.2.840.113556.1.4.2256 [LDAP_SERVER_BYPASS_QUOTA_OID]
> supportedControl: 1.2.840.113556.1.4.2309 [LDAP_SERVER_LINK_TTL_OID]
> supportedControl: 1.2.840.113556.1.4.2330 [LDAP_SERVER_SET_CORRELATION_ID_OID]
> supportedControl: 1.2.840.113556.1.4.2354 [LDAP_SERVER_THREAD_TRACE_OVERRIDE_OID]
> supportedCapabilities: 1.2.840.113556.1.4.800 [LDAP_CAP_ACTIVE_DIRECTORY_OID]
> supportedCapabilities: 1.2.840.113556.1.4.1670 [LDAP_CAP_ACTIVE_DIRECTORY_V51_OID]
> supportedCapabilities: 1.2.840.113556.1.4.1791 [LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID]
> supportedCapabilities: 1.2.840.113556.1.4.1935 [LDAP_CAP_ACTIVE_DIRECTORY_V60_OID]
> supportedCapabilities: 1.2.840.113556.1.4.2080 [LDAP_CAP_ACTIVE_DIRECTORY_V61_R2_OID]
> supportedCapabilities: 1.2.840.113556.1.4.2237 [LDAP_CAP_ACTIVE_DIRECTORY_W8_OID]
> subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=K25,DC=test,DC=loc
> serverName: CN=K25-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=K25,DC=test,DC=loc
> schemaNamingContext: CN=Schema,CN=Configuration,DC=K25,DC=test,DC=loc
> namingContexts: DC=K25,DC=test,DC=loc
> namingContexts: CN=Configuration,DC=K25,DC=test,DC=loc
> namingContexts: CN=Schema,CN=Configuration,DC=K25,DC=test,DC=loc
> isSynchronized: TRUE
> highestCommittedUSN: 12989
> dsServiceName: CN=NTDS Settings,CN=K25-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=K25,DC=test,DC=loc
> dnsHostName: K25-DC1.K25.test.loc
> defaultNamingContext: DC=K25,DC=test,DC=loc
> currentTime: 20241103190552.0Z
> configurationNamingContext: CN=Configuration,DC=K25,DC=test,DC=loc
> validFSMOs: CN=Schema,CN=Configuration,DC=K25,DC=test,DC=loc
> validFSMOs: CN=Partitions,CN=Configuration,DC=K25,DC=test,DC=loc
> validFSMOs: DC=K25,DC=test,DC=loc
> validFSMOs: CN=Infrastructure,DC=K25,DC=test,DC=loc
> validFSMOs: CN=RID Manager$,CN=System,DC=K25,DC=test,DC=loc
> usnAtRifm: 1
> tokengroups: S-1-5-21-1203498047-784946223-2106378776-500
> tokengroups: S-1-5-21-1203498047-784946223-2106378776-513
> tokengroups: S-1-1-0
> tokengroups: S-1-5-32-544
> tokengroups: S-1-5-32-545
> tokengroups: S-1-5-32-554
> tokengroups: S-1-5-2
> tokengroups: S-1-5-11
> tokengroups: S-1-5-15
> tokengroups: S-1-5-21-1203498047-784946223-2106378776-512
> tokengroups: S-1-5-21-1203498047-784946223-2106378776-520
> tokengroups: S-1-5-21-1203498047-784946223-2106378776-518
> tokengroups: S-1-5-21-1203498047-784946223-2106378776-519
> tokengroups: S-1-5-21-1203498047-784946223-2106378776-572
> tokengroups: S-1-5-64-10
> supportedExtension: 1.3.6.1.4.1.1466.20037 [LDAP_SERVER_START_TLS_OID]
> supportedExtension: 1.3.6.1.4.1.1466.101.119.1 [LDAP_TTL_REFRESH_OID]
> supportedExtension: 1.2.840.113556.1.4.1781 [LDAP_SERVER_FAST_BIND_OID]
> supportedExtension: 1.3.6.1.4.1.4203.1.11.3 [LDAP_SERVER_WHO_AM_I_OID]
> supportedExtension: 1.2.840.113556.1.4.2212 [LDAP_SERVER_BATCH_REQUEST_OID]
> supportedConfigurableSettings: DynamicObjectDefaultTTL
> supportedConfigurableSettings: DynamicObjectMinTTL
> supportedConfigurableSettings: DisableVLVSupport
>supportedConfigurableSettings: ADAMDisablePasswordPolicies
> supportedConfigurableSettings: ADAMDisableLogonAuditing
> supportedConfigurableSettings: ADAMLastLogonTimestampWindow
> supportedConfigurableSettings: RequireSecureSimpleBind
> supportedConfigurableSettings: RequireSecureProxyBind
> supportedConfigurableSettings: MaxReferrals
> supportedConfigurableSettings: ReferralRefreshInterval
> supportedConfigurableSettings: SelfReferralsOnly
> supportedConfigurableSettings: ADAMAllowADAMSecurityPrincipalsInConfigPartition
> supportedConfigurableSettings: ADAMDisableSPNRegistration
> supportedConfigurableSettings: ADAMDisableSSI
> supportedConfigurableSettings: DenyUnauthenticatedBind
> spnRegistrationResult: 21
> serviceAccountInfo: machineDomainName=K25
> schemaIndexUpdateState: 3
> msDS-PrincipalName: K25\Administrator
> msDS-PortSSL: 636
> msDS-PortLDAP: 389
> dsSchemaPrefixCount: 39
> dsSchemaClassCount: 270
> dsSchemaAttrCount: 1507
> dsaVersionString: 10.0.26100.1 (WinBuild.160101.0800)
> databaseGuid: 00000000-0000-0000-0000-000000000000
> approximateHighestInternalObjectID: 5147

1 Objects returned

A colleague from my HP days (neither he nor I work for HP anymore) reached out to me to ask for clarification on the joeware licensing for use WITHIN a company, specifically the company he works for now. He wasn’t asking for you and your company, I mean, he is a terribly great nice person and cares a great deal about people and I can absolutely say this as I worked with him for quite a while, but he does have his priorities.   What he asked does apply to most companies as well so if there was any confusion in your companies, I am sorry for that. I hope this clarifies things.

The question was, basically… If we want to use your tools internally, does every single person in the company have to download the tools individually or can we download a copy and put it up on an internal SharePoint, File Share, or OneDrive (or whatever)?

If it is for corporate use and not being distributed to others, especially as part of a solution being sold, then feel free to download and serve out to your internal corporate users from whatever internal distribution model you want to use. Feel free to drop me a line giving me hints on what tools and how popular they are so I can keep the usage in the back of my mind for tool popularity but you don’t even have to do that.

I will even, and have in the past, negotiated terms with folks who want to distribute joeware tools as part of their solutions they are selling to their customers. I am not greedy about it, I just think my beak should get a little bit wet too if someone is taking my work and using it to make some money themselves. I, at least, deserve a nice dinner and something from the top shelf of the dessert cart if someone is making money off of what I have created that they find to be so good it is worth selling as part of something under their own banner. Considering over the last 25 years how much time my tools have saved, how many people and companies I have helped, and how many millions, yes millions of $$$ that my tools have saved companies it is a bit stingy not to share some love with me.

     joe  

…Microsoft, you have become so damn annoying with Windows Defender and other things that I am looking to turn it off permanently because I, not you, gets to be the arbiter of what I want on my machine and if I say leave this on my machine, I shouldn’t have to retell you over and over and over and over again.

Not only that, I am now looking to completely replace my Windows Laptops with FreeBSD laptops. It brings me no joy to say that as a near 20 year Microsoft MVP but you always wanted us to be honest about when MSFT is doing a shit job and well… In many areas and in many ways, you are absolutely doing a shit job. If I can find a manufacturer that actually builds decent quality laptops that come pre-loaded and fully supported with FreeBSD, I will start buying them exclusively for my home. I will sill have virtual Windows servers for testing things for work until I find alternative solutions for that as well but I am likely going to be removing all Windows from my personal life.

In the meanwhile I am looking into this.

https://www.makeuseof.com/permanently-disable-microsoft-defender-windows-11/

I released V01.62.00 last night to fix a crash bug introduced in V01.61.00 from integrating some of the joe only private ldap query tool functionality because some of the core functionality was different enough to be problematic.

If you ran into that crash bug, my deepest apologies.  

  joe

I just performed the final compiles and final commits for AdFind V01.61.00, AdMod V01.28.00, and joe’s private LDAP query tool because MSFT has their head up their ass in going after AdFind and I need a tool around that doesn’t just disappear when they decide to take it because they know better than anyone else what should be allowed on Windows machines and casually ignore that AdFind has never caused any damage and that PowerShell is used regularly to harm companies. This tells you the level of intelligence going on in the MSFT Antimalware/Antivirus space. They could be redefining how Antimalware and Antivirus are handled but clearly have no one smart enough to do it. If they ran the rest of the world there would be no pressure cookers, cars, bats, knives, guns, sticks, or rocks.

I should have the new versions of AdFind and AdMod up on the website in the next 1-7 days I expect.

   joe

The first bit is of course wrong, AdFind cannot bypass any security in place.

The second bit is of course right, AdFind is not malware despite what Windows Defender says. I expect this goes back to some person at Microsoft who doesn’t understand what software is nor how it works and has never, on their own, ever produced anything of value that people liked to use.