joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

1/17/2015

AdFind V01.48.00 Released

by @ 1:11 pm. Filed under tech, updates

It has been over two years since V01.47.00 was released but finally AdFind V01.48.00 has been released. I have no excuses other than allowing my day job to completely overrun my personal life. I would love to spend my days working on building and releasing tools but financially it just isn’t feasible at this time. :) I do apologize for the extended period of inactivity. I do intend to do things differently this year and have some exciting thoughts around some tools. This is the year I tackle ESE coding and going directly into the AD Database tables. I have been looking to do that for some time as I have been intrigued by ESE coding from long conversations with Brett Shirley (one of the few ESE Devs at Microsoft and someone I am proud to have as a friend).

Anyway… I started updating the code base almost exactly a year ago and fixed bugs and added features in bursts throughout the year when I found time. At the very least you will find a bunch of new decodes built in for Windows Server 2012, Windows Server 2012 R2, and Windows Server Threshold but hopefully you will find the bug fixes and new features useful as well.

So without further ado… here is the general list of changes:

Added many Windows Server 2012, Windows Server 2012 R2, and Windows Server Threshold Decodes

Added "mode decodes" for versions > Threshold as Windows Server Threshold+. I kept finding I was annoyed when newer OS/mode versions that weren’t decoded yet defaulted to the most recent decoded version. I.e., Windows Server Threshold will decode as Windows Server 2012 in V01.47.00, whereas the version after Threshold will decode as Windows Server Threshold+ in V01.48.00. I intend to get out a quick update to change the decodes from Windows Server Threshold to whatever it formally becomes when it becomes it. ;)

Added a bunch more decodes for various attributes. New values that have been added, additional attributes, etc.

Tweaked a bunch of shortcuts so they are more intelligent with base selection, GC use, and enabling -dloid to speed up queries when possible, etc.

Added new features and modifiers for several shortcuts.

In one of the previous versions I changed how AdFind handled what happens when you specify the same attribute multiple times and had it normalize down to a single attribute so that the output was consistent between CSV and non-CSV output: non-CSV output will always only show the attribute once, whereas CSV output would populate two fields with the attribute. Apparently some folks used that functionality, so I changed it back so that you can specify a single attribute multiple times and each occurrence will show up in the CSV output.

I ran into some cases where I needed to specify IPv6 addresses and the -h option got confused by that (it was parsing the string on colons to retrieve the port), so I updated the code so that it can handle IPv6 format addresses, i.e. [2001:0:5ef5:79fb:45:32c6:94fa:def9]:389.
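To show the parsing problem that change fixes, here is an added example (my own illustration for this post, not AdFind’s source): a small host/port splitter that honours bracketed IPv6 literals instead of splitting on the first colon it sees. The accepted forms, the function names and 389 as the default port are assumptions made for the example.

```python
import ipaddress

# Added example (not AdFind's source): split a -h style server string into
# (host, port) without tripping over the colons inside an IPv6 literal.
# Forms handled (assumed for this example): dc1, dc1:636, [v6addr],
# [v6addr]:389 and a bare v6addr with no port.  The naive approach of
# spec.rsplit(":", 1) would turn "2001:...:def9" into host "2001:..." and
# port "def9", which is exactly the confusion described above.
DEFAULT_LDAP_PORT = 389   # assumption for the example


def _port(text, spec):
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError("bad port in %r" % spec)
    return int(text)


def parse_host(spec, default_port=DEFAULT_LDAP_PORT):
    """Return (host, port) for a -h style server specification."""
    spec = spec.strip()
    if spec.startswith("["):                       # [IPv6] or [IPv6]:port
        end = spec.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal: %r" % spec)
        host = spec[1:end]
        ipaddress.IPv6Address(host)                # raises ValueError if not a v6 address
        rest = spec[end + 1:]
        if rest == "":
            return host, default_port
        if not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal: %r" % spec)
        return host, _port(rest[1:], spec)
    if spec.count(":") > 1:                        # bare IPv6 literal: cannot carry a port
        ipaddress.IPv6Address(spec)
        return spec, default_port
    host, sep, port = spec.partition(":")          # hostname or IPv4 with optional :port
    if not host:
        raise ValueError("empty host in %r" % spec)
    return host, (_port(port, spec) if sep else default_port)


def try_parse_host(spec):
    """parse_host, but return None instead of raising (handy for input checks)."""
    try:
        return parse_host(spec)
    except ValueError:
        return None


if __name__ == "__main__":
    for s in ("thr-dc1", "thr-dc1:636",
              "[2001:0:5ef5:79fb:45:32c6:94fa:def9]:389",
              "2001:0:5ef5:79fb:45:32c6:94fa:def9"):
        print("%-45s -> %r" % (s, parse_host(s)))
```

A bare (unbracketed) IPv6 address is accepted only without a port, because with more than one colon there is no unambiguous way to tell the port from the last address group; that is why the bracketed form is the one to use when a non-default port is needed.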

To better support non-Microsoft LDAP Directories I have set AdFind up to auto-detect if a Directory is paging-capable and if not it will disable its use of paged queries. 

To give more options for cmd piping scenarios I have changed the -b switch and STDIN stream reading to allow for SIDs, GUIDs, and IIDs. The code will detect the base type in the background and then properly wrap the string in the appropriate formatting. For example, SIDs will be changed from S-1-x-xxx-xxx-xxx to <SID=S-1-x-xxx-xxx-xxx>, and GUIDs will be changed from 9AF9CD11-9AB3-44DF-B014-8673F3C562C6 or {9AF9CD11-9AB3-44DF-B014-8673F3C562C6} to <GUID=9AF9CD11-9AB3-44DF-B014-8673F3C562C6>. IIDs, which are BASE64-encoded objectGUIDs used in AzureAD, are decoded from BASE64 and then encoded as a GUID. Note that these queries may be a little slower than using a normal base because of the overhead AD has in locating the objects.

I have added several more constants for -replacedn

Added :dnwdata:= matching rule for -bit in filters.

Added BASE64 for -binenc.

Added HEX/BASE64 options for -guidbinout and -sidbinout. For example:

[Tue 01/13/2015 23:02:09.22]
F:\Dev\cpp\AdFind\Release>adfind -hh thr-dc1 -s base -b {9AF9CD11-9AB3-44DF-B014-8673F3C562C6} objectguid -guidbinout base64

AdFind V01.48.00.00cpp Joe Richards (joe@joeware.net) January 2015

Using server: THR-DC1.threshold.loc:389
Directory: Windows Server Threshold

dn:DC=threshold,DC=loc
>objectGUID: Ec35mrOa30SwFIZz88Vixg==

1 Objects returned

And you may realize… voilà, that is the IID for that object. Which, in review, means you could also do the following:

[Tue 01/13/2015 23:07:28.41]
F:\Dev\cpp\_old\OLD\AdFind\Release>adfind -hh thr-dc1 -s base -b Ec35mrOa30SwFIZz88Vixg== objectguid

AdFind V01.48.00.00cpp Joe Richards (joe@joeware.net) January 2015

Using server: THR-DC1.threshold.loc:389
Directory: Windows Server Threshold

dn:DC=threshold,DC=loc
>objectGUID: {9AF9CD11-9AB3-44DF-B014-8673F3C562C6}

1 Objects returned

Added several special bases: -sitelinks, -legacydns, -quotas.

Added two new shortcuts: -sc sitelinkdmp and -sc sitelinkdmpl. You specify the site short name with the shortcut and it will dump the links for that site, ex: -sc sitelinkdmp:site2

Several new switches:

-exclrepl : For some reason MSFT didn’t think to not return some of the AD Replication Metadata in the star (*) default attribute set so in larger environments you can literally get screens of output when just dumping the NC Head object that you pretty much won’t care about. This switch is like a shortcut switch in that it simply adds several attributes to the -excl switch in the background.

-ametal/-vmetal: Versions of -ameta and -vmeta with -list enabled too.

-encguidtoiid: Encode a GUID to an IID. Doesn’t need to talk to AD to do this.

-deciidtoguid: Decode an IID to a GUID. Doesn’t need to talk to AD to do this.
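As an added illustration of the -b/STDIN base detection described earlier and of the -encguidtoiid/-deciidtoguid conversions (this is example code written for this page, not AdFind’s implementation), the following shows why the GUID and the IID above are the same 16 bytes. The regular expressions and function names are assumptions made for the example; the GUID/IID pair is the one from the output above.

```python
import base64
import re
import uuid

# Added example, not AdFind's implementation: base-type detection for -b /
# STDIN bases plus the -encguidtoiid / -deciidtoguid conversions.
# Regexes and function names are assumptions made for this example.

_GUID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}?$")
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
_IID_RE = re.compile(r"^[A-Za-z0-9+/]{22}==$")   # 16 raw bytes -> 22 base64 chars + "=="


def guid_to_iid(guid):
    """-encguidtoiid: textual GUID -> base64 of the 16-byte objectGUID value."""
    m = _GUID_RE.match(guid.strip())
    if not m:
        raise ValueError("not a GUID: %r" % guid)
    # objectGUID is stored in Windows GUID byte order: the first three fields are
    # little-endian.  uuid.UUID(...).bytes_le reproduces that layout; .bytes
    # (big-endian) would give a different, wrong base64 string.
    return base64.b64encode(uuid.UUID(m.group(1)).bytes_le).decode("ascii")


def iid_to_guid(iid):
    """-deciidtoguid: base64 objectGUID -> {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}."""
    raw = base64.b64decode(iid, validate=True)     # rejects non-base64 characters
    if len(raw) != 16:
        raise ValueError("IID does not decode to 16 bytes: %r" % iid)
    return "{%s}" % str(uuid.UUID(bytes_le=raw)).upper()


def wrap_base(base):
    """Turn a SID, a GUID (with or without braces) or an IID into the extended-DN
    form AD accepts as a search base; anything else is passed through as a DN."""
    base = base.strip()
    if _SID_RE.match(base):
        return "<SID=%s>" % base
    m = _GUID_RE.match(base)
    if m:
        return "<GUID=%s>" % m.group(1).upper()
    if _IID_RE.match(base):
        return "<GUID=%s>" % iid_to_guid(base).strip("{}")
    return base                                    # plain DN, e.g. DC=threshold,DC=loc


if __name__ == "__main__":
    g = "{9AF9CD11-9AB3-44DF-B014-8673F3C562C6}"   # from the output above
    iid = guid_to_iid(g)
    print(g, "->", iid)                             # Ec35mrOa30SwFIZz88Vixg==
    print(iid, "->", iid_to_guid(iid))
    for b in ("S-1-5-21-1-2-3-500", g, iid, "DC=threshold,DC=loc"):
        print("%-40s -> %s" % (b, wrap_base(b)))
```

Neither conversion touches the directory, which is why -encguidtoiid and -deciidtoguid work offline; only wrap_base’s output, when used as a search base, makes the DC do the extra lookup mentioned above.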

-objcnterrlevel: This one is an often requested switch… Dear joe, please output the returned object count in the errorlevel attribute… Well since I already populate the errorlevel attribute for status of the execution I had to think long and hard about doing this. I finally decided to add the switch. Note I didn’t perform comprehensive tests for this one. As always, if you see issues, please let me know.

-stripdn: This was a customer request as well, it simply strips DNs down to the most relevant RDN for all normal DN type attributes (based on attribute syntax)… For example:

[Tue 01/13/2015 23:24:30.34]
F:\Dev\cpp\AdFind\Release>adfind -hh thr-dc1 -default -s one -dn -stripdn

AdFind V01.48.00.00cpp Joe Richards (joe@joeware.net) January 2015

Using server: THR-DC1.threshold.loc:389
Directory: Windows Server Threshold
Base DN: DC=threshold,DC=loc

dn:Builtin
dn:Computers
dn:Domain Controllers
dn:ForeignSecurityPrincipals
dn:Infrastructure
dn:LostAndFound
dn:Managed Service Accounts
dn:NTDS Quotas
dn:Program Data
dn:System
dn:TPM Devices
dn:Users

12 Objects returned

That may not look interesting but this may look more interesting:

[Tue 01/13/2015 23:28:51.19]
F:\Dev\cpp\AdFind\Release>adfind -hh thr-dc1 -config -f objectclass=sitelink sitelist -stripdn -list
Site3
Site2
Default-First-Site-Name
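The part of -stripdn that is easy to get wrong is the DN parsing itself: a naive split on the first comma breaks on names such as "Smith\, John" where the comma is escaped and belongs to the value. Here is an added example (written for this page, not AdFind’s own code) that reduces a DN to its leading RDN value while honouring RFC 4514 escaping; the sample sitelist values are constructed to mirror the output above.

```python
import re

# Added example (not AdFind's own implementation): reduce a DN-syntax value to
# the value of its leading RDN, the effect -stripdn has, while honouring the
# RFC 4514 escapes "\," "\\" "\+" etc. and the "\2C" hex form.  Limitation:
# a multi-valued RDN ("CN=a+sn=b,...") is returned whole.

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def leading_rdn_value(dn):
    """Return the value of the first RDN in dn with escapes decoded."""
    eq = dn.find("=")
    if eq <= 0:
        raise ValueError("not a DN: %r" % dn)
    out = bytearray()                 # bytes, so \xx hex escapes can form UTF-8 sequences
    i = eq + 1
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling escape in %r" % dn)
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and _HEX_PAIR.fullmatch(pair):
                out.append(int(pair, 16))            # "\2C" -> one raw byte (',')
                i += 3
            else:
                out.extend(dn[i + 1].encode("utf-8"))  # "\," "\\" "\+" -> the literal char
                i += 2
            continue
        if c in ",;":                                  # end of the leading RDN
            break
        out.extend(c.encode("utf-8"))
        i += 1
    return out.decode("utf-8")


def strip_dns(values):
    """Apply leading_rdn_value to every value of a multi-valued DN attribute."""
    return [leading_rdn_value(v) for v in values]


# Constructed sample: what a sitelist attribute might hold for a site link.
SAMPLE_SITELIST = [
    "CN=Site3,CN=Sites,CN=Configuration,DC=threshold,DC=loc",
    "CN=Site2,CN=Sites,CN=Configuration,DC=threshold,DC=loc",
    "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=threshold,DC=loc",
]

if __name__ == "__main__":
    for name in strip_dns(SAMPLE_SITELIST):
        print(name)
    print(leading_rdn_value("CN=Smith\\, John,OU=Users,DC=threshold,DC=loc"))  # Smith, John
```

Deciding which attributes get this treatment is a separate question: -stripdn applies it only to attributes whose schema syntax is DN, so a string attribute that merely looks like a DN is left alone, and the function above is only the string half of that.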

-fdnx: This allows DN Expansion for some common base DNs within a filter. This is so you can come up with a general query command that could work in multiple environments or so you can type less. It is actually put into place to help with the two new shortcuts.

[Tue 01/13/2015 23:33:29.74]
F:\Dev\cpp\AdFind\Release>adfind -hh thr-dc1 -sc sitelinkdmpl:site3 -po
Selected Switches
    -alldc
    -arecex
    -config
    -f (&(objectclass=sitelink)(sitelist=CN=site3,CN=Sites,[CONFIG]))
    -fdnx
    -flagdc
    -h thr-dc1
    -hh thr-dc1
    -list
    -po
    -rb CN=Inter-Site Transports,CN=Sites
    -rootdsedc
    -s subtree
    -samdc
    -sc sitelinkdmpl:site3
    -schdc
    -sitelinks
    -sitenamedc
    -sites
    -tdcas
    -utc

Selected Attributes
    name

DEFAULTIPSITELINK

Note the filter "-f (&(objectclass=sitelink)(sitelist=CN=site3,CN=Sites,[CONFIG]))"

 

I usually release a new version of AdMod with AdFind but I didn’t want to hold AdFind back any longer so AdMod will be released at some later date.

You can find AdFind V01.48.00 at http://www.joeware.net/freetools/tools/adfind. Feel free to check out the sponsored link when you are there. :)

 

   joe


1/13/2015

Finally… AdFind V01.48.00 coming soon…

by @ 1:58 am. Filed under general

[Tue 01/13/2015  0:45:05.80]
F:\Dev\cpp\AdFind\Release>adfind -hh thr-dc1 -rootdse currenttime -extsrvinfo

AdFind V01.48.00.00cpp Joe Richards (joe@joeware.net) January 2015

Using server: THR-DC1.threshold.loc:389
Directory: Windows Server Threshold
Domain Mode: Windows Server 2012 R2 Domain Mode
Forest Mode: Windows Server 2012 R2 Forest Mode
Site Name: Default-First-Site-Name
Options: GC
Security Principal: THRESHOLD\AdFindTestID1
DSA Version: 6.4.9841.0 (fbl_release.140912-1613)

dn:
>currentTime: 20150113054931.0Z

1 Objects returned

 


1/9/2015

…extraordinarily intelligent people are not literal minded…

by @ 7:09 pm. Filed under quotes

"I think the central problem of any religion is that the founders of religion are always extraordinarily intelligent people.  And what you notice as you get older, is that extraordinarily intelligent people are not literal minded.  And the great problem with religion is when what is said by the founder of the religion, which was supposed to be taken metaphorically, is taken literally.  And that’s when you get complete nonsense being made of what the founder of the religion said – and indeed people claiming, more or less, that the founder of the religion said the opposite of what they believe, except they haven’t realized that."

  – John Cleese


12/17/2014

FitDesk For The Desktop Jockeys

by @ 6:54 pm. Filed under general

I just got this set up at home and it rocks.

I got in 12 miles the last two days that I otherwise wouldn’t have been able to do because of my work schedule.


12/3/2014

Don’t forget your holiday cards!

by @ 6:51 pm. Filed under humour

http://www.zazzle.com/happy_winter_solstice_stonehenge_greeting_card-137923096598785355

 



11/18/2014

CRITICAL ACTIVE DIRECTORY UPDATE!

by @ 4:16 pm. Filed under tech

https://twitter.com/joewaredotnet/status/534798307735134210


11/17/2014

Updated: the joeware fork of rdp-sec-chk

by @ 9:03 pm. Filed under perl, tech, updates

I have updated rdp-sec-chk on the joeware website.

I had added some IPv6 functionality so that I could use it over DirectAccess from my employer’s environment and never released it because it was a bit hacky. However, I started having others that wanted to use it that way too, so I was going to release V01.01.00 and then noticed that Portcullis Security had updated their tool to V0.9-beta. So instead of releasing V01.01.00 I instead tweaked their V0.9-beta with the V01.00.00 and V01.01.00 changes and made it into joeware version V02.00.00.

You can find it at http://www.joeware.net/freetools/tools/rdp-sec-check

Once again, this isn’t your normal joeware, this was something useful that I found that solved a specific issue but I needed to get it into a slightly different format for my easy use so tweaked it. Tweaks are intended to be kept at a minimum to achieve my goals. Please feel free to use the Portcullis Security version directly if that works better for your needs.

      joe


9/16/2014

Common Sense.

by @ 3:32 pm. Filed under general

More and more I find that I have to state out loud, and often strongly, common sense thoughts that 10 years ago I didn’t need to state because the others in IT already thought that way or at least knew what I was going to say if I started to say something about something really stupid.

For example… If a system is deemed critical, it should be set up as High Availability and have solid Business Recovery processes. You can’t just call the system critical and suddenly it is less likely to fail. In fact, Murphy’s law would tend to indicate the opposite is true. There is no combination of hardware and OS that isn’t susceptible to eventual failure. That is why we come up with all of these cool high availability options and redundancy and failover, etc.

I don’t know if the problem is that people are labeling everything as critical so as to artificially promote urgency in recovery, or if everything truly is critical but no one is thinking about failure when costing, solutioning, designing, and engineering, and they just assume it will always work (perhaps because it is important and important things shouldn’t break). So when that working state is no longer true there is a lack of process, resources, and recoverability, and someone somewhere takes an “unexpected” shot to the pocket book, and overall customer service and system availability suffer.

 

   joe


8/7/2014

Umm…

by @ 7:54 am. Filed under tech


8/2/2014

You know you have been in IT too long when…

by @ 11:44 am. Filed under humour

…sorting your socks you realize you have at least 5 different brands/styles of white socks and you actually say out loud before thinking… “I really need to standardize on a single vendor and style for these white socks.”…

Then even as you think how sad it was that you came to that conclusion about something as simple and fun as socks you are trying to come up with a remediation plan and determining the features to standardize on… which ones do I like the feel of, what brands have the better quality, what socks seem to stay “whitest”, etc…

Sadly that is a true story.

joe


[joeware – never stop exploring… :) is proudly powered by WordPress.]