joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...


Additional UPN Suffixes

by @ 9:45 am. Filed under tech

One of my good AD aware friends pinged me yesterday while I was at work asking about what was the specific AdFind command to find out the additional (or alternate) UPN Suffixes that may be defined for a domain. I responded back with a quick answer off the top of my head that it was on the Partitions container in the configuration container. I don’t usually like giving short answers like that but I was at work and that is the time I had available.

Once off work I did a quick google to find where someone had written this up before so I could share it. The several top links I kept clicking on just talked about how to do this from Domains and Trusts so I thought, WTH, I will write it up and hopefully this post will become one of the top posts for adding or viewing additional (or alternate) UPN Suffixes so people know you don’t have to use the GUI.

So the quick (and possibly wrong depending on your actual need, more on that later) answer is that you can find the additional (or alternate) UPN Suffixes defined in AD with the following query.

adfind -partitions -s base upnsuffixes

Or if you want to point to an AD Forest that isn’t your default forest you can use

adfind -h domainname -partitions -s base upnsuffixes

Why is that possibly wrong? Let’s walk through it.

So first the way most sites and instructions seem to be giving you for adding additional (or alternate) UPN Suffixes is to open Domains and Trusts (domain.msc) and right click on the top line that shows what you are connected to and then click on Properties which will give you the following dialog box which you can then populate with the additional (or alternate) UPN Suffixes you care to use.



What is placed there can indeed be found with the command shown above as so:

[Mon 02/13/2017 19:30:23.13]
E:\DEV>adfind -h k16tst.test.loc -partitions -s base upnsuffixes

AdFind V01.50.00.00cpp VS BETA Joe Richards ( February 2016

Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server 2016
Base DN: CN=Partitions,CN=Configuration,DC=k16tst,DC=test,DC=loc


1 Objects returned

Further if you want to add an additional (or alternate) UPN Suffix from the command line you can rather simply accomplish that with AdMod like so:

[Mon 02/13/2017 19:30:26.77]
E:\DEV>admod -h k16tst.test.loc -partitions

AdMod V01.18.00cpp Joe Richards ( March 2012

DN Count: 1
Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server 2008 R2
Base DN: CN=Partitions,CN=Configuration,DC=k16tst,DC=test,DC=loc

Modifying specified objects…
   DN: CN=Partitions,CN=Configuration,DC=k16tst,DC=test,DC=loc…

The command completed successfully

And holy crap I just realized I haven’t released a new version of AdMod in 5 years. Ugh.

Anyway now it looks like:

[Mon 02/13/2017 19:34:54.22]
E:\DEV\>adfind -h k16tst.test.loc -partitions -s base upnsuffixes

AdFind V01.50.00.00cpp VS BETA Joe Richards ( February 2016

Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server 2016
Base DN: CN=Partitions,CN=Configuration,DC=k16tst,DC=test,DC=loc


1 Objects returned

And in domain.msc


So what does it look like when you want to create a new user in ADUC (dsa.msc) now?

It looks like this:


Wow totally cool right? Winking smile  But wait, I don’t see why anything above could possibly be wrong per your earlier parenthetical declaration.

So a little known fact and likely even less used (probably a good thing) configuration you can put into place is to set the additional (or alternate) UPN Suffixes at the OU level and have those additional (or alternate) UPN Suffixes only “take effect” in ADUC at that one and only level of the OU hierarchy in the forest. It will actually override the forest level additional (or alternate) UPN Suffixes that are displayed in in ADUC.

Though you can still use a tool that lets you specify an arbitrary UPN to set it to anything you choose, this configuration only forces validation within ADUC’s main user creation/modification forms and not within the Directory Service itself.

For example:

[Mon 02/13/2017 19:36:04.17]
E:\DEV>admod -h k16tst.test.loc -default -rb ou=users2,ou=testou

AdMod V01.18.00cpp Joe Richards ( March 2012

DN Count: 1
Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server 2008 R2
Base DN: ou=users2,ou=testou,DC=k16tst,DC=test,DC=loc

Modifying specified objects…
   DN: ou=users2,ou=testou,DC=k16tst,DC=test,DC=loc…

The command completed successfully

[Mon 02/13/2017 19:37:45.50]
E:\DEV>adfind -h k16tst.test.loc -default -rb ou=users2,ou=testou upnsuffixes

AdFind V01.49.00.00cpp Joe Richards ( February 2015

Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server Threshold
Base DN: ou=users2,ou=testou,DC=k16tst,DC=test,DC=loc


1 Objects returned

Here is what it looks like when you try to create a user via ADUC in that specific OU.


But here is what happens if you go to a subOU of the OU that you set the additional (or alternative) UPN Suffix value. Note that the additional (or alternative) OU specific UPN Suffixes are not displayed.

Again, though you can still use a tool that lets you specify an arbitrary UPN to set it to anything you choose, this configuration only forces validation within ADUCs main user creation/modification forms and not within the Directory Service itself.



You may recall, as it was only seconds ago for you, that I mentioned that you can set the UPN Suffix on a user’s UPN to ANY value you choose. That is generally true but isn’t correct in all use cases. It works perfectly in a single forest where you are not expecting anyone to use the values outside of that forest – say in the case of a cross forest trust. In a cross forest trust the external forests need to know where to route the userid authentication requests to and it does that via the domain names combined with the registrations of the UPN Suffixes on the Partitions object in the Configuration container. Anything NOT listed there will not be able to be used across a cross-forest trust.

And that also means the additional (or alternate) UPN Suffixes ONLY stamped on OUs cannot be routed across a forest trust either. In fact when you try to establish a trust after you have set some suffixes up as we did here in this post, you will see a message like this:


Note the lack of the extra additional (or alternate) UPN Suffix I had assigned to the OU?

If you need the routing you can set the additional (or alternate) UPN Suffix on the Partitions container AND on the OU. The setting at the OU level tells ADUC (or any tool smart enough to look for that attribute on the OU) to limit the UPN Suffix display and the setting on the Partitions container tells the rest of the world who has a forest trust where to go to resolve the ID to a principal to perform the authentication.

But joe, you say fervently and with no trust, what if you just deleted that extra OU level additional (or alternate) UPN Suffix prior to creating that trust and we just didn’t see that step? Well you have to trust me that I didn’t. Alternately I guess I can show you let see what AdFind says because, you know, trust but verify…

[Tue 02/14/2017  8:01:05.20]
E:\DEV>adfind -h k16tst.test.loc –gcb -f upnsuffixes=* upnsuffixes -e ad

AdFind V01.50.00.00cpp VS BETA Joe Richards ( February 2016

Using server: K16TST-DC1.k16tst.test.loc:3268
Directory: Windows Server 2016
Base DN: DC=k16tst,DC=test,DC=loc

0 Objects returned

Err wait… what?? Maybe I did lie!!! Or wait, maybe AD is lying???

How about this then…

[Tue 02/14/2017  8:06:12.55]
E:\DEV>adfind -h k16tst.test.loc -prb -f upnsuffixes=* upnsuffixes

AdFind V01.50.00.00cpp VS BETA Joe Richards ( February 2016

Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server 2016
Base DN:



2 Objects returned

If you don’t have AdFind V01.50.00 VS BETA which is everyone but me as I write this then you can use -pr with -null in the place of -prb.

Did you catch that?

In the category of leaving them wanting more… I will now end this post. The –pr(b) switch vs the –gc(b) switch is a good discussion for later. Smile 


p.s. It is nice to knock the rust off and get the old blog post fingers running again. Winking smile

Rating 4.60 out of 5


Hello World! Part Deux

by @ 4:00 pm. Filed under general

I started working for Hewlett-Packard in 2004 and it went very well for a long time. It was the second time I worked for Hewlett-Packard but the first time I was an FTE for them. Initially I was an Expert in Residence and was almost exclusively technical and spent a great deal of my time:

  1. Solving technical issues
  2. Writing white papers
  3. Creating and then fixing problems in the lab
  4. Finding new and interesting solutions to old and new problems
  5. Finding and fixing issues people didn’t even know they had
  6. Generally helping people get out of the holes they were in which really contributed to what I could do here at as well.

However once HP bought EDS in 2007/8 things took a massive turn for the worse as we tried to swallow EDS. In effect I was no longer working for Hewlett-Packard Managed Services, I was now working for “EDS, an HP Company” which later became the Enterprise Services Division which eventually became the primary component of Hewlett Packard Enterprise when it split from HP Inc.

It primarily was not and still mostly is not the old HP, it is in great part still the old EDS. When the spin off of Enterprise Services to CSC completes in April then the Hewlett-Packard Enterprise that is left will be closer to the old HP I worked for in the fact that the vast majority of EDS (in particular upper management) will be gone. I suspect there will be a dramatic and hopefully very positive culture shift back to the older model, at least I hope so for my friends that are still there. I have no clue what will happen to the Enterprise Services group that was sold to CSC but from the things I have heard of CSC I have concerns for my friends still in Enterprise Services, both from legacy HP and legacy EDS.

While I met a lot of amazing people (techies and some managers) due to the merger with EDS, overall the merger was a failure for HP and it also did nothing to help me stay relevant in the tech world as I got further and further away from being where I really wanted to be – deep in the tech focused and sorting things out. Any long-time joeware fans likely noticed that I substantially dropped how much I was doing in the blog and in the tool updates and new releases. This really hurt me personally because I love working on this stuff and sharing it with others so they are more effective and capable and empowered. However as I look back now I realize I spent so much time on work and it was so taxing it killed my creativity and my desire to do much on computers outside of work. The creative spark was quite dim and anything I did come up with I really didn’t have any time to focus on it and develop the spark into a flame. That was due, in great part, IMO, to a once great company which has been stripped down to the bone and forcing people to do way too much way too fast for way too little. We were all doing what absolutely needed to be done to get by day to day which didn’t leave a lot of time for the things that really should have been done though some of us would try to do that as well which caused even more burn out. There is only so much you can do in a day and if the company doesn’t have your back, you are not destined to win no matter how good you are or how badly you want to make things succeed.

Cut to last summer / fall when I was approached about joining another company. It looked very interesting. I went through the interview process and in one phone call where I thought I was going to talk to a couple of managers about the position it ended up being a panel based tech interview and I was super whacked out on cold meds.  I know I got answers wrong because while I could barely recall the interview I did recall a couple of things when the cold meds wore off that I got wrong although I knew the right answers to the questions such as mixing up asymmetric encryption with hashes … The power of Sudafed D with some other OTC stuff stacked up and KO’ed my brain. I also recalled that I really enjoyed talking to the people and was tickled to be in a technical interview because I wasn’t expecting it and I hadn’t actually had a technical interview since the 90s. Every job I had since 1996 was somehow related to a previous job and the people knew who I was and had some idea of what I was capable of. Anyway, even though I felt I had blown the tech interview they still were interested and after some discussions I ended up accepting an offer from them.

I have been in that job since early December and even though I didn’t get the last few weeks of December off like I usually do I still have more energy and desire to build things now than I have had in many years. I am slowly getting stuff done around the house that I have been neglecting and better, the creative juices are coming back with a vengeance and I am working on joeware utilities again and have ideas for about 10 or 15 blog posts to put together and this is with me getting absolutely pounded at work trying to spin up on a completely new and different environment that definitely has a lot of systemic and emergent issues. This new job is far more technical than what I was doing and closer to what I did when I first returned to HP. I am solving problems and sorting out how to best move forward in the future for a company that isn’t currently, but wants to become a well known tech giant and I absolutely believe they can accomplish it.

Where I am working now and what I am doing isn’t important here, the fact that I am working on something that has reignited my technical and creative drive is important and the blog and the tools download section should start reflecting that more and more as time goes on. If anyone needs to know what my new job is, I take a cue from my good friend Brett Shirley who shares his job as “Building 7 Garage Door Operator”. My new job is Walmart Greeter Store #3487. Greeter isn’t entirely out of my wheelhouse because Greeters are part of Security. They see everything coming in.

I held off on writing about this new position and its impact on what I do here for joeware because I wanted to see if my guesses were correct and they seem to be. Over the last couple of weeks I have started re-organizing and rebuilding my test labs. Additionally I built a new dev laptop and dug out the source code for AdFind and the associated supporting code modules for it and started working on converting it from Borland C++ Builder to Visual Studio. Note this is something that I have wanted to do and have actually tried to do a couple of times over the last 6 or so years but I finally now accomplished it. It only took 3 or 4 evenings once my brain was de-saturated and I finally had a version of AdFind running that was compiled from Visual Studio.

The results for the VS compiled version currently appear to be showing parity for the side by side output tests I have been running between it and V01.49.00. What isn’t par is that the new VS compiled version is substantially faster than the Borland C++ Builder compiled version; I am seeing it is give results between 25%-50% faster. The binary is also half the size because, I believe, it doesn’t need all of the Borland VCL addon stuff for it. Additionally I converted the char* functions from the older styles to the newer _s (safe) versions which I expected would slow things down. not speed it up. I haven’t released an update for AdFind since two years ago so this is pretty exciting for me. Additionally I have a ton of ideas of things to put into it that have come to me in the last month or so. In fact I have probably had five times the ideas for updates in the last month than I had in the prior two years. I already know that not every mod will make the next release because I want to get V01.50.00 out relatively soon because Windows Server 2016 is available now and I dislike seeing “Threshold” for OS version. That being said, it won’t be another two years after that for V01.51.00. I am expecting that I will be putting a lot of extra new functionality in around ACLs etc and also making it even faster for larger scale environments. If you have ideas of things you would like to see go into AdFind, please feel free to email at


Rating 4.60 out of 5


Cool Fish Aquarium Controller Software

by @ 9:45 pm. Filed under general

I know a lot of IT folks who like to read this blog (when I actually write something) also are into aquariums so I thought I would share this cool Aquarium Controller software a friend of mine has put together.

Check it out!

Rating 3.00 out of 5


Hey joe, How Do I Get a Listing of the Number of Direct Members in All Groups in a Domain or Forest

by @ 7:08 pm. Filed under tech


If you need to quickly get a handle on how many members each group in your domain or forest has, here is a quick and dirty method of generating that information:

Retrieving information for a single domain:

adfind -default -f objectcategory=group member -csv -cv

Which would look like

C:\>adfind -default -f objectcategory=group member -csv -cv
"CN=Print Operators,CN=Builtin,DC=testvn,DC=testvg,DC=loc","0"
"CN=Backup Operators,CN=Builtin,DC=testvn,DC=testvg,DC=loc","0"

If you have a large environment you may need to add -t 0 to disable an LDAP timeout.

This could also be done by specifying the domain or even a container somewhere within a given domain via the -b switch like -b dc=testvn,dc=testvg,dc=loc instead of -default (which is a shortcut or alias for “Look up the default domain DN and use it”) or by specifying a specific domain name via the host switch such as -h testvn.testvg.loc

Note that primary group membership is maintained in a different manner and will not be reported this way. See primaryGroupID attribute on a user object for this info.

If you need this information for an entire forest, you can use a for /f loop to execute a similar command above for every domain.

for /f %i in (‘adfind -sc domainlist’) do @adfind -h %i -default -f objectcategory=group member -csv -cv -nocsvheader

That would produce commands like

adfind -h testvg.loc -default -f objectcategory=group member -csv -cv -nocsvheader

adfind -h testvn.testvg.loc -default -f objectcategory=group member -csv -cv –nocsvheader

You will note the use of -csvheader, that switch turns off the header so it isn’t repeated for every domain so you will have a cleaner CSV output.

Alternately, if you would like the output for each domain to go to its own individual text CSV file, you could do something like

for /f %i in (‘adfind -sc domainlist’) do @adfind -h %i -default -f objectcategory=group member -csv -cv >%i.csv

Which would look like:

C:\>for /f %i in (‘adfind -sc domainlist’) do @adfind -h %i -default -f objectcategory=group member -csv -cv >%i.csv

C:\>dir *.csv
Volume in drive C has no label.
Volume Serial Number is 2C39-AD1C

Directory of C:\

10/05/2012  11:10 AM             2,085 testvg.loc.csv
10/05/2012  11:10 AM             2,269 testvn.testvg.loc.csv
               2 File(s)          4,354 bytes
               0 Dir(s)  10,312,482,816 bytes free

Rating 3.50 out of 5

Reducing Hibernation File Size

by @ 5:47 pm. Filed under tech

Not sure where I previously found this but cleaning up my email and wanted to save this tip

powercfg hibernate size xx

Where xx  is the % of the size of hibernation file. Start with xx=60. 

Set xx to 65% if you have problems with 60%.

That will take 40% less size while still giving you the benefits of hibernation.


Keywords: Hibernation File Compression

Rating 3.00 out of 5

Hey joe, How Do I Quickly Get a List of the OSes of Every DC in the Forest?

by @ 5:42 pm. Filed under tech



adfind -gcb -sc dcdmp -dsq | adfind -nodn dnshostname operatingsystem operatingsystemservicepack –jtsv2

Rating 3.00 out of 5


Free Azure eBook

by @ 11:47 am. Filed under general



Free e-book – Microsoft Azure Essentials: Fundamentals of Azure, Second Edition


This free Microsoft Press e-book covers the Azure fundamentals you need to start developing solutions right away. Discover the Azure features you’re most likely to need. Download the e-book.
Download the e-book

Rating 3.00 out of 5


PowerShell source now on GitHub

by @ 8:37 pm. Filed under general

Back in July, the web was afloat of rumors that Microsoft might be open sourcing PowerShell. Now a little over a month later, those rumors have been confirmed, and PowerShell has officially appeared on GitHub for Windows, Linux and MacOS.

Rating 4.00 out of 5


AdFind/AdMod Are In The Garage

by @ 11:31 am. Filed under tech

I am looking at what needs to be updated for AdFind/AdMod for Windows Server 2016 Active Directory and ADLDS. Is anyone actively using the beta and using AdFind/AdMod against it? Thoughts, comments, questions?


Rating 4.33 out of 5

What do I like about Windows 10/Windows Server 2016 TP5?

by @ 11:29 am. Filed under general

It seems I have been having a generally bad attitude about Windows 10 and Windows Server 2016 TP5 lately (especially the Start Menu) so I sat down and thought for a while… what do I really like about Windows 10/Windows Server 2016 TP5.

There has to be something that sticks out to me because it can’t all be painful and/or bad… I realized that my favorite part is the ability to finally be able to set the transparency level on the CMD and PowerShell console windows.

There used to be an application that would do that for you for the CMD console but it was kind of clunky especially when typing fast or the screen was scrolling fast. Glad to have it built in now. That was a feature I fell in love with on FreeBSD ages ago.


Rating 4.00 out of 5

[joeware – never stop exploring… :) is proudly powered by WordPress.]