joeware - never stop exploring...

Information about joeware mixed with wild and crazy opinions…

5/14/2008

Humorous IM between a good friend of mine and myself…

by @ 4:15 pm. Filed under humour

joe says:
  I was sure when I first told you

joe says:
  But I don’t put past some evil ass hack you found that is completely and utterly unsupported

joe says:
  I have strong faith in your ability to find things that you aren’t supposed to be able to do

Limitations…

by @ 4:14 pm. Filed under quotes

Argue for your limitations, and sure enough, they’re yours.

   - Richard Bach “Illusions”

Ourselves…

by @ 4:13 pm. Filed under quotes

There’s only one person we have to answer to, of course, and that is…

…ourselves.

    - Richard Bach “Illusions”

5/13/2008

Even though it was a rainy day I love this picture…

by @ 1:17 am. Filed under house stuff

I took this shot after doing the cleanup work last Saturday/Sunday. It is about 650 feet back from the road (350 from the house) and the property goes back about another 1000 feet behind where I took the picture and all you can hear are birds and frogs and fish jumping in the pond. The road is barely visible and the pond is extremely relaxing. I have to admit I am extremely lucky to have this. Even better… Wireless from my house works all the way out by the pond so I need to get some more picnic tables and set them up out there so I can enjoy even more how lucky I am. This evening the stars were crystal clear and the moon was out and looking stunning.


[photo: CIMG0675]

She wants to come out and play…

by @ 1:03 am. Filed under general

[photo: CIMG0714]

You are all over the map…

by @ 12:54 am. Filed under general

I have received a few emails lately that all pretty much comment about being “all over the map” with my quotes, etc. People asking, what in the world do you read, you seem to be a trifle eclectic in your tastes…

Why yes, that is true. I read any and everything pretty much. I have a huge library with a bunch of books from my grandmother, some dating back into the 1800’s. I can’t say I have read everything in it but I have read a lot and I buy a lot and several publishing houses have been sending me free books for years to “look over” or “comment on”. Thanks to them, keep it up, sometimes I start recommending those books…

But I think these people were mostly wondering about my personal tastes and again, I am all over the map. I think I mentioned this in a previous entry but right now I am reading a book on Root Kits, Dr. Phil’s Family First book, a book about life’s purpose (based on the Celestine Prophecies book series), and any number of magazines including Mother Earth News, 5.0 Mustang & Super Fords, Popular Science, Playboy (yes I actually read the articles, though I don’t close my eyes for the pictures) and whatever else might catch my eye in the magazine rack.

My personal book recommendations are here –> http://www.joeware.net/books/funbooks.htm

I really should add Richard Bach’s Illusions which I have been posting quite a few quotes from lately. I have read and reread that book 10+ times over the years. You can pretty much read it in a single night if you really want to.

My all time best favorite hands down period author though is Robert Anson Heinlein. I grew up on Heinlein and my values and way of looking at life are taken from my parents and grand parents and close friends but also in great part from what I learned from R.A.H. in his writing. Just seeing “Time Enough for Love” in someone’s hands is enough to make me smile and tell them that is a great book and to enjoy it. So many other good books from Robert as well. Love them all. Heinlein is a sci-fi genre writer but his writing in sci-fi is just so he could give commentary on our current society, it is much easier to do that (and not be castigated) in sci-fi than most other genres I think. There are several sci-fi writers both in books and TV/Movies that do this. If you haven’t been interested in sci-fi but are interested in commentary on the human condition and society as a whole, try looking into some sci-fi. You may be mildly surprised.


   joe

AdFind and the -list option

by @ 12:33 am. Filed under tech

I saw a posting that had a piece on AdFind at ActiveDir.org that made me want to post something to my blog here for anyone who doesn’t read ADOrg…

Basically one of the posters came up with a good way of setting local admin passwords on machines and part of the solution was to use adfind to get the list of machines. I was thrilled to see that but the command line was a little longer than needed but I don’t blame the poster… That is actually an issue with AdFind because there are soooo many options, sometimes you don’t see the cool option that you need. So in case anyone else is doing anything similar… here is some help for you

Basically the command used was

adfind -b ou=prodservers,ou=computers,dc=contoso,dc=com -f "objectcategory=computer" cn -nolabel -nodn | grep -iv "Objects returned" | grep -iv "Directory" | grep -iv "Using Server" | grep -iv "^$" > d:\servers.txt

The goal here is to get a list of computer names that doesn’t have my “shameless” AdFind Banner in the listing… I actually have an option explicitly to help with that when listing a single attribute… that option is called… -list

So instead of the command above using the grep’s to filter out some of the output, you can instead do something like

adfind -b ou=prodservers,ou=computers,dc=contoso,dc=com -f "objectcategory=computer" cn -list > d:\servers.txt

Much simpler, much cleaner, more pretty. :)

And in the spirit of perl… there is more than one way to slice this orange… You could also do something like

adfind -b ou=prodservers,ou=computers,dc=contoso,dc=com -f "objectcategory=computer" cn -nodn -nocsvheader -csv > d:\servers.txt

Granted that isn’t as elegant but it does quote the server names for you if you need them quoted.

Probably the one functional change I would make overall would be to dump the dNSHostName attribute instead of the cn/name. Why, you ask? Well, my dear reader, because then you don’t have to rely on short hostname resolution (NetBIOS or DNS suffix search lists)… I would also change the filter to AND the computer objectCategory with dNSHostName having a value. That attribute is written by the computer itself when it joins or updates its account, so if it isn’t populated the computer has never successfully talked to AD (a pre-staged account, for example); why waste time on it? So how about…

adfind -b ou=prodservers,ou=computers,dc=contoso,dc=com -f "&(objectcategory=computer)(dnshostname=*)" dnshostname -list > d:\servers.txt

    joe
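As an added example (mine, not from the original post and not part of AdFind): once you want more than one attribute per computer, -list no longer fits and you are back to reading AdFind’s default output, which is what the grep chain above was doing by hand. The Python below parses that output into one record per object and then applies the same rule as the (dnshostname=*) filter on the client side, skipping objects that never got a dNSHostName. The AdFind output it reads is constructed here in the layout AdFind uses (banner, server lines, dn: lines, >attr: value lines, object count); the server names and hosts in it are made up.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of AdFind's default output. The DC, the
# computer accounts and their hostnames are made up for this example.
SAMPLE_OUTPUT = """\
AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: dc1.contoso.com:389
Directory: Windows Server 2003
Base DN: ou=prodservers,ou=computers,dc=contoso,dc=com

dn:CN=SRV01,OU=ProdServers,OU=Computers,DC=contoso,DC=com
>cn: SRV01
>dNSHostName: srv01.contoso.com
>servicePrincipalName: HOST/SRV01
>servicePrincipalName: HOST/srv01.contoso.com

dn:CN=SRV02,OU=ProdServers,OU=Computers,DC=contoso,DC=com
>cn: SRV02

2 Objects returned
"""

Entry = Tuple[str, Dict[str, List[str]]]


def parse_adfind(text: str) -> List[Entry]:
    """Turn AdFind's default output into (dn, {attr: [values]}) records.

    Attribute names are lower-cased so lookups do not depend on the schema's
    mixed-case spelling (dNSHostName vs dnshostname). Multi-valued attributes
    come out as one ">attr: value" line per value, so values are accumulated.
    """
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for line in text.splitlines():
        if line.startswith("dn:"):
            # A new object starts; everything after "dn:" is the DN.
            current = (line[3:].strip(), {})
            entries.append(current)
        elif line.startswith(">") and current is not None:
            name, sep, value = line[1:].partition(":")
            if sep:
                current[1].setdefault(name.strip().lower(), []).append(value.strip())
        # The banner, "Using server:", "Directory:", "Base DN:", blank lines and
        # the trailing "N Objects returned" line match neither branch and are
        # dropped, which is what the grep chain was doing.
    return entries


def reachable_hosts(entries: List[Entry]) -> List[str]:
    """dNSHostName of every object that has one.

    Objects without the attribute (never joined) are skipped; this is the
    client-side equivalent of adding (dnshostname=*) to the LDAP filter.
    """
    return [attrs["dnshostname"][0] for _, attrs in entries if "dnshostname" in attrs]


if __name__ == "__main__":
    for host in reachable_hosts(parse_adfind(SAMPLE_OUTPUT)):
        print(host)
```

Feed it the real thing with something like `adfind -b ... -f "objectcategory=computer" cn dnshostname | python parse.py` (stdin reading left out above); the point is that the record structure survives, so you can keep the cn for logging while targeting the FQDN.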

The Golden Rule…

by @ 12:33 am. Filed under quotes

The Golden Rule doesn’t work. How would you like to meet a masochist who did unto others as he would have them do unto him? Or a worshiper of the Crocodile God, who craves the honor of being thrown alive into the pit? Even the Samaritan, who started the whole thing… what made him think that the man he found lying at the roadside wanted to have oil poured in his wounds? What if the man was using those quiet moments to heal himself spiritually, enjoying the challenge of it?

Even if the Rule was changed to Do unto others as they want to be done to, we can’t know how anybody but ourselves wants to be done to. What the Rule means, and how we apply it honestly, is this: Do unto others as you truly feel like doing unto others. Meet a masochist with this rule and you do not have to flog him with a whip, simply because that what he would you to do unto him. Nor are you required to throw the worshipper to the crocodiles.

     - Richard Bach “Illusions”

Live Happily…

by @ 12:31 am. Filed under quotes

In order to live free and happily, you must sacrifice boredom. It is not always an easy sacrifice.

    - Richard Bach “Illusions”

5/11/2008

A Butterfly…

by @ 7:52 pm. Filed under quotes

The mark of your ignorance is the depth of your belief in injustice and tragedy.

What the caterpillar calls the end of the world, the master calls a butterfly.

    - Richard Bach “Illusions”

Impossible…

by @ 7:32 pm. Filed under quotes

Do you think that maybe if you say impossible over and over again a thousand times that suddenly hard things will come easy for you?

    - Richard Bach “Illusions”

Amazon you missed me on this one…

by @ 7:21 pm. Filed under rants

I have an ad for some new service Amazon has called subscribe and save. It is a service to order food and other type items like that through Amazon and have it delivered for free. Well I decided to look up an item I just bought last night, my favorite cereal… Cocoa Pebbles… Yes I am a goof but I still like them. Here is the link inside of Amazon for that


http://www.amazon.com/Post-Cocoa-Pebbles-Cereal-17-Ounce/dp/B000FKEWLS/ref=sr_1_34?ie=UTF8&s=grocery&qid=1210541653&sr=1-34


Now this is, according to the ad I have, supposed to be 10-15% cheaper than the everyday price… So what do they have here


5 x 17 ounce boxes for $27.10 which works out to be around $0.32 an ounce… This seemed high. I looked at the box of Cocoa Pebbles I got from Meijer last night and it wasn’t on sale (they often have 2 for 1 on the Cocoa Pebbles but I must have missed the most recent sale) and it was $1.98 for 13 ounces… That comes out to about $0.15 an ounce… No wonder shipping is “free” from Amazon on this service…

Dandelions

by @ 5:18 pm. Filed under house stuff

Call me weird but I actually like Dandelions, never got why people were so “out to get them”. I think they are really pretty. Our neighborhood was just covered in them the last few weeks well except for the neighbor across the street, I think they spray something to kill them off. They actually looked weird as they were the only house in the area whose lawn was green instead of yellow… The pictures just don’t do it justice.

Some of the pics are after I mowed (didn’t want to but had to or else I wouldn’t have been able to get through the grass later) so the number of dandelions got knocked down a notch or two for a day.


[photos: CIMG0593, CIMG0588, CIMG0589, CIMG0596, CIMG0577, CIMG0600, CIMG0608, CIMG0609, CIMG0610, CIMG0573, CIMG0592, CIMG0574, CIMG0579]

I just don’t understand this mentality…

by @ 3:31 pm. Filed under house stuff

I spent most of today in the rain trying to pick stuff up around the back yard where I am reclaiming the “yard” from the “woods”. I am greatly hampered by piles of crap that are just randomly stacked up around back there. In the end I will likely spend hundreds of hours cleaning up after people who should have been old enough to clean up after themselves.

Why why why?? How much disrespect do you have for the world and yourself in order to do this? I think there has to be something fundamentally wrong to think to do this…


[photos: CIMG0699, CIMG0701, CIMG0669, CIMG0670, CIMG0695, CIMG0696, CIMG0697, CIMG0698]

5/10/2008

Good Question

by @ 11:32 pm. Filed under tech

I was talking with a good friend this evening and he asked a question which I would normally consider trivial but the way he put it made me go, oh wow, put that way, that is kind of interesting… It should work the way you would intuit it to work…

The question was, how do I make another Domain Controller a Global Catalog??? Of course everyone who uses AD is like, well just go to dssite.msc (oh ok you probably said go to Sites and Services) and drill down to the DC in question and then go down one more level to NTDS Settings and then right click and select properties and then select the Global Catalog check box…

As I went to say that, I thought about it. The guy asking is very good with computers; it has been his business for as long as I have been alive, so I was a little slow to respond, and then he said something that made me go… yeah, that is how it should be. Basically he said: I went to ADUC and looked in the Domain Controllers OU and opened the properties for the Domain Controller and expected to see something that told me whether it was a GC or not, and that I could select to make it one.

I then said, oh, it isn’t there, but I can see why you would think it should be… because it probably should be. Why isn’t it there? Just because that info is kept in the configuration partition (on the DC’s NTDS Settings object) doesn’t mean it shouldn’t be exposed in ADUC in the domain controller’s properties. ADUC isn’t a raw LDAP editor, it is a tool used to manage the environment, and if DCs are going to be exposed in it, it should allow you to view/manipulate the GC status from there as well. I never thought about it before because I always think of AD as an LDAP server and then visualize the tools as LDAP tools… But ADUC shouldn’t be an LDAP tool; it is a domain/forest management tool. So why doesn’t it let you get the full details on a DC and set/clear the fact that a specific DC is a GC? That would be a lot better than fishing around in dssite.msc.

Again, this guy is a very good computer guy; he is a fellow DEC PDP-11 lover like myself. Very smart. He just doesn’t work in large environments, so turning on GCs or making DCs isn’t a regular occurrence for him. In fact, the last couple of years he spent a lot of time learning Java and building a parametric search engine for his company’s product search tools. Today he was hooking up a UPS system to a PBX and all of the supporting equipment. Next week he could be working on their Exchange server or one of their Linux servers or their thin client solution… Sort of a normal small-company IT guy, not an AD-specific person, and I think he made a great point.

XBOX 360

by @ 11:18 pm. Filed under general

Finally hooked the XBOX 360 up to my home theatre… My goodness did they make some improvements in the sound quality over the XBOX… Wow.  I need to finish the network drop that goes up to the home theatre setup so that I can tie into my media center and XBOX live. I am getting things done slowly but surely…

Repatriating my yard…

by @ 11:17 pm. Filed under house stuff

I need to get some photos but I have started repatriating[1] my yard. I started mowing out around the pond where I could which hasn’t been mowed in some time. For some reason the former owners dug out some of the pond and just stacked the dirt up around the pond making it impossible to really get at it very well so I get to clean that all up. Just one more thing that makes me go “hmmm”. Also as I was mowing back there I found little garbage piles with bricks and what not… I don’t understand the dump crap anywhere you can mentality, just doesn’t make any sense.

    joe


[1] Yes, technically not the correct word but it works for me. :)

This cracked me up…

by @ 9:42 am. Filed under humour

[image: itiswhatitis]

This was a bit funny…

by @ 8:39 am. Filed under humour

I was looking for the GTA (Grand Theft Auto for you uncool people) city map in Google that I heard was out there and typed in Grand Theft in the search box and got these hits… Chrysler World Headquarters and the UAW…


[screenshot of the search results]

Hmm…

by @ 12:42 am. Filed under humour

[image]

Sheesh… more geek stuff…

by @ 12:28 am. Filed under general

This is going to be a “joe sees more movies than usual” summer I think….


http://thedarkknight.warnerbros.com/


5/7/2008

I can’t say I ever thought this would happen…

by @ 9:32 am. Filed under general

They put Brett out in front of the world…. Oh my[1]…


[screenshots: BrettSh, BrettSh2, BrettSh3]

http://edge.technet.com/Media/Exchange-Server-meet-the-team/

Brett starts at 3:37…. He is awfully videogenic, don’t you think? I just want to know why he wasn’t wearing a joeware t-shirt…


Overall, that was a great video and great idea. It shows that the MSFT Dev folks are real people which is something I learned a long time ago and a message I have been trying to spread for just as long. I would love to see this kind of thing out of more teams. There are a lot of brilliant awesome people with great personalities with hilarious stories inside of Microsoft that could be shared.


   joe


[1] Don’t get me wrong, I am proud to call Brett a friend. He put the fear of giant bumblebees into me… If you know Brett, ask him about the attack of the giant bumblebee that occurred at the Museum of Flight in Seattle a couple of years back where he nearly killed an MVP - specifically me. If he had killed me via heart attack… everyone would have just said… Ah, that’s just Brett…

5/6/2008

Yet Another Good Band…

by @ 10:31 pm. Filed under general

Very unique sound…

Intuition…

by @ 10:29 pm. Filed under quotes

Intuition comes very close to clairvoyance; it appears to be the extrasensory perception of reality.
   - Alexis Carrel

Possibly good news…

by @ 10:29 pm. Filed under general

http://news.bbc.co.uk/1/hi/health/7380064.stm


Long-term use of ibuprofen may reduce the risk of developing Alzheimer’s disease, a large US study reports.

Data from almost 250,000 veterans showed those who used the painkiller for more than five years were more than 40% less likely to develop Alzheimer’s.

The study in Neurology reported that some other similar painkillers may also have a protective effect.

Dementia experts said the results were interesting but warned against people taking ibuprofen to reduce their risk.

It is not the first time an association between non-steroidal anti-inflammatory drugs (NSAIDs), such as ibuprofen, and Alzheimer’s disease has been reported but results have been conflicting.

<snip>

I have been using Ibuprofen for a long long time. I am a headache sufferer, pressure fronts rock my world. But maybe it was all to help me stave off Alzheimer’s…


Could be good… Could be bad… Who are we to judge?

Perception makes it so…

by @ 10:29 pm. Filed under quotes

There is nothing either good or bad but thinking makes it so.
     - William Shakespeare

5/4/2008

Latest version of iTunes (7.6.2)…

by @ 9:34 am. Filed under general

…appears to be a processor pig… watch out.

Just did the Apple Update of QuickTime, iTunes, and Safari two days ago and was running iTunes the last couple of days and it kept hanging one of my “fast” machines up. 90% processor and better. Especially on video mode.

5/3/2008

Post Correction… Alternate working title… Who says a single space isn’t important???

by @ 8:50 pm. Filed under tech

In one of my old posts (September 2005) I had some VBScript code to convert an octet string GUID to a friendly GUID string. Well, I recently received an email from fellow MVP Michael Smith letting me know he had found a bug, along with a corrected function.

First thought in my mind was… NFW. I am exceedingly careful about things I post, especially code/scripts. But I knew that I had a good function because I used it all over the place and it always aligned with AdFind output…

So I copied my function from the blog entry and his function into a script and fired in an octet string GUID and sure enough, my function screwed up and his worked…

So I went to one of my scripts that used this function heavily and which was used in Active Directory, Third Edition for decoding security descriptors, because by darn, if my function was broken that meant it was wrong in the book too, which would REALLY SUCK.

I ran the sdlist.vbs script and it worked perfectly fine… So I look again at my function in the test script and I look at the function in sdlist.vbs and they looked the same for all of the logic… wtf…

I copy both functions into separate text files and run windiff against them and get

[windiff screenshot]

And think well shoot, so my spacing is off… I see that all the time when doing compares like that… So who cares that isn’t going to hurt the script so I go over the logic in the script line by line and the logic is identical…. <BLINK>IDENTICAL</BLINK>.

I start getting very frustrated because I figure I am not seeing something obvious because of a massive headache I have been fighting off all day…

On the third pass through the script I notice one small thing… the function I posted previously had this line

str = ""

the function in sdlist.vbs had this line

str = " "

Do you see it??? One bloody space character…. ASCII 32 / 0x20…. $^%$#^&*(@%$#

What difference does that single space make?

G:\Temp>guidc1
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Object DN     : OU=Users,OU=My,DC=test,DC=loc
String GUID   : ba1ee8b7248b34408c34841740211a81
BLOG POST Func: {728BEEA1-B348-0844-C348-41740211A81}
Michael Func  : {B7E81EBA-8B24-4034-8C34-841740211A81}
sdlist Func   : {B7E81EBA-8B24-4034-8C34-841740211A81}

and here is the actual answer

G:\Temp>adfind -b OU=Users,OU=My,DC=test,DC=loc objectguid -s base

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:OU=Users,OU=My,DC=test,DC=loc
>objectGUID: {B7E81EBA-8B24-4034-8C34-841740211A81}

1 Objects returned


So here is the updated and correct script, this time copied and pasted straight out of sdlist.vbs which is on page 649 of Active Directory Third Edition.

'****************************************************************************
'Convert a binary GUID to a string GUID
'   Convert GUID octet string to Hex characters then arrange in proper order
'   and add brackets {}
'   NOTE: str is seeded with a single space, so the first hex pair sits at
'   position 2 and every Mid() start offset below is written for that layout.
'   Seeding str with "" instead shifts every pair by one and garbles the GUID.
'****************************************************************************
Function GuidToStr(Guid)
  Dim i, str
  str = " "
  For i = 1 To Lenb(Guid)
    str = str & Right("0" & Hex(Ascb(Midb(Guid, i, 1))), 2)
  Next
  GuidToStr = "{"
  ' Data1: bytes 4..1 reversed (stored little-endian)
  For i = 1 to 4
    GuidToStr = GuidToStr & Mid(str,10-(i*2),2)
  Next
  GuidToStr = GuidToStr & "-"
  ' Data2: bytes 6,5 reversed
  For i = 1 to 2
    GuidToStr = GuidToStr & Mid(str,14-(i*2),2)
  Next
  GuidToStr = GuidToStr & "-"
  ' Data3: bytes 8,7 reversed
  For i = 1 to 2
    GuidToStr = GuidToStr & Mid(str,18-(i*2),2)
  Next
  GuidToStr = GuidToStr & "-"
  ' Data4: bytes 9,10 in stored order
  For i = 1 to 2
    GuidToStr = GuidToStr & Mid(str,16+(i*2),2)
  Next
  GuidToStr = GuidToStr & "-"
  ' Data4: bytes 11..16 in stored order
  For i = 1 to 6
    GuidToStr = GuidToStr & Mid(str,20+(i*2),2)
  Next
  GuidToStr = GuidToStr & "}"
End Function

For completeness and since he went through the trouble of figuring it out and sending it to me… here is Michael’s version as well. You will note he solved it by changing the start points of the MID function in each line. Both solutions work equally well. I would say I probably prefer his version. Less chance for mistake obviously. :)

'****************************************************************************
'Convert a binary GUID to a string GUID
'   Convert GUID octet string to Hex characters then arrange in proper order
'   and add brackets {}
'   This version starts str empty, so the first hex pair is at position 1
'   and every Mid() start offset is one lower than in the sdlist.vbs version.
'****************************************************************************

Function GuidToStr(Guid)
  Dim i, str
  str = ""
  For i = 1 To Lenb(Guid)
    str = str & Right("0" & Hex(Ascb(Midb(Guid, i, 1))), 2)
  Next
  GuidToStr = "{"
  ' Data1: bytes 4..1 reversed (stored little-endian)
  For i = 1 to 4
    GuidToStr = GuidToStr & Mid(str,9-(i*2),2)
  Next
  GuidToStr = GuidToStr & "-"
  ' Data2: bytes 6,5 reversed
  For i = 1 to 2
    GuidToStr = GuidToStr & Mid(str,13-(i*2),2)
  Next
  GuidToStr = GuidToStr & "-"
  ' Data3: bytes 8,7 reversed
  For i = 1 to 2
    GuidToStr = GuidToStr & Mid(str,17-(i*2),2)
  Next
  GuidToStr = GuidToStr & "-"
  ' Data4: bytes 9,10 in stored order
  For i = 1 to 2
    GuidToStr = GuidToStr & Mid(str,15+(i*2),2)
  Next
  GuidToStr = GuidToStr & "-"
  ' Data4: bytes 11..16 in stored order
  For i = 1 to 6
    GuidToStr = GuidToStr & Mid(str,19+(i*2),2)
  Next
  GuidToStr = GuidToStr & "}"
End Function


   joe

AdFind Shortcuts for Base DN

by @ 7:31 pm. Filed under tech

In my previous article on DN formats (http://blog.joeware.net/2008/05/03/1226/) I talked about the various Base DN shortcut formats available and hinted that AdFind has some shortcuts of its own. To me these are all, well they aren’t even second nature because I use them almost exclusively. I am bringing it up because even people who use AdFind a lot have watched me or my friends use AdFind and see them and say “Wow I had no idea… AdFind is cool.” Indeed. :)

The idea behind the shortcut bases was to be able to write generic scripts where I didn’t have to first work out the DNs to submit the AdFind queries. This way I can tell someone, well, I need to see what your uPNSuffixes attribute looks like, run this command

adfind -partitions -s base upnsuffixes

and it will work in every forest period. I know there are consultants and support professionals everywhere that love me for that one… It can literally save a 5 minute conversation on how to find that spot in the directory.

So here are the shortcuts currently in the publicly available version of AdFind (V01.37.00) from the usage screen (adfind /??)

-null         Use null base.
-root         Determine and use root partition for BaseDN.
-config       Determine and use configuration partition for BaseDN.
-schema       Determine and use schema partition for BaseDN.
-default      Determine and use default partition for BaseDN.
-rb xx        Relative Base, use with special BaseDN’s above.
                  So you could specify -default and -rb cn=users.
-forestdns    Use ForestDNS NDNC for base.
-domaindns    Use DomainDNS NDNC for base.
-dcs          Use Domain Controllers container of default domain for base.
-gpo          Use System Policies container of default domain for base.
-psocontainer Use PSO Container of default domain for base.
-ldappolicy   Use Ldap Query Policies container for base.
-xrights      Use Extended Rights container for base.
-partitions   Use Partitions container for base.
-sites        Use Sites container for base.
-subnets      Use Subnets container for base.
-exch         Use Exchange Services container for base.
-fsps         Use Foreign Security Principals container for base.

Quick descriptions

-null : Null base or Base = “”

-root : DN to the root domain of the forest

-config : DN to the configuration container of the forest

-schema : DN to the schema container of the forest

-default : DN to the default domain for the DC contacted. For ADAM this will select the first App Partition unless a default app partition is defined in ADAM (see msDS-defaultNamingContext).

-rb xx : Now this is a cool little feature that lets you specify a special shortcut base and then prepend some more RDNs onto the DN that is used for it. So for example, say I want the Domain Controllers OU of the default domain: I would specify -default -rb “OU=Domain Controllers” and AdFind will determine the default domain DN and then prepend “OU=Domain Controllers,” to it, so you get the whole DN to the Domain Controllers OU.

-forestdns : DN to the ForestDNS Application Partition

-domaindns : DN to the DomainDNS Application Partition

-dcs : DN to the Domain Controllers OU - so you don’t have to type that long -default -rb “OU=Domain Controllers” mentioned above. ;)

-gpo : DN to the System Policies Container

-psocontainer : DN to the Password Settings Object Container (Windows Server 2008 obviously…)

-ldappolicy : DN to the LDAP Query Policies container in the configuration partition

-xrights : DN to the Extended Rights container in the configuration partition

-partitions : DN to the partitions container in the configuration partition

-sites : DN to the sites container in the configuration partition

-subnets : DN to the subnets container in the configuration partition

-exch : DN to the Exchange container in the configuration partition

-fsps : DN for the Foreign Security Principals container


There is also a special shortcut base I have that doesn’t fit exactly in with the above, that is -gcb. That is the combination of the -gc and -null switches so it sets you up to search the GC at the base of the forest.

Cool right?

DN Formats in Active Directory (Binding and Search Base)

by @ 7:28 pm. Filed under tech

So Active Directory can do some cool things around distinguishedNames (DNs) that many developers, even this long into the availability of the product, don’t know about or take advantage of. I mention this because yet again I ran into a case where some developer/application integrator was unhappy about how easy it is to move users around in the hierarchy of Active Directory because it made it difficult to bind with the userid…

Now I expect most AD admins probably don’t think twice about this, but anyone who has come from other LDAP directory platforms has more of a “that DN better not EVER change” attitude… Why? Because for their bind IDs they need to know the exact DN or else they can’t bind. Trouble that, eh?

Bind Formats

So the first thing we will discuss is the “DN” formats available for binding. AD only offers one format that could honestly be called a DN format, but since the term most often used in applications and in general discussion is Bind DN I will stick with the “DN Format” label.


Format 1:

An actual real live DN in the normal DN format like CN=joe,OU=Users,OU=My,DC=test,DC=loc. Canonically that looks like test.loc/My/Users/joe. For those who like pretty pics it is this user…

[screenshot of the user in ADUC]

With AdFind you could specify this bind DN like so

adfind -default -f name=joe -u cn=joe,ou=users,ou=my,dc=test,dc=loc -up SomePassword123!

Various other programs would have other methods of specifying it; if you use those programs, you should be able to work out the method. One caveat that applies to all three formats: a password given with -up on the command line is visible in the shell history and to anyone who can list process command lines, so for interactive use pass -up * and let AdFind prompt for it.

This is the most used/widespread bind DN format for directories and hence applications. For Active Directory it is pretty much your worst choice because it is the most susceptible to breaking: rename or move the account and every configured bind DN for it breaks. I don’t like to be too direct with things like this, but if you don’t know what you are doing, just don’t use this format. It will save you issues later.


Format 2:

This is a very familiar format to Windows users and admins as they have lived with it for 15 or more years… However, anyone from some other directory environment will probably look at you in disgust if you mention it… The format is Domain\UserId; this is the standard Windows NT format. So for the previous example the ID would be test\joe. Not only is that shorter, but it has no dependence on the location in the directory where the userID is located, at least within the domain. I could move “joe” to the Domain Controllers OU (not that I normally would) and no programs nor scripts nor tools nor anything else using that Bind DN format would need to be changed.

With AdFind you could specify this bind DN like so

adfind -default -f name=joe -u test\joe -up SomePassword123!


Note: If you have but a single domain, it is also safe to omit the [domain\] from the bind DN.


Format 3:

This is a newer format that neither the old Windows folks nor the old other-platform directory folks are likely familiar with. We call it the UPN format because it uses the userPrincipalName attribute of the userid. That attribute may or may not be populated, but whether it is or not, every user has a UPN: if nothing specific is set, the implicit UPN is the sAMAccountName followed by an @ symbol followed by the domain in dot format. So for the previous example… joe@test.loc. One nice thing about this format is that it *should* be unique across an entire forest, so if you move a user, even between domains, it can be configured so that nothing breaks. But joe… you said it had the domain in the attribute, wouldn’t that change? Well yes, reader, if you stick with the default: if I move my userid joe from test.loc to child.test.loc then my default UPN becomes joe@child.test.loc. But you don’t have to leave the default, you can set what you want… For instance I could set my UPN to just joe@test.loc and regardless of the domain it is moved to it would stay that way. I could even set it to joe@tracysbarandgrill.com if I wanted to. Of course if you set that value you should also add the suffix to the allowed (alternate) UPN suffixes of the forest, so that people can pick it in ADUC and so other things such as forest trusts work properly; strictly speaking, for use within a single forest you don’t need it. One caveat: AD itself does not enforce that userPrincipalName is unique across the forest (ADUC checks when it creates a user, a raw LDAP write does not), and a duplicate UPN makes logon with that name ambiguous, so keep them unique. You can set the allowed UPN suffixes with domain.msc or you can go straight to the source and put them into the uPNSuffixes attribute of CN=Partitions,CN=Configuration,[ROOT DOMAIN DN]

Like so

[screenshot of the uPNSuffixes attribute]

Or better

G:\>adfind -partitions -s base upnsuffixes

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
Base DN: cn=partitions,CN=Configuration,DC=test,DC=loc

dn:cn=partitions,CN=Configuration,DC=test,DC=loc
>uPNSuffixes: tracysbarandgrill.com

1 Objects returned

So how do you use this format of bind DN in AdFind???

adfind -default -f name=joe -u joe@test.loc -up SomePassword123!

Note: While Active Directory requires you to use an email style (RFC 822) format string for the UPN, ADAM (Active Directory Application Mode) does not enforce the same standard. You can use single part strings just fine there, such as just joe or joeuser or joe.user.

Search Base Formats

Now it is time to discuss the various “DN” formats that can be used for your search base in Active Directory. As you probably know, an LDAP query requires you to tell it where in the directory tree to start the search; that is the search base. Most people think you can only specify a DN for this. Normally that may be true, but Microsoft was kind enough to give some shortcuts, and anyone familiar with AdFind knows that I gave more shortcuts, but my shortcuts are not the same as the MSFT shortcuts…

Format 1:

The first format for the Base DN is, well, not to surprise you too much, but an actual real live DN. This takes the form of any old DN like… to reuse an example… CN=joe,OU=Users,OU=My,DC=test,DC=loc. But since this is about search bases it could be an OU such as OU=Users,OU=My,DC=test,DC=loc.

AdFind Examples:

adfind -b ou=users,ou=my,dc=test,dc=loc -f name=joe

adfind -b cn=joe,ou=users,ou=my,dc=test,dc=loc -s base

Format 2:

The next format is the GUID of the object. This is a nice format to use if you are tracking an object and want to be able to go to it wherever it might be moved to within the forest. You specify the base in a special format - <GUID=9e0645e9c606d14295ac153d5076d897>.

AdFind Examples

adfind -b “<GUID=ba1ee8b7248b34408c34841740211a81>” -f name=joe

adfind -b “<GUID=9e0645e9c606d14295ac153d5076d897>” -s base

Those two queries correspond to the queries in the Format 1 examples above.

Note: I had to put quotes around the “DN” because of the greater-than and less-than symbols. Those mean something to the command interpreter and I need them to be passed into AdFind unharmed (see http://blog.joeware.net/2008/03/27/1109/).

Format 3:

The next format is the SID of the object. This is similar to the GUID format but using SIDs.

AdFind Examples

this space intentionally not an adfind command

adfind -b “<SID=010500000000000515000000aa867905c1c5484bba6236d557040000>” -s base

alternately with any version of Active Directory beyond Windows 2000 you can use

this space intentionally not an adfind command

adfind -b “<SID=S-1-5-21-91850410-1263060417-3577111226-1111>” -s base

As you can see, I don’t have a base DN format with the SID specified that I can use for the OU… why you ask? OUs aren’t security principals and don’t have SIDs (yes I know this pissed you Novell people off - I get it. heh). So no SID, no way to address the OU by SID. As you can also see there are two different SID formats. I won’t go much into this other than yes, there are two formats you can use. Most people, if they do this at all, will likely use the second friendly format and not the HEX format.

SideBar

There is a little sidebar we can take here now related to these Base DN formats. Microsoft was very kind to allow us to output DNs in such a way that these formats are exposed to us… This is called the extended DN format. It is enabled by turning on the proper LDAP control in the LDAP request, for information see http://msdn.microsoft.com/en-us/library/aa366980(VS.85).aspx or search for LDAP_SERVER_EXTENDED_DN_OID when MSDN breaks that link for me… ;)

So what does that look like you ask?

AdFind Examples

G:\>adfind -default -f name=joe -dn -extname

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

dn:<GUID=9e0645e9c606d14295ac153d5076d897>;<SID=010500000000000515000000aa867905c1c5484bba6236d557040000>;CN=joe,OU=Users,OU=My,DC=test,DC=loc

1 Objects returned

And cooler, as you can see, ANY DN format attributes (not to be confused with string attributes that hold DNs) will get output this way…

G:\>adfind -default -f name=joe memberof directreports managedobjects -extname

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

dn:<GUID=9e0645e9c606d14295ac153d5076d897>;<SID=010500000000000515000000aa867905c1c5484bba6236d557040000>;CN=joe,OU=Users,OU=My,DC=test,DC=loc
>memberOf: <GUID=f8fcc524dba94047ac67e36d72195747>;<SID=010500000000000515000000aa867905c1c5484bba6236d578060000>;CN=joegroup,OU=joeperm,OU=TestOU,DC=test,DC=loc
>directReports: <GUID=7806a7be8d6d094b9f9750143cc5151a>;<SID=010500000000000515000000aa867905c1c5484bba6236d5f4010000>;CN=Administrator,CN=Users,DC=test,DC=loc
>managedObjects: <GUID=6186a268b84c374c8563baf56e387d3f>;<SID=010500000000000515000000aa867905c1c5484bba6236d505020000>;CN=Cert Publishers,CN=Users,DC=test,DC=loc

1 Objects returned

And here is an example of the same output for an OU, note the lack of the SID field

G:\>adfind -default -f ou=users -dn -extname

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

dn:<GUID=ba1ee8b7248b34408c34841740211a81>;OU=Users,OU=My,DC=test,DC=loc
dn:<GUID=d64d7146973a5a4b928403fba911fb63>;OU=Users,OU=TestOU,DC=test,DC=loc

2 Objects returned
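As an added example (my own script for this write-up, not part of AdFind and not code from the original post), here is a bit of Python that pulls the three pieces out of an extended DN like the ones above and turns the raw GUID hex and the HEX SID into their friendlier forms, so you can see that the two SID formats in Format 3 are the same value. The sample DN is constructed from the output above; the GUID conversion assumes the hex is the raw objectGUID bytes, which is why the first three fields come out byte-swapped.

```python
import re
import uuid

# Constructed sample, modelled on the "adfind -dn -extname" output above.
SAMPLE_DN = ("<GUID=9e0645e9c606d14295ac153d5076d897>;"
             "<SID=010500000000000515000000aa867905c1c5484bba6236d557040000>;"
             "CN=joe,OU=Users,OU=My,DC=test,DC=loc")

def parse_extended_dn(ext_dn):
    """Split an extended DN into (guid_hex, sid_hex, dn). sid_hex is None for OUs."""
    m = re.match(r"^<GUID=([0-9a-fA-F]{32})>;(?:<SID=([0-9a-fA-F]+)>;)?(.*)$", ext_dn)
    if not m:
        raise ValueError("not an extended DN: %r" % ext_dn)
    return m.groups()

def guid_hex_to_string(guid_hex):
    """Raw objectGUID bytes -> canonical GUID text (first three fields are little-endian)."""
    return str(uuid.UUID(bytes_le=bytes.fromhex(guid_hex)))

def sid_hex_to_string(sid_hex):
    """Binary SID (revision, count, 48-bit authority, 32-bit LE sub-authorities) -> S-1-5-... form."""
    b = bytes.fromhex(sid_hex)
    revision, count = b[0], b[1]
    if len(b) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(b[2:8], "big")
    subs = [int.from_bytes(b[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def sid_string_to_hex(sid):
    """Inverse: S-1-5-... text back to the hex form accepted inside <SID=...> base DNs."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    for s in subs:
        out += s.to_bytes(4, "little")
    return out.hex()

if __name__ == "__main__":
    guid_hex, sid_hex, dn = parse_extended_dn(SAMPLE_DN)
    print("DN:  ", dn)
    print("GUID:", guid_hex_to_string(guid_hex))
    print("SID: ", sid_hex_to_string(sid_hex))
```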

Upgraded WordPress

by @ 7:21 pm. Filed under updates

So I did something I always have some amount of trepidation doing… upgraded my web software, in particular I upgraded WordPress. This was needed, there was a security issue in the older version I was using and someone actually poked themselves into it and popped some hidden links into the blog entries. No harm to you, no fears. Just pissed me off.

So if you see anything weird, let me know.

   joe

Gorgeous

by @ 4:53 pm. Filed under general

butterfly_yellow-flowers

Why I have a headache today…

by @ 11:39 am. Filed under general

Now this is an evil weather front system…

image

5/2/2008

And another movie that looks good…

by @ 6:46 pm. Filed under general

My inner geek is coming out again…

Looks like they may have done it correctly this time. Though no one has yet properly explained to me why his pants stretch so much… I gain a few pounds and my pants rip right out in the crotch darn near every time. ;)

image

image

Better Quality Trailers here - http://www.apple.com/trailers/universal/theincrediblehulk/

Cute

by @ 6:45 pm. Filed under humour

5/1/2008

Things are looking up in Chile…

by @ 11:27 pm. Filed under humour

http://ap.google.com/article/ALeqM5gsPiYvAUO3i7krLIdN-nv09fxkvQD90CE08O0

Chilean town giving free Viagra to senior citizens

SANTIAGO, Chile (AP) — A working class suburb of Chile’s capital began handing out free Viagra to senior citizens on Wednesday. Lo Prado Mayor Gonzalo Navarrete said he launched the program because “an active sexuality improves the overall quality of life.”

About 1,500 residents of the working-class area are eligible to receive as many as four pills of the erectile dysfunction drug each month, the mayor said. They have to be at least 60 and be registered with the municipality’s health service.

“A doctor will have to certify that they suffer from erectile dysfunction and that their condition would not put them in danger of suffering cardio-respiratory side effects,” Navarrete told The Associated Press by telephone.

He said he has assured about US$10,000 (euro6,400) in financing for the program through the end of the year.

Some government insurance plans in the United States and elsewhere provide Viagra, but Lo Prado hands the 50mg pills out free, with no membership in any public or private insurance plan required.

Navarrete said some other mayors in the Santiago area, which includes 34 municipalities, have told him they plan similar programs.

Navarrete said he did not know how many pills had been distributed so far.

4/29/2008

Kudos to the Microsoft Exchange Dev Team…

by @ 11:46 pm. Filed under tech

I know some of you may read that and choke on your bagel or candy bar or coke or whatever else you were shoving down your throat as you relaxed and sat back to read what I have to say today…

But I mean it!

I had an unfortunate issue where one of my virtual host servers started having issues with one of the Western Digital drives in it. This particular drive was in a MOBO RAID (Promise RAID) "stripe" set.  This caused my server to act quite erratically and black screen (like a blue screen of death but worse because you have nothing to go on) and generally perform poorly. After a series of tests I worked out what happened. Unfortunately both my Exchange Server and my mail client machines were virtuals on that one host… So I lost Exchange and all of my PSTs in one fell swoop. I was devastated as you may imagine. Well you may not imagine it all… When I moved, my backup system "broke" and I never reset it all up. It was one of those, "I will get to it" items. Well busy schedule and Carbon Monoxide poisoning prevented me from worrying about it and voila, several months later, here I am with broken pieces and a need for a backup but that backup was almost 6 months old…

Long story slightly shortened, the Promise RAID "Stripe" set apparently wasn’t a stripe set because I noticed while trying to copy files off, some worked fine, some didn’t work as fine and actually hung the box. So I worked to get as much off as possible and soon realized that the symptoms added up to the "Stripe" set where the data is interspersed on both drives equally in stripes (hence the brilliant name) was actually implemented as a volume set… I.E. The info was written to one drive and then slowly crawled onto the second. Luckily, 3 DCs and my client’s Data logical virtual drives were all on the "good" disk and the Exchange server, one DC, and my client’s OS disk logical virtual drives were on the "bad" disk. Using the command line virtual disk mounting tool in Virtual Server I mounted my client data virtual disk and immediately copied the gigs and gigs of PSTs off and to about 10 different other machines. ;)

So only thing left was to rebuild a DC and the Exchange Server… Well I wasn’t relishing the Exchange Server rebuild as I had a lot of custom settings… Well my good friend and coworker and co-MVP buddy old pal Brian Desmond casually said in IM… why don’t you just use "setup /disasterrecovery" (dumbass)[1]. I was like… hmmm never heard of it, my Exchange servers don’t do that normally. Let me try it…

WOW. Very cool. I was very impressed. Worked like a dream. I was, at that moment, thinking, hey the Exchange team did something right here. I was quite happy as all special configs I had were all in place and bam things just worked. Very good.

Of course if I look on this in the slightly negative way I could say… why is it that one of the best implemented features I have found to date was the disaster recovery option??? Have to run that much around the world?  I will just assume they thought it was exceedingly important to get right and exceedingly easy to do because all of the data was in AD already. I am glad it ran that well. If it didn’t, it is quite likely I would be running a FreeBSD mail server right now because honestly, Exchange is running in my house for two reasons. First, it is for testing things to see how it impacts AD and of course for my ExchMbx utility and second, I need a SMTP/POP3 landing zone server and that is all it is.

BTW, some folks I consider to be good friends now are over on the Exchange Dev team and I know we will see amazing things because of it. I look forward to when their influence is helping us all out.

    joe

[1] Brian didn’t say dumbass, I just inferred it from how it was said. ;)

For anyone NOT familiar with Eddie Izzard

by @ 11:44 pm. Filed under humour

Ohhhhhhhhh 2

by @ 10:31 pm. Filed under general

So maybe not a complete geek, this looks good too.

Deception…