joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...


Everything I Need to Know I Learned in Monty Python and the Holy Grail

by @ 6:35 pm. Filed under general

Be pragmatic: Everyone told the King of Swamp Castle that he was “daft to build a castle on a swamp,” and sure enough, his first attempt sank into the muck. “So I built a second one,” he says. “That sank into the swamp. So I built a third. That burned down, fell over, then sank into the swamp. But the fourth one stayed up.”

This is the kind of thinking that produces epic SAP implementation failures. The King and his melancholy son Alice … I mean, Herbert … could’ve spared themselves a lot of trouble if they had listened to trusted advisors and built on another site. Be pragmatic and be willing to shift your plan as events and conditions warrant. Oh, and no singing.


Rating 4.00 out of 5


Getting the DN of the parent of an object

by @ 10:33 pm. Tags:
Filed under general, tech

Do you remember how several years ago I added to AdFind the ability to display the parent of the object you searched for? Microsoft finally added that ability as well for any LDAP query as of Windows Server 2012 R2 and ADLDS for Windows 8.1/Windows Server 2012 R2.

The attribute is called msDS-parentdistname.

[Thu 05/11/2017  22:10:46.92]
E:\>adfind -e k16 -f name=unix* msDS-parentdistname -dpdn

AdFind V01.50.00cpp Joe Richards ( May 2017

Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server 2016
Base DN: DC=k16tst,DC=test,DC=loc

>parentdn: OU=TestOU,DC=k16tst,DC=test,DC=loc
>msDS-parentdistname: OU=TestOU,DC=k16tst,DC=test,DC=loc

>parentdn: CN=TestContainer,DC=k16tst,DC=test,DC=loc
>msDS-parentdistname: CN=TestContainer,DC=k16tst,DC=test,DC=loc

>parentdn: CN=UnixCN,CN=TestContainer,DC=k16tst,DC=test,DC=loc
>msDS-parentdistname: CN=UnixCN,CN=TestContainer,DC=k16tst,DC=test,DC=loc

>parentdn: OU=Unix,OU=TestOU,DC=k16tst,DC=test,DC=loc
>msDS-parentdistname: OU=Unix,OU=TestOU,DC=k16tst,DC=test,DC=loc

>parentdn: OU=Unix,OU=TestOU,DC=k16tst,DC=test,DC=loc
>msDS-parentdistname: OU=Unix,OU=TestOU,DC=k16tst,DC=test,DC=loc

5 Objects returned

Now I could change AdFind to just use that attribute but since I know for a fact people who are using AdFind for earlier Windows versions and for non-Microsoft LDAP implementations it will stay right where it is.


Rating 4.00 out of 5


AdFind -sslinfo

by @ 9:06 pm. Tags:
Filed under general, tech

One of the new switches I have added to AdFind V01.50.00 is the –sslinfo switch.

This is some functionality I have long wanted to have in AdFind because getting info about the certs the Domain Controllers (or ADLDS) is presenting can be very useful information, especially for troubleshooting. That being said this switch should probably still have the BETA tag on it because it isn’t fully integrated into the rest of AdFind. That means you won’t be able to ask for just specific attributes that it outputs for the certs or get the info in CSV format or do ANY of the output manipulation that you can do with most things. You will also notice the normal server info header info isn’t there either.

I do intend to fix it and make it work in the normal way. The reason it is done this way is because it was a last minute add because I needed it (which is why AdFind and 90% of its functionality was produced anyway) and it is outside the normal LDAP data stream flow so is outside of the space where I have all of the searching/formating functionality.

If you haven’t checked it out though it is pretty cool.

[Wed 05/10/2017 20:59:31.16]
E:\issues\OU_DC>adfind -hh k16tst-dc1.k16tst.test.loc -sslinfo

AdFind V01.50.00cpp Joe Richards ( May 2017

dn:CN=Certificate Info,CN=k16tst-dc1.k16tst.test.loc
>ciEncodingType: X509_ASN_ENCODING (0x01)
>ciVersion: CERT_V3 (0x02)
>ciNotBefore: 2017/04/27-09:24:40 Eastern Daylight Time
>ciNotAfter: 2018/04/27-09:24:40 Eastern Daylight Time
>ciSignatureAlgorithm: 1.2.840.113549.1.1.13
>ciIssuer: CN=CA1,DC=k16tst,DC=test,DC=loc
>ciSubject: CN=K16TST-DC1.k16tst.test.loc
>ciAltNameDNSName: K16TST-DC1.k16tst.test.loc
>ciAltNameDNSName: k16tst.test.loc
>ciAltNameDNSName: K16TST

dn:CN=SSL Connection Information,CN=k16tst-dc1.k16tst.test.loc
>ciProtocol: Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
>ciCipherAlgorithm: AES 256-bit encryption algorithm (CALG_AES_256)
>ciCipherStrength: 256 bits
>ciHashAlgorithm: 384 bit SHA hashing algorithm (CALG_SHA_384)
>ciHashStrength: 0 bits
>ciKeyExchAlgorithm: Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
>ciKeyExchStrength: 255 bits

The command completed successfully

[Wed 05/10/2017 20:59:33.33]
E:\issues\OU_DC>adfind -hh k16tst-dc2.k16tst.test.loc -sslinfo

AdFind V01.50.00cpp Joe Richards ( May 2017

dn:CN=Certificate Info,CN=k16tst-dc2.k16tst.test.loc
>ciEncodingType: X509_ASN_ENCODING (0x01)
>ciVersion: CERT_V3 (0x02)
>ciNotBefore: 2017/04/08-12:15:53 Eastern Daylight Time
>ciNotAfter: 2018/04/08-12:15:53 Eastern Daylight Time
>ciSignatureAlgorithm: 1.2.840.113549.1.1.13
>ciIssuer: CN=CA1,DC=k16tst,DC=test,DC=loc
>ciSubject: CN=K16TST-DC2.k16tst.test.loc
>ciAltNameDNSName: K16TST-DC2.k16tst.test.loc

dn:CN=SSL Connection Information,CN=k16tst-dc2.k16tst.test.loc
>ciProtocol: Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
>ciCipherAlgorithm: AES 256-bit encryption algorithm (CALG_AES_256)
>ciCipherStrength: 256 bits
>ciHashAlgorithm: 384 bit SHA hashing algorithm (CALG_SHA_384)
>ciHashStrength: 0 bits
>ciKeyExchAlgorithm: Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
>ciKeyExchStrength: 255 bits

The command completed successfully

Rating 3.00 out of 5


AdFind V01.50.00 Released

by @ 9:49 pm. Tags:
Filed under general, tech, updates

May the Fourth be with you. Smile 

I have uploaded the release version of AdFind V01.50.00 to the web site. You can find it at:

I have mentioned previously some of the updates, the big change was to change from using the Code Gear (Embarcadero previously Borland) Builder C++ to Visual Studio 2015 and then to Visual Studio 2017. That conversion alone results in a 20%+ improvement in performance.

I have to eat some dinner so I will try to write some more blog entries later on about some of the new features. Mostly at this point you all know what the tool does and this just does it a little more better before.


Rating 4.60 out of 5


AdFind close to the finish line…

by @ 5:04 am. Filed under general, tech

I believe we will see AdFind released in the next few days. It seems to be very stable, I use it every single day for literally thousands of queries of a very large production Active Directory environments (millions of user accounts). Speed perfs are amazingly useful especially for the Security Descriptors. I got most of what I wanted into it though to be honest what I mostly wanted was a stable Visual Studio version with Windows 2016 decodes. I am working on updating the web page now. I had to go find the old web site source code as I switched laptops since the last time I released and silly me didn’t put the web site code with the rest of my source code… When am I going to learn that web pages are like app code if not actual app code and needs version control just like my cpp files?? I guess now. Smile

BTW, sad day. I finally bit the bullet and switched it from reporting Active Directory Application Mode if the ADAM service is older than the 2003 era service. The reason being that the number of emails I was receiving saying “Hey it is calling my ADLDS server an Active Directory Application Mode Server, what is wrong with the tool??” has increased substantially and I don’t have the time to explain to every admin who doesn’t understand the history. Overall, quick rant… The quality of admins (in general, just not AD) has been going down in the world, sadly, as well as those who understand the history. I am not the only one seeing this, I have had conversations with several well known (to me and the general AD public) MVPs and former MVPs who feel the same. Even though the product is in the C:\Windows\ADAM folder and has ADAM in the default installation path a lot of people now no longer know what ADAM is… Congratulations Microsoft Marketing…

Long live ADAM!


Rating 4.00 out of 5


Flash Back Friday

by @ 7:11 pm. Filed under general, tech


But the schema says description is multivalued…

Rating 3.00 out of 5


The Pollexy Project–Special Needs Voice Assistance

by @ 6:10 pm. Filed under general, tech

I kept meaning to share this with everyone because I really want to get this video everywhere I can to get as much exposure as possible to it out in the world.

Troy is a friend of mine that works for Amazon, he has a 16 year old son with Autism. See what cool thing he cooked up to help him out. This is absolutely awesome work.

I really think this is just the start of what we are going to do with voice tech to make the world better and safer.

And the blog –

Rating 4.00 out of 5


Now this is a great email…

by @ 2:07 pm. Filed under general

I have been going through thousands of emails I was behind on and in great part there are a lot of “thanks but…” emails, this one is simply a thanks email. Loved it.


Subject: Thank you!

I just wanted to let you know that between ADFind, and some Unix/bash regular expressions-based pixie dust, I’ve been able to extract tons of information out of the active directory domain where I work…

Like a list of every (unique) job title used, a list of every sever used as a network home, etc, etc, etc…

It’s been incredibly helpful in tracking the likely causes of some of the odd behaviors that the other techs and I have noticed over the years (specifically users in the same job who don’t have the same policies/access to things).

If you’re curious, I’d be happy to go into detail.

I strongly believe that life would be better if we were as compelled to thank people and tell them what they’re doing right as we are to complain. So, I wanted to thank you (in as direct a way as I can) for everything and offer my wishes that everything is going well for you. 🙂

– Kevin

Rating 4.33 out of 5

From the mailbag… I want to see the information going through the pipeline from one command to the next…

by @ 1:49 pm. Filed under general, tech


Hi, Joe,

I’ve been using these 2 excellent utilities to manage users both in our AD domain and our legacy Novell eDirectory tree.

Recently I needed to move disabled accounts without our ‘KEEP’ flag set into a Leavers OU and came up with the 2 commands below:

adfind -h novserver -ssl -sslignoresrvcert -simple -b o=merpol -f "(&(objectclass=user)(!(generationqualifier=KEEP))(logindisabled=TRUE))" cn fullname -u cn=ldapuser,o=isdept -up password -adcsv > c:\tmp\move2leavers.csv

admod -h novserver -ssl -simple -move o=leavers -u cn=ldapuser,o=isdept -up password < c:\tmp\move2leavers.csv

I managed to do all this in 1 command by piping the output of the adfind command with the –adcsv switch into the admod command but I wanted to record the accounts moved so that I could add them to a cumulative log – hence the intermediate move2leavers.csv file. Was this the best way of achieving this or could I have used the one-liner and somehow recorded the accounts going through the pipeline?


Hi Frank,

Sorry for slow response. I was working for Hewlett Packard Enterprise last year and working way too much. I left them and have a normal job now so I am slowly catching up on joeware email and updating tools.

So anyway, there is nothing builtin that will do what you want here. AdMod does have a -log switch but that is for my debugging mostly. However, that being said, you can use a command line tool called TEE which you would insert in the pipeline and it could output the pipeline to a file while simultaneously shipping it to the next binary in the pipeline.

You can actually do this with a quick perl script as well. See attached 7zip file, you will have to rename it to .7z. I made a really quick and dirty perl script that can do it.

[Sat 04/22/2017 13:29:25.87]
E:\DEV\perl\tee>adfind -h k16tst.test.loc -f name=norm* -dsq | output.txt | admod -h k16tst.test.loc description::"normal user"

AdMod V01.18.00cpp Joe Richards ( March 2012

DN Count: 3
Using server: K16TST-DC2.k16tst.test.loc:389
Directory: Windows Server 2008 R2

Modifying specified objects…
   DN: CN=Norm User 3,OU=Users,OU=TestOU,DC=k16tst,DC=test,DC=loc…
   DN: CN=Norm User1,OU=Users,OU=TestOU,DC=k16tst,DC=test,DC=loc…
   DN: CN=Norm User2,OU=Users,OU=TestOU,DC=k16tst,DC=test,DC=loc…

The command completed successfully

[Sat 04/22/2017 13:34:22.66]
E:\DEV\perl\tee>type output.txt
"CN=Norm User 3,OU=Users,OU=TestOU,DC=k16tst,DC=test,DC=loc"
"CN=Norm User1,OU=Users,OU=TestOU,DC=k16tst,DC=test,DC=loc"
"CN=Norm User2,OU=Users,OU=TestOU,DC=k16tst,DC=test,DC=loc"

[Sat 04/22/2017 13:34:26.07]

If you don’t like compressed files, here is the code in clear text

my $filename=shift;

open OFH,">$filename" or die("ERROR: Couldn’t open filename – $filename: $!\n");

while (<stdin>)
  print OFH $_;
  print $_;
close OFH;

Cheers and again sorry for the slow response.


Rating 3.00 out of 5


by @ 1:39 pm. Filed under general, tech

I am finally catching up on a lot of old email that I wasn’t able to get to, literally thousands of messages. I am quite happy with the number of people who find the tools useful saving them minutes or hours of time and the other comments of thanks we were told by MSFT this or that wasn’t possible but you show how to do it or provide a tool to do it and the other comments of we saved XX thousands of dollars by using your tools instead of buying products from other companies (don’t forget about the tip jar at the top left of the screen at

As for questions… Let me post some quick hit answers that are all that is needed for a large percentage of the emails I am going through.


Q: I need to learn AD and/or something isn’t working right in the tool because <insert some problem here that shows the user is not at all familiar with AD such as incorrect ordering of RDNs in the DN>.

A: There are lots of good books out there, I will initially recommend my book as it has gone through multiple revisions to fix issues and it really does hit things from beginner to advanced.


Q: I love your free tools but <insert some aspect of how I provide the tools that someone doesn’t like for example they have to go to different links to download the tools or they aren’t available in a single zip or the tools display my joeware banner or anything else like that>. When will you get smart and fix it so I don’t have to deal with this?   (seriously had multiple emails that ended like that as if people are doing me a favor by using a tool I provide for free and ALLOW them to use)

A: The tools are free, I provide them in the way I do for specific reasons. The fact that they are free and you find them extremely useful and don’t have to pay for them (did I say free) means you can deal with it or you can find something else if there is anything else out there that does what you need. Alternately you could write your own see


Q: I need to learn PowerShell, how do I do that?

A: I don’t really use PowerShell but if you want to learn I recommend the many online resources for the topic.


Q: What is the warranty? I have a problem with the tool and I wrote critical processes that depend on it and I need the tool changed immediately. Or it broke something of mine and I need you to fix it for us now.

A: See warranty –


Q: I need the source for tool X for <insert any reason in the universe here>, when can you get that to me?

A: See the FAQ –


Q: When I start my computer or run XYX app I see your name/email pop for a second on my screen. What did you put on my machine?

A: Nothing, someone else, probably an admin or application provider is using one of my tools for something. My tools can all be found at and if you didn’t download something from there, you got it from someone other than me.


Q: Your initial image on your website is perverted.

A: No, it really isn’t.


Q: AdFind is broken because I see groups in ADUC that I don’t see in AdFind.

A: It isn’t broken, group enumeration isn’t a single straightforward LDAP query. Get my book and learn about how AD does groups. Also look at using my memberof utility.

Rating 3.00 out of 5

[joeware – never stop exploring… :) is proudly powered by WordPress.]