joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

AdFind/AdMod Updates

by @ 3:15 am on 9/25/2006. Filed under updates

I sent out the second beta for AdMod yesterday afternoon; I am expecting to release it to the general public within a week. The beta testers have not reported back any issues other than the general comment that the usage/help output is huge… Note that this is the light help too: the tool now does so much that I only gave brief highlights of each capability.


This weekend it rained a lot so I had a creative streak and tore through a bunch of updates for AdFind. It was about 700 new lines of code incorporating items various users have requested like decoding the password policy time attributes on the NC Head as well as items I have wanted to add myself such as decoding the defaultSecurityDescriptor of schema classes, filtering SD values with a matching or non-matching string (more blog posts on this later), adding some stuff for Longhorn, etc. Lots of cool stuff from my point of view.

I also changed the usage screens because the /?, /??, /??? annoyed me and I found I was either using /? or /??? so I killed /??. This is similar to what I did for AdMod. That mostly involved chopping code out.

I added several more shortcuts and am thinking of even more based on some of the other new functionality I have added…

  • listpropsets
  • listpropsetsl
  • listpropsetscsv
  • listvwrites
  • listvwritesl
  • listvwritescsv
  • listxrights
  • listxrightsl
  • listxrightscsv
  • exchmbxs
  • exchme
  • sdfilter:xx
  • sdfilterns:xx

Oh yeah, along with the other Security Descriptor changes I added an -sddl++ mode. You may be familiar with the previous -sddl+ mode which would decode the GUIDs in the SDDL ACE entries to class/attribute/extended right objects and also break the ACEs into one per line. Well -sddl++ goes a step further and also decodes the other fields of the Security Descriptor as well. It still isn’t as verbose as, say, DSACLS but you can get a quick listing of all objects in a branch or the entire directory much faster than you can with DSACLS. Also with the -mvfilter switch you can filter out all ACEs except those matching some string criteria you specify, for instance, those that have a certain security principal listed or a certain permission…


F:\Dev\CPP\AdFind>adfind -default -f "(objectcategory=organizationalunit)" -sc sdfilterns:FC -elapsed

AdFind V01.32.00cpp_BETA1 Joe Richards (joe@joeware.net) September 2006

Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=Exchange,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] ALLOW;;(FC);;;JOE\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;(FC);;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [DACL] ALLOW;(CONT INHERIT)(INHERITED);(FC);;;JOE\Enterprise Admins

dn:OU=joeware2,OU=Exchange,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] ALLOW;;(FC);;;JOE\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;(FC);;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [DACL] ALLOW;(CONT INHERIT)(INHERITED);(FC);;;JOE\Enterprise Admins

dn:OU=MailUsers,OU=joeware2,OU=Exchange,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] ALLOW;;(FC);;;JOE\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;(FC);;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [DACL] ALLOW;(CONT INHERIT)(INHERITED);(FC);;;JOE\Enterprise Admins

dn:OU=Domain Controllers,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] ALLOW;;(FC);;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [DACL] ALLOW;(CONT INHERIT)(INHERITED);(FC);;;JOE\Enterprise Admins

<SNIP>

dn:OU=Level1500,OU=UnixComputers,OU=5002,OU=buildings,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] ALLOW;;(FC);;;JOE\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;(FC);;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [DACL] ALLOW;(CONT INHERIT)(INHERITED);(FC);;;JOE\Enterprise Admins

dn:OU=Level1600,OU=UnixComputers,OU=5002,OU=buildings,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] ALLOW;;(FC);;;JOE\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;(FC);;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [DACL] ALLOW;(CONT INHERIT)(INHERITED);(FC);;;JOE\Enterprise Admins

dn:OU=xdom,OU=TestOU,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] ALLOW;;(FC);;;JOE\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;(FC);;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [DACL] ALLOW;(CONT INHERIT)(INHERITED);(FC);;;JOE\Enterprise Admins

13222 Objects returned
Time Elapsed (sec): 90.68


Yes, that number is correct, thirteen thousand, two hundred and twenty-two organizational units in my joe.com test domain, and I enumerated the ACLs on all of those objects and filtered the output in a little over 90 seconds… Run over wireless from an old Dell Inspiron 8500… The DC is running on hardware that was my desktop PC about 6 or 7 years ago.
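The decoded ACE lines above are easy to post-process once you split them into their fields, which is how you get from "every ACE on every OU" to a short audit list of who holds Full Control explicitly (not through inheritance) on each object. The following Python is an added example, not part of AdFind or its output; it assumes the six semicolon-separated fields of each decoded ACE follow the SDDL ACE order (type;flags;rights;object;inherit_object;trustee), which the page does not state, and it runs over a constructed sample in the shape of the listing above (the JOE\HelpDesk entry is invented for the example).

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of the -sddl++ style listing on the page:
# one "dn:" line per object, then one decoded ACE per line.  The JOE\HelpDesk
# ACE is made up for this example; it does not come from the page.
SAMPLE_OUTPUT = r"""dn:OU=Exchange,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] ALLOW;;(FC);;;JOE\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;(FC);;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [DACL] ALLOW;(CONT INHERIT)(INHERITED);(FC);;;JOE\Enterprise Admins

dn:OU=Domain Controllers,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] ALLOW;;(FC);;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [DACL] ALLOW;(CONT INHERIT)(INHERITED);(FC);;;JOE\Enterprise Admins
>nTSecurityDescriptor: [DACL] ALLOW;;(RP)(WP);;;JOE\HelpDesk

2 Objects returned
"""

ACE_LINE = re.compile(r"^>nTSecurityDescriptor:\s+\[(DACL|SACL)\]\s+(.*)$")
PAREN_TOKENS = re.compile(r"\(([^)]*)\)")


def parse_ace(acl, text):
    """Split one decoded ACE into its fields.

    Assumption (not documented on the page): the six ';'-separated fields
    follow the SDDL ACE order  type;flags;rights;object;inherit_object;trustee.
    """
    parts = text.split(";", 5)
    if len(parts) != 6:
        raise ValueError(f"unexpected ACE layout: {text!r}")
    ace_type, flags, rights, obj, inherit_obj, trustee = parts
    flag_set = set(PAREN_TOKENS.findall(flags))
    return {
        "acl": acl,
        "type": ace_type,
        "flags": flag_set,
        "rights": set(PAREN_TOKENS.findall(rights)),
        "object": obj,
        "inherit_object": inherit_obj,
        "trustee": trustee,
        "inherited": "INHERITED" in flag_set,
    }


def parse_output(text):
    """Return an ordered mapping of DN -> list of parsed ACEs."""
    entries = OrderedDict()
    current = None
    for line in text.splitlines():
        if line.startswith("dn:"):
            current = line[3:].strip()
            entries[current] = []
            continue
        m = ACE_LINE.match(line)
        if m and current is not None:
            entries[current].append(parse_ace(m.group(1), m.group(2)))
    return entries


def filter_aces(entries, rights=None, trustee=None, explicit_only=False):
    """Keep ACEs matching every given criterion; drop DNs with no match."""
    wanted = set(rights or [])
    out = OrderedDict()
    for dn, aces in entries.items():
        kept = [a for a in aces
                if wanted <= a["rights"]
                and (trustee is None or a["trustee"].lower() == trustee.lower())
                and not (explicit_only and a["inherited"])]
        if kept:
            out[dn] = kept
    return out


def explicit_full_control(entries):
    """DN -> sorted trustees granted FC directly on that object (not inherited)."""
    hits = filter_aces(entries, rights=["FC"], explicit_only=True)
    return {dn: sorted(a["trustee"] for a in aces if a["type"] == "ALLOW")
            for dn, aces in hits.items()}


if __name__ == "__main__":
    parsed = parse_output(SAMPLE_OUTPUT)
    for dn, trustees in explicit_full_control(parsed).items():
        print(dn)
        for t in trustees:
            print("   ", t)
```

Filtering on the parsed fields rather than on the whole ACE string is what lets you ask independent questions (which trustee, which rights, inherited or not) against one captured listing; the inherited flag is checked from the flags field, so an entry such as the Enterprise Admins ACE above drops out of the explicit-only report while still being available for a plain rights filter.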


I plan to release the new version of AdFind at the same time I release the new version of AdMod.


   joe


7 Responses to “AdFind/AdMod Updates”

  1. Fred says:

    Joe,

    I have to say simply, thank you for your great work on these utilities.

  2. joe says:

    No problem Fred, I have fun doing this stuff. In fact, the amount of work I have been putting into it lately is directly inversely proportional to how much fun I am having at work… I need to accomplish a certain amount every week, if I don’t do it at work, I do it in joeware. Otherwise I go insane. 🙂

  3. Yeah I’m the same way. Stuff in my projects folder gets tinkered with when it’s a slow week at the office. I’ve actually been cooking something and it works. Haven’t decided what to do with it.

    A suggestion for that ACL output – add a switch to filter inherited permissions. I once wrote a VBScript for a client that generated an Access database for them of all the explicit permissions on each OU in the tree and I had to do the inherited filtering in there. I think I’ve used that script a couple more times, so it’s certainly a useful feature imho.

  4. PS “OU=5002,OU=buildings,DC=joe,DC=com” … Is this actually the State of Michigan AD in your demo? I didn’t think they had more than 5K buildings or thereabouts in that state.

  5. joe says:

    Brian: Ah but this isn’t about being slow… it is more like I need something to keep me sane, so even if I am busy at work, if it isn’t stuff that I feel is productive I have to do something with joeware that is. Also I do a lot of joeware when it is nasty weather and there is nothing good on TV. ;o)

    As for the OU structure, nope not State of Michigan… Just a test of an OU structure building script where I specified a base OU name.

    Good idea on that specific filter. You can do it through mvdelim but I think I will add SDDL specific filtering as well so you can filter by any of the 5 fields independently instead of just allowing filtering on the entire string.

  6. Mike Kline says:

    13,000 OUs and 300K+ users. Damn, your test domains and forests are much bigger than what most of us will ever work on in a real environment. This is part of the reason why you are one of the top AD guys around.

    Have you ever blogged about your test network at home? That would be an interesting read.

  7. joe says:

    Mike: I like to test at that scale as I figure if something handled the environment well there, anything smaller shouldn’t be much of an issue.

    I don’t think I have blogged my test environments. But then I have several that I spin up and spin down as needed. I have a ton of Virtuals built and stored on DVDs that I pull out as necessary.
