There are a whole slew of AdFind shortcuts added in the last few versions specifically to assist people in using AdFind in FOR /F loops. Some of those shortcuts are dclist, gclist, domainlist, domainncssl, apppartsl, etc.
For example… You need to loop through all of the DCs of your domain to execute an ldap query looking for last logon time and last bad logon time for an account on each DC…
for /f %i in ('adfind -sc dclist') do @adfind -hh %i -f name=$joe dc:%i samaccountname lastlogon badpasswordtime -nodn -csv -csvnoheader -tdcs
That output looks like
"K8R2Dom-DC1.k8r2dom.loc","$joe","2012/01/09-14:34:10 Eastern Standard Time","2011/12/06-13:08:07 Eastern Standard Time"
"K8R2DOM-DC2.k8r2dom.loc","$joe","2012/01/03-14:31:15 Eastern Standard Time","0000/00/00-00:00:00 "
"K8R2DOM-DC3.k8r2dom.loc","$joe","2012/01/06-12:11:06 Eastern Standard Time",""
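lastLogon and badPasswordTime are not replicated between DCs, which is why every DC has to be asked; the usual next step is to reduce the per-DC rows to the newest value. The following Python sketch is an added example, not part of the original post or of AdFind: it parses the CSV shown above, treats the zero and empty timestamps as "never set", and assumes every row carries the same time zone suffix. The function names are hypothetical.

```python
import csv
import io
from datetime import datetime

# Constructed sample: the three CSV rows shown above (DC, sAMAccountName,
# lastLogon, badPasswordTime), as produced with -csv -csvnoheader -tdcs.
SAMPLE = '''"K8R2Dom-DC1.k8r2dom.loc","$joe","2012/01/09-14:34:10 Eastern Standard Time","2011/12/06-13:08:07 Eastern Standard Time"
"K8R2DOM-DC2.k8r2dom.loc","$joe","2012/01/03-14:31:15 Eastern Standard Time","0000/00/00-00:00:00 "
"K8R2DOM-DC3.k8r2dom.loc","$joe","2012/01/06-12:11:06 Eastern Standard Time",""
'''

def parse_tdcs(value):
    """Return a naive datetime for a -tdcs value, or None when never set.

    Assumption: the time zone name is identical on every row, so it is dropped.
    """
    stamp = value.strip().split(" ", 1)[0]
    if not stamp or stamp.startswith("0000/00/00"):
        return None  # attribute is zero or absent on this DC
    return datetime.strptime(stamp, "%Y/%m/%d-%H:%M:%S")

def latest_per_account(csv_text):
    """Reduce per-DC rows to the newest lastLogon/badPasswordTime per account."""
    result = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 4:
            continue  # skip blank or truncated lines
        dc, account = row[0], row[1]
        entry = result.setdefault(account, {"lastLogon": None, "badPasswordTime": None})
        for field, raw in (("lastLogon", row[2]), ("badPasswordTime", row[3])):
            when = parse_tdcs(raw)
            if when and (entry[field] is None or when > entry[field][0]):
                entry[field] = (when, dc)  # remember which DC saw it
    return result

if __name__ == "__main__":
    for account, fields in latest_per_account(SAMPLE).items():
        for field, hit in fields.items():
            print(account, field, f"{hit[0]} on {hit[1]}" if hit else "never")
```

To use it on real output, redirect the FOR /F loop to a file and pass the file's contents to latest_per_account.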
Alternately if you don’t want it in CSV mode you could use the command
for /f %i in ('adfind -e -sc dclist') do @adfind -hh %i -f name=$joe samaccountname lastlogon badpasswordtime -tdcs
which has output like
AdFind V01.46.00cpp **BETA** Joe Richards (joe@joeware.net) January 2012
Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=k8r2dom,DC=loc

dn:CN=$joe,CN=Users,DC=k8r2dom,DC=loc
>badPasswordTime: 2011/12/06-13:08:07 Eastern Standard Time
>lastLogon: 2012/01/09-14:34:10 Eastern Standard Time
>sAMAccountName: $joe

1 Objects returned

AdFind V01.46.00cpp **BETA** Joe Richards (joe@joeware.net) January 2012
Using server: K8R2DOM-DC2.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=k8r2dom,DC=loc

dn:CN=$joe,CN=Users,DC=k8r2dom,DC=loc
>badPasswordTime: 0000/00/00-00:00:00
>lastLogon: 2012/01/03-14:31:15 Eastern Standard Time
>sAMAccountName: $joe

1 Objects returned

AdFind V01.46.00cpp **BETA** Joe Richards (joe@joeware.net) January 2012
Using server: K8R2Dom-DC3.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=k8r2dom,DC=loc

dn:CN=$joe,CN=Users,DC=k8r2dom,DC=loc
>lastLogon: 2012/01/06-12:11:06 Eastern Standard Time
>sAMAccountName: $joe

1 Objects returned
I sometimes use something like that when just trying to wade through information on different DCs and am not really sure what I am looking for so CSV may be a little confusing to look at initially. Where a lot of people immediately start thinking, oh my, we need to write a script I start thinking about command chaining and FOR /F.
Here is a useful little one liner I have used on many occasions… easily ascertain schema version on all DCs.
F:\dev\cpp\AdFind\Release>for /f %i in ('adfind -e -sc domainlist') do @for /f %j in ('adfind -h %i -sc dclist') do @adfind -hh %j dc:%j -sc schver -csv -csvnoheader -nodn
"K8R2DOM-DC3.k8r2dom.loc","47 [Windows Server 2008 R2]"
"K8R2Dom-DC1.k8r2dom.loc","47 [Windows Server 2008 R2]"
"K8R2DOM-DC2.k8r2dom.loc","47 [Windows Server 2008 R2]"
F:\dev\cpp\AdFind\Release>
or if you need more detailed schema information such as attribute/class/prefix counts…
F:\dev\cpp\AdFind\Release>for /f %i in ('adfind -e -sc domainlist') do @for /f %j in ('adfind -h %i -sc dclist') do @adfind -hh %j dc:%j -rootdse dsSchemaClassCount dsSchemaAttrCount dsSchemaPrefixCount -csv -csvnoheader -nodn
"K8R2DOM-DC3.k8r2dom.loc","234","1314","39"
"K8R2Dom-DC1.k8r2dom.loc","234","1314","39"
"K8R2DOM-DC2.k8r2dom.loc","234","1314","39"
F:\dev\cpp\AdFind\Release>
Or say you need the DSA Version String for each DC…
F:\dev\cpp\AdFind\Release>for /f %i in ('adfind -e -sc domainlist') do @for /f %j in ('adfind -h %i -sc dclist') do @adfind -hh %j dc:%j -rootdse dsaVersionString -csv -csvnoheader -nodn
"K8R2DOM-DC3.k8r2dom.loc","6.1.7601.17514 (win7sp1_rtm.101119-1850)"
"K8R2Dom-DC1.k8r2dom.loc","6.1.7600.16385 (win7_rtm.090713-1255)"
"K8R2DOM-DC2.k8r2dom.loc","6.1.7601.17514 (win7sp1_rtm.101119-1850)"
F:\dev\cpp\AdFind\Release>
So just a few simple, non-scripting methods to get some pretty cool and interesting information. Works without any special Web Services, etc running. 😉
joe