joeware - never stop exploring...

You may have read my other post on using the SID/GUID alternate formats for DNs for queries and my post last year on using alternate DN formats for binding and searching as well… Here is something else I recently learned that I thought was interesting.
There are actually more alternate DN formats…
All of these [...]

About a year ago I wrote a popular blog post about DN formats available in Active Directory. The article is here –> http://blog.joeware.net/2008/05/03/1226/. Great article if I can believe the feedback because it helps people set up their environment and apps in a more generic way that avoids some of the pitfalls of hardcoding DNs [...]

I received an email a couple of months ago from someone looking to remove SIDs from a specific domain from the sIDHistory attribute of all of their users. Here is the response I sent
 
So the ability to remove SID’s from sIDHistory is very simple and basic, you basically have to supply the specific SIDs you [...]

http://support.microsoft.com/kb/970789/en-us
A folder that is created under the root of the system drive is missing entries in its security descriptor, which may cause some application failures on the English version of Windows 7 Release Candidate 32-bit Ultimate
In the English version of Windows 7 Release Candidate (build 7100) 32-bit Ultimate, the folder that is created as the [...]

http://msdn.microsoft.com/en-us/magazine/dd695919.aspx
 
..
Man, That C Is Sharp
For the majority of my fifteen year career at Microsoft, I’ve been a systems and drivers developer. My language of choice and necessity has been a fairly bare bones C++. I rarely get to use runtimes like MFC and the Microsoft .NET Framework. Until recently, I couldn’t have even spelled [...]

I got this from Tony and I wanted to post it, looking at the site and trying to send email to the list it appears their ISP already chopped the lines…
 
Hi all
The ISP that we have been using to host ActiveDir.org for the past 8 years is shutting down and we are preparing to [...]

Another discussion recently popped up on AD Org about indexing the objectClass attribute. Don Hatcherl (previously mentioned on this blog multiple times - short and sweet, when he talks about AD, I and everyone else with any sense listens…) said the following about indexing objectClass…
…An early version of ESE (the one shipped in Exchange 4.0, [...]

I have spoken about this tool before. The old version I have is hands down the best file copy app out there. I expect this newer version that is now publicly available is just as good… Thanks to Scott C for letting me know this was now out there.
http://technet.microsoft.com/en-us/magazine/2009.04.utilityspotlight.aspx
 
   joe

PS C:\Documents and Settings\$joe.TEST> cd\The term ‘cd\’ is not recognized as a cmdlet, function, operable program, or script file. Verify the term and try again.At line:1 char:3+ cd\ <<<<

So who is going to TEC? Excited yet? You should be, it will be fun. Personally, I can’t wait to hear Dmitri, Brett, and yes, even Dean, speak. Those guys are incredibly bright and just plain know a lot of stuff. The weather in Vegas is slated to be in the low 70’s and sunny. [...]

One of the things I love about the MVP summit is getting together with really smart people and discussing various deployment architectures.
One of the topics of conversation during a get together at the Experience Music Project social event was a discussion about how to make a high visibility public web site based on Windows [...]

Recently needed to pull some QFE info to validate some things… Found some fun commands.
wmic qfe list full /format:htable
wmic /node:”servername” qfe list full /format:csv

Today I ran into an issue where a syncing tool blew up because it encountered an object that had multiple values in an attribute that “normally” has a single value in it and it didn’t know how to properly sync that object. Well obviously whomever set up the syncing tool kind of made a mistake [...]

Recently I was searching for some specific OU’s in Active Directory that had a specific substring within the name. i.e. it didn’t start with a specific substring, the substring I wanted was buried in the main string like for example the substring Crab in the string Joe’s Crab Shack which would be represented as *crab* [...]

Back on Jan 21 I tipped my hand on a new capability in AdFind which for many people is extremely exciting based on the feedback in my inbox. To refresh your memory, that was the ability for AdFind to take in a list of Base DN’s to execute queries against. For short we will say [...]

I received an email this evening that I swore I had previously wrote something up on the blog for and didn’t, so I will share…
The email
From: xxx@domain.gov Sent: Wednesday, January 28, 2009 7:28 PMTo: ‘joe@joeware.net’Subject: Adfind piped into admod question
Good evening Joe,
First I’d like to commend you on your books, website, [...]

Example 1: Get tokenGroups attribute for every direct member of the domain admins group.
F:\Dev\Current\CPP\AdFind\Release>adfind -default -f name="domain admins" member -list | adfind -s base tokengroups -resolvesids
AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009
Using server: TEST-DC1.test.loc:389 Directory: Windows Server 2003
dn:CN=TestAdminClone,OU=Users,OU=TestOU,DC=test,DC=loc >tokenGroups: BUILTIN\Users [...]

Not really an issue or at least it shouldn’t be, if something is generating more than 50 concurrent NSPI connections, it likely needs to be checked out anyway…
 
NSPI connections from Microsoft Outlook to a Windows Server 2008-based domain controller may fail with an error code: “MAPI_E_LOGON_FAILED”
This behavior occurs because Windows Server 2008 only allows for [...]

My recent post about getting Active Directory replication Meta Data has spawned a considerable number of emails. I wanted to take a moment and remind everyone of the help switch specifically talking about the replication metadata info. This usage provided in AdFind tells you your sort options available for each metadata attribute and what info [...]

This is a new feature that I added to AdFind on this last version. Sometimes you look at a record and you want to quickly know the delta time between now and the time listed. I have added the –tdcd option to do that. By default it will handle the int8 values, but if you [...]

Sorry folks, haven’t released adfind yet, still testing and checking it out. Amongst other things, I have found some new constants in some of the binary flags to decode for Windows Server 2008 when I was testing that I needed to get into the tool because I hate seeing things like
F:\Dev\Current\CPP\AdFind\Debug>adfind -rootdse msds-replallinboundneighbors;binary -h trouble-rodc1 [...]

I have lots of features in AdFind that I like, but I have to say I am particularly happy with the –mvfilter function. Its something so simple and so widely requested yet NOT done by most LDAP clients… You want this functionality when you only want to see the values in the attribute that match [...]

Which is the correct spelling? Anyone?
I would tend to go with cachEable but Microsoft went with cachAble in the attribute msDS-IsUserCachableAtRodc so I keep misspelling the darn attribute.
Interestingly Live Writer spell check thinks Cacheable is ok but Cachable is an error…
 

I added support for the input DN control in AdFind V01.39.00. What is the input DN control? It is a new control for Windows Server 2008 which will show you the RODC caching policy for a given (or set of) RODC(s) for a given security principal. This is done by specifying the LDAP_SERVER_INPUT_DN_OID control and [...]

The email
From: xxx Sent: Monday, December 22, 2008 8:04 AM To: support@joeware.net Cc: joe@joeware.net Subject: Query - Inactive domain users accounts?
Hi Joe,
This is Turab from Bombay - INDIA. I am working as a System Administrator. [...]

Have you been around long enough to remember ASCII art… You can generate some with the code at the following link:
http://www.codeproject.com/KB/recipes/ASCII_Imager.aspx

Dear joe,
The next time you get an error 0×8007232B aka DNS name does not exist on Vista or Windows Server 2008 don’t forget to do
slmgr.vbs –ipk “activation key”
slmgr.vbs –ato
 
   thanks, joe

The primary updates I was looking to put into AdFind V01.39.00 are now done. Now I am adding/updating shortcuts. After that, I have to do the part I hate the most, update the usage… Ugh.
As I look at the usage I think, I really need to write a book that goes into depth on [...]

As you all know, I have been working away on AdFind lately. I added the ability to decode msPKIRoamingTimeStamp to its two components (create and update time). I wanted to test it and because I don’t have that attrib set on my test environments I needed to compile AdFind in a non-debug mode… And my [...]

I’m on a roll…
This evening while partaking in a little turkey, ham, mashed potatoes, and some sautéed squash fries and visiting with friends and family the code I needed to write to add delta time filter capability popped into my head and this evening I inserted that code so now you can do something like
 
F:\Dev\Current\CPP\AdFind\Debug>adfind [...]

So you have this big nasty LDAP filter and for some reason it isn’t working and by that I mean when you submit the query it comes back and says invalid filter or maybe it doesn’t return what you expect for the data set. You know if you could just see the filter in a [...]

I received my complementary copy of Active Directory Fourth Edition today and noted that it is now IN STOCK on Amazon.com
http://www.amazon.com/Active-Directory-Designing-Deploying-Running/dp/059652059X/ref=sr_1_1?ie=UTF8&s=books&qid=1227681383&sr=8-1
 
My version of the book is now officially dead. :o(
 
At some point possibly Brian will outline what is different about his edition of the book. It will most likely be posted to his blog which [...]

If I already have administrative or extremely privileged rights on a box, an “exploit” that can do things to the kernel is just a normal bug… Don’t get too excited about it.
 
I am talking about this article…
http://redmondmag.com/news/article.asp?editorialsid=10415

When I heard about the naming of the Windows OSes following version numbers I was pretty excited…. Gone were Windows Vista, Windows Me, Windows 95/98, Windows XP, Windows 2000, Windows Server 2003, Windows Server 2003 R2, etc. Long live Windows 7, Windows 8, Windows 9, etc.
Imagine my chagrin as I start reading that the next [...]

I was asked a question this week about how to “batch script” the use of nslookup to test looking up a specific hostname. The “tricky” part was that the person wanted to use a specific DNS server instead of the default for the machine.
The person was shocked by my response so I thought I [...]

Very serious patch came out from Microsoft today. Unless you are running Vista or Windows Server 2008 anyone, and I mean anyone, who can touch the RPC port on your machine can hurt you. Be safe, go to Microsoft or Windows Update and update your machines now. Or if you are an IT type you [...]

More comments on the Active Directory Services Team blog concerning Lag Sites. My friend Guido, probably one of the top guys in the industry in terms of understanding the backup/recovery solution space for Active Directory stepped up and commented as well. He didn’t even know I had left a comment and later pinged me and [...]

Yes! I hit a milestone in AdFind V01.38.00…. I got it to compile under Code Gear C++ Builder 2009. This was quite an accomplishment as there have been some serious changes in that compiler from Borland C++ Builder 6.0 (circa 2002) which was the last compiler that I was using for it. Mostly the issues [...]

Over on the “Ask the Directory Services Team” blog there is a post about Lag Sites. I really disliked what was written and left a nice long comment. I am not sure if it will be posted or not and I also wanted to reach folks with my comments about lag sites that possibly don’t [...]

…because yesterday I ordered the new Code Gear Builder Pro 2009 compiler/IDE and I paid for it in part with PayPal donations from some of you folks. I greatly appreciate the donations and as you can see just roll it right back into producing more products.
While I could start using the Visual Studio suite [...]

This was an outstanding post and I thought should be copied here…
 
From: ActiveDir-owner@mail.activedir.org On Behalf Of Don HacherlSent: Sunday, September 07, 2008 12:52 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Delegating Start/Stop Service on DCs
Years ago I worked with a “domain admin qualified” person at Microsoft who fat fingered the admin UI and deleted a container instead [...]

Now this is really stupid, hope they have a fix in the works.
http://blogs.technet.com/sus/archive/2008/09/03/wsus-windows-vista-clients-reboot-automatically-even-though-a-user-is-logged-on.aspx
The idea is to shut off things that you don’t need and I would argue, successfully I think, that if you aren’t using remote desktop to control a machine, it doesn’t need to be running. I don’t care if the WUA people did [...]

Recently in working with Laura Hunter on my Technical Review of Active Directory Cookbook 3rd Edition, I mentioned that AdFind and AdMod could be used together to do a smart™  update of bit flag attributes. She was a bit surprised so I figured I would mention it here as well for everyone.
But first let’s back [...]

Familar with Service Connection Point objects? This is an object in AD that is published by various services so people/processes can find them. For example, by default ADAM will publish a service connection point object in AD so you can easily track down the instances, it will look something like
dn:CN={04c817c7-46a4-4a0e-b258-c2bd69c00f78},CN=2K3UTL01,CN=Computers,DC=test,DC=loc>objectClass: top>objectClass: joeware-ServerClass>objectClass: leaf>objectClass: connectionPoint>objectClass: serviceConnectionPoint>cn: [...]

Imagine that…
http://www.vmware.com/company/news/releases/svvp.html
 
PALO ALTO, Calif. – Sept 3, 2008 — VMware, Inc. (NYSE: VMW), the global leader in virtualization solutions from the desktop to the datacenter, today announced it has qualified its industry-leading VMware ESX hypervisor under the Microsoft Server Virtualization Validation Program (SVVP). VMware ESX 3.5 update 2 (ESX 3.5u2) is the first hypervisor to [...]

Got this in the inbox…
Hi Joe,
Thanks great tool. One quick question, I’m using CPAU to run a vbscript under a different user id however I was wonder if there was an easy way to pass parameters back to the calling application without having to give the “runas” account a lot of local access [...]

http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html
 
Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.

So who here likes to run ADAM on their client PCs? Who would like to run the Windows Server 2008 version of ADAM on Vista? Yeah me too.
Microsoft was stupid and didn’t make it so Windows Server 2008 ADAM could be installed on the Client OS. Extremely shortsighted. Extremely silly.
So what we need is [...]

In reference to the previous MSFT Virtualization platform validation post
http://www.networkworld.com/news/2008/081908-vmware.html
There doesn’t seem to be any official announcement, but a Microsoft spokeswoman said Tuesday that VMware has joined Microsoft’s Server Virtualization Validation Program. This means that VMware will try to get its hypervisor certified by Microsoft, and once that happens Microsoft will offer technical support for [...]

I want to see your name on this list…
http://www.windowsservercatalog.com/svvp/