joeware - never stop exploring...

Information about joeware mixed with wild and crazy opinions...

7/8/2010

Some possibly useful batch commands

by @ 10:31 am. Filed under tech

I had to work out a few things to do in a batch file the last couple of days so I thought I would share. Note: so this doesn’t become a huge PowerShell versus Perl versus whatever discussion, I had no choice, I had batch available, period, and even that was possibly stretching it a little as the people involved seemed very concerned about scripts, etc. Also, yes, I am aware of Tim Toady (TIMTOWTDI). So please feel free to comment with additional methods.

 

Getting date and time in a useful format

REM date /t output is locale dependent (e.g. "Thu 07/08/2010" on US English);
REM tokens 2-4 are month/day/year, so dt becomes YYYY/MM/DD. Adjust delims/tokens for other locales.
for /f "tokens=1-4 Delims=/ " %%i in (`date /t`) do set dt=%%l/%%j/%%k
REM time /t prints "10:31 AM"; the first token is the HH:MM part
for /f "tokens=1" %%i in (`time /t`) do set tm=%%i
echo Date: %dt%-%tm%

 

Is this machine virtual or physical? It could be VMWare, HyperV or Virtual Server or Virtual PC. I don’t have the strings for other virtualization techs, if people are using them and can post the results of the command “wmic computersystem get model” then they can be added to the batch commands.

set VIRTUAL=NO
set VMWARE=NO
set HYPERV=NO
REM csv output is "Node,Model" per line; skip=2 passes over the header lines, token 2 is the model string
for /f "skip=2 tokens=1-2 delims=," %%i in (`wmic computersystem get model /format:csv`) do set MODEL=%%j

: Microsoft Virtualization
if "%MODEL%"=="Virtual Machine" (
  set VIRTUAL=YES
  set HYPERV=YES
)

: VMWare Virtualization
if "%MODEL%"=="VMware Virtual Platform" (
  set VIRTUAL=YES
  set VMWARE=YES
)

 

Is this machine Vista or better?

SET VISTA+=NO
if exist %systemroot%\system32\bcdedit.exe set VISTA+=YES

 

Is this machine x64?

SET x64=NO
if exist "%systemdrive%\program files (x86)" set x64=YES


4/14/2010

Piping data from AdFind to ExchMbx

by @ 8:10 pm. Filed under tech

I received an email today from someone trying to pipe data from AdFind to ExchMbx. While ExchMbx is getting a little long in the tooth and PowerShell was supposed to have killed it by now, since everything in Exchange is supposed to be done via PowerShell now, it seems some people are still using it.

Anyway, the issue was a relatively simple one. ExchMbx can accept a quoted DN list via STDIN for input if you want to send it a large quantity of DNs at once. To send that list of DNs via AdFind, you want to use the -dsq option. Neither the -dn option, the -adcsv option, nor the -csv option will work for this purpose.

However, if you want to get fancy and send in the DNs from a group’s member attribute, you can use something like

adfind -default -f name=groupname member -qlist | exchmbx blah blah

which will give you a quoted DN list that is composed of the membership of the group.

 

    joe


2/13/2010

AdFind V01.41.00 and AdMod V01.12.00 Released

by @ 2:58 am. Filed under updates

The betrunkener Schmetterling releases of AdFind and AdMod have been posted to the website.

You can find AdFind V01.41.00 here —>  http://www.joeware.net/freetools/tools/adfind/index.htm

You can find the new usage here —> http://www.joeware.net/freetools/tools/adfind/usage.htm

 

You can find AdMod V01.12.00 here —>  http://www.joeware.net/freetools/tools/admod/index.htm

You can find the new usage here —> http://www.joeware.net/freetools/tools/admod/usage.htm

 

You had to expect something was going to hit the joeware free tools website, we are again coming up to The Experts Conference (aka DEC) timeframe and I always try to push something out the door for DEC err TEC. Unfortunately as mentioned earlier, I will not be at TEC this year but I expect a few laptops running my utilities will be there which is almost as good. :)

 

I tried something different this time. I worked on updating AdFind and AdMod at the same time. I usually don’t like doing that because my focus can drift, but it worked out very well in this case as changes I made to AdFind to get it to compile with CodeGear C++ Builder 2009 were needed for AdMod as well, and I also took the opportunity to collapse some of the common functions. Not all of them, lots more can be done in that area, but that is for me and not you because it doesn’t do anything for you. For me it means fewer places to look for changes, and a change in one makes the change in both.

 

The AdFind updates that you will notice are mostly pretty small, various bug fixes and some more attributes decoded properly for Windows Server 2008 R2 (thanks to everyone who emails me items that could be decoded or aren’t decoded properly BTW) and a few new switches.

Probably the most “wanted” addition I have added to AdFind are the -tdcfmt and -tdcsfmt switches. These switches allow you to change the output of the time decoding done with the various -tdc* switches. I had lots of people who wanted to set up their own custom time formats and others who wanted me to localize the output. I figured, of the two, allowing someone to set their own format was the more flexible for them and the least amount of work for me. :) So now if you want to output the time like DAY/MONTH/YEAR or even MONTH-YEAR you are welcome to do so. More on that below in the full detailed list of updates.

 

The AdMod updates are a collection of updates made since V01.10.00 was released back in February 2007. I jumped straight to V01.12.00 as I had stopped working on AdMod for some time and just used V01.11.00 myself to work out some really nasty bugs I somehow inserted into it. :) Then when I started working on it again I needed to rev the version number. So no, you didn’t have a black out, V01.11.00 was never publicly available.

There are a ton of changes in AdMod. It’s not a major version release but it is definitely two minor releases in terms of bug fixes alone… The first big change is that I converted it to CodeGear C++ Builder 2009 like I did for AdFind. Most folks found tremendous speed increases between the old and new version of AdFind when I switched compilers and I have been seeing the same results with AdMod. Another big change is that AdMod will now encode SDDL strings into Security Descriptors. This is done like encoding GUIDs or SIDs but instead with a prefix of SD#. In the same encoding portion of the code I also added time string encoding as well with UTC##, LOCAL##, and CURRENT##. There are some neat tricks you will be able to pull off with those. One of the final big changes is that the CSV mode -import switch now works in update mode, not just add mode. However, in the interest of data safety, the import mode will NOT overwrite current values, it will only ADD values. So if you have a single-valued attribute that is already populated, -import will not overwrite that value. It will bail with an already exists error. If you want that value overwritten, you need to specify the proper attribute operation like description::{{.}} as you did before. I initially set it up with an override switch to allow overwrites, but then saw someone do something that changed my mind.

As always, if you run into issues or just have thoughts, questions, please send me an email. I hope you find the updates to be useful for you. People keep telling me that AdFind/AdMod aren’t needed anymore because PowerShell can do it all but

1) That hasn’t been my experience in any company I have looked at

2) I still get flooded with email requests for new features and how-to questions

so I feel the tools are still relevant and useful and will keep them available.

As I mentioned in another blog post, I am considering writing a book on LDAP, AD, ADAM, and AdFind/AdMod and actually started generating a draft table of contents last night while watching Survivor. I think it will be useful and I am, I expect, the best person to write it. :)

 

 

ADFIND UPDATE DETAILS

* Lots of bug fixes in logic, switch processing, shortcuts, and the usage.

* Added decodes for

  • linkID
  • msDS-OptionalFeatureFlags
  • msDS-RequiredForestBehaviorVersion
  • msDS-RequiredDomainBehaviorVersion

* Updated some other decoded attributes to include Windows Server 2008 R2

* Did some work on the -e and -ef functionality. These switches enable environment variables or switches from a file to allow you to “hardcode” certain switches into your commands without typing them each time. Also added/updated functionality around a default switch file for each program that is always read in case you have something that you always want done, say like -tdcs or one of the new time formatting switches. Note that the default file is read from the current working directory. This was a purposeful decision.

* Added the following new switches

  • -arecex : this enables A Record Exclusive mode. When you specify a host and this switch together, the underlying API will only look at the A record for the name, it will not try to guess if it is a domain. This can dramatically speed up bind times when you specify a host.
  • -hh : this is a shortcut for -h and -arecex together. I sort of look at -hh as meaning, no I really mean this server name, don’t try to look at domain names.
  • -hd : this was a request from a friend of mine, he wanted a shortcut for -h and -default.
  • -digest : Digest authentication
  • -this : Shortcut for -s base
  • -jtsv : Joe’s TSV mode, sets up a couple of options I often use in CSV mode
  • -users : Shortcut base to cn=users,<domainDN>
  • -displayspecifiers : Shortcut base to the display specifiers container in the configuration container.
  • -nocsvq : alias for -csvnoq
  • -csvnoheader : alias for -nocsvheader
  • -tdcfmt/-tdcsfmt : These allow you to modify the time format output of the various -tdc* switches. Specifically you get to specify the normal time format and the “sortable” time format. The format for each is specified with a string with replaceable parameters.
      The default format for -tdc is %MM%/%DD%/%YYYY%-%HH%:%mm%:%ss% %TZ%
      The default format for -tdcs is %YYYY%/%MM%/%DD%-%HH%:%mm%:%ss% %TZ%
      The parameters are:
        %MM%    - 2 digit month
        %DD%    - 2 digit day
        %YYYY%  - 4 digit year
        %HH%    - 2 digit hour (24 hour format)
        %mm%    - 2 digit minute
        %ss%    - 2 digit second
        %ms%    - 2 digit millisecond
        %TZ%    - Time Zone string
        %%      - Percent symbol

* Added the following shortcuts

  • -sc replstat : Combines several switches to retrieve replication cursors (excluding deleted DSAs) for the configuration NC, which can give you a quick view on forest wide replication status.
  • -sc getacl : Combines several switches to get the ACL of a specific object.
  • -sc getacls : Combines several switches to get ACLs on all objects returned.

* Updated the -sc s: and -sc sl: shortcuts to allow you to append ;class or ;attr to focus only on returning classes or attributes.
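The -tdcfmt/-tdcsfmt template parameters listed above, and the int8 time encoding that AdMod’s UTC##/LOCAL## prefixes perform in the other direction, are modelled in this added Python example; it is not AdFind or AdMod code. It decodes an AD int8 timestamp (100-ns ticks since 1601) through a template with %% escaping and case-sensitive %MM% versus %mm%, and encodes wall-clock times back to int8; the "NEVER" string for 0x7FFFFFFFFFFFFFFF, the hundredths interpretation of %ms%, and leaving unknown tokens untouched are this example’s own assumptions.

```python
# Added example (not AdFind/AdMod code): model of the -tdcfmt/-tdcsfmt
# replaceable-parameter templates on AD int8 timestamps, plus the reverse
# encoding that AdMod's UTC##/LOCAL## prefixes perform.
from datetime import datetime, timedelta, timezone

# AD "int8" timestamps (pwdLastSet, lastLogonTimestamp, accountExpires, ...)
# count 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
_TICKS_PER_SECOND = 10_000_000
UNIX_EPOCH_INT8 = 116444736000000000  # 1970-01-01 00:00:00 UTC as int8
# accountExpires uses this value for "never expires"; the text AdFind prints
# for it is not stated in the post, "NEVER" is this example's choice.
NEVER_INT8 = 0x7FFFFFFFFFFFFFFF

# Default templates exactly as listed in the release notes.
TDC_DEFAULT = "%MM%/%DD%/%YYYY%-%HH%:%mm%:%ss% %TZ%"
TDCS_DEFAULT = "%YYYY%/%MM%/%DD%-%HH%:%mm%:%ss% %TZ%"


def int8_to_datetime(int8: int) -> datetime:
    """Decode an int8 tick count into an aware UTC datetime (sub-microsecond ticks dropped)."""
    return _EPOCH_1601 + timedelta(microseconds=int8 // 10)


def datetime_to_int8(dt: datetime) -> int:
    """Encode an aware datetime as int8 ticks (the AdMod UTC##/LOCAL## direction)."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: state which zone it is in")
    delta = dt.astimezone(timezone.utc) - _EPOCH_1601
    seconds = delta.days * 86400 + delta.seconds
    return seconds * _TICKS_PER_SECOND + delta.microseconds * 10


def encode_time(year, month, day, hour=0, minute=0, second=0, utc_offset_hours=0) -> int:
    """Wall-clock fields at a UTC offset -> int8. Offset 0 models UTC##;
    a non-zero offset models LOCAL## for a machine in that zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime_to_int8(datetime(year, month, day, hour, minute, second, tzinfo=tz))


def expand_template(template: str, params: dict) -> str:
    """Replace %NAME% tokens from params; '%%' yields one literal percent sign.
    Names are case-sensitive (%MM% is month, %mm% is minute). Unknown or
    unterminated tokens are copied through unchanged (this example's choice)."""
    out = []
    i, n = 0, len(template)
    while i < n:
        if template[i] != "%":
            out.append(template[i])
            i += 1
            continue
        if i + 1 < n and template[i + 1] == "%":   # escaped percent
            out.append("%")
            i += 2
            continue
        end = template.find("%", i + 1)
        if end == -1:                              # no closing %, keep literally
            out.append(template[i:])
            break
        out.append(params.get(template[i + 1:end], template[i:end + 1]))
        i = end + 1
    return "".join(out)


def format_int8(int8: int, template: str = TDC_DEFAULT,
                utc_offset_hours: int = 0, tz_name: str = "UTC") -> str:
    """Render an int8 value the way a -tdcfmt/-tdcsfmt template would, with the
    clock fields and %TZ% taken in the zone given by utc_offset_hours/tz_name."""
    if int8 == NEVER_INT8:
        return "NEVER"
    zone = timezone(timedelta(hours=utc_offset_hours), tz_name)
    dt = int8_to_datetime(int8).astimezone(zone)
    params = {
        "MM": f"{dt.month:02d}",
        "DD": f"{dt.day:02d}",
        "YYYY": f"{dt.year:04d}",
        "HH": f"{dt.hour:02d}",
        "mm": f"{dt.minute:02d}",
        "ss": f"{dt.second:02d}",
        # the post lists %ms% as 2 digits; hundredths of a second is assumed here
        "ms": f"{dt.microsecond // 10000:02d}",
        "TZ": dt.tzname() or "",
    }
    return expand_template(template, params)


if __name__ == "__main__":
    print(format_int8(UNIX_EPOCH_INT8))                # 01/01/1970-00:00:00 UTC
    print(format_int8(UNIX_EPOCH_INT8, TDCS_DEFAULT))  # 1970/01/01-00:00:00 UTC
    print(format_int8(UNIX_EPOCH_INT8, "%DD%-%MM%-%YYYY% %HH%:%mm% %TZ% (100%% sure)", -5, "EST"))
    print(encode_time(2010, 2, 13, 2, 58))             # int8 for this post's timestamp
```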

 

 

ADMOD UPDATE DETAILS

* Converted to CodeGear C++ Builder 2009

* Lots and Lots of bug fixes in logic, switch processing, shortcuts, and the usage.

* Added CSV variable expansion modifiers __lc, __uc, __spec, __hex, __num, *origdn*.

* Added SD## to allow for SDDL encoding to modify Security Descriptors

* Added UTC##, LOCAL##, CURRENT## to allow for int8 time encoding.

* Like with AdFind, worked on the -e and -ef switches and functionality.

* Warn if no redirection is detected and no base is specified.

* Error out if a bad DN is detected in stdin redirection mode.

* Allow non-CSV mode expansion capability. Gives limited variable expansion functionality.

* The -import switch now works with updates as well as adds. Will not overwrite existing values!

* -csv specified with no arguments enables -import

* Added new switches:

  • -log : Logs AdMod operation info to a file
  • -forestdns : Shortcut Base like in AdFind
  • -domaindns : Shortcut Base like in AdFind
  • -dcs : Shortcut Base like in AdFind
  • -fsps : Shortcut Base like in AdFind
  • -gpo : Shortcut Base like in AdFind
  • -ldappolicy : Shortcut Base like in AdFind
  • -psocontainer : Shortcut Base like in AdFind
  • -xrights : Shortcut Base like in AdFind
  • -partitions : Shortcut Base like in AdFind
  • -sites : Shortcut Base like in AdFind
  • -subnets : Shortcut Base like in AdFind
  • -exch : Shortcut Base like in AdFind
  • -users : Shortcut Base like in AdFind
  • -displayspecifiers : Shortcut Base like in AdFind
  • -stdinadd : Allows you to redirect quoted DNs from STDIN into a multivalue attribute.
  • -stdinrm : Allows you to redirect quoted DNs from STDIN to remove from a multivalue attribute.
  • -stdinreplace : Allows you to redirect quoted DNs from STDIN to replace the values in a multivalue attribute.
  • -csvfile : Read CSV stream from a file
  • -tmpobj : Create a dynamic object (i.e. an object with a TTL).
  • -optenc : Alias for -kerbenc
  • -digest : Digest authentication
  • -arecex : this enables A Record Exclusive mode. When you specify a host and this switch together, the underlying API will only look at the A record for the name, it will not try to guess if it is a domain. This can dramatically speed up bind times when you specify a host.
  • -hh : this is a shortcut for -h and -arecex together. I sort of look at -hh as meaning, no I really mean this server name, don’t try to look at domain names.
  • -hd : this was a request from a friend of mine, he wanted a shortcut for -h and -default.

* Added new shortcuts

  • -sc phantomgc : doGarbageCollectionPhantomsNow
  • -sc igcc : invalidateGCConnection
  • -sc rsc : renewServerCertificate
  • -sc rodcpurge : rODCPurgeAccount
  • -sc runpag : runProtectAdminGroupsTask
  • -sc runsamupg : runSamUpgradeTasks
  • -sc rsos : replicateSingleObject – SECRETS_ONLY

1/6/2010

Nice…

by @ 6:41 pm. Filed under tech

Someone asked me a question at work today about PowerShell… yes, I know, silly silly people but I was a bit curious as well so I opened up the PSompt (hmmm PSPrompt… Command PS… P Prompt… PS Prompt… ) err whatever… I opened the Windows application that gives me an interactive PowerShell instance and typed

help import-csv

That gave me what I needed to answer the question that was asked, so I responded to the question and said don’t ask me PowerShell questions ever again…

 

After that I noticed in the help where it said “RELATED LINKS” and it specified an online version. I thought that was quite cool, a link to the online assistance for a command right from the command line usage. That seemed very intelligent to me as it gave a location to go for quick help that could be more up to date or more fleshed out, etc. Then I thought, it would be really cool if you could ask for that help right from the command line… So without knowing if it would work or not I typed

help -online import-csv

and sure enough it popped an IE tab with the online help that was more fleshed out than the local usage.

I loved it. Great idea. I have filed that in the back of my head for future tools as well.

Anyway, I give kudos where kudos are due and definitely someone at MSFT who came up with that idea gets a Kudo. :)

   joe


10/1/2009

So I used Serverless Binding with ADSI (or .NET), now what DC am I talking to??

by @ 6:33 pm. Filed under tech

This is something that people occasionally want to do. There are two basic answers that I am aware of. The first I always remember right off since I am an LDAP API coder, is to look at the dnsHostName attribute of the rootdse of the server you are connected to. That is what AdFind and AdMod do when you see the lines

Using server: JOEWARE-DC1.joeware.local:389
Directory: Windows Server 2003

The other way which is ADSI specific and I spent an hour trying to recall today when asked is to use the ADSI GetOption method (IADsObjectOptions::GetOption) to retrieve the ADS_OPTION_SERVERNAME value. I actually have this in an example in my book that lists ACEs in an ACL.

Examples:

VBScript:

Const ADS_OPTION_SERVERNAME=0
'****************************************************************************
'Bind to object
'****************************************************************************
' Out is a helper sub and strLDAPPath the object's LDAP path; both are defined
' elsewhere in the book's script (WScript.Echo works in place of Out)
Out "Opening object - " & strLDAPPath
Set objObject = GetObject(strLDAPPath)
' IADsObjectOptions::GetOption returns the DNS name of the DC the bind landed on
strDC = objObject.GetOption(ADS_OPTION_SERVERNAME)

PowerShell (no not me, Brandon gave this to me…)

$dcobject = [adsi]"$Ldap"
$dc = $dcobject.Invoke("GetOption",0)

[ Correction: Quick thanks to Mike for pointing out Brandon’s typo so I could correct it. Brandon obviously meant $dcobject= and not $object= in line 1. He is very sorry to everyone for the typo and he will buy you a cup of coffee the next time he sees you all.  ;o) ]

.NET (again not me, but from a post by Mr. DS.NET programming… Joe Kaplan)

const int ADS_OPTION_SERVERNAME = 0; 
object server = entry.Invoke("GetOption", new object[] {ADS_OPTION_SERVERNAME});

 

  joe


4/1/2009

Goodbye LDAP… joe enters the exciting field of Cybernetics, Robotics, and Artificial Intelligence Constructs

by @ 1:54 pm. Filed under humour

As some of you witnessed at TEC 2009[1], I have put down my work on LDAP (since it’s a dead protocol and all…) and decided to enter the exciting field of Cybernetics, Robotics, and Artificial Intelligence Constructs. I was secretly testing my latest secret beta of the Tracy-bot artificial intelligence construct while attending TEC 2009.

While the sheer presence of the Tracy-bot in the technical sessions with a bunch of Nerds, Geeks, and other technical folks was enough to cause some folks to guess that it was an artificial construct, others needed to see the Tracy-bot getting drinks and snacks for myself and my friends as well as refusing to take money to go gamble to fully understand it was an artificial device. Still others were just standing around completely unaware and/or confused by the fact that the Tracy-bot was not human.

For those of you who didn’t realize that an artificial product was running around the conference, here is a picture of the secret beta product and possibly you will recall the artificial life form’s presence in several technical sessions at TEC 2009, including the Active Directory ESE (Extensible Storage Engine) session put on by none other than #2 of 6… Brett Shirley up to and including shouting out comments to have the presentation continue so Brett could show off his cool ESE Data Commit in Action Slide.

[Image: Tracy-bot with Bwandon]

The Tracy-bot kernel is code complete. The product will not be released until there is a full Software Development Kit for complete customization via Perl scripting as well as many pluggable modules such as the Chess Expert Module, Dungeons and Dragons module, Face Book module, French Maid Module, Catholic School Girl Module, Lawn Mowing Module, Pole Dancing module, Back Scratching Module, as well as the very difficult to produce “Enjoying Watching Science Fiction Shows” module. I have completed several modules but have been having issues with the Sci-Fi shows module as it is still producing crashes and system hangs in the kernel software that result in a snore like sound output as well as unintended hand gestures that result in channel changing.

Please note that neither a .NET Framework interface nor a Power Shell provider will ever be built or supported for the Tracy-bot. The goal is to make sure the Tracy-bot doesn’t become bloated and non-performant and that requires careful programming with native code. The engine is based on the Windows Server 2008 R2 Server Core OS though a fully functional Microsoft Surface GUI not based on any .NET framework components nor Explorer has been produced and is going through intense acceptance testing. Virtual versions of the Tracy-bot are being considered for the Nintendo Wii and iPod Touch.

No requests for beta products will be accepted. This is a closed beta testing program. :)

  joe

 

[1] Note that this is NOT my wrap-up on DEC/TEC/Whatever, simply a quick comment on what was going on as I have received some email on the subject and people are concerned that good non-NET based tools will no longer be produced.


3/20/2009

DEC^H^H^HTEC is almost here…

by @ 2:08 pm. Filed under tech

So who is going to TEC? Excited yet? You should be, it will be fun. Personally, I can’t wait to hear Dmitri, Brett, and yes, even Dean, speak. Those guys are incredibly bright and just plain know a lot of stuff. The weather in Vegas is slated to be in the low 70s and sunny. We missed the 80s by a week unfortunately.

If you are sitting in the sessions and wondering what kind of questions you should be asking…

In the sessions on PowerShell and ADAC (or ADMUX if you prefer) ask why the PowerShell cmdlets aren’t using LDAP[1] which is already present on every single domain controller… But instead a brand new “Web” Service that runs on a Windows Server 2008 R2 Domain Controller. See

http://technet.microsoft.com/en-us/library/dd378937.aspx

http://technet.microsoft.com/en-us/library/dd391908.aspx

http://msdn.microsoft.com/en-us/library/dd303965(PROT.10).aspx

http://msdn.microsoft.com/en-us/library/dd304395(PROT.10).aspx

 

No, this doesn’t mean you need to load IIS on the DCs. It is another binary. And in fact it really doesn’t have any HTTP involvement and doesn’t run over port 80, it is just XML. Just to get that easy question out of the way… But maybe questions about the amount of network traffic may be good ones to ask about since XML is such a ‘sparse’ protocol compared to LDAP. Maybe if we are lucky we could get a demo (including a network traffic comparison) of, say, dumping the email addresses for all users in a 50k user forest to a text file as done via LDAP and as done through PowerShell using the AD Cmdlets. That is actually a test I have been wanting to do but haven’t had the opportunity to set up a 2008R2 DC to do the tests. If I could only just install the PowerShell AD cmdlets to test… ;)   Another interesting test, of something that I just had to do at work yesterday in fact, would be to dump the replication metadata value for the legacyExchangeDN attribute for all person objects in a 75k user forest[3]. I needed to see if the LEDN had gone through some mass change at some point so was interested in version numbers and originating write dates. I can’t say for sure what the network impact delta would be between these two types of requests but I could hazard a guess.

 

Don’t worry, one of the presenters of this info is my good friend Dean Wells formerly the Dean of the Dean and joe Show before he joined the dark side (<insert heavy breathing>I’m your father Lucas</heavy breathing>) and he actually enjoys audience participation versus just everyone sitting there dead silent. If you weren’t planning on attending that session… “What are you INSANE!”. You know Dean, he is easily, hands down, the best presenter I have ever seen. It may not be the most informative presentation of the whole conference (though it very well likely could be – I would say it would be but it isn’t the Dean and joe Show where we could pick any topics we wanted, the topic is constrained) but it will certainly be the most entertaining and energetic and fun presentation at the whole conference as Dean could present the phone book and have everyone trying to get him to do a second session[4]. If you can make him stutter or be unable to respond to a question, kudos to you because I just haven’t seen it happen. No fair asking him questions like “Do you still beat your maid that you snuck into the country illegally from Romania?” as that just isn’t nice and really, how do you answer that question without stuttering? No, err yes err… Err Romania?? Where’s that? Oh Maid?? I don’t have a maid! ;o)

 

Note that I am aware that Active Directory 4th Edition is now out on the book shelves and at Amazon. While I won’t be bringing any copies I think Brian may be bringing copies for purchase. I don’t believe he will have any to give out for free because unlike when AD3E came out, O’Reilly didn’t seem interested in giving copies out at DEC err darnit TEC[5].  I don’t mind signing the books however you probably really want Brian’s signature as he is the author for this version. He took what I did and extended it and chopped out a bunch of stuff that I wanted to chop out but wasn’t allowed to chop out. 

 

So if you are going to TEC/DEC/Whatever… Have a safe flight/drive/train trip/whatever. If you aren’t going… I’m sorry that sucks. I know the company I work for wasn’t interested in paying my way and I didn’t want to speak to have NetPro/Quest pay to get me out there so I took it as a vacation time and am paying for it. On reflection, it probably is silly of me not to speak but in all honesty, I don’t much like to do it unless I have something specific I need to say and I never have anything I need to say at DEC. I just go to meet the people and talk to folks about the issues they encounter to give me ideas on ways I can try to help. If you folks who attend DEC/TEC/Whatever think that had value, tell every NetPro/Quest person you run into that and maybe they will bring me out there just to chat with people like I usually do. Especially do that if you have in the past told the NetPro/Quest people that you wanted to meet me or came because of me or my blog.

I think though if next year I am taking my vacation at this time and I am paying for it, I should take it in an island paradise, and if someone happens to be there that is into Active Directory stuff then I can chat with them there. :)

    joe

 

[1] Don’t worry, the Quest cmdlets for AD still use it though. So they will work against the various versions of AD without the need of a K8R2 DC with the Web Service loaded.

[2] That may or may not be a sarcastic comment. ;)

[3] adfind -gcb -f "&(objectcategory=person)(legacyexchangedn=*)" msDS-ReplAttributeMetaData;binary -mvfilter msDS-ReplAttributeMetaData=legacyexchangedn -csv

[4] Seriously, my opinion of Dean’s speaking ability is that high. Trust me on this, I had to try and speak after him in the same presentation and generally I consider myself to be a humorous, interesting person to chat with, just not after Dean has been up there prancing around in his glory. ;o)

[5] Had NetPro/Quest/Whatever not changed the name of the conference, who knows, O’Reilly might have given out some free copies… Now instead they hear, free books for TEC? Why? Now DEC, that we would give out free books at… (Man I am on a roll today!)


3/5/2009

Thanks to Active Directory Product Group and MVP Program and Thanks to my friends Dean/Erika for their hospitality

by @ 9:24 am. Filed under general

I just wanted to take a moment to send out a general thanks to the Active Directory Product Group at Microsoft. I always enjoy seeing the team as a whole but really enjoy the individual talk time with the PM’s and Devs even more. My favorite time for this summit was the open session where we got to sit and discuss the Recycle Bin feature stuff with Tim and Stephanie. Not because I think it is the only cool feature or anything, but because I really enjoyed the open discussion and it was nice to learn the technical details behind a feature that has been so long in coming. 

Uday and Moon, your presence was missed. Also I will miss seeing a large portion of the DS Team at DEC/TEC… Unfortunately it seems only a few of the DS Team will be able to make it to DEC/TEC due to budget cutbacks at MSFT. This is unfortunate because I often hear from the attendees that they really appreciate the availability of the Microsoft DS Team resources at DEC to respond to questions and hear feedback. Since this is the only conference with solid real deep focus on the DS pieces this is the best conference for Microsoft to send those resources but someone at some level doesn’t seem to understand that.

It was odd having my good friend Dean over on the other side of the fence as a Microsoft employee but I think it was good and he did Microsoft proud. I had a lovely time visiting with him and his wife (hmmm good meatballs) and awesome son (Hello Lucas… volcano!!!).

Just a quick FYI for those who kept asking me… The fact that Dean is working on PowerShell a lot now is not going to sway my opinion on it. Again, sorry to all those who asked me that specific direct question… but no. Not even for Dean. :) I will or will not use PowerShell when it becomes compelling specifically for me to use. This isn’t to say it isn’t the right answer for others, but that is for each individual to decide. I doubt there is anything that can be presented or said in a single presentation that could get any serious folks to just jump whole hog, this will be something admins choose to do or not based on their own thoughts, needs, and preferences. I found it odd when asked by some of the PM’s if I was just all of a sudden going to change my mind on it because of a good presentation. Does anyone make up their mind on whether they will change directions based on a good presentation? Once I need to do something that isn’t truly feasible for me to do (by my definition, no one else’s) in perl or command line tools that I have or can write, I will maybe look in that direction. More on the PowerShell stuff and specifically the DS Team’s AD and ADAM cmdlets for PowerShell in a later blog post.

 

Also a general thanks to the overall MVP program for having the Global Summit. It is always useful to me and this year by moving the Executive presentations to the end it really made me feel like my time was used well.

 

   joe


2/7/2009

More AdFind V01.40.00 sneak peek…

by @ 6:48 pm. Filed under tech

Back on Jan 21 I tipped my hand on a new capability in AdFind which for many people is extremely exciting based on the feedback in my inbox. To refresh your memory, that was the ability for AdFind to take in a list of Base DNs to execute queries against. For short we will say piping AdFind into AdFind, though you could, if for whatever reason it gripped you, pipe dsquery into AdFind.

Well in a follow up conversation with my friend and co-Author Brian Desmond, he asked “How do I pipe DNs from AdFind into AdFind and then get counts for the number of users under each of those DN’s?” My response was… well you can’t. The whole counting mechanism is based on the number of objects AdFind returns period… But then I thought, I hacked in CSV when I didn’t think I could… then I hacked in the piping in multiple DNs when I didn’t think I could, let me give this a try before totally saying no… So voila, a new switch because you just know there aren’t enough switches in AdFind yet…. The new switch is -ic… where -c stands for count, -ic stands for intermediate count… That lets you do something like….

G:\>adfind -default -f ou=* -dsq | adfind -sc adobjcnt:user

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) February 2009

Using server: r2dc1.test.loc:3268
Directory: Windows Server 2003

BaseDN: OU=CharTests,OU=TestOU,DC=test,DC=loc
1 intermediate objects returned

BaseDN: OU=createtest,OU=TestOU,DC=test,DC=loc
10 intermediate objects returned

BaseDN: OU=Deleted,OU=XXXTest,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=XXXTest,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=Domain Controllers,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=Email,OU=My,DC=test,DC=loc
1 intermediate objects returned

BaseDN: OU=GPOTest,OU=TestOU,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=Groups,OU=My,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=Groups,OU=TestOU,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=HideTest,OU=TestOU,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=joeperm,OU=TestOU,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=My,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=oneleveldown,OU=createtest,OU=TestOU,DC=test,DC=loc
1 intermediate objects returned

BaseDN: OU=Outlook,OU=TestOU,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=permtest,OU=TestOU,DC=test,DC=loc
2 intermediate objects returned

BaseDN: OU=PoSTest,DC=test,DC=loc
700001 intermediate objects returned

BaseDN: OU=Skip,OU=TestXXX,OU=XXXTest,DC=test,DC=loc
1 intermediate objects returned

BaseDN: OU=TestXXX,OU=XXXTest,DC=test,DC=loc
4 intermediate objects returned

BaseDN: OU=TestDisable,OU=XXXTest,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=TestOU,DC=test,DC=loc
6 intermediate objects returned

BaseDN: OU=Users,OU=My,DC=test,DC=loc
2 intermediate objects returned

BaseDN: OU=Users,OU=TestOU,DC=test,DC=loc
10 intermediate objects returned

700039 Objects returned

Anyone think that is pretty handy??? If so, you can thank Brian, he asked the right question at the right time… I modified the adobjcnt shortcut such that when it detects it is in multi-DN mode it will also insert the -ic switch as well as set the search scope to one-level. If you wanted counts of all of the users in each OU but you wanted the counts to roll up to the higher OUs as well you would simply add the -s sub or -s subtree switch to your command.

But then I thought, while that is useful, it would be even more useful if I could somehow get that in a CSV format so I could use this more easily from scripts when trying to get a snapshot of an environment… I looked and there was just no way I could get it into the CSV code path. When you do CSV the whole counting section isn’t used and even if it were, it is outside of the location where the CSV code is and in order to try and get it in there would cause me to use some wholly unnatural global variables and other things that just made me go, no, I will not go there, that is too ugly, too inelegant… I know I do some bad things in code, but I don’t want to do THAT bad of things in code.

All hope is not lost however. I decided to add… yes… another switch. I know I know, another one truly isn’t needed but I wanted this functionality and if you don’t like it, just ignore the fact that it is there. This switch is not a very flexible switch, there are no modifiers for it. It is called -ictsv and it simply takes the -ic output and makes it into a TAB Delimited format output. This isn’t going to be tweaked to allow different delimiters or anything like that. It is a hack completely outside the normal CSV routines which have all that flexibility. I chose tab delimited because DNs have commas and it is unlikely (impossible? I don’t know, didn’t test) to see a tab in a DN and to be honest, I like tab delimited output. I usually use TABs for my delimiters for CSV output. Anyway that output looks like…

G:\>adfind -default -f ou=* -dsq | adfind -sc adobjcnt:user -ictsv
OU=CharTests,OU=TestOU,DC=test,DC=loc   1
OU=createtest,OU=TestOU,DC=test,DC=loc  10
OU=Deleted,OU=XXXTest,DC=test,DC=loc 0
OU=XXXTest,DC=test,DC=loc    0
OU=Domain Controllers,DC=test,DC=loc    0
OU=Email,OU=My,DC=test,DC=loc   1
OU=GPOTest,OU=TestOU,DC=test,DC=loc     0
OU=Groups,OU=My,DC=test,DC=loc  0
OU=Groups,OU=TestOU,DC=test,DC=loc      0
OU=HideTest,OU=TestOU,DC=test,DC=loc    0
OU=joeperm,OU=TestOU,DC=test,DC=loc     0
OU=My,DC=test,DC=loc    0
OU=oneleveldown,OU=createtest,OU=TestOU,DC=test,DC=loc  1
OU=Outlook,OU=TestOU,DC=test,DC=loc     0
OU=permtest,OU=TestOU,DC=test,DC=loc    2
OU=PoSTest,DC=test,DC=loc       700001
OU=Skip,OU=TestXXX,OU=XXXTest,DC=test,DC=loc      1
OU=TestXXX,OU=XXXTest,DC=test,DC=loc      4
OU=TestDisable,OU=XXXTest,DC=test,DC=loc     0
OU=TestOU,DC=test,DC=loc        7
OU=Users,OU=My,DC=test,DC=loc   2
OU=Users,OU=TestOU,DC=test,DC=loc       10

Pretty cool huh… Anyone think that is handy? If so… well you are welcome… But something still bothers me about that output… Anyone else bothered by it? It could be just me but I kind of like seeing things that normally have a hierarchical form to be displayed that way. I don’t mean in the white space, but instead, I mean I don’t want to see something like

OU=Outlook,OU=TestOU,DC=test,DC=loc     0
OU=permtest,OU=TestOU,DC=test,DC=loc    2
OU=TestOU,DC=test,DC=loc        7

I want to see the TestOU first and then its sub-OUs after… I tried modifying my search to see if I could force AD to return the info in that order but quite frankly, AD truly isn’t hierarchical, it just appears that way. It is actually a flat database. The idea of hierarchy is imposed on it for LDAP purposes. So I thought, I really need to do something about this… This will drive me nuts. However, trying to retrieve all of the information and maintain it in memory so I can then sort it is ridiculous, might as well just write this thing in PowerShell or .NET… (count it…) if I do it in such a silly way… Then I thought, wait, I already have what I need in memory to sort it hierarchically after the DNs have been piped in so I added, yes thank you, another switch called -stdinsort. Why did I do this with a switch? Because I didn’t want to assume someone would want it sorted like I would and I didn’t want to assume I would always want it sorted. Also I wanted to give myself the ability to sort it hierarchically as well as alphabetically both case sensitive and case insensitive, so it is a switch with a default sort order of hierarchical but you can add cialpha or csalpha to get the other types of sort… Now that output looks like

G:\>adfind -default -f ou=* -dsq | adfind -sc adobjcnt:user -ictsv -stdinsort
OU=Domain Controllers,DC=test,DC=loc    0
OU=My,DC=test,DC=loc    0
OU=Email,OU=My,DC=test,DC=loc   1
OU=Groups,OU=My,DC=test,DC=loc  0
OU=Users,OU=My,DC=test,DC=loc   2
OU=PoSTest,DC=test,DC=loc       700001
OU=TestOU,DC=test,DC=loc        7
OU=CharTests,OU=TestOU,DC=test,DC=loc   1
OU=createtest,OU=TestOU,DC=test,DC=loc  10
OU=oneleveldown,OU=createtest,OU=TestOU,DC=test,DC=loc  1
OU=GPOTest,OU=TestOU,DC=test,DC=loc     0
OU=Groups,OU=TestOU,DC=test,DC=loc      0
OU=HideTest,OU=TestOU,DC=test,DC=loc    0
OU=joeperm,OU=TestOU,DC=test,DC=loc     0
OU=Outlook,OU=TestOU,DC=test,DC=loc     0
OU=permtest,OU=TestOU,DC=test,DC=loc    2
OU=Users,OU=TestOU,DC=test,DC=loc       10
OU=XXXTest,DC=test,DC=loc       0
OU=Deleted,OU=XXXTest,DC=test,DC=loc    0
OU=TestDisable,OU=XXXTest,DC=test,DC=loc        0
OU=TestXXX,OU=XXXTest,DC=test,DC=loc    4
OU=Skip,OU=TestXXX,OU=XXXTest,DC=test,DC=loc    1

Much better… ;o)
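If you are scripting against this output rather than reading it, here is an added example (my own code, not anything from AdFind) that consumes both forms shown above: the verbose -ic listing (BaseDN: / N intermediate objects returned) and the tab-delimited -ictsv listing. It then sorts the rows the way -stdinsort does and rolls the one-level counts up into subtree counts. The sort rule (compare the RDNs root-first, case-insensitively, so a parent sorts immediately before its children) is my assumption about what -stdinsort does, chosen because it reproduces the ordering in the listing above exactly; the roll-up assumes the counts are one-level counts and that every OU in the tree is present in the list, which the -f ou=* query guarantees. The sample text is reconstructed from the post's own listing with real tabs put back.

```python
"""Parse AdFind -ic / -ictsv per-base-DN counts, sort them hierarchically
(as -stdinsort does) and roll one-level counts up into subtree counts.
Added example, not AdFind code; the sort rule is an assumption."""
import re

# Constructed sample: the -ictsv listing from the post with real tabs restored.
SAMPLE_ICTSV = "\n".join(f"{dn}\t{n}" for dn, n in [
    ("OU=CharTests,OU=TestOU,DC=test,DC=loc", 1),
    ("OU=createtest,OU=TestOU,DC=test,DC=loc", 10),
    ("OU=Deleted,OU=XXXTest,DC=test,DC=loc", 0),
    ("OU=XXXTest,DC=test,DC=loc", 0),
    ("OU=Domain Controllers,DC=test,DC=loc", 0),
    ("OU=Email,OU=My,DC=test,DC=loc", 1),
    ("OU=GPOTest,OU=TestOU,DC=test,DC=loc", 0),
    ("OU=Groups,OU=My,DC=test,DC=loc", 0),
    ("OU=Groups,OU=TestOU,DC=test,DC=loc", 0),
    ("OU=HideTest,OU=TestOU,DC=test,DC=loc", 0),
    ("OU=joeperm,OU=TestOU,DC=test,DC=loc", 0),
    ("OU=My,DC=test,DC=loc", 0),
    ("OU=oneleveldown,OU=createtest,OU=TestOU,DC=test,DC=loc", 1),
    ("OU=Outlook,OU=TestOU,DC=test,DC=loc", 0),
    ("OU=permtest,OU=TestOU,DC=test,DC=loc", 2),
    ("OU=PoSTest,DC=test,DC=loc", 700001),
    ("OU=Skip,OU=TestXXX,OU=XXXTest,DC=test,DC=loc", 1),
    ("OU=TestXXX,OU=XXXTest,DC=test,DC=loc", 4),
    ("OU=TestDisable,OU=XXXTest,DC=test,DC=loc", 0),
    ("OU=TestOU,DC=test,DC=loc", 7),
    ("OU=Users,OU=My,DC=test,DC=loc", 2),
    ("OU=Users,OU=TestOU,DC=test,DC=loc", 10),
])

# Constructed sample of the verbose -ic form: two base DNs plus the grand total.
SAMPLE_IC = """BaseDN: OU=CharTests,OU=TestOU,DC=test,DC=loc
1 intermediate objects returned

BaseDN: OU=createtest,OU=TestOU,DC=test,DC=loc
10 intermediate objects returned

11 Objects returned
"""


def parse_ictsv(text):
    """Return [(dn, count)]. Split on the LAST tab so a tab inside a DN is harmless."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            dn, count = line.rsplit("\t", 1)
            rows.append((dn, int(count)))
    return rows


def parse_ic(text):
    """Return ([(dn, count)], grand_total) from the verbose -ic output."""
    pairs = re.findall(r"^BaseDN: (.+)\n(\d+) intermediate objects returned", text, re.M)
    total = re.search(r"^(\d+) Objects returned", text, re.M)
    return [(dn, int(n)) for dn, n in pairs], (int(total.group(1)) if total else None)


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (RFC 4514 backslash escapes are kept)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character: keep both
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def hier_key(dn):
    """Root-first tuple of lower-cased RDNs: a parent's key is a prefix of its children's."""
    return tuple(r.lower() for r in reversed(split_dn(dn)))


def sort_rows(rows, mode="hier"):
    """Order rows like -stdinsort: 'hier' (default), 'cialpha' or 'csalpha'."""
    keys = {"hier": lambda r: hier_key(r[0]),
            "cialpha": lambda r: r[0].lower(),
            "csalpha": lambda r: r[0]}
    return sorted(rows, key=keys[mode])


def rollup(rows):
    """Turn one-level counts into subtree counts by adding every listed descendant.
    Assumes every OU in the tree is in the list (as with -f ou=*)."""
    keyed = [(hier_key(dn), n) for dn, n in rows]
    out = []
    for dn, _ in rows:
        k = hier_key(dn)
        out.append((dn, sum(n for kk, n in keyed if kk[:len(k)] == k)))
    return out
```

Feed it the real thing with something like `adfind -default -f ou=* -dsq | adfind -sc adobjcnt:user -ictsv > counts.tsv` and `parse_ictsv(open("counts.tsv").read())`. Splitting on the last tab rather than the first is what makes the parser safe if a DN ever does carry a tab, and the hierarchical key doubles as the descendant test for the roll-up, so one DN parser serves both jobs.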

This and more in the new version of AdFind… AdFind V01.40.00 is expected to emerge from the cocoon on Feb 13, 2009.

     joe


10/7/2008

I code… therefore I am

by @ 10:42 pm. Filed under general

I am finally writing code again… I am happy about that because I was effectively not coding for over a year. Yes, for over a year, almost 15 months actually. That is a long time for me not to write code because it is one of my main creative outlets.

I will be releasing one of the tools because it is an update to GCChk. When I originally wrote GCChk I thought about allowing you to specify the DCs to use to check and then decided that AD is probably better at picking the DCs to use than most admins and didn’t allow you to specify the DCs. Well my good friend Guido ran into an issue that was a perfect example of why you may need to specify a DC to use to do the check. He actually needed to check one GC against the partitions on another GC. Now this normally wouldn’t be a good idea because you should probably check against a writeable partition as it would be considered a bit more authoritative, but Guido was in a position where he didn’t have network access to a writeable DC for the partitions he was checking due to the network configuration. The ONLY way to check for lingering objects would be to daisy chain from the writeable to the closest GC to the next closest GC etc all the way to the end of the WAN. The MSFT lingering object check in repadmin just can’t do it and trying to get that updated to do that would take an OS release and Guido was on a project that needed a very troubled forest checked out and fixed quickly. I couldn’t help him with correcting the issues, but I could help him out with identifying GCs and their specific issues. And so I updated GCChk to allow specifying GCs for the comparison. Again that will be uploaded in the next few weeks.

 

And the second tool I worked on was a complete surprise for me…. This one I had to work on for my day job so obviously I will never be releasing it. It is… yes wait for it… a C# utility… Yes I wrote my first .NET program. I will admit it was better than I expected but at the same time it was worse. The ".NET is so intuitive and easy" really wasn’t the case, at least not for me. And System.DirectoryServices has some serious issues and bad assumptions. I know I know Eric and JoeK and BrianD and everyone else who told me to use System.DirectoryServices.Protocols. Next time I play with .NET, I will do so. But I think it was good for me to see what most people who jump into .NET (and PowerShell) are likely going to use for directory access and I feel for them. I will try to write a blog or two on a few things that I found to be really annoying and/or bad.


[joeware – never stop exploring… is proudly powered by WordPress.]