joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...


AdFind close to the finish line…

by @ 5:04 am. Filed under general, tech

I believe we will see AdFind released in the next few days. It seems to be very stable, I use it every single day for literally thousands of queries of very large production Active Directory environments (millions of user accounts). Speed perfs are amazingly useful especially for the Security Descriptors. I got most of what I wanted into it though to be honest what I mostly wanted was a stable Visual Studio version with Windows 2016 decodes. I am working on updating the web page now. I had to go find the old web site source code as I switched laptops since the last time I released and silly me didn’t put the web site code with the rest of my source code… When am I going to learn that web pages are like app code if not actual app code and need version control just like my cpp files?? I guess now.

BTW, sad day. I finally bit the bullet and switched it from reporting Active Directory Application Mode if the ADAM service is older than the 2003 era service. The reason being that the number of emails I was receiving saying “Hey it is calling my ADLDS server an Active Directory Application Mode Server, what is wrong with the tool??” has increased substantially and I don’t have the time to explain to every admin who doesn’t understand the history. Overall, quick rant… The quality of admins (in general, not just AD) has been going down in the world, sadly, as has the number of those who understand the history. I am not the only one seeing this, I have had conversations with several well known (to me and the general AD public) MVPs and former MVPs who feel the same. Even though the product is in the C:\Windows\ADAM folder and has ADAM in the default installation path a lot of people now no longer know what ADAM is… Congratulations Microsoft Marketing…

Long live ADAM!




Flash Back Friday

by @ 7:11 pm. Filed under general, tech


But the schema says description is multivalued…



The Pollexy Project–Special Needs Voice Assistance

by @ 6:10 pm. Filed under general, tech

I kept meaning to share this with everyone because I really want to get this video everywhere I can to get as much exposure as possible to it out in the world.

Troy is a friend of mine that works for Amazon, he has a 16 year old son with Autism. See what cool thing he cooked up to help him out. This is absolutely awesome work.

I really think this is just the start of what we are going to do with voice tech to make the world better and safer.

And the blog –



Now this is a great email…

by @ 2:07 pm. Filed under general

I have been going through thousands of emails I was behind on and in great part there are a lot of “thanks but…” emails, this one is simply a thanks email. Loved it.


Subject: Thank you!

I just wanted to let you know that between ADFind, and some Unix/bash regular expressions-based pixie dust, I’ve been able to extract tons of information out of the active directory domain where I work…

Like a list of every (unique) job title used, a list of every server used as a network home, etc, etc, etc…

It’s been incredibly helpful in tracking the likely causes of some of the odd behaviors that the other techs and I have noticed over the years (specifically users in the same job who don’t have the same policies/access to things).

If you’re curious, I’d be happy to go into detail.

I strongly believe that life would be better if we were as compelled to thank people and tell them what they’re doing right as we are to complain. So, I wanted to thank you (in as direct a way as I can) for everything and offer my wishes that everything is going well for you. 🙂

– Kevin


From the mailbag… I want to see the information going through the pipeline from one command to the next…

by @ 1:49 pm. Filed under general, tech


Hi, Joe,

I’ve been using these 2 excellent utilities to manage users both in our AD domain and our legacy Novell eDirectory tree.

Recently I needed to move disabled accounts without our ‘KEEP’ flag set into a Leavers OU and came up with the 2 commands below:

adfind -h novserver -ssl -sslignoresrvcert -simple -b o=merpol -f "(&(objectclass=user)(!(generationqualifier=KEEP))(logindisabled=TRUE))" cn fullname -u cn=ldapuser,o=isdept -up password -adcsv > c:\tmp\move2leavers.csv

admod -h novserver -ssl -simple -move o=leavers -u cn=ldapuser,o=isdept -up password < c:\tmp\move2leavers.csv

I managed to do all this in 1 command by piping the output of the adfind command with the -adcsv switch into the admod command but I wanted to record the accounts moved so that I could add them to a cumulative log – hence the intermediate move2leavers.csv file. Was this the best way of achieving this or could I have used the one-liner and somehow recorded the accounts going through the pipeline?


Hi Frank,

Sorry for slow response. I was working for Hewlett Packard Enterprise last year and working way too much. I left them and have a normal job now so I am slowly catching up on joeware email and updating tools.

So anyway, there is nothing builtin that will do what you want here. AdMod does have a -log switch but that is for my debugging mostly. However, that being said, you can use a command line tool called TEE which you would insert in the pipeline and it could output the pipeline to a file while simultaneously shipping it to the next binary in the pipeline.

You can actually do this with a quick perl script as well. See attached 7zip file, you will have to rename it to .7z. I made a really quick and dirty perl script that can do it.

[Sat 04/22/2017 13:29:25.87]
E:\DEV\perl\tee>adfind -h k16tst.test.loc -f name=norm* -dsq | output.txt | admod -h k16tst.test.loc description::"normal user"

AdMod V01.18.00cpp Joe Richards ( March 2012

DN Count: 3
Using server: K16TST-DC2.k16tst.test.loc:389
Directory: Windows Server 2008 R2

Modifying specified objects…
   DN: CN=Norm User 3,OU=Users,OU=TestOU,DC=k16tst,DC=test,DC=loc…
   DN: CN=Norm User1,OU=Users,OU=TestOU,DC=k16tst,DC=test,DC=loc…
   DN: CN=Norm User2,OU=Users,OU=TestOU,DC=k16tst,DC=test,DC=loc…

The command completed successfully

[Sat 04/22/2017 13:34:22.66]
E:\DEV\perl\tee>type output.txt
"CN=Norm User 3,OU=Users,OU=TestOU,DC=k16tst,DC=test,DC=loc"
"CN=Norm User1,OU=Users,OU=TestOU,DC=k16tst,DC=test,DC=loc"
"CN=Norm User2,OU=Users,OU=TestOU,DC=k16tst,DC=test,DC=loc"

[Sat 04/22/2017 13:34:26.07]

If you don’t like compressed files, here is the code in clear text

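# Minimal tee: copy STDIN to the named file and to STDOUT.
my $filename=shift;

open OFH,">$filename" or die("ERROR: Couldn't open filename - $filename: $!\n");

while (<STDIN>)
 {
  print OFH $_;   # copy for the log file
  print $_;       # pass through to the next command in the pipeline
 }
close OFH;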

Cheers and again sorry for the slow response.




by @ 1:39 pm. Filed under general, tech

I am finally catching up on a lot of old email that I wasn’t able to get to, literally thousands of messages. I am quite happy with the number of people who find the tools useful, saving them minutes or hours of time, and with the other comments along the lines of “thanks, we were told by MSFT this or that wasn’t possible but you show how to do it or provide a tool to do it” and “we saved XX thousands of dollars by using your tools instead of buying products from other companies” (don’t forget about the tip jar at the top left of the screen at

As for questions… Let me post some quick hit answers that are all that is needed for a large percentage of the emails I am going through.


Q: I need to learn AD and/or something isn’t working right in the tool because <insert some problem here that shows the user is not at all familiar with AD such as incorrect ordering of RDNs in the DN>.

A: There are lots of good books out there, I will initially recommend my book as it has gone through multiple revisions to fix issues and it really does hit things from beginner to advanced.


Q: I love your free tools but <insert some aspect of how I provide the tools that someone doesn’t like for example they have to go to different links to download the tools or they aren’t available in a single zip or the tools display my joeware banner or anything else like that>. When will you get smart and fix it so I don’t have to deal with this?   (seriously had multiple emails that ended like that as if people are doing me a favor by using a tool I provide for free and ALLOW them to use)

A: The tools are free, I provide them in the way I do for specific reasons. The fact that they are free and you find them extremely useful and don’t have to pay for them (did I say free) means you can deal with it or you can find something else if there is anything else out there that does what you need. Alternately you could write your own see


Q: I need to learn PowerShell, how do I do that?

A: I don’t really use PowerShell but if you want to learn I recommend the many online resources for the topic.


Q: What is the warranty? I have a problem with the tool and I wrote critical processes that depend on it and I need the tool changed immediately. Or it broke something of mine and I need you to fix it for us now.

A: See warranty –


Q: I need the source for tool X for <insert any reason in the universe here>, when can you get that to me?

A: See the FAQ –


Q: When I start my computer or run XYX app I see your name/email pop for a second on my screen. What did you put on my machine?

A: Nothing, someone else, probably an admin or application provider is using one of my tools for something. My tools can all be found at and if you didn’t download something from there, you got it from someone other than me.


Q: Your initial image on your website is perverted.

A: No, it really isn’t.


Q: AdFind is broken because I see groups in ADUC that I don’t see in AdFind.

A: It isn’t broken, group enumeration isn’t a single straightforward LDAP query. Get my book and learn about how AD does groups. Also look at using my memberof utility.



AdFind V01.50.00 Beta 2 is now available

by @ 11:06 pm. Filed under general, tech


I have now uploaded a second beta of AdFind V01.50.00 to the website, you can find it at

The previous beta had two main issues with it.

First it was built with dynamic linking meaning that it looked for MSFT DLLs on the machine it was running on to utilize the API functions there. One of the “selling points” of using Visual Studio is using DLLs that are most likely already on Windows machines but I had enough folks respond saying that they didn’t or couldn’t load the redistributable packages that I decided to go back to my old ways of static linking meaning no other files should be required to run this version of the AdFind beta. If you find that not to be the case, please let me know.

Second I learned some interesting stuff about Visual Studio in that it is switching to Universal CRT / virtual APIs but this only works on newer OS machines, specifically it is not compatible with Windows 7 and Windows Server 2008 R2. I, being silly, had not tested the beta on Windows 7 nor Windows Server 2008 R2 machines so I didn’t catch that problem. It was quite a learning curve the last nine or so days to sort that out and get it fixed. That was especially fun with the lack of solid documentation as mentioned previously. I apologize it took so long, I have been pretty busy with my day job working a few more hours than I should be but that will be settling down soon once I get one of my current projects handled so I can focus on personal stuff and joeware some more again.

As before, please let me know any feedback you have, email to with ADFIND BETA in the subject so I will see it amongst everything else. I am still working through some of the other feedback, I will respond to everyone I just wanted to get these two main issues out of the way to allow for more testing for folks who were excluded with the first beta.



Stand Alone Binary of AdFind Beta that runs on Windows 7/Windows Server 2008 R2 and newer (and possibly older)

by @ 8:30 am. Filed under general, tech

I previously released a beta for AdFind that wasn’t statically linked. I did that with the thought that one of the big benefits of using Visual Studio is that a lot of people would already have the necessary DLLs. While a lot do, a lot also do not so I will be releasing a beta version of AdFind that is statically linked so there will be no need for other DLLs to be present on the machine.

And in the same vein, it took me a couple of weeks but I finally sorted out an issue with Visual Studio with writing code for Windows 7 / Windows Server 2008 R2. There is this new concept of Universal CRT and “API Sets” which are awesome for newer OSes but do not support the older OSes at all. It took me entirely too long to find this article

and in particular

Note Compatibility with Windows 7, Windows Server 2008 R2 and older operating systems: Binaries that link to MinCore.lib or MinCore_Downlevel.lib are not designed to work on Windows 7, Windows Server 2008 R2 or earlier. Binaries that need to run on earlier versions of Windows or Windows Server must not use either MinCore.lib or MinCore_Downlevel.lib.

The really awesome thing is that the MSDN Documentation for the API calls apparently assumes that no one wants to write code that runs on the older OSes so when they tell you what library (*.lib) to link in they tell you mincore.lib for a lot of stuff and not what the actual library needs to be if you need people to use an older OS with your application. IMO this is a massive documentation fail on the part of Microsoft. For example when you need to use the function GetFileVersionInfoSize you see on the website that you need mincore.lib, no mention of what to use if you need compatibility. Searching around doesn’t help you a whole lot until you start digging up some older posts where you find that it should be version.lib that is actually included.

The only way I am immediately aware of to quickly determine this information will require generous use of DUMPBIN /EXPORTS against the *.LIB files on your machine looking for the function you need. I visualize a perl script in my future.

Here is an example of what DUMPBIN /EXPORTS will show you for version.lib.

[Tue 04/18/2017  8:25:20.40]
E:\DEV\cpp>"C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\bin\x86_amd64\dumpbin" /exports "c:\Program Files (x86)\Microsoft SDKs\windows\v7.1a\lib\version.lib"
Microsoft (R) COFF/PE Dumper Version 14.00.24218.2
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file c:\Program Files (x86)\Microsoft SDKs\windows\v7.1a\lib\version.lib

File Type: LIBRARY


       ordinal    name



          C3 .debug$S
          14 .idata$2
          14 .idata$3
           4 .idata$4
           4 .idata$5
           C .idata$6
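
The lookup described above, as an added Python example that is not the author's script or joeware code: it parses `dumpbin /exports` text for each library and reports which libraries export a given API name, also trying the ANSI/Unicode A and W suffixes. The dump text, the `example.lib` entry and the function names are constructed sample data and assumptions; real input would be dumpbin's output for each *.LIB file.

```python
import re

# Constructed sample of `dumpbin /exports` text, keyed by library name
# (x86 decorated names). Not output captured from the original post.
SAMPLE_DUMPS = {
    "version.lib": """Dump of file version.lib
File Type: LIBRARY
     Exports
       ordinal    name

                  _GetFileVersionInfoA@16
                  _GetFileVersionInfoSizeA@8
                  _GetFileVersionInfoSizeW@8
  Summary
          C3 .debug$S
          14 .idata$2
""",
    "example.lib": """Dump of file example.lib
File Type: LIBRARY
     Exports
       ordinal    name

             12   _ExampleInit@0
                  ?Run@Example@@QAEXXZ
  Summary
           4 .idata$4
""",
}

def undecorate(symbol):
    """Strip x86 C decoration (_Name@8 -> Name); leave other names alone."""
    m = re.fullmatch(r"[_@]?([A-Za-z]\w*)(?:@\d+)?", symbol)
    return m.group(1) if m else symbol

def parse_exports(dump_text):
    """Names listed between the 'ordinal name' header and 'Summary'."""
    names, in_table = [], False
    for line in dump_text.splitlines():
        tokens = line.split()
        if tokens[:2] == ["ordinal", "name"]:
            in_table = True
        elif tokens[:1] == ["Summary"]:
            in_table = False
        elif in_table and tokens:
            names.append(tokens[-1])  # an ordinal, if present, comes first
    return names

def libs_exporting(function, dumps):
    """Libraries exporting `function`, or its ANSI/Unicode A/W variants."""
    wanted = {function, function + "A", function + "W"}
    return sorted(
        lib for lib, text in dumps.items()
        if any(n in wanted or undecorate(n) in wanted for n in parse_exports(text))
    )

if __name__ == "__main__":
    print(libs_exporting("GetFileVersionInfoSize", SAMPLE_DUMPS))
```
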


Anyway, I am testing the new beta build of AdFind compiled with Visual Studio 2017 with static linking and LIBS that are actually supposed to work on the older (and still supported MICROSOFT THANKYOUVERYMUCH) operating systems. I hope to post the new beta binary in the next day or so depending on issues encountered.


p.s. This had me pretty close to dumping Visual Studio again. I still might because it is crap that it is so poorly documented and I could see this causing all sorts of issues for developers.



Active Directory Deleted Objects

by @ 2:41 pm. Filed under general, tech

In case it is ever a question (say like someone from MSFT tells you it works differently), objects deleted in Active Directory go into the Deleted Objects container[1] of the Partition the objects live in. They do not get moved to the Configuration Partition Deleted Objects container.

[Mon 04/10/2017 14:37:42.83]
C:\>adfind -hh k16tst-dc1.k16tst.test.loc -gcb -f "cn=deleted objects" -dn -showdel

AdFind V01.50.00.00cpp VS BETA Joe Richards ( April 2016

Using server: K16TST-DC1.k16tst.test.loc:3268
Directory: Windows Server 2016

dn:CN=Deleted Objects,DC=k16tst,DC=test,DC=loc
dn:CN=Deleted Objects,CN=Configuration,DC=k16tst,DC=test,DC=loc
dn:CN=Deleted Objects,DC=k16tstchld,DC=k16tst,DC=test,DC=loc

3 Objects returned



[1] There are some special cases here, but under no circumstances do objects from PartitionN go to the Configuration Partition CN=Deleted Objects container once deleted.



AdFind V01.50.00 Beta is now available

by @ 8:16 pm. Tags:
Filed under general, tech, updates


I am now comfortable enough with the stability of AdFind V01.50.00 to release a beta of what is likely to be released.

I went extra slow on testing on this version because I have converted the compiler from C++ Builder (previously Borland) to Visual Studio. This resulted in a considerable speed increase which really surprised me. I have also made some other internal changes to help speed things up in larger environments, in particular with Security Descriptor decodes.

Here is a basic listing of the major updates:

BUGFIX: Fixed auto-nopaging        
Ported to Visual Studio 2015       
Change CHAR functions to _s versions
__int64 stuff for dstime for VS    
Threshold -> Windows Server 2016   
Fix bugs/add changes to dsheuristics
Added -prb                         
Added -appver                      
Fixed bad ! formatting for filterEx
Added -nonoise alias for exclrepl  
Added -sc schemadmp alias for sdump
Added -sc xrdmp alias for xrdump   
Added special bases -ds -svcs      
Fixed CanonicalName for \0A        
Bug Fix -sddl+ ***INVALID***       
Speed up SID resolve for SDDLs     
Decode msDS-ReplAuthenticationMode 
Added -dplsids                     
Added "short" option to -sc dclist 
Added decode of msds-revealedusers 
Added special base -delobjs        
Added utcgt/localgt for -binenc    
Removed GCLIST because it doesn’t work 
Added sslinfo (BETA)               
Changed schema pull page size to 1k
Changed ADAM to ADLDS              
Changed output format of sslinfo  

Get it here:

Please let me know any feedback you have, email to with ADFIND BETA in the subject so I will see it amongst everything else.


UPDATE: I have received some emails and other contact indicating that when some people run AdFind.exe it pops a dialog for missing DLLs. This beta build of AdFind is not a static build and depends on the VC++ 2015 Redistributables to be in place. If you don’t have them, you can get them at You need the x86 ones because currently AdFind x64 is still in the shop (and likely will not be released for V01.50.00).
