joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

12/24/2024

Stop Writing Shitty AD Sync Methods

by @ 4:54 pm. Filed under general

Dear everyone out there still working with Active Directory (so most all large orgs and Security Vendors and other Software Vendors), please stop writing whenChanged or uSNChanged based AD Sync methods for your applications. Those may be fine (still bad) for some small company with 1-2 domain controllers but they are utter crap for large companies and do nothing but cause issues and confusion and inconsistent data syncing.

There is a MSFT article, “https://learn.microsoft.com/en-us/windows/win32/ad/polling-for-changes-using-usnchanged” that makes it seem like uSNChanged polling is a good thing, it isn’t. I have seen so many large well-known vendors using this technique and just causing any number of issues because of it, usually inconsistency in the synced data but also in large directories it is abusive when you have much better mechanisms to just return actual changes being tracked by the directory.

Currently, the very first bullet of that article is wrong, and has been wrong for quite some time:

Only for highly privileged applications: To use the DirSync control, an application must run under an account that has the SE_SYNC_AGENT_NAME privilege on the domain controller. Few accounts are so highly privileged, so an application that uses the DirSync control cannot be run by ordinary users.

Since Windows Server 2003 we have had the LDAP Control “LDAP_DIRSYNC_OBJECT_SECURITY” which allows anyone who can see AD to perform DirSync operations on AD. In AdFind you can use the OS option in the -dirsync_opts switch to see it in action. I use it on a regular basis with completely normal basic userids to watch flow of changes in AD. It is kind of fun actually, it helps to find stupidity in AD like products that are changing shit all of the time that shouldn’t be.

Anyway, if you are writing some quick and dirty application to look for changes quickly in some small application in some small directory, have at it. If you are writing a full blown application, especially an application you expect to sell to companies for thousands or millions of $$, do it correctly. Use DirSync if you are syncing data between AD and your application, if you just need occasional notifications of specific changes (like a config change), then use Change Notification.

DirSync (this is the most common case)

https://learn.microsoft.com/en-us/windows/win32/ad/polling-for-changes-using-the-dirsync-control

LDAP Specific – https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/ldap-server-dirsync-oid

Change Notification

https://learn.microsoft.com/en-us/windows/win32/ad/change-notifications-in-active-directory-domain-services
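The DirSync loop the post recommends, as an added example that is not code from the post or from AdFind. It BER-encodes the LDAP_SERVER_DIRSYNC_OID request value (flags, max bytes, cookie), parses the response value (moreResults, cookie), and drives the cookie-based loop until the DC reports no more pages. The LDAP transport is injected so the loop can be exercised offline; `FakeDC` is a constructed stand-in whose cookie is just a log position (a real cookie is opaque and must only be stored and handed back). The flag constants are the documented MS-ADTS values; `LDAP_DIRSYNC_OBJECT_SECURITY` is the bit that removes the SE_SYNC_AGENT_NAME requirement the post talks about.

```python
"""Minimal DirSync client logic: encode the request control, decode the
response control, and follow the cookie. No whenChanged/uSNChanged math."""
from typing import Callable, List, Tuple

LDAP_SERVER_DIRSYNC_OID = "1.2.840.113556.1.4.841"
# Flag bits of the DirSync request value (MS-ADTS).
LDAP_DIRSYNC_OBJECT_SECURITY = 0x00000001       # honour the caller's ACLs, no sync privilege needed
LDAP_DIRSYNC_ANCESTORS_FIRST_ORDER = 0x00000800  # parents before children
LDAP_DIRSYNC_PUBLIC_DATA_ONLY = 0x00002000
LDAP_DIRSYNC_INCREMENTAL_VALUES = 0x80000000     # changed link values only


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form above (cookies get big)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(v: int) -> bytes:
    """Minimal two's-complement INTEGER; a leading 0x00 keeps 0x80000000 positive."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    body = v.to_bytes(n, "big", signed=True)
    return b"\x02" + _ber_len(len(body)) + body


def _ber_octets(b: bytes) -> bytes:
    return b"\x04" + _ber_len(len(b)) + b


def _ber_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def encode_dirsync_request(flags: int, max_bytes: int, cookie: bytes = b"") -> bytes:
    """DirSyncRequestValue ::= SEQUENCE { flags INTEGER, maxBytes INTEGER, cookie OCTET STRING }"""
    body = _ber_int(flags) + _ber_int(max_bytes) + _ber_octets(cookie)
    return b"\x30" + _ber_len(len(body)) + body


def encode_dirsync_response(more: bool, cookie: bytes) -> bytes:
    """DirSyncResponseValue ::= SEQUENCE { moreResults INTEGER, unused INTEGER, cookie OCTET STRING }"""
    body = _ber_int(1 if more else 0) + _ber_int(0) + _ber_octets(cookie)
    return b"\x30" + _ber_len(len(body)) + body


def decode_dirsync_response(value: bytes) -> Tuple[bool, bytes]:
    """Return (moreResults, cookie) from the response control value."""
    tag, seq, _ = _ber_read(value, 0)
    if tag != 0x30:
        raise ValueError("DirSync response value is not a SEQUENCE")
    tag, more, pos = _ber_read(seq, 0)
    if tag != 0x02:
        raise ValueError("moreResults is not an INTEGER")
    _, _unused, pos = _ber_read(seq, pos)
    tag, cookie, _ = _ber_read(seq, pos)
    if tag != 0x04:
        raise ValueError("cookie is not an OCTET STRING")
    return int.from_bytes(more, "big", signed=True) != 0, cookie


# One search with the DirSync control attached: takes the request control value,
# returns (entries, response control value). Real code binds ldap3, wldap32 or
# System.DirectoryServices here; the demo below injects a fake DC.
Transport = Callable[[bytes], Tuple[List[dict], bytes]]


def dirsync_poll(transport: Transport, cookie: bytes = b"",
                 flags: int = LDAP_DIRSYNC_OBJECT_SECURITY,
                 max_bytes: int = 1_000_000) -> Tuple[List[dict], bytes]:
    """Pull everything changed since `cookie` (b"" = initial full sync), following
    moreResults pages. Persist the returned cookie with your data; it is the watermark."""
    changed: List[dict] = []
    while True:
        entries, resp = transport(encode_dirsync_request(flags, max_bytes, cookie))
        changed.extend(entries)
        more, cookie = decode_dirsync_response(resp)
        if not more:
            return changed, cookie


class FakeDC:
    """Constructed stand-in for a DC: an append-only change log paged by position.
    The cookie here is the log position; a real DirSync cookie is opaque."""

    def __init__(self, page_size: int = 2) -> None:
        self.log: List[dict] = []
        self.page_size, self.calls = page_size, 0

    def change(self, dn: str, **attrs: str) -> None:
        self.log.append({"dn": dn, **attrs})

    def search(self, request_value: bytes) -> Tuple[List[dict], bytes]:
        self.calls += 1
        _, seq, _ = _ber_read(request_value, 0)
        _, _flags, pos = _ber_read(seq, 0)
        _, _max, pos = _ber_read(seq, pos)
        _, cookie, _ = _ber_read(seq, pos)
        start = int.from_bytes(cookie, "big") if cookie else 0
        end = min(start + self.page_size, len(self.log))
        return self.log[start:end], encode_dirsync_response(end < len(self.log), end.to_bytes(4, "big"))


def demo() -> Tuple[int, int, int]:
    """Initial sync of 5 objects in 3 pages, then one incremental poll returning only the delta."""
    dc = FakeDC(page_size=2)
    for i in range(5):  # constructed sample objects
        dc.change(f"CN=user{i},OU=Staff,DC=example,DC=test", title="analyst")
    initial, cookie = dirsync_poll(dc.search)
    dc.change("CN=user3,OU=Staff,DC=example,DC=test", title="lead")
    delta, _cookie = dirsync_poll(dc.search, cookie)
    return len(initial), len(delta), dc.calls


if __name__ == "__main__":
    print(demo())
```

With ldap3, for example, the request value goes on the search as `controls=[(LDAP_SERVER_DIRSYNC_OID, True, encode_dirsync_request(...))]` and the response value comes back in the result's controls under the same OID. Two things the loop relies on: the DC only sends objects that actually changed (with just the changed attributes, plus objectGUID and instanceType), and deletions arrive as tombstones with isDeleted set, so nothing needs a periodic full re-pull to catch what a whenChanged filter missed.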

I recall talking to one large, well known company, actually this has happened a few times over the last decade with large software developers, about their AD Syncing, their app was abusing my AD with whenChanged syncing + just pulling all objects (millions) every few hours in case whenChanged missed something (because it is likely to happen if you don’t know how AD works) and likely fell back on the full syncs every few hours because of issues they had already seen in the past. I explained they needed to switch to using DirSync and do it correctly, the response back is that that is complicated and will take months. I spent a few hours over the weekend and added the functionality to AdFind, which was not ever originally set up or structured to use DirSync. Is it perfect? No, but it shows it isn’t a months long issue for a company with professional developers.

So companies, don’t let your developers use shitty AD Syncing mechanisms. And if you are buying software and you know it is doing AD Syncing, find out HOW they are doing it and don’t let them use shitty AD Syncing mechanisms. If they won’t tell you, you can do some packet tracing and sort out exactly what they are doing and if they do shitty syncing, they probably do other shitty things. There are not a lot of amazing developers out there, there are just a lot of developers out there and some really good sales people.

My favorite quote about programming is the following quote that I first heard from a professor at Michigan State University in 1988, it is called Weinberg’s Law:

If Builders Built Buildings the Way Programmers Wrote Programs, Then the First Woodpecker That Came Along Would Destroy Civilization

Somewhat ironically, the professor that shared this with me also argued with me about the idea that the more people who get involved with programming the better the overall code space would get (which is the battle cry of open source you may notice). I thought that was a complete crap position based on the fact that not even our very small coding classes back then had but maybe 10% of people who didn’t write complete crap code and that was a highly filtered group of people. I could not visualize any world where adding a whole bunch of people who weren’t as highly filtered could possibly increase the percentage of decent coders. And now nearly 4 decades later with huge amounts of random people thinking they are developers now, I look around and feel I was 100% accurate in my assessment all the way back then. All we have been doing is making the door wider for more unqualified people to come in building more and more complex frameworks for people and web based RESTful APIs and now the shitty AI we have at the moment which is, basically, glorified google focused on Stack Overflow.

   joe


11/3/2024

Windows Server 2025 is now GA, AdFind Updates For Windows Server 2025 AD Under Way

by @ 3:12 pm. Filed under general

AdFind updates for 2025 (and other things) are under way. Thirty something builds or so since the last publicly released version of AdFind.

[Sun 11/03/2024 14:05:12.57]
D:\DEV\cpp\vs\AdFind\Debug>adfind -appver

AdFind V01.64.00cppBETA Joe Richards (support@joeware.net) November 2024
  BUILD    : 1.64.0.6206_DEBUG
  BUILDDATE: 20241103-14:03:46 EST x86 VS2022
  WIN32  PATH: D:\DEV\cpp\vs\AdFind\Debug\AdFind.exe
  NATIVE PATH: \Device\HarddiskVolume4\DEV\cpp\vs\AdFind\Debug\AdFind.exe

[Sun 11/03/2024 14:05:21.11]
D:\DEV\cpp\vs\AdFind\Debug>adfind -hh k25-dc1.k25.test.loc -rootdse

AdFind V01.64.00cppBETA Joe Richards (support@joeware.net) November 2024

Using server: K25-DC1.K25.test.loc:389
Directory: Windows Server 2025 (10.0.26100.1)

dn:
> domainFunctionality: 10 [Windows Server 2025 Domain Mode]
> forestFunctionality: 10 [Windows Server 2025 Forest Mode]
> domainControllerFunctionality: 10 [Windows Server 2025 Mode]
> rootDomainNamingContext: DC=K25,DC=test,DC=loc
> ldapServiceName: K25.test.loc:k25-dc1$@K25.TEST.LOC
> isGlobalCatalogReady: TRUE
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: GSS-SPNEGO
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: DIGEST-MD5
> supportedLDAPVersion: 3
> supportedLDAPVersion: 2
> supportedLDAPPolicies: MaxPoolThreads
> supportedLDAPPolicies: MaxPercentDirSyncRequests
> supportedLDAPPolicies: MaxDatagramRecv
> supportedLDAPPolicies: MaxReceiveBuffer
> supportedLDAPPolicies: InitRecvTimeout
> supportedLDAPPolicies: MaxConnections
> supportedLDAPPolicies: MaxConnIdleTime
> supportedLDAPPolicies: MaxPageSize
> supportedLDAPPolicies: MaxBatchReturnMessages
> supportedLDAPPolicies: MaxQueryDuration
> supportedLDAPPolicies: MaxDirSyncDuration
> supportedLDAPPolicies: MaxTempTableSize
> supportedLDAPPolicies: MaxResultSetSize
> supportedLDAPPolicies: MinResultSets
> supportedLDAPPolicies: MaxResultSetsPerConn
> supportedLDAPPolicies: MaxNotificationPerConn
> supportedLDAPPolicies: MaxValRange
> supportedLDAPPolicies: MaxValRangeTransitive
> supportedLDAPPolicies: ThreadMemoryLimit
> supportedLDAPPolicies: SystemMemoryLimitPercent
> supportedLDAPPolicies: SecurityDescriptorWarningSize
> supportedControl: 1.2.840.113556.1.4.319 [LDAP_PAGED_RESULT_OID_STRING]
> supportedControl: 1.2.840.113556.1.4.801 [LDAP_SERVER_SD_FLAGS_OID]
> supportedControl: 1.2.840.113556.1.4.473 [LDAP_SERVER_SORT_OID]
> supportedControl: 1.2.840.113556.1.4.528 [LDAP_SERVER_NOTIFICATION_OID]
> supportedControl: 1.2.840.113556.1.4.417 [LDAP_SERVER_SHOW_DELETED_OID]
> supportedControl: 1.2.840.113556.1.4.619 [LDAP_SERVER_LAZY_COMMIT_OID]
> supportedControl: 1.2.840.113556.1.4.841 [LDAP_SERVER_DIRSYNC_OID]
> supportedControl: 1.2.840.113556.1.4.529 [LDAP_SERVER_EXTENDED_DN_OID]
> supportedControl: 1.2.840.113556.1.4.805 [LDAP_SERVER_TREE_DELETE_OID]
> supportedControl: 1.2.840.113556.1.4.521 [LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID]
> supportedControl: 1.2.840.113556.1.4.970 [LDAP_SERVER_GET_STATS_OID]
> supportedControl: 1.2.840.113556.1.4.1338 [LDAP_SERVER_VERIFY_NAME_OID]
> supportedControl: 1.2.840.113556.1.4.474 [LDAP_SERVER_RESP_SORT_OID]
> supportedControl: 1.2.840.113556.1.4.1339 [LDAP_SERVER_DOMAIN_SCOPE_OID]
> supportedControl: 1.2.840.113556.1.4.1340 [LDAP_SERVER_SEARCH_OPTIONS_OID]
> supportedControl: 1.2.840.113556.1.4.1413 [LDAP_SERVER_PERMISSIVE_MODIFY_OID]
> supportedControl: 2.16.840.1.113730.3.4.9 [LDAP_CONTROL_VLVREQUEST]
> supportedControl: 2.16.840.1.113730.3.4.10 [LDAP_CONTROL_VLVRESPONSE]
> supportedControl: 1.2.840.113556.1.4.1504 [LDAP_SERVER_ASQ_OID]
> supportedControl: 1.2.840.113556.1.4.1852 [LDAP_SERVER_QUOTA_CONTROL_OID]
> supportedControl: 1.2.840.113556.1.4.802 [LDAP_SERVER_RANGE_OPTION_OID]
> supportedControl: 1.2.840.113556.1.4.1907 [LDAP_SERVER_SHUTDOWN_NOTIFY_OID]
> supportedControl: 1.2.840.113556.1.4.1948 [LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID]
> supportedControl: 1.2.840.113556.1.4.1974 [LDAP_SERVER_FORCE_UPDATE_OID]
> supportedControl: 1.2.840.113556.1.4.1341 [LDAP_SERVER_RODC_DCPROMO_OID]
> supportedControl: 1.2.840.113556.1.4.2026 [LDAP_SERVER_DN_INPUT_OID]
> supportedControl: 1.2.840.113556.1.4.2064 [LDAP_SERVER_SHOW_RECYCLED_OID]
> supportedControl: 1.2.840.113556.1.4.2065 [LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID]
> supportedControl: 1.2.840.113556.1.4.2066 [LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID]
> supportedControl: 1.2.840.113556.1.4.2090 [LDAP_SERVER_DIRSYNC_EX_OID]
> supportedControl: 1.2.840.113556.1.4.2205 [LDAP_SERVER_UPDATE_STATS_OID]
> supportedControl: 1.2.840.113556.1.4.2204 [LDAP_SERVER_TREE_DELETE_EX_OID]
> supportedControl: 1.2.840.113556.1.4.2206 [LDAP_SERVER_SEARCH_HINTS_OID]
> supportedControl: 1.2.840.113556.1.4.2211 [LDAP_SERVER_EXPECTED_ENTRY_COUNT_OID]
> supportedControl: 1.2.840.113556.1.4.2239 [LDAP_SERVER_POLICY_HINTS_OID]
> supportedControl: 1.2.840.113556.1.4.2255 [LDAP_SERVER_SET_OWNER_OID]
> supportedControl: 1.2.840.113556.1.4.2256 [LDAP_SERVER_BYPASS_QUOTA_OID]
> supportedControl: 1.2.840.113556.1.4.2309 [LDAP_SERVER_LINK_TTL_OID]
> supportedControl: 1.2.840.113556.1.4.2330 [LDAP_SERVER_SET_CORRELATION_ID_OID]
> supportedControl: 1.2.840.113556.1.4.2354 [LDAP_SERVER_THREAD_TRACE_OVERRIDE_OID]
> supportedCapabilities: 1.2.840.113556.1.4.800 [LDAP_CAP_ACTIVE_DIRECTORY_OID]
> supportedCapabilities: 1.2.840.113556.1.4.1670 [LDAP_CAP_ACTIVE_DIRECTORY_V51_OID]
> supportedCapabilities: 1.2.840.113556.1.4.1791 [LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID]
> supportedCapabilities: 1.2.840.113556.1.4.1935 [LDAP_CAP_ACTIVE_DIRECTORY_V60_OID]
> supportedCapabilities: 1.2.840.113556.1.4.2080 [LDAP_CAP_ACTIVE_DIRECTORY_V61_R2_OID]
> supportedCapabilities: 1.2.840.113556.1.4.2237 [LDAP_CAP_ACTIVE_DIRECTORY_W8_OID]
> subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=K25,DC=test,DC=loc
> serverName: CN=K25-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=K25,DC=test,DC=loc
> schemaNamingContext: CN=Schema,CN=Configuration,DC=K25,DC=test,DC=loc
> namingContexts: DC=K25,DC=test,DC=loc
> namingContexts: CN=Configuration,DC=K25,DC=test,DC=loc
> namingContexts: CN=Schema,CN=Configuration,DC=K25,DC=test,DC=loc
> isSynchronized: TRUE
> highestCommittedUSN: 12989
> dsServiceName: CN=NTDS Settings,CN=K25-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=K25,DC=test,DC=loc
> dnsHostName: K25-DC1.K25.test.loc
> defaultNamingContext: DC=K25,DC=test,DC=loc
> currentTime: 20241103190552.0Z
> configurationNamingContext: CN=Configuration,DC=K25,DC=test,DC=loc
> validFSMOs: CN=Schema,CN=Configuration,DC=K25,DC=test,DC=loc
> validFSMOs: CN=Partitions,CN=Configuration,DC=K25,DC=test,DC=loc
> validFSMOs: DC=K25,DC=test,DC=loc
> validFSMOs: CN=Infrastructure,DC=K25,DC=test,DC=loc
> validFSMOs: CN=RID Manager$,CN=System,DC=K25,DC=test,DC=loc
> usnAtRifm: 1
> tokengroups: S-1-5-21-1203498047-784946223-2106378776-500
> tokengroups: S-1-5-21-1203498047-784946223-2106378776-513
> tokengroups: S-1-1-0
> tokengroups: S-1-5-32-544
> tokengroups: S-1-5-32-545
> tokengroups: S-1-5-32-554
> tokengroups: S-1-5-2
> tokengroups: S-1-5-11
> tokengroups: S-1-5-15
> tokengroups: S-1-5-21-1203498047-784946223-2106378776-512
> tokengroups: S-1-5-21-1203498047-784946223-2106378776-520
> tokengroups: S-1-5-21-1203498047-784946223-2106378776-518
> tokengroups: S-1-5-21-1203498047-784946223-2106378776-519
> tokengroups: S-1-5-21-1203498047-784946223-2106378776-572
> tokengroups: S-1-5-64-10
> supportedExtension: 1.3.6.1.4.1.1466.20037 [LDAP_SERVER_START_TLS_OID]
> supportedExtension: 1.3.6.1.4.1.1466.101.119.1 [LDAP_TTL_REFRESH_OID]
> supportedExtension: 1.2.840.113556.1.4.1781 [LDAP_SERVER_FAST_BIND_OID]
> supportedExtension: 1.3.6.1.4.1.4203.1.11.3 [LDAP_SERVER_WHO_AM_I_OID]
> supportedExtension: 1.2.840.113556.1.4.2212 [LDAP_SERVER_BATCH_REQUEST_OID]
> supportedConfigurableSettings: DynamicObjectDefaultTTL
> supportedConfigurableSettings: DynamicObjectMinTTL
> supportedConfigurableSettings: DisableVLVSupport
> supportedConfigurableSettings: ADAMDisablePasswordPolicies
> supportedConfigurableSettings: ADAMDisableLogonAuditing
> supportedConfigurableSettings: ADAMLastLogonTimestampWindow
> supportedConfigurableSettings: RequireSecureSimpleBind
> supportedConfigurableSettings: RequireSecureProxyBind
> supportedConfigurableSettings: MaxReferrals
> supportedConfigurableSettings: ReferralRefreshInterval
> supportedConfigurableSettings: SelfReferralsOnly
> supportedConfigurableSettings: ADAMAllowADAMSecurityPrincipalsInConfigPartition
> supportedConfigurableSettings: ADAMDisableSPNRegistration
> supportedConfigurableSettings: ADAMDisableSSI
> supportedConfigurableSettings: DenyUnauthenticatedBind
> spnRegistrationResult: 21
> serviceAccountInfo: machineDomainName=K25
> schemaIndexUpdateState: 3
> msDS-PrincipalName: K25\Administrator
> msDS-PortSSL: 636
> msDS-PortLDAP: 389
> dsSchemaPrefixCount: 39
> dsSchemaClassCount: 270
> dsSchemaAttrCount: 1507
> dsaVersionString: 10.0.26100.1 (WinBuild.160101.0800)
> databaseGuid: 00000000-0000-0000-0000-000000000000
> approximateHighestInternalObjectID: 5147

1 Objects returned


6/6/2024

joeware license clarification

by @ 10:38 pm. Filed under general

A colleague from my HP days (neither he nor I work for HP anymore) reached out to me to ask for clarification on the joeware licensing for use WITHIN a company, specifically the company he works for now. He wasn’t asking for you and your company, I mean, he is a terribly great nice person and cares a great deal about people and I can absolutely say this as I worked with him for quite a while, but he does have his priorities. Open-mouthed smile  What he asked does apply to most companies as well so if there was any confusion in your companies, I am sorry for that. I hope this clarifies things.

The question was, basically… If we want to use your tools internally, does every single person in the company have to download the tools individually or can we download a copy and put it up on an internal SharePoint, File Share, or OneDrive (or whatever)?

If it is for corporate use and not being distributed to others, especially as part of a solution being sold, then feel free to download and serve out to your internal corporate users from whatever internal distribution model you want to use. Feel free to drop me a line giving me hints on what tools and how popular they are so I can keep the usage in the back of my mind for tool popularity but you don’t even have to do that.

I will even, and have in the past, negotiated terms with folks who want to distribute joeware tools as part of their solutions they are selling to their customers. I am not greedy about it, I just think my beak should get a little bit wet too if someone is taking my work and using it to make some money themselves. I, at least, deserve a nice dinner and something from the top shelf of the dessert cart if someone is making money off of what I have created that they find to be so good it is worth selling as part of something under their own banner. Considering over the last 25 years how much time my tools have saved, how many people and companies I have helped, and how many millions, yes millions of $$$ that my tools have saved companies it is a bit stingy not to share some love with me.

     joe  


10/28/2023

Welp, it was good for a while but…

by @ 2:50 pm. Filed under general

…Microsoft, you have become so damn annoying with Windows Defender and other things that I am looking to turn it off permanently because I, not you, get to be the arbiter of what I want on my machine and if I say leave this on my machine, I shouldn’t have to retell you over and over and over and over again.

Not only that, I am now looking to completely replace my Windows Laptops with FreeBSD laptops. It brings me no joy to say that as a near 20 year Microsoft MVP but you always wanted us to be honest about when MSFT is doing a shit job and well… In many areas and in many ways, you are absolutely doing a shit job. If I can find a manufacturer that actually builds decent quality laptops that come pre-loaded and fully supported with FreeBSD, I will start buying them exclusively for my home. I will still have virtual Windows servers for testing things for work until I find alternative solutions for that as well but I am likely going to be removing all Windows from my personal life.

In the meanwhile I am looking into this.

https://www.makeuseof.com/permanently-disable-microsoft-defender-windows-11/


10/14/2023

AdFind V01.62.00 released

by @ 7:59 pm. Filed under general

I released V01.62.00 last night to fix a crash bug introduced in V01.61.00 from integrating some of the joe only private ldap query tool functionality because some of the core functionality was different enough to be problematic.

If you ran into that crash bug, my deepest apologies. Smile 

  joe


10/8/2023

Final compiles for AdFind V01.61.00 and AdMod V01.28.00 and…

by @ 5:45 pm. Filed under general

I just performed the final compiles and final commits for AdFind V01.61.00, AdMod V01.28.00, and joe’s private LDAP query tool because MSFT has their head up their ass in going after AdFind and I need a tool around that doesn’t just disappear when they decide to take it because they know better than anyone else what should be allowed on Windows machines and casually ignore that AdFind has never caused any damage and that PowerShell is used regularly to harm companies. This tells you the level of intelligence going on in the MSFT Antimalware/Antivirus space. They could be redefining how Antimalware and Antivirus are handled but clearly have no one smart enough to do it. If they ran the rest of the world there would be no pressure cookers, cars, bats, knives, guns, sticks, or rocks.

I should have the new versions of AdFind and AdMod up on the website in the next 1-7 days I expect.

   joe


Bard learns better than most people.

by @ 12:19 pm. Filed under general

image

image

image


Microsoft AI should probably replace the folks over at Microsoft Defender Analysis

by @ 12:04 pm. Filed under general

image

The first bit is of course wrong, AdFind cannot bypass any security in place.

The second bit is of course right, AdFind is not malware despite what Windows Defender says. I expect this goes back to some person at Microsoft who doesn’t understand what software is nor how it works and has never, on their own, ever produced anything of value that people liked to use. Smile


9/18/2023

Nara is blogging now!

by @ 9:31 pm. Filed under tech

My good friend, former coworker, and someone I trained for several years on the topics of Active Directory, Windows, and just troubleshooting the world at scale with basic fundamentals is now blogging the cool and fun stuff he is digging into which is usually a mix of Windows, AD, Azure AD (ok Entra ID), and GCP. You can check him out at

https://blog.naraware.net

Tell him I said hi! 🙂

joe


5/6/2023

New Versions of AdFind and AdMod Posted

by @ 6:59 pm. Filed under tech, updates

I know I know, I have said this a few times, I will not be building new versions of AdFind / AdMod and releasing them, but here I am again, releasing new versions of AdFind/AdMod.

Note, AdFind is STILL not malware, regardless of what any security tool or security “expert” says. If your company blocks the download or running of it, go talk to your Security folks and tell them to stop it because the tool isn’t dangerous. In fact, if they want to block something, tell them to block PowerShell, that is actually dangerous.

Check out their individual download pages for the changes. Mostly bug fixes though I have started adding some more Red Hat IPA decodes (time decodes) to AdFind. If you see issues, let me know, my previous test bed is now unavailable and I haven’t built a new one yet.

If your browser won’t download it, check out https://blog.joeware.net/2023/02/22/6166/

