joeware - never stop exploring... :)

So here is an odd one from me, anyone that knows me knows I am not a GUI person. However every now and then I find something that catches my attention for a second and I will peek at it unless it exceeds my bored timeout of about 15 minutes (for GUI type things).

So I decide to try and dig through the masses of email I get every day and I see this email

Hi Joe,

This has been puzzling me for quite some time and now I have a need to make this work.

Is there any way of exposing the Operating-System-Servicepack-Level attribute to the Search tool?

Right now, you can select Computer Name, Description, Managed By, Name, Operating System, Operating System Version – and I would like Operating System Service Pack Level to be exposed.

I have gone through ADSIEdit and figured it might have something to do with the Security Descriptors on the Computers object, but the SDDL is pretty cryptic.

I know this can be done by VBScript, but I’d like to figure out how to expose attributes to Search.

Any ideas??

I hit reply and started to type “I don’t really do GUI” and then I thought, wait, I am collecting a list of things to send to Dmitri at MS of improvements people would like to see in ADUC. I figured, heck, at least lets see how hard this is to do.

Normally I would dig into the MSDN and start working from there but I seemed to recall seeing these strings in the config before so I ran the command

adfind -config -f * | grep -i "operating system version"

which generated

G:\>adfind -config -f * |grep -i "operating system version"

File STDIN:
>attributeDisplayNames: operatingSystemVersion,Operating System Version
>attributeDisplayNames: operatingSystemVersion,Operating System Version
STDIN: grep: input lines truncated - result questionable

Hmm ok, there is it. I see two attributes with it, most likely this is for multiple languages where it just so happens that two of the languages had the same string. So I need to narrow this down to a specific object

adfind -config -f "attributedisplaynames=operatingSystemVersion,Operating System Version" -incldn 409

I put in the -incldn 409 because I know English is 409 and I don’t care about the non-English items because I run English on my machine. Had I not put that parameter in there two objects would have been output. Did you know adfind did that? Most people don’t. If you knew, count yourself in the good adfind users.

So anyway, that gives me

dn:CN=computer-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=joe,DC=com
>objectClass: top
>objectClass: displaySpecifier
>cn: computer-Display
>distinguishedName: CN=computer-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20040309041843.0Z
>whenChanged: 20051221062452.0Z
>uSNCreated: 6909
>uSNChanged: 3669564
>showInAdvancedViewOnly: TRUE
>name: computer-Display
>objectGUID: {C1C924F7-E140-403B-94A5-1777D39B686D}
>contextMenu: 0,{62AE1F9A-126A-11D0-A14B-0800361B1103}
>adminPropertyPages: 10,{0F65B1BF-740F-11d1-BBE6-0060081692B3}
>adminPropertyPages: 7,{B52C1E50-1DD2-11D1-BC43-00C04FC31FD3}
>adminPropertyPages: 6,{4E40F770-369C-11d0-8922-00A024AB2DBB}
>adminPropertyPages: 5,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
>adminPropertyPages: 4,{6dfe648b-a212-11d0-bcd5-00c04fd8d5b6}
>adminPropertyPages: 3,{77597368-7b15-11d0-a0c2-080036af3f03}
>adminPropertyPages: 1,{6dfe6492-a212-11d0-bcd5-00c04fd8d5b6}
>shellPropertyPages: 2,{dde2c5e9-c8ae-11d0-bcdb-00c04fd8d5b6}
>shellPropertyPages: 1,{f5d121f4-c8ac-11d0-bcdb-00c04fd8d5b6}
>classDisplayName: Computer
>adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
>attributeDisplayNames: samAccountName,Computer name (pre-Windows 2000)
>attributeDisplayNames: operatingSystemVersion,Operating System Version
>attributeDisplayNames: operatingSystem,Operating System
>attributeDisplayNames: managedBy,Managed By
>attributeDisplayNames: description,Description
>attributeDisplayNames: cn,Name
>objectCategory: CN=Display-Specifier,CN=Schema,CN=Configuration,DC=joe,DC=com
>treatAsLeaf: TRUE
>createWizardExt: 1,{D6D8C25A-4E83-11d2-8424-00C04FA372D4}

Hmm, the attributeDisplayNames attribute looks like the list I see ADUC… I bet if I just jam in an attributedisplayname=operatingSystemServicePack,Operating System Service Pack in there it will show up next time I start ADUC[1]. So I test it with….

admod -b CN=computer-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=joe,DC=com "attributeDisplayNames:+:operatingSystemServicePack,Operating System Service Pack"

So now my attributeDisplayName looks like

>attributeDisplayNames: operatingSystemServicePack,Operating System Service Pack
>attributeDisplayNames: samAccountName,Computer name (pre-Windows 2000)
>attributeDisplayNames: operatingSystemVersion,Operating System Version
>attributeDisplayNames: operatingSystem,Operating System
>attributeDisplayNames: managedBy,Managed By
>attributeDisplayNames: description,Description
>attributeDisplayNames: cn,Name

Looks good. Let’s see if ADUC salutes…

Start up ADUC, right click dc=joe,dc=com and select find. Select computers in the Find dropdown. Select the advanced tab, cick on Field, voila, Operating System Service Pack is in the list… Now lets verify it will actually search it. Add the criteria (starts with s) and clicked Find Now. Cool, up pops machines. But wait, do they really have an SP on them? Click View | choose columns. Cool There is Operating System Version… Add that to Column. Click Ok and there it is, operating system service pack listed.

So how could I have done that faster and easier?

All one command that would work on any AD that you have the appropriate perms to write too…

adfind -config -f "attributedisplaynames=operatingSystemVersion,Operating System Version" -incldn 409 | admod "attributeDisplayNames:+:operatingSystemServicePack,Operating System Service Pack"

That will “fix” the English version.

I guess the logical suggestion to MS on this is to maybe have a nice GUI option in ADUC or maybe separately to select which display specifiers you have available for the various items. It is very cool this is here to manipulate that but I would venture to say that most admins would be (rightly usually) scared to touch it with raw AD edits and possibly their corporate policy doesn’t let them go in and directly make changes like that.

This is almost certainly fully documented in MSDN or technet, searching google would probably turn up 1 or 100 links with documentation that may or may not be straightforward and good[2]. I imagine some of you are like, yo dude, why didn’t you go look it up? See above. Plus, I don’t care all that much, AD should mostly be managed at the command line in my opinion, GUIs are generally slow and inefficient. You don’t manage a 100,000 user or even a small 1000 user AD from ADUC. If you do, someone probably needs fired. That is extremely inefficient. Those who know me are probably boggled that I spent any time at all even looking at a GUI problem but hey, someone asked and if someone asks me something and I don’t know the answer, I tend to wonder myself. 😉

joe

[1] You will note I generally assume the DS guys do things the intelligent way because usually they do. Ok, maybe not the intelligent way, in a way similar to what I would consider doing which I will usually define as intelligent. 🙂

[2] Thankfully AD works better than it is documented. A lot of iffy if not really bad documentation floating around out there.