joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

AdFind V01.31.00

by @ 9:29 pm on 3/24/2006. Filed under updates

AdFind has been updated. I call this the DEC Release for the Directory Experts Conference because my good friend Dean kept saying when working out presentation ideas, “It sure would be cool if AdFind could do this and this and that and this and maybe some of that and…”. I just kept writing his ideas down thinking yeah that would be useful, that is cool, that is going to be a pain, etc etc but I think I got everything he asked about.

Certainly there is no other command line AD or ADAM LDAP tool publicly available or probably even privately available that can display info in the way AdFind can as well as decode things that others can’t. :o) A lot of the things that you can’t do with LDAP queries that you normally have to script around I have put into the tool so you can do things like filter out objects with specific strings in the DNs or only display objects with specific strings in the DNs or only display values in a multivalue attribute that have a specific string in them (see -sc exchaddresses and consider the power of the -sc exchaddresses:smtp shortcut switch). Also I now have a replaceDN capability so say you want a generic Schema Dump that doesn’t have any forest references, you do something like -sc schemadump and voila… Now you do that against another forest and use Windiff and you can quickly see differences if you don’t want to work out how to use adschemaanalyzer from the R2/Sp1 ADAM installation.

Seeing that this is one of the most popular joeware tools out there this should be pretty exciting for folks. I have a TON of changes in this version, so many I am not even going to list them all here, instead go to

http://www.joeware.net/win/free/tools/adfind.htm

Something that I think is pretty cool is I made some previously hidden “shortcut” options available. Shortcuts are “quicker” ways to do things that at least I like to do so I don’t have to type as much. For instance if I want a schema definition for a name of a class/attribute I could do

adfind -schema -f "|(name=somename)(ldapdisplayname=somename)" -schdc

or I can use the new shortcut

adfind -sc s:somename

There are a ton of these shortcuts which I have put below. But in the meanwhile there are a bunch of other switches and mods added as well. So many in fact that I am going to write up a little book about AdFind I think walking people through how to use it. It will be a general AD and AD/AM LDAP primer as well as how to use AdFind to its best capacity.

Here is the list of shortcut options that are now available. If you have common tasks you do with adfind which is a large collection of switches, let me know what it is and maybe I will add it to the shortcut list.

AdFind Shortcuts
================
AdFind has a new option to allow you to specify shortcuts. Shortcuts are
not actual commands themselves but instead are shortcuts to other commands
so you do not have to recall or type the longer commands. Anything one of
the shortcuts does is actually a combination of various other switches. To
see exactly what switches are specified on your behalf, use the -po switch
in combination with the shortcut switch and it will show you everything that
AdFind is processing.

Since these shortcuts are simply a combination of switches auto-entered for
you it means that generally you can use the other switches in AdFind to add
to the query to focus it further or get output closer to what you need. In
addition, most of the shortcuts support the added switch -af xxx, this
allows you to ‘add on’ to the filter that is specified by the shortcut
in case you want to make the filter more granular.

If you have an issue with any of these shortcuts, remember you can just
enter the proper combination of real switches yourself. In general the
shortcuts will work on Windows 2000 AD, Windows Server 2003 AD, and ADAM.
There are however some shortcuts that will not work on Windows 2000 AD
and those have been noted and where possible I have added other shortcuts
specific to Windows 2000 to try and get the same info. There are also some
shortcuts that are specific to AD or ADAM. The name of the shortcut
should help in the event that a switch is specific to ADAM or AD in most
cases. This isn’t for all cases because there are shortcuts that
don’t work on Windows 2000 AD or Windows Server 2003 AD but are expected
to work in a future version of AD.

When in doubt, just try the switches, AdFind is a query only tool, it can
not harm your directory by writing data to it because it can’t write.

--------------Shortcuts--------------
-af xxx                 Add filter to hardcoded filter in most shortcuts

-sc modes               Show DC, Domain, and Forest Mode info from RootDSE

-sc forestmodes         Show modes from NC partition objects for forest
-sc forestmodes:csv     Same as above but CSV output

-sc dcmodes             Show modes of all DCs in forest from config
-sc dcmodes:csv         Same as above but CSV output

-sc masterncs           Show NCs mastered by all DCs in forest
-sc masterncs:csv       Same as above but CSV output

-sc appparts            Show application partitions
-sc appparts:csv        Same as above but CSV output
-sc apppartsl           Same as above but sorted list output

-sc appparts+           Show application partitions (extra info)
-sc appparts+:csv       Same as above but CSV output

-sc adsid:xx            Resolve Active Directory SID (xx) to object
-sc adguid:xx           Resolve Active Directory GUID (xx) to object

-sc fo:xx               Find object in GC with name xx.
-sc kids:xx             Dump one level kids of DN xx.
-sc u:xx                Find user in GC with name/samaccountname of xx.
-sc g:xx                Find group in GC with name/samaccountname of xx.
-sc c:xx                Find computer in GC with name/samaccountname of xx.

SCHEMA SHORTCUTS
****************
-sc sguid:xx            Resolves rightsGuid or schemaIdGuid to object
                        will not work on Windows 2000. Use next switches.
-sc s2kguid:xx          Resolves schemaIDGuid to object
-sc r2kguid:xx          Resolves rightsGuid to object

-sc fincpropsetrg:xx    Resolves property set displayname to rightsGuid
-sc propsetmembers:xx   Finds all attributes with specified rightsGuid
-sc propsetmembersl:xx  Same as above but sorted list output

-sc s:xx                Find schema objects by name/lDAPDisplayName
-sc sl:xx               Same as above but sorted list output

-sc scontains:xx        Find classes an attribute is directly part of
-sc scontainsl:xx       Same as above but sorted list output

-sc cc:xx               Find classes that include specified class
-sc ccl:xx              Same as above but sorted list output

-sc pas                 Display attributes marked for PAS inclusion
-sc pasl                Same as above but sorted list output

-sc indexed             Display attributes marked as indexed
-sc indexedl            Same as above but sorted list output

-sc tuple               Display attributes marked as tuple indexed
-sc tuplel              Same as above but sorted list output

-sc cindexed            Display attributes marked as container indexed
-sc cindexedl           Same as above but sorted list output

-sc sindexed            Display attributes marked as subtree indexed
-sc sindexedl           Same as above but sorted list output

-sc confidential        Display attributes marked as confidential
-sc confidentiall       Same as above but sorted list output

-sc copy                Display attributes marked to be copied
-sc copyl               Same as above but sorted list output

-sc constructed         Display constructed attributes
-sc constructedl        Same as above but sorted list output

-sc cat1                Display category 1 attributes
-sc cat1l               (cat one el) Same as above but sorted list output

-sc norepl              Display non-replicated attributes
-sc norepll             Same as above but sorted list output

-sc norepl+             Display non-replicated attributes (no links)
-sc norepll+            Same as above but sorted list output

-sc anr                 Display ANR attributes
-sc anrl                Same as above but sorted list output

-sc tombstone           Display attributes maintained in tombstone
-sc tombstonel          Same as above but sorted list output

-sc linked              Display linked value attributes
-sc linkedl             Same as above but sorted list output

-sc linked:fwd          Display forward linked value attributes
-sc linkedl:fwd         Same as above but sorted list output

-sc linked:rev          Display reverse linked value attributes
-sc linkedl:rev         Same as above but sorted list output

-sc sdump               Dump schema in generic format for comparison
-sc sdump:csv           Same as above but CSV output

UNIVERSAL GROUP CACHING SHORTCUTS
*********************************
-sc ugcenabled          Sites enabled for Universal Group Caching (UGC)
-sc ugcenabledl         Same as above but sorted list output

-sc usedugc             Display users/computers that have used UGC
-sc usedugc:decode      Same as above but decode values

-sc dumpugcinfo         Dump info for users/computers that have used UGC
-sc dumpugcinfo:decode  Same as above but decode values

FSMO SHORTCUTS
**************
-sc fsmo                Display all FSMOs in domain of DC plus forest roles

-sc fsmo:domain         Display all FSMOs in domain of DC
-sc fsmo:pdc            Display PDC FSMO
-sc fsmo:rid            Display RID FSMO
-sc fsmo:im             Display Infrastructure Master FSMO

-sc fsmo:forest         Display forest FSMOs
-sc fsmo:schema         Display Schema FSMO
-sc fsmo:dnm            Display Domain Naming Master FSMO

EXCHANGE SHORTCUTS
******************
-sc exchaddresses       Display objects with Exch addresses and addresses
-sc exchaddresses:xx    Same as above, but only display addresses with xx

ADAM SHORTCUTS
**************
-sc whoami              Display authenticated user info and token
-sc whoami:csv          Same as above but CSV output

-sc adamsid:            Resolve ADAM SID (xx) to object
-sc adamguid:           Resolve ADAM GUID (xx) to object

-sc caua                Add Constructed ADAM User Attribs for display

7 Responses to “AdFind V01.31.00”

  1. irish.bug says:

    Joe,

    Thanks for all the hard work on this new version. I can’t wait to give it a try on Monday.

  2. Athif says:

    Hi Joe,

    Thanks again. I am going to try that right now.

    Mohammed Athif Khaleel
    MVP – WSUS
    http://msmvps.com/athif

  3. Fred says:

    Great job, Joe, thanks.

  4. Mike Kline says:

    Thanks Joe!! I can’t wait to give this new version a try. I saw comments on other posts that you should have a donate button. I know I would certainly donate.

    You should be given the MVP for life title for all the work you do in the AD community.

    Thanks
    Mike

  5. joe says:

    Excellent sounds like you guys are liking this as much as I do.

    MVP for life…. hmmm. Very cool but I have to turn it down. It might make me lazy knowing I didn’t have to work for it. 😉

  6. Mike Kline says:

    Can’t imagine you getting lazy man. The posts you been putting up on activedir.org the last few days have been really good too.

    In the dynamic groups post today you asked “Helpful? Did I just waste time?”

    Nope you didn’t waste time; your posts probably teach more people about AD than you realize. I know I learn a lot from them.

    Someday I’ll come out of lurker mode on activedir.org, but that list is the equivalent of playing with Michael Jordan or Larry Bird. Active Directory legends/mentors/gurus are on the list and I don’t want to say anything stupid. Right now I play on the lower levels (sites like experts-exchange) and I learn on activedir.org thanks to posts like yours.

    I’ll be at DEC next year for sure after seeing all the great reviews this year. Thanks for posting your presentation!!

  7. joe says:

    Excellent, glad you liked the posts Mike.

    Don’t be afraid to post on activedir.org, the list thrives on the diversity of the opinions.
