I saw a posting that had a piece on AdFind at ActiveDir.org that made me want to post something to my blog here for anyone who doesn’t read ADOrg…
Basically one of the posters came up with a good way of setting local admin passwords on machines, and part of the solution was to use AdFind to get the list of machines. I was thrilled to see that, but the command line was a little longer than needed. I don’t blame the poster; that is actually an issue with AdFind: there are so many options that sometimes you don’t see the cool option you need. So in case anyone else is doing anything similar, here is some help for you.
Basically the command used was
adfind -b ou=prodservers,ou=computers,dc=contoso,dc=com -f "objectcategory=computer" cn -nolabel -nodn | grep -iv "Objects returned" | grep -iv "Directory" | grep -iv "Using Server" | grep -iv "^$" > d:\servers.txt
The goal here is to get a list of computer names that doesn’t have my “shameless” AdFind banner in the listing. I actually have an option explicitly to help with that when listing a single attribute… that option is called… -list
So instead of the command above using the grep’s to filter out some of the output, you can instead do something like
adfind -b ou=prodservers,ou=computers,dc=contoso,dc=com -f "objectcategory=computer" cn -list > d:\servers.txt
Much simpler, much cleaner, more pretty. 🙂
And in the spirit of perl… there is more than one way to slice this orange… You could also do something like
adfind -b ou=prodservers,ou=computers,dc=contoso,dc=com -f "objectcategory=computer" cn -nodn -nocsvheader -csv > d:\servers.txt
Granted, that isn’t as elegant, but it does quote the server names for you if you need them quoted.
Probably the one functional change I would make overall would be to dump the dNSHostName attribute instead of cn/name. Why, you ask? Well, my dear reader, because then you don’t have to rely on short hostname resolution. I would also change the filter to AND the computer objectCategory with dNSHostName having a value: if that attribute isn’t populated on a computer object, the computer hasn’t successfully spoken to AD yet, so why waste time on it? So how about…
adfind -b ou=prodservers,ou=computers,dc=contoso,dc=com -f "&(objectcategory=computer)(dnshostname=*)" dnshostname -list > d:\servers.txt
joe
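For readers who would rather do the same query with the ActiveDirectory PowerShell module than with AdFind, here is an added example (not from the original post or from AdFind itself). It assumes the RSAT ActiveDirectory module is installed and reuses the post’s sample base DN, dropping the odd ou=computers level; the output file path is the same as in the post. Select-Object -ExpandProperty plays the role that -list plays in AdFind: it emits bare strings with no header or object noise. As in the post, the (dNSHostName=*) clause drops computer accounts that have never populated that attribute, so anything that relies on those accounts being listed needs a different filter.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory
# module (RSAT). The base DN and output path mirror the post's sample values.
Import-Module ActiveDirectory

$base    = 'OU=prodservers,DC=contoso,DC=com'   # assumed sample OU from the post
$outFile = 'D:\servers.txt'

# Same LDAP filter the post settles on: computer objects that have a dNSHostName.
# Objects without one have not yet registered with AD and are skipped on purpose.
$filter = '(&(objectCategory=computer)(dNSHostName=*))'

Get-ADComputer -SearchBase $base -SearchScope Subtree -LDAPFilter $filter -Properties dNSHostName |
    Select-Object -ExpandProperty dNSHostName |   # bare FQDN strings, no header (like adfind -list)
    Sort-Object |
    Set-Content -Path $outFile -Encoding ASCII     # one FQDN per line, plain ASCII for downstream tools
```

Using the FQDN from dNSHostName rather than cn sidesteps short-name resolution, which is the reason the post gives for preferring that attribute.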
!!!!!!!!!
Where the frakk has the -list switch been all my life?!?!?!?!?
🙂
@Laura
The same place it was when I was contemplating asking for a feature enhancement, but figured I’d better scour the 4 pages of adfind /?? first.
Also, the -qlist switch produces pretty similar output to “-nodn -nocsvheader -csv”. The only difference I can see is that the -list and -qlist switches output a blank line before the list.
Hey, Joe.
The (dnshostname=*) restriction will also exclude any NT hosts in your domain, i.e. it will be a superset of the “machines that haven’t spoken to AD yet”, and also find what the (operatingSystem=Windows NT) restriction would find.
… and I think using a OU=computers is confusticating in the base DN. Can I suggest that a sample base DN of just:
-b ou=prodservers,dc=contoso,dc=com
or
-b cn=computers,dc=contoso,dc=com
would be clearer for those of us that don’t speak LDAP as a mother tongue?
… and WordPress is getting in the way of the copy and paste again; this time, instead of spacing being an issue, it is converting the quotes from ASCII 34 to pretty glyphs (Unicode 8220 and 8221, I think).
… and to get my vote in, I use the -csv output option, usually like this:
-csv -csvnoq -csvdelim \t
and that works for me. I started there, and therefore hadn’t noticed the banner being a problem!
An interesting variation of the banner output is in Mark Russinovich’s psexec.exe utility … if I remember it rightly, he outputs his banner to stderr so that it appears with stdio output at the console, but a simple (and optimistic) redirection to a file does not include the banner (or any errors). I hope you find that interesting, too.
8)
Scotte:
LOL, totally forgot about the -qlist option. 🙂
Andrew:
The example actually was a direct cut and paste from the ActiveDir Org post. I didn’t even look at the DN LOL. That is definitely not a good base DN. 🙂
You are obviously correct on the NT4 exclusion; that would also hit NT emulator type devices like some of the SMB/CIFS NAS devices. Totally forgot about that whole range of boxes. I would argue that NT4 should be gone by now, and well, you won’t be setting passwords on the NAS devices likely.
Yeah I noticed the funky handling of some of the characters as well; I need to dig into that…
I actually used stderr exclusively for a long time for banners and errors because that is the old cmd line tool way going back years and years and years. However I have had so many people bitch about it because it didn’t redirect as “they” expected I started moving things to stdout in the various tools because it seems fewer and fewer people know about or care about stderr.