Example 1: Get tokenGroups attribute for every direct member of the domain admins group.
F:\Dev\Current\CPP\AdFind\Release>adfind -default -f name="domain admins" member -list | adfind -s base tokengroups -resolvesids
AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009
Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
dn:CN=TestAdminClone,OU=Users,OU=TestOU,DC=test,DC=loc
>tokenGroups: BUILTIN\Users
>tokenGroups: BUILTIN\Administrators
>tokenGroups: TEST\DnsAdmins
>tokenGroups: TEST\Domain Users
>tokenGroups: TEST\Domain Admins
dn:CN=$joe,OU=Users,OU=My,DC=test,DC=loc
>tokenGroups: BUILTIN\Users
>tokenGroups: BUILTIN\Administrators
>tokenGroups: TEST\DnsAdmins
>tokenGroups: TEST\Schema Admins
>tokenGroups: TEST\Enterprise Admins
>tokenGroups: TEST\Domain Users
>tokenGroups: TEST\Domain Admins
dn:CN=Administrator,CN=Users,DC=test,DC=loc
>tokenGroups: BUILTIN\Users
>tokenGroups: BUILTIN\Administrators
>tokenGroups: TEST\DnsAdmins
>tokenGroups: TEST\Schema Admins
>tokenGroups: TEST\Enterprise Admins
>tokenGroups: TEST\Domain Users
>tokenGroups: TEST\Group Policy Creator Owners
>tokenGroups: TEST\Domain Admins
3 Objects returned
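An added example, not part of the original post or of AdFind itself: a small parser for the default output format shown in Example 1 (`dn:` lines followed by `>attribute: value` lines), used to report which direct members of Domain Admins also carry Schema Admins or Enterprise Admins in their tokenGroups. The function names `parse_adfind` and `forest_wide_rights` are hypothetical, and the sample is Example 1 trimmed to two objects with the count line adjusted to match.

```python
import re

# Trimmed from Example 1 on this page: two of the three objects, so the
# trailing count line is adjusted to match (constructed sample).
SAMPLE = r"""AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009
Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
dn:CN=TestAdminClone,OU=Users,OU=TestOU,DC=test,DC=loc
>tokenGroups: BUILTIN\Users
>tokenGroups: BUILTIN\Administrators
>tokenGroups: TEST\DnsAdmins
>tokenGroups: TEST\Domain Users
>tokenGroups: TEST\Domain Admins
dn:CN=$joe,OU=Users,OU=My,DC=test,DC=loc
>tokenGroups: BUILTIN\Users
>tokenGroups: BUILTIN\Administrators
>tokenGroups: TEST\DnsAdmins
>tokenGroups: TEST\Schema Admins
>tokenGroups: TEST\Enterprise Admins
>tokenGroups: TEST\Domain Users
>tokenGroups: TEST\Domain Admins
2 Objects returned
"""

def parse_adfind(text):
    """Return ({dn: {attr: [values]}}, reported_count) from default AdFind output."""
    records, current, reported = {}, None, None
    for line in text.splitlines():
        if line.startswith("dn:"):
            current = records.setdefault(line[3:].strip(), {})
        elif line.startswith(">") and current is not None:
            # Split on the first colon only: values such as ldaps://host:636 contain more.
            attr, _, value = line[1:].partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
        elif (m := re.match(r"(\d+) Objects returned", line)):
            reported = int(m.group(1))
    return records, reported

def forest_wide_rights(text, watch=(r"\Schema Admins", r"\Enterprise Admins")):
    """Map each DN to the watched groups found in its resolved tokenGroups."""
    records, reported = parse_adfind(text)
    if reported != len(records):  # truncated or interleaved output: do not trust it
        raise ValueError(f"parsed {len(records)} objects, tool reported {reported}")
    return {dn: [g for g in attrs.get("tokenGroups", []) if g.endswith(watch)]
            for dn, attrs in records.items()}
```

The count check matters when output is captured to a file: a report that silently drops the last object would otherwise look like a clean audit.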
Example 2a: Get sAMAccountName for all direct members of Domain Admins group
F:\Dev\Current\CPP\AdFind\Release>adfind -default -f name="domain admins" member -list | adfind -s base samaccountname
AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009
Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
dn:CN=TestAdminClone,OU=Users,OU=TestOU,DC=test,DC=loc
>sAMAccountName: TestAdminClone
dn:CN=$joe,OU=Users,OU=My,DC=test,DC=loc
>sAMAccountName: $joe
dn:CN=Administrator,CN=Users,DC=test,DC=loc
>sAMAccountName: Administrator
3 Objects returned
Example 2b: Get sAMAccountName for all direct members of Domain Admins group (alternate method using attribute scoped query)
F:\Dev\Current\CPP\AdFind\Release>adfind -default -f name="domain admins" -dsq | adfind -s base -asq member samaccountname
AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009
Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
dn:CN=Administrator,CN=Users,DC=test,DC=loc
>sAMAccountName: Administrator
dn:CN=$joe,OU=Users,OU=My,DC=test,DC=loc
>sAMAccountName: $joe
dn:CN=TestAdminClone,OU=Users,OU=TestOU,DC=test,DC=loc
>sAMAccountName: TestAdminClone
3 Objects returned
Example 3: Dump the serviceBindingInformation attribute for any ADAM serviceConnectionPoint objects that belong to Windows XP Professional machines. And no, this isn’t contrived, this is something I have wanted to do a few times to find people playing with ADAM on workstation class machines as well as something I have been asked how to do in the past… Normally this would take a script.
F:\Dev\Current\CPP\AdFind\Release>adfind -default -f "&(objectcategory=computer)(operatingsystem=Windows XP Professional)" -dsq | adfind -s one -f "&(objectcategory=serviceconnectionpoint)(serviceclassname=LDAP)" servicebindinginformation
AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009
Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
dn:CN={cb226d48-e9a7-420a-bce0-98edcc6b8cf2},CN=SFMXP64,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://sfmxp64.test.loc:636
>serviceBindingInformation: ldap://sfmxp64.test.loc:389
dn:CN={e4756748-fc8b-4166-8b7b-498bd97c9949},CN=SFMXP64,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://sfmxp64.test.loc:636
>serviceBindingInformation: ldap://sfmxp64.test.loc:389
dn:CN={3991aa1d-c87d-46cd-a08c-c52af9ae168e},CN=SFMXP32,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://sfmxp32.test.loc:636
>serviceBindingInformation: ldap://sfmxp32.test.loc:389
dn:CN={d3c0e3ee-d888-496d-acf0-6e4078052476},CN=HOMEXP,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://homexp.test.loc:636
>serviceBindingInformation: ldap://homexp.test.loc:389
4 Objects returned
While working on fixing several typos and mistakes in V01.39.00, I realized I had figured out a way to handle the piping from one instance of AdFind to another. I am still looking for holes but it looks good thus far. This is something I have wanted for some time but couldn’t see how to handle it with the current framework. Well, out of the blue, while looking at part of the code, it struck me how to pull it off, so I added it. Aside from that, there is the correction of some typos folks reported to me, as well as the addition of some Windows 7 support (i.e. decoding some of the Windows 7 attribute values and support for the new object deletion/recycling capabilities).
joe
Actually … yes … this looks cool. I remember that I asked you about such a feature in e-mail or on a group some time ago… really cool and will make some things easier.
Nice … very nice. Whatever gave you that idea? :0)
On a serious note, what’s with the -s base? Is that just a temp. requirement?
looks… um… Powershellish 🙂
Tomek: Yep this has been something I have wanted to do myself for some time. It finally hit me how to do it one night when I was really tired. 😉
Deano: The need for it over the years again and again and lots of folks saying, hey you need to be able to do this too… The -s base is not temporary. I didn’t want to lock it down to doing only base searches when you feed in a DN, I can see good reasons to be able to do one level and subtree searches. I may, however, have it default to doing a base search when multidn’s are piping in instead of default to subtree like it normally does. Still thinking that one out. Keep in mind, this isn’t dsget… It is a search tool that can do what dsquery and dsget can do that can pipe back into itself again to do a full query on the objects in the pipe…
Brandon: PoS without the .FAT… 😉 Seriously, wanted this for a long time and just couldn’t see how I could pull it off with the current framework and then one day I just looked at it in a slightly skewed way and about 15 lines of code later it was working… One of those duh, why didn’t I think of this before moments.
Outstanding!!! Like Tomek said, this has been a feature that I know many of us have looked for. Piping adfind into adfind will definitely come in handy.