It has been over two years since V01.47.00 was released but finally AdFind V01.48.00 has been released. I have no excuses other than allowing my day job to completely overrun my personal life. I would love to spend my days working on building and releasing tools but financially it just isn’t feasible at this time. 🙂 I do apologize for the extended period of inactivity. I do intend to do things differently this year and have some exciting thoughts around some tools. This is the year I tackle ESE coding and going directly into the AD Database tables. I have been looking to do that for some time as I have been intrigued by ESE coding from long conversations with Brett Shirley (one of the few ESE Devs at Microsoft and someone I am proud to have as a friend).
Anyway… I started updating the code base almost exactly a year ago and fixed bugs and added features in bursts throughout the year when I found time. At the very least you will find a bunch of new decodes built in for Windows Server 2012, Windows Server 2012 R2, and Windows Server Threshold but hopefully you will find the bug fixes and new features useful as well.
So without further ado, here is the general list of changes:
Added many Windows Server 2012, Windows Server 2012 R2, and Windows Server Threshold Decodes
Added "mode decodes" for versions newer than Threshold, shown as Windows Server Threshold+. It always annoyed me that OS modes newer than the last one AdFind knew how to decode were simply shown as the most recent decoded version. I.e. Windows Server Threshold decodes as Windows Server 2012 in V01.47.00, whereas in V01.48.00 the version after Threshold will decode as Windows Server Threshold+. I intend to get out a quick update to change the decodes from Windows Server Threshold to whatever it formally becomes once that is known. 😉
Added a bunch more decodes for various attributes. New values that have been added, additional attributes, etc.
Tweaked a bunch of shortcuts so they are more intelligent with base selection, GC use, and enabling -dloid to speed up queries when possible, etc.
Added new features and modifiers for several shortcuts.
In one of the previous versions I changed how AdFind handles the same attribute being specified multiple times: it normalized the list down to a single attribute so that the output was consistent between CSV and non-CSV output (non-CSV output only ever shows the attribute once, while CSV output would populate two fields with it). Apparently some folks relied on that functionality, so I changed it back: you can specify a single attribute multiple times and it will show up multiple times in the CSV output.
I ran into some cases where I needed to specify IPv6 addresses and the -h option got confused by them (it split the string on colons to retrieve the port), so I updated the code to handle IPv6 format addresses, i.e. [2001:0:5ef5:79fb:45:32c6:94fa:def9]:389.
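The host-and-port split described above, as an added example rather than AdFind's own code: a bracketed IPv6 literal is treated as one host instead of being split on its colons, and the default port of 389 is an assumption of this example.

```python
# Added example (not AdFind's own code): split a -h style "host[:port]" value,
# keeping a bracketed IPv6 literal intact instead of splitting on its colons.
from typing import Tuple

DEFAULT_PORT = 389  # assumed default for this example (plain LDAP)


def _port(text: str, original: str) -> int:
    """Validate the port text taken from a host:port value."""
    if not text.isdigit() or not 0 < int(text) < 65536:
        raise ValueError(f"bad port in {original!r}")
    return int(text)


def parse_host_port(value: str, default_port: int = DEFAULT_PORT) -> Tuple[str, int]:
    """Return (host, port) for 'host', 'host:port', '[v6]' or '[v6]:port'."""
    value = value.strip()
    if value.startswith("["):
        # Bracketed IPv6 literal: everything up to ']' is the host.
        end = value.find("]")
        if end == -1:
            raise ValueError(f"unterminated IPv6 literal: {value!r}")
        host, rest = value[1:end], value[end + 1:]
        if rest == "":
            return host, default_port
        if not rest.startswith(":"):
            raise ValueError(f"unexpected text after IPv6 literal: {value!r}")
        return host, _port(rest[1:], value)
    if value.count(":") > 1:
        # Unbracketed IPv6 literal: a port cannot be told apart from the
        # address groups, so the whole string is the host (the old bug).
        return value, default_port
    host, sep, port = value.partition(":")
    if not sep:
        return host, default_port
    return host, _port(port, value)
```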
To better support non-Microsoft LDAP Directories I have set AdFind up to auto-detect if a Directory is paging-capable and if not it will disable its use of paged queries.
To give more options for cmd piping scenarios I have changed the -b switch and STDIN stream reading to accept SIDs, GUIDs, and IIDs. The code detects the base type in the background and then wraps the string in the appropriate formatting. For example, SIDs are changed from S-1-x-xxx-xxx-xxx to <SID=S-1-x-xxx-xxx-xxx>, and GUIDs are changed from 9AF9CD11-9AB3-44DF-B014-8673F3C562C6 or {9AF9CD11-9AB3-44DF-B014-8673F3C562C6} to <GUID=9AF9CD11-9AB3-44DF-B014-8673F3C562C6>. IIDs, which are objectGUIDs that are BASE64 encoded and used in AzureAD, are decoded from BASE64 and then formatted as a GUID. Note that these queries may be a little slower than using a normal DN base because of the overhead AD has in locating the objects.
I have added several more constants for -replacedn.
Added :dnwdata:= matching rule for -bit in filters.
Added BASE64 for -binenc.
Added HEX/BASE64 options for -guidbinout and -sidbinout. For example:
[Tue 01/13/2015 23:02:09.22]
F:\Dev\cpp\AdFind\Release>adfind -hh thr-dc1 -s base -b {9AF9CD11-9AB3-44DF-B014-8673F3C562C6} objectguid -guidbinout base64
AdFind V01.48.00.00cpp Joe Richards (joe@joeware.net) January 2015
Using server: THR-DC1.threshold.loc:389
Directory: Windows Server Threshold
dn:DC=threshold,DC=loc
>objectGUID: Ec35mrOa30SwFIZz88Vixg==
1 Objects returned
And you may realize… voilà, that is the IID for that object. Which means that, in reverse, you could also do the following:
[Tue 01/13/2015 23:07:28.41]
F:\Dev\cpp\_old\OLD\AdFind\Release>adfind -hh thr-dc1 -s base -b Ec35mrOa30SwFIZz88Vixg== objectguid
AdFind V01.48.00.00cpp Joe Richards (joe@joeware.net) January 2015
Using server: THR-DC1.threshold.loc:389
Directory: Windows Server Threshold
dn:DC=threshold,DC=loc
>objectGUID: {9AF9CD11-9AB3-44DF-B014-8673F3C562C6}
1 Objects returned
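The base-type detection and the IID/GUID round trip shown above, as an added example that is not AdFind's own code: an IID is the base64 of the 16 objectGUID bytes in Windows byte order (Python's bytes_le), so the page's GUID and IID convert into each other. The SID value in the demo is constructed.

```python
# Added example, not AdFind's own code: classify a -b / STDIN base value as
# SID, GUID or IID and wrap it as <SID=...> or <GUID=...>; anything else is
# passed through unchanged as a DN.
import base64
import binascii
import re
import uuid

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$", re.IGNORECASE)
GUID_RE = re.compile(
    r"^\{?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}?$"
)
# 16 raw bytes always base64-encode to 22 characters plus "==" padding.
IID_RE = re.compile(r"^[A-Za-z0-9+/]{22}==$")


def guid_to_iid(guid_text: str) -> str:
    """GUID string -> IID: objectGUID byte order (bytes_le), then base64."""
    return base64.b64encode(uuid.UUID(guid_text.strip("{}")).bytes_le).decode("ascii")


def iid_to_guid(iid: str) -> str:
    """IID -> upper-case GUID string; rejects input that is not 16 bytes."""
    raw = base64.b64decode(iid, validate=True)
    if len(raw) != 16:
        raise ValueError("IID must decode to exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw)).upper()


def wrap_base(value: str) -> str:
    """Return the extended-DN form for a SID, GUID or IID base; DNs pass through."""
    v = value.strip()
    if SID_RE.match(v):
        return f"<SID={v.upper()}>"
    if GUID_RE.match(v):
        return f"<GUID={v.strip('{}').upper()}>"
    if IID_RE.match(v):
        try:
            return f"<GUID={iid_to_guid(v)}>"
        except (binascii.Error, ValueError):
            pass  # not a usable IID after all; treat it as a DN below
    return v


if __name__ == "__main__":
    # The GUID from the page and a constructed SID as sample input.
    for sample in ("{9AF9CD11-9AB3-44DF-B014-8673F3C562C6}", "S-1-5-21-1-2-3-500"):
        print(sample, "->", wrap_base(sample))
    print(guid_to_iid("9AF9CD11-9AB3-44DF-B014-8673F3C562C6"))
```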
Added several special bases: -sitelinks, -legacydns, -quotas.
Added two new shortcuts: -sc sitelinkdmp and -sc sitelinkdmpl. You specify the site short name with the shortcut and it will dump the links for that site, e.g. -sc sitelinkdmp:site2
Several new switches:
-exclrepl : For some reason MSFT didn’t think to not return some of the AD Replication Metadata in the star (*) default attribute set so in larger environments you can literally get screens of output when just dumping the NC Head object that you pretty much won’t care about. This switch is like a shortcut switch in that it simply adds several attributes to the -excl switch in the background.
-ametal/-vmetal: Versions of -ameta and -vmeta with -list enabled too.
-encguidtoiid: Encode a GUID to an IID. Doesn’t need to talk to AD to do this.
-deciidtoguid: Decode an IID to a GUID. Doesn’t need to talk to AD to do this.
-objcnterrlevel: This one is an often requested switch… Dear joe, please output the returned object count as the errorlevel… Well, since I already populate the errorlevel with the status of the execution, I had to think long and hard about doing this. I finally decided to add the switch. Note I didn’t perform comprehensive tests for this one. As always, if you see issues, please let me know.
-stripdn: This was a customer request as well; it simply strips DNs down to their most relevant RDN for all normal DN-syntax attributes (determined from the attribute syntax). For example:
[Tue 01/13/2015 23:24:30.34]
F:\Dev\cpp\AdFind\Release>adfind -hh thr-dc1 -default -s one -dn -stripdn
AdFind V01.48.00.00cpp Joe Richards (joe@joeware.net) January 2015
Using server: THR-DC1.threshold.loc:389
Directory: Windows Server Threshold
Base DN: DC=threshold,DC=loc
dn:Builtin
dn:Computers
dn:Domain Controllers
dn:ForeignSecurityPrincipals
dn:Infrastructure
dn:LostAndFound
dn:Managed Service Accounts
dn:NTDS Quotas
dn:Program Data
dn:System
dn:TPM Devices
dn:Users
12 Objects returned
That may not look interesting but this may look more interesting:
[Tue 01/13/2015 23:28:51.19]
F:\Dev\cpp\AdFind\Release>adfind -hh thr-dc1 -config -f objectclass=sitelink sitelist -stripdn -list
Site3
Site2
Default-First-Site-Name
-fdnx: This allows DN expansion of some common base DNs within a filter, so you can write a general query command that works across multiple environments, or simply type less. It was actually put in place to support the two new shortcuts. For example:
[Tue 01/13/2015 23:33:29.74]
F:\Dev\cpp\AdFind\Release>adfind -hh thr-dc1 -sc sitelinkdmpl:site3 -po
Selected Switches
-alldc
-arecex
-config
-f (&(objectclass=sitelink)(sitelist=CN=site3,CN=Sites,[CONFIG]))
-fdnx
-flagdc
-h thr-dc1
-hh thr-dc1
-list
-po
-rb CN=Inter-Site Transports,CN=Sites
-rootdsedc
-s subtree
-samdc
-sc sitelinkdmpl:site3
-schdc
-sitelinks
-sitenamedc
-sites
-tdcas
-utc
Selected Attributes
name
DEFAULTIPSITELINK
Note the filter "-f (&(objectclass=sitelink)(sitelist=CN=site3,CN=Sites,[CONFIG]))"
I usually release a new version of AdMod with AdFind but I didn’t want to hold AdFind back any longer so AdMod will be released at some later date.
You can find AdFind V01.48.00 at http://www.joeware.net/freetools/tools/adfind. Feel free to check out the sponsored link when you are there. 🙂
joe