The latest version of AdFind, V01.52.00, is now released. You can find it at
If the website shows V01.51.00 then use CTRL-F5 to update your local browser cache.
File information
[Sat 01/11/2020 21:17:29.63]+
E:\DEV\cpp\vs\AdFind\Release>filever adfind.exe
—– W32i APP ENU 1.52.0.5064 shp 1,619,968 01-11-2020 adfind.exe
[Sat 01/11/2020 21:17:40.58]+
E:\DEV\cpp\vs\AdFind\Release>adfind -appver
AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020
BUILD : 1.52.0.5064
BUILDDATE: 20200111-21:15:50 x86 VS2019
Digest information
[Sat 01/11/2020 21:17:48.44]+
E:\DEV\cpp\vs\AdFind\Release>joewaredigest adfind.exe
joewaredigest V01.00.00pl joe@joeware.net November 2012
adfind.exe 12011c44955fd6631113f68a99447515 4f4f8cf0f9b47d0ad95d159201fe7e72fbc8448d
Command Completed.
I have upgraded to Visual Studio 2019 and there are a slew of bug fixes, new 2019 decodes, new shortcuts, and a good selection of new switches (you know you wanted more!). Details of the changes including new switches are on the adfind usage pages which can also be found at
Specific things I want to call out.
New switch -hint
This is something I wanted particularly for working with ADAM/LDS and third party LDAP servers. While you can use -e or the joeware-default environment variables to really help with making working with ADAM/LDS easier, this is for the random ad hoc query where you stream the output from adfind to adfind or to the not yet released new version of admod. This switch outputs a header string with key fields that can be picked up out of the stream and give the next tool in line hints on what to connect to and how.
The output of the header has several switch values passed into the first call to adfind separated by “~~~X~~~”.
The specific switches are: -h, -p, -u, -up, -simple (0 or 1), -hh, -url
Since that might be difficult to visualize the use case, here is an example:
[Fri 01/10/2020 22:40:35.48]+
E:\DEV\cpp\vs\AdFind\Release>adfind -hh .:389 -f objectclass=group -dsq | adfind objectguid
AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020
Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
ldap_get_next_page_s: [LO-DC4.lockout.test.loc] Error 0x1 (1) – Operations Error
ldap_get_next_page_s: [LO-DC4.lockout.test.loc] Error 0x1 (1) – Operations Error
ldap_get_next_page_s: [LO-DC4.lockout.test.loc] Error 0x1 (1) – Operations Error
0 Objects returned
[Fri 01/10/2020 22:40:47.44]+
E:\DEV\cpp\vs\AdFind\Release>adfind -hh .:389 -f objectclass=group -dsq -hint | adfind objectguid
AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020
Using server: jwp51:389
Directory: Windows Server 2019 (10.0.18362.1) ADLDS
dn:CN=Administrators,CN=Roles,O=BASIC
> objectGUID: {9A1C288D-2360-4A47-8115-39D7A978CD0F}
dn:CN=Users,CN=Roles,O=BASIC
> objectGUID: {E5DD9FEE-9F13-44F5-B504-B9BF4345E84B}
dn:CN=Readers,CN=Roles,O=BASIC
> objectGUID: {4FB18B14-D5D5-4E99-82AB-0C4D0AD9977B}
3 Objects returned
New switch -pause
This is for those folks who slap adfind into a for /f loop with a do start and fire multiple process windows at once instead of running the commands serially. With this switch adfind will pause before exiting so you can look at the output of each instance that was spawned.
New Switches -incllike / -excllike
Have you ever wanted to output only a certain group of attributes without naming all of them, where they all share a similar format? For example, say you have 15 attributes with your company prefix like jw-attr1, jw-attr2, jw-attr3, jw-attrN that are populated on every object of type X and you want just that info output. You simply add -incllike jw- and voila, only the jw-* attributes will be displayed. Note that all of the data that would normally be returned is still returned; it simply won’t be displayed. Unfortunately there is no way to tell AD to return attributes “like”, so this is the next best thing. Alternately, if there are attributes you do not want displayed, you can use -excllike. Both of those switches take semicolon-delimited lists of strings.
New Switch -sddlpsflag
This is a fun one that I have wanted for some time. Have you ever looked at the Security Descriptor output and wanted to quickly highlight or filter for the ACEs that have property sets? This switch prefixes the property sets with [PS]. This allows for quick and easy filtering with grep or find or whatever, or with the SDDL filtering built into AdFind by default.
Again since this may not be easy to visualize, here is an example (you may want to make your browser window wider to more easily see this):
[Fri 01/10/2020 22:44:00.67]+
E:\DEV\cpp\vs\AdFind\Release>adfind -jsdnlb ;;;[PS] -sddlpsflag
AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020
Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: DC=lockout,DC=test,DC=loc
dn:DC=lockout,DC=test,DC=loc
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Account Restrictions;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Account Restrictions;user;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Logon Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Logon Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Group Membership;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Group Membership;user;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]General Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]General Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Remote Access Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Remote Access Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;;[READ PROP];[PS]Domain Password & Lockout Policies;;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;;[READ PROP];[PS]Other Domain Parameters (for use by SAM);;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;;[READ PROP];[PS]Other Domain Parameters (for use by SAM);;NT AUTHORITY\Authenticated Users
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP][WRT PROP][CTL];[PS]Private Information;;NT AUTHORITY\SELF
1 Objects returned
New Switch -rawsddlexpl
As you may or may not know, if you want to use AdMod to set a Security Descriptor (currently) you must provide the SDDL string for it. This can be painful (and yes I know how painful and hate it and am working on it) so I came up with a way to help make it less painful. When you apply the SDDL string it doesn’t need all of the inherited ACEs which is what usually makes the SDDL strings crazy long and painful. This switch nibbles the SDDL down to just the explicit ACEs that matter when you need to apply to something.
Again, here is an example, this will be long though not anywhere as long as what you see in many domains where people weren’t properly controlling stupid ACE bloat or had to install Exchange which is a whole other level of stupid ACE bloat that could only be accomplished by people who truly have no clue how to properly secure AD.
[Fri 01/10/2020 23:33:57.04]+
E:\DEV\cpp\vs\AdFind\Release>adfind -f name=testuser1 ntsecuritydescriptor -rawsddl
AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020
Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: DC=lockout,DC=test,DC=loc
dn:CN=testuser1,OU=TESTUSERS,DC=lockout,DC=test,DC=loc
> nTSecurityDescriptor: [SDDL] O:S-1-5-21-3057091654-2329156990-3385121676-512G:S-1-5-21-3057091654-2329156990-3385121676-512D:AI(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3057091654-2329156990-3385121676-517)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;RP;77b5b886-944a-11d1-aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3057091654-2329156990-3385121676-512)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AO)(A;;RC;;;AU)(A;;LCRPLORC;;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf
967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3057091654-2329156990-3385121676-526)(OA;CIID;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3057091654-2329156990-3385121676-527)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIOID;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;OICIID;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3057091654-2329156990-3385121676-519)(A;CIID;LC;;;RU)(A;CIID;CCLCSWRPWPLOCRSDRCWDWO;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
1 Objects returned
[Fri 01/10/2020 23:34:08.33]+
E:\DEV\cpp\vs\AdFind\Release>adfind -f name=testuser1 ntsecuritydescriptor -rawsddlexpl
AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020
Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: DC=lockout,DC=test,DC=loc
dn:CN=testuser1,OU=TESTUSERS,DC=lockout,DC=test,DC=loc
> nTSecurityDescriptor: [SDDL_EXPLICIT] O:S-1-5-21-3057091654-2329156990-3385121676-512G:S-1-5-21-3057091654-2329156990-3385121676-512D:AI(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3057091654-2329156990-3385121676-517)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;RP;77b5b886-944a-11d1-aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3057091654-2329156990-3385121676-512)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AO)(A;;RC;;;AU)(A;;LCRPLORC;;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:AI
1 Objects returned
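Comparing the two outputs above, every ACE that disappears carries the ID (inherited) token in its flags field, while the owner, group and the D:AI / S:AI headers survive. The following is an added example, not AdFind's code, that reproduces that reduction on a raw SDDL string for ACL review; the function names are hypothetical and the sample string is constructed with placeholder SIDs.

```python
import re

# "ID" is the SDDL ACE flag token for an inherited ACE; flag tokens are two letters.
INHERITED = "ID"
# One non-conditional ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^()]*)\)")

# Constructed sample shaped like the testuser1 output: two explicit DACL ACEs,
# two inherited DACL ACEs, one inherited SACL ACE. SIDs are placeholders.
SAMPLE_SDDL = (
    "O:S-1-5-21-1-2-3-512G:S-1-5-21-1-2-3-512"
    "D:AI(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
    "(A;;RC;;;AU)"
    "(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;"
    "4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)"
    "(A;CIID;LC;;;RU)"
    "S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)


def ace_flags(ace_body):
    """Split the flags field of one ACE into its two-letter tokens."""
    fields = ace_body.split(";")
    if len(fields) < 6:
        # Conditional ACEs nest parentheses and land here; fail loudly
        # rather than silently mis-edit a security descriptor.
        raise ValueError(f"not a plain 6-field ACE: ({ace_body})")
    flags = fields[1]
    return [flags[i:i + 2] for i in range(0, len(flags), 2)]


def is_inherited(ace_body):
    return INHERITED in ace_flags(ace_body)


def explicit_only(sddl):
    """Drop inherited ACEs; owner, group and ACL flags are left untouched."""
    return ACE_RE.sub(
        lambda m: "" if is_inherited(m.group(1)) else m.group(0), sddl
    )


def summarize(sddl):
    """Count explicit vs inherited ACEs, a quick measure of ACE bloat."""
    counts = {"explicit": 0, "inherited": 0}
    for m in ACE_RE.finditer(sddl):
        counts["inherited" if is_inherited(m.group(1)) else "explicit"] += 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_SDDL))
    print(explicit_only(SAMPLE_SDDL))
```

The flags field is tokenized in pairs rather than substring-matched so the check is an exact test for the ID token.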
New Switches -ldapping / -ldappingex / -netlogonexdc
I posted a series of blog posts on DC Locator and ldap ping. Adding ldap ping to AdFind is another thing that I have wanted for some time. It shoots over the proper query to retrieve the LDAP Ping info, which will tell you what AD site your machine is in per the DC’s decision processes and the querying machine’s IP address. It will also show you the next closest site; no, you don’t have to enable anything for that to work, it is always there, the client just has to know how to ask for it. Most folks will likely want to use -ldappingex as that is the easiest to read. It is effectively the -ldapping and -netlogonexdc switches together. Why did I do it that way? Why do I have the -netlogonexdc switch at all??? For people who know how to formulate the different acceptable ldap ping queries manually and want the extended output instead of the normal output. Note that this is COMPLETELY anonymous. You don’t have to have a valid ID in the domain to perform this operation.
Here is an example:
[Fri 01/10/2020 23:55:42.28]+
E:\DEV\cpp\vs\AdFind\Release>adfind -hh k16tst.test.loc -ldappingex
AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020
Using server: K16TST-SCDC1.k16tst.test.loc:389
Directory: Windows Server 2016
dn:
> OpCode: 0x18
> Flags: 0x1F1FC
> Flags: DS_GC_FLAG
> Flags: DS_LDAP_FLAG
> Flags: DS_DS_FLAG
> Flags: DS_KDC_FLAG
> Flags: DS_TIMESERV_FLAG
> Flags: DS_CLOSEST_FLAG
> Flags: DS_WRITABLE_FLAG
> Flags: DS_FULL_SECRET_DOMAIN_6_FLAG
> Flags: DS_WS_FLAG
> Flags: DS_DS_8_FLAG
> Flags: DS_DS_9_FLAG
> Flags: DS_DS_10_FLAG
> DomainGuid: {98FD1190-E167-4734-A585-7981238A135E}
> DnsForestName: k16tst.test.loc
> DnsDomainName: k16tst.test.loc
> DnsHostName: K16TST-SCDC1.k16tst.test.loc
> NetbiosDomainName: K16TST
> NetbiosComputerName: K16TST-SCDC1
> UserName: [EMPTY]
> DcSiteName: Default-First-Site-Name
> ClientSiteName: joenetlogontestsite
> NextClosestSiteName: Default-First-Site-Name
1 Objects returned
Filter intelligence enhancement – AKA the AJ Fix.
I have a friend that I worked with at my last day job employer that I dragged over to my current day job employer named AJ. AJ is more of an architecture type person who had to come in and actually do real work, ops type work. I mean architecture is real work but I don’t have a lot of respect or need for pure architects, if you cannot sit down and do daily support work as well as design infrastructures you are pretty worthless in my eyes. Anyway, AJ is now doing ops work in the IDM team (one of the leaders of that team now in fact) and learning a lot about how to do things in AD. Slowly more and more he started seeing the light about why AdFind blows other things (like ADUC, ADAC, PowerShell AD Cmdlets) out of the water and I would have a constantly running Zoom chat window with him asking questions. Well very often, especially one really bad week he would post a command string and say why isn’t this working or why it was spitting out so much information that he didn’t ask for (is AD broken?)… And the reason was usually the query looked something like
adfind "&(objectclass=user)(samaccountname=someid)" pwdlastset -tdcda
or something like that. Of course the issue is that he specified a filter without actually specifying the -f switch to tell AdFind, hey AdFind, this is a filter to submit for me. AdFind sees that command and treats the filter as an argument instead of a switch, so by default it uses a query of objectclass=* and of course that filter doesn’t exist as an attribute. So now I added some parameter logic to look for mistakes like this and it will throw what I call an AJ error, and in fact in the initial betas with the functionality the error message was quite funny and named AJ by name.
This is what the error message looks like:
ERROR:
ERROR: Specified attribute contains ‘=’, did you perhaps mean this as an LDAP filter and forgot -f?
ERROR: Argument in question [&(objectclass=user)(samaccountname=someid)]
ERROR:
Type AdFind /help or AdFind /? for usage assistance.
or in the case where you have a filter but don’t specify what looks like a filter you get this:
ERROR:
ERROR: Filter missing ‘=’.
ERROR: Filter value [objectclass]
ERROR:
Type AdFind /help or AdFind /? for usage assistance.
So if you know AJ, go ahead and razz him. This fix has probably saved me about 500 questions a year.
Another fun change that I have wanted for some time is auto-decode of attributeSecurityGUID in the Schema output. It is always a pain to chase that manually and doing this is likely going to save me a lot of time every year as well.
For example:
[Sat 01/11/2020 0:15:41.68]+
E:\DEV\cpp\vs\AdFind\Release>adfind -sc s:* -af attributesecurityguid=* ldapdisplayname attributesecurityguid -maxe 5
AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020
Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
dn:CN=Account-Expires,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
> lDAPDisplayName: accountExpires
> attributeSecurityGUID: {4C164200-20C0-11D0-A768-00AA006E0529} [Account Restrictions]
dn:CN=Admin-Description,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
>lDAPDisplayName: adminDescription
> attributeSecurityGUID: {59BA2F42-79A2-11D0-9020-00C04FC2D3CF} [General Information]
dn:CN=Allowed-Attributes,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
> lDAPDisplayName: allowedAttributes
> attributeSecurityGUID: {E48D0154-BCF8-11D1-8702-00C04FB96050} [Public Information]
dn:CN=Allowed-Attributes-Effective,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
> lDAPDisplayName: allowedAttributesEffective
> attributeSecurityGUID: {E48D0154-BCF8-11D1-8702-00C04FB96050} [Public Information]
dn:CN=Allowed-Child-Classes,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
>lDAPDisplayName: allowedChildClasses
>attributeSecurityGUID: {E48D0154-BCF8-11D1-8702-00C04FB96050} [Public Information]
5 Objects returned
And the last few things I am going to mention that are kind of cool are some beta features that I know still need more work but wanted to get this out there… Regular Expression capability for filtering output and outputting MSA/gMSA passwords. I don’t have much to say other than it is there but is still a work in progress. There is a new usage page for regular expressions that you access with “-regex?”. If you find something that isn’t working or something that could be done in a different way to make it more useful, please email me at support@joeware.net and let me know.
joe