joeware - never stop exploring... :)

I kept meaning to share this with everyone because I really want to get this video everywhere I can to get as much exposure as possible to it out in the world.

Troy is a friend of mine that works for Amazon, he has a 16 year old son with Autism. See what cool thing he cooked up to help him out. This is absolutely awesome work.

https://www.youtube.com/watch?v=BUewiOZTNzM

I really think this is just the start of what we are going to do with voice tech to make the world better and safer.

And the blog – https://aws.amazon.com/blogs/aws/pollexy-building-a-special-needs-voice-assistant-with-amazon-polly-and-raspberry-pi/

 

Hi, Joe,

I’ve been using these 2 excellent utilities to manage users both in our AD domain and our legacy Novell eDirectory tree.

Recently I needed to move disabled accounts without our ‘KEEP’ flag set into a Leavers OU and came up with the 2 commands below:

adfind -h novserver -ssl -sslignoresrvcert -simple -b o=merpol -f "(&(objectclass=user)(!(generationqualifier=KEEP))(logindisabled=TRUE))" cn fullname -u cn=ldapuser,o=isdept -up password -adcsv > c:\tmp\move2leavers.csv

admod -h novserver -ssl -simple -move o=leavers -u cn=ldapuser,o=isdept -up password < c:\tmp\move2leavers.csv

I managed to do all this in 1 command by piping the output of the adfind command with the –adcsv switch into the admod command but I wanted to record the accounts moved so that I could add them to a cumulative log – hence the intermediate move2leavers.csv file. Was this the best way of achieving this or could I have used the one-liner and somehow recorded the accounts going through the pipeline?

 

Hi Frank,

Sorry for slow response. I was working for Hewlett Packard Enterprise last year and working way too much. I left them and have a normal job now so I am slowly catching up on joeware email and updating tools.

So anyway, there is nothing builtin that will do what you want here. AdMod does have a -log switch but that is for my debugging mostly. However, that being said, you can use a command line tool called TEE which you would insert in the pipeline and it could output the pipeline to a file while simultaneously shipping it to the next binary in the pipeline.

You can actually do this with a quick perl script as well. See attached 7zip file, you will have to rename it to .7z. I made a really quick and dirty perl script that can do it.

[Sat 04/22/2017 13:29:25.87]
E:\DEV\perl\tee>adfind -h k16tst.test.loc -f name=norm* -dsq | jwtee.pl output.txt | admod -h k16tst.test.loc description::"normal user"

AdMod V01.18.00cpp Joe Richards (joe@joeware.net) March 2012

DN Count: 3
Using server: K16TST-DC2.k16tst.test.loc:389
Directory: Windows Server 2008 R2

Modifying specified objects…
   DN: CN=Norm User 3,OU=Users,OU=TestOU,DC=k16tst,DC=test,DC=loc…
   DN: CN=Norm User1,OU=Users,OU=TestOU,DC=k16tst,DC=test,DC=loc…
   DN: CN=Norm User2,OU=Users,OU=TestOU,DC=k16tst,DC=test,DC=loc…

The command completed successfully

[Sat 04/22/2017 13:34:22.66]
E:\DEV\perl\tee>type output.txt
"CN=Norm User 3,OU=Users,OU=TestOU,DC=k16tst,DC=test,DC=loc"
"CN=Norm User1,OU=Users,OU=TestOU,DC=k16tst,DC=test,DC=loc"
"CN=Norm User2,OU=Users,OU=TestOU,DC=k16tst,DC=test,DC=loc"

[Sat 04/22/2017 13:34:26.07]

If you don’t like compressed files, here is the code in clear text

my $filename=shift;

open OFH,">$filename" or die("ERROR: Couldn’t open filename – $filename: $!\n");

while (<stdin>)
{
  print OFH $_;
  print $_;
}
close OFH;

Cheers and again sorry for the slow response.

   joe

I am finally catching up on a lot of old email that I wasn’t able to get to, literally thousands of messages. I am quite happy with the number of people who find the tools useful saving them minutes or hours of time and the other comments of thanks we were told by MSFT this or that wasn’t possible but you show how to do it or provide a tool to do it and the other comments of we saved XX thousands of dollars by using your tools instead of buying products from other companies (don’t forget about the tip jar at the top left of the screen at http://blog.joeware.net/).

As for questions… Let me post some quick hit answers that are all that is needed for a large percentage of the emails I am going through.

 

Q: I need to learn AD and/or something isn’t working right in the tool because <insert some problem here that shows the user is not at all familiar with AD such as incorrect ordering of RDNs in the DN>.

A: There are lots of good books out there, I will initially recommend my book as it has gone through multiple revisions to fix issues and it really does hit things from beginner to advanced. http://amzn.to/2ofDlEN

 

Q: I love your free tools but <insert some aspect of how I provide the tools that someone doesn’t like for example they have to go to different links to download the tools or they aren’t available in a single zip or the tools display my joeware banner or anything else like that>. When will you get smart and fix it so I don’t have to deal with this?   (seriously had multiple emails that ended like that as if people are doing me a favor by using a tool I provide for free and ALLOW them to use)

A: The tools are free, I provide them in the way I do for specific reasons. The fact that they are free and you find them extremely useful and don’t have to pay for them (did I say free) means you can deal with it or you can find something else if there is anything else out there that does what you need. Alternately you could write your own see https://www.visualstudio.com/vs/community/

 

Q: I need to learn PowerShell, how do I do that?

A: I don’t really use PowerShell but if you want to learn I recommend the many online resources for the topic.

 

Q: What is the warranty? I have a problem with the tool and I wrote critical processes that depend on it and I need the tool changed immediately. Or it broke something of mine and I need you to fix it for us now.

A: See warranty – http://www.joeware.net/freetools/warranty.htm

 

Q: I need the source for tool X for <insert any reason in the universe here>, when can you get that to me?

A: See the FAQ – http://www.joeware.net/faq/index.htm

 

Q: When I start my computer or run XYX app I see your name/email pop for a second on my screen. What did you put on my machine?

A: Nothing, someone else, probably an admin or application provider is using one of my tools for something. My tools can all be found at http://www.joeware.net/freetools/index.htm and if you didn’t download something from there, you got it from someone other than me.

 

Q: Your initial image on your website is perverted.

A: No, it really isn’t.

 

Q: AdFind is broken because I see groups in ADUC that I don’t see in AdFind.

A: It isn’t broken, group enumeration isn’t a single straightforward LDAP query. Get my book and learn about how AD does groups. Also look at using my memberof utility.

 

I have now uploaded a second beta of AdFind V01.50.00 to the website, you can find it at

http://www.joeware.net/downloads/beta/adfind_v150_beta2.zip

The previous beta had two main issues with it.

First it was built with dynamic linking meaning that it looked for MSFT DLLs on the machine it was running on to utilize the API functions there. One of the “selling points” of using Visual Studio is using DLLs that are most likely already on Windows machines but I had enough folks respond saying that they didn’t or couldn’t load the redistributable packages that I decided to go back to my old ways of static linking meaning no other files should be required to run this version of the AdFind beta. If you find that not to be the case, please let me know.

Second I learned some interesting stuff about Visual Studio in that it is switching to Universal CRT / virtual APIs but this only works on newer OS machines, specifically it is not compatible with Windows 7 and Windows Server 2008 R2. I, being silly, had not tested the beta on Windows 7 nor Windows Server 2008 R2 machine so I didn’t catch that problem. It was quite a learning curve the last nine or so days to sort that out and get it fixed. That was especially fun with the lack of solid documentation as mentioned previously. I apologize it took so long, I have been pretty busy with my day job working a few more hours than I should be but that will be settling down soon once I get one of my current projects handled so I can focus on personal stuff and joeware some more again.  

As before, please let me know any feedback you have, email to support@joeware.net with ADFIND BETA in the subject so I will see it amongst everything else. I am still working through some of the other feedback, I will respond to everyone I just wanted to get these two main issues out of the way to allow for more testing for folks who were excluded with the first beta.

     joe

I previously released a beta for AdFind that wasn’t statically linked. I did that with the thought that one of the big benefits of using Visual Studio is that a lot of people would already have the necessarily DLLs. While a lot do, a lot also do not so I will be releasing a beta version of AdFind that is statically linked so there will be no need for other DLLs to be present on the machine.

And in the same vein, I took me a couple of weeks but I finally sorted out an issue with Visual Studio with writing code for Windows 7 / Windows Server 2008 R2. There is this new concept of Universal CRT and “API Sets” which are awesome for newer OSes but do not support the older OSes at all. It took me entirely too long to find this article

https://msdn.microsoft.com/en-us/library/windows/desktop/dn505783(v=vs.85).aspx

and in particular

Note Compatibility with Windows 7, Windows Server 2008 R2 and older operating systems: Binaries that link to MinCore.lib or MinCore_Downlevel.lib are not designed to work on Windows 7, Windows Server 2008 R2 or earlier. Binaries that need to run on earlier versions of Windows or Windows Server must not use either MinCore.lib or MinCore_Downlevel.lib.

The really awesome thing is that the MSDN Documentation for the API calls apparently assumes that no one wants to write code that runs on the older OSes so when they tell you what library (*.lib) to link in they tell you mincore.lib for a lot of stuff and not what the actual library needs to be if you need people to use an older OS with your application. IMO this is a massive documentation fail on the part of Microsoft. For example when you need to use the function GetFileVersionInfoSize you see on the website https://msdn.microsoft.com/en-us/library/windows/desktop/ms647005(v=vs.85).aspx that you need mincore.lib, no mention of what to use if you need compatibility. Searching around doesn’t help you a whole lot until you start digging up some older posts where you find that it should be version.lib that is actually included.

The only way I am immediately aware to quickly determine this information will require generous use of DUMPBIN /EXPORTS against the *.LIB files on your machine looking for the function you need. I visualize a perl script in my future.

Here is an example of what DUMPBIN /EXPORTS will show you for version.lib.

[Tue 04/18/2017  8:25:20.40]
E:\DEV\cpp>"C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\bin\x86_amd64\dumpbin" /exports "c:\Program Files (x86)\Microsoft SDKs\windows\v7.1a\lib\version.lib"
Microsoft (R) COFF/PE Dumper Version 14.00.24218.2
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file c:\Program Files (x86)\Microsoft SDKs\windows\v7.1a\lib\version.lib

File Type: LIBRARY

     Exports

       ordinal    name

                  _GetFileVersionInfoA@16
                  _GetFileVersionInfoExW@20
                  _GetFileVersionInfoSizeA@8
                  _GetFileVersionInfoSizeExW@12
                  _GetFileVersionInfoSizeW@8
                  _GetFileVersionInfoW@16
                  _VerFindFileA@32
                  _VerFindFileW@32
                  _VerInstallFileA@32
                  _VerInstallFileW@32
                  _VerQueryValueA@16
                  _VerQueryValueW@16

  Summary

          C3 .debug$S
          14 .idata$2
          14 .idata$3
           4 .idata$4
           4 .idata$5
           C .idata$6

 

Anyway, I am testing the new beta build of AdFind compiled with Visual Studio 2017 with static linking and LIBS that are actually supposed work on the older (and still supported MICROSOFT THANKYOUVERYMUCH) operating systems. I hope to post the new beta binary in the next day or so depending on issues encountered. 

    joe

p.s. This had me pretty close to dumping Visual Studio again. I still might because it is crap that it is so poorly documented and I could see this causing all sorts of issues for developers.

In case it is ever a question (say like someone from MSFT tells you it works differently), objects deleted in Active Directory go into the Deleted Objects container[1] of the Partition the objects live in. They do not get moved to the Configuration Partition Deleted Objects container.

[Mon 04/10/2017 14:37:42.83]
C:\>adfind -hh k16tst-dc1.k16tst.test.loc -gcb -f "cn=deleted objects" -dn -showdel

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

Using server: K16TST-DC1.k16tst.test.loc:3268
Directory: Windows Server 2016

dn:CN=Deleted Objects,DC=k16tst,DC=test,DC=loc
dn:CN=Deleted Objects,CN=Configuration,DC=k16tst,DC=test,DC=loc
dn:CN=Deleted Objects,DC=k16tstchld,DC=k16tst,DC=test,DC=loc

3 Objects returned

   joe

 

[1] There are some special cases here, but under no circumstances do objects from PartitionN go to the Configuration Partition CN=Deleted Objects container once deleted.

I think I have settled on the data I want to make available for the –sslinfo switch. If someone thinks there would be some additional info that would be useful please let me know.

Below is what I have for output so far for the –sslinfo switch. I am thinking the switch will initially be in BETA mode even with the release version of V01.50.00 until I sort out exactly how I want it formatted and how it might be used. I also have to sort out how to add the CSV/TSV functionality for it since when it runs in this mode it doesn’t actually get anywhere near the normal output stage of the code. I know for a mass scan of a forest that would likely be the preferred output model.

My original thinking was that the bit strength, cert version, dates, and issuer would be the most valuable bits of info. I visualize being able to tear through an entire forest looking at this info for every DC with a simple for /f loop like

for /f %i in (‘adfind -gcb -dclist’) do adfind -hh %i -sslinfo 

Like so:

[Sat 04/08/2017 18:10:11.39]
E:\DEV\cpp\vs\AdFind>for /f %i in (‘release\adfind -gcb -sc dclist’) do release\adfind -hh %i -sslinfo -utc

[Sat 04/08/2017 18:10:22.83]
E:\DEV\cpp\vs\AdFind>release\adfind -hh K16TST-DC1.k16tst.test.loc -sslinfo -utc

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

Certificate Info
================
  Encoding Type = X509_ASN_ENCODING (0x01)
  Version       = CERT_V3 (0x02)
  NotBefore     = 2017/04/08-16:11:31 UTC
  NotAfter      = 2018/04/08-16:11:31 UTC
  Sig Algorithm = 1.2.840.113549.1.1.13
  Issuer        = CN=CA1,DC=k16tst,DC=test,DC=loc
  Subject       = CN=K16TST-DC1.k16tst.test.loc

SSL Connection Information
==========================
  Protocol           = Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
  Cipher Algorithm   = AES 256-bit encryption algorithm (CALG_AES_256)
  Cipher Strength    = 256 bits
  Hash Algorithm     = 384 bit SHA hashing algorithm (CALG_SHA_384)
  Hash Strength      = 0 bits
  Key Exch Algorithm = Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
  Key Exch Strength  = 255 bits

The command completed successfully

[Sat 04/08/2017 18:10:22.90]
E:\DEV\cpp\vs\AdFind>release\adfind -hh K16TST-DC2.k16tst.test.loc -sslinfo -utc

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

Certificate Info
================
  Encoding Type = X509_ASN_ENCODING (0x01)
  Version       = CERT_V3 (0x02)
  NotBefore     = 2017/04/08-16:15:53 UTC
  NotAfter      = 2018/04/08-16:15:53 UTC
  Sig Algorithm = 1.2.840.113549.1.1.13
  Issuer        = CN=CA1,DC=k16tst,DC=test,DC=loc
  Subject       = CN=K16TST-DC2.k16tst.test.loc

SSL Connection Information
==========================
  Protocol           = Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
  Cipher Algorithm   = AES 256-bit encryption algorithm (CALG_AES_256)
  Cipher Strength    = 256 bits
  Hash Algorithm     = 384 bit SHA hashing algorithm (CALG_SHA_384)
  Hash Strength      = 0 bits
  Key Exch Algorithm = Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
  Key Exch Strength  = 255 bits

The command completed successfully

[Sat 04/08/2017 18:10:22.98]
E:\DEV\cpp\vs\AdFind>release\adfind -hh K16TSTCHLD-DC1.k16tstchld.k16tst.test.loc -sslinfo -utc

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

Certificate Info
================
  Encoding Type = X509_ASN_ENCODING (0x01)
  Version       = CERT_V3 (0x02)
  NotBefore     = 2017/04/08-21:19:19 UTC
  NotAfter      = 2018/04/08-21:19:19 UTC
  Sig Algorithm = 1.2.840.113549.1.1.13
  Issuer        = CN=CA1,DC=k16tst,DC=test,DC=loc
  Subject       = CN=K16TSTCHLD-DC1.k16tstchld.k16tst.test.loc

SSL Connection Information
==========================
  Protocol           = Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
  Cipher Algorithm   = AES 256-bit encryption algorithm (CALG_AES_256)
  Cipher Strength    = 256 bits
  Hash Algorithm     = 384 bit SHA hashing algorithm (CALG_SHA_384)
  Hash Strength      = 0 bits
  Key Exch Algorithm = Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
  Key Exch Strength  = 255 bits

The command completed successfully

[Sat 04/08/2017 18:10:23.11]
E:\DEV\cpp\vs\AdFind>release\adfind -hh K16TSTCHLD-DC2.k16tstchld.k16tst.test.loc -sslinfo -utc

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

Certificate Info
================
  Encoding Type = X509_ASN_ENCODING (0x01)
  Version       = CERT_V3 (0x02)
  NotBefore     = 2017/04/08-21:27:51 UTC
  NotAfter      = 2018/04/08-21:27:51 UTC
  Sig Algorithm = 1.2.840.113549.1.1.13
  Issuer        = CN=CA1,DC=k16tst,DC=test,DC=loc
  Subject       = CN=K16TSTCHLD-DC2.k16tstchld.k16tst.test.loc

SSL Connection Information
==========================
  Protocol           = Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
  Cipher Algorithm   = AES 256-bit encryption algorithm (CALG_AES_256)
  Cipher Strength    = 256 bits
  Hash Algorithm     = 384 bit SHA hashing algorithm (CALG_SHA_384)
  Hash Strength      = 0 bits
  Key Exch Algorithm = Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
  Key Exch Strength  = 255 bits

The command completed successfully

[Sat 04/08/2017 18:10:23.24]
E:\DEV\cpp\vs\AdFind>release\adfind -hh K16TST-RODC1.k16tst.test.loc -sslinfo -utc

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

Certificate Info
================
  Encoding Type = X509_ASN_ENCODING (0x01)
  Version       = CERT_V3 (0x02)
  NotBefore     = 2017/04/08-16:27:19 UTC
  NotAfter      = 2018/04/08-16:27:19 UTC
  Sig Algorithm = 1.2.840.113549.1.1.13
  Issuer        = CN=CA1,DC=k16tst,DC=test,DC=loc
  Subject       = CN=K16TST-RODC1.k16tst.test.loc

SSL Connection Information
==========================
  Protocol           = Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
  Cipher Algorithm   = AES 256-bit encryption algorithm (CALG_AES_256)
  Cipher Strength    = 256 bits
  Hash Algorithm     = 384 bit SHA hashing algorithm (CALG_SHA_384)
  Hash Strength      = 0 bits
  Key Exch Algorithm = Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
  Key Exch Strength  = 255 bits

The command completed successfully

 

And if you have a machine that doesn’t have a valid cert installed it will give the standard connection failure you already get.

[Sat 04/08/2017 18:10:23.35]
E:\DEV\cpp\vs\AdFind>release\adfind -hh k16tst2-dc1.k16tst2.test.loc -sslinfo -utc

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

LDAP_BIND: [k16tst2-dc1.k16tst2.test.loc] Error 0x51 (81) – Server Down
Terminating program.
And if you have a machine that doesn’t have a valid cert installed it will give the standard connection failure you already get.

 

     joe

Added this SSL Info functionality this week. I am likely to still change it up a little. I would like to see if I can report on the server cert too. And maybe see about this going into a CSV/TSV type output format as well since it is well outside the normal code path.

Beta drop to the web site in the next week I would say… It got delayed because I started decoding msDS-RevealedUsers for RODC computer objects. That BLOB was a little different than I expected and it took a bit but I got it sorted. In the meanwhile while thinking that issue out I realized I wanted to give out info about the LDAPS connection too. 

 

E:\>adfind -ssl -rootdse -sslinfo
 
AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016
 
SSL Connection Information
  protocol           = Transport Layer Security 1.0 client-side (SP_PROT_TLS1_CLIENT)
  cipher algorithm   = AES 256-bit encryption algorithm (CALG_AES_256)
  cipher strength    = 256 bits
  hash algorithm     = SHA hashing algorithm (CALG_SHA) bits
  hash strength      = 160 bits
  key exch algorithm = Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
  key exch strength  = 256 bits
 
The command completed successfully