… or at least I was in 2014!!
https://www.onelogin.com/blog/microsoftactive-directory-integration-experts
Information about joeware mixed with wild and crazy opinions...
As previously mentioned I have been focusing on some speed tweaks for AdFind for larger scale environments. One of the items I have wanted to speed up was the decoding of Security Descriptors especially in orgs where they got a little crazy with AD Delegation and added a ton of ACEs to object Security Descriptors. I have succeeded in this space, even better than what I had hoped.
The test AD object I am performing my speed tests on had 390 ACEs and I am resolving the SIDs halfway across the USA via a “slowish” VPN connection. Resolving the SIDs for multiple objects is actually not bad because once AdFind resolves a SID it caches it for quick retrieval the next time it encounters it within that run[1].
Here are the numbers:
| Version | Time (ms) |
|---|---|
| V01.49.00 SIDs only | 3219 |
| V01.50.00 SIDs only | 3078 |
| V01.49.00 Resolve SIDs | 75296 |
| V01.50.00 Resolve SIDs (initial) | 35719 |
| V01.49.00 Resolve SIDs | 75296 |
| V01.50.00 Resolve SIDs (enhanced) | 4250 |
Yes you are reading that right, Security Descriptor expansion with SID Resolution reduced from 75.3 seconds to 35.72 seconds to 4.25 seconds.
I am expecting to wrap up a zip file with the V01.50.00 Beta in the next week with a special download location. If you are interested, stay tuned.
joe
[1] I have long considered adding some persistence for SID caching but I haven’t thought about it enough to pull the trigger yet.
Is anyone aware of a mechanism to determine what the source of a given OS binary is from?
I.E. Say you want to know where your lsass.exe binary or tcpip.sys binary came from, what specific hot fix or rollup or whatever. How do you do it?
joe
I recently saw some internal guidance at work and decided I should post this message in case anyone at any time ever had any kind of confusion around it…
The postings on this site are my own and do not necessarily reflect the views of my employer, ANY employer, or anyone else ever anywhere.
Thoughts?
[Wed 03/08/2017 0:27:11.67]
E:\DEV\cpp\vs\AdFind\Debug>adfind -appver
AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) February 2016
BUILD :1.50.0.3150
BUILDDATE:20170308-00:26:46
[Wed 03/08/2017 0:27:13.79]
One of my good AD aware friends pinged me yesterday while I was at work asking about what was the specific AdFind command to find out the additional (or alternate) UPN Suffixes that may be defined for a domain. I responded back with a quick answer off the top of my head that it was on the Partitions container in the configuration container. I don’t usually like giving short answers like that but I was at work and that is the time I had available.
Once off work I did a quick google to find where someone had written this up before so I could share it. The several top links I kept clicking on just talked about how to do this from Domains and Trusts so I thought, WTH, I will write it up and hopefully this post will become one of the top posts for adding or viewing additional (or alternate) UPN Suffixes so people know you don’t have to use the GUI.
So the quick (and possibly wrong depending on your actual need, more on that later) answer is that you can find the additional (or alternate) UPN Suffixes defined in AD with the following query.
adfind -partitions -s base upnsuffixes
Or if you want to point to an AD Forest that isn’t your default forest you can use
adfind -h domainname -partitions -s base upnsuffixes
Why is that possibly wrong? Let’s walk through it.
So first the way most sites and instructions seem to be giving you for adding additional (or alternate) UPN Suffixes is to open Domains and Trusts (domain.msc) and right click on the top line that shows what you are connected to and then click on Properties which will give you the following dialog box which you can then populate with the additional (or alternate) UPN Suffixes you care to use.
What is placed there can indeed be found with the command shown above as so:
[Mon 02/13/2017 19:30:23.13]
E:\DEV>adfind -h k16tst.test.loc -partitions -s base upnsuffixes
AdFind V01.50.00.00cpp VS BETA Joe Richards (joe@joeware.net) February 2016
Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server 2016
Base DN: CN=Partitions,CN=Configuration,DC=k16tst,DC=test,DC=loc
dn:CN=Partitions,CN=Configuration,DC=k16tst,DC=test,DC=loc
>uPNSuffixes: cloud.joeware.org
1 Objects returned
Further if you want to add an additional (or alternate) UPN Suffix from the command line you can rather simply accomplish that with AdMod like so:
[Mon 02/13/2017 19:30:26.77]
E:\DEV>admod -h k16tst.test.loc -partitions upnsuffixes:+:cloud.joeware.net
AdMod V01.18.00cpp Joe Richards (joe@joeware.net) March 2012
DN Count: 1
Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server 2008 R2
Base DN: CN=Partitions,CN=Configuration,DC=k16tst,DC=test,DC=loc
Modifying specified objects…
DN: CN=Partitions,CN=Configuration,DC=k16tst,DC=test,DC=loc…
The command completed successfully
And holy crap I just realized I haven’t released a new version of AdMod in 5 years. Ugh.
Anyway now it looks like:
[Mon 02/13/2017 19:34:54.22]
E:\DEV\>adfind -h k16tst.test.loc -partitions -s base upnsuffixes
AdFind V01.50.00.00cpp VS BETA Joe Richards (joe@joeware.net) February 2016
Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server 2016
Base DN: CN=Partitions,CN=Configuration,DC=k16tst,DC=test,DC=loc
dn:CN=Partitions,CN=Configuration,DC=k16tst,DC=test,DC=loc
>uPNSuffixes: cloud.joeware.net
>uPNSuffixes: cloud.joeware.org
1 Objects returned
And in domain.msc
So what does it look like when you want to create a new user in ADUC (dsa.msc) now?
It looks like this:
Wow totally cool right? But wait, I don’t see why anything above could possibly be wrong per your earlier parenthetical declaration.
So a little known fact and likely even less used (probably a good thing) configuration you can put into place is to set the additional (or alternate) UPN Suffixes at the OU level and have those additional (or alternate) UPN Suffixes only “take effect” in ADUC at that one and only level of the OU hierarchy in the forest. It will actually override the forest level additional (or alternate) UPN Suffixes that are displayed in ADUC.
Though you can still use a tool that lets you specify an arbitrary UPN to set it to anything you choose, this configuration only forces validation within ADUC’s main user creation/modification forms and not within the Directory Service itself.
For example:
[Mon 02/13/2017 19:36:04.17]
E:\DEV>admod -h k16tst.test.loc -default -rb ou=users2,ou=testou upnsuffixes:+:deviantsoftware.net
AdMod V01.18.00cpp Joe Richards (joe@joeware.net) March 2012
DN Count: 1
Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server 2008 R2
Base DN: ou=users2,ou=testou,DC=k16tst,DC=test,DC=loc
Modifying specified objects…
DN: ou=users2,ou=testou,DC=k16tst,DC=test,DC=loc…
The command completed successfully
[Mon 02/13/2017 19:37:45.50]
E:\DEV>adfind -h k16tst.test.loc -default -rb ou=users2,ou=testou upnsuffixes
AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015
Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server Threshold
Base DN: ou=users2,ou=testou,DC=k16tst,DC=test,DC=loc
dn:OU=Users2,OU=TestOU,DC=k16tst,DC=test,DC=loc
>uPNSuffixes: deviantsoftware.net
1 Objects returned
Here is what it looks like when you try to create a user via ADUC in that specific OU.
But here is what happens if you go to a subOU of the OU on which you set the additional (or alternate) UPN Suffix value. Note that the additional (or alternate) OU specific UPN Suffixes are not displayed.
Again, though you can still use a tool that lets you specify an arbitrary UPN to set it to anything you choose, this configuration only forces validation within ADUC’s main user creation/modification forms and not within the Directory Service itself.
You may recall, as it was only seconds ago for you, that I mentioned that you can set the UPN Suffix on a user’s UPN to ANY value you choose. That is generally true but isn’t correct in all use cases. It works perfectly in a single forest where you are not expecting anyone to use the values outside of that forest – say in the case of a cross forest trust. In a cross forest trust the external forests need to know where to route the userid authentication requests to and it does that via the domain names combined with the registrations of the UPN Suffixes on the Partitions object in the Configuration container. Anything NOT listed there will not be able to be used across a cross-forest trust.
And that also means the additional (or alternate) UPN Suffixes ONLY stamped on OUs cannot be routed across a forest trust either. In fact when you try to establish a trust after you have set some suffixes up as we did here in this post, you will see a message like this:
Note the lack of the extra additional (or alternate) UPN Suffix I had assigned to the OU?
If you need the routing you can set the additional (or alternate) UPN Suffix on the Partitions container AND on the OU. The setting at the OU level tells ADUC (or any tool smart enough to look for that attribute on the OU) to limit the UPN Suffix display and the setting on the Partitions container tells the rest of the world who has a forest trust where to go to resolve the ID to a principal to perform the authentication.
But joe, you say fervently and with no trust, what if you just deleted that extra OU level additional (or alternate) UPN Suffix prior to creating that trust and we just didn’t see that step? Well you have to trust me that I didn’t. Alternately I guess I can show you; let’s see what AdFind says because, you know, trust but verify…
[Tue 02/14/2017 8:01:05.20]
E:\DEV>adfind -h k16tst.test.loc -gcb -f upnsuffixes=* upnsuffixes -e ad
AdFind V01.50.00.00cpp VS BETA Joe Richards (joe@joeware.net) February 2016
Using server: K16TST-DC1.k16tst.test.loc:3268
Directory: Windows Server 2016
Base DN: DC=k16tst,DC=test,DC=loc
0 Objects returned
Err wait… what?? Maybe I did lie!!! Or wait, maybe AD is lying???
How about this then…
[Tue 02/14/2017 8:06:12.55]
E:\DEV>adfind -h k16tst.test.loc -prb -f upnsuffixes=* upnsuffixes
AdFind V01.50.00.00cpp VS BETA Joe Richards (joe@joeware.net) February 2016
Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server 2016
Base DN:
dn:CN=Partitions,CN=Configuration,DC=k16tst,DC=test,DC=loc
>uPNSuffixes: cloud.joeware.net
>uPNSuffixes: cloud.joeware.org
dn:OU=Users2,OU=TestOU,DC=k16tst,DC=test,DC=loc
>uPNSuffixes: deviantsoftware.net
2 Objects returned
If you don’t have AdFind V01.50.00 VS BETA which is everyone but me as I write this then you can use -pr with -null in the place of -prb.
Did you catch that?
In the category of leaving them wanting more… I will now end this post. The -pr(b) switch vs the -gc(b) switch is a good discussion for later.
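The routing rule above (a UPN Suffix stamped only on an OU is offered by ADUC but is not published to forest trusts; only the values on the Partitions container are) is easy to check mechanically from AdFind output. The following is an added example, not code from the post or from the joeware tools: it parses AdFind’s default `dn:` / `>attr: value` output format, as shown in the -prb listing earlier in the post, and reports which suffixes are registered forest-wide and which exist only on OUs. The sample input is constructed from that listing; the attribute name and DN formats are AdFind’s, the function names are mine.

```python
"""Find UPN Suffixes that ADUC will offer (set on an OU) but that a forest
trust cannot route (not set on the Partitions container).

Input is the text AdFind prints for a query such as
    adfind -h <dc> -prb -f upnsuffixes=* upnsuffixes
"""

from collections import defaultdict

# Constructed sample: the -prb output from the post, pasted as AdFind prints
# it (banner and server lines, then a 'dn:' line and '>attr: value' lines
# per object, then the object count).
SAMPLE_ADFIND_OUTPUT = """\
AdFind V01.50.00.00cpp VS BETA Joe Richards (joe@joeware.net) February 2016

Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server 2016
Base DN:

dn:CN=Partitions,CN=Configuration,DC=k16tst,DC=test,DC=loc
>uPNSuffixes: cloud.joeware.net
>uPNSuffixes: cloud.joeware.org

dn:OU=Users2,OU=TestOU,DC=k16tst,DC=test,DC=loc
>uPNSuffixes: deviantsoftware.net

2 Objects returned
"""


def parse_adfind(text):
    """Return {dn: {attribute_lower: [values]}} from AdFind default output.

    Each object starts with a 'dn:<DN>' line and is followed by one
    '>attr: value' line per attribute value (multi-valued attributes repeat
    the attribute name). Banner, 'Using server:', blank and summary lines
    carry no object data and are skipped.
    """
    objects = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("dn:"):
            current = line[3:].strip()
            objects[current] = defaultdict(list)
        elif line.startswith(">") and current is not None:
            attr, _, value = line[1:].partition(":")
            objects[current][attr.strip().lower()].append(value.strip())
    return objects


def is_partitions_container(dn):
    """True for the forest-wide Partitions object in the Configuration NC."""
    return dn.lower().startswith("cn=partitions,cn=configuration,")


def upn_suffix_routing_report(text):
    """Split uPNSuffixes values into forest-wide (routable) and OU-only.

    Only the values on CN=Partitions,CN=Configuration are what a trusting
    forest sees for name suffix routing; a suffix present on an OU but
    absent there is one ADUC offers in that OU yet no trust can route.
    """
    objects = parse_adfind(text)
    forest_wide = set()
    per_ou = defaultdict(set)
    for dn, attrs in objects.items():
        suffixes = {s.lower() for s in attrs.get("upnsuffixes", [])}
        if is_partitions_container(dn):
            forest_wide |= suffixes
        else:
            per_ou[dn] |= suffixes
    ou_only = {
        dn: sorted(sfx - forest_wide)
        for dn, sfx in per_ou.items()
        if sfx - forest_wide
    }
    return {"forest_wide": sorted(forest_wide), "ou_only": ou_only}


if __name__ == "__main__":
    report = upn_suffix_routing_report(SAMPLE_ADFIND_OUTPUT)
    print("Registered on Partitions (routable):", ", ".join(report["forest_wide"]))
    for dn, suffixes in report["ou_only"].items():
        print(f"OU-only, not routable across a forest trust, on {dn}: "
              f"{', '.join(suffixes)}")
```

Run against the post’s listing it reports cloud.joeware.net and cloud.joeware.org as registered on the Partitions container and deviantsoftware.net as OU-only on OU=Users2,OU=TestOU, which is exactly the suffix missing from the trust wizard screenshot. Pipe real AdFind output into `upn_suffix_routing_report` to get the same answer for your own forest.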
joe
p.s. It is nice to knock the rust off and get the old blog post fingers running again.
I started working for Hewlett-Packard in 2004 and it went very well for a long time. It was the second time I worked for Hewlett-Packard but the first time I was an FTE for them. Initially I was an Expert in Residence and was almost exclusively technical and spent a great deal of my time:
However once HP bought EDS in 2007/8 things took a massive turn for the worse as we tried to swallow EDS. In effect I was no longer working for Hewlett-Packard Managed Services, I was now working for “EDS, an HP Company” which later became the Enterprise Services Division which eventually became the primary component of Hewlett Packard Enterprise when it split from HP Inc.
It primarily was not and still mostly is not the old HP, it is in great part still the old EDS. When the spin off of Enterprise Services to CSC completes in April then the Hewlett-Packard Enterprise that is left will be closer to the old HP I worked for in the fact that the vast majority of EDS (in particular upper management) will be gone. I suspect there will be a dramatic and hopefully very positive culture shift back to the older model, at least I hope so for my friends that are still there. I have no clue what will happen to the Enterprise Services group that was sold to CSC but from the things I have heard of CSC I have concerns for my friends still in Enterprise Services, both from legacy HP and legacy EDS.
While I met a lot of amazing people (techies and some managers) due to the merger with EDS, overall the merger was a failure for HP and it also did nothing to help me stay relevant in the tech world as I got further and further away from being where I really wanted to be – deep in the tech focused and sorting things out. Any long-time joeware fans likely noticed that I substantially dropped how much I was doing in the blog and in the tool updates and new releases. This really hurt me personally because I love working on this stuff and sharing it with others so they are more effective and capable and empowered. However as I look back now I realize I spent so much time on work and it was so taxing it killed my creativity and my desire to do much on computers outside of work. The creative spark was quite dim and anything I did come up with I really didn’t have any time to focus on it and develop the spark into a flame. That was due, in great part, IMO, to a once great company which has been stripped down to the bone and forcing people to do way too much way too fast for way too little. We were all doing what absolutely needed to be done to get by day to day which didn’t leave a lot of time for the things that really should have been done though some of us would try to do that as well which caused even more burn out. There is only so much you can do in a day and if the company doesn’t have your back, you are not destined to win no matter how good you are or how badly you want to make things succeed.
Cut to last summer / fall when I was approached about joining another company. It looked very interesting. I went through the interview process and in one phone call where I thought I was going to talk to a couple of managers about the position it ended up being a panel based tech interview and I was super whacked out on cold meds. I know I got answers wrong because while I could barely recall the interview I did recall a couple of things when the cold meds wore off that I got wrong although I knew the right answers to the questions such as mixing up asymmetric encryption with hashes … The power of Sudafed D with some other OTC stuff stacked up and KO’ed my brain. I also recalled that I really enjoyed talking to the people and was tickled to be in a technical interview because I wasn’t expecting it and I hadn’t actually had a technical interview since the 90s. Every job I had since 1996 was somehow related to a previous job and the people knew who I was and had some idea of what I was capable of. Anyway, even though I felt I had blown the tech interview they still were interested and after some discussions I ended up accepting an offer from them.
I have been in that job since early December and even though I didn’t get the last few weeks of December off like I usually do I still have more energy and desire to build things now than I have had in many years. I am slowly getting stuff done around the house that I have been neglecting and better, the creative juices are coming back with a vengeance and I am working on joeware utilities again and have ideas for about 10 or 15 blog posts to put together and this is with me getting absolutely pounded at work trying to spin up on a completely new and different environment that definitely has a lot of systemic and emergent issues. This new job is far more technical than what I was doing and closer to what I did when I first returned to HP. I am solving problems and sorting out how to best move forward in the future for a company that isn’t currently, but wants to become a well known tech giant and I absolutely believe they can accomplish it.
Where I am working now and what I am doing isn’t important here, the fact that I am working on something that has reignited my technical and creative drive is important and the blog and the tools download section should start reflecting that more and more as time goes on. If anyone needs to know what my new job is, I take a cue from my good friend Brett Shirley who shares his job as “Building 7 Garage Door Operator”. My new job is Walmart Greeter Store #3487. Greeter isn’t entirely out of my wheelhouse because Greeters are part of Security. They see everything coming in.
I held off on writing about this new position and its impact on what I do here for joeware because I wanted to see if my guesses were correct and they seem to be. Over the last couple of weeks I have started re-organizing and rebuilding my test labs. Additionally I built a new dev laptop and dug out the source code for AdFind and the associated supporting code modules for it and started working on converting it from Borland C++ Builder to Visual Studio. Note this is something that I have wanted to do and have actually tried to do a couple of times over the last 6 or so years but I finally now accomplished it. It only took 3 or 4 evenings once my brain was de-saturated and I finally had a version of AdFind running that was compiled from Visual Studio.
The results for the VS compiled version currently appear to be showing parity for the side by side output tests I have been running between it and V01.49.00. What isn’t par is that the new VS compiled version is substantially faster than the Borland C++ Builder compiled version; I am seeing it give results between 25%-50% faster. The binary is also half the size because, I believe, it doesn’t need all of the Borland VCL addon stuff. Additionally I converted the char* functions from the older styles to the newer _s (safe) versions, which I expected would slow things down, not speed them up. I haven’t released an update for AdFind since two years ago so this is pretty exciting for me. Additionally I have a ton of ideas of things to put into it that have come to me in the last month or so. In fact I have probably had five times the ideas for updates in the last month than I had in the prior two years. I already know that not every mod will make the next release because I want to get V01.50.00 out relatively soon because Windows Server 2016 is available now and I dislike seeing “Threshold” for OS version. That being said, it won’t be another two years after that for V01.51.00. I am expecting that I will be putting a lot of extra new functionality in around ACLs etc and also making it even faster for larger scale environments. If you have ideas of things you would like to see go into AdFind, please feel free to email at joe@joeware.net.
joe
I know a lot of IT folks who like to read this blog (when I actually write something) also are into aquariums so I thought I would share this cool Aquarium Controller software a friend of mine has put together.
Check it out!