joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

3/19/2015

30 Second Admin – Default Domain Password Policies for Entire Forest

by @ 6:16 pm. Filed under tech

Your boss walks into your cube with a harried look on her face… Hey ADMIN dude or dudette… The Security people are asking for the Default Domain Password Policies for all of the domains in the forest for an audit and I need it in the next 30 seconds because I am already late…

Ok…

[Thu 03/12/2015 15:34:06.57]
C:\>for /f %i in ('adfind -sc domainlist') do @adfind -hh %i -sc dompol -dloid

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: server1.americas.company.net:389
Directory: Windows Server 2012
Base DN: DC=americas,DC=company,DC=net

dn:DC=americas,DC=company,DC=net
>forceLogoff: -9223372036854775808 [undefined/never/forever]
>lockoutDuration: -18000000000 [-30.00 minutes(s)]
>lockOutObservationWindow: -9000000000 [-15.00 minutes(s)]
>lockoutThreshold: 6
>maxPwdAge: -77760000000000 [-90.00 day(s)]
>minPwdAge: -864000000000 [-1.00 day(s)]
>minPwdLength: 8
>pwdProperties: 1 [DOMAIN_PASSWORD_COMPLEX(1)]
>pwdHistoryLength: 6
>ms-DS-MachineAccountQuota: 0

1 Objects returned

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: server2.asiapacific.company.net:389
Directory: Windows Server 2008 R2
Base DN: DC=asiapacific,DC=company,DC=net

dn:DC=asiapacific,DC=company,DC=net
>forceLogoff: -9223372036854775808 [undefined/never/forever]
>lockoutDuration: -18000000000 [-30.00 minutes(s)]
>lockOutObservationWindow: -9000000000 [-15.00 minutes(s)]
>lockoutThreshold: 6
>maxPwdAge: -77760000000000 [-90.00 day(s)]
>minPwdAge: -864000000000 [-1.00 day(s)]
>minPwdLength: 8
>pwdProperties: 1 [DOMAIN_PASSWORD_COMPLEX(1)]
>pwdHistoryLength: 6
>ms-DS-MachineAccountQuota: 0

1 Objects returned

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: server0.company.net:389
Directory: Windows Server 2008 R2
Base DN: DC=company,DC=net

dn:DC=company,DC=net
>forceLogoff: -9223372036854775808 [undefined/never/forever]
>lockoutDuration: -18000000000 [-30.00 minutes(s)]
>lockOutObservationWindow: -9000000000 [-15.00 minutes(s)]
>lockoutThreshold: 6
>maxPwdAge: -77760000000000 [-90.00 day(s)]
>minPwdAge: -864000000000 [-1.00 day(s)]
>minPwdLength: 8
>pwdProperties: 1 [DOMAIN_PASSWORD_COMPLEX(1)]
>pwdHistoryLength: 6
>ms-DS-MachineAccountQuota: 0

1 Objects returned

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: server3.emea.company.net:389
Directory: Windows Server 2008 R2
Base DN: DC=emea,DC=company,DC=net

dn:DC=emea,DC=company,DC=net
>forceLogoff: -9223372036854775808 [undefined/never/forever]
>lockoutDuration: -18000000000 [-30.00 minutes(s)]
>lockOutObservationWindow: -9000000000 [-15.00 minutes(s)]
>lockoutThreshold: 6
>maxPwdAge: -77760000000000 [-90.00 day(s)]
>minPwdAge: -864000000000 [-1.00 day(s)]
>minPwdLength: 8
>pwdProperties: 1 [DOMAIN_PASSWORD_COMPLEX(1)]
>pwdHistoryLength: 6
>ms-DS-MachineAccountQuota: 0

1 Objects returned

[Thu 03/12/2015 15:34:21.62]

Highlight in command prompt window, copy, CTL-V paste into notepad. CTL-P ALT-P. Tell her to go to the printer.

If you have an LPT defined in the command prompt it is even faster.

[Thu 03/12/2015 15:35:53.67]
C:\>for /f %i in ('adfind -sc domainlist') do @adfind -hh %i -sc dompol > LPT1

[Thu 03/12/2015 15:36:08.56]

She wasn’t really thinking you could do it in 30 seconds, she was trying to give you a sense of urgency… But you were able to do it anyway. Great job! 🙂

If you have a single domain forest this can be reduced further to simply

[Thu 03/12/2015 15:37:04.26]
C:\>adfind -sc dompol -dloid

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: server1.americas.company.net:389
Directory: Windows Server 2012
Base DN: DC=americas,DC=company,DC=net

dn:DC=americas,DC=company,DC=net
>forceLogoff: -9223372036854775808 [undefined/never/forever]
>lockoutDuration: -18000000000 [-30.00 minutes(s)]
>lockOutObservationWindow: -9000000000 [-15.00 minutes(s)]
>lockoutThreshold: 6
>maxPwdAge: -77760000000000 [-90.00 day(s)]
>minPwdAge: -864000000000 [-1.00 day(s)]
>minPwdLength: 8
>pwdProperties: 1 [DOMAIN_PASSWORD_COMPLEX(1)]
>pwdHistoryLength: 6
>ms-DS-MachineAccountQuota: 0

1 Objects returned

[Thu 03/12/2015 15:37:10.74]

You don’t need the -dloid switch, but it does make the query faster when you know for a fact that you don’t have to decode any special attributes. That switch disables the dynamic search of the Schema that AdFind normally does to find time/SID/GUID type attributes for intelligent decoding. Since the attributes this shortcut returns have been known for a long time, they are hard coded into decoding tables in AdFind anyway.

    joe

P.S. All of these commands were run as a normal userid, not an admin ID. In most AD Forests much if not most information is readily available to normal users so if you are simply querying, you may only need to be a normal user. So yes, your manager could have gotten the information herself, not to mention those Security people could have gotten it as well…
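Once the dump above is in hand, the Security people still have to read raw Int64 values. As an added example (not part of the post and not AdFind code), here is a Python script that parses concatenated -sc dompol output, converts the 100-nanosecond intervals, decodes the pwdProperties bits and flags each domain against a baseline. The sample text reuses the americas domain from the output above plus a second, made-up weak domain so a finding is visible; the baseline numbers are constructed for the example, not something the post prescribes.

```python
"""Parse concatenated AdFind '-sc dompol' output and audit each domain's default
password policy against a baseline. Added example, not AdFind code."""
import re

INT64_MIN = -2**63                  # AD stores "never/undefined" in these interval attributes
HUNDRED_NS_PER_SECOND = 10_000_000  # intervals are negative counts of 100-nanosecond ticks

# pwdProperties bit flags; DOMAIN_PASSWORD_COMPLEX(1) is the one decoded in the post's output.
PWD_PROPERTY_FLAGS = {
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}

# Constructed sample: the americas domain from the post, then a made-up weak domain.
SAMPLE = """\
Using server: server1.americas.company.net:389
Base DN: DC=americas,DC=company,DC=net

dn:DC=americas,DC=company,DC=net
>forceLogoff: -9223372036854775808 [undefined/never/forever]
>lockoutDuration: -18000000000 [-30.00 minutes(s)]
>lockOutObservationWindow: -9000000000 [-15.00 minutes(s)]
>lockoutThreshold: 6
>maxPwdAge: -77760000000000 [-90.00 day(s)]
>minPwdAge: -864000000000 [-1.00 day(s)]
>minPwdLength: 8
>pwdProperties: 1 [DOMAIN_PASSWORD_COMPLEX(1)]
>pwdHistoryLength: 6
>ms-DS-MachineAccountQuota: 0

1 Objects returned

dn:DC=lab,DC=example
>lockoutThreshold: 0
>maxPwdAge: -9223372036854775808 [undefined/never/forever]
>minPwdLength: 6
>pwdProperties: 16 [DOMAIN_PASSWORD_STORE_CLEARTEXT(16)]
>pwdHistoryLength: 0

1 Objects returned
"""

# Attribute line: ">name: <integer>" with AdFind's bracketed decode ignored.
ATTR_LINE = re.compile(r"^>(?P<name>[\w-]+):\s*(?P<value>-?\d+)")

def parse_dompol(text):
    """Return {domain DN: {attribute: int}} from one or more AdFind dompol dumps."""
    policies, current = {}, None
    for line in text.splitlines():
        if line.startswith("dn:"):
            current = line[3:].strip()
            policies[current] = {}
            continue
        m = ATTR_LINE.match(line)
        if m and current is not None:
            policies[current][m.group("name")] = int(m.group("value"))
    return policies

def interval_to_seconds(raw):
    """Negative 100-ns interval -> seconds; None means never/undefined (INT64_MIN)."""
    return None if raw == INT64_MIN else abs(raw) // HUNDRED_NS_PER_SECOND

def decode_pwd_properties(flags):
    return [name for bit, name in PWD_PROPERTY_FLAGS.items() if flags & bit]

# Illustrative baseline, constructed for this example.
BASELINE = {"minPwdLength": 8, "pwdHistoryLength": 6, "maxPwdAgeDays": 90}

def audit_policy(pol, baseline=BASELINE):
    """Findings for one domain; an empty list means the policy meets the baseline."""
    findings = []
    min_len = pol.get("minPwdLength", 0)
    if min_len < baseline["minPwdLength"]:
        findings.append(f"minPwdLength {min_len} < {baseline['minPwdLength']}")
    history = pol.get("pwdHistoryLength", 0)
    if history < baseline["pwdHistoryLength"]:
        findings.append(f"pwdHistoryLength {history} < {baseline['pwdHistoryLength']}")
    max_age = interval_to_seconds(pol.get("maxPwdAge", INT64_MIN))
    if max_age is None:
        findings.append("maxPwdAge: passwords never expire")
    elif max_age > baseline["maxPwdAgeDays"] * 86400:
        findings.append(f"maxPwdAge {max_age // 86400} days > {baseline['maxPwdAgeDays']}")
    if pol.get("lockoutThreshold", 0) == 0:
        findings.append("lockoutThreshold 0: account lockout disabled")
    props = decode_pwd_properties(pol.get("pwdProperties", 0))
    if "DOMAIN_PASSWORD_COMPLEX" not in props:
        findings.append("pwdProperties: complexity not enforced")
    if "DOMAIN_PASSWORD_STORE_CLEARTEXT" in props:
        findings.append("pwdProperties: reversible encryption enabled")
    return findings

def audit_forest(text, baseline=BASELINE):
    """Run the audit over every domain found in the concatenated output."""
    return {dn: audit_policy(pol, baseline) for dn, pol in parse_dompol(text).items()}

if __name__ == "__main__":
    for dn, findings in audit_forest(SAMPLE).items():
        print(dn, "->", findings or "OK")
```

Pipe the real `for /f` output into this in place of SAMPLE and the report comes out per domain; the parser only keys on `dn:` and `>attr:` lines, so the AdFind banners and "Objects returned" trailers between domains are ignored.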


3/9/2015

AdFind For The Win! :)

by @ 6:53 pm. Filed under general

Even the folks at Microsoft know which command line Active Directory LDAP Query tool is the best for professionals… 🙂

https://technet.microsoft.com/en-us/library/dn535775.aspx#BKMK_LDAPQuery

2/28/2015

AdFind V01.49.00 Released

by @ 4:45 pm. Filed under updates

I found a bug in -dloid functionality so I have corrected the bug and re-released AdFind with a new version number – V01.49.00.

http://www.joeware.net/freetools/tools/adfind/

If you are unfamiliar with -dloid, it tells AdFind to NOT download a partial schema to get the OID/Type info for attributes to decode special attributes such as GUIDs and SIDs etc. There are some hardcoded attributes that I will still decode but anything dynamically added won’t be in there. This can cut a second or two off of the run time of the tool, which doesn’t matter all that much when you run the command directly, but if you have a script that calls adfind over and over again it can be a significant savings.

Note that one fix in V01.48.00 was for AdFind to automatically enable this for non-MSFT directories. That is how I broke the actual switch when specified. My bad. 🙂

   joe


2/26/2015

Never….

by @ 8:41 am. Filed under quotes

Never attribute to malice that which is adequately explained by stupidity.

  – Robert J Hanlon


2/19/2015

…who in the AD world doesn’t use ADFIND…

by @ 12:57 pm. Filed under general

I love getting emails that contain stuff like this from Microsoft Employees:

Second, who in the AD world doesn’t use ADFIND. I know lots of people dump native MS tools for your tool :). BTW, I owned Active Directory 4th and 5th editions and I wanted to tell you that you did an awesome job on those books.


1/27/2015

Princess you are killing me…

by @ 12:18 am. Filed under general

Princess (https://jorgequestforknowledge.wordpress.com/) you are killing me. You keep posting these "Finding Attributes…" posts and in every one you are specifying the long way with AdFind with no mention of the shortcuts. I keep adding comments that remain un-moderated. Please start specifying the shortcuts too. Thanks!

Anyone that sees this post and knows Princess please let him know. Thanks! 🙂

    joe


1/17/2015

AdFind V01.48.00 Released

by @ 1:11 pm. Filed under tech, updates

It has been over two years since V01.47.00 was released but finally AdFind V01.48.00 has been released. I have no excuses other than allowing my day job to completely overrun my personal life. I would love to spend my days working on building and releasing tools but financially it just isn’t feasible at this time. 🙂 I do apologize for the extended period of inactivity. I do intend to do things differently this year and have some exciting thoughts around some tools. This is the year I tackle ESE coding and going directly into the AD Database tables. I have been looking to do that for some time as I have been intrigued by ESE coding from long conversations with Brett Shirley (one of the few ESE Devs at Microsoft and someone I am proud to have as a friend).

Anyway… I started updating the code base almost exactly a year ago and fixed bugs and added features in bursts throughout the year when I found time. At the very least you will find a bunch of new decodes built in for Windows Server 2012, Windows Server 2012 R2, and Windows Server Threshold but hopefully you will find the bug fixes and new features useful as well.

So without further ado… Here is the general list of changes

Added many Windows Server 2012, Windows Server 2012 R2, and Windows Server Threshold Decodes

Added "mode decodes" for versions > Threshold as Windows Server Threshold+. I kept finding I was annoyed when newer versions of the OS modes that weren’t decoded properly defaulted to the most recent decoded version. I.E. Windows Server Threshold will decode as Windows Server 2012 in V01.47.00 whereas the version after Threshold will decode as Windows Server Threshold+ in V01.48.00. I intend to get out a quick update to change the decodes from Windows Server Threshold to whatever it formally becomes when it becomes it. 😉

Added a bunch more decodes for various attributes. New values that have been added, additional attributes, etc.

Tweaked a bunch of shortcuts so they are more intelligent with base selection, GC use, and enabling -dloid to speed up queries when possible, etc.

Added new features and modifiers for several shortcuts.

In one of the previous versions I changed how AdFind handled what happens when you specify the same attribute multiple times and had it normalize down to a single attribute so that the output was consistent between CSV and non-CSV output. Non-CSV output will always only show the attribute once, CSV output would populate two fields with the attribute. Apparently some folks used that functionality so I changed it back so that you can specify a single attribute multiple times and it will show up in the CSV output.

I ran into some cases where I needed to specify IPv6 IP addresses and the -h option got confused by that (it was parsing the string on colons to retrieve the port) so I updated the code so that it can handle IPv6 format addresses. I.E. [2001:0:5ef5:79fb:45:32c6:94fa:def9]:389.
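The IPv6 case is the classic host:port parsing trap, since the address itself is full of colons. As an added example (not AdFind's code), here is a Python parser that accepts the bracketed form shown above, a plain hostname with or without a port, and a bare IPv6 literal, next to the naive split-on-last-colon approach to show exactly what goes wrong; the address is the one from the post, the hostnames are the post's lab DC name with a constructed port.

```python
"""Split an LDAP server spec into (host, port) without breaking on IPv6 literals.
Added example for the -h parsing fix described in the post; not AdFind code."""
import ipaddress

DEFAULT_LDAP_PORT = 389

def naive_split_host_port(spec):
    """The approach that breaks on IPv6: everything after the last colon is the port."""
    host, _, port = spec.rpartition(":")
    return (host, port) if host else (spec, None)

def _parse_port(text):
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port: {text!r}")
    return int(text)

def split_host_port(spec, default_port=DEFAULT_LDAP_PORT):
    """Accept 'host', 'host:port', '[v6]', '[v6]:port' and a bare IPv6 literal."""
    spec = spec.strip()
    if spec.startswith("["):                     # bracketed IPv6, RFC 3986 style
        end = spec.find("]")
        if end == -1:
            raise ValueError(f"unterminated IPv6 literal: {spec!r}")
        host = spec[1:end]
        ipaddress.IPv6Address(host)              # raises ValueError if not a v6 address
        rest = spec[end + 1:]
        if rest == "":
            return host, default_port
        if not rest.startswith(":"):
            raise ValueError(f"unexpected text after IPv6 literal: {spec!r}")
        return host, _parse_port(rest[1:])
    if spec.count(":") > 1:                      # unbracketed IPv6 cannot carry a port
        ipaddress.IPv6Address(spec)
        return spec, default_port
    host, sep, port = spec.partition(":")        # hostname or IPv4 with optional port
    return host, (_parse_port(port) if sep else default_port)

if __name__ == "__main__":
    v6 = "2001:0:5ef5:79fb:45:32c6:94fa:def9"
    print("naive :", naive_split_host_port(v6))
    print("fixed :", split_host_port(f"[{v6}]:389"))
```

The rule that makes this work is that an unbracketed string with more than one colon can only be an IPv6 address, so a port is only ever accepted after a closing bracket or after the single colon of a hostname.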

To better support non-Microsoft LDAP Directories I have set AdFind up to auto-detect if a Directory is paging-capable and if not it will disable its use of paged queries. 

To give more options for cmd piping scenarios I have changed the -b switch and STDIN stream reading to allow for SIDs, GUIDs, and IIDs. The code will detect the base type in the background and then properly wrap the string in the appropriate formatting. For example, SIDs will be changed from S-1-x-xxx-xxx-xxx to <SID=S-1-x-xxx-xxx-xxx>, GUIDs will be changed from 9AF9CD11-9AB3-44DF-B014-8673F3C562C6 or {9AF9CD11-9AB3-44DF-B014-8673F3C562C6} to <GUID=9AF9CD11-9AB3-44DF-B014-8673F3C562C6>. IIDs which are objectGUIDs that are BASE64 encoded and used in AzureAD are converted from BASE64 and then encoded as a GUID. Note that these queries may be a little slower than using a normal base because of the overhead AD has in locating the objects.

I have added several more constants for -replacedn

Added :dnwdata:= matching rule for -bit in filters.

Added BASE64 for -binenc.

Added HEX/BASE64 options for -guidbinout and -sidbinout. For example:

[Tue 01/13/2015 23:02:09.22]
F:\Dev\cpp\AdFind\Release>adfind -hh thr-dc1 -s base -b {9AF9CD11-9AB3-44DF-B014-8673F3C562C6} objectguid -guidbinout base64

AdFind V01.48.00.00cpp Joe Richards (joe@joeware.net) January 2015

Using server: THR-DC1.threshold.loc:389
Directory: Windows Server Threshold

dn:DC=threshold,DC=loc
>objectGUID: Ec35mrOa30SwFIZz88Vixg==

1 Objects returned

And you may realize… Voila, that is the IID for that object. Which means, in turn, you could also do the following:

[Tue 01/13/2015 23:07:28.41]
F:\Dev\cpp\_old\OLD\AdFind\Release>adfind -hh thr-dc1 -s base -b Ec35mrOa30SwFIZz88Vixg== objectguid

AdFind V01.48.00.00cpp Joe Richards (joe@joeware.net) January 2015

Using server: THR-DC1.threshold.loc:389
Directory: Windows Server Threshold

dn:DC=threshold,DC=loc
>objectGUID: {9AF9CD11-9AB3-44DF-B014-8673F3C562C6}

1 Objects returned

Added several special bases: -sitelinks, -legacydns, -quotas.

Added two new shortcuts: -sc sitelinkdmp and -sc sitelinkdmpl. You specify the site short name with the shortcut and it will dump the links for that site, ex: -sc sitelinkdmp:site2

Several new switches:

-exclrepl : For some reason MSFT didn’t think to not return some of the AD Replication Metadata in the star (*) default attribute set so in larger environments you can literally get screens of output when just dumping the NC Head object that you pretty much won’t care about. This switch is like a shortcut switch in that it simply adds several attributes to the -excl switch in the background.

-ametal/-vmetal: Versions of -ameta and -vmeta with -list enabled too.

-encguidtoiid: Encode a GUID to an IID. Doesn’t need to talk to AD to do this.

-deciidtoguid: Decode an IID to a GUID. Doesn’t need to talk to AD to do this.
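The -b base detection described earlier and the -encguidtoiid/-deciidtoguid switches are two views of the same conversion. As an added example (not AdFind's code), the following Python reproduces that logic: classify a string as DN, SID, GUID or IID, wrap it in the extended-DN form AD accepts as a search base, and convert a GUID to an IID and back. The GUID/IID pair is the one from the post's output; the SID is a constructed sample.

```python
"""Base-type detection and GUID <-> IID conversion as described in the post.
Added example, not AdFind code."""
import base64
import re
import uuid

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$", re.IGNORECASE)
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")
IID_RE = re.compile(r"^[A-Za-z0-9+/]{22}==$")   # base64 of exactly 16 bytes

def guid_to_iid(guid_text):
    """GUID string, with or without braces -> base64 of its 16 bytes in Windows
    (little-endian) layout, which is how objectGUID appears as an AzureAD IID."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")

def iid_to_guid(iid_text):
    """Reverse of guid_to_iid; returns the braced upper-case form AdFind prints."""
    raw = base64.b64decode(iid_text, validate=True)
    if len(raw) != 16:
        raise ValueError("an IID must decode to exactly 16 bytes")
    return "{" + str(uuid.UUID(bytes_le=raw)).upper() + "}"

def classify_base(text):
    """Return 'extended', 'sid', 'guid', 'iid' or 'dn' for a -b style argument."""
    text = text.strip()
    if text.startswith("<") and text.endswith(">"):
        return "extended"          # already <SID=...> or <GUID=...>
    if SID_RE.match(text):
        return "sid"
    if GUID_RE.match(text):
        return "guid"
    if IID_RE.match(text):
        return "iid"
    return "dn"                    # anything else is treated as a distinguished name

def to_ldap_base(text):
    """Wrap SID/GUID/IID input in extended-DN syntax; DNs and wrapped values pass through."""
    text = text.strip()
    kind = classify_base(text)
    if kind == "sid":
        return f"<SID={text}>"
    if kind == "guid":
        return f"<GUID={str(uuid.UUID(text)).upper()}>"   # normalises braces/case
    if kind == "iid":
        return f"<GUID={iid_to_guid(text).strip('{}')}>"
    return text

if __name__ == "__main__":
    for sample in ("{9AF9CD11-9AB3-44DF-B014-8673F3C562C6}", "Ec35mrOa30SwFIZz88Vixg==",
                   "S-1-5-21-1-2-3-500", "DC=threshold,DC=loc"):   # SID is constructed
        print(f"{sample:45} {classify_base(sample):9} {to_ldap_base(sample)}")
```

Note the byte order: a GUID's first three fields are stored little-endian in the objectGUID attribute, which is why `bytes_le` rather than `bytes` is what base64-encodes to the IID the post shows.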

-objcnterrlevel: This one is an often requested switch… Dear joe, please output the returned object count in the errorlevel attribute… Well since I already populate the errorlevel attribute for status of the execution I had to think long and hard about doing this. I finally decided to add the switch. Note I didn’t perform comprehensive tests for this one. As always, if you see issues, please let me know.

-stripdn: This was a customer request as well, it simply strips DNs down to the most relevant RDN for all normal DN type attributes (based on attribute syntax)… For example:

[Tue 01/13/2015 23:24:30.34]
F:\Dev\cpp\AdFind\Release>adfind -hh thr-dc1 -default -s one -dn -stripdn

AdFind V01.48.00.00cpp Joe Richards (joe@joeware.net) January 2015

Using server: THR-DC1.threshold.loc:389
Directory: Windows Server Threshold
Base DN: DC=threshold,DC=loc

dn:Builtin
dn:Computers
dn:Domain Controllers
dn:ForeignSecurityPrincipals
dn:Infrastructure
dn:LostAndFound
dn:Managed Service Accounts
dn:NTDS Quotas
dn:Program Data
dn:System
dn:TPM Devices
dn:Users

12 Objects returned

That may not look interesting but this may look more interesting:

[Tue 01/13/2015 23:28:51.19]
F:\Dev\cpp\AdFind\Release>adfind -hh thr-dc1 -config -f objectclass=sitelink sitelist -stripdn -list
Site3
Site2
Default-First-Site-Name

-fdnx: This allows DN Expansion for some common base DNs within a filter. This is so you can come up with a general query command that could work in multiple environments or so you can type less. It is actually put into place to help with the two new shortcuts.

[Tue 01/13/2015 23:33:29.74]
F:\Dev\cpp\AdFind\Release>adfind -hh thr-dc1 -sc sitelinkdmpl:site3 -po
Selected Switches
    -alldc
    -arecex
    -config
    -f (&(objectclass=sitelink)(sitelist=CN=site3,CN=Sites,[CONFIG]))
    -fdnx
    -flagdc
    -h thr-dc1
    -hh thr-dc1
    -list
    -po
    -rb CN=Inter-Site Transports,CN=Sites
    -rootdsedc
    -s subtree
    -samdc
    -sc sitelinkdmpl:site3
    -schdc
    -sitelinks
    -sitenamedc
    -sites
    -tdcas
    -utc

Selected Attributes
    name

DEFAULTIPSITELINK

Note the filter "-f (&(objectclass=sitelink)(sitelist=CN=site3,CN=Sites,[CONFIG]))"
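The -stripdn and -fdnx behaviour shown in the last two examples both come down to handling DNs correctly: cutting a DN to its first RDN value without being fooled by escaped commas, and substituting a naming-context DN into a filter without letting it alter the filter's structure. As an added example (not AdFind's code), here is Python for both. The placeholder name [CONFIG] and the filter are from the -po output above; the rootDSE value for the lab and the escaped-comma DN are constructed.

```python
"""DN helpers in the spirit of -stripdn and -fdnx. Added example, not AdFind code."""
import re

def split_dn(dn):
    """Split a DN on commas that are not backslash-escaped (RFC 4514)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf).strip())
    return parts

def unescape_rdn_value(value):
    # Undo RFC 4514 escapes: backslash-comma -> comma, backslash-backslash -> backslash,
    # \2C style hex pairs -> the byte's character. Multi-byte UTF-8 hex runs are not
    # reassembled here.
    def repl(m):
        token = m.group(1)
        return chr(int(token, 16)) if len(token) == 2 else token
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)

def strip_dn(dn):
    """Reduce a DN to the value of its first RDN, as -stripdn displays it."""
    attr, sep, value = split_dn(dn)[0].partition("=")
    return unescape_rdn_value(value) if sep else attr

# Constructed rootDSE values for the post's threshold.loc lab (not taken from the page).
ROOTDSE = {"configurationNamingContext": "CN=Configuration,DC=threshold,DC=loc"}

# Placeholder -> rootDSE attribute. [CONFIG] is the token shown in the post's -po output;
# further tokens would be added here in the same way.
PLACEHOLDERS = {"[CONFIG]": "configurationNamingContext"}

def escape_filter_value(value):
    """RFC 4515 escaping so a substituted DN cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def expand_filter(ldap_filter, rootdse=ROOTDSE, placeholders=PLACEHOLDERS):
    """Replace known placeholders in a filter with the escaped naming-context DN."""
    for token, attr in placeholders.items():
        ldap_filter = ldap_filter.replace(token, escape_filter_value(rootdse[attr]))
    return ldap_filter

if __name__ == "__main__":
    for dn in ("CN=Domain Controllers,DC=threshold,DC=loc",
               "CN=Site3,CN=Sites,CN=Configuration,DC=threshold,DC=loc",
               "CN=Smith\\, John,OU=Users,DC=threshold,DC=loc"):   # constructed
        print(strip_dn(dn))
    print(expand_filter("(&(objectclass=sitelink)(sitelist=CN=site3,CN=Sites,[CONFIG]))"))
```

Splitting on every comma would turn the constructed "Smith\, John" entry into two RDNs; escaping the substituted DN matters because a naming context is trusted data today, but the same substitution routine is one step away from taking user input.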


I usually release a new version of AdMod with AdFind but I didn’t want to hold AdFind back any longer so AdMod will be released at some later date.

You can find AdFind V01.48.00 at http://www.joeware.net/freetools/tools/adfind. Feel free to check out the sponsored link when you are there. 🙂

   joe

1/13/2015

Finally… AdFind V01.48.00 coming soon…

by @ 1:58 am. Filed under general

[Tue 01/13/2015  0:45:05.80]
F:\Dev\cpp\AdFind\Release>adfind -hh thr-dc1 -rootdse currenttime -extsrvinfo

AdFind V01.48.00.00cpp Joe Richards (joe@joeware.net) January 2015

Using server: THR-DC1.threshold.loc:389
Directory: Windows Server Threshold
Domain Mode: Windows Server 2012 R2 Domain Mode
Forest Mode: Windows Server 2012 R2 Forest Mode
Site Name: Default-First-Site-Name
Options: GC
Security Principal: THRESHOLD\AdFindTestID1
DSA Version: 6.4.9841.0 (fbl_release.140912-1613)

dn:
>currentTime: 20150113054931.0Z

1 Objects returned


1/9/2015

…extraordinarily intelligent people are not literal minded…

by @ 7:09 pm. Filed under quotes

"I think the central problem of any religion is that the founders of religion are always extraordinarily intelligent people.  And what you notice as you get older, is that extraordinarily intelligent people are not literal minded.  And the great problem with religion is when what is said by the founder of the religion, which was supposed to be taken metaphorically, is taken literally.  And that’s when you get complete nonsense being made of what the founder of the religion said – and indeed people claiming, more or less, that the founder of the religion said the opposite of what they believe, except they haven’t realized that."

  – John Cleese


12/17/2014

FitDesk For The Desktop Jockeys

by @ 6:54 pm. Filed under general

I just got this set up at home and it rocks.

I got in 12 miles the last two days that I otherwise wouldn’t have been able to do because of my work schedule.

