joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

1/16/2012

Windows Server 8 Developer Preview RootDSE

by @ 12:07 am. Filed under tech

F:\dev\cpp\AdFind\Release>adfind -rootdse

AdFind V01.46.00cpp **BETA** Joe Richards (joe@joeware.net) January 2012

Using server: WIN8Dom-DC1.win8dom.loc:389
Directory: Windows Server 8 Developer Preview

dn:
>currentTime: 20120116035246.0Z
>subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=win8dom,DC=loc
>dsServiceName: CN=NTDS Settings,CN=WIN8DOM-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win8dom,DC=loc
>namingContexts: DC=win8dom,DC=loc
>namingContexts: CN=Configuration,DC=win8dom,DC=loc
>namingContexts: CN=Schema,CN=Configuration,DC=win8dom,DC=loc
>defaultNamingContext: DC=win8dom,DC=loc
>schemaNamingContext: CN=Schema,CN=Configuration,DC=win8dom,DC=loc
>configurationNamingContext: CN=Configuration,DC=win8dom,DC=loc
>rootDomainNamingContext: DC=win8dom,DC=loc
>supportedControl: 1.2.840.113556.1.4.319 [LDAP_PAGED_RESULT_OID_STRING]
>supportedControl: 1.2.840.113556.1.4.801 [LDAP_SERVER_SD_FLAGS_OID]
>supportedControl: 1.2.840.113556.1.4.473 [LDAP_SERVER_SORT_OID]
>supportedControl: 1.2.840.113556.1.4.528 [LDAP_SERVER_NOTIFICATION_OID]
>supportedControl: 1.2.840.113556.1.4.417 [LDAP_SERVER_SHOW_DELETED_OID]
>supportedControl: 1.2.840.113556.1.4.619 [LDAP_SERVER_LAZY_COMMIT_OID]
>supportedControl: 1.2.840.113556.1.4.841 [LDAP_SERVER_DIRSYNC_OID]
>supportedControl: 1.2.840.113556.1.4.529 [LDAP_SERVER_EXTENDED_DN_OID]
>supportedControl: 1.2.840.113556.1.4.805 [LDAP_SERVER_TREE_DELETE_OID]
>supportedControl: 1.2.840.113556.1.4.521 [LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID]
>supportedControl: 1.2.840.113556.1.4.970 [LDAP_SERVER_GET_STATS_OID]
>supportedControl: 1.2.840.113556.1.4.1338 [LDAP_SERVER_VERIFY_NAME_OID]
>supportedControl: 1.2.840.113556.1.4.474 [LDAP_SERVER_RESP_SORT_OID]
>supportedControl: 1.2.840.113556.1.4.1339 [LDAP_SERVER_DOMAIN_SCOPE_OID]
>supportedControl: 1.2.840.113556.1.4.1340 [LDAP_SERVER_SEARCH_OPTIONS_OID]
>supportedControl: 1.2.840.113556.1.4.1413 [LDAP_SERVER_PERMISSIVE_MODIFY_OID]
>supportedControl: 2.16.840.1.113730.3.4.9 [LDAP_CONTROL_VLVREQUEST]
>supportedControl: 2.16.840.1.113730.3.4.10 [LDAP_CONTROL_VLVRESPONSE]
>supportedControl: 1.2.840.113556.1.4.1504 [LDAP_SERVER_ASQ_OID]
>supportedControl: 1.2.840.113556.1.4.1852 [LDAP_SERVER_QUOTA_CONTROL_OID]
>supportedControl: 1.2.840.113556.1.4.802 [LDAP_SERVER_RANGE_OPTION_OID]
>supportedControl: 1.2.840.113556.1.4.1907 [LDAP_SERVER_SHUTDOWN_NOTIFY_OID]
>supportedControl: 1.2.840.113556.1.4.1948 [LDAP_SERVER_RANGE_RETRIEVAL_NOERR]
>supportedControl: 1.2.840.113556.1.4.1974 [LDAP_SERVER_FORCE_UPDATE]
>supportedControl: 1.2.840.113556.1.4.1341 [RODC_DCPROMO]
>supportedControl: 1.2.840.113556.1.4.2026 [LDAP_SERVER_DN_INPUT_OID]
>supportedControl: 1.2.840.113556.1.4.2064 [LDAP_SERVER_SHOW_RECYCLED_OID]
>supportedControl: 1.2.840.113556.1.4.2065 [LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID]
>supportedControl: 1.2.840.113556.1.4.2066 [LDAP_SERVER_POLICY_HINTS_OID]
>supportedLDAPVersion: 3
>supportedLDAPVersion: 2
>supportedLDAPPolicies: MaxPoolThreads
>supportedLDAPPolicies: MaxDatagramRecv
>supportedLDAPPolicies: MaxReceiveBuffer
>supportedLDAPPolicies: InitRecvTimeout
>supportedLDAPPolicies: MaxConnections
>supportedLDAPPolicies: MaxConnIdleTime
>supportedLDAPPolicies: MaxPageSize
>supportedLDAPPolicies: MaxQueryDuration
>supportedLDAPPolicies: MaxTempTableSize
>supportedLDAPPolicies: MaxResultSetSize
>supportedLDAPPolicies: MinResultSets
>supportedLDAPPolicies: MaxResultSetsPerConn
>supportedLDAPPolicies: MaxNotificationPerConn
>supportedLDAPPolicies: MaxValRange
>highestCommittedUSN: 13591
>supportedSASLMechanisms: GSSAPI
>supportedSASLMechanisms: GSS-SPNEGO
>supportedSASLMechanisms: EXTERNAL
>supportedSASLMechanisms: DIGEST-MD5
>dnsHostName: WIN8Dom-DC1.win8dom.loc
>ldapServiceName: win8dom.loc:win8dom-dc1$@WIN8DOM.LOC
>serverName: CN=WIN8DOM-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win8dom,DC=loc
>supportedCapabilities: 1.2.840.113556.1.4.800 [LDAP_CAP_ACTIVE_DIRECTORY_OID]
>supportedCapabilities: 1.2.840.113556.1.4.1670 [LDAP_CAP_ACTIVE_DIRECTORY_V51_OID]
>supportedCapabilities: 1.2.840.113556.1.4.1791 [LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID]
>supportedCapabilities: 1.2.840.113556.1.4.1935 [LDAP_CAP_ACTIVE_DIRECTORY_V61_OID]
>supportedCapabilities: 1.2.840.113556.1.4.2080 [LDAP_CAP_ACTIVE_DIRECTORY_V61_R2_OID]
>dsSchemaAttrCount: 1404
>dsSchemaClassCount: 255
>dsSchemaPrefixCount: 39
>isSynchronized: TRUE
>isGlobalCatalogReady: TRUE
>supportedConfigurableSettings: DynamicObjectDefaultTTL
>supportedConfigurableSettings: DynamicObjectMinTTL
>supportedConfigurableSettings: DisableVLVSupport
>supportedConfigurableSettings: ADAMDisablePasswordPolicies
>supportedConfigurableSettings: ADAMDisableLogonAuditing
>supportedConfigurableSettings: ADAMLastLogonTimestampWindow
>supportedConfigurableSettings: RequireSecureSimpleBind
>supportedConfigurableSettings: RequireSecureProxyBind
>supportedConfigurableSettings: MaxReferrals
>supportedConfigurableSettings: ReferralRefreshInterval
>supportedConfigurableSettings: SelfReferralsOnly
>supportedConfigurableSettings: ADAMAllowADAMSecurityPrincipalsInConfigPartition
>supportedConfigurableSettings: ADAMDisableSPNRegistration
>supportedConfigurableSettings: ADAMDisableSSI
>supportedExtension: 1.3.6.1.4.1.1466.20037 [LDAP_SERVER_START_TLS_OID]
>supportedExtension: 1.3.6.1.4.1.1466.101.119.1 [LDAP_TTL_REFRESH_OID]
>supportedExtension: 1.2.840.113556.1.4.1781 [LDAP_SERVER_FAST_BIND_OID]
>supportedExtension: 1.3.6.1.4.1.4203.1.11.3 [LDAP_SERVER_WHO_AM_I_OID]
>domainFunctionality: 4 [Windows Server 2008 R2 Domain Mode]
>forestFunctionality: 4 [Windows Server 2008 R2 Forest Mode]
>domainControllerFunctionality: 5 [Windows Server 8 Developer Preview]
>validFSMOs: CN=Schema,CN=Configuration,DC=win8dom,DC=loc
>validFSMOs: CN=Partitions,CN=Configuration,DC=win8dom,DC=loc
>validFSMOs: DC=win8dom,DC=loc
>validFSMOs: CN=Infrastructure,DC=win8dom,DC=loc
>validFSMOs: CN=RID Manager$,CN=System,DC=win8dom,DC=loc
>tokenGroups: S-1-5-21-2633680875-3286336108-926348340-1000
>tokenGroups: S-1-5-21-2633680875-3286336108-926348340-513
>tokenGroups: S-1-1-0
>tokenGroups: S-1-5-32-544
>tokenGroups: S-1-5-32-545
>tokenGroups: S-1-5-32-554
>tokenGroups: S-1-5-2
>tokenGroups: S-1-5-11
>tokenGroups: S-1-5-15
>tokenGroups: S-1-5-21-2633680875-3286336108-926348340-512
>tokenGroups: S-1-5-21-2633680875-3286336108-926348340-518
>tokenGroups: S-1-5-21-2633680875-3286336108-926348340-519
>tokenGroups: S-1-5-21-2633680875-3286336108-926348340-572
>tokenGroups: S-1-5-64-10
>dsaVersionString: 6.2.8102.0 (winmain_win8m3.110823-1455)
>serviceAccountInfo: replAuthenticationMode=1
>serviceAccountInfo: accountType=domain
>serviceAccountInfo: systemAccount=true
>serviceAccountInfo: domainType=domainWithKerb
>serviceAccountInfo: machineDomainName=WIN8DOM
>msDS-PrincipalName: WIN8DOM\$joe
>msDS-PortLDAP: 389
>msDS-PortSSL: 636
>spnRegistrationResult: 0

1 Objects returned

 


1/13/2012

I like the subway but this is the only part of Metro I like… ;)

by @ 7:05 pm. Filed under general

Windows Server 8 Developer Preview is in the joeware labs… Updating AdFind for any new decodes that will be needed…

 



1/12/2012

Changed AdFind shortcut -sc adobjcnt for V01.46.00…

by @ 8:18 pm. Filed under tech

So unfortunately I had to make a change that I very much try to avoid making with my utilities: I modified the core behavior of one of the shortcuts. Certainly this is much less painful than changing the core behavior of a switch, but it is still painful.

First… why do I avoid making core behavior changes to switches, et alii? Anyone who has written a script or batch file likely knows… People have scripts and batch files that depend on the tools, and if you change the default core behavior of the underlying tool, every one of those scripts has to be looked at again.

So what did I change and why… I changed the shortcut -sc adobjcnt. The change was absolutely required because the shortcut is actually broken for specific scenarios. Broken you say?? No way joe, I use it regularly, it works like a champ. And yes, I thought the same thing… right up until I got a few emails from people who use the root domain of a multi-domain forest for more than an empty placeholder[1][2]. If they want to count the objects in the parent domain *and just* the parent domain then there is an issue. The issue being that I, in my infinite lack of omniscience, had set the -gc switch as one of the switches in the shortcut. I did it because I thought I was going to help people out. If you want a user count of, say, your Asia domain and you are sitting in Iowa, why not hit a Global Catalog that is 100 feet away instead of a Domain Controller on the other side of the world for that information? Much, much faster that way, and it doesn’t require the admin to have a full understanding of how the AD world works in order to be a little more (hopefully) productive.

Example 1: Single Domain Forest – not a problem with the current shortcut

F:\dev\cpp\>adfind -gc -root -s one -dn

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: DC1.dom1.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=dom1,DC=loc

dn:CN=Builtin,DC=dom1,DC=loc
dn:CN=Computers,DC=dom1,DC=loc
dn:OU=Domain Controllers,DC=dom1,DC=loc
dn:CN=ForeignSecurityPrincipals,DC=dom1,DC=loc
dn:CN=Infrastructure,DC=dom1,DC=loc
dn:CN=LostAndFound,DC=dom1,DC=loc
dn:CN=Managed Service Accounts,DC=dom1,DC=loc
dn:CN=NTDS Quotas,DC=dom1,DC=loc
dn:CN=Program Data,DC=dom1,DC=loc
dn:CN=System,DC=dom1,DC=loc
dn:CN=Users,DC=dom1,DC=loc

11 Objects returned

 

Example 2: Non-standard Multi-Domain Forest – Multiple Domain Trees – not a problem with the current shortcut (NOT RECOMMENDED!!!!)

F:\dev\cpp\>adfind -gc -root -s one -dn

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: DC1.dom1.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=dom1,DC=loc

dn:CN=Builtin,DC=dom1,DC=loc
dn:CN=Computers,DC=dom1,DC=loc
dn:OU=Domain Controllers,DC=dom1,DC=loc
dn:CN=ForeignSecurityPrincipals,DC=dom1,DC=loc
dn:CN=Infrastructure,DC=dom1,DC=loc
dn:CN=LostAndFound,DC=dom1,DC=loc
dn:CN=Managed Service Accounts,DC=dom1,DC=loc
dn:CN=NTDS Quotas,DC=dom1,DC=loc
dn:CN=Program Data,DC=dom1,DC=loc
dn:CN=System,DC=dom1,DC=loc
dn:CN=Users,DC=dom1,DC=loc

11 Objects returned

But if you back up a level…

F:\dev\cpp\>adfind -gc -b dc=loc -s one -dn

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: DC1.dom1.loc:389
Directory: Windows Server 2008 R2

dn:DC=dom1,DC=loc
dn:DC=dom2,DC=loc
dn:DC=dom3,DC=loc

3 Objects returned

 

Example 3: Standard Multi-Domain Forest – Single Domain Tree – this is a problem when non-empty root

F:\dev\cpp\>adfind -gc -root -s one -dn

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: DC1.dom1.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=dom1,DC=loc

dn:CN=Builtin,DC=dom1,DC=loc
dn:DC=child1,DC=dom1,DC=loc
dn:DC=child2,DC=dom1,DC=loc
dn:DC=child3,DC=dom1,DC=loc
dn:CN=Computers,DC=dom1,DC=loc
dn:OU=Domain Controllers,DC=dom1,DC=loc
dn:CN=ForeignSecurityPrincipals,DC=dom1,DC=loc
dn:CN=Infrastructure,DC=dom1,DC=loc
dn:CN=LostAndFound,DC=dom1,DC=loc
dn:CN=Managed Service Accounts,DC=dom1,DC=loc
dn:CN=NTDS Quotas,DC=dom1,DC=loc
dn:CN=Program Data,DC=dom1,DC=loc
dn:CN=System,DC=dom1,DC=loc
dn:CN=Users,DC=dom1,DC=loc

14 Objects returned

The issue crops up, like I said, when you have a parent domain in a multi-domain forest. A Global Catalog holds a (partial) replica of every domain in the forest, so when you specify -gc the child domains of the parent sit under the parent’s base DN as ordinary branches of the LDAP tree (note the DC=child1, DC=child2 and DC=child3 entries in the one-level search above). A subtree search for a count therefore returns every object matching the LDAP filter from those child branches as well as from the area that you really want, and the count comes back too high.
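One way to get the "just the parent domain" count back out of a GC result, as an added example that is not AdFind code or anything from the original post: decide which domain partition each returned DN actually lives in and tally by partition. The partition list would normally come from the nCName values of the crossRef objects under CN=Partitions in the Configuration NC; here it and the DNs are constructed to mirror Example 3 above, plus a few objects inside the child domains that a GC subtree search would also return.

```python
"""Count objects per domain partition from DNs returned by a Global Catalog.

Added example, not AdFind's own code. Whole RDNs are compared rather than raw
string suffixes, so DC=dom1,DC=loc does not accidentally swallow DC=xdom1,DC=loc,
and backslash-escaped commas inside a value (CN=Smith\, John) do not split an RDN.
"""

# Constructed: the domain naming contexts of the Example 3 forest.
PARTITIONS = [
    "DC=dom1,DC=loc",
    "DC=child1,DC=dom1,DC=loc",
    "DC=child2,DC=dom1,DC=loc",
    "DC=child3,DC=dom1,DC=loc",
]

# Constructed: the Example 3 one-level results (abbreviated) plus objects that
# live inside the child domains and would also come back from a GC subtree search.
SAMPLE_DNS = [
    "CN=Builtin,DC=dom1,DC=loc",
    "DC=child1,DC=dom1,DC=loc",
    "DC=child2,DC=dom1,DC=loc",
    "DC=child3,DC=dom1,DC=loc",
    "CN=Computers,DC=dom1,DC=loc",
    "OU=Domain Controllers,DC=dom1,DC=loc",
    "CN=Users,DC=dom1,DC=loc",
    "CN=Smith\\, John,CN=Users,DC=dom1,DC=loc",
    "CN=Users,DC=child1,DC=dom1,DC=loc",
    "CN=bob,CN=Users,DC=child1,DC=dom1,DC=loc",
    "CN=alice,CN=Users,DC=child2,DC=dom1,DC=loc",
]


def split_rdns(dn):
    """Split a DN into its RDNs, honouring backslash-escaped commas in values.
    RDNs are lower-cased because DN comparison in AD is case-insensitive."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip().lower())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip().lower())
    return rdns


def owning_partition(dn, partitions):
    """Return the most specific partition (longest matching RDN suffix) that
    contains dn, or None if dn lies outside all of them."""
    dn_rdns = split_rdns(dn)
    best, best_len = None, 0
    for partition in partitions:
        p_rdns = split_rdns(partition)
        n = len(p_rdns)
        if n <= len(dn_rdns) and dn_rdns[-n:] == p_rdns and n > best_len:
            best, best_len = partition, n
    return best


def count_by_partition(dns, partitions):
    """Tally DNs by owning partition. A child domain's NC head (DC=child1,...)
    is counted as the child's object, which is what 'just the parent' means.
    The None bucket collects DNs in no listed partition (e.g. another tree)."""
    counts = {partition: 0 for partition in partitions}
    counts[None] = 0
    for dn in dns:
        counts[owning_partition(dn, partitions)] += 1
    return counts


if __name__ == "__main__":
    for partition, count in count_by_partition(SAMPLE_DNS, PARTITIONS).items():
        print(f"{partition or '(outside listed partitions)'}: {count}")
```

On a live forest you would feed this the DNs from the -dn output of the GC search and the partition list from the crossRef objects; the dom1 bucket then gives the same number a non-GC count against a dom1 DC would, without the cross-WAN round trip.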

I have been working through this for a while now trying to figure out the best way to fix it as again, I didn’t want to make behavior changes. But none of the excuses I can come up with about what users could or should do when using the utility seem to allow me to NOT change it. I don’t mind making users do their work when using my utilities but when they have to hop on one foot and balance a flaming can of gasoline I figure that is a bit extreme.

So it is with regret that I have to announce that the -sc adobjcnt shortcut will no longer specify the -gc switch for you. If you actually want to hit the GC then you will need to specify the -gc switch separately. I know, I know, not very painful, but I am sure someone somewhere won’t read this nor the release notes that will come out for V01.46.00 until after something bad has happened based on the new count values being returned, and I will get a nice nasty-gram about it. So be it; when you have done it and have written me and complained and I have sent you a link to this blog post and you have read it, know that "I told you so!" ;)  Anyway, if you have the -sc adobjcnt switch specified in some batch files, just do a nice find and replace of "-sc adobjcnt" with "-gc -sc adobjcnt" and that should take care of it nicely for you.

 

   joe

 

[1] Wild but true, there are indeed people who have non-empty root multi-domain forests… When I see them I am sometimes thinking "So you could argue the point about not having an empty root but couldn’t go the step further and argue just having a single domain forest model?"

[2] It will also have issues if you have grandchildren domains as well. But I don’t like to mention grandchildren domains because they make me itch. If you have grandchildren domains you almost certainly turned left at the wrong time along the AD design process. I can’t say I have ever, in my more than a decade of working on Active Directories around the world, walked into a facility and said either of "Oh you have (multiple domain trees | grandchildren domains)[3]!!! Great idea!"

[3] Perl regex expression there, means either string in parens.


1/11/2012

Did you know? AdFind shortcuts made with FOR /F specifically in mind, and why that could be useful…

by @ 8:39 pm. Filed under tech

There are a whole slew of AdFind shortcuts added over the last few versions specifically to assist people in using AdFind in FOR /F loops. Some of those shortcuts are dclist, gclist, domainlist, domainncssl, apppartsl, etc.

For example… You need to loop through all of the DCs of your domain to execute an LDAP query looking for last logon time and last bad logon time for an account on each DC (lastLogon and badPasswordTime are not replicated, so each DC only knows about the logons it handled itself and you have to ask every one of them)…

for /f %i in ('adfind -sc dclist') do @adfind -hh %i -f name=$joe dc:%i samaccountname lastlogon badpasswordtime -nodn -csv -csvnoheader -tdcs

That output looks like

"K8R2Dom-DC1.k8r2dom.loc","$joe","2012/01/09-14:34:10 Eastern Standard Time","2011/12/06-13:08:07 Eastern Standard Time"
"K8R2DOM-DC2.k8r2dom.loc","$joe","2012/01/03-14:31:15 Eastern Standard Time","0000/00/00-00:00:00 "
"K8R2DOM-DC3.k8r2dom.loc","$joe","2012/01/06-12:11:06 Eastern Standard Time",""

Alternately if you don’t want it in CSV mode you could use the command

for /f %i in ('adfind -e -sc dclist') do @adfind -hh %i -f name=$joe samaccountname lastlogon badpasswordtime -tdcs

which has output like

AdFind V01.46.00cpp **BETA** Joe Richards (joe@joeware.net) January 2012

Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=k8r2dom,DC=loc

dn:CN=$joe,CN=Users,DC=k8r2dom,DC=loc
>badPasswordTime: 2011/12/06-13:08:07 Eastern Standard Time
>lastLogon: 2012/01/09-14:34:10 Eastern Standard Time
>sAMAccountName: $joe

1 Objects returned

AdFind V01.46.00cpp **BETA** Joe Richards (joe@joeware.net) January 2012

Using server: K8R2DOM-DC2.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=k8r2dom,DC=loc

dn:CN=$joe,CN=Users,DC=k8r2dom,DC=loc
>badPasswordTime: 0000/00/00-00:00:00
>lastLogon: 2012/01/03-14:31:15 Eastern Standard Time
>sAMAccountName: $joe

1 Objects returned

AdFind V01.46.00cpp **BETA** Joe Richards (joe@joeware.net) January 2012

Using server: K8R2Dom-DC3.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=k8r2dom,DC=loc

dn:CN=$joe,CN=Users,DC=k8r2dom,DC=loc
>lastLogon: 2012/01/06-12:11:06 Eastern Standard Time
>sAMAccountName: $joe

1 Objects returned

I sometimes use something like that when I am just wading through information on different DCs and am not really sure what I am looking for, so CSV may be a little confusing to look at initially. Where a lot of people immediately start thinking, oh my, we need to write a script, I start thinking about command chaining and FOR /F.
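The per-DC values still have to be merged into one answer, since the newest lastLogon and the newest badPasswordTime across all DCs are the ones that matter. As an added example that is not part of the original post or of AdFind, here is the merge step over the CSV shape the first FOR /F command above produces; the sample rows are constructed from the output shown above, and the -tdcs timestamp format is handled as AdFind renders it, including the 0000/00/00-00:00:00 "never" value and an attribute that is simply absent.

```python
"""Merge per-DC lastLogon / badPasswordTime into the newest value per account.

Added example, not AdFind code. Input rows are
  dc, sAMAccountName, lastLogon, badPasswordTime
which is the column order of 'adfind -hh <dc> -f name=... dc:<dc> samaccountname
lastlogon badpasswordtime -nodn -csv -csvnoheader -tdcs' run once per DC.
"""
import csv
import io
from datetime import datetime

# Constructed sample: the three rows shown in the post, one per DC.
SAMPLE_CSV = '''"K8R2Dom-DC1.k8r2dom.loc","$joe","2012/01/09-14:34:10 Eastern Standard Time","2011/12/06-13:08:07 Eastern Standard Time"
"K8R2DOM-DC2.k8r2dom.loc","$joe","2012/01/03-14:31:15 Eastern Standard Time","0000/00/00-00:00:00 "
"K8R2DOM-DC3.k8r2dom.loc","$joe","2012/01/06-12:11:06 Eastern Standard Time",""
'''

NEVER = "0000/00/00-00:00:00"


def parse_adfind_time(value):
    """AdFind -tdcs renders FILETIME attributes as 'YYYY/MM/DD-HH:MM:SS <zone name>'.
    A value of 0 (never) comes out as 0000/00/00-00:00:00, and an attribute a DC
    has never set may be missing altogether (empty CSV field); both map to None.
    The zone name is dropped: every row was rendered in the same local zone, so
    naive datetimes compare correctly."""
    value = value.strip()
    if not value or value.startswith(NEVER):
        return None
    return datetime.strptime(value[:19], "%Y/%m/%d-%H:%M:%S")


def merge_per_dc(csv_text):
    """Return {sam: {attr: (datetime, dc)}} holding the newest value of each
    non-replicated attribute and the DC that reported it. (None, None) means no
    DC has ever recorded a logon / bad password for that account."""
    merged = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 4:          # blank line or malformed output
            continue
        dc, sam, last_logon, bad_pwd = row
        acct = merged.setdefault(sam, {"lastLogon": (None, None),
                                       "badPasswordTime": (None, None)})
        for attr, raw in (("lastLogon", last_logon), ("badPasswordTime", bad_pwd)):
            stamp = parse_adfind_time(raw)
            if stamp is not None and (acct[attr][0] is None or stamp > acct[attr][0]):
                acct[attr] = (stamp, dc)
    return merged


if __name__ == "__main__":
    for sam, attrs in merge_per_dc(SAMPLE_CSV).items():
        for attr, (stamp, dc) in attrs.items():
            print(f"{sam}: {attr} = {stamp} (reported by {dc})")
```

Redirect the FOR /F loop's output to a file (see the redirection post below) and hand that file to merge_per_dc; a DC that is unreachable simply contributes no row, which is worth noticing before trusting the result, because the missing DC may be the one that saw the latest logon.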

 

Here is a useful little one liner I have used on many occasions… easily ascertain schema version on all DCs.

F:\dev\cpp\AdFind\Release>for /f %i in ('adfind -e -sc domainlist') do @for /f %j in ('adfind -h %i -sc dclist') do @adfind -hh %j dc:%j -sc schver -csv -csvnoheader -nodn
"K8R2DOM-DC3.k8r2dom.loc","47 [Windows Server 2008 R2]"
"K8R2Dom-DC1.k8r2dom.loc","47 [Windows Server 2008 R2]"
"K8R2DOM-DC2.k8r2dom.loc","47 [Windows Server 2008 R2]"

F:\dev\cpp\AdFind\Release>

 

or if you need more schema details such as attribute/class/prefix counts…

F:\dev\cpp\AdFind\Release>for /f %i in ('adfind -e -sc domainlist') do @for /f %j in ('adfind -h %i -sc dclist') do @adfind -hh %j dc:%j -rootdse dsSchemaClassCount dsSchemaAttrCount dsSchemaPrefixCount -csv -csvnoheader -nodn
"K8R2DOM-DC3.k8r2dom.loc","234","1314","39"
"K8R2Dom-DC1.k8r2dom.loc","234","1314","39"
"K8R2DOM-DC2.k8r2dom.loc","234","1314","39"

F:\dev\cpp\AdFind\Release>

Or say you need the DSA Version String for each DC…

F:\dev\cpp\AdFind\Release>for /f %i in ('adfind -e -sc domainlist') do @for /f %j in ('adfind -h %i -sc dclist') do @adfind -hh %j dc:%j -rootdse dsaVersionString -csv -csvnoheader -nodn
"K8R2DOM-DC3.k8r2dom.loc","6.1.7601.17514 (win7sp1_rtm.101119-1850)"
"K8R2Dom-DC1.k8r2dom.loc","6.1.7600.16385 (win7_rtm.090713-1255)"
"K8R2DOM-DC2.k8r2dom.loc","6.1.7601.17514 (win7sp1_rtm.101119-1850)"

F:\dev\cpp\AdFind\Release>

So just a few simple, non-scripting methods to get some pretty cool and interesting information. Works without any special Web Services, etc running. 😉

   joe


Hilarious!

by @ 8:38 pm. Filed under humour

http://www.youtube.com/watch?v=KC8lt–rEEo


1/10/2012

Sending AdFind (and Other Command Line Tool) Output to a File

by @ 11:39 pm. Filed under tech

I have been seeing a disturbing trend in email requests for help lately, or I should say the continuation of a disturbing trend I have been seeing in general the last few years. In particular, in the last couple of weeks I have seen no fewer than 6 or 7 questions of "How do I send the AdFind -csv output to a CSV file?". Perhaps I shouldn’t be disturbed, but when I get clusters of a single type of question it tends to stick out, and it bothers me that people don’t understand the command prompt well enough to know how to perform redirection, or perhaps know how to do it but don’t think of it as a solution. At the very least this post gives me a link to point people to instead of answering each email individually. Anyway, a few quick words on the subject.

Q: How do I send output from AdFind (and other command line tools) to a file?

A: Via the operating system standard console redirection (aka command line redirection or file redirection) capability. See http://technet.microsoft.com/en-us/library/bb490982.aspx

Really quickly you could do something like

adfind -default -f "&(objectcategory=person)(objectclass=user)(department=human resources)" name displayname samaccountname -csv > hr_dept.csv

   joe


1/6/2012

NASA Open Source Software

by @ 7:26 pm. Filed under tech

http://www.zdnet.com/blog/open-source/nasa-opens-it-open-source-code-doors/10094


Free Microsoft Flight simulator… eventually!

by @ 7:24 pm. Filed under general

http://www.theregister.co.uk/2012/01/06/microsoft_flight_sim_free/


1/5/2012

So we watched Food, Inc…

by @ 7:59 pm. Filed under rants

So after several years of many people saying "You have got to watch Food, Inc." Tracy, Ashley, and I sat down and watched it last night through my brand spanking new Roku XS via streaming from Amazon (totally free because I am an Amazon Prime member).

Food, Inc Streaming on Amazon oh and here is the Roku XS

 

Quite frankly, and sadly, there wasn’t a lot in there that surprised me. Much of it I knew of through news reports or had made educated assumptions about based on the news reports or my own occasional investigations into food in the stores. My mind doesn’t just try to work out issues around Active Directory, Windows or even just computers, anytime I hear any kind of issue my brain goes off on its own and tries to work out how the issue could have occurred and what could have been done to prevent it.

However, I was completely shocked by the statistic that in the 70s the FDA performed on the order of 50,000 inspections of meat facilities but by the 90’s that had reduced to somewhere south of 10,000 with the idea that the companies could be "self-policing". Poppycock. Doveryai, no proveryai. The other big shock was over the part about the patenting of Soy Bean seeds and how one company pretty much owns all soy beans grown now. That not only shocked me but was outright ridiculous. Just plain stupid in fact. Then on top of it laws that prevent citizens from actually speaking their opinion on foods in states like Colorado? Hello? People bitching all over about what our current president is doing yet no major focus on issues we have had for years that have far more dire and direct consequence?

The piece on Kevin’s law which would give the FDA the right to shut a facility down that actively needs to be shut down and the fact that it keeps getting introduced in congress and never gets out of committee really pissed me off. Again, this doesn’t surprise me, I think government is one of the main sources of scoundrels and corrupt human beings but hearing of this absolutely common sense item being blocked for so long is insane. The fact that I can tell you the movie stars who got divorced this last month and who is going to what bowl games but had no clue this important legislation was being blocked for so long tells you how bad our "news and media" is in terms of reporting what is actually important. The whole country is being slowly poisoned by our food supply and we are more worried (or at least told by the press that we are more worried) about some nitwit nobody person who is famous for being famous marrying some noodle head basketball player who is now famous for being married and divorced from the person who is famous for being famous. Sigh.

Back to the soybeans… Monsanto was just doing what it could do to try and make money and get ahead in its business, you can’t fault them for that unless you feel that companies should be looking out for the welfare of our population which if that is the case, what color is the sky in your world because that certainly isn’t the world we live in. No, it was our government’s job to look out for our welfare and to stop the BS that Monsanto pulled off on the farmers. The government failed on a massive scale. Crap like that is the kind of thing that could get me to one day choose to run for office and try to find a way to stop the stupid stuff that gets through. In order to do it, it would require fixing how congress works at a fundamental level.

Now don’t think I am all "crazy" against everything the movie said I should be against. I didn’t agree with all of the points stated either.

The first thing I didn’t agree with was that they seemed to imply at one point that if this very low income family would simply switch to eating "good food" from the crap fast food then the husband/father’s Type 2 diabetes would magically clear up and all would be good and they would have to spend a couple of hundred dollars a month on medicine. This is a chicken and egg problem though. The family with their current level of knowledge can’t just switch and spend the money on the good food and hope dad makes it through the "getting healthy" period alive or at least not blind without his meds. Though I also didn’t agree that fast food was always the cheapest food. Is it cheaper than the processed foods in the stores? Almost certainly. But you can get unprocessed staple items for a lot cheaper than the special pears they were trying to compare the fast food to. Obviously one of the complaints was they didn’t have enough time to cook good food as well… That excuse doesn’t work for me, if you don’t work on eating better you won’t have any time for anything – you will likely be dead or in a hospital.

The next thing I didn’t agree with was the implication that if everyone just stopped buying the "bad food" and only bought from local organic farmers everything would be magically fixed. This is completely unreasonable from two viewpoints in my mind. The first being simple economics and the second being scale of operations.

First the economics… Have you looked at the cost of organic food? I looked up the yogurt mentioned in the show, Yobaby yogurt. That yogurt on Amazon (Walmart doesn’t carry it within 50 miles of my house) was $19.14 + $13.41 shipping and handling for six 4 oz containers. We eat a lot of yogurt, eat it daily, in fact I am eating a nice Yoplait Mountain Blueberry yogurt as I write this. I can tell you, I couldn’t fit that organic yogurt cost into my weekly or even monthly food budget with all the other stuff I am paying for (like my old house that I couldn’t sell in this market for anywhere near what I owe if my life depended on it thanks to the lack of real oversight by the government into the banks making crappy loans) and I make pretty good money – while I’m not in the "infamous" 1% I am not anywhere near the bottom either. If that were the cost of the only yogurt ever available again I wouldn’t have another bite of yogurt again which means some other possibly less healthy snack choice.

Another economic issue is with the CSAs (Community Supported Agriculture). I took the time to look at a CSA farm that is about 15 miles from my house this morning. They want you to pay a subscription every year for 16-18 weeks of vegetables during the summer. The cheapest membership that gives you vegetables (and vegetables only) on a weekly basis was $600.00. Note that there is no guarantee of quality or quantity or that you will ever get ANY product at all, you as a member assume all risk. You pay the money, they try to produce something, whatever if anything they harvest you get a portion of if you come pick it up. I happen to have had the foresight and capital to buy a house in a relatively rural area so I have several local farms around me that I use extensively in the summer and I can tell you that even shopping at them multiple times a week I don’t even come close to spending $600, a more realistic amount is likely $360-$400 for GUARANTEED quality and quantity as I pick out exactly what I want before I pay for it and I get the type and quantity of the items that I want. Perhaps this week I want a bunch of radishes and corn but no peppers. Next week the opposite.  I do not understand how anyone can think that that CSA makes sense other than the people collecting the money. Sorry, that model will not ever work in any significant way at those types of prices and the risk being solely assumed by the consumers. The other reason everyone switching to local organic isn’t going to work is sheer scale. The movie actually stated the problem but failed to recognize it and question the guy who was stating that buying local organic was the answer to everything. The problem is that farmers cannot scale to the volume required without themselves becoming a giant farm that they were pointing at as the bad guys. It was stated that a classic farmer could feed in the single or low teen digits numbers of people. 
Certainly that is higher with machinery but I do not believe for a moment that they are going to reach the volume the "big farms" can attain measured in the hundreds of people without the same shortcuts and pesticides, etc. Ditto all of that for local organic meat suppliers. Just thinking about the feeding of the cows alone and the amount of land it would require to expand the farms out to so that the cows could constantly get fresh grass is unrealistic.

There was more but I am done typing. If you haven’t seen the movie I do recommend it. It is likely to be extremely eye opening to many people. Perhaps if enough people watched it and responded to it the bitching about the government would be about things we could fix by removing the corruption versus the talking points politicians choose to throw out there as topics they want to talk about.

   joe


1/4/2012

sAMAccountName is always unique in a Windows domain… or is it?

by @ 7:33 pm. Filed under tech

So while chatting with an admin this week he mentioned that his company synced data from their single domain forest into an external database with a primary key of sAMAccountName. This was a topic of interest for him because they had just learned it was possible to have two different objects in Active Directory with the same sAMAccountName value. They learned this little known but important piece of information through direct experience as it actually happened to them. When something like that happens, it kind of messes with any external systems that are using sAMAccountName as a unique key causing varying levels of chaos and disaster and really isn’t all that great for the AD Admins either because it is likely to cause some level of authentication issues for whomever is duplicated.

I know what you are thinking, "but joe… while SAM Names aren’t unique within a multi-domain forest, they are supposed to be unique within a domain!!!" And that is absolutely correct, they are *supposed* to be unique in a domain[1]. That is, however, a far cry from being guaranteed to be unique. What’s the difference you ask? The difference is this… If something is supposed to be unique, some decent but reasonable amount of work will be put into play to produce a method that will generally get you a unique value. If something is guaranteed to be unique, whatever amount of work is necessary to assure that there is no way you can duplicate values, no matter what you do, is used instead. The sAMAccountName attribute falls squarely into the *supposed* to be unique category. Microsoft gives it the old college try to work towards uniqueness but doesn’t go whole hog and absolutely make sure duplicates aren’t possible.

Those of us who have been around since the NT4 days, or perhaps those who do a lot of work with the SAM DB on non-domain controllers (member servers, standalone servers, and client machines), are used to, and expect, unique sAMAccountNames. Since there is but a single SAM DB (aka a portion of the registry) that can be updated at any given moment, that SAM DB is able to enforce uniqueness. Once we moved into the world of Active Directory and a loosely consistent multi-master replication model, things changed and the lines blurred a little.

Creating objects with duplicate sAMAccountName attributes method 1 – loosely consistent multi-master replication

The first method to produce objects with duplicate sAMAccountNames showed up the day Windows 2000 was released; it is really a side effect of the new cool "loosely consistent" replication engine coupled with the multi-master approach to directories. As soon as you have more than one domain controller for a given domain, you have the ability to create objects that break the uniqueness rule for sAMAccountName. It is quite simple to accomplish: you create an object on two different domain controllers inside the replication convergence period for those DCs. If the DCs are in the same site, that means you have seconds or possibly minutes for convergence; if the DCs are in different sites then you could have hours or days to accomplish the task.
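Since the directory will not stop this for you, the practical check is to go looking for duplicates yourself. As an added example that is not part of the original post or of AdFind, the following parses the default AdFind output format used throughout this page (a dn: line followed by >attribute: value lines per object) and groups objects by sAMAccountName, compared case-insensitively because the SAM treats TestCase1 and testcase1 as the same name. The sample output is constructed from the two testcase1 objects on this page with two extra objects and placeholder objectGUIDs added.

```python
"""Report sAMAccountName values shared by more than one object.

Added example, not AdFind code. Feed it the text of, for instance,
  adfind -default -f samaccountname=* samaccountname objectguid
run against ONE domain controller after replication has converged; querying a
GC across a multi-domain forest would also report legitimate reuse of a name in
two different domains unless you group by domain partition first.
"""
from collections import defaultdict

# Constructed sample in AdFind's default output format. The first two objects
# and their GUIDs are the ones shown on this page; the last two are made up.
SAMPLE_OUTPUT = """AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: JOEWARE-DC1.joeware.local:389
Directory: Windows Server 2003
Base DN: DC=joeware,DC=local

dn:CN=testcase1,OU=usersample,DC=joeware,DC=local
>objectGUID: {85FF63EE-EF50-4EDB-8414-445ECEBB320A}
>sAMAccountName: testcase1

dn:CN=testcase1,OU=test,DC=joeware,DC=local
>objectGUID: {8C815AFB-42E1-4A0F-84AD-D0ABC0228F88}
>sAMAccountName: testcase1

dn:CN=TestCase1 svc,OU=services,DC=joeware,DC=local
>objectGUID: {00000000-0000-0000-0000-000000000001}
>sAMAccountName: TestCase1

dn:CN=jsmith,CN=Users,DC=joeware,DC=local
>objectGUID: {00000000-0000-0000-0000-000000000002}
>sAMAccountName: jsmith

4 Objects returned
"""


def parse_adfind(text):
    """Parse AdFind default output into [{'dn': ..., 'attrs': {name: [values]}}].
    Attribute names are lower-cased; multi-valued attributes keep every value.
    The banner, 'Using server:' lines, blank lines and the trailing
    'N Objects returned' are ignored."""
    objects, current = [], None
    for line in text.splitlines():
        if line.startswith("dn:"):
            current = {"dn": line[3:].strip(), "attrs": defaultdict(list)}
            objects.append(current)
        elif line.startswith(">") and current is not None:
            name, sep, value = line[1:].partition(":")
            if sep:
                current["attrs"][name.strip().lower()].append(value.strip())
    return objects


def duplicate_sams(objects):
    """Return {samaccountname (lower-cased): [dn, ...]} for every name that
    appears on more than one object. Case-insensitive on purpose: the SAM
    would refuse 'TestCase1' if 'testcase1' already existed on the same DC."""
    by_sam = defaultdict(list)
    for obj in objects:
        for sam in obj["attrs"].get("samaccountname", []):
            by_sam[sam.lower()].append(obj["dn"])
    return {sam: dns for sam, dns in by_sam.items() if len(dns) > 1}


if __name__ == "__main__":
    dups = duplicate_sams(parse_adfind(SAMPLE_OUTPUT))
    for sam, dns in sorted(dups.items()):
        print(f"{sam}: {len(dns)} objects")
        for dn in dns:
            print(f"    {dn}")
```

Run the real query against one DC, then against a second one, and compare: a duplicate that shows on one DC but not the other has simply not replicated yet, which is exactly the window the text describes. Anything that syncs AD into a system keyed on sAMAccountName should key on objectGUID (or at least objectSid) instead, since those are the values the directory does guarantee unique.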

For example, you take a simple script like

admod -hh joeware-dc1 -add -b cn=testcase1,ou=usersample,dc=joeware,dc=local objectclass::user samaccountname::testcase1
admod -hh joeware-dc2 -add -b cn=testcase1,ou=test,dc=joeware,dc=local objectclass::user samaccountname::testcase1

and run it, and it is pretty likely you will end up with two different user objects with the same sAMAccountName after replication convergence. Like so:

C:\temp>adfind -default -f name=testcase1

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: JOEWARE-DC1.joeware.local:389
Directory: Windows Server 2003
Base DN: DC=joeware,DC=local

dn:CN=testcase1,OU=usersample,DC=joeware,DC=local
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: testcase1
>distinguishedName: CN=testcase1,OU=usersample,DC=joeware,DC=local
>instanceType: 4
>whenCreated: 20120103220701.0Z
>whenChanged: 20120103220701.0Z
>uSNCreated: 1011021
>uSNChanged: 1011022
>name: testcase1
>objectGUID: {85FF63EE-EF50-4EDB-8414-445ECEBB320A}
>userAccountControl: 546
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 0
>lastLogoff: 0
>lastLogon: 0
>pwdLastSet: 0
>primaryGroupID: 513
>objectSid: S-1-5-21-3641047700-3957557241-2644433309-7689
>accountExpires: 9223372036854775807
>logonCount: 0
>sAMAccountName: testcase1
>sAMAccountType: 805306368
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joeware,DC=local

dn:CN=testcase1,OU=test,DC=joeware,DC=local
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: testcase1
>distinguishedName: CN=testcase1,OU=test,DC=joeware,DC=local
>instanceType: 4
>whenCreated: 20120103220702.0Z
>whenChanged: 20120103220717.0Z
>uSNCreated: 1011023
>uSNChanged: 1011023
>name: testcase1
>objectGUID: {8C815AFB-42E1-4A0F-84AD-D0ABC0228F88}
>userAccountControl: 546
>codePage: 0
>countryCode: 0
>pwdLastSet: 0
>primaryGroupID: 513
>objectSid: S-1-5-21-3641047700-3957557241-2644433309-8111
>accountExpires: 9223372036854775807
>sAMAccountName: testcase1
>sAMAccountType: 805306368
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joeware,DC=local

2 Objects returned


"but joe… what about the collision detection logic?"

admod -hh joeware-dc1 -add -b cn=testcase3,ou=usersample,dc=joeware,dc=local objectclass::user samaccountname::testcase3
admod -hh joeware-dc2 -add -b cn=testcase3,ou=usersample,dc=joeware,dc=local objectclass::user samaccountname::testcase3

C:\temp>adfind -default -f name=testcase3*

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: JOEWARE-DC1.joeware.local:389
Directory: Windows Server 2003
Base DN: DC=joeware,DC=local

dn:CN=testcase3,OU=usersample,DC=joeware,DC=local
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: testcase3
>distinguishedName: CN=testcase3,OU=usersample,DC=joeware,DC=local
>instanceType: 4
>whenCreated: 20120103221530.0Z
>whenChanged: 20120103221530.0Z
>uSNCreated: 1011039
>uSNChanged: 1011040
>name: testcase3
>objectGUID: {DFA20362-6899-41F6-94F2-3B7D5924FB41}
>userAccountControl: 546
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 0
>lastLogoff: 0
>lastLogon: 0
>pwdLastSet: 0
>primaryGroupID: 513
>objectSid: S-1-5-21-3641047700-3957557241-2644433309-7691
>accountExpires: 9223372036854775807
>logonCount: 0
>sAMAccountName: testcase3
>sAMAccountType: 805306368
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joeware,DC=local

dn:CN=testcase3\0ACNF:c928020b-f156-4e08-8e87-314eb8817a2a,OU=usersample,DC=joeware,DC=local
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: testcase3\0ACNF:c928020b-f156-4e08-8e87-314eb8817a2a
>distinguishedName: CN=testcase3\0ACNF:c928020b-f156-4e08-8e87-314eb8817a2a,OU=usersample,DC=joeware,DC=local
>instanceType: 4
>whenCreated: 20120103221530.0Z
>whenChanged: 20120103221546.0Z
>uSNCreated: 1011041
>uSNChanged: 1011041
>name: testcase3\0ACNF:c928020b-f156-4e08-8e87-314eb8817a2a
>objectGUID: {C928020B-F156-4E08-8E87-314EB8817A2A}
>userAccountControl: 546
>codePage: 0
>countryCode: 0
>pwdLastSet: 0
>primaryGroupID: 513
>objectSid: S-1-5-21-3641047700-3957557241-2644433309-8113
>accountExpires: 9223372036854775807
>sAMAccountName: testcase3
>sAMAccountType: 805306368
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joeware,DC=local

2 Objects returned

As you can clearly see, collision logic absolutely works for duplicated RDNs… but there is nothing that checks for duplication of sAMAccountName when replicating in objects from another DC. The only check in place for duplicate sAMAccountName attributes is on object instantiation, when the SAM Rules code is called to validate the attribute settings for a given object.
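To make that split (SAM Rules at instantiation, nothing on inbound replication) concrete, here is a toy model of two DCs written for this post; it is added example code, not AdFind/AdMod code and not anything Microsoft ships. The DC names, the DC=example,DC=test base, the four-character GUIDs and the conflict tie-break (later stamp wins, then higher GUID, loser gets the \0ACNF: mangle) are all assumptions made for the model; AD's real tie-break works off replication metadata and is more involved.

```python
import uuid
from dataclasses import dataclass, field, replace


@dataclass
class DirObject:
    guid: str
    dn: str
    sam: str
    created: int  # logical creation stamp; stands in for AD's replication metadata


@dataclass
class DomainController:
    name: str
    objects: dict = field(default_factory=dict)  # objectGUID -> DirObject

    def _find_dn(self, dn):
        return next((o for o in self.objects.values() if o.dn.lower() == dn.lower()), None)

    def add(self, dn, sam, created, guid=None):
        """Originating write on this DC. Both the DN check and the SAM Rules
        uniqueness check run here, but only against this DC's own copy."""
        if self._find_dn(dn) is not None:
            raise ValueError("Already Exists: DN %s" % dn)
        if any(o.sam.lower() == sam.lower() for o in self.objects.values()):
            raise ValueError("Already Exists: sAMAccountName %s" % sam)
        obj = DirObject(guid or str(uuid.uuid4()), dn, sam, created)
        self.objects[obj.guid] = obj
        return obj

    def replicate_from(self, src):
        """Inbound replication from another DC. A DN collision is resolved by
        mangling the loser's RDN to <rdn>\\0ACNF:<guid>; sAMAccountName is never
        examined on this path, which is exactly the gap described above."""
        for incoming in src.objects.values():
            if incoming.guid in self.objects:
                continue
            incoming = replace(incoming)  # this DC keeps its own copy
            clash = self._find_dn(incoming.dn)
            if clash is not None:
                # Assumed, simplified tie-break (not AD's exact rule): the later
                # stamp wins, then the higher GUID; the loser's RDN is mangled.
                loser = min((clash, incoming), key=lambda o: (o.created, o.guid))
                rdn, _, parent = loser.dn.partition(",")
                loser.dn = "%s\\0ACNF:%s,%s" % (rdn, loser.guid, parent)
            self.objects[incoming.guid] = incoming


def duplicate_sams(dc):
    """{sam_lowercase: [dn, ...]} for every sAMAccountName held by more than one object."""
    groups = {}
    for o in dc.objects.values():
        groups.setdefault(o.sam.lower(), []).append(o.dn)
    return {sam: dns for sam, dns in groups.items() if len(dns) > 1}


def add_rejected(dc, dn, sam, created=99):
    """True if an originating add on dc is refused (DN or SAM already in use locally)."""
    try:
        dc.add(dn, sam, created)
    except ValueError:
        return True
    return False


def simulate(base="DC=example,DC=test"):
    """Replay the two experiments from the post on two DCs that have not yet replicated:
    different DNs with the same SAM (testcase1) and the same DN with the same SAM
    (testcase3). Returns DC1 after both DCs have converged."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.add("CN=testcase1,OU=usersample," + base, "testcase1", created=1, guid="1111")
    dc2.add("CN=testcase1,OU=test," + base, "testcase1", created=2, guid="2222")
    dc1.add("CN=testcase3,OU=usersample," + base, "testcase3", created=3, guid="3333")
    dc2.add("CN=testcase3,OU=usersample," + base, "testcase3", created=3, guid="0303")
    dc1.replicate_from(dc2)  # convergence: each DC pulls the other's changes
    dc2.replicate_from(dc1)
    assert sorted(o.dn for o in dc1.objects.values()) == sorted(o.dn for o in dc2.objects.values())
    return dc1


if __name__ == "__main__":
    converged = simulate()
    for sam, dns in sorted(duplicate_sams(converged).items()):
        print("%s is held by %d objects: %s" % (sam, len(dns), dns))
```

After convergence both DCs hold two objects named testcase1 and two named testcase3 (one of the latter under a \0ACNF: RDN), while a fresh originating add of either SAM name on the same DC is still refused: the check exists, it just never runs for replicated-in objects.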


Creating objects with duplicate sAMAccountName attributes method 2 – tombstone reanimation

The second method for creating objects with duplicate sAMAccountName attributes surfaced, again as a side effect, in Windows Server 2003 with the release of the new tombstone reanimation functionality. This is the functionality that gave you a basic object "undelete" capability in Active Directory. Prior to 2003, if you deleted something and needed it back, well, you had better have had functioning backups. With Windows Server 2003 the AD team gave us the ability to recover tombstones so they could be used again (YEAH![2]). This functionality is not all that well known, and even some of the people who know about it don’t really know how to accomplish it, so in most shops this method for duplicating the sAMAccountName attribute is not as likely[3].

So for example, here I will create a user object, delete it, create another user object with the same SAM Name and then recover the original user object’s tombstone.

C:\>admod -b CN=testcase5,CN=Users,DC=k8r2dom,DC=loc -add objectclass::user samaccountname::testcase5

AdMod V01.16.00cpp Joe Richards (joe@joeware.net) March 2011

DN Count: 1
Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2

Adding specified objects…
   DN: CN=testcase5,CN=Users,DC=k8r2dom,DC=loc…

The command completed successfully

C:\>adfind -showdel -default -f name=testcase5* samaccountname

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=k8r2dom,DC=loc

dn:CN=testcase5,CN=Users,DC=k8r2dom,DC=loc
>sAMAccountName: testcase5

1 Objects returned

C:\>adfind -default -f name=testcase5* -dsq | admod -del

AdMod V01.16.00cpp Joe Richards (joe@joeware.net) March 2011

DN Count: 1
Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2

Deleting specified objects…
   DN: CN=testcase5,CN=Users,DC=k8r2dom,DC=loc…

The command completed successfully

C:\>admod -b CN=testcase5,ou=testou,DC=k8r2dom,DC=loc -add objectclass::user samaccountname::testcase5

AdMod V01.16.00cpp Joe Richards (joe@joeware.net) March 2011

DN Count: 1
Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2

Adding specified objects…
   DN: CN=testcase5,ou=testou,DC=k8r2dom,DC=loc…

The command completed successfully

C:\>adfind -showdel -default -f name=testcase5* samaccountname

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=k8r2dom,DC=loc

dn:CN=testcase5,OU=testOU,DC=k8r2dom,DC=loc
>sAMAccountName: testcase5

dn:CN=testcase5\0ADEL:9a4e0a1f-4498-4ef3-aa1e-76bf0c69c61e,CN=Deleted Objects,DC=k8r2dom,DC=loc
>sAMAccountName: testcase5

2 Objects returned

C:\>adfind -showdel -default -rb "cn=deleted objects" -f name=testcase5* -dsq | admod -undel

AdMod V01.16.00cpp Joe Richards (joe@joeware.net) March 2011

DN Count: 1
Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2

Undeleting specified objects…
   DN: CN=testcase5\0ADEL:9a4e0a1f-4498-4ef3-aa1e-76bf0c69c61e,CN=Deleted Objects,DC=k8r2dom,DC=loc…

The command completed successfully

C:\>adfind -showdel -default -f name=testcase5

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=k8r2dom,DC=loc

dn:CN=testcase5,CN=Users,DC=k8r2dom,DC=loc
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: testcase5
>distinguishedName: CN=testcase5,CN=Users,DC=k8r2dom,DC=loc
>instanceType: 4
>whenCreated: 20120104214547.0Z
>whenChanged: 20120104214802.0Z
>uSNCreated: 498225
>uSNChanged: 498257
>name: testcase5
>objectGUID: {9A4E0A1F-4498-4EF3-AA1E-76BF0C69C61E}
>userAccountControl: 546
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 0
>lastLogoff: 0
>lastLogon: 0
>pwdLastSet: 0
>primaryGroupID: 513
>operatorCount: 0
>objectSid: S-1-5-21-1767008341-141532995-3086693677-62124
>adminCount: 0
>accountExpires: 0
>logonCount: 0
>sAMAccountName: testcase5
>sAMAccountType: 805306368
>lastKnownParent: CN=Users,DC=k8r2dom,DC=loc
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=k8r2dom,DC=loc
>dSCorePropagationData: 20120104214802.0Z
>dSCorePropagationData: 16010101000000.0Z

dn:CN=testcase5,OU=testOU,DC=k8r2dom,DC=loc
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: testcase5
>distinguishedName: CN=testcase5,OU=testOU,DC=k8r2dom,DC=loc
>instanceType: 4
>whenCreated: 20120104214650.0Z
>whenChanged: 20120104214650.0Z
>uSNCreated: 498237
>uSNChanged: 498238
>name: testcase5
>objectGUID: {05C87B3D-DFED-4740-9E6E-7F82BC499F82}
>userAccountControl: 546
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 0
>lastLogoff: 0
>lastLogon: 0
>pwdLastSet: 0
>primaryGroupID: 513
>objectSid: S-1-5-21-1767008341-141532995-3086693677-62125
>accountExpires: 9223372036854775807
>logonCount: 0
>sAMAccountName: testcase5
>sAMAccountType: 805306368
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=k8r2dom,DC=loc
>dSCorePropagationData: 16010101000000.0Z

2 Objects returned

C:\>

As you can see, we once again have two user objects in the same domain with the same sAMAccountName attribute values. A good argument could be made that a validation of the SAM Name should happen in this case, but, like with replication, it just wasn’t something they wanted to put the extra work into because, again like replication, it is a pretty small edge case.


$DUPLICATE-<hexchars> for sAMAccountName???

"Ok joe… so while I don’t like it, it makes sense, but I swear I have seen $DUPLICATE-<hexchars> for a user or (more likely) computer objects in AD before so I thought that there was conflict resolution to handle these things for sAMAccountName like RDNs and (effectively) DNs???"

Yes, it is definitely possible you saw this, but that conflict resolution did not occur during either of the processes above. It occurred later, when someone tried to create yet another new object with the duplicated name or when someone tried to authenticate using the duplicated SAM Name.

Example 1 – creating a new object with the same duplicated SAM Name

C:\>admod -b CN=testcase5,cn=computers,DC=k8r2dom,DC=loc -add objectclass::user samaccountname::testcase5

AdMod V01.16.00cpp Joe Richards (joe@joeware.net) March 2011

DN Count: 1
Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2

Adding specified objects…
   DN: CN=testcase5,cn=computers,DC=k8r2dom,DC=loc…: [K8R2Dom-DC1.k8r2dom.loc] Error 0x44 (68) – Already Exists

ERROR: Too many errors encountered, terminating…

The command did not complete successfully

C:\>adfind -showdel -default -f name=testcase5 samaccountname

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=k8r2dom,DC=loc

dn:CN=testcase5,CN=Users,DC=k8r2dom,DC=loc
>sAMAccountName: $DUPLICATE-f2ac

dn:CN=testcase5,OU=testOU,DC=k8r2dom,DC=loc
>sAMAccountName: testcase5

2 Objects returned


Example 2 – trying to authenticate to the duplicated SAM Name

C:\>adfind -showdel -default -f name=testcase1 samaccountname

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=k8r2dom,DC=loc

dn:CN=testcase1,CN=Users,DC=k8r2dom,DC=loc
>sAMAccountName: testcase1

dn:CN=testcase1,OU=testOU,DC=k8r2dom,DC=loc
>sAMAccountName: testcase1

2 Objects returned

C:\>adfind -default -s base -dn -u k8r2dom\testcase1 -p password -exterr

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

LDAP_BIND: [] Error 0x31 (49) – Invalid Credentials
Extended Error: No extended error info available.
Terminating program.

C:\>adfind -showdel -default -f name=testcase1 samaccountname

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=k8r2dom,DC=loc

dn:CN=testcase1,CN=Users,DC=k8r2dom,DC=loc
>sAMAccountName: $DUPLICATE-f2aa

dn:CN=testcase1,OU=testOU,DC=k8r2dom,DC=loc
>sAMAccountName: testcase1

2 Objects returned
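Since the DC only reacts once a duplicate is hit at create time or at logon, the defender's move is to look for them first. The script below is an added example for this post, not part of AdFind or anything Microsoft provides: it parses AdFind's output layout (the dn: line followed by >attribute: value lines, as in every listing above) and reports three things that both method 1 and method 2 can leave behind: live objects already sharing a sAMAccountName, tombstones whose sAMAccountName is also held by a live object (an undelete of those would create a duplicate), and objects the DC has already renamed to $DUPLICATE-<hex>. The embedded sample output is constructed, with made-up names, GUIDs and the DC=example,DC=test domain.

```python
from collections import defaultdict

DELETED_MARKER = "\\0ADEL:"       # RDN mangle AdFind shows for a tombstone
DUPLICATE_PREFIX = "$DUPLICATE-"  # what the DC renames a losing sAMAccountName to

# Constructed sample in AdFind's output layout (made-up values, not from a real domain);
# real input would come from: adfind -default -showdel -f samaccountname=* samaccountname isdeleted
SAMPLE_ADFIND_OUTPUT = r"""
Using server: DC1.example.test:389
Base DN: DC=example,DC=test

dn:CN=testcase1,CN=Users,DC=example,DC=test
>sAMAccountName: testcase1

dn:CN=testcase1,OU=testOU,DC=example,DC=test
>sAMAccountName: TestCase1

dn:CN=testcase3,OU=usersample,DC=example,DC=test
>sAMAccountName: testcase3

dn:CN=testcase3\0ACNF:00000000-0000-0000-0000-000000000001,OU=usersample,DC=example,DC=test
>sAMAccountName: testcase3

dn:CN=testcase5,CN=Users,DC=example,DC=test
>sAMAccountName: $DUPLICATE-f2ac

dn:CN=testcase5,OU=testOU,DC=example,DC=test
>sAMAccountName: testcase5

dn:CN=testcase7\0ADEL:00000000-0000-0000-0000-000000000002,CN=Deleted Objects,DC=example,DC=test
>isDeleted: TRUE
>sAMAccountName: testcase7

dn:CN=testcase7,OU=testOU,DC=example,DC=test
>sAMAccountName: testcase7

dn:CN=alice,CN=Users,DC=example,DC=test
>sAMAccountName: alice

9 Objects returned
"""


def parse_adfind(text):
    """[{'dn': str, 'attrs': {lowercase_name: [values]}}, ...]. A 'dn:' line opens an
    object, '>name: value' lines belong to it, everything else (banner, server, count) is skipped."""
    objects, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("dn:"):
            current = {"dn": line[3:].strip(), "attrs": defaultdict(list)}
            objects.append(current)
        elif line.startswith(">") and current is not None:
            name, _, value = line[1:].partition(":")
            current["attrs"][name.strip().lower()].append(value.strip())
    return objects


def first_value(obj, attr):
    values = obj["attrs"].get(attr.lower(), [])
    return values[0] if values else None


def is_deleted(obj):
    """Tombstone if it carries isDeleted: TRUE or sits under the \\0ADEL: RDN mangle."""
    return DELETED_MARKER in obj["dn"] or (first_value(obj, "isDeleted") or "").upper() == "TRUE"


def group_by_sam(objects, deleted):
    """{sam_lowercase: [dn, ...]} over live (deleted=False) or tombstoned objects.
    SAM name lookups are case-insensitive, so the grouping is too."""
    groups = defaultdict(list)
    for obj in objects:
        sam = first_value(obj, "sAMAccountName")
        if sam and is_deleted(obj) == deleted:
            groups[sam.lower()].append(obj["dn"])
    return groups


def find_duplicate_sams(objects):
    """Live objects that already share a sAMAccountName (method 1 or 2 has happened)."""
    return {sam: dns for sam, dns in group_by_sam(objects, False).items() if len(dns) > 1}


def find_reanimation_risks(objects):
    """Tombstones whose sAMAccountName a live object also holds: reanimating one creates a duplicate."""
    live = group_by_sam(objects, False)
    return {sam: dns for sam, dns in group_by_sam(objects, True).items() if sam in live}


def find_duplicate_markers(objects):
    """Objects the DC has already renamed to $DUPLICATE-<hex> after a collision at create or logon."""
    return [(obj["dn"], first_value(obj, "sAMAccountName")) for obj in objects
            if (first_value(obj, "sAMAccountName") or "").upper().startswith(DUPLICATE_PREFIX)]


if __name__ == "__main__":
    objs = parse_adfind(SAMPLE_ADFIND_OUTPUT)
    print("duplicate live SAM names :", find_duplicate_sams(objs))
    print("reanimation risks        :", find_reanimation_risks(objs))
    print("already renamed by the DC:", find_duplicate_markers(objs))
```

Against a real domain, redirect the AdFind command from the comment to a file and feed it to parse_adfind. Because method 1 lives in the replication convergence window, the listing from one DC only tells you about what that DC has seen so far; run it against each DC (or after convergence) if you want the whole picture. CNF-mangled objects are reported as live duplicates on purpose: the DC fixed their RDN, not their SAM name.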


This concludes this blog post. I hope that it was informative and I hope to bring a lot more like this to the blog again this year. Once again I apologize for my relative absence last year. 🙂


   joe


[1] This is obviously about Active Directory Domain Services, ADAM or ADLDS can have duplicate sAMAccountName attributes all day assuming you have sAMAccountName defined in the schema. There is absolutely NOTHING in place to assure or guarantee anything for it.

[2] Anything that helps me avoid authoritative restores is a YEAH! type of thing. 🙂

[3] The main reason for the lack of awareness is likely that Microsoft never produced any kind of "reanimate" GUI interface, which effectively prevented some 90% of the Windows admins out there from ever knowing about it and probably even more from using it. A second "strike", if you will, was that a tombstone object didn’t normally have all of the attributes that were populated on the object prior to deletion, so even if you knew how to perform the reanimation, you might end up performing a restore of the object anyway to get all of the info for the object. Now if you knew about the functionality and you knew how to take advantage of it, it was likely very useful for you when absolutely needed and you didn’t want to fuss around with an authoritative restore (again [2]). Of course now we have the recycle bin, so we are many steps beyond tombstone reanimation (or have the capability to be…), but in terms of this blog post, tombstone reanimation gave us a new method to duplicate a sAMAccountName.

