joeware - never stop exploring... :)

I am working on a little side project for an old British friend of mine (his name starts with a D and ends with an ean). In the process of working on it I found a bug in AdFind. That bug was based on an assumption, an assumption, on reflection, I really shouldn’t have made. An assumption I made, oh, about a decade ago in one of the very first revs of AdFind and it has been lurking there ever since.

Inside of AdFind there is a small table of hardcoded values for SIDs and GUIDs. This is because initially, that is how I determined what attributes should be handled as SIDs and which should be handled as GUIDs. After a while I got sick of maintaining the table so found some creative ways of dynamically working out what was a SID and what was a GUID; I started reading the schema. Now one problem though, the SIDs have a special attributeSyntax saying they are SIDs, GUIDs are not so lucky. So I perform some basic logic and work out what binary attributes are *possibly* GUIDs[1].

In the meanwhile I left that little hardcoded table in place and it gets loaded every time you start AdFind though mostly it is for when you use –dloid. That switch forces AdFind to NOT load the schema for whatever reason you wanted but I still want to be able to decode certain attributes as SIDs/GUIDs. Now I am reviewing whether or not I still think that is a good idea. In terms of performance, it really doesn’t add any impact, but from the standpoint of “is it a good idea” – that is something that I have to think about.

Anyway the specific issue…. When I built that original table back then I looked at the attribute called oMTIndxGuid which could be up to the size of a GUID structure and had GUID in the name so I assumed it was a GUID. That assumption has gone unnoticed for a decade. Well for whatever reason, I still haven’t figured out why yet, but when querying a directory with the –objfilefolder switch enabled the decoding of that attribute which was previously being incorrectly done as a mostly empty GUID started crashing instead.

Anyway, this assumption will be fixed one way or another in V01.46.00.

   joe

[1] Note the same type of issue also exists with INT8 (FILETIME) timestamp attributes. That is also something I am working on for V01.46.00. Actually, I think the fixes there are pretty locked down, it looks for INT8 attributes that have time in the name or adminDescription combined with yes… a hard coded table. Actually there are a couple of tables, one for known INT8 time attributes, one for known INT8 interval attributes. Also there will be a new switch to allow you to specify additional INT8 time attributes as it has been a long time pain for me when I make a new INT8 time attribute and it doesn’t decode that way with my own utility.

I found a forum that referenced your adfind utility. I’m looking to get a list of all users in AD that have the “Password Never Expires” set on their account. Can you help with this?

xxxx

Network Administrator

yyyy

nnn – o

nnn – m

<Certified Mac Technician Logo>

<Microsoft Certified Systems Administrator Logo>

Various options available:

1. Use google/bing to search internet for examples

2. Buy and read the O’Reilly book “Active Directory Cookbook 3rd Edition”

3. Buy and read the O’Reilly book “Active Directory”

4. Follow item #3 on http://blog.joeware.net/2011/04/14/2238/

I received the following email last month and figured it was worth writing up because it involves an LDAP query and Generalized Time which I don’t believe I have previously written about. Also part of this email made me chuckle, I won’t indicate which part.

From: xxxxx
Sent: Thursday, March 03, 2011 7:30 PM
To: joe@joeware.net
Subject: Help Please

Hi Joe,
Can you help me? I am looking to use ADFind.exe to locate all users in the GC that were created on a specific date range based no the whenCreated attribute and export the name, userprincipalname, samaccountname and whencreated attributes to a CSV.

Is this possible with your utility? If so, can you show me the syntax?

I have written a .NET application to gather this info but it is just too slow.

Thanks in advance,
xxxxx

This query is pretty basic for AdFind and I have spoken at length about how to specify bases and returning attributes etc so the piece I will discuss here will be the LDAP filter and specifically, the pieces specific to the time.

Generalized Time is one of the ways that time is represented in Active Directory. Certain attributes like whenCreated and whenChanged use this format which looks like:

>whenCreated: 20110323183100.0Z

If you look closely you can see that the format is

“YYYYMMDDHHMMSS.0Z”

• YYYY – Four digit year
• MM – two digit month
• DD – two digit day
• HH – two digit military time format hour
• MM – two digit minute
• SS – two digit second
• .0Z which stands for ZULU time, i.e. UTC.

When creating queries with Generalized Time you can use

• an EXISTS query (i.e. attribute=* or the NOT of that)
• an EQUALS query (i.e. attribute=somevalue)
• a RANGE query (i.e attribute>=somevalue or attribute<=somevalue or some combination)

EXISTS and EQUALS queries are pretty rare in my opinion for Generalized Time attributes. When you perform an EQUALS query, the value has to be exactly correct. If you are looking for something, you usually won’t have a value down to the second unless you are trying to find everything that was created at the same time something else was created and use that object’s whenCreated value. RANGE based queries, on the other hand, are common. When performing those queries you can “zero out’ pieces of the time format. For example, you don’t have to specify hours, minutes or seconds so the actual value could look something like 20110401000000.0Z to indicate the very beginning of April 1, 2011.

So with the understanding that you must always use >= or <= versus > and < and the Generalized Time Format listed above combined with the possible values it is pretty easy to build your LDAP queries. To specify an object creation range of say the month of April 2011, the query would be

(&(whencreated>=20110401000000.0Z)(whencreated<=20110501000000.0Z))

If you need to know what objects were created within a certain hour or range of hours, this is a little more tricky UNLESS you know the actual UTC values to specify. Generalized Time allows you to specify something other than ZULU / UTC time, specifically, you can specify a time with offset, that looks like “YYYYMMDDHHMMSS.0[+/-]HHMM”. A simple example to return the objects created between 1PM and 5PM UTC on April 1 would be

(&(whencreated>=20110401130000.0Z)(whencreated<=20110401170000.0Z))

Of course unless you want every single object class that could have been created in the search scope for the given time range, you will want to specify an objectCategory or some other indexed attribute.

Before I close this post out, let me add one little note… The note is about whenChanged. While whenCreated is a replicated attribute and will be the same for a given object across all DCs, whenChanged is NOT replicated, repeat it is NOT replicated. This means that while you can successfully use whenCreated to search for objects created in a specific range, using whenChanged may not be as helpful especially if you are querying different DCs at different times. Since whenChanged isn’t replicated, the value will be based on when the actual change got to that actual DC, not when it was mastered on some other DC.

Don’t believe me… The Active Directory schema says the same thing…

F:\Dev\cpp\AdFind>adfind -sc s:whenchanged

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: CN=Schema,CN=Configuration,DC=k8r2dom,DC=loc

dn:CN=When-Changed,CN=Schema,CN=Configuration,DC=k8r2dom,DC=loc
>objectClass: top
>objectClass: attributeSchema
>cn: When-Changed
>distinguishedName: CN=When-Changed,CN=Schema,CN=Configuration,DC=k8r2dom,DC=loc
>instanceType: 4 [WRITABLE(4)]
>whenCreated: 20090211173717.0Z
>whenChanged: 20090211173717.0Z
>uSNCreated: 1197
>attributeID: 1.2.840.113556.1.2.3
>attributeSyntax: 2.5.5.11 [STRING (UTC/GENERALIZED-TIME)]
>isSingleValued: TRUE
>mAPIID: 12296
>uSNChanged: 1197
>showInAdvancedViewOnly: TRUE
>adminDisplayName: When-Changed
>adminDescription: When-Changed
>oMSyntax: 24 [STRING (GENERALIZED-TIME)]
>searchFlags: 0 []
>lDAPDisplayName: whenChanged
>name: When-Changed
>objectGUID: {1431D635-9F30-488F-A0BE-86FB07149487}
>schemaFlagsEx: 1 [FLAG_ATTR_IS_CRITICAL(1)]
>schemaIDGUID: {BF967A77-0DE6-11D0-A285-00AA003049E2}
>systemOnly: TRUE
>systemFlags: 19 [NOT REPLICATED(1);PAS-ATTR(2);CAT-1(16)]
>isMemberOfPartialAttributeSet: TRUE
>objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=k8r2dom,DC=loc
>dSCorePropagationData: 16010101000000.0Z

1 Objects returned

   joe

Yes that was a dramatic title, but I wanted you to read this.

I love Active Directory Application Mode and everyone who reads this blog knows it. However, I was let down today. I was automating the creation of an NC in a way that I hadn’t previously done. Actually it was automation of several NCs all for a single data management/reporting function and it will in the end, hopefully be a cookie cutter thing that I can deploy and redeploy as necessary. But enough about that…

So I built the initial NC manually, a series of AdMod commands and some scripts that built out the structures via more AdMod commands. Then I exported the structures with AdFind to a CSV file. Then I tried to import that CSV file and KahBlammie… It blows up on the first line which is the NC instantiation itself…

Basically I tried to create with the following (this isn’t in CSV Mode, this manual troubleshooting mode):

admod -hh . -add -b cn=ADAMRocks objectclass:++:top;container instancetype::5 –exterr

All seems ok with that though it is a little different than if I had typed it out by hand, more on that in a bit.

The error you ask?

DN: cn=ADAMRocks…: [DellLT17] Error 0x35 (53) – Unwilling To Perform

Extended Error: 00002079: SvcErr: DSID-03330A1A, problem 5003 (WILL_NOT_PERFORM), data 0

Error 2079…

  ERROR_DS_BAD_INSTANCE_TYPE                                    winerror.h
# The specified instance type is not valid.

Huh?

As I mentioned above, the command used followed what I was doing in CSV from an export, it differs slightly in what I would do normally if I typed the command manually and that is:

admod -hh . -add -b cn=ADAMRocks objectclass::container instancetype::5 –exterr

So I tried that and voila it worked. The whole issue is simply around how objectClass is being processed for the root object for the naming context. Once that one object is in place properly, the rest of the import for all of the other objects works perfect and they ALL have objectclass specified as a multi-value attribute.

So I didn’t see anything else I could do other than to tweak the CSV file. I am certainly not going to modify AdMod to try and account for this as that is getting a bit too touchy feeling with modifying what someone types in[1].

Anyway, I thought I would document it here so the next time I forget about it and hit it I can come back here to my long term memory store and read about what I did the last time. In the meanwhile, perhaps it will be useful to someone else as well.

    joe

[1] Yeah there is some sort of balance I am trying to keep in place between what the user types and what the user might possibly intend.