http://www.engadget.com/2011/05/19/battery-powered-black-current-vw-beetle-flaunts-itself-in-drag/
Information about joeware mixed with wild and crazy opinions...
http://www.crunchgear.com/2011/05/17/developers-prefer-gpl-enterprises-prefer-apache/
The big takeaway is that developers generally prefer the GNU General Public License while their enterprise employers prefer the Apache Software License. There are a number of ways to interpret this data.
I am working on a little side project for an old British friend of mine (his name starts with a D and ends with an ean). In the process of working on it I found a bug in AdFind. That bug was based on an assumption, an assumption, on reflection, I really shouldn’t have made. An assumption I made, oh, about a decade ago in one of the very first revs of AdFind and it has been lurking there ever since.
Inside of AdFind there is a small table of hardcoded values for SIDs and GUIDs. This is because initially, that is how I determined what attributes should be handled as SIDs and which should be handled as GUIDs. After a while I got sick of maintaining the table so found some creative ways of dynamically working out what was a SID and what was a GUID; I started reading the schema. Now one problem though, the SIDs have a special attributeSyntax saying they are SIDs, GUIDs are not so lucky. So I perform some basic logic and work out what binary attributes are *possibly* GUIDs[1].
In the meanwhile I left that little hardcoded table in place and it gets loaded every time you start AdFind though mostly it is for when you use -dloid. That switch forces AdFind to NOT load the schema for whatever reason you wanted but I still want to be able to decode certain attributes as SIDs/GUIDs. Now I am reviewing whether or not I still think that is a good idea. In terms of performance, it really doesn’t add any impact, but from the standpoint of “is it a good idea” – that is something that I have to think about.
Anyway the specific issue…. When I built that original table back then I looked at the attribute called oMTIndxGuid which could be up to the size of a GUID structure and had GUID in the name so I assumed it was a GUID. That assumption has gone unnoticed for a decade. Well for whatever reason, I still haven’t figured out why yet, but when querying a directory with the -objfilefolder switch enabled the decoding of that attribute which was previously being incorrectly done as a mostly empty GUID started crashing instead.
Anyway, this assumption will be fixed one way or another in V01.46.00.
joe
[1] Note the same type of issue also exists with INT8 (FILETIME) timestamp attributes. That is also something I am working on for V01.46.00. Actually, I think the fixes there are pretty locked down, it looks for INT8 attributes that have time in the name or adminDescription combined with yes… a hard coded table. Actually there are a couple of tables, one for known INT8 time attributes, one for known INT8 interval attributes. Also there will be a new switch to allow you to specify additional INT8 time attributes as it has been a long time pain for me when I make a new INT8 time attribute and it doesn’t decode that way with my own utility.
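The length assumption described above is something a decoder can check before it formats anything. The following is an added example, not AdFind's code: `decode_guid` and `decode_sid` are hypothetical helpers that validate the size of a binary value first and fall back to plain hex when it does not fit. The sample bytes are constructed here; the GUID bytes correspond to the objectGUID value in the schema output further down this page.

```python
import struct
import uuid


def _as_hex(raw: bytes) -> str:
    """Fallback rendering for values that do not match the expected layout."""
    return "0x" + raw.hex().upper()


def decode_guid(raw: bytes) -> str:
    """Render raw as a GUID only when it is exactly 16 bytes long."""
    if len(raw) != 16:
        # An attribute that is merely *named* like a GUID, or that holds
        # "up to" 16 bytes, is not padded or read past its end.
        return _as_hex(raw)
    # Directory GUIDs store their first three fields little-endian.
    return "{" + str(uuid.UUID(bytes_le=raw)).upper() + "}"


def decode_sid(raw: bytes) -> str:
    """Render a binary SID as S-R-A-S1-S2..., checking the length first."""
    if len(raw) < 8:
        return _as_hex(raw)
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        # The sub-authority count disagrees with the data actually present.
        return _as_hex(raw)
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


if __name__ == "__main__":
    # Constructed sample values.
    full_guid = bytes.fromhex("35D63114309F8F48A0BE86FB07149487")
    short_value = b"\x01\x02\x03"  # stands in for a short "Guid"-named attribute
    builtin_admins = bytes.fromhex("01020000000000052000000020020000")
    print(decode_guid(full_guid))
    print(decode_guid(short_value))
    print(decode_sid(builtin_admins))
```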
I just saw this on a show on Speed network about EV’s… I was drooling.
a four-cylinder, turbocharged petrol engine, which will aid the four electric motors (one attached to each wheel). Don’t worry, though, this tweak has actually made the C-X75 accelerate even faster, as it’s now rated to go from 0 to 60mph in under three seconds
http://www.engadget.com/2011/05/06/jaguar-will-actually-build-million-dollar-c-x75-hybrid-supercar
I found a forum that referenced your adfind utility. I’m looking to get a list of all users in AD that have the “Password Never Expires” set on their account. Can you help with this?
xxxx
Network Administrator
yyyy
nnn – o
nnn – m
<Certified Mac Technician Logo>
<Microsoft Certified Systems Administrator Logo>
Various options available:
1. Use google/bing to search internet for examples
2. Buy and read the O’Reilly book “Active Directory Cookbook 3rd Edition”
3. Buy and read the O’Reilly book “Active Directory”
4. Follow item #3 on http://blog.joeware.net/2011/04/14/2238/
I received the following email last month and figured it was worth writing up because it involves an LDAP query and Generalized Time which I don’t believe I have previously written about. Also part of this email made me chuckle, I won’t indicate which part.
From: xxxxx
Sent: Thursday, March 03, 2011 7:30 PM
To: joe@joeware.net
Subject: Help Please
Hi Joe,
Can you help me? I am looking to use ADFind.exe to locate all users in the GC that were created on a specific date range based on the whenCreated attribute and export the name, userprincipalname, samaccountname and whencreated attributes to a CSV. Is this possible with your utility? If so, can you show me the syntax?
I have written a .NET application to gather this info but it is just too slow.
Thanks in advance,
xxxxx
This query is pretty basic for AdFind and I have spoken at length about how to specify bases and returning attributes etc so the piece I will discuss here will be the LDAP filter and specifically, the pieces specific to the time.
Generalized Time is one of the ways that time is represented in Active Directory. Certain attributes like whenCreated and whenChanged use this format which looks like:
>whenCreated: 20110323183100.0Z
If you look closely you can see that the format is
“YYYYMMDDHHMMSS.0Z”
When creating queries with Generalized Time you can use
EXISTS and EQUALS queries are pretty rare in my opinion for Generalized Time attributes. When you perform an EQUALS query, the value has to be exactly correct. If you are looking for something, you usually won’t have a value down to the second unless you are trying to find everything that was created at the same time something else was created and use that object’s whenCreated value. RANGE based queries, on the other hand, are common. When performing those queries you can “zero out” pieces of the time format. For example, you don’t have to specify hours, minutes or seconds so the actual value could look something like 20110401000000.0Z to indicate the very beginning of April 1, 2011.
So with the understanding that you must always use >= or <= versus > and < and the Generalized Time Format listed above combined with the possible values it is pretty easy to build your LDAP queries. To specify an object creation range of say the month of April 2011, the query would be
(&(whencreated>=20110401000000.0Z)(whencreated<=20110501000000.0Z))
If you need to know what objects were created within a certain hour or range of hours, this is a little more tricky UNLESS you know the actual UTC values to specify. Generalized Time allows you to specify something other than ZULU / UTC time, specifically, you can specify a time with offset, that looks like “YYYYMMDDHHMMSS.0[+/-]HHMM”. A simple example to return the objects created between 1PM and 5PM UTC on April 1 would be
(&(whencreated>=20110401130000.0Z)(whencreated<=20110401170000.0Z))
Of course unless you want every single object class that could have been created in the search scope for the given time range, you will want to specify an objectCategory or some other indexed attribute.
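The filter construction described above can be scripted so that local times are converted to UTC and the >= / <= restriction is handled consistently. This is an added example, not part of AdFind or the original post: the function names are hypothetical, the dates are constructed, and it assumes whole-second resolution as in the format shown above.

```python
from datetime import datetime, timedelta, timezone

GT_FORMAT = "%Y%m%d%H%M%S.0Z"  # UTC ("Zulu") form: YYYYMMDDHHMMSS.0Z


def to_generalized_time(dt: datetime) -> str:
    """Convert an aware datetime to a UTC Generalized Time string."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: attach a timezone so the UTC value is unambiguous")
    return dt.astimezone(timezone.utc).strftime(GT_FORMAT)


def parse_generalized_time(value: str) -> datetime:
    """Parse the Z form or the [+/-]HHMM offset form; the result is in UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0%z").astimezone(timezone.utc)


def created_range_filter(start, end, end_exclusive=False, attr="whenCreated"):
    """Build (&(attr>=start)(attr<=end)) using only >= and <=."""
    if end_exclusive:
        # There is no '<' to use, so step the upper bound back one second
        # to keep the boundary instant out of the result set.
        end = end - timedelta(seconds=1)
    lo, hi = to_generalized_time(start), to_generalized_time(end)
    if lo > hi:  # fixed-width digit strings compare in time order
        raise ValueError("range is empty: start is after end")
    return "(&(%s>=%s)(%s<=%s))" % (attr, lo, attr, hi)


if __name__ == "__main__":
    # Constructed inputs: 9AM to 1PM at UTC-4 is 1PM to 5PM UTC.
    local = timezone(timedelta(hours=-4))
    print(created_range_filter(datetime(2011, 4, 1, 9, tzinfo=local),
                               datetime(2011, 4, 1, 13, tzinfo=local)))
    # April 2011 only, leaving out midnight on May 1.
    print(created_range_filter(datetime(2011, 4, 1, tzinfo=timezone.utc),
                               datetime(2011, 5, 1, tzinfo=timezone.utc),
                               end_exclusive=True))
    print(parse_generalized_time("20110401090000.0-0400"))
```

The second call yields an upper bound of 20110430235959.0Z, which leaves out an object created at exactly 20110501000000.0Z; the hand-written April filter above includes it.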
Before I close this post out, let me add one little note… The note is about whenChanged. While whenCreated is a replicated attribute and will be the same for a given object across all DCs, whenChanged is NOT replicated, repeat it is NOT replicated. This means that while you can successfully use whenCreated to search for objects created in a specific range, using whenChanged may not be as helpful especially if you are querying different DCs at different times. Since whenChanged isn’t replicated, the value will be based on when the actual change got to that actual DC, not when it was mastered on some other DC.
Don’t believe me… The Active Directory schema says the same thing…
F:\Dev\cpp\AdFind>adfind -sc s:whenchanged
AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011
Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: CN=Schema,CN=Configuration,DC=k8r2dom,DC=loc
dn:CN=When-Changed,CN=Schema,CN=Configuration,DC=k8r2dom,DC=loc
>objectClass: top
>objectClass: attributeSchema
>cn: When-Changed
>distinguishedName: CN=When-Changed,CN=Schema,CN=Configuration,DC=k8r2dom,DC=loc
>instanceType: 4 [WRITABLE(4)]
>whenCreated: 20090211173717.0Z
>whenChanged: 20090211173717.0Z
>uSNCreated: 1197
>attributeID: 1.2.840.113556.1.2.3
>attributeSyntax: 2.5.5.11 [STRING (UTC/GENERALIZED-TIME)]
>isSingleValued: TRUE
>mAPIID: 12296
>uSNChanged: 1197
>showInAdvancedViewOnly: TRUE
>adminDisplayName: When-Changed
>adminDescription: When-Changed
>oMSyntax: 24 [STRING (GENERALIZED-TIME)]
>searchFlags: 0 []
>lDAPDisplayName: whenChanged
>name: When-Changed
>objectGUID: {1431D635-9F30-488F-A0BE-86FB07149487}
>schemaFlagsEx: 1 [FLAG_ATTR_IS_CRITICAL(1)]
>schemaIDGUID: {BF967A77-0DE6-11D0-A285-00AA003049E2}
>systemOnly: TRUE
>systemFlags: 19 [NOT REPLICATED(1);PAS-ATTR(2);CAT-1(16)]
>isMemberOfPartialAttributeSet: TRUE
>objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=k8r2dom,DC=loc
>dSCorePropagationData: 16010101000000.0Z
1 Objects returned
joe
I hope no one feels they can honestly argue the point, but as a general rule I feel I truly like to help people; I would think that should be obvious based on the last decade of tools I have made freely available, the sharing of tons of possibly quite valuable information on this blog and other public forums, and who knows how many unsolicited direct emails I have received and responded to over the last 10-15 years.
That being said, it isn’t all an act of altruistic servitude. In part, receiving and responding to the emails has been fun for me and I used to often learn new things from the emails to boot. I can’t count the number of times someone would explain a situation to me and I would sit back and think, there is no way it works like that, only to test it and see that indeed, it does work like that whether it was one of my utilities or more often, a Microsoft product I am familiar with.
To me, learning is always fun except when it involves learning from bad experiences like “Hey if you hit a sheet of ice when your car is traveling at 60 MPH the outcome is not generally good” or “don’t loan money to a friend because they are fairly likely to take advantage of you“. That learning and fun and just touching base with people around the world who have similar interests has always been enjoyable for me. That joy has value to me. Makes the time spent reading and responding worth it versus spending the time on other things.
Unfortunately, a trend in email question quality I started detecting maybe 5 years ago has been accelerating at a fierce rate the last couple of years and it has gotten to the point that a vast number of the emails I am receiving now are more irksome than happy making for me and pretty much a waste of time.
Those long time followers of this blog and anyone who has spoken to me in person are aware of this trend and my thoughts on it. But for the rest… The trend is people asking very basic questions that they could easily boogle[1] for the answer or asking me how to do their job properly when their boss gives them an assignment to figure something out or several other things that truly have no value to me at all, simply someone who doesn’t or can’t put in the work and is using me as their phone a friend.
As many of you know, I already have a job in IT, I don’t need to be doing other people’s jobs for free. Especially, and this may sound mean spirited but isn’t intended to be, but especially I don’t need to be spending my valuable spare time doing for free the job of people who have taken the jobs of friends and future friends of mine who did a better job but cost more. I won’t speak any more on that specific topic other than quality workers can and should cost a company some quality money. Don’t go into Morton’s Steakhouse, order a steak, and then demand McDonald’s pricing – you won’t get it. Alternately, don’t walk into McDonald’s and order a cheeseburger and then try to demand Morton’s quality – you won’t get it. If you want McDonald’s pricing, you get McDonald’s quality. That may work for you, it may not. But if it isn’t what you wanted in the long run, you can look in the mirror to see who to blame.
With all of that being said, below are the changes I am implementing. Note that these changes are, like everything involved with joeware, completely and utterly up to my final discretion. I make the tools, I do the work, I define the results. I am open to people stating other opinions and may even change future directions based on those opinions but, in the end, if you come to me, you are asking me to be the sole arbiter of anything that I do for you. That is the most succinct way of stating the EULA’s of most if not every company out there. Don’t believe me, go into any Burger King (which does it your way) and ask for a Coca Cola without High Fructose Corn Syrup and a turkey burger with sliced kohlrabi chips and see how far you get.
joeware support policy change
I have wide discretionary powers in what I will and won’t deem poor quality and what I will and won’t deal with. Even before this “policy change” if the email was poor enough, I would only be helpful enough to send back a response that would be useful to someone who could and would try to figure something out. This just solidifies my stance, makes it public, and offers a mechanism to change my mind on what kind of response I would like to produce.
For everything else…
If you have found a bug in one of the tools, please email me. If you have an idea on something to make one of the tools better, please email me. If you have an idea of a new tool that needs to be written, please email me. Note that all of those emails and the associated ideas become MY property the instant they hit my inbox. You can tell anyone you like that you made the suggestion but for all legal and fiscal intents and purposes, they are my intellectual property.
Finally if you just want to say hi and/or that you found the tools or information or whatever useful or humourous or has made your life better, definitely feel free to email me – and don’t forget the tip jar. ;o)
joe
[1] The term boogle is what I use to describe using either Bing or Google to search for something. Yes I realize there is a website out there called boogle.com which just does a Google search but I think boogle sounds better than ging.
[2] I get about 10-15 of these a month. If people want to donate the right amount for this, then hey, I can retire and spend full time on joeware.