joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

3/3/2011

AdFind V01.44.00 and AdMod V01.15.00 released

by @ 11:52 pm. Filed under tech

As mentioned previously, AdFind V01.43.00 had some issues with non-Microsoft LDAP directories due to a check I added to detect if paging was available[1]. I mistakenly assumed that RootDSEs would all return the supportedControl attribute by default. I fixed that. 🙂 In the meanwhile I took the time to work on a few other things that I didn’t have time to get to in the prior release; overall though, the main changes are in AdMod.

AdFind Update Summary

As mentioned, I fixed the paging check issue. I also set up some decodes of RootDSE OIDs for OpenLDAP. I also added a -nopagingcheck switch just in case a directory supports the paging control but for whatever reason isn’t returning it in the RootDSE request. Look at me worrying about non-Microsoft directories. ;o)

I fixed an output bug I introduced in V01.43.00 around value metadata output.

I tweaked the attributes in the -sc export_* shortcuts.

I put in a hard block and error message when you specify a special base and the -b switch. I call this the Burbidge update.

I modified the -sc dclist shortcut. I made it more flexible so that it can be used for all DCs in the forest or just the DCs in a single domain. Also you can now specify RODCs only. At the same time I also decided to add -sc gclist and -sc !gclist. These should all be really useful for FOR /F looping in Batch. I intend to write up a blog entry or two on this because it is tremendously useful if you need to quickly gather info across all of your DCs and everyone is telling you that you need to write a script to do it.

I added another similar shortcut, -sc domainlist, which gives you the DNS names (dNSRoot attribute of the NC partition object) of all domains in the forest.

 

AdMod Update Summary

Main changes in AdMod are that I was finally able to duplicate and find some long running -CSV and -Import issues. I had been getting sporadic reports of issues for some time and I could never narrow the problem down, but finally got a break in the troubleshooting and sorted it out. I spent hours most nights since the last release stepping through the code line by line for various CSV files, keeping manual tables of what should be happening; it reminded me of exercises from computer science classes back in the 80’s.

 

I also took this time to add some other useful features to the import functionality to make it friendlier for imports, including having AdMod look at the destination directory schema and automatically filter out any attributes from the import that don’t exist in the destination directory. I also added two new import modes, importpass1 and importpass2. These help deal with DN attributes that may reference objects that aren’t yet defined when the object is created. The idea is that you run the CSV file in ADD mode with importpass1 and it creates all of the objects with the DN attributes filtered out. Then you run the same CSV file through in update mode with importpass2 and it populates just the DN attributes. It worked really well in my limited tests and I think it is pretty cool, but I look forward to the comments from the field… from you guys and gals. Oh, I also added an -sc importschema switch that will also be the topic of a future blog entry.
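The two-pass idea above, as an added example that is not AdMod’s code: a toy in-memory directory that, like a real LDAP server, rejects a DN-valued attribute pointing at an object that does not exist yet. A single pass over the export fails on the forward reference (Alice’s manager is Bob, who comes later in the file); pass 1 with the DN attributes stripped followed by pass 2 with only the DN attributes succeeds. The CSV layout, the attribute names and the destination schema are constructed for the example; the schema filter drops the column the destination does not know about, as the post describes.

```python
import csv
import io

# Constructed sample export (one attribute per column; AdMod's real CSV layout
# is not shown on the page, so this layout is an assumption).
SAMPLE_CSV = """dn,objectClass,sAMAccountName,manager,extensionAttr99
"cn=Alice,ou=Users,dc=test,dc=loc",user,alice,"cn=Bob,ou=Users,dc=test,dc=loc",x
"cn=Bob,ou=Users,dc=test,dc=loc",user,bob,,y
"""

# Constructed destination schema: extensionAttr99 does not exist there.
DESTINATION_SCHEMA = {"objectClass", "sAMAccountName", "manager"}
# Attributes whose values are DNs of other objects (forward references possible).
DN_ATTRIBUTES = {"manager"}


class DanglingReference(Exception):
    """Raised when a DN-valued attribute points at a non-existent object."""


class ToyDirectory:
    """In-memory stand-in for an LDAP directory.  Stores objects keyed by
    lower-cased DN and refuses DN references to objects it does not hold."""

    def __init__(self, schema, dn_attributes):
        self.schema = schema
        self.dn_attributes = dn_attributes
        self.objects = {}

    def add(self, dn, attrs):
        self._check_refs(attrs)
        self.objects[dn.lower()] = dict(attrs)

    def update(self, dn, attrs):
        self._check_refs(attrs)
        self.objects[dn.lower()].update(attrs)

    def _check_refs(self, attrs):
        for name, value in attrs.items():
            if name in self.dn_attributes and value.lower() not in self.objects:
                raise DanglingReference(f"{name} -> {value} does not exist yet")


def parse_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def filter_to_schema(row, schema):
    """Drop columns the destination schema does not define (keep the dn)."""
    return {k: v for k, v in row.items() if k == "dn" or k in schema}


def import_rows(directory, rows, mode, dn_attributes):
    """mode 'single': add each row as exported (fails on forward references)
       mode 'pass1' : add objects with DN attributes filtered out
       mode 'pass2' : update only the DN attributes on the now-existing objects"""
    for row in rows:
        row = filter_to_schema(row, directory.schema)
        dn = row.pop("dn")
        attrs = {k: v for k, v in row.items() if v != ""}   # empty cell = not set
        if mode == "pass1":
            directory.add(dn, {k: v for k, v in attrs.items() if k not in dn_attributes})
        elif mode == "pass2":
            directory.update(dn, {k: v for k, v in attrs.items() if k in dn_attributes})
        else:
            directory.add(dn, attrs)


def single_pass_fails(text=SAMPLE_CSV):
    """True if a naive one-pass import trips over the forward reference."""
    directory = ToyDirectory(DESTINATION_SCHEMA, DN_ATTRIBUTES)
    try:
        import_rows(directory, parse_rows(text), "single", DN_ATTRIBUTES)
    except DanglingReference:
        return True
    return False


def two_pass_import(text=SAMPLE_CSV):
    """Run importpass1 then importpass2 over the same rows; return the objects."""
    directory = ToyDirectory(DESTINATION_SCHEMA, DN_ATTRIBUTES)
    rows = parse_rows(text)
    import_rows(directory, rows, "pass1", DN_ATTRIBUTES)
    import_rows(directory, rows, "pass2", DN_ATTRIBUTES)
    return directory.objects


if __name__ == "__main__":
    print("single pass fails:", single_pass_fails())
    for dn, attrs in two_pass_import().items():
        print(dn, attrs)
```

The same ordering problem shows up with member, managedBy and any other DN-syntax attribute, and it is order-dependent: the one-pass import only works if every referenced object happens to appear earlier in the file.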

I fixed a couple of bugs: the first was around the GUID## encoding mechanism with the braces, the second was with the -hd switch.

 

Anyway, I hope folks find the changes useful, as always, any bugs or suggestions, email me at joe@joeware.net

 

See the AdFind update info at http://www.joeware.net/freetools/tools/adfind/index.htm

See the AdMod update info at http://www.joeware.net/freetools/tools/admod/index.htm

 

    joe

 

[1] This was a self-preservation change. By far the biggest “AdFind is broken” email I get is due to people querying non-MSFT directories that don’t support paging and currently AdFind uses paging queries exclusively. This is something I have on the list to change someday, but today isn’t that day. ;)  Anyway, this change should make it clear to people why AdFind is not returning data when they query LDAP directory XYZ that doesn’t support paging.


3/1/2011

Hey where did they get light sabers from?? I want one!

by @ 12:15 am. Filed under humour

2/28/2011

AT&T iPhone better for media, Verizon better for calls…

by @ 12:14 am. Filed under general

In my review of the Verizon iPhone, I found that its call quality and reliability were superior to that of the AT&T iPhone’s. However, data transfers were significantly slower than AT&T’s, making the AT&T iPhone better for media consumption (watching Netflix, downloading apps, etc.) while the Verizon iPhone is superior for phone calls

 

http://www.wired.com/gadgetlab/2011/02/consumer-reports-verizon/


2/26/2011

Live the qualities…

by @ 12:32 am. Filed under quotes

This is such a great quote I wanted to post it again. So many parents nowadays could really use this basic advice.

 

Your children are profoundly shaped by you, and your actions will resonate, for good or ill, throughout the rest of their lives. Be a parent who lives the qualities, characteristics and values you would like your family to emulate. Let your life be a living example of what you want to see in your children.

    – Dr. Phil  (Chapter 7 Family First)


2/16/2011

Misery Bear goes to work…

by @ 7:24 pm. Filed under humour

I crack up when I watch the bear entering his password…

http://www.youtube.com/watch?v=5dTHlTu_DC8&


AdFind is a Trojan according to SonicWALL Gateway Antivirus Service

by @ 1:01 pm. Filed under general

Just received an email that AdFind is being indicated as

Name: (Cloud Id: 4888821) MalUAgent.MIP (Trojan)

by SonicWALL Gateway Antivirus Service.

 

As with my other utilities, AdFind is not malware. In fact AdFind is likely the most benign tool I have available.

 

Don’t take my word for it, check out what http://virusscan.jotti.org has to say…

 

AdFind is not a Trojan SonicWall

 

   joe


2/15/2011

AdFind Update Status

by @ 8:00 pm. Filed under tech, updates

As mentioned in the comment to the release blog entry, the newest released version of AdFind has an issue with LDAP directories that don’t return the supportedControl attribute by default in the standard RootDSE retrieval. If you only use AdFind for Active Directory or ADAM/ADLDS, that is not an issue for you. If you use it to query, say, OpenLDAP, then that is a problem. Apologies, as I don’t do any official testing against the non-MSFT directories, though I may take up testing against OpenLDAP in the near future since it is freely available and pretty common.

I have a new beta that I am testing now that corrects the issue as well as an additional switch to bypass the check in case there is some other issue that crops up such as a directory that supports paging but doesn’t list it as a supported control. Also since I was looking at the OpenLDAP RootDSE I spent some time to add some decodes for the controls/features/extension OIDs of the OpenLDAP RootDSE. I was trying to work out how to determine the OpenLDAP version from the rootdse but don’t see it right off so likely won’t get that in there. However the directory type will say OpenLDAP now when you query an OpenLDAP directory. For example:

G:\Temp>adfind -hh ldap.testathon.net -rootdseanon

AdFind V01.44.00cpp Joe Richards (joe@joeware.net) February 2011

Using server: ldap.testathon.net:389
Directory: OpenLDAP

dn:
>objectClass: top
>objectClass: OpenLDAProotDSE

Like it does for Windows Directories

G:\Temp>adfind -hh . -rootdse

AdFind V01.44.00cpp Joe Richards (joe@joeware.net) February 2011

Using server: SFMWIN764.test.loc:389
Directory: Windows Server 2008 R2 Active Directory Application Mode

dn:

 

If you want some more coverage in AdFind/AdMod for other non-MSFT directories, let me know. I don’t guarantee anything but I can give it a shot by at least adding the requests to the DCR lists. At a minimum the directory needs to be LDAPv3 and support paging. If you want me to have AdFind identify the directory type, supply the full output of the rootdse so that I can see if there is an identifier to display the proper string. For example, with Windows directories, I parse the supportedCapabilities attribute, for OpenLDAP I used the structuralObjectClass attribute.
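What the paging check and the directory-type detection described above amount to, as an added example that is not AdFind’s code: parse a RootDSE dump in the “>attribute: value” layout AdFind prints, then classify paged-results support as supported, unsupported, or unknown (attribute absent), which is the distinction V01.43.00 collapsed. Windows directories are identified from supportedCapabilities, OpenLDAP from structuralObjectClass/objectClass. The three RootDSE dumps are constructed and abbreviated; the OIDs are the documented values (1.2.840.113556.1.4.319 is the paged-results control, the 1.2.840.113556.1.4.8xx–2xxx capability OIDs are the ones Active Directory and AD LDS publish). How -nopagingcheck behaves internally is not on the page, so the bypass flag here is an assumption.

```python
PAGED_RESULTS_CONTROL = "1.2.840.113556.1.4.319"
AD_CAPABILITY = "1.2.840.113556.1.4.800"        # LDAP_CAP_ACTIVE_DIRECTORY_OID
ADAM_CAPABILITY = "1.2.840.113556.1.4.1851"     # LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID
# Newest first; the highest one present names the OS level of the directory.
AD_VERSION_OIDS = [
    ("1.2.840.113556.1.4.2080", "Windows Server 2008 R2"),
    ("1.2.840.113556.1.4.1935", "Windows Server 2008"),
    ("1.2.840.113556.1.4.1670", "Windows Server 2003"),
]

# Constructed: OpenLDAP RootDSE read with default attributes only, so no
# supportedControl is returned even if the server does support paging.
OPENLDAP_DEFAULT = """dn:
>objectClass: top
>objectClass: OpenLDAProotDSE
>structuralObjectClass: OpenLDAProotDSE
>supportedLDAPVersion: 3
"""

# Constructed: AD LDS on 2008 R2 advertising paged results (and server-side sort).
ADLDS_2008R2 = """dn:
>supportedControl: 1.2.840.113556.1.4.319
>supportedControl: 1.2.840.113556.1.4.473
>supportedCapabilities: 1.2.840.113556.1.4.800
>supportedCapabilities: 1.2.840.113556.1.4.1670
>supportedCapabilities: 1.2.840.113556.1.4.1791
>supportedCapabilities: 1.2.840.113556.1.4.1851
>supportedCapabilities: 1.2.840.113556.1.4.1935
>supportedCapabilities: 1.2.840.113556.1.4.2080
>supportedLDAPVersion: 3
"""

# Constructed: a directory that lists its controls and does not offer paging.
NO_PAGING = """dn:
>supportedControl: 2.16.840.1.113730.3.4.2
>supportedLDAPVersion: 3
"""


def parse_rootdse(text):
    """Return {attribute_name_lowercased: [values]} from an AdFind-style dump."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(">"):
            continue
        name, sep, value = line[1:].partition(":")
        if not sep:
            continue
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def paging_support(attrs):
    """'supported', 'unsupported' or 'unknown'.  An absent supportedControl is
    'unknown', not 'unsupported'; conflating the two was the V01.43.00 bug."""
    controls = attrs.get("supportedcontrol")
    if controls is None:
        return "unknown"
    return "supported" if PAGED_RESULTS_CONTROL in controls else "unsupported"


def should_use_paging(attrs, nopagingcheck=False):
    """Only refuse when the server positively lists its controls without paging.
    nopagingcheck (assumed semantics of -nopagingcheck) skips the check entirely."""
    if nopagingcheck:
        return True
    return paging_support(attrs) != "unsupported"


def identify_directory(attrs):
    """Windows directories via supportedCapabilities, OpenLDAP via its
    structuralObjectClass/objectClass, else a generic label."""
    caps = set(attrs.get("supportedcapabilities", []))
    if AD_CAPABILITY in caps:
        version = next((name for oid, name in AD_VERSION_OIDS if oid in caps), "Windows 2000")
        flavour = "Active Directory Application Mode" if ADAM_CAPABILITY in caps else "Active Directory"
        return f"{version} {flavour}"
    classes = {v.lower() for v in attrs.get("structuralobjectclass", []) + attrs.get("objectclass", [])}
    if "openldaprootdse" in classes:
        return "OpenLDAP"
    if "3" in attrs.get("supportedldapversion", []):
        return "Unknown LDAPv3 directory"
    return "Unknown"


if __name__ == "__main__":
    for label, dump in (("OpenLDAP", OPENLDAP_DEFAULT), ("AD LDS", ADLDS_2008R2), ("other", NO_PAGING)):
        a = parse_rootdse(dump)
        print(label, identify_directory(a), paging_support(a), should_use_paging(a))
```

The practical check before blaming the tool: request supportedControl explicitly from the RootDSE (many non-Microsoft servers only return operational attributes when asked for them) and look for 1.2.840.113556.1.4.319 in the list; if it is absent from an explicit request, the server really does not do paged results.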

Also if you know of any publicly available instances of a given directory type to test against, please let me know. I found a public instance of OpenLDAP at http://blog.stuartlewis.com/2008/07/07/test-ldap-service/, OpenLDAP allegedly has one also at ldap.openldap.org but that doesn’t work for me. I get Server Down both from Wide Open West cable and Comcast cable internet systems.

 

    joe


2/13/2011

AdFind V01.43.00 and AdMod V01.14.00 Released

by @ 11:45 pm. Filed under tech, updates

The Kleine Schmetterling release of AdFind/AdMod has hit the free tools portion of the web site. I will be back to write up more on the new features and fixes, right now I am going to go to bed, I just spent the last hour fighting with MSFT Expressions Web where it kept crashing on me over and over again so I am not feeling like I want to type much more now. 🙂

 

See the AdFind update info at http://www.joeware.net/freetools/tools/adfind/index.htm

See the AdMod update info at http://www.joeware.net/freetools/tools/admod/index.htm

 

      joe


2/8/2011

From the mailbag: Expiring a bunch of user accounts immediately

by @ 1:15 am. Filed under tech

I had an email from someone who needed to expire a bunch of userids immediately. They wanted to expire the accounts instead of disabling the accounts because they wanted the change to be “self-documenting” in terms of when it occurred. They also wanted to expire the accounts instead of the passwords because they didn’t want the users to be able to use the accounts; by default, if you expire the password, the user can just change the password, not to mention expiring the passwords wouldn’t be “self-documenting” since when you force a password to be expired you set pwdLastSet to 0. While you could look at the metadata, 90% of your AD admins don’t know that, and even then it is more painful and you can’t search on the metadata.[1]

You can easily do this by generating the proper int8 value, searching for the objects with adfind (it was all accounts in a specific OU), and then applying the int8 value to the accountExpires attribute of the objects.

Something like

F:\Dev\Current\CPP\AdFind\Release>adfind -enccurrent 0

AdFind V01.43.00cpp **BETA** Joe Richards (joe@joeware.net) February 2011

129416142148710000

 

and then performing the find and replace…

adfind -default -rb ou=disabletheseusers -s one -f objectclass=user -dsq | admod accountexpires::129416142148710000 -unsafe

There is another way of accomplishing this that has one less step and more generic… Just switch to CSV mode and use the *now_int8* expansion variable.

adfind -default -rb ou=disabletheseusers -s one -f objectclass=user -csv | admod -csv -expand accountexpires::{*now_int8*} -unsafe

This will stamp the users in the OU with the current time as of the running of the command.

What if you wanted these accounts to expire in 14 days instead?

adfind -default -rb ou=disabletheseusers -s one -f objectclass=user -csv | admod -csv -expand accountexpires::{*now_int8*:+d:14} -unsafe
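The int8 arithmetic behind -enccurrent and the {*now_int8*} / {*now_int8*:+d:14} expansions, as an added example that is not AdFind/AdMod code: accountExpires is a Windows FILETIME, a count of 100-nanosecond ticks since 1601-01-01 UTC, so “now” and “now plus 14 days” are just offsets on that scale. The example decodes the value printed above (129416142148710000 is 2011-02-08 04:50:14 UTC, which matches the post date), recomputes the 14-day variant, and checks whether a given accountExpires value means the account is already expired. The two sentinel values that mean “never expires” are the ones Active Directory actually uses; everything else here is plain date arithmetic.

```python
from datetime import datetime, timedelta, timezone

# int8 / FILETIME: 100 ns ticks counted from this instant.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# accountExpires values Active Directory treats as "never expires" (both occur).
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def datetime_to_int8(dt):
    """Aware datetime -> int8 (100 ns ticks since 1601-01-01 UTC)."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime; int8 is UTC-based")
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def int8_to_datetime(value):
    """int8 -> aware UTC datetime (the sub-microsecond part of a tick is dropped)."""
    if value in NEVER_EXPIRES:
        raise ValueError("sentinel value, not a point in time")
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def int8_from_iso(text):
    """ISO-8601 timestamp with UTC offset -> int8, e.g. '2011-02-08T04:50:14+00:00'."""
    return datetime_to_int8(datetime.fromisoformat(text))


def now_int8(offset_days=0, now=None):
    """What {*now_int8*:+d:N} stamps: the current instant shifted by N days.
    `now` can be supplied explicitly so the result is reproducible."""
    base = now if now is not None else datetime.now(timezone.utc)
    return datetime_to_int8(base + timedelta(days=offset_days))


def is_expired(account_expires, at=None):
    """True once accountExpires is at or before `at` (default: the current time)."""
    if account_expires in NEVER_EXPIRES:
        return False
    when = at if at is not None else datetime.now(timezone.utc)
    return int8_to_datetime(account_expires) <= when


if __name__ == "__main__":
    page_value = 129416142148710000              # the -enccurrent 0 output on the page
    print(int8_to_datetime(page_value).isoformat())
    print("expire in 14 days from then:", now_int8(14, now=int8_to_datetime(page_value)))
    print("expired now?", is_expired(page_value))
```

One caveat when you use this to lock people out in a hurry: accountExpires is evaluated when the account authenticates, so logon sessions and Kerberos tickets that were issued before you stamped the attribute keep working until they expire on their own. If the lockout must be immediate, pair the expiry with a password reset and, where it matters, a forced logoff.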

Hope that is useful for you. 🙂

 

     joe

 

[1] I will write about this more later I think. There is a new feature in the beta of AdFind that I intend to release in the next week that can put you into a position where you can search on metadata though it won’t be real time…


1/21/2011

Jawbone MyTalk Updater is sort of a CPU pig

by @ 8:01 pm. Filed under tech

I was running Process Explorer and on an idle system I noticed that my CPU was bumping around a lot more than I would expect for an idle system. Pulled up SysInternals Process Explorer and saw that the Aliph Jawbone updater tool was the one eating CPU. I killed it and set it to not auto-start and now my system truly acts like it is idle when it is idle.

 


