Information about joeware mixed with wild and crazy opinions...
The other day I had an IM conversation that went sort of like:
AD Engineer [12:37 PM]:
I’ve got a puzzler here… you around? I know it’s lunchtime
Richards, Joe (Active Directory) [12:37 PM]:
what up dog?
AD Engineer [12:38 PM]:
lol
k in ADUC, tool of champions, I see a count
Richards, Joe (Active Directory) [12:38 PM]:
What is this ADUC that you speak of?
AD Engineer [12:38 PM]:
COMPANY.COM\OU1\OU2 has contacts, sync’d from Lotus notes
so…
filter is set to 2000 objects by default
Richards, Joe (Active Directory) [12:39 PM]:
k
AD Engineer [12:39 PM]:
click the OU, and it shows 2000 of 15048
Richards, Joe (Active Directory) [12:39 PM]:
k
AD Engineer [12:39 PM]:
use adfind -b ou=OU2,ou=OU1,dc=company,dc=com -h dc01 -sc adobjcnt
and I get 8264
Raise your hand if you think AdFind has the right count.
Ok.
Raise your hand if you think ADUC has the right count.
Ok.
Anyone encounter this before?
Likely anyone who has more than 2000 objects in any container in their directory that they have looked at in ADUC has seen this situation whether they knew it or not.
Sometime after Windows 2000, Microsoft decided that there were containers with lots of objects in them and that GUIs likely needed to make decisions about how to best display the information based on the number of objects in the containers. For example, if you know a container has around 10 objects in it, there is no real performance hit to grab them all and display them. However, if the container has 10,000 objects in it, there could be a serious impact to performance and you could lock a GUI up waiting for the objects to get pulled across the network and populated. So Microsoft added a new attribute in Windows Server 2003 (and ADAM) to address this need.
The attribute is called msDS-Approx-Immed-Subordinates. The documentation on the attribute is here. The attribute is a constructed attribute built on the fly every time you ask for it. It is a rough order of magnitude hip shot SWAG for the number of child objects in a container. The value could be close or it could be pretty far off; the more objects, the more “off” it will likely be. The idea is to give you a rough order of magnitude so you can make some decisions on how you want to access and display the data.
Here are some examples:
[Wed 11/10/2010 22:38:43.00]
C:\>adfind -schema -s base msDS-Approx-Immed-Subordinates -list
2254

[Wed 11/10/2010 22:40:35.23]
C:\>adfind -schema -s one -c -list
3992 Objects returned

[Wed 11/10/2010 22:40:41.40]
C:\>adfind -default -s base msDS-Approx-Immed-Subordinates -list
186

[Wed 11/10/2010 22:41:39.81]
C:\>adfind -default -s one -c -list
39 Objects returned

[Wed 11/10/2010 22:41:49.01]
C:\>adfind -config -s base msDS-Approx-Immed-Subordinates -list
12

[Wed 11/10/2010 22:44:23.68]
C:\>adfind -config -s one -c -list
10 Objects returned
You will notice that the smaller the true number, the closer the SWAG is.
So now here is a nice side use of the attribute if you need to find any empty OU’s so you can clean up your environment (we all need a little bit of cleanup right?) quick and easy like…
adfind -default msDS-Approx-Immed-Subordinates -f objectcategory=organizationalunit -csv | findstr \"0\"
That will give you a listing of all OU’s that have no objects in them.
Cool?
joe
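An added example, not from the original post: the same empty-OU hunt in PowerShell with the ActiveDirectory module, confirming each hit with an exact one-level search because the attribute is only an estimate. It only reports; the function name Get-EmptyOuReport is hypothetical, and the gPLink and ProtectedFromAccidentalDeletion columns are extra context assumed to be useful when deciding on cleanup.

```powershell
# Added example: report OUs that look empty, then confirm each one exactly.
# Read-only: nothing is moved, disabled or deleted.
Import-Module ActiveDirectory

$approxAttr = 'msDS-Approx-Immed-Subordinates'

function Get-EmptyOuReport {
    param(
        # Assumption: default to the current domain's default naming context.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $ous = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
        -Properties $approxAttr, ProtectedFromAccidentalDeletion, gPLink

    foreach ($ou in $ous) {
        # Cheap pre-filter: skip anything the directory estimates as non-empty.
        if ($ou.$approxAttr -ne 0) { continue }

        # Exact check: ask for at most one immediate child object.
        # This only sees objects the calling account is allowed to read.
        $child = Get-ADObject -Filter * -SearchBase $ou.DistinguishedName `
            -SearchScope OneLevel -ResultSetSize 1

        [pscustomobject]@{
            DistinguishedName = $ou.DistinguishedName
            ApproxChildren    = $ou.$approxAttr
            ConfirmedEmpty    = ($null -eq $child)
            # An OU with no children can still carry Group Policy links.
            HasLinkedGpo      = -not [string]::IsNullOrWhiteSpace($ou.gPLink)
            Protected         = $ou.ProtectedFromAccidentalDeletion
        }
    }
}

Get-EmptyOuReport | Sort-Object DistinguishedName | Format-Table -AutoSize
```

Run it with an account that can read the whole tree; an OU whose children are hidden from the caller will show as ConfirmedEmpty.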
For the longest time Gil’s book Active Directory Programming has been out of print and to buy it would cost you a couple of hundred dollars… That is pretty steep for the book although it is a good book. Well I just looked on Amazon today for someone else and found that there are several used copies of it up on Amazon now for less than $20… So go get that book. Then take it to TEC and have Gil sign it!!!
I actually bought myself another one just to have a spare. Not sure why, but it felt like the right thing to do. In fact, that is a great thing to do… So everyone out there should maybe buy a spare of my book too – Active Directory for Totally Cool People.
joe
From: Nxxxxx Jxx [mailto:xxxx@24hourfit.com]
Sent: Tuesday, November 09, 2010 5:53 PM
To: joe@joeware.net
Subject: AD accounts
Importance: High
Hi,
I have a project assigned. In this project I have to find the inactive accounts (user and computers). Move them to a disabled account OU (DISABLED ACCOUNT). Please let me know soon.
Regards,
Nxxxx Jxxx
The first thing that bothers me is “Importance: High”… Seriously? If I get an email with Importance: High set, I expect to see something in the body of the email that makes me nearly jump out of my seat or at least the hair stand up on my arms. Telling me that you were assigned a project doesn’t even make the hair on my toes stand up.
Next is the whole body… Confusing and I have no clue what you are looking for. Do you want me to feel sorry for you? Do you want me to cheer for you? Do you want me to validate that you should do that assignment… If you don’t know what you are doing say… “I don’t know what I am doing…” and then remove my address from the TO: and add your boss’s email address to the TO: line as he would be more interested in that fact than I am.
My personal opinion here after reading that email is that it is a plea from someone to tell them how to do their job. They have been assigned something that they have no clue how to do and they seem to have no desire to figure it out on their own. Sorry, I am not here to spoon feed you. As I see more and more friends lose their jobs to low cost centers around the world, I expect I will find myself being less and less helpful to these very generic “I don’t know how to do my job” requests.
If you desire help from someone who you think can help you, at least try to figure out the problem yourself and then explain what you have tried to do and why you feel it isn’t successful.
My response to the email:
From: joe [mailto:joe@joeware.net]
Sent: Tuesday, November 09, 2010 3:11 PM
To: Nxxxxx Jxx
Subject: RE: AD accounts
Let you know what?
—
O’Reilly Active Directory Fourth Edition – http://www.joeware.net/win/ad4e.htm
Blog: http://blog.joeware.net
I figured I would give the person a chance to explain what they needed. I wasn’t disappointed.
From: Nxxx Jxx [mailto:xxxx@24hourfit.com]
Sent: Tuesday, November 09, 2010 6:29 PM
To: joe
Subject: RE: AD accounts
Can u let me know about the solution of my issue?
And my response:
From: joe [mailto:joe@joeware.net]
Sent: Wednesday, November 10, 2010 5:29 PM
To: ‘Nxxxxx Jxx’
Subject: RE: AD accounts
If you want me to tell you exactly what to do, please send me a blank check and I will fill it out for you, cash it, and then assist.
Alternately, click on this link
http://lmgtfy.com/?q=find+inactive+accounts+in+active+directory
or buy this book
joe
Granted, this person could have oldcmp in front of them and it isn’t working properly[1]. But if you can’t tell me that you are at least that far along, don’t expect me to try and help. Seriously, my time is just as valuable as the next person’s. If I am at the job that I am actually paid a salary to do, I will walk junior admins through their tasks, but I am not going to do it for other companies that don’t have the sense to have senior admins to help their junior admins or whose senior admins are in reality junior admins.
joe
[1] Ok slight chance…
http://nexus.realtimepublishers.com/accwp.php?ref=dj4
The book does require registration, but there’s no corporate sponsor – so there’s no associated spamming
I think this could seriously rock.
http://www.appleinsider.com/articles/10/10/13/apples_anti_sexting_patent_generating_big_buzz.html
Apple patents are a dime a dozen but one discovered this week is grabbing the attention of even the largest media conglomerates because it appears as if it could be used by parents to prevent their children from participating in sexually-explicit text message conversations.
It is a people-oriented approach to business that considers the employees of the company its most valuable asset. In “Origins” Emery Rogers, the First Executive Director of the Hewlett-Packard Company Foundation explains it this way: “The essence of the HP Way, plain and simple; top management sets the overall objective and then gets out of the way and lets the people do it.” It emphasizes that decisions should be made at the lowest possible level.
-Origins (http://www.hp.com/hpinfo/abouthp/histnfacts/origins/)
I have been re-awarded and that makes me very happy. The MVP program is something I am quite proud to be part of and very appreciative of the resources it makes available to me such as Windows Source Code, Microsoft Product Group folks, and other MVPs. I have met a lot of great people through the program that I might not otherwise have met. :)
Dear joe,
Congratulations! We are pleased to present you with the 2010 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Directory Services technical communities during the past year.
joe