joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

1/15/2020

CVE-2020-0601–PATCH YOUR 2016/2019 DOMAIN CONTROLLERS!

by @ 1:07 am. Filed under tech

While Microsoft put a weak “important’ rating on CVE-2020-0601 the NSA (yes that NSA) has called it critical and severe. And since they found it, I am going to lay my bets with them.

Microsoft’s bulletin says it is code signing issues, NSA and others in the social media circles says it is much deeper.

Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

NSA: https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

Key bit from the NSA release, note that domain controllers are specifically and purposely listed.

SNAGHTML71eaabccAgain… Patch now.

  joe

Rating 4.33 out of 5

1/13/2020

AdFind V01.52.00… Part Deux…

by @ 7:25 pm. Filed under tech, updates

So try two… When I updated the web pages last night, I apparently updated a page that didn’t have the newer download mechanism in it so ended up breaking the download for AdFind. So you have gotten to experience a nice unhappy face page instead when trying to download. That was corrected a few hours ago and I am just now getting a chance to write a QnD blog post to say I humbly apologize. If you still have issues, let me know. Smile 

   joe

Rating 4.33 out of 5

1/12/2020

AdFind V01.52.00 released

by @ 9:19 pm. Filed under tech, updates

The latest version of AdFind, V01.52.00, is now released. You can find it at

http://www.joeware.net/freetools/tools/adfind/

If the website shows V01.51.00 then use CTRL-F5 to update your local browser cache. Smile 

File information

[Sat 01/11/2020 21:17:29.63]+
E:\DEV\cpp\vs\AdFind\Release>filever adfind.exe
—– W32i   APP ENU     1.52.0.5064 shp  1,619,968 01-11-2020 adfind.exe

[Sat 01/11/2020 21:17:40.58]+
E:\DEV\cpp\vs\AdFind\Release>adfind -appver
AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020
  BUILD    : 1.52.0.5064
  BUILDDATE: 20200111-21:15:50 x86 VS2019

Digest information

[Sat 01/11/2020 21:17:48.44]+
E:\DEV\cpp\vs\AdFind\Release>joewaredigest adfind.exe

joewaredigest V01.00.00pl  joe@joeware.net  November 2012

adfind.exe      12011c44955fd6631113f68a99447515        4f4f8cf0f9b47d0ad95d159201fe7e72fbc8448d

Command Completed.

I have upgraded to Visual Studio 2019 and there are a slew of bug fixes, new 2019 decodes, new shortcuts, and a good selection of new switches (you know you wanted more!). Details of the changes including new switches are on the adfind usage pages which can also be found at

http://www.joeware.net/freetools/tools/adfind/usage.htm

Specific things I want to call out.

New switch –hint

This is something I wanted particularly for working with ADAM/LDS and third party LDAP servers. While you can use –e or the joeware-default environment variables to really help with making working with ADAM/LDS easier, this is for the random ad hoc query where you stream the output from adfind to adfind or to the not yet released new version of admod. This switch outputs a header string with key fields that can be picked up out of the stream and give the next tool in line hints on what to connect to and how.

The output of the header has several switch values passed into the first call to adfind separated by “~~~X~~~”.

The specific switches are: –h , –p , –u , –up , –simple (0 or 1) , –hh , –url

Since that might be difficult to visualize the use case, here is an example:

[Fri 01/10/2020 22:40:35.48]+
E:\DEV\cpp\vs\AdFind\Release>adfind -hh .:389 -f objectclass=group -dsq  | adfind objectguid

AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)

ldap_get_next_page_s: [LO-DC4.lockout.test.loc] Error 0x1 (1) – Operations Error

ldap_get_next_page_s: [LO-DC4.lockout.test.loc] Error 0x1 (1) – Operations Error

ldap_get_next_page_s: [LO-DC4.lockout.test.loc] Error 0x1 (1) – Operations Error

0 Objects returned

[Fri 01/10/2020 22:40:47.44]+
E:\DEV\cpp\vs\AdFind\Release>adfind -hh .:389 -f objectclass=group -dsq -hint | adfind objectguid

AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020

Using server: jwp51:389
Directory: Windows Server 2019 (10.0.18362.1) ADLDS

dn:CN=Administrators,CN=Roles,O=BASIC
> objectGUID: {9A1C288D-2360-4A47-8115-39D7A978CD0F}

dn:CN=Users,CN=Roles,O=BASIC
> objectGUID: {E5DD9FEE-9F13-44F5-B504-B9BF4345E84B}

dn:CN=Readers,CN=Roles,O=BASIC
> objectGUID: {4FB18B14-D5D5-4E99-82AB-0C4D0AD9977B}

3 Objects returned

New switch –pause

This is for those folks who slap adfind into a for /f loop with a do start and fire multiple process windows at once instead of running the commands serially. With this switch adfind will pause before exiting so you can look at the output of each instance that was spawned.

New Switches –incllike / –excllike

Have you ever wanted to output only a certain group of attributes but don’t want to name all of them but perhaps they all have a similar format, for example say you have 15 attributes with your company prefix like jw-attr1, jw-attr2, jw-attr3, jw-attrN that is populated on every object of type X and you want just that info output. You simply add –incllike jw- and voila, only the jw-* attributes will be displayed. Note that all of the data will be returned that would normally be returned, it simply won’t be displayed. Unfortunately there is no way to tell AD to return attributes “like”, so this is the next best thing. Or alternately if there attributes you want to not display, you can use –excllike. Both of those switches take semicolon delimited lists of strings.

New Switch –sddlpsflag

This is a fun one that I have wanted for some time. Have you ever looked at the Security Descriptor output and want to quickly highlight or filter for the ACEs that have property sets, this switch prefixes the property sets with [PS]. This allows for quick and easy filtering with grep or find or whatever or with the SDDL filtering built into AdFind by default.

Again since this may not be easy to visualize, here is an example (you may want to make your browser window wider to more easily see this):

[Fri 01/10/2020 22:44:00.67]+
E:\DEV\cpp\vs\AdFind\Release>adfind -jsdnlb ;;;[PS] -sddlpsflag

AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: DC=lockout,DC=test,DC=loc

dn:DC=lockout,DC=test,DC=loc
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Account Restrictions;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Account Restrictions;user;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Logon Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Logon Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Group Membership;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Group Membership;user;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]General Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]General Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Remote Access Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Remote Access Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;;[READ PROP];[PS]Domain Password & Lockout Policies;;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;;[READ PROP];[PS]Other Domain Parameters (for use by SAM);;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;;[READ PROP];[PS]Other Domain Parameters (for use by SAM);;NT AUTHORITY\Authenticated Users
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP][WRT PROP][CTL];[PS]Private Information;;NT AUTHORITY\SELF

1 Objects returned

New Switch –rawsddlexpl

As you may or may not know, if you want to use AdMod to set a Security Descriptor (currently) you must provide the SDDL string for it. This can be painful (and yes I know how painful and hate it and am working on it) so I came up with a way to help make it less painful. When you apply the SDDL string it doesn’t need all of the inherited ACEs which is what usually makes the SDDL strings crazy long and painful. This switch nibbles the SDDL down to just the explicit ACEs that matter when you need to apply to something.

Again, here is an example, this will be long though not anywhere as long as what you see in many domains where people weren’t properly controlling stupid ACE bloat or had to install Exchange which is a whole other level of stupid ACE bloat that could only be accomplished by people who truly have no clue how to properly secure AD.

[Fri 01/10/2020 23:33:57.04]+
E:\DEV\cpp\vs\AdFind\Release>adfind -f name=testuser1 ntsecuritydescriptor -rawsddl

AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: DC=lockout,DC=test,DC=loc

dn:CN=testuser1,OU=TESTUSERS,DC=lockout,DC=test,DC=loc
> nTSecurityDescriptor: [SDDL] O:S-1-5-21-3057091654-2329156990-3385121676-512G:S-1-5-21-3057091654-2329156990-3385121676-512D:AI(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3057091654-2329156990-3385121676-517)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;RP;77b5b886-944a-11d1-aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3057091654-2329156990-3385121676-512)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AO)(A;;RC;;;AU)(A;;LCRPLORC;;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3057091654-2329156990-3385121676-526)(OA;CIID;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3057091654-2329156990-3385121676-527)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIOID;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;OICIID;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3057091654-2329156990-3385121676-519)(A;CIID;LC;;;RU)(A;CIID;CCLCSWRPWPLOCRSDRCWDWO;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

1 Objects returned

[Fri 01/10/2020 23:34:08.33]+
E:\DEV\cpp\vs\AdFind\Release>adfind -f name=testuser1 ntsecuritydescriptor -rawsddlexpl

AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: DC=lockout,DC=test,DC=loc

dn:CN=testuser1,OU=TESTUSERS,DC=lockout,DC=test,DC=loc
> nTSecurityDescriptor: [SDDL_EXPLICIT] O:S-1-5-21-3057091654-2329156990-3385121676-512G:S-1-5-21-3057091654-2329156990-3385121676-512D:AI(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3057091654-2329156990-3385121676-517)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;RP;77b5b886-944a-11d1-aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3057091654-2329156990-3385121676-512)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AO)(A;;RC;;;AU)(A;;LCRPLORC;;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:AI

1 Objects returned

New Switches –ldapping / –ldappingex / –netlogonexdc

I posted a series of blog posts on DC Locator and ldap ping. Adding ldap ping to AdFind is another thing that I have wanted for some time. It shoots over the proper query to retrieve the LDAP Ping info which will tell you what AD site your machine is in per the DC’s decision processes and the querying machine’s IP address. It will also show you next closest site, no you don’t have to enable anything for that to work, it is always there, the client just has to know how to ask for it. Most folks will likely want to use –ldappingex as that is the easiest to read. It is effectively the –ldapping and –netlogonexdc switches together. Why did I do it that way? Why do I have the –netlogonexdc switch at all??? For people who know how to formulate the different acceptable ldap ping queries manually and want the extended output instead of the normal output. Note that this is COMPLETELY anonymous. You don’t have to have a valid ID in the domain to perform this operation.

Here is an example:

[Fri 01/10/2020 23:55:42.28]+
E:\DEV\cpp\vs\AdFind\Release>adfind -hh k16tst.test.loc -ldappingex

AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020

Using server: K16TST-SCDC1.k16tst.test.loc:389
Directory: Windows Server 2016

dn:
> OpCode: 0x18
> Flags: 0x1F1FC
> Flags: DS_GC_FLAG
> Flags: DS_LDAP_FLAG
> Flags: DS_DS_FLAG
> Flags: DS_KDC_FLAG
> Flags: DS_TIMESERV_FLAG
> Flags: DS_CLOSEST_FLAG
> Flags: DS_WRITABLE_FLAG
> Flags: DS_FULL_SECRET_DOMAIN_6_FLAG
> Flags: DS_WS_FLAG
> Flags: DS_DS_8_FLAG
> Flags: DS_DS_9_FLAG
> Flags: DS_DS_10_FLAG
> DomainGuid: {98FD1190-E167-4734-A585-7981238A135E}
> DnsForestName: k16tst.test.loc
> DnsDomainName: k16tst.test.loc
> DnsHostName: K16TST-SCDC1.k16tst.test.loc
> NetbiosDomainName: K16TST
> NetbiosComputerName: K16TST-SCDC1
> UserName: [EMPTY]
> DcSiteName: Default-First-Site-Name
> ClientSiteName: joenetlogontestsite
> NextClosestSiteName: Default-First-Site-Name

1 Objects returned

Filter intelligence enhancement – AKA the AJ Fix.

I have a friend that I worked with at my last day job employer that I dragged over to my current day job employer named AJ. AJ is more of an architecture type person who had to come in and actually do real work, ops type work. I mean architecture is real work but I don’t have a lot of respect or need for pure architects, if you cannot sit down and do daily support work as well as design infrastructures you are pretty worthless in my eyes. Anyway, AJ is now doing ops work in the IDM team (one of the leaders of that team now in fact) and learning a lot about how to do things in AD. Slowly more and more he started seeing the light about why AdFind blows other things (like ADUC, ADAC, PowerShell AD Cmdlets) out of the water and I would have a constantly running Zoom chat window with him asking questions. Well very often, especially one really bad week he would post a command string and say why isn’t this working or why it was spitting out so much information that he didn’t ask for (is AD broken?)… And the reason was usually the query looked something like

adfind "&(objectclass=user)(samaccountname=someid)" pwdlastset –tdcda

or something like that. Of course the issue is that he specified a filter without actually specifying the –f switch to tell AdFind, hey AdFind, this is a filter to submit for me. AdFind sees that command and treats the filter as an argument instead of a switch so by default it used a query of objectclass=* and of course that filter doesn’t exist as an attribute. So now I added some parameter logic to look for mistakes like this and it will throw what I call an AJ error and in fact in the initial betas with the functionality the error message was quite funny and named AJ by name. Open-mouthed smile 

This is what the error message looks like:

ERROR:
ERROR: Specified attribute contains ‘=’, did you perhaps mean this as an LDAP filter and forgot -f?
ERROR: Argument in question [&(objectclass=user)(samaccountname=someid)]
ERROR:

Type AdFind /help or AdFind /? for usage assistance.

or in the case where you have a filter but don’t specify what looks like a filter you get this:

ERROR:
ERROR: Filter missing ‘=’.
ERROR: Filter value [objectclass]
ERROR:

Type AdFind /help or AdFind /? for usage assistance.

So if you know AJ, go ahead and razz him. This fix has probably saved me about 500 questions a year. Hot smile

Another fun change that I have wanted for some time is auto-decode of attributeSecurityGUID in the Schema output. It is always a pain to chase that manually and doing this is likely going to save me a lot of time every year as well.

For example:

[Sat 01/11/2020  0:15:41.68]+
E:\DEV\cpp\vs\AdFind\Release>adfind -sc s:* -af attributesecurityguid=* ldapdisplayname attributesecurityguid -maxe 5

AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc

dn:CN=Account-Expires,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
> lDAPDisplayName: accountExpires
> attributeSecurityGUID: {4C164200-20C0-11D0-A768-00AA006E0529} [Account Restrictions]

dn:CN=Admin-Description,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
>lDAPDisplayName: adminDescription
> attributeSecurityGUID: {59BA2F42-79A2-11D0-9020-00C04FC2D3CF} [General Information]

dn:CN=Allowed-Attributes,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
> lDAPDisplayName: allowedAttributes
> attributeSecurityGUID: {E48D0154-BCF8-11D1-8702-00C04FB96050} [Public Information]

dn:CN=Allowed-Attributes-Effective,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
> lDAPDisplayName: allowedAttributesEffective
> attributeSecurityGUID: {E48D0154-BCF8-11D1-8702-00C04FB96050} [Public Information]

dn:CN=Allowed-Child-Classes,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
>lDAPDisplayName: allowedChildClasses
>attributeSecurityGUID: {E48D0154-BCF8-11D1-8702-00C04FB96050} [Public Information]

5 Objects returned

And the last few things I am going to mention that are kind of cool are some beta features that I know still need more work but wanted to get this out there… Regular Expression capability for filtering output and outputting MSA/gMSA passwords. I don’t have much to say other than it is there but is still a work in progress. There is a new usage page for regular expressions that you access with “–regex?”.If you find something that isn’t working or something that could be done in a different way to make it more useful please email me at support@joeware.net and let me know.

   joe

Rating 3.50 out of 5

1/5/2020

AdFind V01.52.00… It is almost time…

by @ 2:33 pm. Tags:
Filed under tech, updates

Image may contain: meme and text

I have stripped out the debugdebugs and the expiration code as I am thinking at the moment that this will be the last build of V01.52.00 barring any bug reports that are serious enough to deal with… I will use it at work for a week and see if there are any issues and if not it will be the actual release version.

I will not be updating the daily build on the ftp site for this as the beta expiration is stripped out. That being said, the current daily is VERY close to this final version so that is good enough for testing.

SNAGHTML414bd5d8

   joe

Rating 4.00 out of 5

1/4/2020

WHOA!

by @ 11:59 am. Filed under general

Looks like wordpress updated something… Everything has gone cuckoo!

Edit: For some reason the color schemes and some of the displayed stuff is different for a logged in user versus a guest. Trying to sort it out. 🙂

Edit2: This should be all sorted out now, if things look weird, comment here.

Rating 4.33 out of 5

12/28/2019

AdFind V01.52.00…

by @ 12:48 am. Filed under tech, updates

AdFind V01.52.00 is close to release. It went slow because I finally worked on integrating boost::regex functionality into AdFind. Including both match and substitute functionality. The regex components will be considered beta for a few versions as there is a lot to figure out here and how people will use it. Also it isn’t my code, I am just pulling in the boost functionality. It is pretty close to perl regular expressions but not exactly.

If you want to play with the release candidate beta, you can find it at https://www.joeware.net/downloads/beta/rc

List of fixes/updates:

//* V01.52.00  2019.0514      o 05/14   Convert to VS 2019                  *
//*                                     Add 2K19 RootDSE decodes            *
//*                                     Change all rootdse to have nopaging *
//*                                     Alias expandfilter 4 filterbreakdown*
//*                                     Add more usage for -mvfilter *,?    *
//*                                     Fixed stupid MSFT LDAP URL format   *
//*                           o 05/20   BUGFIX: -e base override            *
//*                                     BUGFIX: jcsv changed to jcsv2       *
//*                                     BUGFIX: otherWellKnownObjects       *
//*                                     BUGFIX: Shortcut doc bug            *
//*                                     BUGFIX: -metamvcsv \0x01\0x01       *
//*                                     BUGFIX: Bug in remove attribs- func *
//*                                     BUGFIX: -sc psomgr sort&displayname *
//*                                     BUGFIX: usage missing -(s)elapsedms *
//*                                     BUGFIX: sddl(not)filter – -> ~      *
//*                                     BUGFIX: Invalid format -tdc(s)fmt   *
//*                           o 05/21   BUGFIX: Fixed usage for tdctzstr    *
//*                                     BUGFIX: -alldc binary attrib decode *
//*                           o 05/23   BUGFIX: LDS appnc user error fix    *
//*                           o 05/26   BUGFIX: crash bug LDS tokengroups   *
//*                                     Added Special base MSA              *
//*                                     BUGFIX: MSDS-Cached-Membership resol*
//*                                     BUGFIX: currenttime preload gtime   *
//*                                     BUGFIX: -fgpp missing usage info    *
//*                           o 05/27   BUGFIX: Fix multiple special bases  *
//*                                     Added -jsd(e)nlb switches           *
//*                                     BUGFIX: SC sitelinkdmp no site speci*
//*                                     BUGFIX: Removed "non-specific" for  *
//*                                             for domain admins, et ali   *
//*                           o 05/29   BUGFIX: added options to sitelinkdmp*
//*                                     BUGFIX: Removed forced base on      *
//*                                             following shortcuts:        *
//*                                               sddldump,getacl           *
//*                                               caclnoinherit,aclnoinherit*
//*                                               cexplaces,explaces        *
//*                           o 05/30   BUGFIX: Bug in jsd(e)nlb with filter*
//*                                     BUGFIX: Add O=* to structure filter *
//*                           o 05/31   BUGFIX: Allow specify position for  *
//*                                               _OBJECT_OWNER "attrib" CSV*
//*                                     BUGFIX: -owneronly not in CSV output*
//*                                     BUGFIX: Added sddl_explicit to allow*
//*                                             for use of -jsde* w/ notfilt*
//*                                     BUGFIX: Fixed nasty silent crash bug*
//*                                             in -decsddlacl, what a PITA *
//*                                     NOTE: All of the SDDL/SD/ACL/SACL/  *
//*                                          SID resolve code ispissingmeoff*
//*                           o 06/01   BUGFIX: Password prompt going into  *
//*                                          CSV output when prompted -up * *
//*                                     BUGFIX: Added -hh / -url to adcsv   *
//*                           o 06/02   FEATUREFIX: Changed mv(not)filter to*
//*                                         to allow multiple values for    *
//*                                         one attr to be specified like   *
//*                                         attr1=val1;val2;val3 instead of *
//*                                         attr1=val1;attr1=val2;attr1=val3*
//*                                     BUGFIX: Fixed non-rfc -url default  *
//*                                     =======LET THE DCRS BEGIN=======    *
//*                                     Added -x (HINT MODE) switch         *
//*                           o 06/03   Added AJ FIX                        *
//*                           o 06/16   Allowed filterbreakdown to use -f   *
//*                                     Alert on -f with no =               *
//*                                     Added -pause                        *
//*                                     Added -norrerr (range retr no err)  *
//*                           o 06/18   ldap SID resolve was broken, fixed  *
//*                           o 06/24   Added msDS-TrustForestTrustInfo to  *
//*                                                -sc trustdmp             *
//*                                     Added addtl trustAttribute decodes  *
//*                                     BUGFIX: Fixed trustType decode MIT  *
//*                                     Changed -ownercsv to not be special *
//*                                     Added -recmutedsq                   *
//*                                     Added -incllike,-excllike           *
//*                                     Added -bb xx  (scope base -b xx)    *
//*                                     Added Replica Set/GUID to -extsrvinf*
//*                           o 06/26   Added -sddlpsflag                   *
//*                                     BUGFIX: non-specific SID resolve for*
//*                                              defaultsecuritydescriptors *
//*                           o 06/28   Added additional OID decodes        *
//*                                     Identify more non-MSFT directories  *
//*                           o 07/01   BUGFIX: Bug in new filter explicits *
//*                           o 07/07   Added -rawsddlexpl                  *
//*                                     Added -rawsddlnl                    *
//*                           o 07/08   Updated how -sddl_epxlicit works,   *
//*                                       uses the -rawsddlnl functiounality*
//*                                     BUGFIX: -nopagingcheck              *
//*                                     Added -alldcd, -alldc + tdcda       *
//*                           o 07/09   BUGFIX: Fixed -bit DNWDATA          *
//*                           o 07/18   BUGFIX: Fixed bug in exterr info for*
//*                                              initial bind functions as  *    
//*                                              well as switching to stdout*
//*                           o 07/20   Added -noerr, when stdout redirect  *
//*                                       will prevent errors going to file *
//*                           o 07/21   Added staticly defined GUIDs that   *
//*                                       MSFT screwed up in schema.        *
//*                                     Started work on MSA password decode *
//*                           o 07/29   BUGFIX: Fixed bug in SID preload w/ *
//*                                       built in mnemonic SIDs            *
//*                           o 08/12   msDS-ManagedPassword decode, not    *
//*                                        sure if it works right lol       *
//*                                     BUGFIX: -ic with -excldn/-incldn    *
//*                           o 8/13    Added -encguidtohex,-dechextoguid   *
//*                                     Added -encsidtohex, -dechextosid    *
//*                           o 08/21   Added noroot param on -sc domainlist*
//*                                     Added -metas, metasl, metasnl       *
//*                           o 09/20   BUGFIX: Decode of oMObjectClass     *
//*                                     INFO: Don’t forget -x with -dsq     *
//*                                     Added -dsnq (-dsq with no quotes)   *
//*                           o 09/21   Updated dsheuristics to show char#s *   
//*                           o 09/22   Decoding of netlogon -ldapping debug*
//*                           o 09/28   Decoding of netlogon completed uses *
//*                                       either -samdc or -rootdsedc       *
//*                                     Switches -ldapping / -ldappingex    *
//*                                         -netlogonexdc (special output)  *
//*                           o 09/29  Bug fix in explicit ACE stripping   *
//*                           o 09/30  BUGFIX: No port listed when -udp     *
//*                                    Added more usage info around -url    *
//*                           o 10/01  Added -acecount                      *
//*                                    Added -fl – formatted list jtsv2 nodn*
//*                                    BUGFIX: Fixed -ef parsing of quotes  *
//*                                    Added :report for -sc fgpps/psos     *
//*                           o 10/04  Added -attrvaldelim, -attrprefix     *
//*                           o 10/06  Updated stdin pipein functionality   *
//*                                    to handle quoted CSV/TSV and filter  *
//*                                    out more garbage fed through the pipe*
//*                                    Add -recmutedsq to usage!!!          *
//*                                    BIN: for password                    *
//*                           o 10/07  Added -dnbreakout <dn>:<tag>         *
//*                           o 10/10  Added -decdelta                      *
//*                           o 10/11  Added currenttime to -extsrvinfo     *
//*                                    Fixed -nirs and nirsx                *
//*                           o 10/12  Added -dpcanonical, -cva             *
//*                           o 10/13  Added !closest to -ldapping/ex       *
//*                                    Added findpropsetrg alias of permguid*
//*                                    Removed -sc domainlist:canonicalname *
//*                                      as it makes no sense at all        *
//*                                    Added -sc domainlist:short option    *
//*                           o 10/14  Added displayname to findpropsetrg   *
//*                           o 10/17  Fixed -nirs/nirsx for real this time *
//*                                    Fixed Garbage DN parsing to handle   *
//*                                      single label domains / ADLDS       *
//*                                    Renamed -x to -hint                  *
//*                           o 10/19  Decode attributesecurityguid with    *
//*                                        -schdc decode switch             *
//*                                    Decode appliesto on controlAccessRght*
//*                                       objects with added -configdc      *
//*                           o 10/20  Added do/do+ alias delobjs/delobjs+  *
//*                                    Allow user to specify parentdn or    *
//*                                      parentcanonical to place anywhere  *
//*                                      within CSV, no need for -p switches*
//*                                    BUGFIX: Detection of config/schema   *
//*                                      partition DNs was broken for cross *
//*                                      forest situations.                 *
//*                           o 10/21  Add -samdc if -netlogonexdc          *
//*                                    Added -xmod (manual admod)           *
//*                                    Added -sc userinfo                   *
//*                           o 10/22  Added shortcuts ldsldapurl:xx,       *
//*                                      ldsldapurl:xx, ldsinstances:xx     *
//*                                    Allow specifying * for -mvsort and   *
//*                                      -mvrsort to sort all MV attribs    *
//*                                    Added -ddo                           *
//*                                    Added -rootdseinternals              *
//*                                    Added virtual LDAPURL/LDAPSURL to    *
//*                                      CRootDSE Class                     *
//*                           o 10/23  BUGFIX: Fixed new bug in CRootDSE 😉 *
//*                           o 10/26  Added jwregex_match function, not    *
//*                                       hooked into anything but -joetest *
//*                           o 11/01  Added -CSVFinalCount                 *
//*                                                                         *
//*                           o 11/02  Moved more errors from stderr>stdout *
//*                                    Fixed filter counts for CSVFinalCount*
//*                           o 11/15  Fixed case insensitive for regex     *
//*                                    Adding regex functionality to all    *
//*                                      DisplayXXX functions               *
//*                           o 11/20  Added more regex functionality       *
//*                                    Fixed some output bugs from regexfunc*
//*                           o 12/11  Moved oid gather details to -d2      *
//*                           o 12/16  Implemented SD regex                 *
//*                                    Updated -jsd* shortcuts to accept    *
//*                                      long form regex m// , s///         *
//*                           o 12/20  RegEx for SDs for CSV mode           *
//*                           o 12/22  Added -sdcsvsingle                   *
//*                           o 12/24  Added better regex input parsing     *
//*                                    Fixed -noerr for STDOUT/ERR          *
//*                                    Added new usage for switches and scs *
//*                                    BUGFIX: empty regex SD showed {SD}   *
//*                           o 12/27  Added -regex?                        *

Rating 4.50 out of 5

8/15/2019

Complexity

by @ 7:27 am. Filed under general, quotes, tech

After, more than <cough>two decades<cough> in a professional role of some sort of ops, engineer, architect, dev ops person in IT or Information Security in very large multinational Fortune 1-50 sized companies I have grown to dislike complexity in a way that some people without my experience may think is unnatural if not completely unhealthy. I have two complexity quotes that I came up with that I like to use and I use them often or very often when I am talking to third party outside consultants or vendors…

1. Complexity kills and scale is a complexity multiplier.

2. Complexity breeds insecurity.

And a third that I didn’t come up with but love and have as one of my primary email signatures at work…

3. A complex system that works is invariably found to have evolved from a simple system that worked. The inverse proposition also appears to be true: A complex system designed from scratch never works and cannot be made to work. You have to start over, beginning with a working simple system.

The last is known as John Gall’s Law or more simply as Gall’s Law[1].

These all feed the corollary which is often stated as K.I.S.S.. Keep It Simple Stupid.

When I am called in to look at problems, the more complexity that is there, generally the worse the problem is. The more unstable it is. The more likely it is to break. The less likely the people supporting it understand it well enough to properly support or in fact, support at all – mostly they just let it run and do a lot of burning of incense around server racks to appease the IT gods. But seriously, the more complex the system, the less likely ANYONE ANYWHERE understands it. 

So when I am called in to sort something out or come up with some sort of initial design, usually my solutions are based on the simple concept, “How do I make this simpler?” or “How do I do this in the most simple way possible?” I visualize supporting it for 5 or 10 or 15 years and what will make this painful if not done properly? When I am called at 2AM to work on it after 2 days of no sleep and I finally got to sleep at 1AM, can I quickly and easily fix it and go back to sleep? And while the generic concept is simple to say (or write), it isn’t always simple to make things simpler, it can, in fact, be very very VERY hard. Like they say, if it were simple, everyone would be doing it. But as hard as it may be, the payoff is the investment in an environment or system that is easier to understand, easier to support, and quite frankly, less likely to break in the first place. The goal of all designers and architects and operational staff and really anyone building any kind of system should be to keep it simple…

Again, repeat it with me, Keep It Simple Stupid.

   joe

[1] https://en.wikiquote.org/wiki/John_Gall

Rating 4.83 out of 5

6/4/2019

Immortalizing AJ Plichta :)

by @ 8:41 am. Filed under general

I have a friend at work named AJ, AJ Plichta, if you must know. Yes, THAT AJ.

AJ likes to type AdFind commands without specifying –f before the filter.

Now for most, this isn’t a huge deal, but when you consider our main work forest has around 2.5 million users this can be a rather cumbersome query to run and usually doesn’t result in the output that he wants and he pings me in Zoom or Jabber and says hey what is wrong with my command?

I then look at the command and smile and laugh out loud and then I type LOL.

For AJ, I agreed to looking into adding something to AdFind to help with this. He asked to please not use his name for the switch… I have acquiesced to his desire, there is not a switch with his name in it…

This fix in the upcoming release of AdFind is for AJ. Open-mouthed smile 

    joe

Comment

//*                           o 06/03   Added AJ FIX                        *

Output…

[Tue 06/04/2019  8:33:43.36]
E:\DEV\cpp\vs\AdFind\Debug>adfind -default "objectclass=user" -dsq

ERROR:
ERROR: Specified attribute contains ‘=’, did you perhaps mean this as an LDAP filter and forgot -f?
ERROR: Argument in question [objectclass=user]
ERROR:

Type AdFind /help or AdFind /? for usage assistance.

Rating 4.50 out of 5

5/16/2019

Working on AdFind V01.52.00 BETA and…

by @ 12:02 am. Filed under tech

For Windows Server 2019 and newer OSes I have decided to add in the numeric portion of the DSA Version String to the “Directory” string that is listed at the top of every run in the header…

Any thoughts, comments, and/or feedback before I lock into the decision?

[Wed 05/15/2019 23:59:16.85]
E:\DEV\cpp\vs\AdFind\Debug>adfind -rootdse -hh lo-dc1.lockout.test.loc dsaversionstring

AdFind V01.52.00cppBETA Joe Richards (support@joeware.net) May 2019

Using server: LO-DC1.lockout.test.loc:389
Directory: Windows Server 2008 R2

dn:
> dsaVersionString: 6.1.7601.23840 (win7sp1_ldr.170610-0600)

1 Objects returned

[Wed 05/15/2019 23:59:21.03]
E:\DEV\cpp\vs\AdFind\Debug>adfind -rootdse -hh lo-dc2.lockout.test.loc dsaversionstring

AdFind V01.52.00cppBETA Joe Richards (support@joeware.net) May 2019

Using server: LO-DC2.lockout.test.loc:389
Directory: Windows Server 2012 R2

dn:
> dsaVersionString: 6.3.9600.19130 (winblue_ltsb_escrow.180823-1003)

1 Objects returned

[Wed 05/15/2019 23:59:29.34]
E:\DEV\cpp\vs\AdFind\Debug>adfind -rootdse -hh lo-dc3.lockout.test.loc dsaversionstring

AdFind V01.52.00cppBETA Joe Richards (support@joeware.net) May 2019

Using server: LO-DC3.lockout.test.loc:389
Directory: Windows Server 2016

dn:
> dsaVersionString: 10.0.14393.2828 (rs1_release_inmarket.190216-1457)

1 Objects returned

[Wed 05/15/2019 23:59:40.54]
E:\DEV\cpp\vs\AdFind\Debug>adfind -rootdse -hh lo-dc4.lockout.test.loc dsaversionstring

AdFind V01.52.00cppBETA Joe Richards (support@joeware.net) May 2019

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)

dn:
> dsaversionstring: 10.0.17134.1 (WinBuild.160101.0800)

1 Objects returned

[Wed 05/15/2019 23:59:50.50]
E:\DEV\cpp\vs\AdFind\Debug>adfind -rootdse -hh lo-mk19.lockout.test.loc dsaversionstring

AdFind V01.52.00cppBETA Joe Richards (support@joeware.net) May 2019

Using server: LO-MK19.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17763.1) ADLDS

dn:
> dsaversionstring: 10.0.17763.1 (WinBuild.160101.0800)

1 Objects returned

[Thu 05/16/2019  0:00:02.93]
E:\DEV\cpp\vs\AdFind\Debug>adfind -rootdse -hh lo-ms1903.lockout.test.loc dsaversionstring

AdFind V01.52.00cppBETA Joe Richards (support@joeware.net) May 2019

Using server: LO-MS1903.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.18362.1) ADLDS

dn:
> dsaversionstring: 10.0.18362.1 (WinBuild.160101.0800)

1 Objects returned

[Thu 05/16/2019  0:00:11.75]
E:\DEV\cpp\vs\AdFind\Debug>

Rating 4.00 out of 5

4/2/2019

jwDCLocator.pl *nix/Windows Sample DC Locator Sample Perl Script

by @ 5:03 am. Filed under perl, tech

I have had quite a few people ask me to get to the getting and get the jwDCLocator.pl script made available for them to start looking at it.

So to help those folks out, I am going to do a “quick release” from the Blog and follow up with a release more similar to how I usually release tools on the main website.

You can now find the perl script in a 7zip archive at

https://www.joeware.net/downloads/sharedsource

Note: I have provided a link to the folder itself and enabled indexing so that people can see the whole folder and not think there is something else hidden in there where they can get source code to the other tools, which with the exception of rdp-sec-check (another perl script), is 100% absolutely positively NOT available[1].  I don’t provide source code for the stuff writtin in c/c++, don’t bother asking. I might change my mind in the future but it will be me changing my mind, not someone coercing or convincing me to change my mind.

As of right now, take a look at the usage in the script

jwDCLocator.pl /?

Or look at the code itself. You can run with an INI config file or with command line options. The simplest examples of running the script are

perl jwdclocator.pl /domain:k16tst.test.loc

and

perl jwdclocator.pl /domain:k16tst.test.loc /gclist

I have tested on CentOS7 and FreeBSD12 as well as Windows Server 2012 R2, Windows 10 1809, Windows Server 2016, and Windows Server 2019. For Windows Server both full and core.

For CentOS7 and FreeBSD12 I had to upgrade from perl V5.14 to perl 5.26 (or newer). There is some hashing functionality in the initial script that needs the alias/reference stuff in 5.26. Stuff that was apparently there before in older versions of perl that I swear I had used back in the 90’s for some monitoring scripts (I need to go look closer at those old scripts) but it seemed to have been lost along the way. I also needed to install Net::DNS and Net::LDAP.

For Windows I had to install perl 5.26 (or newer – usually Strawberry 5.28). Same reason for versioning as mentioned above. I also had to install Net::LDAP, Net::DNS was already there.

Mini-FAQ:

Q: Hey dude, I am getting weird results…

A: Feel free to run with the /verbose and /debug switches and then send me a text capture (not image) of the run screen including the command and all files created if you want me to look at it. If you have modified the script, share with me exactly what you did. As per my normal joeware warranty, I will try to look at it when I can, I may or may not fix it. 

Q: Hey joe, where you going with that gun in your hand?

A: Haha. Excellent, never heard that one before…

Q: When will you release this in other script languages?

A: Maybe never. If you want it in another language, feel free to do it and then you can send it to me and I may (or may not) put it in the 7zip file with the perl script. I have to look at the code and feel comfortable with it if I am going to share it on my site. You understand of course.

Q: Can I incorporate this intellectual property in my program?

A: ABSOLUTELY YES. You have unrestricted rights to use anything in this script in any code you write nor and forever.

That is the whole point behind WHY I spent nights working on this so that I could make it hopefully simple to read and understand so that people would use this knowledge and understanding and actually implement this functionality in their code. Please acknowledge me somewhere saying hey, this dude really helped us out to make our product better but even that isn’t a requirement. I JUST WANT THE CODE OUT THERE IN THE WILD RELATED TO ACTIVE DIRECTORY TO GET BETTER. I truly love this technology and think MSFT changed the world with it and I have had 20 years of salary directly related to it. I expect to have many more. And if people start writing code to properly use it, well my life and the lives of many friends and many tens of thousands of people I have never met get better. This will help, hopefully, to remove some stupid from the world.

Too many companies out there pretend to be AD integrated or AD compatible when what they really mean is that they simply have an LDAP interface. I’m sorry to burst your bubble, that doesn’t make you AD integrated or AD compatible. You have multiple bars there, you can do LDAP? Great, that means you can see AD, that doesn’t mean you are integrated or compatible. You need to be able to find domain controllers properly with actual redundancy/high availability, you need to understand multiple domains in a single forest, you need to understand Global Catalog versus Domain. If I ask you about redundancy and availability and your response is something like give me a VIP/Load Balancer to point at I will look at you in disdain. If you want to use AD and you want to use LDAP, in particular, to hit AD. Do it right because you aren’t doing anyone any favors otherwise. I am looking at you IBM and your WebSphere product line in particular (which I pointed out to your ridiculously priced internal consultants all the way back in 2001 sucked and how you could fix it when I was at Ford Motor and your consultants were trying to say AD was failing), I am looking at you VMware, I am looking at you Splunk, so many companies, so little time. 

If you think wow, this was really helpful and will make our product or my code or my scripts or whatever better, please consider the donate button up in the corner. Or not. That is entirely up to you. It is just a form of recognition and a statement to the value you think this stuff brings you. I am not starving but I won’t snub my nose at financial forms of appreciation either. Open-mouthed smile 

That’s it for now. More later. I have a new script I am working on specifically for *nix machines now to help further the admins/support teams in that space.

   joe

[1] Well I did share the source code to one small tool to Kevin Mitnick (yes that Kevin Mitnick – and you all thought I was boring…) a few years back. Hackers seem to love me. Sometimes I wonder if I wasted my life being on the good side of IT and Security instead of being on the shadier side. Winking smile

Rating 4.75 out of 5

[joeware – never stop exploring… :) is proudly powered by WordPress.]