Ten years ago today Active Directory was made publicly available[1]. Been a long ten years and we have seen some cool/wonderful things and some sad/horrible things. Overall, looking good AD. :)
joe
[1] RTM was December 15, 1999.
The betrunkener Schmetterling releases of AdFind and AdMod have been posted to the website.
You can find AdFind V01.41.00 here —> http://www.joeware.net/freetools/tools/adfind/index.htm
You can find the new usage here —> http://www.joeware.net/freetools/tools/adfind/usage.htm
You can find AdMod V01.12.00 here —> http://www.joeware.net/freetools/tools/admod/index.htm
You can find the new usage here —> http://www.joeware.net/freetools/tools/admod/usage.htm
You had to expect something was going to hit the joeware free tools website, we are again coming up to The Experts Conference (aka DEC) timeframe and I always try to push something out the door for DEC err TEC. Unfortunately as mentioned earlier, I will not be at TEC this year but I expect a few laptops running my utilities will be there which is almost as good. :)
I tried something different this time. I worked on updating AdFind and AdMod at the same time. I usually don't like doing that because my focus can drift but it worked out very well in this case as changes I made to AdFind to get it to compile with Code Gear C++ Builder 2009 were needed for AdMod as well and I also took the opportunity to collapse some of the common functions. Not all of them, lots more can be done in that area but that is for me and not you because it doesn't do anything for you. For me it means less places to look for changes and a change in one makes the change in both.
The AdFind updates that you will notice are mostly pretty small, various bug fixes and some more attributes decoded properly for Windows Server 2008 R2 (thanks to everyone who emails me items that could be decoded or aren't decoded properly BTW) and a few new switches.
Probably the most "wanted" addition I have added to AdFind are the -tdcfmt and -tdcsfmt switches. These switches allow you to change the output of the time decoding done with the various -tdc* switches. I had lots of people who wanted to set up their own custom time formats and others who wanted me to localize the output. I figured out of the two, allowing someone to set their own format was the more flexible for them and the least amount of work for me. :) So now if you want to output the time like DAY/MONTH/YEAR or even MONTH-YEAR you are welcome to do so. More on that below in the full detailed list of updates.
The AdMod updates are a collection of updates made since V01.10.00 was released back in February 2007. I jumped straight to V01.12.00 as I had stopped working on AdMod for some time and just used V01.11.00 myself to work out some really nasty bugs I somehow inserted into it. :) Then when I started working on it again I needed to rev the version number. So no, you didn't have a black out, V01.11.00 was never publicly available.
There are a ton of changes in AdMod. It's not a major version release but it is definitely two minor releases in terms of bug fixes alone… The first big change is that I converted it to Code Gear C++ Builder 2009 like I did for AdFind. Most folks found tremendous speed increases between the old and new version of AdFind when I switched compilers and I have been seeing the same results with AdMod. Another big change is that AdMod will now encode SDDL strings into Security Descriptors. This is done like encoding GUIDs or SIDs but instead with a prefix of SD#. In the same encoding portion of the code I also added time string encoding as well with UTC##, LOCAL##, and CURRENT##. There are some neat tricks you will be able to pull off with those. One of the final big changes is to allow the CSV mode -import switch to work in update mode, not just add mode. However, in the interest of data safety, the import mode will NOT overwrite current values, it will only ADD values. So if you have a single valued attribute that is already populated, -import will not overwrite that value. It will bail with an already exists error. If you want that value overwritten, you need to specify the proper attribute operation like description::{{.}} as you did before. I initially set it up with an override switch to allow overwrites, but then saw someone do something that changed my mind.
As always, if you run into issues or just have thoughts, questions, please send me an email. I hope you find the updates to be useful for you. People keep telling me that AdFind/AdMod aren't needed anymore because PowerShell can do it all but
1) That hasn't been my experience in any company I have looked at
2) I still get flooded with email requests for new features and how to questions
so I feel the tools are still relevant and useful and will keep them available.
As I mentioned in another blog post, I am considering writing a book on LDAP, AD, ADAM, and AdFind/AdMod and actually started generating a draft table of contents last night while watching Survivor. I think it will be useful and I am, I expect, the best person to write it. :)
ADFIND UPDATE DETAILS
* Lots of bug fixes in logic, switch processing, shortcuts, and the usage.
* Added decodes for
* Updated some other decoded attributes to include Windows Server 2008 R2
* Did some work on the -e and -ef functionality. These switches enable environment variables or switches from a file to allow you to "hardcode" certain switches into your commands without typing them each time. Also added/updated functionality around a default switch file for each program that is always read in case you have something that you always want done, say like -tdcs or one of the new time formatting switches. Note that the default file is read from the current working directory. This was a purposeful decision.
* Added the following new switches
* Added the following shortcuts
* Updated the -sc s: and -sc sl: shortcuts to allow you to append ;class or ;attr to focus only on returning classes or attributes.
ADMOD UPDATE DETAILS
* Converted to CodeGear C++ Builder 2009
* Lots and Lots of bug fixes in logic, switch processing, shortcuts, and the usage.
* Added CSV variable expansion modifiers __lc, __uc, __spec, __hex, __num, *origdn*.
* Added SD## to allow for SDDL encoding to modify Security Descriptors
* Added UTC##, LOCAL##, CURRENT## to allow for int8 time encoding.
* Like with AdFind, worked on the -e and -ef switches and functionality.
* Warn if no redirection is detected and no base is specified.
* Error out if a bad DN is detected in stdin redirection mode.
* Allow non-CSV mode expansion capability. Gives limited variable expansion functionality.
* The -import switch now works with updates as well as adds. Will not overwrite existing values!
* -CSV specified with no arguments enables -import
* Added new switches:
* Added new shortcuts
Last time I looked, the Daemon ISO Mounting Tool didn't work for Windows 7, just looked again today and now Windows 7 is supported and it actually works:
http://www.disk-tools.com/download/daemon
When I was 13 I knew it all…
When I was 16 I realized I didn't know it all at 13 because I now knew it all…
At 19 I realized I didn't know so much when I was 16 because I really knew it all then.
At 21 I finally got the point and knew that I previously knew very little and that teenagers were stupid and shouldn't be allowed to make decisions because I finally had all knowledge.
At 25 I realized that I really didn't know very much.
At 33 I admitted it out loud.
At 40 I started forgetting what little I did know… :)
– me
If you don't know joe's tools, are you really into AD?
– Florian Frommherz (http://www.frickelsoft.net/blog/?p=180)
People like to think they know more than they do, especially the ones that know the least.
– me
Unfortunately this year I won't be attending the Microsoft MVP Global Summit in Seattle nor The Experts Conference. Things didn't work out properly for me to pull it off. I will greatly miss seeing my friends at Microsoft at the summit as well as the other MVPs.
I will also (as will my g/f) miss the fun at The Experts Conference (TEC aka DEC) in Los Angeles. It will be sad not seeing Christine, Stella, and Gil like I did every year for some time now as well as all the other regular attendees. I hope that the folks who get to go have lots of fun and take advantage of all of the knowledge sharing that is so deeply embedded in the TEC experience.
Have fun everyone who gets to go… :)
If you see any of these errors
You cannot open this document because we cannot set up your computer to open documents that have restricted permission.
The Rights Management client returned the following result code: 0x80004005(-2147467259).
The Rights Management client returned the following result code: E_DRM_SERVICE_NOT_FOUND.
The Rights Management client returned the following result code: E_DRM_BIND_VALIDITY_TIME_VIOLATED.
Check out http://support.microsoft.com/?kbid=979099
…what would you guys like to see in it?
I am once again thinking about writing a book for AdFind and AdMod coupled with LDAP basics, Active Directory basics, and ADAM / ADLDS Basics. Then maybe some discussion on how to use all of the above mentioned products. Basic guidelines I give folks when asked. Top questions I am asked and the responses I give, etc.
The idea would be to do some sort of self publishing with this through Amazon or something like that so anyone anywhere can order it and get it.
Thoughts?
There is an article on TechNet about the forest's tombstone lifetime for Active Directory (http://technet.microsoft.com/en-us/library/cc784932(WS.10).aspx) that was discussed on an internal MSFT DS Team / MSFT MVP email list. The discussion pointed out that there is a little confusion around the article.
Specifically the confusion can come up around step 8
Note the value in the Value column. If the value is <not set>, the default value is in effect as follows:
- On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2008, or Windows Server 2008 R2, the default value is 180 days.
- On a domain controller in a forest that was created on a domain controller running Windows 2000 Server, Windows Server 2003, or Windows Server 2003 R2, the default value is 60 days.
The question came up… and a good question I might add… "What if you don't know what version of the OS was used to initially build the forest?"
If this confusion exists for Directory Service MVPs, then it probably exists for some other folks as well.
There is a very easy (for now) way to ascertain what the tombstone lifetime is.
But joe, doesn't the OS version matter? No. The reason it doesn't matter is that the default didn't change in the source code for the different OS versions. What changed was a line in a file called schema.ini, which sets the value of tombstoneLifetime to some other value, so if the value isn't set it is the AD default of 60 days.
The section of the schema.ini file we are talking about is
; Explict TSL default set in W2K3 SP1 to increase shelf-life of backups and allow longer
; disconnection times.
tombstoneLifetime=180
joe
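The rule above (an unset tombstoneLifetime means the 60-day default, whatever OS built the forest) applied to the two things the schema.ini comment mentions, backup shelf-life and disconnection time. This is an added example, not code from joeware or the original post; the attribute dumps, DNs, item names and dates are constructed, and the helper names are hypothetical.

```python
import re
from datetime import date

AD_DEFAULT_TSL_DAYS = 60  # default in effect when tombstoneLifetime is <not set>

# Constructed attribute dumps of the Directory Service object in the
# configuration partition, in "attr: value" form. DNs are made up.
FOREST_A = """dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=a,DC=example
objectClass: nTDSService
tombstoneLifetime: 180
"""
FOREST_B = """dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=b,DC=example
objectClass: nTDSService
"""

# Constructed inventory: date of the last good system-state backup per DC.
# The same check works for "last successful replication" dates.
BACKUPS = {
    "dc1-system-state": date(2009, 12, 1),
    "dc2-system-state": date(2010, 2, 1),
}
TODAY = date(2010, 3, 1)


def effective_tsl(dump):
    """Return the tombstone lifetime in days; fall back to 60 when unset."""
    # An optional leading '>' is tolerated for tools that prefix attribute lines.
    m = re.search(r"^>?\s*tombstoneLifetime:\s*(\d+)\s*$", dump, re.M | re.I)
    return int(m.group(1)) if m else AD_DEFAULT_TSL_DAYS


def expired(dump, items, today):
    """Names of items older than the forest's effective tombstone lifetime."""
    tsl = effective_tsl(dump)
    return sorted(name for name, d in items.items() if (today - d).days > tsl)


if __name__ == "__main__":
    for label, dump in (("forest A", FOREST_A), ("forest B", FOREST_B)):
        print(label, "TSL:", effective_tsl(dump), "days;",
              "too old to use:", expired(dump, BACKUPS, TODAY) or "none")
```

The same 90-day-old backup is fine in the forest with tombstoneLifetime=180 and unusable in the forest where the attribute is not set.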