joeware - never stop exploring... :)

The betrunkener Schmetterling releases of AdFind and AdMod have been posted to the website.

You can find AdFind V01.41.00 here —>  http://www.joeware.net/freetools/tools/adfind/index.htm

You can find the new usage here —> http://www.joeware.net/freetools/tools/adfind/usage.htm

 

You can find AdMod V01.12.00 here —>  http://www.joeware.net/freetools/tools/admod/index.htm

You can find the new usage here —> http://www.joeware.net/freetools/tools/admod/usage.htm

 

You had to expect something was going to hit the joeware free tools website, we are again coming up to The Experts Conference (aka DEC) timeframe and I always try to push something out the door for DEC err TEC. Unfortunately as mentioned earlier, I will not be at TEC this year but I expect a few laptops running my utilities will be there which is almost as good. 🙂

 

I tried something different this time. I worked on updating AdFind and AdMod at the same time. I usually don’t like doing that because my focus can drift but it worked out very well in this case as changes I made to AdFind to get it to compile with Code Gear C++ Builder 2009 were needed for AdMod as well and I also took the opportunity to collapse some of the common functions. Not all of them, lots more can be done in that area but that is for me and not you because it doesn’t do anything for you. For me it means less places to look for changes and a change in one makes the change in both.

 

The AdFind updates that you will notice are mostly pretty small, various bug fixes and some more attributes decoded properly for Windows Server 2008 R2 (thanks to everyone who emails me items that could be decoded or aren’t decoded properly BTW) and a few new switches.

Probably the most “wanted” addition I have added to AdFind are the –tdcfmt and –tdcsfmt switches. These switches allow you to change the output of the time decoding done with the various –tdc* switches. I had lots of people who wanted to set up their own custom time formats and others who wanted me to localize the output. I figured out of the two, allowing someone to set their own format was the more flexible for them and the least amount of work for me. 🙂 So now if you want to output the time like DAY/MONTH/YEAR or even MONTH-YEAR you are welcome to do so. More on that below in the full detailed list of updates.

 

The AdMod updates are a collection of updates made since V01.10.00 was released back in February 2007. I jumped straight to V01.12.00 as I had stopped working on AdMod for some time and just used V01.11.00 myself to work out some really nasty bugs I somehow inserted into it. 🙂 Then when I started working on it again I needed to rev the version number. So no, you didn’t have a black out, V01.11.00 was never publicly available.

There are a ton of changes in AdMod. Its not a major version release but it is definitely two minor releases in terms of bug fixes alone… The first big change is that I converted it to Code Gear C++ Builder 2009 like I did for AdFind. Most folks found tremendous speed increases between the old and new version of AdFind when I switched compilers and I have been seeing the same results with AdMod. Another big change is that AdMod will now encode SDDL strings into Security Descriptors. This is done like encoding GUIDs or SIDs but instead with a prefix of SD#. In the same encoding portion of the code I also added time string encoding as well with UTC##, LOCAL##, and CURRENT##. There are some neat tricks you will be able to pull off with those. One of the final big changes is to allow CSV mode –import switch works in update mode, not just add mode. However, in the interest of data safety, the import mode will NOT overwrite current values, it will only ADD values. So if you have a single valued attribute that is already populated, –import will not overwrite that value. It will bail with an already exists error. If you want that value overwritten, you need to specify the proper attribute operation like description::{{.}} as you did before. I initially set it up with an override switch to allow overwrites, but then saw someone do something that changed my mind.

As always, if you run into issues or just have thoughts, questions, please send me an email. I hope you find the updates to be useful for you. People keep telling me that AdFind/AdMod aren’t needed anymore because PowerShell can do it all but

1) That hasn’t been my experience in any company I have looked at

2) I still get flooded with email requests for new features and how to questions

so I feel the tools are still relevant and useful and will keep them available.

As I mentioned in another blog post, I am considering writing a book on LDAP, AD, ADAM, and AdFind/AdMod and actually started generating a draft table of contents last night while watching Survivor. I think it will be useful and I am, I expect, the best person to write it. 🙂

 

 

ADFIND UPDATE DETAILS

* Lots of bug fixes in logic, switch processing, shortcuts, and the usage.

* Added decodes for

• linkID
• msDS-OptionalFeatureFlags
• msDS-RequiredForestBehaviorVersion
• msDS-RequiredDomainBehaviorVersion

* Updated some other decoded attributes to include Windows Server 2008 R2

* Did some work on the –e and –ef functionality. These switches enable environment variables or switches from a file to allow you to “hardcode” certain switches into your commands without typing them each time. Also added/updated functionality around a default switch file for each program that is always read in case you have something that you always want done, say like –tdcs or one of the new time formatting switches. Note that the default file is read from the current working directory. This was a purposeful decision.

* Added the following new switches

• -arecex : this enables A Record Exclusive mode. When you specify a host and this switch together, the underlying API will only look at the A record for the name, it will not try to guess if it is a domain. This can dramatically speed up bind times when you specify a host.
• -hh : this is a shortcut for –h and –arecex together. I sort of look at –hh as meaning, no I really mean this server name, don’t try to look at domain names.
• -hd: this was a request from a friend of mine, he wanted a shortcut for –h and –default.
• -digest : Digest authentication
• -this : Shortcut for –s base
• -jtsv : Joe’s TSV mode, sets up a couple of options I often use with in CSV mode
• -users : Shortcut base to cn=users,<domainDN>
• -displayspecifiers : Shortcut base to the display specifiers container in the configuration container.
• -nocsvq : alias for –csvnoq
• -csvnoheader : alias for nocsvheader
• -tdcfmt/-tdcsfmt : These allow you to modify the time format output of the various –tdc* switches. Specifically you get to specify the normal time format and the “sortable” time format. The format for each is specified with a string with replaceable parameters.

• The default format for –tdc is %MM%/%DD%/%YYYY%-%HH%:%mm%:%ss% %TZ%
• The default format for –tdcs is %YYYY%/%MM%/%DD%-%HH%:%mm%:%ss% %TZ%
• The parameters are:

• %MM%    – 2 digit month
• %DD%    – 2 digit day
• %YYYY%  – 4 digit year
• %HH%    – 2 digit hour (24 hour format)
• %mm%    – 2 digit minute
• %ss%    – 2 digit second
• %ms%    – 2 digit millisecond
• %TZ%    – Time Zone string
• %%      – Percent symbol

* Added the following shortcuts

• -sc replstat – Combines several switches to retrieves replication cursors (excluding deleted DSAs) for the configuration NC which can give you a quick view on forest wide replication status.
• -sc getacl – Combines several switches to get the ACL of a specific object.
• -sc getacls – Combines several switches to get ACLs on all objects returned.

* Updated the –sc s: and –sc sl: shortcuts to allow you to append ;class or ;attr to focus only on returning classes or attributes.

 

 

ADMOD UPDATE DETAILS

* Converted to CodeGear C++ Builder 2009

* Lots and Lots of bug fixes in logic, switch processing, shortcuts, and the usage.

* Added CSV variable expansion modifiers __lc, __uc, __spec, __hex, __num, *origdn*.

* Added SD## to allow for SDDL encoding to modify Security Descriptors

* Added UTC##, LOCAL##, CURRENT## to allow for int8 time encoding.

* Like with AdFind, worked on the –e and –ef switches and functionality.

* Warn if no redirection is detected and no base is specified.

* Error out if a bad DN is detected in stdin redirection mode.

* Allow non-CSV mode expansion capability. Gives limited variable expansion functionality.

* The –import switch now works with updates as well as adds. Will not overwrite existing values!

* –CSV specified with no arguments enables –import

* Added new switches:

• -log : Logs AdMod operation info to a file
• -forestdns : Shortcut Base like in AdFind
• -domaindns : Shortcut Base like in AdFind
• -dcs : Shortcut Base like in AdFind
• -fsps : Shortcut Base like in AdFind
• -gpo : Shortcut Base like in AdFind
• -ldappolicy : Shortcut Base like in AdFind
• -psocontainer : Shortcut Base like in AdFind
• -xrights : Shortcut Base like in AdFind
• -partitions : Shortcut Base like in AdFind
• -sites : Shortcut Base like in AdFind
• -subnets : Shortcut Base like in AdFind
• -exch : Shortcut Base like in AdFind
• -users : Shortcut Base like in AdFind
• -displayspecifiers : Shortcut Base like in AdFind
• -stdinadd : Allows you to redirect quoted DNs from STDIN into a multivalue attribute.
• -stdinrm : Allows you to redirect quoted DNs from STDIN to remove from a multivalue attribute.
• -stdinreplace : Allows you to redirect quoted DNs from STDIN to replace the values in a multivalue attribute.
• -csvfile : Read CSV stream from a file
• -tmpobj : Create an dynamic object (i.e. object with a TTL).
• -optenc : Alias for –kerbenc
• -digest : Digest authentication
• -arecex : this enables A Record Exclusive mode. When you specify a host and this switch together, the underlying API will only look at the A record for the name, it will not try to guess if it is a domain. This can dramatically speed up bind times when you specify a host.
• -hh : this is a shortcut for –h and –arecex together. I sort of look at –hh as meaning, no I really mean this server name, don’t try to look at domain names.
• -hd: this was a request from a friend of mine, he wanted a shortcut for –h and –default.
• digest : Digest authentication

* Added new shortcuts

• -sc phantomgc : doGarbageCollectionPhantomsNow
• -sc igcc : invalidateGCConnection
• -sc rsc : renewServerCertificate
• -sc rodcpurge : rODCPurgeAccount
• -sc runpag : runProtectAdminGroupsTask
• -sc runsamupg : runSamUpgradeTasks
• -sc rsos : replicateSingleObject – SECRETS_ONLY