joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...


Dear joe… how do I find old trusts…

by @ 6:00 am. Filed under tech

I recently received an email asking how to find old trusts. I sent back an AdFind query that will list all trusts and when they last had a password change. That query is

adfind -default -rb cn=users -f "&(objectcategory=person)(name=*$)" pwdlastset -tdcd -sort pwdlastset

The command looks in the Users container of the default domain for any user objects whose name ends in $; those will be your trusts, unless you have monkeyed around with putting $ on the end of user names and keep them in your Users container. It then outputs the pwdlastset attribute in my delta format, which looks like…

pwdLastSet: 2009/08/16-17:18:18 Eastern Daylight Time (-3 days 21 hours 17 minutes 47 seconds)

In this example, the password was changed almost 4 days ago.


Next I added a switch to force a sort on the attribute so that things come out in sorted order oldest to newest.


Anything that is older than 30 days is an old trust that is not being maintained as the passwords should be updated at least every 30 days.

As I write this, I realize I could have given an even better answer by having the LDAP query filter out any trusts with a password that was newer than 30 days like so…

adfind -default -rb cn=users -binenc -f "&(objectcategory=person)(name=*$)(pwdlastset<={{CURRENT:-31d}})" pwdlastset -tdcd -sort pwdlastset


This adds another switch, -binenc, which tells AdFind to look at the LDAP query and make some substitutions based on string matches, and it adds another component to the filter so that only accounts whose password was last set 31 or more days ago are returned; anything newer is filtered out.

If you need to look at a specific domain, add -h domainname to the command and it will go to that domain instead.
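The two queries above rely on pwdLastSet being a large integer timestamp and on AdFind's -tdcd delta output. As an added example (not code from the original post or from AdFind), the following builds the integer cutoff the pwdlastset comparison requires and flags stale trusts in -tdcd output; the sample output is constructed, not a real capture.

```python
import re
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC), so an
# LDAP "<=" comparison needs that integer form, not a date string.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(dt: datetime) -> int:
    """Convert an aware datetime to the integer form stored in pwdLastSet."""
    td = dt - _EPOCH_1601
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10

def stale_trust_filter(now: datetime, days: int = 31) -> str:
    """Filter for trust accounts (name ends in $) whose password was last set
    at least `days` days ago, the same selection the post's second query makes."""
    return f"(&(objectcategory=person)(name=*$)(pwdLastSet<={filetime(now - timedelta(days=days))}))"

# Parses the delta AdFind prints with -tdcd, e.g. "(-3 days 21 hours 17 minutes 47 seconds)".
_DELTA = re.compile(r"pwdLastSet:\s*\S+.*\((?P<delta>[^)]*)\)")
_UNIT_DAYS = {"day": 1.0, "hour": 1 / 24, "minute": 1 / 1440, "second": 1 / 86400}

def age_days(line: str) -> float:
    """Password age in (fractional) days from one -tdcd pwdLastSet line."""
    m = _DELTA.search(line)
    if not m:
        raise ValueError(f"not a -tdcd pwdLastSet line: {line!r}")
    parts = re.findall(r"(\d+)\s+(day|hour|minute|second)s?", m.group("delta"))
    return sum(int(qty) * _UNIT_DAYS[unit] for qty, unit in parts)

def stale_trusts(output: str, max_days: int = 30) -> list:
    """Walk AdFind output (a dn: line, then attribute lines) and return
    (dn, age_days) for every trust whose password is older than max_days."""
    stale, dn = [], None
    for line in output.splitlines():
        if line.startswith("dn:"):
            dn = line[3:].strip()
        elif "pwdLastSet:" in line and dn:
            age = age_days(line)
            if age > max_days:
                stale.append((dn, age))
    return stale

# Constructed sample in AdFind's output shape (not a real capture).
SAMPLE = """dn:CN=CORP$,CN=Users,DC=test,DC=loc
>pwdLastSet: 2009/08/16-17:18:18 Eastern Daylight Time (-3 days 21 hours 17 minutes 47 seconds)

dn:CN=OLDFOREST$,CN=Users,DC=test,DC=loc
>pwdLastSet: 2009/03/02-09:00:00 Eastern Standard Time (-171 days 5 hours 36 minutes 5 seconds)
"""
```

Running stale_trusts(SAMPLE) reports only OLDFOREST$, the trust whose password has not rotated within the 30-day window the post describes.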






by @ 8:27 am. Filed under quotes

Don’t ever become a pessimist… a pessimist is correct oftener than an optimist, but an optimist has more fun, and neither can stop the march of events.

    – Robert Heinlein



Spiraling out of control…

by @ 11:29 am. Filed under humour

I got this humorous email from one of my relatives (for those who know my family… Bill C.), it cracked me up… I understand it, too many mechanisms for communication anymore with real communication completely dying at the same time. I don’t tie my work email to my mobile. I rarely give out my mobile number. If my mobile rings I look at it with disdain and shock unless it is ringing with my g/f’s ringtone. The chances of me actually answering the phone is an equation that looks like one of the infinity limit problems from Calculus. Except for her, I likely wouldn’t use mobiles for much more than the GPS functionality, checking the stock market, or the weather. I think texting is evil. Can’t recall the number of times now I have heard people getting all pissed off at their significant other because of this that or the other thing sent in a text. You can’t actually explain what you truly are thinking in a text unless you are trying to say you are laughing in a loud fashion or really don’t like someone.

I think my buddy Dean once called me a phone-tard techno-tard[1]. I truly am, if I can figure out how to take a picture with my phone then I am having a good day with the phone…  Or maybe more truly from my standpoint a bad day, phones are for talking to people, not taking pictures, my camera would be jealous as I don’t make phone calls from it. I find email to be much more civilized because I can ignore it at my own pace or respond at my own pace and people don’t expect immediate responses and if they do… oh well, I can live with their misunderstanding just fine. ;o)

Enough from me… I am just talkative as I finished up a vacation and diving back into things… If you have sent me an email and I haven’t responded, I wasn’t ignoring, I barely touched my computer over the vacation other than to play on POGO.COM or look at the news.


Things are spiraling out of control. I think I have become lost in a world of electronic madness.

One of my sons informed me this week that my cell phone has become obsolete and I must head down to the cell phone store and get a phone that is contemporary with the time.

I pointed out that the fancy razor/slim line phone with camera built in that he made me trade my perfectly good flip-top Motorola cell phone for two years ago still works perfectly fine. Well, except for the camera thing. Never could figure that out. Even the few times I actually did take pictures I couldn’t figure what to do with them and gave up. That is except when I would push the wrong button and take a video of the ceiling or my feet.

Seems the issue is that I am unable to text with the tiny little 3 character buttons. "Hi, son," would come out looking like, "Gh Qmo." My grandkids have even spoken to my wife about Poppa’s crazy text messages. Give me a break. Whatever happened to actually talking on a phone? Isn’t that what they were invented for?

They want me to get one of those phones that you can turn upside down and sideways and has a typewriter keyboard with keys about one-eighth the size of my pinky finger.

One of my four sons is a realtor whose real occupation is fly fishing. "Way to go, son." Or in my text language, "Xbz um Io, rmo." We were floating the Yakima River in his guide-quality drift boat south of Ellensburg, Washington. We were miles from anything remotely resembling civilization. Rock canyon walls were on either side of us. Bear with me as I try to explain this strange thing.

His "Blackberry" rang. It was blue and I asked him why it wasn’t called a Blueberry. He shook his head with that "dealing with an elder" despair look I get a lot these days. It was another realtor who called to say that the sellers he represented had agreed to my son’s client’s changes and he had the signed documents in hand.

My son told him to FAX the papers to his office and he would get them signed and faxed back to close the deal that morning. A minute later the phone rang and he hit a few buttons and looked over the FAX, now on the Yakima River with us.

He then called his clients and told them he was faxing the papers to them to sign and asked them to FAX them back to his office. While he was waiting, he hooked into a fat rainbow and was just releasing this 22-inch beauty as his phone rang again with the signed FAX from his clients.

He called the other realtor and told him he was sending the signed papers back by FAX. The deal was closed. He smiled and just said, "You are a little behind the times, Dad." I guess I am.

I thought about the sixty million dollar a year business I ran with 1800 employees, all without a Blackberry that played music, took videos, pictures and communicated with Facebook and Twitter.

I signed up under duress for Twitter and Facebook, so my seven kids, their spouses, 13 grandkids and 2 great grand kids could communicate with me in the modern way. I figured I could handle something as simple as Twitter with only 140 characters of space. That was before one of my grandkids hooked me up for Tweeter, Tweetree, Twhirl, Twitterfon, Tweetie and Twittererific Tweetdeck, Twitpix and something that sends every message to my cell phone and every other program within the texting world.

My phone was beeping every three minutes with the details of everything except the bowel movements of the entire next generation. I am not ready to live like this. I keep my cell phone in the garage in my golf bag.

The kids bought me a GPS for my last birthday because they say I get lost every now and then going over to the grocery store or library. I keep that in a box under my tool bench with the Bluetooth [it’s red] phone I am supposed to use when I drive. I wore it once and was standing in line at Barnes and Nobles talking to my wife as everyone in the nearest 50 yards was glaring at me. Seems I have to take my hearing aid out to use it and got a little loud.

I mean the GPS looked pretty smart on my dash board, but the lady inside was the most annoying, rudest person I had run into in a long time. Every 10 minutes, she would sarcastically say, "Re-calc-ul- ating." You would think that she could be nicer. It was like she could barely tolerate me. She would let go with a deep sigh and then tell me to make a U-turn at the next light. Then when I would make a right turn instead, it was not good. When I get really lost now, I call my wife and tell her the name of the cross streets and while she is starting to develop the same tone as Gypsy, the GPS lady, at least she loves me.

To be perfectly frank, I am still trying to learn how to use the cordless phones in our house. We have had them for 4 years, but I still haven’t figured out how I can lose three phones all at once and have to run around digging under chair cushions and checking bathrooms and the dirty laundry baskets when the phone rings.

The world is just getting too complex for me. They even mess me up every time I go to the grocery store. You would think they could settle on something themselves but this sudden "paper or plastic?" every time I check out just knocks me for a loop. I bought some of those cloth re-usable bags to avoid looking confused but never remember to take them in with me.

Now I toss it back to them. When they ask me, "paper or plastic?" I just say, "Doesn’t matter to me. I am bi-sacksual." Then it’s their turn to stare at me with a blank look.

[1] Dean emailed me and said… “That’s “Techno-tard” :)”



Goodbye Les… and thanks!

by @ 5:45 pm. Filed under general


Les Paul, one of the most revered guitarists in history and the father of the electric guitar, passed away last night, August 12th at the age of 94. Paul’s manager confirmed to Rolling Stone that cause of death was respiratory failure, and a statement from Gibson indicates Paul was suffering from severe pneumonia and died at a hospital in White Plains, New York.


Automatic Domain Controller Metadata cleanup via ADUC in Windows Server 2008

by @ 3:25 pm. Filed under tech

Just saw this in one of the private listservs that Microsoft DS PG and DS MVPs chat on, they said it could be shared…


Windows Server 2008 and Windows Server 2008 R2 Automate Metadata Cleanup

Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS). You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed. Metadata cleanup removes data from AD DS that identifies a domain controller to the replication system. Metadata cleanup also removes File Replication Service (FRS) and Distributed File System (DFS) Replication connections and attempts to transfer or seize any operations master (also known as flexible single master operations or FSMO) roles that the retired domain controller holds. These additional processes are performed automatically. You can use this procedure to clean up server metadata for a domain controller from which you have forcibly removed AD DS.

On domain controllers that are running Windows Server 2008, you can use Active Directory Users and Computers to clean up server metadata. In this procedure, deleting the computer object in the Domain Controllers organizational unit (OU) initiates the cleanup process, which proceeds automatically.



Blog software updated…

by @ 3:38 pm. Filed under general

I have updated the wordpress software for this blog, if you experience issues, please let me know.



P.S. I love the WordPress automatic upgrade process. 30 seconds and the blog software is updated and the plugins that have updates are updated as well. 🙂


OldCMP and the dreaded LDAP Error 0x50 “OTHER”

by @ 3:27 pm. Filed under tech

Just a quick blog post. I am on vacation which is just a way of saying I am doing a whole ton of yard work around my place. I need a big front loader with a back hoe if anyone is feeling particularly giving. Or a bulldozer would be nice as well…  😀


Anyway, a common email for me to see in my inbox is…


Dear joe, oldcmp rocks but I keep getting this 0x50 error and it sucks because I can’t find any info on it…

Yes that error does suck, it is the LDAP “OTHER” error.


G:\>err 0x50
# for hex 0x50 / decimal 80 :
  PAGE_FAULT_IN_NONPAGED_AREA                                   bugcodes.h
# Certificate Services could not publish a Certificate for
# request %1 to the following location on server %4: %2.
# %3.%5%6
  LLC_STATUS_CCB_POINTER_FIELD                                  dlcapi.h
  NMERR_IP_ADDRESS_NOT_FOUND                                    netmon.h
  TLS1_ALERT_INTERNAL_ERROR                                     schannel.h
# error
  ERROR_FILE_EXISTS                                             winerror.h
# The file exists.
LDAP_OTHER                                                    winldap.h
# 7 matches found for "0x50"

I wasn’t bright enough at the time to add the -exterr switch I have in AdFind, which gives you the “good” error message that tells you what might really be happening. Of course you can always just do a network packet capture and you will see the error as well, but most people, even admins sadly, don’t know how to do a packet capture so they are stuck.

No fear, of the 1000 or so times I have looked into this, I was keeping count and roughly every single one of them was due to someone specifying an invalid DN for the new parent parameter. They were missing a comma, spelling OU with a zero, or specified an OU that didn’t actually exist. So if you got the dreaded 0x50 LDAP error in OldCmp, googled, and found this posting, hopefully you now know to look at your new parent DN and validate that it really exists. How do you do that, you ask? Well, use AdFind!


adfind -b "new parent DN" -s base -dn -exterr






Fun update for AdMod… Alternate working title, long overdue update for AdMod…

by @ 8:45 am. Filed under tech

This is an update I just added this week to AdMod that people may be interested in… Nope, sorry no scheduled release date though.


[Sat 08/01/2009 14:14:22.31]
F:\Dev\Current\CPP\AdMod\Debug>adfind -e -default -f name=admod_test_group member

AdFind V01.40.00cpp Joe Richards ( February 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc


1 Objects returned

[Sat 08/01/2009 14:17:25.00]
F:\Dev\Current\CPP\AdMod\Debug>adfind -e -default -rb ou=admod_test,ou=testou -f objectclass=user -dsq |admod -e -stdinadd member -b CN=admod_test_group,ou=admod_test,OU=TestOU,DC=test,DC=loc

AdMod V01.12.00cpp ##BETA## Joe Richards ( July 2009

DN Count: 1
Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

Modifying specified objects…
   DN: CN=admod_test_group,ou=admod_test,OU=TestOU,DC=test,DC=loc…

The command completed successfully

[Sat 08/01/2009 14:18:52.78]
F:\Dev\Current\CPP\AdMod\Debug>adfind -e -default -f name=admod_test_group member

AdFind V01.40.00cpp Joe Richards ( February 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

>member: CN=testusera_4,OU=admod_test,OU=TestOU,DC=test,DC=loc
>member: CN=testusera_3,OU=admod_test,OU=TestOU,DC=test,DC=loc
>member: CN=testusera_2,OU=admod_test,OU=TestOU,DC=test,DC=loc
>member: CN=testusera_1,OU=admod_test,OU=TestOU,DC=test,DC=loc
>member: CN=testusera_0,OU=admod_test,OU=TestOU,DC=test,DC=loc
>member: CN=testuser_4,OU=admod_test,OU=TestOU,DC=test,DC=loc
>member: CN=testuser_3,OU=admod_test,OU=TestOU,DC=test,DC=loc
>member: CN=testuser_2,OU=admod_test,OU=TestOU,DC=test,DC=loc
>member: CN=testuser_1,OU=admod_test,OU=TestOU,DC=test,DC=loc
>member: CN=testuser_0,OU=admod_test,OU=TestOU,DC=test,DC=loc

1 Objects returned

So what you are seeing is the result of one query for users being slapped into the membership of a specified group. The parameterization is still not as clean as I want, but it is cleaner than the ideas I had before. I may change it around a little again, but the base functionality is now in there.

There are obviously some other things in there. Like with AdFind, I switched to the latest CodeGear C++ Builder 2009 compiler, which results in a smaller binary and faster execution. I have also added the ability to update security descriptors, which is a long requested update. It isn’t at the “cool” stage yet though, it is still kind of clunky, so I am tweaking that and have some ideas for other cool things to do with it to make it very useful. Also, on the stdin redirect piece I had several requests to add some DN validation, so I am working on adding that in. It will slow things down a hair but it will be better than trying to do work against improperly formed DNs.

Other changes in there and still coming.
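The 0x50 post above blames almost every LDAP “OTHER” error on a malformed new parent DN, and this post mentions adding DN validation to the AdMod stdin path. As an added example (not OldCmp or AdMod code), here is a syntax lint for exactly those DN mistakes, run on constructed sample DNs; it cannot tell whether the OU exists, which is still the job of the adfind -b "DN" -s base check.

```python
import re

# Attribute types that legitimately appear in Active Directory DNs.
KNOWN_TYPES = {"CN", "OU", "DC", "O", "C", "L", "ST", "STREET", "UID"}

def split_rdns(dn: str) -> list:
    """Split a DN on commas that are not backslash-escaped (RFC 4514)."""
    return re.split(r"(?<!\\),", dn)

def lint_dn(dn: str) -> list:
    """Return a list of syntax problems; an empty list means the DN is well formed.
    Existence of the container is not checked, only that the DN is plausible."""
    if not dn.strip():
        return ["empty DN"]
    problems = []
    rdns = split_rdns(dn)
    for rdn in rdns:
        if "=" not in rdn:
            problems.append(f"RDN {rdn!r} has no '=': missing attribute type?")
            continue
        attr, value = rdn.split("=", 1)
        attr = attr.strip()
        if attr.upper() not in KNOWN_TYPES:
            hint = " (a zero where the letter O belongs?)" if "0" in attr else ""
            problems.append(f"unknown attribute type {attr!r}{hint}")
        if not value.strip():
            problems.append(f"RDN {rdn!r} has an empty value")
        # An unescaped '=' inside a value almost always means a dropped comma:
        # 'OU=Disabled OU=Sales' parses as ONE RDN with value 'Disabled OU=Sales'.
        elif re.search(r"(?<!\\)=", value):
            problems.append(f"RDN {rdn!r}: '=' inside the value, probably a missing comma")
    if not any(r.strip().upper().startswith("DC=") for r in rdns):
        problems.append("no DC= components: not a full AD DN")
    return problems

def partition_dns(lines) -> tuple:
    """Split piped-in DNs (one per line, as adfind -dsq emits them) into the
    ones worth handing to AdMod and the ones to reject, with their problems."""
    good, bad = [], []
    for line in lines:
        dn = line.strip()
        if not dn:
            continue
        problems = lint_dn(dn)
        if problems:
            bad.append((dn, problems))
        else:
            good.append(dn)
    return good, bad
```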




by @ 11:13 am. Filed under quotes

“They’ve got the vision of Stevie Wonder without the creativity.”

    – Donald Livengood



Minibuilding made with earthbags

by @ 4:11 pm. Filed under alternatives


