joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

2/7/2009

More AdFind V01.40.00 sneak peek…

by @ 6:48 pm. Filed under tech

Back on Jan 21 I tipped my hand on a new capability in AdFind which for many people is extremely exciting based on the feedback in my inbox. To refresh your memory, that was the ability for AdFind to take in a list of Base DNs to execute queries against. For short we will say piping AdFind into AdFind, though you could, if for whatever reason it gripped you, pipe dsquery into AdFind.

Well in a follow up conversation with my friend and co-author Brian Desmond, he asked “How do I pipe DNs from AdFind into AdFind and then get counts for the number of users under each of those DNs?” My response was… well you can’t. The whole counting mechanism is based on the number of objects AdFind returns period… But then I thought, I hacked in CSV when I didn’t think I could… then I hacked in the piping in multiple DNs when I didn’t think I could, let me give this a try before totally saying no… So voila, a new switch because you just know there aren’t enough switches in AdFind yet…. The new switch is -ic… where -c stands for count, -ic stands for intermediate count… That lets you do something like….

G:\>adfind -default -f ou=* -dsq | adfind -sc adobjcnt:user

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) February 2009

Using server: r2dc1.test.loc:3268
Directory: Windows Server 2003

BaseDN: OU=CharTests,OU=TestOU,DC=test,DC=loc
1 intermediate objects returned

BaseDN: OU=createtest,OU=TestOU,DC=test,DC=loc
10 intermediate objects returned

BaseDN: OU=Deleted,OU=XXXTest,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=XXXTest,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=Domain Controllers,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=Email,OU=My,DC=test,DC=loc
1 intermediate objects returned

BaseDN: OU=GPOTest,OU=TestOU,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=Groups,OU=My,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=Groups,OU=TestOU,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=HideTest,OU=TestOU,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=joeperm,OU=TestOU,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=My,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=oneleveldown,OU=createtest,OU=TestOU,DC=test,DC=loc
1 intermediate objects returned

BaseDN: OU=Outlook,OU=TestOU,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=permtest,OU=TestOU,DC=test,DC=loc
2 intermediate objects returned

BaseDN: OU=PoSTest,DC=test,DC=loc
700001 intermediate objects returned

BaseDN: OU=Skip,OU=TestXXX,OU=XXXTest,DC=test,DC=loc
1 intermediate objects returned

BaseDN: OU=TestXXX,OU=XXXTest,DC=test,DC=loc
4 intermediate objects returned

BaseDN: OU=TestDisable,OU=XXXTest,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=TestOU,DC=test,DC=loc
6 intermediate objects returned

BaseDN: OU=Users,OU=My,DC=test,DC=loc
2 intermediate objects returned

BaseDN: OU=Users,OU=TestOU,DC=test,DC=loc
10 intermediate objects returned

700039 Objects returned

Anyone think that is pretty handy??? If so, you can thank Brian, he asked the right question at the right time… I modified the adobjcnt shortcut such that when it detects it is in multi-DN mode it will also insert the -ic switch as well as set the search scope to one-level. If you wanted counts of all of the users in each OU but you wanted the counts to roll up to the higher OUs as well you would simply add the -s sub or -s subtree switch to your command.

But then I thought, while that is useful, it would be even more useful if I could somehow get that in a CSV format so I could use this more easily from scripts when trying to get a snapshot of an environment… I looked and there was just no way I could get it into the CSV code path. When you do CSV the whole counting section isn’t used and even if it were, it is outside of the location where the CSV code is and in order to try and get it in there would cause me to use some wholly unnatural global variables and other things that just made me go, no, I will not go there, that is too ugly, too inelegant… I know I do some bad things in code, but I don’t want to do THAT bad of things in code.

All hope is not lost however. I decided to add… yes… another switch. I know I know, another one truly isn’t needed but I wanted this functionality and if you don’t like it, just ignore the fact that it is there. This switch is not a very flexible switch, there are no modifiers for it. It is called -ictsv and it simply takes the -ic output and makes it into a TAB Delimited format output. This isn’t going to be tweaked to allow different delimiters or anything like that. It is a hack completely outside the normal CSV routines which have all that flexibility. I chose tab delimited because DNs have commas and it is unlikely (impossible? I don’t know, didn’t test) to see a tab in a DN and to be honest, I like tab delimited output. I usually use TABs for my delimiters for CSV output. Anyway that output looks like…

G:\>adfind -default -f ou=* -dsq | adfind -sc adobjcnt:user -ictsv
OU=CharTests,OU=TestOU,DC=test,DC=loc   1
OU=createtest,OU=TestOU,DC=test,DC=loc  10
OU=Deleted,OU=XXXTest,DC=test,DC=loc 0
OU=XXXTest,DC=test,DC=loc    0
OU=Domain Controllers,DC=test,DC=loc    0
OU=Email,OU=My,DC=test,DC=loc   1
OU=GPOTest,OU=TestOU,DC=test,DC=loc     0
OU=Groups,OU=My,DC=test,DC=loc  0
OU=Groups,OU=TestOU,DC=test,DC=loc      0
OU=HideTest,OU=TestOU,DC=test,DC=loc    0
OU=joeperm,OU=TestOU,DC=test,DC=loc     0
OU=My,DC=test,DC=loc    0
OU=oneleveldown,OU=createtest,OU=TestOU,DC=test,DC=loc  1
OU=Outlook,OU=TestOU,DC=test,DC=loc     0
OU=permtest,OU=TestOU,DC=test,DC=loc    2
OU=PoSTest,DC=test,DC=loc       700001
OU=Skip,OU=TestXXX,OU=XXXTest,DC=test,DC=loc      1
OU=TestXXX,OU=XXXTest,DC=test,DC=loc      4
OU=TestDisable,OU=XXXTest,DC=test,DC=loc     0
OU=TestOU,DC=test,DC=loc        7
OU=Users,OU=My,DC=test,DC=loc   2
OU=Users,OU=TestOU,DC=test,DC=loc       10

Pretty cool huh… Anyone think that is handy? If so… well you are welcome… But something still bothers me about that output… Anyone else bothered by it? It could be just me but I kind of like seeing things that normally have a hierarchical form to be displayed that way. I don’t mean in the white space, but instead, I mean I don’t want to see something like

OU=Outlook,OU=TestOU,DC=test,DC=loc     0
OU=permtest,OU=TestOU,DC=test,DC=loc    2
OU=TestOU,DC=test,DC=loc        7

I want to see the TestOU first and then its sub-OUs after… I tried modifying my search to see if I could force AD to return the info in that order but quite frankly, AD truly isn’t hierarchical, it just appears that way. It is actually a flat database. The idea of hierarchy is imposed on it for LDAP purposes. So I thought, I really need to do something about this… This will drive me nuts. However, trying to retrieve all of the information and maintain it in memory so I can then sort it is ridiculous, might as well just write this thing in PowerShell or .NET… (count it…) if I do it in such a silly way… Then I thought, wait, I already have what I need in memory to sort it hierarchically after the DNs have been piped in so I added, yes thank you, another switch called -stdinsort. Why did I do this with a switch? Because I didn’t want to assume someone would want it sorted like I would and I didn’t want to assume I would always want it sorted. Also I wanted to give myself the ability to sort it hierarchically as well as alphabetically both case sensitive and case insensitive, so it is a switch with a default sort order of hierarchical but you can add cialpha or csalpha to get the other types of sort… Now that output looks like

G:\>adfind -default -f ou=* -dsq | adfind -sc adobjcnt:user -ictsv -stdinsort
OU=Domain Controllers,DC=test,DC=loc    0
OU=My,DC=test,DC=loc    0
OU=Email,OU=My,DC=test,DC=loc   1
OU=Groups,OU=My,DC=test,DC=loc  0
OU=Users,OU=My,DC=test,DC=loc   2
OU=PoSTest,DC=test,DC=loc       700001
OU=TestOU,DC=test,DC=loc        7
OU=CharTests,OU=TestOU,DC=test,DC=loc   1
OU=createtest,OU=TestOU,DC=test,DC=loc  10
OU=oneleveldown,OU=createtest,OU=TestOU,DC=test,DC=loc  1
OU=GPOTest,OU=TestOU,DC=test,DC=loc     0
OU=Groups,OU=TestOU,DC=test,DC=loc      0
OU=HideTest,OU=TestOU,DC=test,DC=loc    0
OU=joeperm,OU=TestOU,DC=test,DC=loc     0
OU=Outlook,OU=TestOU,DC=test,DC=loc     0
OU=permtest,OU=TestOU,DC=test,DC=loc    2
OU=Users,OU=TestOU,DC=test,DC=loc       10
OU=XXXTest,DC=test,DC=loc       0
OU=Deleted,OU=XXXTest,DC=test,DC=loc    0
OU=TestDisable,OU=XXXTest,DC=test,DC=loc        0
OU=TestXXX,OU=XXXTest,DC=test,DC=loc    4
OU=Skip,OU=TestXXX,OU=XXXTest,DC=test,DC=loc    1

Much better… ;o)
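To make the hierarchical ordering concrete, here is an added Python example (not AdFind's code) that takes -ictsv style DN<TAB>count lines, splits each DN on unescaped commas, and orders the rows the way -stdinsort does by default, with the cialpha and csalpha variants and a roll-up of the one-level counts into the subtree totals an -s subtree run would give. The sample lines are constructed from the OUs and counts shown in the output above.

```python
"""Hierarchical DN sort of -ictsv style lines: an added illustration of the
post's -stdinsort behaviour (default hierarchical order, or cialpha / csalpha).
This is not AdFind's own code."""

# Constructed sample: DN<TAB>count lines in the post's -ictsv layout, using
# the OUs and counts shown in the post, in the unsorted order AD returned them.
ICTSV_SAMPLE = "\n".join([
    "OU=CharTests,OU=TestOU,DC=test,DC=loc\t1",
    "OU=createtest,OU=TestOU,DC=test,DC=loc\t10",
    "OU=Deleted,OU=XXXTest,DC=test,DC=loc\t0",
    "OU=XXXTest,DC=test,DC=loc\t0",
    "OU=Domain Controllers,DC=test,DC=loc\t0",
    "OU=Email,OU=My,DC=test,DC=loc\t1",
    "OU=GPOTest,OU=TestOU,DC=test,DC=loc\t0",
    "OU=Groups,OU=My,DC=test,DC=loc\t0",
    "OU=Groups,OU=TestOU,DC=test,DC=loc\t0",
    "OU=HideTest,OU=TestOU,DC=test,DC=loc\t0",
    "OU=joeperm,OU=TestOU,DC=test,DC=loc\t0",
    "OU=My,DC=test,DC=loc\t0",
    "OU=oneleveldown,OU=createtest,OU=TestOU,DC=test,DC=loc\t1",
    "OU=Outlook,OU=TestOU,DC=test,DC=loc\t0",
    "OU=permtest,OU=TestOU,DC=test,DC=loc\t2",
    "OU=PoSTest,DC=test,DC=loc\t700001",
    "OU=Skip,OU=TestXXX,OU=XXXTest,DC=test,DC=loc\t1",
    "OU=TestXXX,OU=XXXTest,DC=test,DC=loc\t4",
    "OU=TestDisable,OU=XXXTest,DC=test,DC=loc\t0",
    "OU=TestOU,DC=test,DC=loc\t7",
    "OU=Users,OU=My,DC=test,DC=loc\t2",
    "OU=Users,OU=TestOU,DC=test,DC=loc\t10",
])

def split_dn(dn):
    r"""Split a DN into its RDN strings, keeping backslash-escaped commas
    (RFC 4514) inside their RDN: 'OU=a\,b,DC=x' -> ['OU=a\,b', 'DC=x']."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns

def canonical(dn):
    """Case-folded, whitespace-normalised form used to match parent DNs."""
    return ",".join(r.lower() for r in split_dn(dn))

def sort_key(dn, mode="hier"):
    """hier: compare RDNs from the root downwards, case-insensitively, so a
    container sorts immediately before everything beneath it.
    cialpha / csalpha: plain string order, case-insensitive / case-sensitive."""
    if mode == "hier":
        return tuple(r.lower() for r in reversed(split_dn(dn)))
    if mode == "cialpha":
        return dn.lower()
    if mode == "csalpha":
        return dn
    raise ValueError("unknown sort mode: %s" % mode)

def parse_ictsv(text):
    """Parse DN<TAB>count lines into a list of (dn, count) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dn, _, count = line.rpartition("\t")   # DNs contain commas, not tabs
        rows.append((dn, int(count)))
    return rows

def stdinsort(rows, mode="hier"):
    """Return the rows ordered the way -stdinsort [cialpha|csalpha] would."""
    return sorted(rows, key=lambda row: sort_key(row[0], mode))

def subtree_counts(rows):
    """Roll the one-level counts up into every ancestor that is itself in the
    list, giving the totals an -s subtree run would report, keyed by canonical
    DN. Ancestors missing from the input (the domain head here) are skipped."""
    totals = {canonical(dn): n for dn, n in rows}
    for dn, n in rows:
        parts = split_dn(dn)
        for depth in range(1, len(parts)):
            parent = canonical(",".join(parts[depth:]))
            if parent in totals:
                totals[parent] += n
    return totals
```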

This and more in the new version of AdFind… AdFind V01.40.00 is expected to emerge from the cocoon on Feb 13, 2009.

     joe

2/3/2009

Peanut Butter Recall List

by @ 10:31 pm. Filed under general

So wow, looked at this list of recalled Peanut Butter products for the first time today…

http://www.accessdata.fda.gov/scripts/peanutbutterrecall/index.cfm

Monday Morning Quarterback

by @ 9:19 am. Filed under general

Random super bowl thoughts…

1. Boring Springsteen put on a poor half time show.

2. Not sure why he wouldn’t have closed with Born in the USA with red white and blue fireworks. Likely would have been huge right now.

3. Cardinals did not deserve to win.

4. Cardinals offense and defense both were explosive at times but mostly they were inconsistent.

5. The 100 yard dash was just hilarious to me. That poor guy was at the 50 yard line thinking, why hasn’t anyone tackled me yet, I have to keep running????

6. The penalties were just getting stupid. Especially the unnecessary roughness / unsportsmanlike conduct

7. This is the first super bowl I remember that I didn’t come away thinking, wow the commercials were amazing, most just made me sort of chuckle.

8. First super bowl that I remember, including the one that I actually attended in Pasadena back in the 90’s (I won the tickets) that I actually sort of tracked what happened in the game.

9. Again, the 100 yard dash was just hilarious to me.

10. Some Comcast customers in Arizona got some porn instead of part of the 4th quarter – http://news.bbc.co.uk/2/hi/entertainment/7864733.stm

11. I am a Comcast customer and I noticed they were inserting in their own local commercials for themselves and companies I don’t think could ever afford a superbowl spot.

12. The bud light skiing commercial was pretty funny.

13. The bud Clydesdale fetch commercial was pretty funny.

14. A very funny super bowl commercial I didn’t get to see (I think local Comcast programming overwrote it), which I found on a super bowl commercial web site, was the e-Trade baby out takes commercial – http://www.superbowl-commercials.org/299.html

15. The Pedigree Dog commercial made me chuckle. This was the one with the random wild animals as pets instead of dogs.

16. The Bridgestone tire commercial with the guys hot-rodding around some moon somewhere and coming back to their car on blocks was pretty funny.

17. The insects stealing the Coca Cola was probably the only one that got close to the normal quality of super bowl commercials for me.

18. The Audi car chase through the decades was probably the next best in terms of quality. I was impressed with how they showed each decade with the appropriate filming quality and style.

19. The Pepsi “I’m Good” commercial made me chuckle.

20. The bud light meeting made me chuckle slightly.

21. The bud Clydesdale lover boy horse commercial was pretty good.

22. The bud Clydesdale immigrant commercial had me talking in a poor Scottish brogue for a bit…

23. This is probably my favorite commercial of the night because I was laughing all the way through it, Career Builder If you hate going to work – http://www.superbowl-commercials.org/276.html

1/29/2009

From the mailbag – Trouble with LDAP filters with embedded backslash literals

by @ 4:37 am. Filed under tech

I received an email this evening that I swore I had previously written something up on the blog for and didn’t, so I will share…

The email

From: xxx@domain.gov
Sent: Wednesday, January 28, 2009 7:28 PM
To: ‘joe@joeware.net’
Subject: Adfind piped into admod question

Good evening Joe,

First I’d like to commend you on your books, website, and apps, I use many of them almost on a daily basis. 

So here it is:

We have users whose home folders are being moved from \\xxx-home to \\abc-xxx
now \\abc-xxx and \\xxx-home aren’t the only home servers so it’s not like I can replace them all so I’ve written this script to test it out. In the servers OU I placed a user account and have populated the home directory as \\xxx-home2\joesmith$…again this account is just for testing.

run this script

adfind -b “ou=xxx,dc=domain,dc=gov” -f “(&(objectcategory=person)(objectclass=user)(homedirectory=\\xxx-home*))” samaccountname -adcsv | admod -unsafe homedirectory::\\abc-xxx.domain.gov\%username%$

the script runs just fine and updates joesmith’s home directory to \\abc-xxx.domain.gov\joesmith$ which was anticipated.
So this works all fine and dandy, where the problem is, is if down the road we want to utilize this again it doesn’t work. So for instance:
user account joesmith whose home directory is now \\abc-xxx.domain.gov\joesmith$ (home directory was changed with utilizing the above script)
if \\abc-xxx was being retired and we were putting \\abc-home10 in its place. If you adjust the script find homedirectory=\\abc-xxx* it won’t find anything to alter. The only way to make it find something is to tell it to find homedirectory=*

At first I thought it was because of AD replication (that is all DCs aren’t up to date with the correct information), but I checked all our DCs and it was updated before I ran the 2nd update. Then I thought well what if there was a space before the \\ so I opened up ADUC and ADSedit and verified there wasn’t a space in the homedirectory attribute.
Any clue why it wouldn’t update the 2nd time around?  Also what does the -adcsv –dsq switch do? Tried to find some documentation on it but there was little.

Any information you could provide would be much appreciated.

Thanks again,

     xxx

I get questions like this pretty regularly which is why I guess I thought I blogged about it before, but I couldn’t find a blog entry for it, so here is my response:

Hey xxx, glad you like the tools, book, et al. 🙂

First off, I wanted to point something out… This first command

adfind -b “ou=xxx,dc=domain,dc=gov” -f “(&(objectcategory=person)(objectclass=user)(homedirectory=\\xxx-home*))” samaccountname -adcsv | admod -unsafe homedirectory::\\abc-xxx.domain.gov\%username%$

has an issue with the admod portion. Specifically the %username% won’t work. That will decode to the current environment variable for username which should be your current logon account. That little shortcut in ADUC is just that, a shortcut in ADUC, it isn’t a global AD thing. I think what you would really want would be

adfind -b “ou=xxx,dc=domain,dc=gov” -f “(&(objectcategory=person)(objectclass=user)(homedirectory=\\xxx-home*))” samaccountname -adcsv | admod -unsafe homedirectory::\\abc-xxx.domain.gov\{{samaccountname}}$

That will take the samaccountname that is returned from the query and piped across to admod and use that to populate the username piece of the share name so it would be specific to every user queried, it wouldn’t set the value to your current username environment variable for every account returned.

Second, the issue you see with the \\abc-xxx… is doing something you probably don’t expect… In an LDAP query, the backslash (\) character is an escape character. It tells LDAP that something special is coming – specifically a hex character sequence like \2a for example. This is generally not a problem and it all sorts itself out so you likely never have an issue using \\someserver… However, if you follow a backslash with a character that is a valid HEX character, the escape and the HEX character are taken together… In that case, the proper way to search for a value that has embedded backslash literals is to use \5c for each backslash, so it would be \5c\5cabc-xxx. You can check out http://msdn.microsoft.com/en-us/library/ms675768(VS.85).aspx which discusses this and more about creating query filters.

    joe

And then I realized I didn’t answer his last two questions so I added

Sorry, didn’t answer the other questions:

-adcsv : As the adfind usage indicates, it is a special CSV mode that embeds some extra info in the CSV for AdMod or whatever tool is being piped to, so it can better understand the request; for example some things that can get embedded would be hostname, userid, password, etc used in the adfind query.

   -adcsv xxx    Special CSV mode for interacting with other joeware tools.
                 xxx is an optional string that specifies value to use for
                 use for empty attribs.

-dsq : This is simply quoted DN output like DSQuery outputs.

  -dsq          DSQuery style quoted DN output

   joe

So a little more discussion on the embedded backslashes. As the MSDN article above discusses, the following characters all need to be escaped, with “need” being a little more loosely defined for the backslash character itself than for the other characters.

* \2a
( \28
) \29
\ \5c
NUL \00

So now I know at least one or two of you are thinking… wow… so joe, why don’t you just help the guy out and likely help me out too and just make AdFind smart enough to do that embedding work for me… Well I could try… But I really really try hard not to mess with the actual LDAP query that is entered. The minimal amount I do for -bit to do a find/replace on some specific strings is fired off by the actual -bit switch. If people have to specify a switch to encode backslashes why don’t they just instead encode the backslashes themselves since it isn’t that much more and I don’t have to try and guess which backslashes should and shouldn’t be encoded. But joe… \5c is a pain in the butt to remember… Yes, for me too… The way I remember it when I need to is to query for the object I know that has one of the troublesome homedirectories in it and then tell AdFind to return the homedirectory value in binary so I can quickly see the HEX characters I need to enter. Like so

[Thu 01/29/2009  3:32:04.61]
G:\new1\Dev\Current\CPP\AdFind\Release>adfind -default -f “&(name=someuser)(homedirectory=*)” homedirectory

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

dn:CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc
>homeDirectory: \\abc-xxx\someuser$

1 Objects returned

[Thu 01/29/2009  3:32:06.72]
G:\new1\Dev\Current\CPP\AdFind\Release>adfind -default -f “&(name=someuser)(homedirectory=*)” homedirectory;binary

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

dn:CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc
>homeDirectory;binary: 5C5C 6162 632D 7878 785C 736F 6D65 7573 6572 24

1 Objects returned

Note the 5C5C right there at the front…
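The escaping rules above, worked through as an added Python example (not AdFind or AdMod code): it escapes a literal filter value with the \XX codes from the table, decodes an attr;binary dump like the one just shown back into the string so the needed codes can be read off, and builds the corrected homedirectory filter from the email. The lenient_decode function is an assumption that models the server-side behaviour the reply describes (backslash plus two hex digits consumed as a byte, any other backslash kept literally) to show why \\xxx-home* happened to work while \\abc-xxx* matched nothing; it is not documented AD behaviour.

```python
r"""LDAP filter escaping as the post describes it. Added illustration, not
AdFind or AdMod code: why '\\abc-xxx*' silently matched nothing while
'\\xxx-home*' worked, and how to write the escaped filter instead."""

# The characters the post's table says must be escaped inside a filter value.
FILTER_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}
HEX_DIGITS = set("0123456789abcdefABCDEF")

def escape_filter_value(value):
    r"""Escape a literal value for use inside an LDAP search filter. Characters
    outside printable ASCII are also escaped as \XX of their UTF-8 bytes."""
    out = []
    for ch in value:
        if ch in FILTER_ESCAPES:
            out.append(FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7e:
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)

def lenient_decode(value):
    r"""Model (assumption, not documented AD behaviour) of the decoding the post
    describes: a backslash followed by two hex digits is consumed as that byte;
    a backslash followed by anything else is kept literally, which is why
    \\xxx-home got away with it but \\abc-xxx became '\' + 0xAB + 'c-xxx'.
    Returns the raw bytes the server would actually compare against."""
    out, i = bytearray(), 0
    while i < len(value):
        if (value[i] == "\\" and i + 2 < len(value)
                and value[i + 1] in HEX_DIGITS and value[i + 2] in HEX_DIGITS):
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            out += value[i].encode("utf-8")
            i += 1
    return bytes(out)

def decode_binary_dump(dump):
    r"""Turn AdFind's 'attr;binary' hex output (groups of hex digits separated
    by spaces) back into the string value, so the \XX codes can be read off."""
    return bytes.fromhex(dump.replace(" ", "")).decode("utf-8")

def homedirectory_prefix_filter(server_prefix):
    """The filter from the email, with the server part escaped and the trailing
    * left as a genuine wildcard."""
    return ("(&(objectcategory=person)(objectclass=user)(homedirectory=%s*))"
            % escape_filter_value(server_prefix))
```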

    joe

1/26/2009

TEC / DEC 2009

by @ 12:51 pm. Filed under general

The conference formerly known as The Directory Experts Conference (DEC) and now known as The Experts Conference (TEC) For Directory & Identity is now on my itinerary for March. I really didn’t think I was going to be able to pull it off this year and by some spit, luck, and a miracle I was able to do so. This will set me back a pretty penny since this isn’t a work related trip at all (You know how companies are cutting back) but I do want to touch base with everyone as this is my main chance to see the “joeware” fans and the global AD crowd once a year.

So if you are booked and going, make sure you look me up when you are there. If you aren’t booked to go… why not? Hands down this is the best general public event for Active Directory and this year, Brett Shirley and Dmitri Gavrilov are speaking and seriously, I can’t wait to sit in on their sessions to learn from them and I have no doubt I will. I believe Dean will be speaking as well in his new Microsoft PM role. I will certainly be there to heckle him and cheer him on to success in his new Evil Empire role….  What was it again… Emperor Palpa-Deano?

    joe

1/21/2009

Does this excite anyone? AdFind V01.40.00 sneak peek…

by @ 4:53 am. Filed under tech

Example 1: Get tokenGroups attribute for every direct member of the domain admins group.

F:\Dev\Current\CPP\AdFind\Release>adfind -default -f name="domain admins" member -list | adfind -s base tokengroups -resolvesids

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:CN=TestAdminClone,OU=Users,OU=TestOU,DC=test,DC=loc
>tokenGroups: BUILTIN\Users
>tokenGroups: BUILTIN\Administrators
>tokenGroups: TEST\DnsAdmins
>tokenGroups: TEST\Domain Users
>tokenGroups: TEST\Domain Admins

dn:CN=$joe,OU=Users,OU=My,DC=test,DC=loc
>tokenGroups: BUILTIN\Users
>tokenGroups: BUILTIN\Administrators
>tokenGroups: TEST\DnsAdmins
>tokenGroups: TEST\Schema Admins
>tokenGroups: TEST\Enterprise Admins
>tokenGroups: TEST\Domain Users
>tokenGroups: TEST\Domain Admins

dn:CN=Administrator,CN=Users,DC=test,DC=loc
>tokenGroups: BUILTIN\Users
>tokenGroups: BUILTIN\Administrators
>tokenGroups: TEST\DnsAdmins
>tokenGroups: TEST\Schema Admins
>tokenGroups: TEST\Enterprise Admins
>tokenGroups: TEST\Domain Users
>tokenGroups: TEST\Group Policy Creator Owners
>tokenGroups: TEST\Domain Admins

3 Objects returned

Example 2a: Get sAMAccountName for all direct members of Domain Admins group

F:\Dev\Current\CPP\AdFind\Release>adfind -default -f name="domain admins" member -list | adfind -s base samaccountname

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:CN=TestAdminClone,OU=Users,OU=TestOU,DC=test,DC=loc
>sAMAccountName: TestAdminClone

dn:CN=$joe,OU=Users,OU=My,DC=test,DC=loc
>sAMAccountName: $joe

dn:CN=Administrator,CN=Users,DC=test,DC=loc
>sAMAccountName: Administrator

3 Objects returned

Example 2b: Get sAMAccountName for all direct members of Domain Admins group (alternate method using attribute scoped query)

F:\Dev\Current\CPP\AdFind\Release>adfind -default -f name="domain admins" -dsq | adfind -s base -asq member samaccountname

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:CN=Administrator,CN=Users,DC=test,DC=loc
>sAMAccountName: Administrator

dn:CN=$joe,OU=Users,OU=My,DC=test,DC=loc
>sAMAccountName: $joe

dn:CN=TestAdminClone,OU=Users,OU=TestOU,DC=test,DC=loc
>sAMAccountName: TestAdminClone

3 Objects returned

Example 3: Dump the serviceBindingInformation attribute for any ADAM serviceConnectionPoint objects that belong to Windows XP Professional machines. And no, this isn’t contrived, this is something I have wanted to do a few times to find people playing with ADAM on workstation class machines as well as something I have been asked how to do in the past… Normally this would take a script.

F:\Dev\Current\CPP\AdFind\Release>adfind -default -f "&(objectcategory=computer)(operatingsystem=Windows XP Professional)" -dsq | adfind -s one -f "&(objectcategory=serviceconnectionpoint)(serviceclassname=LDAP)" servicebindinginformation

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:CN={cb226d48-e9a7-420a-bce0-98edcc6b8cf2},CN=SFMXP64,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://sfmxp64.test.loc:636
>serviceBindingInformation: ldap://sfmxp64.test.loc:389

dn:CN={e4756748-fc8b-4166-8b7b-498bd97c9949},CN=SFMXP64,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://sfmxp64.test.loc:636
>serviceBindingInformation: ldap://sfmxp64.test.loc:389

dn:CN={3991aa1d-c87d-46cd-a08c-c52af9ae168e},CN=SFMXP32,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://sfmxp32.test.loc:636
>serviceBindingInformation: ldap://sfmxp32.test.loc:389

dn:CN={d3c0e3ee-d888-496d-acf0-6e4078052476},CN=HOMEXP,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://homexp.test.loc:636
>serviceBindingInformation: ldap://homexp.test.loc:389

4 Objects returned

When working on fixing several typos and mistakes in V01.39.00 I realized I had figured out a way to handle the piping from one instance of AdFind to another. I am still looking for holes but it looks good thus far. This is something I have wanted for some time but couldn’t see how to handle it with the current framework. Well out of the blue while looking at part of the code it struck me how to pull it off so I added it. Aside from that are the correction of some typos folks reported to me as well as adding some Windows 7 support (i.e. decoding some of the Windows 7 attribute values and support for the new object deletion/recycling capabilities).

   joe

Future History

by @ 3:17 am. Filed under general

Ok so how about we let the future decide on what is and isn’t history and how about we get to work on getting our collective asses out of the hole we put ourselves in. I would much rather put my time and focus and energy on that versus getting sprained elbows patting ourselves on the back talking about how we are making history. Failure to do so will have a future that records history as “…and then they all constantly celebrated about how they made history and quickly plunged the country into an even darker place because they spent all their time talking about how they made history instead of working on the problems they needed to solve for the future….”

Someone on ActiveDir Org list compared what happened with the presidency to Landing on the Moon. Fine, great. What does that do for us today? We haven’t been back to the moon in how many years? The 40th anniversary of the first manned moon landing is coming up on July 20… Six visits total. Last visit was Apollo 17  on December 14, 1972. That’s how long…

All the moon landings did was prove it *could be* done, they didn’t make it a daily reality. In fact, we still have a percentage of the population of the country who don’t even believe we went to the moon. So, all in all, how successful and historic and life changing was our landing on the moon? Really?

1/13/2009

What does it take to get someone from SE Michigan off their butt and out into 6-9 inches of snow???

by @ 12:54 am. Filed under general

Apparently a new Sonic Drive-In… This last weekend we had 6-9 inches of snow in the Mt. Clemens area of Michigan. At the same time a new Sonic has opened up here (probably only 4-5 inches by the point these pics were taken). The traffic to this place is unbelievable. The nearest Sonic to this one is in SouthGate which is quite a ways away… But still the roads were horrendous.

The Sonic is Open!

[photos: SonicIsOpen, SonicIsOpen2, SonicIsOpen3]

Proceed to Staging Area????

[photos: StagingArea, StagingArea2, StagingArea3]

Seriously???

[photos: StagingArea4, StagingArea5, StagingArea6]

Is Sonic really that good? Anyone?

   joe

1/10/2009

AdFind V01.39.00 Released

by @ 2:08 pm. Filed under updates

AdFind V01.39.00 is now released. This is the first public release of AdFind since V01.37.00 in June 2007. V01.38.00 was never publicly released.

One of the biggest changes with this version is that I moved to a new compiler. V01.37.00 was compiled with Borland C++ Builder 6 (released in 2002). V01.39.00 was compiled with CodeGear C++ Builder 2009 (released in 2008). I haven’t done extensive testing but the new executable appears to be faster and it is substantially smaller, about 40% smaller to be exact.

It feels good to finally get this version out there for you all to use. Please let me know any thoughts you have or issues that you encounter. I have been using this version with this compiler for some time internally and haven’t run into anything odd but there are so many of you out there using it now, there is always a possibility you will hit something that I haven’t. 

You can get AdFind V01.39.00 here —> http://www.joeware.net/freetools/tools/adfind/index.htm

You can get the new usage screens by typing adfind /? or looking here —> http://www.joeware.net/freetools/tools/adfind/usage.htm

List of the specific changes for AdFind, to get more info on the switches, shortcuts, etc, check out the usage screens.

o Changed longhorn references to Windows Server 2008
o Updated decoded attributes to account for Windows Server 2008 values
o More decoded attributes
o Documented decoded attributes in usage
o Multiple bug fixes
o Multiple usage screen fixes
o Multiple shortcut fixes
o -csv now also sets -noctl
o -sc sdump sorts multivalue attributes
o Arbitrary text mode for -csv which allows an attribute of header:value
o -rawsddl no longer requires -sddl
o Auto Ranging disabled for any attributes that are specified with a specific range.
o If no base is specified, assume -default
o mvfilter matching will be made without any modifier on the attribute
o All multiple values for a single attribute for -mvfilter/-mvnotfilter
o -binenc now does CURRENT encoding
o Added more attribs to -fullrootdse

o New Switches
   * rootdseanon
   * nirs
   * nirsx
   * writeable
   * sslignoresrvcert
   * mvsort
   * mvrsort
   * filterbreakdown
   * enccurrent
   * tdcd
   * inputdn

o New Shortcuts
   * admincountdmp
   * xrdump
   * dcdmp
   * adobjcnt
   * adamobjcnt
   * alldc+
   * users_disabled
   * users_nonexpiring
   * users_pwdnotreqd
   * users_accexpired
   * computers_disabled
   * computers_pwdnotreqd
   * computers_active
   * computers_inactive
   * schver
   * spn:xx
   * email:xx
   * site:xx
   * subnet:xx
   * syscrit
   * rodc_cachable
   * policies

1/8/2009

Windows Server 2008 AD Issue for NSPI

by @ 1:54 am. Filed under tech

Not really an issue or at least it shouldn’t be, if something is generating more than 50 concurrent NSPI connections, it likely needs to be checked out anyway…

NSPI connections from Microsoft Outlook to a Windows Server 2008-based domain controller may fail with an error code: “MAPI_E_LOGON_FAILED”

This behavior occurs because Windows Server 2008 only allows for a default maximum of 50 concurrent NSPI connections per user to any domain controller. Additional NSPI connections are rejected with a MAPI_E_LOGON_FAILED error code.

See the whole support KB here —> http://support.microsoft.com/kb/949469
