joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

2/3/2009

Monday Morning Quarterback

by @ 9:19 am. Filed under general

Random super bowl thoughts…

1. Boring Springsteen put on a poor half time show.

2. Not sure why he wouldn’t have closed with Born in the USA with red white and blue fireworks. Likely would have been huge right now.

3. Cardinals did not deserve to win.

4. Cardinals offense and defense both were explosive at times but mostly they were inconsistent.

5. The 100 yard dash was just hilarious to me. That poor guy was at the 50 yard line thinking, why hasn’t anyone tackled me yet, I have to keep running????

6. The penalties were just getting stupid. Especially the unnecessary roughness / unsportsmanlike conduct

7. This is the first super bowl I remember that I didn’t come away thinking, wow the commercials were amazing, most just made me sort of chuckle.

8. First super bowl that I remember, including the one that I actually attended in Pasadena back in the 90’s (I won the tickets) that I actually sort of tracked what happened in the game.

9. Again, the 100 yard dash was just hilarious to me.

10. Some Comcast customers in Arizona got some porn instead of part of the 4th quarter – http://news.bbc.co.uk/2/hi/entertainment/7864733.stm

11. I am a Comcast customer and I noticed they were inserting in their own local commercials for themselves and companies I don’t think could ever afford a superbowl spot.

12. The bud light skiing commercial was pretty funny.

13. The bud Clydesdale fetch commercial was pretty funny.

14. A very funny super bowl commercial I didn’t get to see (I think local Comcast programming overwrite it), found it on a super bowl commercial web site was the e-Trade baby out takes commercial – http://www.superbowl-commercials.org/299.html

15. The Pedigree Dog commercial made me chuckle. This was the one with the random wild animals as pets instead of dogs.

16. The Bridgestone tire commercial with the guys hot-rodding around some moon somewhere and coming back to their car on blocks was pretty funny.

17. The insects stealing the Coca Cola was probably the only one that got close to the normal quality of super bowl commercials for me.

18. The Audi car chase through the decades was probably the next best in terms of quality. I was impressed with how they showed each decade with the appropriate filming quality and style.

19. The Pepsi “I’m Good” commercial made me chuckle.

20. The bud light meeting made me chuckle slightly.

21. The bud Clydesdale lover boy horse commercial was pretty good.

22. The bud Clydesdale immigrant commercial had me talking in a poor Scottish brogue for a bit…

23. This is probably my favorite commercial of the night because I was laughing all the way through it, Career Builder If you hate going to work – http://www.superbowl-commercials.org/276.html

Rating 3.00 out of 5

1/29/2009

From the mailbag – Trouble with LDAP filters with embedded backslash literals

by @ 4:37 am. Filed under tech

I received an email this evening that I swore I had previously wrote something up on the blog for and didn’t, so I will share…

The email

From: xxx@domain.gov
Sent: Wednesday, January 28, 2009 7:28 PM
To: ‘joe@joeware.net’
Subject: Adfind piped into admod question

Good evening Joe,

First I’d like to commend you on your books, website, and apps, I use many of them almost on a daily basis. 

So here it is:

We have users who’s home folders are being moved from \\xxx-home to \\abc-xxx
now \\abc-xxx and \\xxx-home aren’t the only home servers so it’s not like i can replace them all so I’ve written this script to test it out. In the servers OU I placed a user account and have populated the home directory as \\xxx-home2\joesmith$…again this account is just for testing.

run this script

adfind -b “ou=xxx,dc=domain,dc=gov” -f “(&(objectcategory=person)(objectclass=user)(homedirectory=\\xxx-home*))” samaccountname -adcsv | admod -unsafe homedirectory::\\abc-xxx.domain.gov\%username%$

the script runs just fine and updates joesmith’s home directory to \\abc-xxx.domain.gov\joesmith$ which was anticipated.
So this works all fine and dandy, where the problem is, is if down the road we want to utilize this again it doesn’t work. so for instance:
user account joesmith who’s home directory is now \\abc-xxx.domain.gov\joesmith$ (home directory was changed with utilizing the above script)
if \\abc-xxx was being retired and we were putting \\abc-home10 in it’s place. If you adjust the script find homedirectory=\\abc-xxx* it wont find anything to alter. The only way to make it find something is to tell it to find homedirectory=*

At first I thought it was because of AD replication (that is all DC’s aren’t up to date with the correct information), but I checked all our DC and it was updated before I ran the 2nd update.  Then I thought well what if there was a space before the \\ so I opened up ADUC and ADSedit and verified there wasn’t s space in the homedirectory attribute.  
Any clue why it wouldn’t update the 2nd time around?  Also what does the -adcsv –dsq switch do? Tried to find some documentation on it but there was little.

Any information you could provide would be much appreciated.

Thanks again,

     xxx

I get questions like this pretty regularly which is why I guess I thought I blogged about it before, but I couldn’t find a blog entry for it so here was my response

Hey xxx, glad you like the tools, book, et al. 🙂

First off, I wanted to point something out… This first command

adfind -b “ou=xxx,dc=domain,dc=gov” -f “(&(objectcategory=person)(objectclass=user)(homedirectory=\\xxx-home*))” samaccountname -adcsv | admod -unsafe homedirectory::\\abc-xxx.domain.gov\%username%$

has an issue with the admod portion. Specifically the %username% won’t work. That will decode to the current environment variable for username which should be your current logon account. That little shortcut in ADUC is just that, a shortcut in ADUC, it isn’t a global AD thing. I think what you would really want would be

adfind -b “ou=xxx,dc=domain,dc=gov” -f “(&(objectcategory=person)(objectclass=user)(homedirectory=\\xxx-home*))” samaccountname -adcsv | admod -unsafe homedirectory::\\abc-xxx.domain.gov\{{samaccountname}}$

That will take the samaccountname that is returned from the query and piped across to admod and use that to populate the username piece of the share name so it would be specific to every user queried, it wouldn’t set the value to your current username environment variable for every account returned.

Second, the issue you see with the \\abc-xxx… is doing something you probably don’t expect… In an LDAP query, the backslash (\) character is an escape character. It tells LDAP that something special is coming – specifically a hex character sequence like \2a for example. This is generally not a problem and it all sorts itself out so you likely never have an issue using \\someserver… However if you follow a backslash with character that is a valid HEX character the escape and the HEX character are taken together… In that case, the proper way to search for a value that has embedded back slash literals is to use \5c for each backslash, so it would be \5c\5cabc-xxx. You can check out http://msdn.microsoft.com/en-us/library/ms675768(VS.85).aspx which discusses this and more about creating query filters.

    joe

And then I realized I didn’t answer his last two questions so I added

Sorry, didn’t answer the other questions:

-adcsv : As the adfind usage indicates, it is a special CSV mode that embeds some extra info in the CSV for AdMod or whatever tool being piped to to better understand the request, for example some things that can get embedded would be hostname, userid, password, etc used in the adfind query.

   -adcsv xxx    Special CSV mode for interacting with other joeware tools.
                 xxx is an optional string that specifies value to use for
                 use for empty attribs.

-dsq : This is simply quoted DN output like DSQuery outputs.

  -dsq          DSQuery style quoted DN output

   joe

 

So a little more discussion on the embedded backslashes, as the MSDN article above discusses the following characters all need to be escaped with “need” being a little more loosely defined for the backslash character itself than the other characters.

* \2a
( \28
) \29
\ \5c
NUL \00

 

So now I know at least one or two of you are thinking… wow… so joe, why don’t you just help the guy out and likely help me out too and just make AdFind smart enough to do that embedding work for me… Well I could try… But I really really try hard not to mess with the actual LDAP query that is entered. The minimal amount I do for -bit to do a find/replace on some specific strings is fired off by the actual -bit switch. If people have to specify a switch to encode backslashes why don’t they just instead encode the backslashes themselves since it isn’t that much more and I don’t have to try and guess which backslashes should and shouldn’t be encoded. But joe… \5c is a pain in the butt to remember… Yes, for me too… The way I remember it when I need to is to query for the object I know that has one of the troublesome homedirectories in it and then tell AdFind to return the homedirectory value in binary so I can quickly see the HEX characters I need to enter. Like so

[Thu 01/29/2009  3:32:04.61]
G:\new1\Dev\Current\CPP\AdFind\Release>adfind -default -f “&(name=someuser)(homedirectory=*)” homedirectory

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

dn:CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc
>homeDirectory: \\abc-xxx\someuser$

1 Objects returned

[Thu 01/29/2009  3:32:06.72]
G:\new1\Dev\Current\CPP\AdFind\Release>adfind -default -f “&(name=someuser)(homedirectory=*)” homedirectory;binary

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

dn:CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc
>homeDirectory;binary: 5C5C 6162 632D 7878 785C 736F 6D65 7573 6572 24

1 Objects returned

Note the 5C5C right there at the front…

 

    joe

Rating 3.00 out of 5

1/26/2009

TEC / DEC 2009

by @ 12:51 pm. Filed under general

The conference formerly known as The Directory Experts Conference (DEC) and now known as The Experts Conference (TEC) For Directory & Identity is now on my itinerary for March. I really didn’t think I was going to be able to pull it off this year and by some spit, luck, and a miracle I was able to do so. This will set me back a pretty penny since this isn’t a work related trip at all (You know how companies are cutting back) but I do want to touch base with everyone as this is my main chance to see the “joeware” fans and the global AD crowd once a year.

So if you are booked and going, make sure you look me up when you are there. If you aren’t booked to go… why not? Hands down this is the best general public event for Active Directory and this year, Brett Shirley and Dmitri Gavrilov are speaking and seriously, I can’t wait to sit in on their sessions to learn from them and I have no doubt I will. I believe Dean will be speaking as well in his new Microsoft PM role. I will certainly be there to heckle him and cheer him on to success in his new Evil Empire role….  What was it again… Emperor Palpa-Deano?

    joe

Rating 3.00 out of 5

1/21/2009

Does this excite anyone? AdFind V01.40.00 sneak peek…

by @ 4:53 am. Filed under tech

Example 1: Get tokenGroups attribute for every direct member of the domain admins group.

F:\Dev\Current\CPP\AdFind\Release>adfind -default -f name="domain admins" member -list | adfind -s base tokengroups -resolvesids

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:CN=TestAdminClone,OU=Users,OU=TestOU,DC=test,DC=loc
>tokenGroups: BUILTIN\Users
>tokenGroups: BUILTIN\Administrators
>tokenGroups: TEST\DnsAdmins
>tokenGroups: TEST\Domain Users
>tokenGroups: TEST\Domain Admins

dn:CN=$joe,OU=Users,OU=My,DC=test,DC=loc
>tokenGroups: BUILTIN\Users
>tokenGroups: BUILTIN\Administrators
>tokenGroups: TEST\DnsAdmins
>tokenGroups: TEST\Schema Admins
>tokenGroups: TEST\Enterprise Admins
>tokenGroups: TEST\Domain Users
>tokenGroups: TEST\Domain Admins

dn:CN=Administrator,CN=Users,DC=test,DC=loc
>tokenGroups: BUILTIN\Users
>tokenGroups: BUILTIN\Administrators
>tokenGroups: TEST\DnsAdmins
>tokenGroups: TEST\Schema Admins
>tokenGroups: TEST\Enterprise Admins
>tokenGroups: TEST\Domain Users
>tokenGroups: TEST\Group Policy Creator Owners
>tokenGroups: TEST\Domain Admins

3 Objects returned

 

Example 2a: Get sAMAccountName for all direct members of Domain Admins group

F:\Dev\Current\CPP\AdFind\Release>adfind -default -f name="domain admins" member -list | adfind -s base samaccountname

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:CN=TestAdminClone,OU=Users,OU=TestOU,DC=test,DC=loc
>sAMAccountName: TestAdminClone

dn:CN=$joe,OU=Users,OU=My,DC=test,DC=loc
>sAMAccountName: $joe

dn:CN=Administrator,CN=Users,DC=test,DC=loc
>sAMAccountName: Administrator

3 Objects returned

 

Example 2b: Get sAMAccountName for all direct members of Domain Admins group (alternate method using attribute scoped query)

F:\Dev\Current\CPP\AdFind\Release>adfind -default -f name="domain admins" -dsq | adfind -s base -asq member samaccountname

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:CN=Administrator,CN=Users,DC=test,DC=loc
>sAMAccountName: Administrator

dn:CN=$joe,OU=Users,OU=My,DC=test,DC=loc
>sAMAccountName: $joe

dn:CN=TestAdminClone,OU=Users,OU=TestOU,DC=test,DC=loc
>sAMAccountName: TestAdminClone

3 Objects returned

 

Example 3: Dump the serviceBindingInformation attribute for any ADAM serviceConnectionPoint objects that belong to Windows XP Professional machines. And no, this isn’t contrived, this is something I have wanted to do a few times to find people playing with ADAM on workstation class machines as well as something I have been asked how to do in the past… Normally this would take a script.

F:\Dev\Current\CPP\AdFind\Release>adfind -default -f "&(objectcategory=computer)(operatingsystem=Windows XP Professional)" -dsq | adfind -s one -f "&(objectcategory=serviceconnectionpoint)(serviceclassname=LDAP)" servicebindinginformation

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:CN={cb226d48-e9a7-420a-bce0-98edcc6b8cf2},CN=SFMXP64,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://sfmxp64.test.loc:636
>serviceBindingInformation: ldap://sfmxp64.test.loc:389

dn:CN={e4756748-fc8b-4166-8b7b-498bd97c9949},CN=SFMXP64,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://sfmxp64.test.loc:636
>serviceBindingInformation: ldap://sfmxp64.test.loc:389

dn:CN={3991aa1d-c87d-46cd-a08c-c52af9ae168e},CN=SFMXP32,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://sfmxp32.test.loc:636
>serviceBindingInformation: ldap://sfmxp32.test.loc:389

dn:CN={d3c0e3ee-d888-496d-acf0-6e4078052476},CN=HOMEXP,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://homexp.test.loc:636
>serviceBindingInformation: ldap://homexp.test.loc:389

4 Objects returned

 

When working on fixing several typos and mistakes in V01.39.00 I realized I had figured out a way to handle the piping from one instance of AdFind to another. I am still looking for holes but it looks good thus far. This is something I have wanted for some time but couldn’t see how to handle it with the current framework. Well out of the blue while looking at part of the code it struck me how to pull it off so I added it. Aside from that are the correction of some typos folks reported to me as well as adding some Windows 7 support (i.e. decoding some of the Windows 7 attribute values and support for the new object deletion/recycling capabilities).

   joe

Rating 3.00 out of 5

Future History

by @ 3:17 am. Filed under general

Ok so how about we let the future decide on what is and isn’t history and how about we get to work on getting our collective asses out of the hole we put ourselves in. I would much rather put my time and focus and energy on that versus getting sprained elbows patting ourselves on the back talking about how we are making history. Failure to do so will have a future that records history as “…and then they all constantly celebrated about how they made history and quickly plunged the country into an even darker place because they spent all their time talking about how they made history instead of working on the problems they needed to solve for the future….”

Someone on ActiveDir Org list compared what happened with the presidency to Landing on the Moon. Fine, great. What does that do for us today? We haven’t been back to the moon in how many years? The 40th anniversary of the first manned moon landing is coming up on July 20… Six visits total. Last visit was Apollo 17  on December 14, 1972. That’s how long…

All the moon landings did was prove it *could be* done, they didn’t make it a daily reality. In fact, we still have a percentage of the population of the country who don’t even believe we went to the moon. So, all in all, how successful and historic and life changing was our landing on the moon? Really?

Rating 3.00 out of 5

1/13/2009

What does it take to get someone from SE Michigan off their butt and out into 6-9 inches of snow???

by @ 12:54 am. Filed under general

Apparently a new Sonic Drive-In… This last weekend we had 6-9 inches of snow in the Mt. Clemens area of Michigan. At the same time a new Sonic has opened up here (probably only 4-5 inches by the point these pics were taken). The traffic to this place is unbelievable. The nearest Sonic to this one is in SouthGate which is quite a ways away… But still the roads were horrendous.

 

The Sonic is Open!

SonicIsOpen

SonicIsOpen2

SonicIsOpen3

 

Proceed to Staging Area????

StagingArea

StagingArea2

StagingArea3

Seriously???

StagingArea4

StagingArea5

StagingArea6

 

Is Sonic really that good? Anyone?

   joe

Rating 3.00 out of 5

1/10/2009

AdFind V01.39.00 Released

by @ 2:08 pm. Filed under updates

AdFind V01.39.00 is now released. This is the first public release of AdFind since V01.37.00 in June 2007. V01.38.00 was never publicly released.

One of the biggest changes with this version is that I moved to a new compiler. V01.37.00 was compiled with Borland C++ Builder 6 (released in 2002).  V01.39.00 was compiled with Code Gear C++ Builder 2009 (released in 2008). I haven’t done extensive testing but the new executable appears to be faster and it is substantially smaller, about 40% smaller to be exact.

It feels good to finally get this version out there for you all to use. Please let me know any thoughts you have or issues that you encounter. I have been using this version with this compiler for some time internally and haven’t run into anything odd but there are so many of you out there using it now, there is always a possibility you will hit something that I haven’t. 

You can get AdFind V01.39.00 here —> http://www.joeware.net/freetools/tools/adfind/index.htm

You can get the new usage screens by typing adfind /? or looking here —> http://www.joeware.net/freetools/tools/adfind/usage.htm

 

List of the specific changes for AdFind, to get more info on the switches, shortcuts, etc, check out the usage screens.

o Changed longhorn references to Windows Server 2008
o Updated decoded attributes to account for Windows Server 2008 values
o More decoded attributes
o Documented decoded attributes in usage
o Multiple bug fixes
o Multiple usage screen fixes
o Multiple shortcut fixes
o -csv now also sets -noctl
o -sc sdump sorts multivalue attributes
o Arbitrary text mode for -csv which allows an attribute of header:value
o -rawsddl no longer requires -sddl
o Auto Ranging disabled for any attributes that are specified with a specific range.
o If no base is specified, assume -default
o mvfilter matching will be made without any modifier on the attribute
o All multiple values for a single attribute for -mvfilter/-mvnotfilter
o -binenc now does CURRENT encoding
o Added more attribs to -fullrootdse

o New Switches
   * rootdseanon
   * nirs
   * nirsx
   * writeable
   * sslignoresrvcert
   * mvsort
   * mvrsort
   * filterbreakdown
   * enccurrent
   * tdcd
   * inputdn

o New Shortcuts
   * admincountdmp
   * xrdump
   * dcdmp
   * adobjcnt
   * adamobjcnt
   * alldc+
   * users_disabled
   * users_nonexpiring
   * users_pwdnotreqd
   * users_accexpired
   * computers_disabled
   * computers_pwdnotreqd
   * computers_active
   * computers_inactive
   * schver
   * spn:xx
   * email:xx
   * site:xx
   * subnet:xx
   * syscrit
   * rodc_cachable
   * policies

Rating 3.00 out of 5

1/8/2009

Windows Server 2008 AD Issue for NSPI

by @ 1:54 am. Filed under tech

Not really an issue or at least it shouldn’t be, if something is generating more than 50 concurrent NSPI connections, it likely needs to be checked out anyway…

 

NSPI connections from Microsoft Outlook to a Windows Server 2008-based domain controller may fail with an error code: “MAPI_E_LOGON_FAILED”

This behavior occurs because Windows Server 2008 only allows for a default maximum of 50 concurrent NSPI connections per user to any domain controller. Additional NSPI connections are rejected with a MAPI_E_LOGON_FAILED error code.

See the whole support KB here —> http://support.microsoft.com/kb/949469

Rating 3.00 out of 5

Update to Grandma’s Chocolate Syrup Recipe

by @ 1:41 am. Filed under recipes

My Grandma was shooting from the hip when I asked for this recipe

http://blog.joeware.net/2008/12/23/1554/

She found the “real” recipe and sent it along…

 

1 stick of oleo or butter
1/2 cup cocoa powder
2 cups of sugar
1 large can of carnation milk

 

Melt together oleo (or butter) & cocoa powder.
Add 2 cups sugar & a large can of carnation milk.
Cook at a slow boil about 10 min. or until thick. store in frig.
If you save jam or jelly jars & lids you can boil them turn upside down on towel to dry.
Pour hot fudge in & tighten lids will keep quite awhile.

Rating 3.00 out of 5

1/2/2009

Metadata info in AdFind

by @ 7:03 pm. Filed under tech

My recent post about getting Active Directory replication Meta Data has spawned a considerable number of emails. I wanted to take a moment and remind everyone of the help switch specifically talking about the replication metadata info. This usage provided in AdFind tells you your sort options available for each metadata attribute and what info is contained in each of the columns.

You can get that help by typing

adfind /meta?

Here is the latest version of that output…

F:\Dev\Current\CPP\AdFind\Debug>adfind /meta?

AdFind V01.39.00cpp ***BETA*** Joe Richards (joe@joeware.net) January 2009

-help         Basic help.
-?            Basic help.
-??           Advanced/Expert help.
-????         Shortcut help.
-sc?          Shortcut help.
-meta?        Metadata help.

Usage:
AdFind [switches] [-b basedn] [-f filter] [attr list]

   basedn        RFC 2253 DN to base search from.
                 If no base specified, defaults to default NC.
   filter        RFC 2254 LDAP filter.
                 If no filter specified, defaults to objectclass=*.
   attr list     List of specific attributes to return, if nothing specified
                 returns ‘default’ attributes, aka * set.

  Switches: (designated by – or /)

   MetaData Help
   =============
   AdFind has the ability to decode various metadata type attributes. These
   attributes can give information about replication status of the server
   itself or replication metadata for individual objects.

   These special attributes are normally returned from Active Directory in
   XML format. This is a bit bulky and can be tough to read without cleanup
   so I have added the ability decode the attributes and cut down the amount
   of data passed over the wire. Using the ;binary option when specifying an
   attribute causes AD to reformat certain attributes and send them across as
   binary blocks of data. When requesting the meta attributes outlined below
   if you do not specify the ;binary option, they will be returned in the
   native format, if you add the ;binary option, they will be returned in the
   alternate format and AdFind will decode the strings to its format.

   To further assist the ease of retrieving this information, see the shortcut
   usage menu via adfind /sc?

   MetaData Attributes
   ——————-
   msDS-ReplQueueStatistics  – RootDSE attribute
       Replication queue statistics. Output is labeled. No sort options.

   msDS-ReplPendingOps – RootDSE attribute
       Any replications operations currently in progress. Output is labeled.
       Default sort order is server return order. Sort options – dsa,date

   msDS-ReplConnectionFailures – RootDSE attribute
   msDS-ReplLinkFailures – RootDSE attribute
       Replication failure information. Output is labeled. Default sort order
       is by DSA. Sort options – dsa,date

   msDS-ReplAllInboundNeighbors – RootDSE attribute
   msDS-ReplAllOutboundNeighbors – RootDSE attribute
       Replication info for all direct neighbors. Output is labeled. Default
       sort order is by DSA. Sort options – dsa,date,nc,err

   msDS-TopQuotaUsage – RootDSE attribute
       Indicates the top object owners on a given server. Output is labeled.
       Default sort order is server return order. Sort options – nc,owner.

   msDS-NCReplInboundNeighbors – Naming Context attribute
   msDS-NCReplOutboundNeighbors – Naming Context attribute
       Replication for all direct neighbors for the specific NC. Output is
       labeled. Default sort order is by DSA. Sort options – dsa,date,nc,err

   msDS-NCReplCursors – Naming Context attribute
       Replication cursors by DSA by context. Output format:
            HighestUSN LastSyncTime DSA
       Default sort order is last sync time. Sort options – lastsync,dsa

   msDS-ReplAttributeMetaData – Object Level attribute
       Replication metadata for object. Output format:
             USNLocal DSA USNOrig Date/Time Version Attribute
       Default sort order is attribute. Sort options – DSA,date,usnloc,usnorig,ver

   msDS-ReplValueMetaData – Object Level attribute (FFL2+ only – i.e. LVR Replication)
       Replication value metadata for object. Output format:
             attribute USNLocal DSA USNOrig Date/Time Version State ObjectDN
       Default sort order is date. Sort options – attrib,obj,DSA,state,date,usnloc,usnorig,ver

   Sort Options
   ————
   The decoded output for most of the metadata attributes can be sorted to various
   fields in the output. The specific fields for each attribute are listed with
   the description of the attributes. In order to change the sort field, use the
   -metasort switch. Specify the switch combined with the options specified above
   to change the sort order. If value has a dash (-) appended, the search order
   is reversed.

  Ex1:
    adfind -rootdse msDS-TopQuotaUsage;binary
      Get top 10 quota users in decoded format

  Ex2:
    adfind -b cn=someobject,ou=someou,dc=test,dc=loc -s base msDS-ReplAttributeMetaData;binary
      Get attribute metadata for specified object in decoded format

This software is Freeware. Use at your own risk.
I do not warrant this software to be fit for any purpose or use and
I do not guarantee that it will not damage or destroy your system.
Contact joe@joeware.net via email for licensing information to package
this utility in commercial products.

See full Warranty documentation on www.joeware.net.

If you have improvement ideas, bugs, or just wish to say Hi, I
receive email 24×7 and read it in a semi-regular timeframe.
You can usually find me at joe@joeware.net

Rating 3.00 out of 5

[joeware – never stop exploring… :) is proudly powered by WordPress.]