joeware - never stop exploring... :)

I received an email this evening that I swore I had previously wrote something up on the blog for and didn’t, so I will share…

The email

From: xxx@domain.gov
Sent: Wednesday, January 28, 2009 7:28 PM
To: ‘joe@joeware.net’
Subject: Adfind piped into admod question

Good evening Joe,

First I’d like to commend you on your books, website, and apps, I use many of them almost on a daily basis. 

So here it is:

We have users who’s home folders are being moved from \\xxx-home to \\abc-xxx
now \\abc-xxx and \\xxx-home aren’t the only home servers so it’s not like i can replace them all so I’ve written this script to test it out. In the servers OU I placed a user account and have populated the home directory as \\xxx-home2\joesmith$…again this account is just for testing.

run this script

adfind -b “ou=xxx,dc=domain,dc=gov” -f “(&(objectcategory=person)(objectclass=user)(homedirectory=\\xxx-home*))” samaccountname -adcsv | admod -unsafe homedirectory::\\abc-xxx.domain.gov\%username%$

the script runs just fine and updates joesmith’s home directory to \\abc-xxx.domain.gov\joesmith$ which was anticipated.
So this works all fine and dandy, where the problem is, is if down the road we want to utilize this again it doesn’t work. so for instance:
user account joesmith who’s home directory is now \\abc-xxx.domain.gov\joesmith$ (home directory was changed with utilizing the above script)
if \\abc-xxx was being retired and we were putting \\abc-home10 in it’s place. If you adjust the script find homedirectory=\\abc-xxx* it wont find anything to alter. The only way to make it find something is to tell it to find homedirectory=*

At first I thought it was because of AD replication (that is all DC’s aren’t up to date with the correct information), but I checked all our DC and it was updated before I ran the 2nd update.  Then I thought well what if there was a space before the \\ so I opened up ADUC and ADSedit and verified there wasn’t s space in the homedirectory attribute.  
Any clue why it wouldn’t update the 2^nd time around?  Also what does the -adcsv –dsq switch do? Tried to find some documentation on it but there was little.

Any information you could provide would be much appreciated.

Thanks again,

     xxx

I get questions like this pretty regularly which is why I guess I thought I blogged about it before, but I couldn’t find a blog entry for it so here was my response

Hey xxx, glad you like the tools, book, et al. 🙂

First off, I wanted to point something out… This first command

adfind -b “ou=xxx,dc=domain,dc=gov” -f “(&(objectcategory=person)(objectclass=user)(homedirectory=\\xxx-home*))” samaccountname -adcsv | admod -unsafe homedirectory::\\abc-xxx.domain.gov\%username%$

has an issue with the admod portion. Specifically the %username% won’t work. That will decode to the current environment variable for username which should be your current logon account. That little shortcut in ADUC is just that, a shortcut in ADUC, it isn’t a global AD thing. I think what you would really want would be

adfind -b “ou=xxx,dc=domain,dc=gov” -f “(&(objectcategory=person)(objectclass=user)(homedirectory=\\xxx-home*))” samaccountname -adcsv | admod -unsafe homedirectory::\\abc-xxx.domain.gov\{{samaccountname}}$

That will take the samaccountname that is returned from the query and piped across to admod and use that to populate the username piece of the share name so it would be specific to every user queried, it wouldn’t set the value to your current username environment variable for every account returned.

Second, the issue you see with the \\abc-xxx… is doing something you probably don’t expect… In an LDAP query, the backslash (\) character is an escape character. It tells LDAP that something special is coming – specifically a hex character sequence like \2a for example. This is generally not a problem and it all sorts itself out so you likely never have an issue using \\someserver… However if you follow a backslash with character that is a valid HEX character the escape and the HEX character are taken together… In that case, the proper way to search for a value that has embedded back slash literals is to use \5c for each backslash, so it would be \5c\5cabc-xxx. You can check out http://msdn.microsoft.com/en-us/library/ms675768(VS.85).aspx which discusses this and more about creating query filters.

    joe

And then I realized I didn’t answer his last two questions so I added

Sorry, didn’t answer the other questions:

-adcsv : As the adfind usage indicates, it is a special CSV mode that embeds some extra info in the CSV for AdMod or whatever tool being piped to to better understand the request, for example some things that can get embedded would be hostname, userid, password, etc used in the adfind query.

   -adcsv xxx    Special CSV mode for interacting with other joeware tools.
                 xxx is an optional string that specifies value to use for
                 use for empty attribs.

-dsq : This is simply quoted DN output like DSQuery outputs.

  -dsq          DSQuery style quoted DN output

   joe

 

So a little more discussion on the embedded backslashes, as the MSDN article above discusses the following characters all need to be escaped with “need” being a little more loosely defined for the backslash character itself than the other characters.

*	\2a
(	\28
)	\29
\	\5c
NUL	\00

 

So now I know at least one or two of you are thinking… wow… so joe, why don’t you just help the guy out and likely help me out too and just make AdFind smart enough to do that embedding work for me… Well I could try… But I really really try hard not to mess with the actual LDAP query that is entered. The minimal amount I do for -bit to do a find/replace on some specific strings is fired off by the actual -bit switch. If people have to specify a switch to encode backslashes why don’t they just instead encode the backslashes themselves since it isn’t that much more and I don’t have to try and guess which backslashes should and shouldn’t be encoded. But joe… \5c is a pain in the butt to remember… Yes, for me too… The way I remember it when I need to is to query for the object I know that has one of the troublesome homedirectories in it and then tell AdFind to return the homedirectory value in binary so I can quickly see the HEX characters I need to enter. Like so

[Thu 01/29/2009  3:32:04.61]
G:\new1\Dev\Current\CPP\AdFind\Release>adfind -default -f “&(name=someuser)(homedirectory=*)” homedirectory

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

dn:CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc
>homeDirectory: \\abc-xxx\someuser$

1 Objects returned

[Thu 01/29/2009  3:32:06.72]
G:\new1\Dev\Current\CPP\AdFind\Release>adfind -default -f “&(name=someuser)(homedirectory=*)” homedirectory;binary

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

dn:CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc
>homeDirectory;binary: 5C5C 6162 632D 7878 785C 736F 6D65 7573 6572 24

1 Objects returned

Note the 5C5C right there at the front…

 

    joe

Example 1: Get tokenGroups attribute for every direct member of the domain admins group.

F:\Dev\Current\CPP\AdFind\Release>adfind -default -f name="domain admins" member -list | adfind -s base tokengroups -resolvesids

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:CN=TestAdminClone,OU=Users,OU=TestOU,DC=test,DC=loc
>tokenGroups: BUILTIN\Users
>tokenGroups: BUILTIN\Administrators
>tokenGroups: TEST\DnsAdmins
>tokenGroups: TEST\Domain Users
>tokenGroups: TEST\Domain Admins

dn:CN=$joe,OU=Users,OU=My,DC=test,DC=loc
>tokenGroups: BUILTIN\Users
>tokenGroups: BUILTIN\Administrators
>tokenGroups: TEST\DnsAdmins
>tokenGroups: TEST\Schema Admins
>tokenGroups: TEST\Enterprise Admins
>tokenGroups: TEST\Domain Users
>tokenGroups: TEST\Domain Admins

dn:CN=Administrator,CN=Users,DC=test,DC=loc
>tokenGroups: BUILTIN\Users
>tokenGroups: BUILTIN\Administrators
>tokenGroups: TEST\DnsAdmins
>tokenGroups: TEST\Schema Admins
>tokenGroups: TEST\Enterprise Admins
>tokenGroups: TEST\Domain Users
>tokenGroups: TEST\Group Policy Creator Owners
>tokenGroups: TEST\Domain Admins

3 Objects returned

 

Example 2a: Get sAMAccountName for all direct members of Domain Admins group

F:\Dev\Current\CPP\AdFind\Release>adfind -default -f name="domain admins" member -list | adfind -s base samaccountname

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:CN=TestAdminClone,OU=Users,OU=TestOU,DC=test,DC=loc
>sAMAccountName: TestAdminClone

dn:CN=$joe,OU=Users,OU=My,DC=test,DC=loc
>sAMAccountName: $joe

dn:CN=Administrator,CN=Users,DC=test,DC=loc
>sAMAccountName: Administrator

3 Objects returned

 

Example 2b: Get sAMAccountName for all direct members of Domain Admins group (alternate method using attribute scoped query)

F:\Dev\Current\CPP\AdFind\Release>adfind -default -f name="domain admins" -dsq | adfind -s base -asq member samaccountname

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:CN=Administrator,CN=Users,DC=test,DC=loc
>sAMAccountName: Administrator

dn:CN=$joe,OU=Users,OU=My,DC=test,DC=loc
>sAMAccountName: $joe

dn:CN=TestAdminClone,OU=Users,OU=TestOU,DC=test,DC=loc
>sAMAccountName: TestAdminClone

3 Objects returned

 

Example 3: Dump the serviceBindingInformation attribute for any ADAM serviceConnectionPoint objects that belong to Windows XP Professional machines. And no, this isn’t contrived, this is something I have wanted to do a few times to find people playing with ADAM on workstation class machines as well as something I have been asked how to do in the past… Normally this would take a script.

F:\Dev\Current\CPP\AdFind\Release>adfind -default -f "&(objectcategory=computer)(operatingsystem=Windows XP Professional)" -dsq | adfind -s one -f "&(objectcategory=serviceconnectionpoint)(serviceclassname=LDAP)" servicebindinginformation

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:CN={cb226d48-e9a7-420a-bce0-98edcc6b8cf2},CN=SFMXP64,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://sfmxp64.test.loc:636
>serviceBindingInformation: ldap://sfmxp64.test.loc:389

dn:CN={e4756748-fc8b-4166-8b7b-498bd97c9949},CN=SFMXP64,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://sfmxp64.test.loc:636
>serviceBindingInformation: ldap://sfmxp64.test.loc:389

dn:CN={3991aa1d-c87d-46cd-a08c-c52af9ae168e},CN=SFMXP32,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://sfmxp32.test.loc:636
>serviceBindingInformation: ldap://sfmxp32.test.loc:389

dn:CN={d3c0e3ee-d888-496d-acf0-6e4078052476},CN=HOMEXP,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://homexp.test.loc:636
>serviceBindingInformation: ldap://homexp.test.loc:389

4 Objects returned

 

When working on fixing several typos and mistakes in V01.39.00 I realized I had figured out a way to handle the piping from one instance of AdFind to another. I am still looking for holes but it looks good thus far. This is something I have wanted for some time but couldn’t see how to handle it with the current framework. Well out of the blue while looking at part of the code it struck me how to pull it off so I added it. Aside from that are the correction of some typos folks reported to me as well as adding some Windows 7 support (i.e. decoding some of the Windows 7 attribute values and support for the new object deletion/recycling capabilities).

   joe

Not really an issue or at least it shouldn’t be, if something is generating more than 50 concurrent NSPI connections, it likely needs to be checked out anyway…

 

NSPI connections from Microsoft Outlook to a Windows Server 2008-based domain controller may fail with an error code: “MAPI_E_LOGON_FAILED”

This behavior occurs because Windows Server 2008 only allows for a default maximum of 50 concurrent NSPI connections per user to any domain controller. Additional NSPI connections are rejected with a MAPI_E_LOGON_FAILED error code.

See the whole support KB here —> http://support.microsoft.com/kb/949469

My recent post about getting Active Directory replication Meta Data has spawned a considerable number of emails. I wanted to take a moment and remind everyone of the help switch specifically talking about the replication metadata info. This usage provided in AdFind tells you your sort options available for each metadata attribute and what info is contained in each of the columns.

You can get that help by typing

adfind /meta?

Here is the latest version of that output…

F:\Dev\Current\CPP\AdFind\Debug>adfind /meta?

AdFind V01.39.00cpp ***BETA*** Joe Richards (joe@joeware.net) January 2009

-help         Basic help.
-?            Basic help.
-??           Advanced/Expert help.
-????         Shortcut help.
-sc?          Shortcut help.
-meta?        Metadata help.

Usage:
AdFind [switches] [-b basedn] [-f filter] [attr list]

   basedn        RFC 2253 DN to base search from.
                 If no base specified, defaults to default NC.
   filter        RFC 2254 LDAP filter.
                 If no filter specified, defaults to objectclass=*.
   attr list     List of specific attributes to return, if nothing specified
                 returns ‘default’ attributes, aka * set.

  Switches: (designated by – or /)

   MetaData Help
   =============
   AdFind has the ability to decode various metadata type attributes. These
   attributes can give information about replication status of the server
   itself or replication metadata for individual objects.

   These special attributes are normally returned from Active Directory in
   XML format. This is a bit bulky and can be tough to read without cleanup
   so I have added the ability decode the attributes and cut down the amount
   of data passed over the wire. Using the ;binary option when specifying an
   attribute causes AD to reformat certain attributes and send them across as
   binary blocks of data. When requesting the meta attributes outlined below
   if you do not specify the ;binary option, they will be returned in the
   native format, if you add the ;binary option, they will be returned in the
   alternate format and AdFind will decode the strings to its format.

   To further assist the ease of retrieving this information, see the shortcut
   usage menu via adfind /sc?

   MetaData Attributes
   ——————-
   msDS-ReplQueueStatistics  – RootDSE attribute
       Replication queue statistics. Output is labeled. No sort options.

   msDS-ReplPendingOps – RootDSE attribute
       Any replications operations currently in progress. Output is labeled.
       Default sort order is server return order. Sort options – dsa,date

   msDS-ReplConnectionFailures – RootDSE attribute
   msDS-ReplLinkFailures – RootDSE attribute
       Replication failure information. Output is labeled. Default sort order
       is by DSA. Sort options – dsa,date

   msDS-ReplAllInboundNeighbors – RootDSE attribute
   msDS-ReplAllOutboundNeighbors – RootDSE attribute
       Replication info for all direct neighbors. Output is labeled. Default
       sort order is by DSA. Sort options – dsa,date,nc,err

   msDS-TopQuotaUsage – RootDSE attribute
       Indicates the top object owners on a given server. Output is labeled.
       Default sort order is server return order. Sort options – nc,owner.

   msDS-NCReplInboundNeighbors – Naming Context attribute
   msDS-NCReplOutboundNeighbors – Naming Context attribute
       Replication for all direct neighbors for the specific NC. Output is
       labeled. Default sort order is by DSA. Sort options – dsa,date,nc,err

   msDS-NCReplCursors – Naming Context attribute
       Replication cursors by DSA by context. Output format:
            HighestUSN LastSyncTime DSA
       Default sort order is last sync time. Sort options – lastsync,dsa

   msDS-ReplAttributeMetaData – Object Level attribute
       Replication metadata for object. Output format:
             USNLocal DSA USNOrig Date/Time Version Attribute
       Default sort order is attribute. Sort options – DSA,date,usnloc,usnorig,ver

   msDS-ReplValueMetaData – Object Level attribute (FFL2+ only – i.e. LVR Replication)
       Replication value metadata for object. Output format:
             attribute USNLocal DSA USNOrig Date/Time Version State ObjectDN
       Default sort order is date. Sort options – attrib,obj,DSA,state,date,usnloc,usnorig,ver

   Sort Options
   ————
   The decoded output for most of the metadata attributes can be sorted to various
   fields in the output. The specific fields for each attribute are listed with
   the description of the attributes. In order to change the sort field, use the
   -metasort switch. Specify the switch combined with the options specified above
   to change the sort order. If value has a dash (-) appended, the search order
   is reversed.

  Ex1:
    adfind -rootdse msDS-TopQuotaUsage;binary
      Get top 10 quota users in decoded format

  Ex2:
    adfind -b cn=someobject,ou=someou,dc=test,dc=loc -s base msDS-ReplAttributeMetaData;binary
      Get attribute metadata for specified object in decoded format

This software is Freeware. Use at your own risk.
I do not warrant this software to be fit for any purpose or use and
I do not guarantee that it will not damage or destroy your system.
Contact joe@joeware.net via email for licensing information to package
this utility in commercial products.

See full Warranty documentation on www.joeware.net.

If you have improvement ideas, bugs, or just wish to say Hi, I
receive email 24×7 and read it in a semi-regular timeframe.
You can usually find me at joe@joeware.net

This is a new feature that I added to AdFind on this last version. Sometimes you look at a record and you want to quickly know the delta time between now and the time listed. I have added the –tdcd option to do that. By default it will handle the int8 values, but if you add the –tdcgt or –tdcgts switch it will also handle generalized time as well.

Examples:

F:\Dev\Current\CPP\AdFind\Debug>adfind -e -default -f name=administrator -tdcd badpwasswordtime lastlogon lastlogoff pwdlastset lastlogontimestamp whencreated whenchanged

AdFind V01.39.00cpp ***BETA*** Joe Richards (joe@joeware.net) January 2009

Using server: TROUBLE-DC1.trouble.loc:389
Directory: Windows Server 2008
Base DN: DC=trouble,DC=loc

dn:CN=Administrator,CN=Users,DC=trouble,DC=loc
>whenCreated: 20080619161006.0Z
>whenChanged: 20081230012257.0Z
>lastLogoff: 0000/00/00-00:00:00 (UNDEFINED)
>lastLogon: 2008/12/30-11:06:29 Eastern Standard Time (-3 days 2 hours 17 minutes 47 seconds)
>pwdLastSet: 2008/12/29-20:22:57 Eastern Standard Time (-3 days 17 hours 1 minutes 20 seconds)
>lastLogonTimestamp: 2008/12/27-11:08:55 Eastern Standard Time (-6 days 2 hours 15 minutes 22 seconds)

1 Objects returned

and with Generalized time decoded as well

 

F:\Dev\Current\CPP\AdFind\Debug>adfind -e -default -f name=administrator -tdcgts -tdcd badpwasswordtime lastlogon lastlogoff pwdlastset lastlogontimestamp whencreated whenchanged

AdFind V01.39.00cpp ***BETA*** Joe Richards (joe@joeware.net) January 2009

Using server: TROUBLE-DC1.trouble.loc:389
Directory: Windows Server 2008
Base DN: DC=trouble,DC=loc

dn:CN=Administrator,CN=Users,DC=trouble,DC=loc
>whenCreated: 2008/06/19-11:10:06 Eastern Standard Time (-197 days 2 hours 14 minutes 26 seconds)
>whenChanged: 2008/12/29-20:22:57 Eastern Standard Time (-3 days 17 hours 1 minutes 35 seconds)
>lastLogoff: 0000/00/00-00:00:00 (UNDEFINED)
>lastLogon: 2008/12/30-11:06:29 Eastern Standard Time (-3 days 2 hours 18 minutes 3 seconds)
>pwdLastSet: 2008/12/29-20:22:57 Eastern Standard Time (-3 days 17 hours 1 minutes 35 seconds)
>lastLogonTimestamp: 2008/12/27-11:08:55 Eastern Standard Time (-6 days 2 hours 15 minutes 37 seconds)

1 Objects returned