joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

1/21/2009

Does this excite anyone? AdFind V01.40.00 sneak peek…

by @ 4:53 am. Filed under tech

Example 1: Get tokenGroups attribute for every direct member of the domain admins group.

F:\Dev\Current\CPP\AdFind\Release>adfind -default -f name="domain admins" member -list | adfind -s base tokengroups -resolvesids

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:CN=TestAdminClone,OU=Users,OU=TestOU,DC=test,DC=loc
>tokenGroups: BUILTIN\Users
>tokenGroups: BUILTIN\Administrators
>tokenGroups: TEST\DnsAdmins
>tokenGroups: TEST\Domain Users
>tokenGroups: TEST\Domain Admins

dn:CN=$joe,OU=Users,OU=My,DC=test,DC=loc
>tokenGroups: BUILTIN\Users
>tokenGroups: BUILTIN\Administrators
>tokenGroups: TEST\DnsAdmins
>tokenGroups: TEST\Schema Admins
>tokenGroups: TEST\Enterprise Admins
>tokenGroups: TEST\Domain Users
>tokenGroups: TEST\Domain Admins

dn:CN=Administrator,CN=Users,DC=test,DC=loc
>tokenGroups: BUILTIN\Users
>tokenGroups: BUILTIN\Administrators
>tokenGroups: TEST\DnsAdmins
>tokenGroups: TEST\Schema Admins
>tokenGroups: TEST\Enterprise Admins
>tokenGroups: TEST\Domain Users
>tokenGroups: TEST\Group Policy Creator Owners
>tokenGroups: TEST\Domain Admins

3 Objects returned

 

Example 2a: Get sAMAccountName for all direct members of Domain Admins group

F:\Dev\Current\CPP\AdFind\Release>adfind -default -f name="domain admins" member -list | adfind -s base samaccountname

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:CN=TestAdminClone,OU=Users,OU=TestOU,DC=test,DC=loc
>sAMAccountName: TestAdminClone

dn:CN=$joe,OU=Users,OU=My,DC=test,DC=loc
>sAMAccountName: $joe

dn:CN=Administrator,CN=Users,DC=test,DC=loc
>sAMAccountName: Administrator

3 Objects returned

 

Example 2b: Get sAMAccountName for all direct members of Domain Admins group (alternate method using attribute scoped query)

F:\Dev\Current\CPP\AdFind\Release>adfind -default -f name="domain admins" -dsq | adfind -s base -asq member samaccountname

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:CN=Administrator,CN=Users,DC=test,DC=loc
>sAMAccountName: Administrator

dn:CN=$joe,OU=Users,OU=My,DC=test,DC=loc
>sAMAccountName: $joe

dn:CN=TestAdminClone,OU=Users,OU=TestOU,DC=test,DC=loc
>sAMAccountName: TestAdminClone

3 Objects returned

 

Example 3: Dump the serviceBindingInformation attribute for any ADAM serviceConnectionPoint objects that belong to Windows XP Professional machines. And no, this isn’t contrived, this is something I have wanted to do a few times to find people playing with ADAM on workstation class machines as well as something I have been asked how to do in the past… Normally this would take a script.

F:\Dev\Current\CPP\AdFind\Release>adfind -default -f "&(objectcategory=computer)(operatingsystem=Windows XP Professional)" -dsq | adfind -s one -f "&(objectcategory=serviceconnectionpoint)(serviceclassname=LDAP)" servicebindinginformation

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) January 2009

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:CN={cb226d48-e9a7-420a-bce0-98edcc6b8cf2},CN=SFMXP64,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://sfmxp64.test.loc:636
>serviceBindingInformation: ldap://sfmxp64.test.loc:389

dn:CN={e4756748-fc8b-4166-8b7b-498bd97c9949},CN=SFMXP64,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://sfmxp64.test.loc:636
>serviceBindingInformation: ldap://sfmxp64.test.loc:389

dn:CN={3991aa1d-c87d-46cd-a08c-c52af9ae168e},CN=SFMXP32,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://sfmxp32.test.loc:636
>serviceBindingInformation: ldap://sfmxp32.test.loc:389

dn:CN={d3c0e3ee-d888-496d-acf0-6e4078052476},CN=HOMEXP,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://homexp.test.loc:636
>serviceBindingInformation: ldap://homexp.test.loc:389

4 Objects returned

 

While fixing several typos and mistakes in V01.39.00, I realized I had figured out a way to handle the piping from one instance of AdFind to another. I am still looking for holes, but it looks good thus far. This is something I have wanted for some time but couldn’t see how to handle with the current framework. Then, out of the blue, while looking at part of the code, it struck me how to pull it off, so I added it. Aside from that, there are corrections for some typos folks reported to me, as well as some Windows 7 support (i.e. decoding some of the Windows 7 attribute values and support for the new object deletion/recycling capabilities).

   joe
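Added example, not part of the original post or of AdFind: a small Python parser for the `dn:` / `>attribute: value` output format shown above, used to turn the Example 3 result into a per-workstation inventory of ADAM endpoints. The function names are hypothetical; the sample text is the Example 3 output from this post with the banner lines trimmed.

```python
import re
from collections import defaultdict

# Sample input: the Example 3 output shown in this post (banner trimmed).
SAMPLE = """\
Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:CN={cb226d48-e9a7-420a-bce0-98edcc6b8cf2},CN=SFMXP64,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://sfmxp64.test.loc:636
>serviceBindingInformation: ldap://sfmxp64.test.loc:389

dn:CN={e4756748-fc8b-4166-8b7b-498bd97c9949},CN=SFMXP64,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://sfmxp64.test.loc:636
>serviceBindingInformation: ldap://sfmxp64.test.loc:389

dn:CN={3991aa1d-c87d-46cd-a08c-c52af9ae168e},CN=SFMXP32,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://sfmxp32.test.loc:636
>serviceBindingInformation: ldap://sfmxp32.test.loc:389

dn:CN={d3c0e3ee-d888-496d-acf0-6e4078052476},CN=HOMEXP,CN=Computers,DC=test,DC=loc
>serviceBindingInformation: ldaps://homexp.test.loc:636
>serviceBindingInformation: ldap://homexp.test.loc:389

4 Objects returned
"""

def parse_adfind(text):
    """Split default AdFind output into [{'dn': ..., 'attrs': {name: [values]}}]."""
    objects, current = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("dn:"):
            current = {"dn": line[3:], "attrs": {}}
            objects.append(current)
        elif line.startswith(">") and current is not None:
            name, sep, value = line[1:].partition(": ")
            if sep:  # ignore anything that is not "name: value"
                current["attrs"].setdefault(name, []).append(value)
    return objects

def parent_cn(dn):
    """Value of the second RDN (the computer that owns the SCP), or None."""
    rdns = re.split(r"(?<!\\),", dn)  # do not split on escaped commas
    if len(rdns) < 2:
        return None
    return rdns[1].partition("=")[2]

def adam_inventory(objects):
    """Group serviceBindingInformation values by owning computer."""
    found = defaultdict(lambda: {"instances": 0, "endpoints": set()})
    for obj in objects:
        host = parent_cn(obj["dn"])
        urls = obj["attrs"].get("serviceBindingInformation", [])
        if host is None or not urls:
            continue
        found[host]["instances"] += 1
        found[host]["endpoints"].update(urls)
    return {h: {"instances": v["instances"], "endpoints": sorted(v["endpoints"])}
            for h, v in sorted(found.items())}

if __name__ == "__main__":
    for host, info in adam_inventory(parse_adfind(SAMPLE)).items():
        print(host, info["instances"], ", ".join(info["endpoints"]))
```
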


Future History

by @ 3:17 am. Filed under general

Ok so how about we let the future decide on what is and isn’t history and how about we get to work on getting our collective asses out of the hole we put ourselves in. I would much rather put my time and focus and energy on that versus getting sprained elbows patting ourselves on the back talking about how we are making history. Failure to do so will have a future that records history as “…and then they all constantly celebrated about how they made history and quickly plunged the country into an even darker place because they spent all their time talking about how they made history instead of working on the problems they needed to solve for the future….”

Someone on the ActiveDir Org list compared what happened with the presidency to landing on the Moon. Fine, great. What does that do for us today? We haven’t been back to the moon in how many years? The 40th anniversary of the first manned moon landing is coming up on July 20… Six visits total. Last visit was Apollo 17 on December 14, 1972. That’s how long…

All the moon landings did was prove it *could be* done, they didn’t make it a daily reality. In fact, we still have a percentage of the population of the country who don’t even believe we went to the moon. So, all in all, how successful and historic and life changing was our landing on the moon? Really?


1/13/2009

What does it take to get someone from SE Michigan off their butt and out into 6-9 inches of snow???

by @ 12:54 am. Filed under general

Apparently a new Sonic Drive-In… This last weekend we had 6-9 inches of snow in the Mt. Clemens area of Michigan. At the same time a new Sonic has opened up here (probably only 4-5 inches by the point these pics were taken). The traffic to this place is unbelievable. The nearest Sonic to this one is in SouthGate which is quite a ways away… But still the roads were horrendous.

 

The Sonic is Open!

[Three photos]

Proceed to Staging Area????

[Three photos]

Seriously???

[Three photos]

 

Is Sonic really that good? Anyone?

   joe


1/10/2009

AdFind V01.39.00 Released

by @ 2:08 pm. Filed under updates

AdFind V01.39.00 is now released. This is the first public release of AdFind since V01.37.00 in June 2007. V01.38.00 was never publicly released.

One of the biggest changes with this version is that I moved to a new compiler. V01.37.00 was compiled with Borland C++ Builder 6 (released in 2002).  V01.39.00 was compiled with Code Gear C++ Builder 2009 (released in 2008). I haven’t done extensive testing but the new executable appears to be faster and it is substantially smaller, about 40% smaller to be exact.

It feels good to finally get this version out there for you all to use. Please let me know any thoughts you have or issues that you encounter. I have been using this version with this compiler for some time internally and haven’t run into anything odd but there are so many of you out there using it now, there is always a possibility you will hit something that I haven’t. 

You can get AdFind V01.39.00 here --> http://www.joeware.net/freetools/tools/adfind/index.htm

You can get the new usage screens by typing adfind /? or looking here --> http://www.joeware.net/freetools/tools/adfind/usage.htm

 

List of the specific changes for AdFind. To get more info on the switches, shortcuts, etc., check out the usage screens.

o Changed longhorn references to Windows Server 2008
o Updated decoded attributes to account for Windows Server 2008 values
o More decoded attributes
o Documented decoded attributes in usage
o Multiple bug fixes
o Multiple usage screen fixes
o Multiple shortcut fixes
o -csv now also sets -noctl
o -sc sdump sorts multivalue attributes
o Arbitrary text mode for -csv which allows an attribute of header:value
o -rawsddl no longer requires -sddl
o Auto Ranging disabled for any attributes that are specified with a specific range.
o If no base is specified, assume -default
o mvfilter matching will be made without any modifier on the attribute
o All multiple values for a single attribute for -mvfilter/-mvnotfilter
o -binenc now does CURRENT encoding
o Added more attribs to -fullrootdse

o New Switches
   * rootdseanon
   * nirs
   * nirsx
   * writeable
   * sslignoresrvcert
   * mvsort
   * mvrsort
   * filterbreakdown
   * enccurrent
   * tdcd
   * inputdn

o New Shortcuts
   * admincountdmp
   * xrdump
   * dcdmp
   * adobjcnt
   * adamobjcnt
   * alldc+
   * users_disabled
   * users_nonexpiring
   * users_pwdnotreqd
   * users_accexpired
   * computers_disabled
   * computers_pwdnotreqd
   * computers_active
   * computers_inactive
   * schver
   * spn:xx
   * email:xx
   * site:xx
   * subnet:xx
   * syscrit
   * rodc_cachable
   * policies


1/8/2009

Windows Server 2008 AD Issue for NSPI

by @ 1:54 am. Filed under tech

Not really an issue, or at least it shouldn’t be: if something is generating more than 50 concurrent NSPI connections, it likely needs to be checked out anyway…

 

NSPI connections from Microsoft Outlook to a Windows Server 2008-based domain controller may fail with an error code: “MAPI_E_LOGON_FAILED”

This behavior occurs because Windows Server 2008 only allows for a default maximum of 50 concurrent NSPI connections per user to any domain controller. Additional NSPI connections are rejected with a MAPI_E_LOGON_FAILED error code.

See the whole support KB here --> http://support.microsoft.com/kb/949469


Update to Grandma’s Chocolate Syrup Recipe

by @ 1:41 am. Filed under recipes

My Grandma was shooting from the hip when I asked for this recipe

http://blog.joeware.net/2008/12/23/1554/

She found the “real” recipe and sent it along…

 

1 stick of oleo or butter
1/2 cup cocoa powder
2 cups of sugar
1 large can of carnation milk

 

Melt together oleo (or butter) & cocoa powder.
Add 2 cups sugar & a large can of carnation milk.
Cook at a slow boil about 10 min. or until thick. Store in fridge.
If you save jam or jelly jars & lids, you can boil them, then turn upside down on a towel to dry.
Pour hot fudge in & tighten lids; it will keep quite a while.


1/2/2009

Metadata info in AdFind

by @ 7:03 pm. Filed under tech

My recent post about getting Active Directory replication metadata has spawned a considerable number of emails. I wanted to take a moment and remind everyone of the help switch that specifically covers the replication metadata info. This usage screen in AdFind tells you the sort options available for each metadata attribute and what info is contained in each of the columns.

You can get that help by typing

adfind /meta?

Here is the latest version of that output…

F:\Dev\Current\CPP\AdFind\Debug>adfind /meta?

AdFind V01.39.00cpp ***BETA*** Joe Richards (joe@joeware.net) January 2009

-help         Basic help.
-?            Basic help.
-??           Advanced/Expert help.
-????         Shortcut help.
-sc?          Shortcut help.
-meta?        Metadata help.

Usage:
AdFind [switches] [-b basedn] [-f filter] [attr list]

   basedn        RFC 2253 DN to base search from.
                 If no base specified, defaults to default NC.
   filter        RFC 2254 LDAP filter.
                 If no filter specified, defaults to objectclass=*.
   attr list     List of specific attributes to return, if nothing specified
                 returns ‘default’ attributes, aka * set.

  Switches: (designated by - or /)

   MetaData Help
   =============
   AdFind has the ability to decode various metadata type attributes. These
   attributes can give information about replication status of the server
   itself or replication metadata for individual objects.

   These special attributes are normally returned from Active Directory in
   XML format. This is a bit bulky and can be tough to read without cleanup
   so I have added the ability decode the attributes and cut down the amount
   of data passed over the wire. Using the ;binary option when specifying an
   attribute causes AD to reformat certain attributes and send them across as
   binary blocks of data. When requesting the meta attributes outlined below
   if you do not specify the ;binary option, they will be returned in the
   native format, if you add the ;binary option, they will be returned in the
   alternate format and AdFind will decode the strings to its format.

   To further assist the ease of retrieving this information, see the shortcut
   usage menu via adfind /sc?

   MetaData Attributes
   -------------------
   msDS-ReplQueueStatistics  – RootDSE attribute
       Replication queue statistics. Output is labeled. No sort options.

   msDS-ReplPendingOps – RootDSE attribute
       Any replications operations currently in progress. Output is labeled.
       Default sort order is server return order. Sort options – dsa,date

   msDS-ReplConnectionFailures – RootDSE attribute
   msDS-ReplLinkFailures – RootDSE attribute
       Replication failure information. Output is labeled. Default sort order
       is by DSA. Sort options – dsa,date

   msDS-ReplAllInboundNeighbors – RootDSE attribute
   msDS-ReplAllOutboundNeighbors – RootDSE attribute
       Replication info for all direct neighbors. Output is labeled. Default
       sort order is by DSA. Sort options – dsa,date,nc,err

   msDS-TopQuotaUsage – RootDSE attribute
       Indicates the top object owners on a given server. Output is labeled.
       Default sort order is server return order. Sort options – nc,owner.

   msDS-NCReplInboundNeighbors – Naming Context attribute
   msDS-NCReplOutboundNeighbors – Naming Context attribute
       Replication for all direct neighbors for the specific NC. Output is
       labeled. Default sort order is by DSA. Sort options – dsa,date,nc,err

   msDS-NCReplCursors – Naming Context attribute
       Replication cursors by DSA by context. Output format:
            HighestUSN LastSyncTime DSA
       Default sort order is last sync time. Sort options – lastsync,dsa

   msDS-ReplAttributeMetaData – Object Level attribute
       Replication metadata for object. Output format:
             USNLocal DSA USNOrig Date/Time Version Attribute
       Default sort order is attribute. Sort options – DSA,date,usnloc,usnorig,ver

   msDS-ReplValueMetaData – Object Level attribute (FFL2+ only – i.e. LVR Replication)
       Replication value metadata for object. Output format:
             attribute USNLocal DSA USNOrig Date/Time Version State ObjectDN
       Default sort order is date. Sort options – attrib,obj,DSA,state,date,usnloc,usnorig,ver

   Sort Options
   ------------
   The decoded output for most of the metadata attributes can be sorted to various
   fields in the output. The specific fields for each attribute are listed with
   the description of the attributes. In order to change the sort field, use the
   -metasort switch. Specify the switch combined with the options specified above
   to change the sort order. If value has a dash (-) appended, the search order
   is reversed.

  Ex1:
    adfind -rootdse msDS-TopQuotaUsage;binary
      Get top 10 quota users in decoded format

  Ex2:
    adfind -b cn=someobject,ou=someou,dc=test,dc=loc -s base msDS-ReplAttributeMetaData;binary
      Get attribute metadata for specified object in decoded format

This software is Freeware. Use at your own risk.
I do not warrant this software to be fit for any purpose or use and
I do not guarantee that it will not damage or destroy your system.
Contact joe@joeware.net via email for licensing information to package
this utility in commercial products.

See full Warranty documentation on www.joeware.net.

If you have improvement ideas, bugs, or just wish to say Hi, I
receive email 24×7 and read it in a semi-regular timeframe.
You can usually find me at joe@joeware.net


Cool AdFind feature #49216

by @ 2:28 pm. Filed under tech

This is a new feature that I added to AdFind in this last version. Sometimes you look at a record and you want to quickly know the delta time between now and the time listed. I have added the -tdcd option to do that. By default it will handle the int8 values, but if you add the -tdcgt or -tdcgts switch it will handle generalized time as well.

Examples:

F:\Dev\Current\CPP\AdFind\Debug>adfind -e -default -f name=administrator -tdcd badpwasswordtime lastlogon lastlogoff pwdlastset lastlogontimestamp whencreated whenchanged

AdFind V01.39.00cpp ***BETA*** Joe Richards (joe@joeware.net) January 2009

Using server: TROUBLE-DC1.trouble.loc:389
Directory: Windows Server 2008
Base DN: DC=trouble,DC=loc

dn:CN=Administrator,CN=Users,DC=trouble,DC=loc
>whenCreated: 20080619161006.0Z
>whenChanged: 20081230012257.0Z
>lastLogoff: 0000/00/00-00:00:00 (UNDEFINED)
>lastLogon: 2008/12/30-11:06:29 Eastern Standard Time (-3 days 2 hours 17 minutes 47 seconds)
>pwdLastSet: 2008/12/29-20:22:57 Eastern Standard Time (-3 days 17 hours 1 minutes 20 seconds)
>lastLogonTimestamp: 2008/12/27-11:08:55 Eastern Standard Time (-6 days 2 hours 15 minutes 22 seconds)

1 Objects returned

And with generalized time decoded as well:

 

F:\Dev\Current\CPP\AdFind\Debug>adfind -e -default -f name=administrator -tdcgts -tdcd badpwasswordtime lastlogon lastlogoff pwdlastset lastlogontimestamp whencreated whenchanged

AdFind V01.39.00cpp ***BETA*** Joe Richards (joe@joeware.net) January 2009

Using server: TROUBLE-DC1.trouble.loc:389
Directory: Windows Server 2008
Base DN: DC=trouble,DC=loc

dn:CN=Administrator,CN=Users,DC=trouble,DC=loc
>whenCreated: 2008/06/19-11:10:06 Eastern Standard Time (-197 days 2 hours 14 minutes 26 seconds)
>whenChanged: 2008/12/29-20:22:57 Eastern Standard Time (-3 days 17 hours 1 minutes 35 seconds)
>lastLogoff: 0000/00/00-00:00:00 (UNDEFINED)
>lastLogon: 2008/12/30-11:06:29 Eastern Standard Time (-3 days 2 hours 18 minutes 3 seconds)
>pwdLastSet: 2008/12/29-20:22:57 Eastern Standard Time (-3 days 17 hours 1 minutes 35 seconds)
>lastLogonTimestamp: 2008/12/27-11:08:55 Eastern Standard Time (-6 days 2 hours 15 minutes 37 seconds)

1 Objects returned
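Added example, not AdFind's own code: the same kind of decode done by hand in Python, for both int8 values (100-nanosecond ticks since 1601-01-01 UTC) and generalized time, including the zero value that AdFind prints as UNDEFINED. The function names are hypothetical, the int8 numbers are constructed from the times displayed above, `NOW` is the instant implied by the deltas in the second run, and the `+` sign for future times is an assumption.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # "never" sentinel used by attributes such as accountExpires

# Assumed clock: 2009/01/02 13:24:32 Eastern, back-computed from the deltas above.
NOW = datetime(2009, 1, 2, 18, 24, 32, tzinfo=timezone.utc)

# Constructed raw values matching the decoded times printed in the output above.
SAMPLE = {
    "whenCreated": "20080619161006.0Z",
    "lastLogoff": "0",
    "pwdLastSet": "128750737770000000",
    "lastLogonTimestamp": "128748677350000000",
}

def int8_to_datetime(value):
    """Return a UTC datetime, or None for the 0 / 'never' sentinels."""
    value = int(value)
    if value in (0, NEVER):
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)

def generalized_to_datetime(text):
    """Parse the YYYYMMDDhhmmss.0Z form that AD returns."""
    return datetime.strptime(text, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)

def format_delta(then, now):
    """Render then-minus-now in the 'days hours minutes seconds' style shown above."""
    seconds = int((then - now).total_seconds())
    sign = "-" if seconds < 0 else "+"  # '+' for future times is an assumption
    days, rem = divmod(abs(seconds), 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{sign}{days} days {hours} hours {minutes} minutes {secs} seconds"

def describe(raw, now):
    """Decode either syntax and append the delta; times are shown in UTC."""
    raw = str(raw)
    when = generalized_to_datetime(raw) if raw.endswith("Z") else int8_to_datetime(raw)
    if when is None:
        return "UNDEFINED"
    return f"{when:%Y/%m/%d-%H:%M:%S} UTC ({format_delta(when, now)})"

def older_than(raw, now, days):
    """True when the int8 timestamp is unset or more than `days` old."""
    when = int8_to_datetime(raw)
    return when is None or now - when > timedelta(days=days)

if __name__ == "__main__":
    for name, raw in SAMPLE.items():
        print(f">{name}: {describe(raw, NOW)}")
```
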


So where is AdFind???

by @ 2:19 pm. Filed under tech

Sorry folks, haven’t released adfind yet, still testing and checking it out. Amongst other things, I have found some new constants in some of the binary flags to decode for Windows Server 2008 when I was testing that I needed to get into the tool because I hate seeing things like

F:\Dev\Current\CPP\AdFind\Debug>adfind -rootdse msds-replallinboundneighbors;binary -h trouble-rodc1

AdFind V01.39.00cpp ***BETA*** Joe Richards (joe@joeware.net) January 2009

Using server: TROUBLE-RODC1.trouble.loc:389
Directory: Windows Server 2008

dn:
>msDS-ReplAllInboundNeighbors;binary: ConsecFails: 0      LastResult: 0      LastAttempt: 2009/01/02-10:46:20       LastSuccess: 2009/01/02-10:46:20      DSA: Default-First-Site-Name\TROUBLE-DC2 NC: CN=Configuration,DC=trouble,DC=loc Flags: 805311552 [SCHEDULED(64),COMPRESS(268435456),NO_CHG_NOTIFY(536870912),UNKNOWN(5120)] Address: b044ea44-36db-4c43-805b-8c38fb10fb71._msdcs.trouble.loc LastError: "The operation completed successfully."
>msDS-ReplAllInboundNeighbors;binary: ConsecFails: 0      LastResult: 0      LastAttempt: 2009/01/02-10:46:20       LastSuccess: 2009/01/02-10:46:20      DSA: Default-First-Site-Name\TROUBLE-DC2 NC: CN=Schema,CN=Configuration,DC=trouble,DC=loc Flags: 805311552 [SCHEDULED(64),COMPRESS(268435456),NO_CHG_NOTIFY(536870912),UNKNOWN(5120)] Address: b044ea44-36db-4c43-805b-8c38fb10fb71._msdcs.trouble.loc LastError: "The operation completed successfully."
>msDS-ReplAllInboundNeighbors;binary: ConsecFails: 0      LastResult: 0      LastAttempt: 2009/01/02-10:46:20       LastSuccess: 2009/01/02-10:46:20      DSA: Default-First-Site-Name\TROUBLE-DC2 NC: DC=trouble,DC=loc Flags: 805311552 [SCHEDULED(64),COMPRESS(268435456),NO_CHG_NOTIFY(536870912),UNKNOWN(5120)] Address: b044ea44-36db-4c43-805b-8c38fb10fb71._msdcs.trouble.loc LastError: "The operation completed successfully."

1 Objects returned

I much prefer

F:\Dev\Current\CPP\AdFind\Debug>adfind -rootdse msds-replallinboundneighbors;binary -h trouble-rodc1

AdFind V01.39.00cpp ***BETA*** Joe Richards (joe@joeware.net) January 2009

Using server: TROUBLE-RODC1.trouble.loc:389
Directory: Windows Server 2008

dn:
>msDS-ReplAllInboundNeighbors;binary: ConsecFails: 0      LastResult: 0      LastAttempt: 2009/01/02-10:46:20       LastSuccess: 2009/01/02-10:46:20      DSA: Default-First-Site-Name\TROUBLE-DC2 NC: CN=Configuration,DC=trouble,DC=loc Flags: 805311552 [SCHEDULED(64),FULL_REPLICA(1024),SELECT_SECRETS(4096),COMPRESS(268435456),NO_CHG_NOTIFY(536870912)] Address: b044ea44-36db-4c43-805b-8c38fb10fb71._msdcs.trouble.loc LastError: "The operation completed successfully."
>msDS-ReplAllInboundNeighbors;binary: ConsecFails: 0      LastResult: 0      LastAttempt: 2009/01/02-10:46:20       LastSuccess: 2009/01/02-10:46:20      DSA: Default-First-Site-Name\TROUBLE-DC2 NC: CN=Schema,CN=Configuration,DC=trouble,DC=loc Flags: 805311552 [SCHEDULED(64),FULL_REPLICA(1024),SELECT_SECRETS(4096),COMPRESS(268435456),NO_CHG_NOTIFY(536870912)] Address: b044ea44-36db-4c43-805b-8c38fb10fb71._msdcs.trouble.loc LastError: "The operation completed successfully."
>msDS-ReplAllInboundNeighbors;binary: ConsecFails: 0      LastResult: 0      LastAttempt: 2009/01/02-10:46:20       LastSuccess: 2009/01/02-10:46:20      DSA: Default-First-Site-Name\TROUBLE-DC2 NC: DC=trouble,DC=loc Flags: 805311552 [SCHEDULED(64),FULL_REPLICA(1024),SELECT_SECRETS(4096),COMPRESS(268435456),NO_CHG_NOTIFY(536870912)] Address: b044ea44-36db-4c43-805b-8c38fb10fb71._msdcs.trouble.loc LastError: "The operation completed successfully."

1 Objects returned

Don’t worry… it is coming soon. 🙂

 

   joe
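Added example, not AdFind's code: a Python sketch of the bit-flag decoding that the two outputs above illustrate, showing how bits missing from the lookup table collapse into a single UNKNOWN value and how to split that residue into the individual constants that still need names. The flag names and values are taken from the outputs above; the function names and the shortened sample line are constructed.

```python
import re

# Flag tables built only from the names and values printed in the outputs above.
OLD_TABLE = {64: "SCHEDULED", 268435456: "COMPRESS", 536870912: "NO_CHG_NOTIFY"}
NEW_TABLE = {**OLD_TABLE, 1024: "FULL_REPLICA", 4096: "SELECT_SECRETS"}

# Constructed sample: one output line from above, shortened to the relevant fields.
SAMPLE_LINE = (">msDS-ReplAllInboundNeighbors;binary: ConsecFails: 0 "
               "NC: DC=trouble,DC=loc Flags: 805311552 [SCHEDULED(64)]")

def extract_flags(line):
    """Pull the raw integer after 'Flags:' out of a decoded output line."""
    match = re.search(r"Flags: (\d+)", line)
    return int(match.group(1)) if match else None

def decode_flags(value, table):
    """Render 'value [NAME(bit),...]', with leftover bits as UNKNOWN(n)."""
    parts, remaining = [], value
    for bit in sorted(table):
        if value & bit:
            parts.append(f"{table[bit]}({bit})")
            remaining &= ~bit
    if remaining:
        parts.append(f"UNKNOWN({remaining})")
    return f"{value} [{','.join(parts)}]"

def unknown_bits(value, table):
    """List each set bit that has no name in the table."""
    known = 0
    for bit in table:
        known |= bit
    residue = value & ~known
    return [1 << i for i in range(residue.bit_length()) if residue >> i & 1]

if __name__ == "__main__":
    flags = extract_flags(SAMPLE_LINE)
    print(decode_flags(flags, OLD_TABLE))
    print("bits to look up:", unknown_bits(flags, OLD_TABLE))
    print(decode_flags(flags, NEW_TABLE))
```
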


1/1/2009

Happy New Year!

by @ 3:04 am. Filed under general

Happy New Year everyone.

Let’s hope for a much better year this year than the last. 🙂

and just think… Next year it will be 2010… Unbelievable to me… I still feel like the year 2000 vigil just happened and that was so long ago…

