Active Directory is now an adult. It RTM’ed 18 years ago today, December 15th 1999.
As I find myself digging through the AdMod source code adding functionality and fixing small bugs here and there I realize that someone much smarter than I wrote the original version. And paradoxically I am the only one who has ever seen, let alone touched, this source code…
Back when I was writing a lot of this code I got to spend 4-5 hours a night for weeks on end working on it so I could become one with the code. That is much more difficult now that I have moved up in responsibility at work and taken on additional tasks at home.
All in all… It is quite amazing what the ability to focus on something for an extended time can do for your intelligence level regarding that something.
I am kind of in awe of the power I put into the tool, if you really are familiar with the switches etc. Especially all of the CSV/Variable Expansion stuff. It is so rare that I even use it to the full level of which it is capable.
joe
AdMod work is coming along nicely…
E:\DEV\cpp\vs\AdMod\Debug>adfind -hh . -partitions -s base -alldc
AdFind V01.51.00cpp Joe Richards (support@joeware.net) October 2017
Using server: elitebook:389
Directory: Windows Server 2016 ADLDS
Base DN: CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
dn:CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> objectClass: top
> objectClass: crossRefContainer
> cn: Partitions
> distinguishedName: CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> instanceType: 4 [WRITABLE(4)]
> whenCreated: 2017/02/05-15:56:25 Eastern Standard Time
> whenChanged: 2017/11/11-20:37:43 Eastern Standard Time
> uSNCreated: 4112
> uSNChanged: 94236
> showInAdvancedViewOnly: TRUE
> name: Partitions
> objectGUID: {9F28B3F2-2E0A-4814-B94A-E0D0825DE4CC}
> fSMORoleOwner: CN=NTDS Settings,CN=ELITEBOOK$BASIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> systemFlags: -2147483648 [NO_DELETE(2147483648)]
> objectCategory: CN=Cross-Ref-Container,CN=Schema,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> dSCorePropagationData: 1601/01/01-00:00:00 UTC
> msDS-Behavior-Version: 3 [Windows Server 2008 Mode]
1 Objects returned
[Sat 11/11/2017 20:40:27.31]
E:\DEV\cpp\vs\AdMod\Debug>adfind -hh . -partitions -s base -dsq | admod -hh . msDS-Behavior-Version::7 -exterr
Visual Leak Detector read settings from: E:\DEV\cpp\vs\AdMod\Debug\vld.ini
AdMod V01.20.00cpp **BETA** Joe Richards (support@joeware.net) November 2017
DN Count: 1
Using server: elitebook:389
Directory: Windows Server 2016 ADLDS
Modifying specified objects…
DN: CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}…
The command completed successfully
[Sat 11/11/2017 20:40:39.19]
E:\DEV\cpp\vs\AdMod\Debug>adfind -hh . -partitions -s base -alldc
AdFind V01.51.00cpp Joe Richards (support@joeware.net) October 2017
Using server: elitebook:389
Directory: Windows Server 2016 ADLDS
Base DN: CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
dn:CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> objectClass: top
> objectClass: crossRefContainer
> cn: Partitions
> distinguishedName: CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> instanceType: 4 [WRITABLE(4)]
> whenCreated: 2017/02/05-15:56:25 Eastern Standard Time
> whenChanged: 2017/11/11-20:40:38 Eastern Standard Time
> uSNCreated: 4112
> uSNChanged: 94237
> showInAdvancedViewOnly: TRUE
> name: Partitions
> objectGUID: {9F28B3F2-2E0A-4814-B94A-E0D0825DE4CC}
> fSMORoleOwner: CN=NTDS Settings,CN=ELITEBOOK$BASIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> systemFlags: -2147483648 [NO_DELETE(2147483648)]
> objectCategory: CN=Cross-Ref-Container,CN=Schema,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> dSCorePropagationData: 1601/01/01-00:00:00 UTC
> msDS-Behavior-Version: 7 [Windows Server 2016 Mode]
1 Objects returned
[Sat 11/11/2017 20:40:41.18]
E:\DEV\cpp\vs\AdMod\Debug>admod -hh . -sc enablerecyclebin
Visual Leak Detector read settings from: E:\DEV\cpp\vs\AdMod\Debug\vld.ini
AdMod V01.20.00cpp **BETA** Joe Richards (support@joeware.net) November 2017
Modifying ROOTDSE…
DN Count: 1
Using server: elitebook:389
Directory: Windows Server 2016 ADLDS
Modifying specified objects…
DN: ROOTDSE…
The command completed successfully
[Sat 11/11/2017 20:41:14.03]
E:\DEV\cpp\vs\AdMod\Debug>adfind -hh . -partitions -s base -alldc
AdFind V01.51.00cpp Joe Richards (support@joeware.net) October 2017
Using server: elitebook:389
Directory: Windows Server 2016 ADLDS
Base DN: CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
dn:CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> objectClass: top
> objectClass: crossRefContainer
> cn: Partitions
> distinguishedName: CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> instanceType: 4 [WRITABLE(4)]
> whenCreated: 2017/02/05-15:56:25 Eastern Standard Time
> whenChanged: 2017/11/11-20:41:13 Eastern Standard Time
> uSNCreated: 4112
> uSNChanged: 94239
> showInAdvancedViewOnly: TRUE
> name: Partitions
> objectGUID: {9F28B3F2-2E0A-4814-B94A-E0D0825DE4CC}
> fSMORoleOwner: CN=NTDS Settings,CN=ELITEBOOK$BASIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> systemFlags: -2147483648 [NO_DELETE(2147483648)]
> objectCategory: CN=Cross-Ref-Container,CN=Schema,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> dSCorePropagationData: 1601/01/01-00:00:00 UTC
> msDS-Behavior-Version: 7 [Windows Server 2016 Mode]
> msDS-EnabledFeature: CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
1 Objects returned
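The three adfind queries above show the Partitions container before and after the functional level is raised and the Recycle Bin feature is enabled. As an added example (not part of the original post or of the joeware tools), this parses AdFind's `> attribute: value` output and reports the functional level, whether the Recycle Bin optional feature is listed in msDS-EnabledFeature, and whether the level is high enough for it; the excerpts are constructed from the sessions above with the configuration GUID shortened to a `<CONFIG>` placeholder.

```python
# msDS-Behavior-Version values and the mode labels AdFind decodes them to
BEHAVIOR_MODES = {0: "Windows 2000 Mode", 1: "Windows Server 2003 Interim Mode",
                  2: "Windows Server 2003 Mode", 3: "Windows Server 2008 Mode",
                  4: "Windows Server 2008 R2 Mode", 5: "Windows Server 2012 Mode",
                  6: "Windows Server 2012 R2 Mode", 7: "Windows Server 2016 Mode"}
RECYCLE_BIN_RDN = "CN=Recycle Bin Feature,"
MIN_LEVEL_FOR_RECYCLE_BIN = 4   # the Recycle Bin optional feature needs 2008 R2 level or higher

def parse_adfind(text):
    """Return {dn: {attribute: [values]}}; multi-valued attributes keep every value."""
    objects, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("dn:"):
            current = objects.setdefault(line[3:].strip(), {})
        elif line.startswith(">") and current is not None:
            attr, _, value = line[1:].partition(":")   # split on the first colon only
            current.setdefault(attr.strip(), []).append(value.strip())
    return objects

def decoded_int(value):
    """AdFind appends its decode in brackets ('7 [Windows Server 2016 Mode]'); keep the number."""
    return int(value.split()[0])

def check_partitions(text):
    """Summarise the single Partitions object returned by a '-partitions -s base' query."""
    (attrs,) = parse_adfind(text).values()
    level = decoded_int(attrs["msDS-Behavior-Version"][0])
    enabled = attrs.get("msDS-EnabledFeature", [])
    return {"level": level,
            "mode": BEHAVIOR_MODES.get(level, "unknown"),
            "recycle_bin_enabled": any(f.startswith(RECYCLE_BIN_RDN) for f in enabled),
            "recycle_bin_possible": level >= MIN_LEVEL_FOR_RECYCLE_BIN}

# Constructed excerpts of the first and last sessions above (GUID replaced by <CONFIG>)
BEFORE = """dn:CN=Partitions,CN=Configuration,CN=<CONFIG>
> objectClass: top
> objectClass: crossRefContainer
> uSNChanged: 94236
> msDS-Behavior-Version: 3 [Windows Server 2008 Mode]
1 Objects returned"""
AFTER = """dn:CN=Partitions,CN=Configuration,CN=<CONFIG>
> uSNChanged: 94239
>msDS-Behavior-Version: 7 [Windows Server 2016 Mode]
> msDS-EnabledFeature: CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN=<CONFIG>
1 Objects returned"""
```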
…AdMod just compiled start to finish under Visual Studio 2017…
Only 3 evenings of fixing compiler errors and linker errors!
I mean the code base is a lot smaller than AdFind (I like it smaller because it is doing more critical things, namely changing stuff in AD), but still I expected at least a full week of evenings before a successful compile.
joe
Started the port of AdMod from C++ Builder to Visual Studio 2017… This will be much more difficult and involved than AdFind, no room for mistakes in AdMod since it actually changes things. I need to get this done though, using DSACLS to update security descriptors in AD pisses me off every single time I do it which is way too much right now.
//* V01.20.00 2017.10.31 10/31 o Started port to Visual Studio *
I have released AdFind V01.51.00.
This release has a group of fixes for bugs and memory leaks that I found over the last couple of months, related to the port/conversion to Visual Studio C++.
In addition I have added quite a few attributes to the list of decoded attributes including wellKnownObjects, dSASignature, several Exchange attributes, and msDS-TrustForestTrustInfo which I previously reported helped me find a bug in NETDOM.
I have worked to squeeze some more speed out of it for larger directory queries and around SID resolution which seems to be especially noticeable over slow VPN connections. If you ever resolve the SIDs in the tokengroups attribute you should find a considerable increase in performance. Using this daily I have seen very large tokengroups lists go from taking a couple of minutes to resolve over VPN to taking only seconds.
A kind of funny item that I “fixed”, and that I never expected to generate the email volume I have received, was the main ICON for the application. When I switched to Visual Studio the main ICON that was used for the executable in the past changed from the previous ICON (auto inserted by C++ Builder) to a generic application ICON. I have dug the main ICON out of V01.49.00 and added it to the application again, so please no more emails about the missing ICON.
I have added several new switches including:
-ametanl, -vmetanl : metadata switches to control how the output looks
-metamvcsv, -metamvcsva, -metamvcsvv : switches to further control metadata output allowing you to specify which fields and outputs in MV CSV format.
-jsd, -jsdnl, -jsde, -jsdenl, -sddl+++/-sddc+++, -sddl3 : Security Descriptor decode switches.
-adminrootdse : Additional rootdse attributes that are only available to admins.
Added several shortcuts including:
cexplaces,caclnoinherit: Security Descriptor shortcuts (guess what I have been doing a lot of lately?)
structdmp/dump : Best effort dump of general AD container structure.
fgpps/psos : Dump Password Settings Objects
Get AdFind V01.51.00 at http://www.joeware.net/freetools/tools/adfind
joe
…AdFind V01.51.00.
Visual Leak Detector is very cool. Great open source project. It is on CodePlex (https://vld.codeplex.com/) but since that is shutting down it appears to have moved to GitHub (https://github.com/developkits/VisualLeakDetector).
The latest version (2.5.1) didn’t originally work fully with Visual Studio. By default it only listed offsets versus full function names and line numbers.
Luckily I found a real useful post on CodePlex that explained how to “fix” it at https://vld.codeplex.com/discussions/662076.
Basically you need to copy the new VS2017 dbghelp.dll files to the proper folders.
Specifically look in the folder
%ProgramFiles(x86)%\Microsoft Visual Studio\2017\<VERSION>\Common7\IDE\CommonExtensions\Microsoft\TestWindow\Extensions\CppUnitFramework
for dbghelp.dll (32 bit version) and x64\dbghelp.dll (64 bit version)
and copy them to
%ProgramFiles(x86)%\Visual Leak Detector\bin\Win32 (32 bit version)
and
%ProgramFiles(x86)%\Visual Leak Detector\bin\Win64 (64 bit version)
DO NOT DO IT!
JUST STOP!
DON’T!!!
NO!!!
It is such a bad idea and it isn’t security. You want security, clean up access rights so the wrong people can’t modify the groups in the first place. If you don’t trust your admins, you need to fire them and get admins you do trust.
Here is what Microsoft has to say about it:
Managing membership of Domain Groups by using Restricted Groups
Microsoft does not support using Restricted Groups in this scenario. Restricted Groups is a client configuration means and cannot be used with Domain Groups. Restricted Groups is designed specifically to work with Local Groups. Domain objects have to be managed within traditional AD tools. Therefore, we do not plan currently to add or support using Restricted Groups as a way to manage Domain Groups.
https://support.microsoft.com/en-us/help/279301/description-of-group-policy-restricted-groups
Seriously… Don’t do it.
joe
A bit of a bug there Microsoft…
[Fri 09/22/2017 22:50:53.57]
C:\>netdom trust k16tst.test.loc /namesuffixes:k16tst2.test.loc
Name, Type, Status, Notes
1. *.hello.k16tst2.test.loc, Exclusion
2. *.k16tst2.test.loc, Name Suffix, Admin-Disabled
3. k16tst2.test.loc, Domain DNS name, Enabled
4. K16TST2, Domain NetBIOS name, Admin-Disabled, For k16tst2.test.loc
5. s-1-5-21-2034487785–2134286760–1379125265, Domain SID, Admin-Disabled, For k16tst2.test.loc
The command completed successfully.
VERSUS
[Fri 09/22/2017 22:26:24.74]+
E:\DEV\cpp\vs\AdFind>release\adfind -f objectclass=trusteddomain msds-trustforesttrustinfo -samdc
AdFind V01.51.00cpp (beta) Joe Richards (support@joeware.net) September 2017
Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server 2016
Base DN: DC=k16tst,DC=test,DC=loc
dn:CN=k16tstchld.k16tst.test.loc,CN=System,DC=k16tst,DC=test,DC=loc
dn:CN=k16tst2.test.loc,CN=System,DC=k16tst,DC=test,DC=loc
> msDS-TrustForestTrustInfo: Version=1 Entries=3
> msDS-TrustForestTrustInfo: Record=0 Type=TLN_EXCL Flags=0 TopLevelName=hello.k16tst2.test.loc
> msDS-TrustForestTrustInfo: Record=1 Type=TLN_INCL Flags=2 TopLevelName=k16tst2.test.loc [TLN_DISABLED_ADMIN]
> msDS-TrustForestTrustInfo: Record=2 Type=DOMINF Flags=5 DNSName=k16tst2.test.loc NetBIOSName=K16TST2 [NB_DISABLED_ADMIN] SID=S-1-5-21-2034487785-2160680536-2915842031 [SID_DISABLED_ADMIN]
2 Objects returned
Where do you ask??
5. s-1-5-21-2034487785–2134286760–1379125265, Domain SID, Admin-Disabled, For k16tst2.test.loc
> msDS-TrustForestTrustInfo: Record=2 Type=DOMINF Flags=5 DNSName=k16tst2.test.loc NetBIOSName=K16TST2 [NB_DISABLED_ADMIN] SID=S-1-5-21-2034487785-2160680536-2915842031 [SID_DISABLED_ADMIN]
[Fri 09/22/2017 22:26:40.65]+
E:\DEV\cpp\vs\AdFind>sidtoname S-1-5-21-2034487785-2160680536-2915842031 k16tst.test.loc
SidToName V02.00.00cpp Joe Richards (joe@joeware.net) March 2003
[Domain]: K16TST2
The command completed successfully.
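The comparison above only works because AdFind decodes msDS-TrustForestTrustInfo from its binary form, so the SID recorded in AD can be checked against what netdom prints. As an added example (not code from the original post or from AdFind), this decodes that blob into the same record types and flag names shown above; the layout (version, record count, then per record RecordLen, Flags, 64-bit Timestamp, one type byte and a type-specific body) follows MS-ADTS FOREST_TRUST_INFO as I understand it, and the sample bytes are constructed to reproduce the three records in the k16tst2.test.loc trust rather than captured from a directory.

```python
import struct

RECORD_TYPES = {0: "TLN_INCL", 1: "TLN_EXCL", 2: "DOMINF"}
TLN_FLAGS = {1: "TLN_DISABLED_NEW", 2: "TLN_DISABLED_ADMIN", 4: "TLN_DISABLED_CONFLICT"}
DOM_FLAGS = {1: "SID_DISABLED_ADMIN", 2: "SID_DISABLED_CONFLICT",
             4: "NB_DISABLED_ADMIN", 8: "NB_DISABLED_CONFLICT"}

def sid_to_string(raw):
    """Binary SID -> 'S-1-5-21-...': revision, sub-authority count, 48-bit
    big-endian identifier authority, then little-endian uint32 sub-authorities."""
    subs = struct.unpack_from("<%dI" % raw[1], raw, 8)
    return "S-%d-%d" % (raw[0], int.from_bytes(raw[2:8], "big")) + "".join("-%d" % s for s in subs)

def _lstr(buf, off):
    """uint32 length followed by that many UTF-8 bytes; returns (text, next offset)."""
    (n,) = struct.unpack_from("<I", buf, off)
    return buf[off + 4:off + 4 + n].decode("utf-8"), off + 4 + n

def parse_forest_trust_info(blob):
    """Return [(record type, [flag names], {fields})] for every record in the blob."""
    _version, count = struct.unpack_from("<II", blob, 0)
    off, records = 8, []
    for _ in range(count):
        rec_len, flags = struct.unpack_from("<II", blob, off)
        rec_type = blob[off + 16]   # RecordLen(4) Flags(4) Timestamp(8) precede the type byte
        body, fields = off + 17, {}
        if rec_type in (0, 1):      # top-level name record (included / excluded)
            fields["TopLevelName"], _ = _lstr(blob, body)
            names = TLN_FLAGS
        else:                       # domain info: SidLen, Sid, DnsName, NetbiosName
            (sid_len,) = struct.unpack_from("<I", blob, body)
            fields["SID"] = sid_to_string(blob[body + 4:body + 4 + sid_len])
            fields["DNSName"], nxt = _lstr(blob, body + 4 + sid_len)
            fields["NetBIOSName"], _ = _lstr(blob, nxt)
            names = DOM_FLAGS
        records.append((RECORD_TYPES[rec_type], [n for b, n in names.items() if flags & b], fields))
        off += 4 + rec_len          # RecordLen does not count the RecordLen field itself
    return records

# --- constructed sample reproducing the three records AdFind decoded above ---
def _lp(data):
    return struct.pack("<I", len(data)) + data
def _rec(rec_type, flags, body):
    rest = struct.pack("<IQB", flags, 0, rec_type) + body   # Timestamp left as zero
    return struct.pack("<I", len(rest)) + rest
SID_BYTES = bytes([1, 4]) + (5).to_bytes(6, "big") + struct.pack("<4I", 21, 2034487785, 2160680536, 2915842031)
SAMPLE_BLOB = struct.pack("<II", 1, 3) + (
    _rec(1, 0, _lp(b"hello.k16tst2.test.loc")) +
    _rec(0, 2, _lp(b"k16tst2.test.loc")) +
    _rec(2, 5, _lp(SID_BYTES) + _lp(b"k16tst2.test.loc") + _lp(b"K16TST2")))
```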