joeware - never stop exploring... :)

In one of my old posts (September 2005) I had some vbscript code to convert an octet string GUID to a friendly GUID string. Well I recently received an email from fellow MVP Michael Smith letting me know he found a bug and a new function that was corrected.

First thought in my mind was… NFW. I am exceedingly careful about things I post, especially code/scripts. But I knew that I had a good function because I used it all over the place and it always aligned with AdFind output…

So I copied from the blog entry and mine and his function into a script and fired in an octet string GUID and sure enough, my function screwed up and his worked…

So I went to one of my scripts that used this function heavily and was used Active Directory Third Edition for decoding Security Descriptors because by darn, if my function was broken that meant that was wrong in the book too which would REALLY SUCK.

I ran the sdlist.vbs script and it worked perfectly fine… So I look again at my function in the test script and I look at the function in sdlist.vbs and they looked the same for all of the logic… wtf…

I copy both functions into separate text files and run windiff against them and get

And think well shoot, so my spacing is off… I see that all the time when doing compares like that… So who cares that isn’t going to hurt the script so I go over the logic in the script line by line and the logic is identical…. <BLINK>IDENTICAL</BLINK>.

I start getting very frustrated because I figure I am not seeing something obvious because of a massive headache I have been fighting off all day…

On the third pass through the script I notice one small thing… the function I posted previously had this line

str = “”

the function in sdlist.vbs had this line

str = ” “

Do you see it??? One bloody space character…. ASCII 32/0x20…. $^%$#^&*(@%$#

What difference does that single space make?

G:\Temp>guidc1
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Object DN     : OU=Users,OU=My,DC=test,DC=loc
String GUID   : ba1ee8b7248b34408c34841740211a81
BLOG POST Func: {728BEEA1-B348-0844-C348-41740211A81}
Michael Func  : {B7E81EBA-8B24-4034-8C34-841740211A81}
sdlist Func   : {B7E81EBA-8B24-4034-8C34-841740211A81}

and here is the actual answer

G:\Temp>adfind -b OU=Users,OU=My,DC=test,DC=loc objectguid -s base

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:OU=Users,OU=My,DC=test,DC=loc
>objectGUID: {B7E81EBA-8B24-4034-8C34-841740211A81}

1 Objects returned

 

So here is the updated and correct script, this time copied and pasted straight out of sdlist.vbs which is on page 649 of Active Directory Third Edition.

‘****************************************************************************
‘Convert a binary GUID to a string GUID
‘   Convert GUID octet string to Hex characters then arrange in proper order
‘   and add brackets {}
‘****************************************************************************
Function GuidToStr(Guid)
  Dim i, str
  str = ” “
  For i = 1 To Lenb(Guid)
    str = str & Right(“0” & Hex(Ascb(Midb(Guid, i, 1))), 2)
  Next
  GuidToStr = “{“
  For i = 1 to 4
    GuidToStr = GuidToStr & Mid(str,10-(i*2),2)
  Next
  GuidToStr = GuidToStr & “-“
  For i = 1 to 2
    GuidToStr = GuidToStr & Mid(str,14-(i*2),2)
  Next
  GuidToStr = GuidToStr & “-“
  For i = 1 to 2
    GuidToStr = GuidToStr & Mid(str,18-(i*2),2)
  Next
  GuidToStr = GuidToStr & “-“
  For i = 1 to 2
    GuidToStr = GuidToStr & Mid(str,16+(i*2),2)
  Next
  GuidToStr = GuidToStr & “-“
  For i = 1 to 6
    GuidToStr = GuidToStr & Mid(str,20+(i*2),2)
  Next
  GuidToStr = GuidToStr & “}”
End Function

For completeness and since he went through the trouble of figuring it out and sending it to me… here is Michael’s version as well. You will note he solved it by changing the start points of the MID function in each line. Both solutions work equally well. I would say I probably prefer his version. Less chance for mistake obviously. 🙂

‘****************************************************************************
‘Convert a binary GUID to a string GUID
‘   Convert GUID octet string to Hex characters then arrange in proper order
‘   and add brackets {}
‘****************************************************************************

Function GuidToStr(Guid)
  Dim i, str
  str = “”
  For i = 1 To Lenb(Guid)
    str = str & Right(“0” & Hex(Ascb(Midb(Guid, i, 1))), 2)
  Next
  GuidToStr = “{“
  For i = 1 to 4
    GuidToStr = GuidToStr & Mid(str,9-(i*2),2)
  Next
  GuidToStr = GuidToStr & “-“
  For i = 1 to 2
    GuidToStr = GuidToStr & Mid(str,13-(i*2),2)
  Next
  GuidToStr = GuidToStr & “-“
  For i = 1 to 2
    GuidToStr = GuidToStr & Mid(str,17-(i*2),2)
  Next
  GuidToStr = GuidToStr & “-“
  For i = 1 to 2
    GuidToStr = GuidToStr & Mid(str,15+(i*2),2)
  Next
  GuidToStr = GuidToStr & “-“
  For i = 1 to 6
    GuidToStr = GuidToStr & Mid(str,19+(i*2),2)
  Next
  GuidToStr = GuidToStr & “}”
End Function

 

   joe

In my previous article on DN formats (http://blog.joeware.net/2008/05/03/1226/) I talked about the various Base DN shortcut formats available and hinted that AdFind has some shortcuts of its own. To me these are all, well they aren’t even second nature because I use them almost exclusively. I am bringing it up because even people who use AdFind a lot have watched me or my friends use AdFind and see them and say “Wow I had no idea… AdFind is cool.” Indeed. 🙂

The idea behind the shortcut bases was to be able to write generic scripts where I didn’t have to first work out the DNs so submit the AdFind queries. This way I can tell someone, well I need to see what your uPNSuffixes attribute looks like, run this command

adfind -partitions -s base upnsuffixes

and it will work in every forest period. I know there are consultants and support professionals everywhere that love me for that one… It can literally save a 5 minute conversation on how to find that spot in the directory.

So here are the shortcuts currently in the publicly available version of AdFind (V01.37.00) from the usage screen (adfind /??)

-null         Use null base.
-root         Determine and use root partition for BaseDN.
-config       Determine and use configuration partition for BaseDN.
-schema       Determine and use schema partition for BaseDN.
-default      Determine and use default partition for BaseDN.
-rb xx        Relative Base, use with special BaseDN’s above.
                  So you could specify -default and -rb cn=users.
-forestdns    Use ForestDNS NDNC for base.
-domaindns    Use DomainDNS NDNC for base.
-dcs          Use Domain Controllers container of default domain for base.
-gpo          Use System Policies container of default domain for base.
-psocontainer Use PSO Container of default domain for base.
-ldappolicy   Use Ldap Query Policies container for base.
-xrights      Use Extended Rights container for base.
-partitions   Use Partitions container for base.
-sites        Use Sites container for base.
-subnets      Use Subnets container for base.
-exch         Use Exchange Services container for base.
-fsps         Use Foreign Security Principals container for base.

Quick descriptions

-null : Null base or Base = “”

-root : DN to the root domain of the forest

-config : DN to the configuration container of the forest

– schema : DN to the schema container of the forest

-default : DN to the default domain for the DC contacted. For ADAM this will select the first App Partition unless a default app partition is defined in ADAM (see msDS-defaultNamingContext).

-rb xx : Now this is a cool little feature that lets you specify a special shortcut base but then prepend some more onto the DN that is used for that. So for example say I want the domain controllers OU of the default domain I would specify -default -rb “OU=Domain Controllers” and AdFind will determine the default domain DN and then prepend “OU=Domain Controllers,” to is to you get the whole DN to the Domain Controllers OU. 

-forestdns : DN to the ForestDNS Application Partition

-domaindns : DN to the DomainDNS Application Partition

-dcs : DN to the Domain Controllers OU – so you don’t have to type that long -default -rb “OU=Domain Controllers” mentioned above. 😉

-gpo : DN to the System Policies Container

-psocontainer : DN to the Password Settings Object Container (Windows Server 2008 obviously…)

-ldappolicy : DN to the LDAP Query Policies container in the configuration partition

-xrights : DN to the Extended Rights container in the configuration partition

-partitions : DN to the partitions container in the configuration partition

-sites : DN to the sites container in the configuration partition

-subnets : DN to the subnets container in the configuration partition

-exch : DN to the Exchange container in the configuration partition

-fsps : DN for the Foreign Security Principals container  

 

There is also a special shortcut base I have that doesn’t fit exactly in with the above, that is -gcb. That is the combination of the -gc and -null switches so it sets you up to search the GC at the base of the forest.

Cool right?

So Active Directory can do some cool things around distinguishedNames (DNs) that many developers even this long into the availability of the product don’t know or take advantage of. I mention this because yet again I ran into a case where some developer/application integrator was unhappy about how easy it is to move users around in the hierarchy of Active Directory because it made it difficult to bind to the userid…

Now I expect most AD Admins probably don’t think twice about this but anyone who has come from other LDAP directory platforms have a more “that DN better not EVER change” attitude… Why? Because for their bind IDs they need to know the exact DN or else they can’t bind. Trouble that eh?

Bind Formats

So the first thing we will discuss is the “DN” formats available for binding. AD only offers one format that could honestly be called a DN format, but since the term most often used in applications and in general discussion is Bind DN I will stick with the “DN Format” label.

 

Format 1:

An actual real live DN in the normal DN format like CN=joe,OU=Users,OU=My,DC=test,DC=loc. Canonically that looks like test.loc/My/Users/joe. For those who like pretty pics it is this user…

With AdFind you could specify this bind DN like so

adfind -default -f name=joe -u cn=joe,ou=users,ou=my,dc=test,dc=loc -up SomePassword123!

Various other programs would have other methods of specifying it, if you use those programs, you should be able to work out the method.

This is the most used/widespread bind DN format for directories and hence applications. For Active Directory it is pretty much your worse choice because it is the most susceptible to breaking. I don’t like to be too direct with things like this but if you don’t know what you are doing, just don’t use this format. It will save you issues later.

 

Format 2:

This is a very familiar format to Windows users and admins as they have lived with it for 15 or more years… However, anyone from some other directory environment will probably look at you in disgust if you mention it… The format is Domain\UserId; this is the standard Windows NT format. So for the previous example the ID would be test\joe. Not only is that shorter, but it has no dependence on the location in the directory where the userID is located, at least within the domain. I could move “joe” to the Domain Controllers OU (not that I normally would) and no programs nor scripts nor tools nor anything else using that Bind DN format would need to be changed.

With AdFind you could specify this bind DN like so

adfind -default -f name=joe -u test\joe -up SomePassword123!

 

Note: If you have but a single domain, it is also safe to omit the [domain\] from the bind DN.

 

Format 3:

This is newer format that neither the old Windows folks nor the old other platform directory folks likely are familiar with. We call it the UPN format because it utilizes the userPrincipalName attribute of the userid. Now this attribute may or may not be populated but whether it is or not, all user’s have a UPN. If nothing specific is specified for a userid, the UPN is their sAMAccountName followed by an @ symbol followed by the domain in dot format. So for the previous example… joe@test.loc. One nice thing about this format is that it *should* work uniquely across an entire forest. So if you move a user even between domains it could be configured to still be fine. But joe… you said it had the domain in the attribute, wouldn’t that change? Well yes reader, if you stick with the default if I move my userid joe from test.loc to child.test.loc then my default UPN will then become joe@child.test.loc but you don’t have to leave the default, you can set what you want… For instance I could set my UPN to actually just be joe@test.loc and regardless of the domain moved to it would stay that way. I could even set it to joe@tracysbarandgrill.com if I wanted to. Of course if you set that value you should also set the allowed (or alternate) UPN Suffixes in the forest to allow for it. That way people can set that suffix in ADUC and so other things with forest trusts all work properly. Strictly speaking for use within a single forest though you don’t need it. You can set the allowed UPN suffixes with domain.msc or you can just go straight to the source and stick it into the uPNSuffixs attribute of CN=Partitions,CN=Configuration,[ROOT DOMAIN DN]

Like so

Or better

G:\>adfind -partitions -s base upnsuffixes

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
Base DN: cn=partitions,CN=Configuration,DC=test,DC=loc

dn:cn=partitions,CN=Configuration,DC=test,DC=loc
>uPNSuffixes: tracysbarandgrill.com

1 Objects returned

 

So how do you use this format bind DN in AdFind???

adfind -default -f name=joe -u joe@test.loc -up SomePassword123!

 

Note: While Active Directory enforces you to use an email style (RFC 822) format string for the UPN, ADAM (Active Directory Application Mode) does not enforce the same standard. You can use single part strings just fine there such as just joe or joeuser or joe.user.

 

Search Base Formats

Now it is time to discuss the various “DN” formats that can be used for your search base in Active Directory. As you probably know an LDAP query requires you to tell it where in the directory tree to start the search, that is the search base. Most people think you can only specify a DN for this. Normally that may be true but Microsoft was kind enough to give some shortcuts and anyone familiar with AdFind know that I gave more shortcuts but my shortcuts are not the same as the MSFT shortcuts…

 

Format 1:

The first format for the Base DN is, well, not to surprise you too much, but an actual real live DN. This takes the form of any old DN like… to reuse an example… CN=joe,OU=Users,OU=My,DC=test,DC=loc. But since this is about search bases it could be an OU such as OU=Users,OU=My,DC=test,DC=loc.

AdFind Examples:

adfind -b ou=users,ou=my,dc=test,dc=loc -f name=joe

adfind -b cn=joe,ou=users,ou=my,dc=test,dc=loc -s base

 

Format 2:

The next format is the GUID of the object. This is a nice format to use if you are tracking an object and want to be able to go to it wherever it might be moved to within the forest. You specify the base in a special format – <GUID=9e0645e9c606d14295ac153d5076d897>.

AdFind Examples

adfind -b “<GUID=ba1ee8b7248b34408c34841740211a81>” -f name=joe

adfind -b “<GUID=9e0645e9c606d14295ac153d5076d897>” -s base

Those two queries correspond to the queries in the Format 1 examples above.

Note: I had to put quotes around the “DN” because if the great than and less than symbols. Those mean something in the command interpreter and I need them to be passed into AdFind unharmed (see http://blog.joeware.net/2008/03/27/1109/).

 

Format 3

The next format is the SID of the object. This is similar to the GUID format but using SIDs.

AdFind Examples

this space intentionally not an adfind command

adfind -b “<SID=010500000000000515000000aa867905c1c5484bba6236d557040000>” -s base

alternately with any version of Active Directory beyond Windows 2000 you can use

this space intentionally not an adfind command

adfind -b “<SID=S-1-5-21-91850410-1263060417-3577111226-1111>” -s base

 

As you can see, I don’t have a base DN format with the SID specified that I can use for the OU… why you ask? OU’s aren’t security principals and don’t have SIDs (yes I know this pissed you Novell people off – I get it. heh). So no SID, no way to address the OU by SID. As you can also see there are two different SID formats. I won’t go much into this other than yes there are two formats you can use. Most people, if they do this at all, will likely use the second friendly format and not the HEX format.

 

SideBar

There is a little sidebar we can take here now related to these Base DN formats. Microsoft was very kind to allow us to output DNs in such a way that these formats are exposed to us… This is called the extended DN format. It is enabled by turning on the proper LDAP control in the LDAP request, for information see http://msdn.microsoft.com/en-us/library/aa366980(VS.85).aspx or search for LDAP_SERVER_EXTENDED_DN_OID when MSDN breaks that link for me… 😉

So what does that look like you ask?

AdFind Examples

G:\>adfind -default -f name=joe -dn -extname

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

dn:<GUID=9e0645e9c606d14295ac153d5076d897>;<SID=010500000000000515000000aa867905c1c5484bba6236d557040000>;CN=joe,OU=Users,OU=My,DC=test,DC=loc

1 Objects returned

And cooler, as you can see, ANY DN format attributes (not to be confused with string attributes that hold DNs) will get output this way…

G:\>adfind -default -f name=joe memberof directreports managedobjects -extname

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

dn:<GUID=9e0645e9c606d14295ac153d5076d897>;<SID=010500000000000515000000aa867905c1c5484bba6236d557040000>;CN=joe,OU=Users,OU=My,DC=test,DC=loc
>memberOf: <GUID=f8fcc524dba94047ac67e36d72195747>;<SID=010500000000000515000000aa867905c1c5484bba6236d578060000>;CN=joegroup,OU=joeperm,OU=TestOU,DC=test,DC=loc
>directReports: <GUID=7806a7be8d6d094b9f9750143cc5151a>;<SID=010500000000000515000000aa867905c1c5484bba6236d5f4010000>;CN=Administrator,CN=Users,DC=test,DC=loc
>managedObjects: <GUID=6186a268b84c374c8563baf56e387d3f>;<SID=010500000000000515000000aa867905c1c5484bba6236d505020000>;CN=Cert Publishers,CN=Users,DC=test,DC=loc

1 Objects returned

And here is an example of the same output for an OU, note the lack of the SID field

G:\>adfind -default -f ou=users -dn -extname

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

dn:<GUID=ba1ee8b7248b34408c34841740211a81>;OU=Users,OU=My,DC=test,DC=loc
dn:<GUID=d64d7146973a5a4b928403fba911fb63>;OU=Users,OU=TestOU,DC=test,DC=loc

2 Objects returned