Because I like you guys I thought I would give you heads up that ADFIND has gotten a little bit of an update. After the last update of adding stats and extended error info I realized that I put some bugs in by mistake (I call them Easter Eggs for myself). I also wanted to mention that with the interest rates going up and the cost of petrol going up and being out of work I had to raise the price of the tools by 18.3%. I still think they are well worth the price though. :o)
 
 
 
The first bug was a simple leak that I simply plugged. The second bug I will blame on MS and how they display bitwise AND and OR in the STATS output. They change the OIDs to & and | which look like they are the normal & and | I used in filters and my filter display routine would catch them and treat them like regular & and | which isn't correct. So I corrected how I displayed them.
 
I also fixed something that has bugged me to no end... The display of deleted objects is messy as several attributes have the newline embedded in them. MS half fixed that in K3 by changing the newline to \0A in the distinguished name but they missed the cn and name attributes. In 2K you also have the issue in the DN. I was getting fed up testing another app seeing it that way so I changed ADFIND to fix the string anytime DN, distinguishedName, name, and cn have a newline character in them. This may fix the silly collision objects that get returned as well, I don't have any in my AD currently so I couldn't test that yet. If you have some and you test adfind against them, let me know how it does. Thanks!
 
 
Anyway, the curious are thinking... you mentioned AdFind's sister and also mentioned you were testing another app above....
 
I introduce to you adfind's new baby sister.... AdMod. Ta-Da!
 
I have been promising myself (and others) to write a mod tool for a while now, months and years. I really wanted to do so after seeing the dsmod tool and seeing how limited it was with its hard coding. Then Dean and I sat in a bar in Seattle discussing the idea of me taking time to write a command line undelete tool... This last weekend after burning myself in the sun pretty well on Friday and Saturday running around in the Jeep I spent the time it was raining on Sunday indoors working on admod. The whole thing sort of clicked in my head on how I wanted to do it Sunday morning so I dragged my butt out of bed sunburn and all and wrote it.
 
So what does admod do you ask? It can
 
o Modify attribute(s) on an object. Multivalue or singlevalue. Add or remove values.  Currently only string based values... sorry.
o Clear attribute(s)
o Rename an object  (only one at a time until I work out some sort of wildcard scheme...)
o Delete object(s)
o Tree Delete object(s) aka branch delete
o Move object(s) (within same NC)
o Undelete object(s)
 
As I explain in the ADMOD usage (admod /?) it uses a basic structure for describing the modify operations to attributes.
 
attribute : operation : value(s)
 
For a clear attribute operation you only need the first two pieces...
 
description:-
 
For an update (or single value attribute add) of an attribute you need all three pieces...
 
description::Joe Rocks
 
 
To remove a single value of a multivalue you would need all three pieces
 
somemvattrib:-:somevalue
 
If you want to remove several values of a multivalue you would need all three pieces with the third built in a specific way...
 
somemvattrib:--:somevalue1;somevalue2;somevalue3
 
Adding values to attributes is the same.... Just replace the - and -- with + and ++.
 
You will note that the main piece is delimited by colons (:) and the values when multiple values are needed is delimited by semi-colons (;). You are thinking, that bonehead, I need to use those sometimes as actual values!!! And you can... You can specify the delimiters to use for either with switches.
 
Note also that for modify ops you can stack up attrib-op pieces... so you could do something like
 
[Mon 07/05/2004 23:04:19.13]
F:\DEV\cpp\AdMod>admod -b CN=$jricha34,CN=Users,DC=joe,DC=com "description::Joe Rocks" racfid:++:10;11;12;13;14;15 racfid:--:1;4;5 scriptpath::logon.bat proxyaddresses:-:smtp:[EMAIL PROTECTED]
 
AdMod V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004
 
DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: cn=$jricha34,cn=users,dc=joe,dc=com...
 
The command completed successfully
 

[Mon 07/05/2004 23:05:12.55]
F:\DEV\cpp\AdMod>adfind -default -f name=$jricha34 description racfid scriptpath proxyaddresses
 
AdFind V01.18.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004
 
Using server: 2k3dc01.joe.com
Base DN: DC=joe,DC=com
 
dn:CN=$jricha34,CN=Users,DC=joe,DC=com
>RACFId: 15
>RACFId: 14
>RACFId: 13
>RACFId: 12
>RACFId: 11
>RACFId: 10
>RACFId: 6
>RACFId: 3
>RACFId: 2
>description: Joe Rocks
>proxyAddresses: SMTP:[EMAIL PROTECTED]
>proxyAddresses: X400:c=US;a= ;p=joeware;o=Exchange;s=?jricha34;
>scriptPath: logon.bat
 

1 Objects returned
 
[Mon 07/05/2004 23:05:30.50]
F:\DEV\cpp\AdMod>
 
 
Also note that I liked the way dsmod took the STDIN from dsquery and could work with that. You will recall I added the -dsq switch to adfind a while back to give dsquery type output.... Well admod will use that as well so you can use dsquery or adfind to find some objects you want to dork with and pipe that right into admod.
 
 
Here is a fun example:
 
Say I have an OU of computer objects...
 
[Mon 07/05/2004 23:09:29.01]
F:\DEV\cpp\AdMod>adfind -b OU=AdModUndeleteTest,OU=TestOU,DC=joe,DC=com -f objectcategory=computer -s one -dn
 
AdFind V01.18.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004
 
Using server: 2k3dc01.joe.com
 
dn:CN=undel-a1,OU=AdModUndeleteTest,OU=TestOU,DC=joe,DC=com
dn:CN=undel-a2,OU=AdModUndeleteTest,OU=TestOU,DC=joe,DC=com
dn:CN=undel-a3,OU=AdModUndeleteTest,OU=TestOU,DC=joe,DC=com
dn:CN=undel-a4,OU=AdModUndeleteTest,OU=TestOU,DC=joe,DC=com
dn:CN=undel-a5,OU=AdModUndeleteTest,OU=TestOU,DC=joe,DC=com
 
5 Objects returned
 
[Mon 07/05/2004 23:09:58.47]
F:\DEV\cpp\AdMod>
 
 
Say I want to delete one...
 
[Mon 07/05/2004 23:09:58.47]
F:\DEV\cpp\AdMod>adfind -b OU=AdModUndeleteTest,OU=TestOU,DC=joe,DC=com -f objectcategory=computer -s one -dsq |admod -rm
 
AdMod V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004
 
DN Count: 5
Using server: 2k3dc01.joe.com
Deleting specified objects...
   DN: cn=undel-a1,ou=admodundeletetest,ou=testou,dc=joe,dc=com...
   DN: cn=undel-a2,ou=admodundeletetest,ou=testou,dc=joe,dc=com...
   DN: cn=undel-a3,ou=admodundeletetest,ou=testou,dc=joe,dc=com...
   DN: cn=undel-a4,ou=admodundeletetest,ou=testou,dc=joe,dc=com...
   DN: cn=undel-a5,ou=admodundeletetest,ou=testou,dc=joe,dc=com...
 
The command completed successfully
 

[Mon 07/05/2004 23:10:43.15]
F:\DEV\cpp\AdMod>
 
 
 
[Mon 07/05/2004 23:12:10.31]
F:\DEV\cpp\AdMod>adfind -b OU=AdModUndeleteTest,OU=TestOU,DC=joe,DC=com -f objectcategory=computer -s one -dn
 
AdFind V01.18.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004
 
Using server: 2k3dc01.joe.com
 

0 Objects returned
 
[Mon 07/05/2004 23:12:16.55]
F:\DEV\cpp\AdMod>
 
 
[Mon 07/05/2004 23:12:16.55]
F:\DEV\cpp\AdMod>adfind -default -f "&(lastknownparent=OU=AdModUndeleteTest,OU=TestOU,DC=joe,DC=com)" -showdel -dn
 
AdFind V01.18.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004
 
Using server: 2k3dc01.joe.com
Base DN: DC=joe,DC=com
 
dn:CN=undel-a1\0ADEL:db12be55-cdac-4c06-a9fb-280cf445ae73,CN=Deleted Objects,DC=joe,DC=com
dn:CN=undel-a2\0ADEL:3da8ab38-d8a5-40f0-8cc2-13a43bad59b7,CN=Deleted Objects,DC=joe,DC=com
dn:CN=undel-a3\0ADEL:66c49f17-064b-41a3-8e60-10e3dbf1c1c0,CN=Deleted Objects,DC=joe,DC=com
dn:CN=undel-a4\0ADEL:735cdaaf-1d21-4264-bb84-8c64b05f6247,CN=Deleted Objects,DC=joe,DC=com
dn:CN=undel-a5\0ADEL:ea628cdb-069a-4993-b7bb-fca6dd206f8b,CN=Deleted Objects,DC=joe,DC=com
 
5 Objects returned
 
[Mon 07/05/2004 23:12:41.77]
F:\DEV\cpp\AdMod>
 
 
OH OH! I deleted all of them, not just one...I better bring them back....
 
 
 
[Mon 07/05/2004 23:12:41.77]
F:\DEV\cpp\AdMod>adfind -default -f "&(lastknownparent=OU=AdModUndeleteTest,OU=TestOU,DC=joe,DC=com)" -showdel -dsq |admod -undel
 
AdMod V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004
 
DN Count: 5
Using server: 2k3dc01.joe.com
Undeleting specified objects...
   DN: cn=undel-a1\0adel:db12be55-cdac-4c06-a9fb-280cf445ae73,cn=deleted objects,dc=joe,dc=com...
   DN: cn=undel-a2\0adel:3da8ab38-d8a5-40f0-8cc2-13a43bad59b7,cn=deleted objects,dc=joe,dc=com...
   DN: cn=undel-a3\0adel:66c49f17-064b-41a3-8e60-10e3dbf1c1c0,cn=deleted objects,dc=joe,dc=com...
   DN: cn=undel-a4\0adel:735cdaaf-1d21-4264-bb84-8c64b05f6247,cn=deleted objects,dc=joe,dc=com...
   DN: cn=undel-a5\0adel:ea628cdb-069a-4993-b7bb-fca6dd206f8b,cn=deleted objects,dc=joe,dc=com...
 
The command completed successfully
 

[Mon 07/05/2004 23:12:58.39]
F:\DEV\cpp\AdMod>adfind -b OU=AdModUndeleteTest,OU=TestOU,DC=joe,DC=com -f objectcategory=computer -s one -dn
 
AdFind V01.18.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004
 
Using server: 2k3dc01.joe.com
 
dn:CN=undel-a1,OU=AdModUndeleteTest,OU=TestOU,DC=joe,DC=com
dn:CN=undel-a2,OU=AdModUndeleteTest,OU=TestOU,DC=joe,DC=com
dn:CN=undel-a3,OU=AdModUndeleteTest,OU=TestOU,DC=joe,DC=com
dn:CN=undel-a4,OU=AdModUndeleteTest,OU=TestOU,DC=joe,DC=com
dn:CN=undel-a5,OU=AdModUndeleteTest,OU=TestOU,DC=joe,DC=com
 
5 Objects returned
 
[Mon 07/05/2004 23:13:08.23]
F:\DEV\cpp\AdMod>
 
 
 
Ta-Da...
 
Note that these objects will only retain what is marked to be retained in the schema. So if you have the default, you will get some basic stuff back but boy it sure is nice to get that same SID back isn't it? If you have modified your schema you can get considerably more back. My next adventures will be in that area and whipping something up to allow people to select what they get back. Yes, yes. I know you can't mark and get everything back. But that is part of the fun I have to go through figuring out later.
 
Say I have some dorked up proxyAddresses and want the RUS to rebuild all of them across the forest... I could use the following command:
 
adfind -gc -b "" -f "proxyaddresses=*" -dsq | admod proxyAddresses:-
 
 
 
And for my final example....
 
I need to set the logon script for every single userobject in the forest... How do I do it?
 
[Mon 07/05/2004 23:25:26.00]
F:\DEV\cpp\AdMod>adfind -gc -b "" -f "&(objectcategory=person)(objectclass=user)" -dsq | admod scriptpath::logon.bat
 
AdMod V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004
 
DN Count: 295
 
More DNs than allowed for by safety setting of 10
Use safety parameter to specify larger safety size.
 
The command did not complete successfully
 
[Mon 07/05/2004 23:25:35.52]
F:\DEV\cpp\AdMod>
 
 
Oh ooops... I set up a safety. If the number of objects to modify exceeds the safety limit, it won't modify ANY. This way you can have some little measure of safety. Of course I give you a nice -safety switch where you can specify how many objects you want for that cut off so I could set it to say 300 here and work fine, or I can just say, I really want this and use the -unsafe switch...
 
[Mon 07/05/2004 23:25:35.52]
F:\DEV\cpp\AdMod>adfind -gc -b "" -f "&(objectcategory=person)(objectclass=user)" -dsq | admod -unsafe scriptpath::logon.bat
 
AdMod V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004
 
DN Count: 295
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: cn=$jricha34,cn=users,dc=joe,dc=com...
   DN: cn=postmaster,ou=mailusers,ou=joeware2,ou=exchange,dc=joe,dc=com...
   DN: cn=guest,cn=users,dc=joe,dc=com...
...
   DN: cn=ztestuser8,ou=testusers2ou,ou=testou,dc=joe,dc=com...
   DN: cn=ztestuser9,ou=testusers2ou,ou=testou,dc=joe,dc=com...
   DN: cn=ztestuser10,ou=testusers2ou,ou=testou,dc=joe,dc=com...
   DN: cn=firstname lastname,ou=testusers2ou,ou=testou,dc=joe,dc=com...
   DN: cn=joedoe,cn=users,dc=joe,dc=com...
   DN: cn=adminid,cn=users,dc=joe,dc=com...
   DN: cn=listmail,ou=mailusers,ou=joeware2,ou=exchange,dc=joe,dc=com...
   DN: cn=joe,ou=mailusers,ou=joeware2,ou=exchange,dc=joe,dc=com...
   DN: cn=administrator,cn=users,dc=child1,dc=joe,dc=com...
   DN: cn=guest,cn=users,dc=child1,dc=joe,dc=com...
   DN: cn=support_388945a0,cn=users,dc=child1,dc=joe,dc=com...
   DN: cn=krbtgt,cn=users,dc=child1,dc=joe,dc=com...
   DN: cn=$jricha34,cn=users,dc=child1,dc=joe,dc=com...
 
The command completed successfully
 
 
[Mon 07/05/2004 23:28:05.32]
 
Note the IDs are in a couple of different domains. Also note I can clear all of the scripts in a forest just as easily....
 
 
[Mon 07/05/2004 23:28:05.32]
F:\DEV\cpp\AdMod>adfind -gc -b "" -f "&(objectcategory=person)(objectclass=user)" -dsq | admod -unsafe scriptpath:-
 
AdMod V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004
 
DN Count: 295
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: cn=$jricha34,cn=users,dc=joe,dc=com...
   DN: cn=postmaster,ou=mailusers,ou=joeware2,ou=exchange,dc=joe,dc=com...
   DN: cn=guest,cn=users,dc=joe,dc=com...
...
   DN: cn=ztestuser8,ou=testusers2ou,ou=testou,dc=joe,dc=com...
   DN: cn=ztestuser9,ou=testusers2ou,ou=testou,dc=joe,dc=com...
   DN: cn=ztestuser10,ou=testusers2ou,ou=testou,dc=joe,dc=com...
   DN: cn=firstname lastname,ou=testusers2ou,ou=testou,dc=joe,dc=com...
   DN: cn=joedoe,cn=users,dc=joe,dc=com...
   DN: cn=adminid,cn=users,dc=joe,dc=com...
   DN: cn=listmail,ou=mailusers,ou=joeware2,ou=exchange,dc=joe,dc=com...
   DN: cn=joe,ou=mailusers,ou=joeware2,ou=exchange,dc=joe,dc=com...
   DN: cn=administrator,cn=users,dc=child1,dc=joe,dc=com...
   DN: cn=guest,cn=users,dc=child1,dc=joe,dc=com...
   DN: cn=support_388945a0,cn=users,dc=child1,dc=joe,dc=com...
   DN: cn=krbtgt,cn=users,dc=child1,dc=joe,dc=com...
   DN: cn=$jricha34,cn=users,dc=child1,dc=joe,dc=com...
 
The command completed successfully
 

[Mon 07/05/2004 23:30:32.62]
F:\DEV\cpp\AdMod>
 
 
 
Main reason I posted this here is I know this can be useful to many folks who partake of this great list. Also I know that there will be many great ideas that come out of people on this list on how this tool could be made better. Send those ideas my way and I will see about adding them in. Also any bugs encountered, let me know about those as well.
 
 
  joe
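
The attribute:operation:value(s) syntax and the all-or-nothing safety limit described in the post, as an added Python example that is not part of the original message and is not AdMod's own code. The names parse_mod and plan, the action labels, and the rule that only the first two colons delimit a spec (so a value such as an smtp: address may contain one) are assumptions of this sketch; the DNs and the example.com address are constructed sample data.

```python
from dataclasses import dataclass

# Operation tokens as described in the post; the action names are labels
# chosen for this example, not AdMod's internal terminology.
OPS = {"": "replace", "+": "add", "++": "add", "-": "remove", "--": "remove"}

@dataclass
class Mod:
    attribute: str
    action: str   # replace | add | remove | clear
    values: list

def parse_mod(spec, part_delim=":", value_delim=";"):
    """Parse one 'attribute:operation:value(s)' piece."""
    # Assumption: split on the first two delimiters only, so the value
    # itself may contain the part delimiter.
    parts = spec.split(part_delim, 2)
    if len(parts) < 2 or not parts[0]:
        raise ValueError(f"not an attribute:operation spec: {spec!r}")
    attr, op = parts[0], parts[1]
    if op not in OPS:
        raise ValueError(f"unknown operation {op!r} in {spec!r}")
    if len(parts) == 2:
        # Two pieces only: the post shows this form for clearing ('description:-').
        if op != "-":
            raise ValueError(f"operation {op!r} needs a value: {spec!r}")
        return Mod(attr, "clear", [])
    # Only the doubled forms (++ / --) carry a delimited list of values.
    values = parts[2].split(value_delim) if len(op) == 2 else [parts[2]]
    return Mod(attr, OPS[op], values)

def plan(dns, specs, safety=10, unsafe=False):
    """Pair every DN with every Mod, or refuse the whole batch if over the limit."""
    # dsquery-style input is one DN per line, wrapped in double quotes.
    dns = [d.strip().strip('"') for d in dns if d.strip()]
    if not unsafe and len(dns) > safety:
        raise RuntimeError(f"{len(dns)} DNs exceeds safety setting of {safety}")
    mods = [parse_mod(s) for s in specs]   # parse everything before touching anything
    return [(dn, m) for dn in dns for m in mods]

if __name__ == "__main__":
    # Constructed input: 12 quoted DNs, two more than the default limit of 10.
    sample = [f'"CN=user{i},OU=TestOU,DC=example,DC=com"' for i in range(12)]
    try:
        plan(sample, ["scriptpath::logon.bat"])
    except RuntimeError as exc:
        print("refused:", exc)
    print(len(plan(sample, ["scriptpath:-"], safety=300)), "changes planned")
```
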
 
 
 
 
