Howdy.
Just wanted to let you all know I updated AdFind. The latest version is V01.26.00. I know I said I wasn't going to update the version 1 code base anymore but due to a bug fix in Windows Server 2003 SP1 a bug popped up in AdFind. I chose to dust off the code and implement the fix versus waiting for Version 2.0.0. Since I did that, I also fixed a couple of other bugs I found and worked in some additional functionality I wanted added, functionality that I think many will go "whoah, that is cool" about.
In general news, I have completed most of the code rewrite of my backend modules. This included adding more functionality to them, looking for the umpteenth time for leaks and/or security bugs, working towards having good UNICODE support. I have to say that UNICODE and command line do not necessarily work well together. There is a lot of pain in that area. The hope is that the new modules will handle UNICODE better than it is currently handled.
The rewrite of these new modules also helped me standardize some of the internal naming and remove some complexity which is always a good thing. Complexity is a serious contributor to chaos and supportability issues.
The hope is now that I will be in a good position to write some tools and solutions that I will sell for some moderate price. I am constantly bombarded by software out there that is less than optimal but people are paying incredible amounts of money for it anyway due to the lack of anything else. I am wondering if I can put myself into a semi-retirement position putting out good software for moderate amounts of money. I would love to be in a position where I do joeware full time and full time is defined as how much time I want to spend on it and play the rest of the time.
What is the difference between incredible amounts versus moderate amounts? Well I don't intend, at least initially, to charge anyone millions of dollars for any of the programs. I would be incredibly shocked in myself if I charged hundreds of thousands of dollars for any of the programs. I visualize things more in the $100-$5000 range; the kind of range people in companies can expense on their Corporate AmEX card easily. I recall many a time I have been in meetings where we would have taken apps if we could do that instead of trying to force a multimillion dollar or multi hundred thousand dollar PO through the system.
We shall see how it all pans out and what I actually create. Time to dig into my big folder of ideas I have been working on and collecting for years and years. I don't know what I will create right now as the first app, but I expect it will be related to Active Directory. :o) Don't worry Tony, once I start charging I won't advertise here on the list. ;o)
I guess one question I have in the realm of those apps is... How important is a pretty GUI to you versus an app that works well and has good performance? And do you really mean it? What I mean by that is when you look at an app do you make any decisions about it because it is pretty before actually running it in a lab and throwing a network sniffer at it to look at what it is doing?
Anyway back to AdFind.... What is new?
O Fixed a bug in the STATS routine that impacts multipage searches. This can cause incorrect counts. It is doubtful you have encountered this problem.
O Fixed a bug in a message displayed when you do a base level search. Harmless, but annoying.
O Fixed a bug in -h .
O Fixed a bug with ranging on K3. This was a stupid item on my part. When rewriting some of the base modules I looked carefully at my ranging code and realized the possibility of issues with retrieving attributes with greater than 1500 values on Windows Server 2003 due to the change in default ranging size. I changed the logic behind the whole ranging process so that code is bullet proof even if MS changes the default ranging size again.
O I now disallow the combination of the -c and -excldn. This is due to code flow. -c is optimized for speed so I don't unpack any of the LDAP info, not even the DN so I can't do the exclusion check.
O Added -nodn option. This strips the "dn: objectDN" from the output.
O Added -nolabel option. This strips the ">AttributeName: " from the output.
O Added -noctl option. This replaces any control characters in the output strings with spaces. Note that this doesn't impact the behavior I have when handling specific naming attributes and the DNs for the extremely annoying mechanism MS uses for deleted and collision objects.
O Added -owner option. This is a truly cool option in my opinion. If you specify it, adfind will read the security descriptor and output the owner of the object as a normal attribute, specifically _OBJECT_OWNER.
O Added -owneronly option. This is like owner, but will not show any attributes except for owner.
C:\WINDOWS>adfind -default -s base -owneronly
AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com
dn:DC=joe,DC=com
>_OBJECT_OWNER: BUILTIN\Administrators
1 Objects returned
O Added -ownercsv. Like owneronly only the format is a semi-colon delimited string for each object.
C:\WINDOWS>adfind -default -s one -ownercsv
AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
"CN=Builtin,DC=joe,DC=com";"BUILTIN\Administrators"
"CN=Computers,DC=joe,DC=com";"JOE\Domain Admins"
"OU=Domain Controllers,DC=joe,DC=com";"JOE\Domain Admins"
"OU=Exchange,DC=joe,DC=com";"JOE\Domain Admins"
"CN=ForeignSecurityPrincipals,DC=joe,DC=com";"JOE\Domain Admins"
"CN=Infrastructure,DC=joe,DC=com";"JOE\Domain Admins"
"CN=LostAndFound,DC=joe,DC=com";"JOE\Domain Admins"
"CN=Microsoft Exchange System Objects,DC=joe,DC=com";"JOE\Domain Admins"
"CN=NTDS Quotas,DC=joe,DC=com";"JOE\Domain Admins"
"CN=Program Data,DC=joe,DC=com";"JOE\Domain Admins"
"CN=System,DC=joe,DC=com";"JOE\Domain Admins"
"OU=TestOU,DC=joe,DC=com";"JOE\Domain Admins"
"CN=Users,DC=joe,DC=com";"JOE\Domain Admins"
O Finally I added the -sdna option. This option stands for security descriptor non-admin. Specifically it sets a special ldap control to allow someone without special privs to return security descriptors from AD. Primarily it tells AD not to return the SACL. I leave it as an exercise for the class to understand why this reduces the perms needed to pull the object SD. If you are just retrieving owner info (versus most of the SD) via the -owner* switches, it trims down what AD returns by telling it to just return the owner info and is therefore more efficient.
I have to say the owner switches excite me. They are very fun. Combined with some command line tool to pull out unique lines you can quickly and easily see all of the security principals that own objects in an NC or the forest as a whole.
Ex:
[Sat 02/12/2005 1:10:17.50]
C:\WINDOWS>adfind -gc -b -f * -owneronly -nodn -nolabel -q |unique
BUILTIN\Administrators
CHILD1\Domain Admins
JOE\$jricha34
JOE\2K3DC01$
JOE\2K3EXC01$
JOE\2K3EXC02$
JOE\2K3UTL01$
JOE\Domain Admins
JOE\Enterprise Admins
JOE\FASTMOFO$
JOE\Schema Admins
NT AUTHORITY\SYSTEM
[Sat 02/12/2005 1:10:22.39]
You will note that that is the dump for all security principals that own objects in my entire test AD with about 9600 objects. The whole thing was completed in under 5 seconds. I can make that faster, but only through multi-threading. I was very careful to optimize the SID resolution code to be as fast as possible.
Oh one last note. People, if you use the joeware tools. Update to the latest versions. These are all free downloads. No point in not having the latest versions. I recently chatted with someone who was having an issue with one of the tools and was several revs behind. The issue that was hit was handled better in a later version and probably would have avoided some confusion.
joe
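Added example (not part of the original post and not AdFind's code): the ranging item above, in Python. Active Directory labels each chunk of a large multi-valued attribute `attr;range=lo-hi` and the final chunk `lo-*`; the reader below takes its next offset from that label instead of a fixed page size, and a brittle variant is included for contrast. The mock server, function names and member DNs are constructed for illustration.

```python
import re

RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.I)

def make_mock_server(values, max_val_range):
    """Constructed stand-in for a DC: answers 'attr;range=lo-hi' requests and
    never returns more than max_val_range values in one reply."""
    last = len(values) - 1
    def fetch(request):
        m = RANGE_RE.match(request)
        lo = int(m["lo"])
        hi = last if m["hi"] == "*" else int(m["hi"])
        hi = min(hi, lo + max_val_range - 1, last)
        label = "*" if hi == last else str(hi)   # final chunk is marked with '*'
        return {f"{m['attr']};range={lo}-{label}": values[lo:hi + 1]}
    return fetch

def read_all_values(fetch, attr):
    """Take the next offset from the range the server reports, so the
    result is complete whatever the server-side limit is."""
    out, lo = [], 0
    while True:
        (name, chunk), = fetch(f"{attr};range={lo}-*").items()
        m = RANGE_RE.match(name)
        if not m or int(m["lo"]) != lo:
            raise ValueError(f"unexpected range reply: {name!r}")
        out.extend(chunk)
        if m["hi"] == "*":
            return out
        lo = int(m["hi"]) + 1

def read_assuming_page_size(fetch, attr, assumed):
    """Brittle contrast case: steps by a hard-coded page size."""
    out, lo = [], 0
    while True:
        (name, chunk), = fetch(f"{attr};range={lo}-*").items()
        out.extend(chunk)
        if name.endswith("-*"):
            return out
        lo += assumed

# Constructed data: a group with 4000 members.
MEMBERS = [f"CN=user{i:04d},OU=TestOU,DC=joe,DC=com" for i in range(4000)]
```

With a hard-coded step that is smaller than the server limit the brittle reader returns duplicates, and with a larger one it silently skips values, which in a membership audit means missing members.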
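Added example (not part of the original post and not joeware code): a parser for the `-ownercsv` output shown above that groups objects by owner and reports owners outside an allowlist, which is the kind of ownership review the owner switches make possible. The allowlist, the function names and the last two sample rows are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the -ownercsv layout shown in the post: "DN";"owner".
# The banner and first three rows mirror the post; the last two are invented.
SAMPLE = r'''AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

"CN=Builtin,DC=joe,DC=com";"BUILTIN\Administrators"
"CN=Computers,DC=joe,DC=com";"JOE\Domain Admins"
"OU=TestOU,DC=joe,DC=com";"JOE\Domain Admins"
"CN=Kiosk7,OU=TestOU,DC=joe,DC=com";"JOE\helpdesk1"
"CN=Ops\; Tier2,OU=TestOU,DC=joe,DC=com";"JOE\2K3UTL01$"
'''

# Assumption: owners the auditor expects to see; adjust per environment.
EXPECTED_OWNERS = {
    r"BUILTIN\Administrators", r"JOE\Domain Admins", r"JOE\Enterprise Admins",
    r"JOE\Schema Admins", r"NT AUTHORITY\SYSTEM",
}

def parse_ownercsv(text):
    """Yield (dn, owner) pairs; banner and blank lines are skipped."""
    # csv honours the quotes, so a ';' inside a DN does not split the row.
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if len(row) == 2 and "=" in row[0]:
            yield row[0], row[1]

def owners_by_principal(text):
    """Map each owner (case-folded, since account names ignore case) to its DNs."""
    owned = defaultdict(list)
    for dn, owner in parse_ownercsv(text):
        owned[owner.casefold()].append(dn)
    return dict(owned)

def unexpected_owners(text, expected=EXPECTED_OWNERS):
    """Return {owner: [dn, ...]} for owners not on the allowlist."""
    allowed = {name.casefold() for name in expected}
    return {o: dns for o, dns in owners_by_principal(text).items() if o not in allowed}

if __name__ == "__main__":
    for owner, dns in sorted(unexpected_owners(SAMPLE).items()):
        print(f"{owner}: {len(dns)} object(s)")
        for dn in dns:
            print(f"    {dn}")
```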
