"I guess one question I have in the realm of those apps is... How important
is a pretty GUI to you versus an app that works well and has good
performance? And do you really mean it? What I mean by that is when you look
at an app do you make any decisions about it because it is pretty before
actually running it in a lab and throwing a network sniffer at it to look at
what it is doing?"


From what I've seen, decisions are made several ways: 1) does it do what I
need it to do/want it to do? 2) can my dumbest consumer of this concept do
it unsupervised (opens a whole can of worms, I know.. :) 3) will my company
purchasing policy support getting it and 4) would I be able to do it
in-house with same or better results faster and cheaper?

There's always 5) did the sales rep play golf with the CIO? But who really
counts that, right? 

Personally, I don't give a flip about the GUI for most apps.  Some apps need
it when they display complicated concepts that lead to a manual decision
being made. Most of the widget utilities don't need that and I could
personally care less if they have one. In fact, for many I prefer not to
have them especially if a repeatable process needs to be done.  Your
utilities are usually in the latter category and work well with repeatable
processes meaning that GUI is not wanted/desired. Being able to use them in
a script/batch and rely on them for quality is far more important to me.  

That said, I think you have a good idea if you go after the expense account
crowd and keep some of the free-ware stuff around as well.  Seems a workable
model. 

As for me, I guess I'll go update a few versions of adfind :)

Al



 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, February 12, 2005 1:32 AM
To: [email protected]
Subject: [ActiveDir] AdFind V01.26.00 and general news

Howdy.

Just wanted to let you all know I updated AdFind. The latest version is
V01.26.00. I know I said I wasn't going to update the version 1 code base
anymore but due to a bug fix in Windows Server 2003 SP1 a bug popped up in
AdFind. I chose to dust off the code and implement the fix versus waiting
for Version 2.0.0. Since I did that, I also fixed a couple of other bugs I
found and worked in some additional functionality I wanted added,
functionality that I think many will go "whoah, that is cool" about.


In general news, I have completed most of the code rewrite of my backend
modules. This included adding more functionality to them, looking for the
umpteenth time for leaks and/or security bugs, working towards having good
UNICODE support. I have to say that UNICODE and command line do not
necessarily work well together. There is a lot of pain in that area. The
hope is that the new modules will handle UNICODE better than it is currently
handled.

The rewrite of these new modules also helped me standardize some of the
internal naming and remove some complexity which is always a good thing.
Complexity is a serious contributor to chaos and supportability issues.

The hope is now that I will be in a good position to write some tools and
solutions that I will sell for some moderate price. I am constantly
bombarded by software out there that is less than optimal but people are
paying incredible amounts of money for it anyway due to the lack of anything
else. I am wondering if I can put myself into a semi-retirement position
putting out good software for moderate amounts of money. I would love to be
in a position where I do joeware full time and full time is defined as how
much time I want to spend on it and play the rest of the time. 

What is the difference between incredible amounts versus moderate amounts?
Well I don't intend, at least initially, to charge anyone millions of
dollars for any of the programs. I would be incredibly shocked in myself if
I charged hundreds of thousands of dollars for any of the programs. I
visualize things more in the $100-$5000 range; the kind of range people in
companies can expense on their Corporate AmEX card easily. I recall many a
time I have been in meetings where we would have taken apps if we could do
that instead of trying to force a multimillion dollar or multi hundred
thousand dollar PO through the system.

We shall see how it all pans out and what I actually create. Time to dig
into my big folder of ideas I have been working on and collecting for years
and years. I don't know what I will create right now as the first app, but I
expect it will be related to Active Directory. :o)  Don't worry Tony, once I
start charging I won't advertise here on the list. ;o)

I guess one question I have in the realm of those apps is... How important
is a pretty GUI to you versus an app that works well and has good
performance? And do you really mean it? What I mean by that is when you look
at an app do you make any decisions about it because it is pretty before
actually running it in a lab and throwing a network sniffer at it to look at
what it is doing?


Anyway back to AdFind.... What is new?

O Fixed a bug in the STATS routine that impacts multipage searches. This can
cause incorrect counts. It is doubtful you have encountered this problem.

O Fixed a bug in a message displayed when you do a base level search.
Harmless, but annoying.

O Fixed a bug in -h .

O Fixed a bug with ranging on K3. This was a stupid item on my part. When
rewriting some of the base modules I looked carefully at my ranging code and
realized the possibility of issues with retrieving attributes with greater
than 1500 values on Windows Server 2003 due to the change in default ranging
size. I changed the logic behind the whole ranging process so that code is
bullet proof even if MS changes the default ranging size again.

O I now disallow the combination of the -c and -excldn. This is due to code
flow. -c is optimized for speed so I don't unpack any of the LDAP info, not
even the DN so I can't do the exclusion check.

O Added -nodn option. This strips the "dn: objectDN" from the output.

O Added -nolabel option. This strips the ">AttributeName: " from the output.

O Added -noctl option. This replaces any control characters in the output
strings with spaces. Note that this doesn't impact the behavior I have when
handling specific naming attributes and the DNs for the extremely annoying
mechanism MS uses for deleted and collision objects.

O Added -owner option. This is a truly cool option in my opinion. If you
specify it, adfind will read the security descriptor and output the owner of
the object as a normal attribute, specifically _OBJECT_OWNER.

O Added -owneronly option. This is like owner, but will not show any
attributes except for owner.

C:\WINDOWS>adfind -default -s base -owneronly

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:DC=joe,DC=com
>_OBJECT_OWNER: BUILTIN\Administrators


1 Objects returned


O Added -ownercsv. Like owneronly only the format is a semi-colon delimited
string for each object.

C:\WINDOWS>adfind -default -s one -ownercsv

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

"CN=Builtin,DC=joe,DC=com";"BUILTIN\Administrators"
"CN=Computers,DC=joe,DC=com";"JOE\Domain Admins"
"OU=Domain Controllers,DC=joe,DC=com";"JOE\Domain Admins"
"OU=Exchange,DC=joe,DC=com";"JOE\Domain Admins"
"CN=ForeignSecurityPrincipals,DC=joe,DC=com";"JOE\Domain Admins"
"CN=Infrastructure,DC=joe,DC=com";"JOE\Domain Admins"
"CN=LostAndFound,DC=joe,DC=com";"JOE\Domain Admins"
"CN=Microsoft Exchange System Objects,DC=joe,DC=com";"JOE\Domain Admins"
"CN=NTDS Quotas,DC=joe,DC=com";"JOE\Domain Admins"
"CN=Program Data,DC=joe,DC=com";"JOE\Domain Admins"
"CN=System,DC=joe,DC=com";"JOE\Domain Admins"
"OU=TestOU,DC=joe,DC=com";"JOE\Domain Admins"
"CN=Users,DC=joe,DC=com";"JOE\Domain Admins"


O Finally I added the -sdna option. This option stands for security
descriptor non-admin. Specifically it sets a special ldap control to allow
someone without special privs to return security descriptors from AD.
Primarily it tells AD not to return the SACL. I leave it as an exercise for
the class to understand why this reduces the perms needed to pull the object
SD. If you are just retrieving owner info (versus most of the SD) via the
-owner* switches, it trims down what AD returns by telling it to just return
the owner info and is therefore more efficient.


I have to say the owner switches excite me. They are very fun. Combined with
some command line tool to pull out unique lines you can quickly and easily
see all of the security principals that own objects in an NC or the forest
as a whole.

Ex:

[Sat 02/12/2005  1:10:17.50]
C:\WINDOWS>adfind -gc -b -f * -owneronly -nodn -nolabel -q |unique
BUILTIN\Administrators
CHILD1\Domain Admins
JOE\$jricha34
JOE\2K3DC01$
JOE\2K3EXC01$
JOE\2K3EXC02$
JOE\2K3UTL01$
JOE\Domain Admins
JOE\Enterprise Admins
JOE\FASTMOFO$
JOE\Schema Admins
NT AUTHORITY\SYSTEM

[Sat 02/12/2005  1:10:22.39]


You will note that that is the dump for all security principals that own
objects in my entire test AD with about 9600 objects. The whole thing was
completed in under 5 seconds. I can make that faster, but only through
multi-threading. I was very careful to optimize the SID resolution code to
be as fast as possible.



Oh one last note. People, if you use the joeware tools. Update to the latest
versions. These are all free downloads. No point in not having the latest
versions. I recently chatted with someone who was having an issue with one
of the tools and was several revs behind. The issue that was hit was handled
better in a later version and probably would have avoided some confusion. 

  joe

 
 
 








List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
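
An added example, not part of joe's post or of AdFind: a Python script that reads output in the -ownercsv layout shown above, groups objects by owner, and lists the owners outside an expected set, which is the review the "|unique" pipeline supports. The expected-owner list, the function names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Assumption: account names a reviewer treats as expected owners.
# Name-based only; adjust to local policy.
EXPECTED_ACCOUNTS = {"administrators", "domain admins", "enterprise admins",
                     "schema admins", "system"}

# Constructed sample in the -ownercsv layout from the post: a banner line,
# a blank line, then "DN";"owner" rows. Not real output.
SAMPLE = r'''AdFind banner line (constructed)

"CN=Users,DC=joe,DC=com";"JOE\Domain Admins"
"OU=TestOU,DC=joe,DC=com";"JOE\Domain Admins"
"CN=Builtin,DC=joe,DC=com";"BUILTIN\Administrators"
"CN=TestUser,OU=TestOU,DC=joe,DC=com";"JOE\$jricha34"
"CN=WS01,CN=Computers,DC=joe,DC=com";"JOE\2K3UTL01$"
'''


def parse_ownercsv(text):
    """Yield (dn, owner) pairs, skipping banner and blank lines."""
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        # Data rows have exactly two fields and the first looks like a DN.
        if len(row) == 2 and "=" in row[0]:
            yield row[0], row[1]


def is_expected(owner):
    # Compare the account part only, so JOE\Domain Admins and
    # CHILD1\Domain Admins are treated alike.
    return owner.rsplit("\\", 1)[-1].lower() in EXPECTED_ACCOUNTS


def unexpected_owners(text):
    """Map each owner outside EXPECTED_ACCOUNTS to the DNs it owns."""
    grouped = defaultdict(list)
    for dn, owner in parse_ownercsv(text):
        grouped[owner].append(dn)
    return {o: dns for o, dns in grouped.items() if not is_expected(o)}


if __name__ == "__main__":
    for owner, dns in sorted(unexpected_owners(SAMPLE).items()):
        print(f"{owner} owns {len(dns)} object(s):")
        for dn in dns:
            print(f"  {dn}")
```
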
