It is true, I am quite innocent; ask anyone who really knows me. But at the
same time I have to thank you for all of the good ideas of things I add to
adfind. :o)

As for the little j... Just feels right. 

However, to do the encoding from nice to not so nice formats you want to
recall the -binenc option. It is a bit misnamed now because I have expanded
it up. For GUIDs and SIDs it is perfect. Basically you specify the GUID or
SID in the friendly format and ADFIND will convert to a blob and encode it
for query purposes. You simply need to insert a marker in the filter so I
know where to do the conversion at... So....

The general marker for things to convert with -binenc is

{{label:string}}

Where label is
         guid  - GUIDs
         sid   - SIDs
         bin   - Binary specified in HEX
         utc   - Time/Date in UTC to Integer 8 (pwdlastset, lastlogon, etc...)
         local - Time/Date in Local time to Integer 8 (pwdlastset, lastlogon, etc...)

So if I want to encode a guid to check against invocation ID

adfind -config -binenc -f invocationid={{guid:D8E032EE-9E9B-4E2D-A8CE-A1FAA8B9238D}}


If you wanted to encode a date to look for accounts with passwords set
within a date range

adfind -default -binenc -f "&(pwdlastset>={{local:2005/12/01}})(pwdlastset<={{local:2006/01/01}})" -dn


  joe


 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
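
The marker conversion described above, sketched in Python as an added example (not AdFind's code and not part of the original message). The function names, the single accepted date format (YYYY/MM/DD) and the exact text of the escaped output are assumptions; the "local" label is left out because its result depends on the machine's time zone, and the SID in the test is a constructed sample.

```python
import re
import struct
import uuid
from datetime import datetime, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def ldap_escape(blob: bytes) -> str:
    """RFC 4515: write every octet of a binary value as backslash + two hex digits."""
    return "".join(f"\\{b:02X}" for b in blob)

def guid_blob(text: str) -> bytes:
    # AD stores GUIDs with the first three fields little-endian (bytes_le).
    return uuid.UUID(text).bytes_le

def sid_blob(text: str) -> bytes:
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def integer8(text: str, tz=timezone.utc) -> str:
    # Integer8 time = count of 100 ns intervals since 1601-01-01 UTC.
    when = datetime.strptime(text, "%Y/%m/%d").replace(tzinfo=tz)
    delta = when - FILETIME_EPOCH
    return str((delta.days * 86400 + delta.seconds) * 10_000_000)

ENCODERS = {
    "guid": lambda s: ldap_escape(guid_blob(s)),
    "sid": lambda s: ldap_escape(sid_blob(s)),
    "bin": lambda s: ldap_escape(bytes.fromhex(s)),
    "utc": integer8,
}

MARKER = re.compile(r"\{\{(\w+):([^}]*)\}\}")

def expand(ldap_filter: str) -> str:
    """Replace each {{label:string}} marker with its filter-ready encoding."""
    def repl(m):
        label = m.group(1).lower()
        if label not in ENCODERS:
            raise ValueError(f"unsupported label: {label}")
        return ENCODERS[label](m.group(2))
    return MARKER.sub(repl, ldap_filter)
```

The expanded string is an ordinary LDAP filter, so it can be passed to any LDAP client when resolving an invocation ID or building a pwdlastset range.
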
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, February 21, 2006 8:59 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] repadmin info oddity

The GUIDs returned in this scenario are not used by the directory in the
traditional manner and, as such, using a GUID-based binding string won't
locate the owning object.  The invocation IDs (which are indeed GUIDs but
not objectGUIDs) are maintained on the DC's NTDSDSA instance (its NTDS
Settings object) by the "invocationId" property ... retired invocation IDs
are maintained by retiredReplDSASignatures.

ADfind can likely hit these ... but the GUIDs need to be expressed as part
of the query filter, not the base.  I'll leave joe (why does he insist on
using a little "j"?) to provide the ADfind syntax (it seems that no matter
how hard I try, joe will always have a better switch ... and if he doesn't
have one, I'm fairly certain he quickly adds it, quietly releases the new
binary with the same version number, posts the reply, ridicules my
uneducated attempt at using a "real tool" (joe's words, not mine) and
professes his innocence :0).


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, February 21, 2006 7:44 AM
To: [email protected]
Subject: RE: [ActiveDir] repadmin info oddity

Adfind (http://www.joeware.net/win/free/tools/adfind.htm) to the rescue!
I recently had to do this and got it accomplished with the following syntax
(with a little help from joe :)  ):

adfind -default -binenc -f objectGUID={{GUID:0B3F5BC4-5713-4611-8F6A-752A3B0DE664}} dn

("adfind /???" For lots of good info!)

Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of SCOTT KLASSEN
Sent: Monday, February 20, 2006 8:56 PM
To: [email protected]
Subject: [ActiveDir] repadmin info oddity

I try to keep up on new or updated MS KB articles and often check to see how
they correlate with my environment.  I noticed that 875495, dealing with USN
rollbacks, was updated earlier this month.  As I've experienced two AD
issues, both of which needed PSS involvement (one dealing with sysvol
inconsistency and the other which wound up being the RID master going on
temporary strike) I figured that I'd do a quick check as described in the
article.  On the good side, the USN's are consistent between controllers.
On the disconcerting side, I got a little more information than I was
expecting.  Besides my DC's, I also got USN listings for several GUIDs.  I
assume these are leftovers from DC demotions and only remain in the form of
historical data.  Do I need to worry about these (especially the DC1
(retired) listing) and is there a way I can resolve the GUIDs to names, find
where this info is hiding, and clear them out?

Thanks,

Scott Klassen

  >repadmin /showutdvec dc1 dc=domain,dc=com
Caching GUIDs.
..
Default-First-Site-Name\DC2      @ USN    455091 @ Time 2006-02-20 20:08:20
2c92760e-e8fc-4418-947e-3b1016ab8514 @ USN   1012381 @ Time 2005-08-04 00:02:34
6e129965-56c3-469e-b70a-f1fdfb8bb2cc @ USN    969931 @ Time 2004-07-24 11:53:16
Default-First-Site-Name\DC1      @ USN   1717571 @ Time 2006-02-20 20:10:50
Default-First-Site-Name\DC1 (retired) @ USN   1298674 @ Time 2005-08-05 06:36:16
e2199f22-f1dd-4d1c-90a6-0e8bb874f355 @ USN    744173 @ Time 2004-12-28 20:52:04
ff0d7d50-214f-4bc1-96b6-55ac6ef317f0 @ USN    852323 @ Time 2005-06-08 14:29:20


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/