JSI Tip 5898. Freeware ADFind.
November 3, 2002
Click for Download link and official documentation.
I quote:
AdFind
Summary
Command line Active Directory query tool. Mixture of ldapsearch, search.vbs, ldp, dsquery, and dsget tools with a ton of other cool features thrown in for good measure.
Warranty
See warranty.
Platforms
Windows 2000 against Active Directory and AD/AM
Windows Server 2003 against Active Directory and AD/AM
Windows XP against Active Directory and AD/AM
Current Version
Version 1.27.00 - November 5, 2005
Modification(s) from previous version
Added -pr. Phantom root. Allows cross-NC searching.
Added -list. List output format. Single attribute of objects, say sAMAccountName.
Added -soao. Sorted Order Attribute Output. Output of attribs is in attribute name sorted order.
Added -oao. Ordered Attribute Output. Output of attribs in order specified on command line.
Added -csv. Delimited output.
Added -csvdelim. Specifies delimiter for -csv.
Added -csvmvdelim. Specifies delimiter for multivalues for -csv.
Added -csvq. Specifies quote character for csv fields for -csv.
Added -nocsvheader. Don't output attribute header for -csv.
Added -incldn. Specifies a simple search string for the DNs of what objects to display (like excldn).
Added -incldndelim. Delimiter to separate multiple strings for -incldn.
Added -e. Read options/switches from environment variables.
Added -ef. Read options/Switches from a file.
Added -tdcs. Decode int8 time values but with better format for sorting compared to -tdc.
Added -utc. Used with -tdc(s). Use UTC time instead of localtime for output.
Added -po. Prints out all switches and attribs specified through command line, -e, and -ef.
Broke help into multiple levels for easier use by inexperienced users.
Added port info on host connection output string.
Added TZ string for -tdc(s).
Decode msDS-User-Account-Control-Computed when using -samdc
Fixed stats filter expansion bug
Removed some extra strings output for -dsq
Forum
Security Requirements
There are no local security requirements for running AdFind. Information returned from Active Directory and AD/AM will be dependent on the security configured for the directory. Generally a normal Active Directory user can return a considerable amount of information from Active Directory while AD/AM tends to be a little more locked down.
The -showdel option will require permissions to see into the cn=Deleted Objects container. By default, this requires administrator permissions. It can be modified but it is involved.
The STATS control options (stats, stats+, statsonly, stats+only) require the user to have DEBUG_PRIVILEGE on the server being queried. This generally means admin access is required to use that functionality.
The -sdna (Security Descriptor Non-Admin) option can be used to tell LDAP to not return the SACL portion of the ACL. This will allow users without auditing rights to retrieve most of the Security Descriptor of an object. Specifically, the Owner, Group Owner, and DACL information will be returned. If you attempt to use the -sddl, -sddc, -owner* options and you don't get the information returned, add the -sdna option to see if that helps.
Language
C++. Compiled with Borland Builder 6.0
Source Code Availability
None
Story
AdFind was put together when I finally got sick of the limitations in ldapsearch and search.vbs and didn't want to continue writing quick vbscript solutions every time I needed some generic info. Plus, anyone will tell you vbscript doesn't handle several of the attributes in Active Directory very well. Some time after I had this tool out there for some time, Microsoft introduced dsquery and dsget. While they are nice tools, adfind continues to be more flexible and I rarely if ever use the ds* tools. I did, however, like the ability to pipe the results from the query into other command line tools so I emulated that functionality from the ds* series with adfind with the -dsq option.
Add-Ons
ADCSV.PL - Perl script to convert ADFIND output to CSV style format. Included in ZIP file for AdFind. No I will not rewrite this in vbscript. I dislike vbscript.
Version History
Update: Version 1.02.00 - Decode more GUID attributes, maintains attribute name case versus converting to lowercase, convert non-print chars to ?.
Update: Version 1.03.00 - Changed how I identified what was a single value SID or GUID field for decoding. Seems MS decided to make a couple of GUID fields that were actually UNICODE strings octet strings. I got bit by it when working on a little project to do programmatic AD ACL enumerations from a perl script.
Update: Version 1.04.00 - Added option to allow changing timeout value, also increased page timeout default to 120 seconds from 60 seconds. Added bitwise filter conversion option which will convert simple strings to bitwise OID values. Changes some of the error handling because some error messages weren't seeing the light of day such as bad filter or timeout errors.
Update: Version 1.05.00 - Added anonymous connection capability. Also added Simple authentication capability
Update: Version 1.06.00 - Changed -dn and -c options to not return values unless specifically asked for.
Update: Version 1.07.00 - Added more SID/GUID attributes for decoding. Most specifically for Exchange 2000.
Update: Version 1.08.00 - Added more SID/GUID attributes for decoding. Most specifically for Dot NET Domains.
Update: Version 1.09.00 - Attempting to read schema to determine binary/GUID/SID attributes. Display Binary Info as HEX. Also fixed some bad memory management I was doing during count and DN only operations. You should notice less memory being used for these operations.
Update: Version 1.10.00 - Added No referrals option (-nr). Added Page size option (-ps)
Update: Version 1.11.00 - 02/23/2003 - Added port option (-p)
Update: Version 1.12.00 - 05/24/2003 - Fixed a bug in the -BIT option with OR. Also added -default, -root, -schema, -config that can be used instead of having to specify the full DN for those partitions with -b.
Update: Version 1.13.00 - 12/01/2003 - Never publicly released, fixed a small bug.
Update: Version 1.14.00 - 04/10/2004 - Added decode sid option (-sddc), added dsquery style output for Deano (-dsq), added elapsed time counter (-elapsed), added sort (-sort) and reverse sort (-rsort), added show deleted objects (-showdel) which inserts the deleted objects display OID into the server control, added new parameter validation system I worked up for oldcmp.
Update: Version 1.14.01 - 04/11/2004 - Added a line outputting the full SDDL string for security descriptors because ~Eric asked for it. :o)
Update: Version 1.15.00 - 04/24/2004 - Fixed an issue with the elapsed time option, it was really screwed up. ;o)
Update: Version 1.16.00 - 05/20/2004 - Change for internal attrib identification for display. Took into account defunct attribs.
Update: Version 1.17.00 - 05/29/2004 - Added several new options: /stats, /stats+, /statsonly, /stats+only - all of these are for displaying LDAP STATS info on Windows 2003 AD. They will help you determine how efficient a given query is. Some additional options: /extname which will give you the GUID and SID bind DNs as well as the regular DN, /exterr which will display some additional error info - specifically dsid codes which PSS likes to see. I also added some additional functionality that works all the time and that is closest match display if you specify a bad base DN and also it will display any referrals generated.
Update: Version 1.18.00 - 07/05/2004 - Fixed a leak in the ldap result section added last version. Fixed a bug in the Stats section on how it displayed the bitwise AND|OR. Fixed the display of deleted objects. You will note that you usually have a new line in the middle of the name and cn fields with K3 and also the DN and distinguishedName fields in 2K. MS fixed the DN for K3 but missed the others, I catch them all.
Update: Version 1.19.00 - 08/09/2004 - Fixed a bug with decoding of lastLogonTimestamp. Fixed a bug where you couldn't use -root. Added relative base option (-rb). Added -binenc option, this allows you to specify guids and sids in nice human format in a query and it will convert it (ex: objectsid={{sid:S-1-5-21-3593593216-2729731540-1825052264-1105}}). Add excl option to exclude display of certain attribs. I also added some code to catch what appears to be a bug in AD. Occasionally STATS control will return a DWORD value where it should return an OctetString. This was throwing exceptions in AdFind. Now it will capture it and set the bad values to be "".
Update: Version 1.20.00 - 08/10/2004 - Found out more about STATS bug, added additional usage info and throw up a message when it occurs. MS requires DEBUG_PRIVILEGE on the DC in order to return STATS info.
Update: Version 1.21.00 - 09/05/2004 - Fixed division by zero error, fixed some usage text.
Update: Version 1.22.00 - 09/18/2004 - Added -selapsed, fixed bug in -sddl, added ldap directory determination capability
Update: Version 1.23.00 - 09/22/2004 - Added lockoutTime to list of time values to be decoded
Update: Version 1.24.00 - 09/30/2004 - Recompiled to remove Debug info
Update: Version 1.25.00 - 12/10/2004 - Added several options - maxe,sddl,kerbenc,ff,samdc,excldn,excldndelim. Port can be specified in -h option. -sddc functionality changed to not append nTSecurityDescriptor attribute if attribs are specified. Dot (.) specified for -h gets translated to localhost.
Update: Version 1.25.01 - 12/10/2004 - Missed cleaning up some debug statements from 1.25.00.
Update: Version 1.26.00 - 02/12/2005 - Fixed stats bug. Fixed stats base search message bug. Fixed bug in "-h .". Fixed bug in ranging for K3. Added -nodn, -nolabel, -noctl, -owner, -owneronly, -ownercsv, -sdna.
Update: Version 1.27.00 - 11/05/2005 - Fixed bug in stats filter expansion. Decode msDS-User-Account-Control-Computed with -samdc. Add TZ string for -tdc(s). Added port info on host connection output info. Broke help up. Added -pr, -list, -soao, -oao,-csv, -csvdelim, -csvmvdelim, -csvq, -nocsvheader, -incldn, -incldndelim, -e, -ef, -tdcs, -utc, -po.
Usage
adfind [switches] [-b basedn] [-f filter] [attr list]
Any option that you specify that has spaces or special characters such as &, |, <, >, etc. needs to be placed within quotes. All options/switches can be specified with either a / or a -. Type adfind /? for usage.
Switch/option, purpose, and example(s):

-b ""
    RFC 2253 DN to start the query from.
    Example: -b "cn=users,dc=domain,dc=com"

-f ""
    RFC 2254 LDAP Filter.
    Example: -f "(&(objectcategory=person)(objectclass=user))"

-h "[:]"
    Server hosting LDAP service to connect to. Default is default LDAP Server. If machine is member of Windows Active Directory Domain this is automatically determined, anything else will require the host to be specified. Port can be specified with host name, not required. If dot (.) is specified then host name is considered to be localhost.
    Examples:
        -h server2
        -h server2:3000
        -h .

-s
    LDAP scope of search. Available options are the standard LDAP options: base, one, and subtree. Default value is subtree.
    Example: -s base

-t
    How long query should wait on the server before terminating. Use this when you have a slow server or a slow query and you get timeout errors. Default value is 120 seconds.
    Example: -t 300

-gc
    Indicates that the global catalog port should be queried. If the -h option is not specified and the machine running adfind is in an active directory domain it will locate the nearest global catalog to use.
    Example: -gc

-ff
    Read filter from file. This is handy if you have a filter too large to be specified on the command line.
    Example: -ff filter.txt

-c
    Only display count of objects returned.
    Example: -c

-maxe xx
    Max entries to be returned.
    Example: -maxe 100

-dn
    Only display DNs of objects returned.
    Example: -dn

-nodn
    Don't display object DNs.
    Example: -nodn

-nolabel
    Don't display attribute labels.
    Example: -nolabel

-noctl
    Convert control characters to spaces.
    Example: -noctl

-excldn xx;xx;xx
    Specify a string or strings to be checked against the DN to see if the object should be filtered from the output. This is case insensitive and the object will still be returned from the server, it just won't be displayed. Default separator between strings is semicolon but can be switched with -excldndelim. You can not use this switch in combination with the -c option. I apologize but the code flow currently doesn't support it. The -c option is optimized for maximum speed so never unpacks the LDAP packets returned.
    Example: -excldn "cn=domain controllers,;cn=users";bob

-excldndelim x
    Changes the delimiter character for -excldn.
    Example: -excldndelim !

-incldn xx;xx;xx
    Specify a string or strings to be checked against the DN to see if the object should be displayed. This is case insensitive and the objects returned from the server will not be impacted, just what is displayed. Default separator between strings is semicolon but can be switched with -incldndelim. You can not use this switch in combination with the -c option. I apologize but the code flow currently doesn't support it. The -c option is optimized for maximum speed so never unpacks the LDAP packets returned.
    Example: -incldn "cn=domain controllers,;cn=users";bob

-incldndelim x
    Changes the delimiter character for -incldn.
    Example: -incldndelim !

-excl
    Exclude specific attributes from being displayed. This is helpful when you want to display all attributes of an object except for one or two. List must be semi-colon delimited.
    Example: -excl whenchanged;whencreated

-bit
    Enables the bitwise operator filter conversion. This allows you to specify :AND:= and :OR:= instead of the actual AND and OR bitwise OIDs. Note that AND and OR must be specified in CAPS in the filter.
    Example: -bit
        combined with a filter like
        -f useraccountcontrol:AND:=2

-binenc
    Enables the binary value filter conversion. This allows you to specify SIDs and GUIDs in a readable format and AdFind converts them to the proper LDAP Binary string format for searching. SIDs must be specified as {{SID:}} and GUIDs must be specified as {{GUID:}}.
    Example: -binenc
        combined with a filter like the following
        -f "objectsid={{SID:S-1-5-21-1862701446-4008382571-2198042679-500}}"
        -f "objectguid={{GUID:26C18F02-9B73-495B-9F53-8207FC72527D}}"

-kerbenc
    Enables LDAP_OPT_ENCRYPT which encrypts traffic when default authentication is used and kerberos was the mechanism for the authentication.
    Example: -kerbenc

-simple
    Enables simple authentication. Use with -u and -up. For anonymous authentication just specify -simple.
    Example: -simple

-u ""
    Used to provide alternate credentials from the user running AdFind. The user can be specified as a DN, UPN, or NT Style ID for simple auth; for secure auth only UPN and NT Style are valid.
    Examples:
        -u CN=joeuser,CN=Users,DC=domain,DC=com
        -u domain\joeuser

-up
    Password of user specified with -u.
    Example: -up MySecurePassword!!

-dloid
    Don't load OIDs for GUID/SID decode logic.
    Example: -dloid

-ps size
    Specify page size which is the number of records returned in each LDAP page. Default is 1000. Active Directory has a max page size of 1000.
    Example: -ps 20

-nr
    Do not follow LDAP referrals.
    Example: -nr

-p port
    Specify port to use. This really doesn't need to be used for Active Directory, it is more for AD/AM.
    Example: -p 9009

-root
    Special base designator. Auto populates -b with DN of the root of the forest.
    Example: -root

-config
    Special base designator. Auto populates -b with DN of the configuration container for the forest.
    Example: -config

-schema
    Special base designator. Auto populates -b with DN of the schema container of the forest.
    Example: -schema

-default
    Special base designator. Auto populates -b with DN of the default naming context of the server connected to.
    Example: -default

-rb ""
    This is used with one of the other base specifiers such as -b, -root, -config, -schema, -default. Allows you to get away from typing part of the base.
    Example: -rb cn=sites
        combined with
        -config

-dsq
    Output only DNs in dsquery format, i.e. quoted DNs.
    Example: -dsq

-sort
    Specify attribute that result set should be sorted by. Note that this is processed at the server and can be harsh on the server for large result sets.
    Example: -sort samaccountname

-rsort
    Same as sort, but in reverse.
    Example: -rsort samaccountname

-elapsed
    Show elapsed time in seconds of the search.
    Example: -elapsed

-selapsed
    Show elapsed time in seconds of various steps in the query such as bind, rootdse bootup query, etc.
    Example: -selapsed

-tdc
    Decode common time fields such as pwdLastSet, lastLogon, etc. from their native 64 bit integer (FILETIME) format to human readable. If you encounter a time field that is from Microsoft that isn't being decoded, please contact me.
    Example: -tdc

-tdcs
    Decode common time fields such as pwdLastSet, lastLogon, etc. from their native 64 bit integer (FILETIME) format to human readable. If you encounter a time field that is from Microsoft that isn't being decoded, please contact me. Output is in a format that is better for sorting.
    Example: -tdcs

-utc
    Tells -tdc(s) to output in UTC instead of local TZ.
    Example: -utc

-sddl
    Partial decode of security descriptors. This will take an sd such as ntSecurityDescriptor and decode it to sddl.
    Example: -sddl

-sddc
    Partial decode of security descriptors. This will take an sd such as ntSecurityDescriptor and decode it to sddl.
    Example: -sddc

-owner
    Display decoded owner of object as a normal attribute in the returned values. Attribute label is _OBJECT_OWNER.
    Example: -owner

-owneronly
    Display DN and owner only in standard format.
    Example: -owneronly

-ownercsv
    Display DN and owner only in semi-colon delimited format.
    Example: -ownercsv

-sdna
    Security Descriptor Non-Admin. Attempts to return a limited set of info for the object ACL. This should be used if you can't retrieve the nTSecurityDescriptor of an object. It will exclude the SACL from being returned which may allow the user access to return the attribute.
    Example: -sdna

-samdc
    Decode of some SAM attribs. Specifically userAccountControl, sAMAccountType, groupType.
    Example: -samdc

-showdel
    This adds the Show Deleted OID to the server controls so that the query will be allowed to see deleted items.
    Example: -showdel

-extname
    Enables the return of extended name information for the DNs of objects. This extended name includes the DN as well as the objectGuid. The format of the extended name output looks like: ;CN=Sites, CN=Configuration,DC=domain,DC=com
    Example: -extname

-exterr
    Enables the display of extended error information for any query that is generating an error. This will include more detailed information about the error including the DSID which MS PSS likes to have for troubleshooting problems with Active Directory Search issues as it points to a specific line of code.
    Example: -exterr

-stats
    Enables STATS control and the display of the returned information. The feature requires Windows Server 2003 Active Directory.
    Example: -stats

-statsonly
    Disables all output except for the STAT control information. The feature requires Windows Server 2003 Active Directory.
    Example: -statsonly

-stats+
    Same as -stats but also has some "analyzed" results including redisplaying the used filter in a simple breakdown mode. The feature requires Windows Server 2003 Active Directory.
    Example: -stats+

-stats+only
    Disables all output except for the information displayed by -stats+. The feature requires Windows Server 2003 Active Directory.
    Example: -stats+only

-pr
    Phantom Root. Search across all NCs covered by the specified base such as -b com or -b "".
    Example: -pr

-list
    List mode. Specify a single attribute and it will generate a list format output of that attribute.
    Example: -list

-soao
    Sorted Order Attribute Output. Output attribs for each object in an order defined by sorted attribute names.
    Example: -soao

-oao ""
    Ordered Attribute Output. Output attribs for each object in order attribs are specified on command line. You can specify value to use for attributes that do not have a value. By default, value will be blank.
    Example: -oao

-csv ""
    CSV output. Phantom Root. You can specify value to use for attributes that do not have a value. By default, value will be blank.
    Example: -csv

-csvdelim ""
    Delimiter for CSV output. Default is comma (,).
    Example: -csvdelim "|"

-csvmvdelim ""
    Delimiter for multivalue attributes in CSV output. Default is semicolon (;).
    Example: -csvmvdelim ":"

-csvq ""
    Specify quote character for fields in CSV output. Default is quote (").
    Example: -csvq ""

-nocsvheader
    Don't output attribute header at top of CSV output.
    Example: -nocsvheader

-e ""
    Grab switches and attribs to retrieve from environment for query. Default env var prefix is adfind-. See adfind /??? for details.
    Example: -e adam1

-ef ""
    Read switches and attribs from file. Default file is adfind.cf. See adfind /??? for details.
    Example: -ef adam1.cf

-po
    Print out all switches and attributes specified on command line, -e, or -ef.
    Example: -po
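The -bit and -binenc switches above describe a rewrite AdFind performs on the filter string before the search is sent: the :AND:= / :OR:= shorthand becomes Microsoft's bitwise matching-rule OIDs, and a {{SID:...}} or {{GUID:...}} marker becomes the RFC 4515 backslash-escaped binary value the server actually compares against. The Python below is an added example written for this page, not AdFind's code (AdFind is closed-source C++); it shows what those two rewrites produce and, since the same byte layout is what AdFind decodes when it prints objectSid, includes the reverse SID decode. The two OIDs are Microsoft's documented LDAP_MATCHING_RULE_BIT_AND and LDAP_MATCHING_RULE_BIT_OR; the function names (sid_to_bytes, bytes_to_sid, guid_to_bytes, escape_binary, expand_filter) are chosen here. The SID and GUID values used are the ones from the -binenc row.

```python
# Added example (not AdFind's own code): expand the -bit and -binenc filter
# shorthand described in the switch table into standard LDAP filter syntax.
import re
import struct
import uuid

# Microsoft's documented bitwise matching-rule OIDs (what :AND:= / :OR:= stand for).
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"


def sid_to_bytes(sid: str) -> bytes:
    """Pack an S-1-5-21-... string into the binary form stored in objectSid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if len(subauths) > 15:
        raise ValueError("SID has too many sub-authorities")
    # Layout: revision (1 byte), sub-authority count (1 byte),
    # identifier authority (6 bytes, big-endian), then each
    # sub-authority as a little-endian DWORD.
    out = struct.pack("<BB", revision, len(subauths)) + authority.to_bytes(6, "big")
    for sub in subauths:
        out += struct.pack("<I", sub)
    return out


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes: the decode applied when objectSid is displayed."""
    revision, count = struct.unpack_from("<BB", raw, 0)
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subauths = struct.unpack_from(f"<{count}I", raw, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subauths)])


def guid_to_bytes(guid: str) -> bytes:
    """objectGUID is stored in Windows GUID (mixed-endian) byte order."""
    return uuid.UUID(guid.strip("{}")).bytes_le


def escape_binary(raw: bytes) -> str:
    """RFC 4515 value escaping: every byte written as a backslash plus two hex digits."""
    return "".join(f"\\{b:02x}" for b in raw)


# The {{SID:...}} / {{GUID:...}} marker syntax from the -binenc row.
_BINENC = re.compile(r"\{\{(SID|GUID):([^}]+)\}\}", re.IGNORECASE)


def expand_filter(flt: str, bit: bool = True, binenc: bool = True) -> str:
    """Apply the -bit and -binenc rewrites to an LDAP filter string."""
    if bit:
        # The docs require AND/OR in caps, so only those spellings are rewritten.
        flt = flt.replace(":AND:=", f":{LDAP_MATCHING_RULE_BIT_AND}:=")
        flt = flt.replace(":OR:=", f":{LDAP_MATCHING_RULE_BIT_OR}:=")
    if binenc:
        def _repl(m):
            kind, value = m.group(1).upper(), m.group(2).strip()
            raw = sid_to_bytes(value) if kind == "SID" else guid_to_bytes(value)
            return escape_binary(raw)
        flt = _BINENC.sub(_repl, flt)
    return flt


if __name__ == "__main__":
    print(expand_filter("(useraccountcontrol:AND:=2)"))
    print(expand_filter("(objectsid={{SID:S-1-5-21-1862701446-4008382571-2198042679-500}})"))
    print(expand_filter("(objectguid={{GUID:26C18F02-9B73-495B-9F53-8207FC72527D}})"))
```

The escaped form is long and unreadable, which is exactly why the -binenc shorthand exists; the round trip through bytes_to_sid is a cheap sanity check that the packing matches what the directory stores.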
Notes about STATS functionality
Hit rate is a function of data in the directory and the specific filter being used; it is not an absolute measure across directories. You could use a query of (&(objectcategory=person)(objectclass=user)) in one directory and get a hit rate of 95%, but in another that has a bunch of contacts you could get a hit rate of 40% or less.
Examples
Retrieving object named testuser and decoding time attributes.
F:DEVcppAdFind>adfind -b dc=joe,dc=com -f name=testuser -tdc
AdFind V01.24.00cpp Joe Richards ([email protected]) September 2004
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
dn:CN=TestUser,OU=Protected,OU=TestOU,DC=joe,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: TestUser
>sn: User
>description: Test Description
>physicalDeliveryOfficeName: joe's office
>userPassword: 6A6F 6570 6173 73
>givenName: Test
>distinguishedName: CN=TestUser,OU=Protected,OU=TestOU,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20040401215600.0Z
>whenChanged: 20040825210426.0Z
>displayName: TestUser
>uSNCreated: 21431
>memberOf: CN=Domain Users,CN=Users,DC=joe,DC=com
>uSNChanged: 445256
>company: joeware.net
>name: TestUser
>objectGUID: {EBED58CB-2264-4FF7-B448-CC78459C7C1D}
>userAccountControl: 512
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>homeDirectory: \fdsharename
>homeDrive: Z:
>badPasswordTime: 00/00/0000-00:00:00
>lastLogoff: 00/00/0000-00:00:00
>lastLogon: 07/13/2004-09:29:42
>logonHours: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF
>pwdLastSet: 08/25/2004-17:04:26
>primaryGroupID: 1667
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-1121
>accountExpires: 00/00/0000-00:00:00
>logonCount: 1
>sAMAccountName: TestUser
>sAMAccountType: 805306368
>userPrincipalName: [email protected]
>lockoutTime: 0
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com
>lastLogonTimestamp: 07/13/2004-09:29:42
1 Objects returned
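In the output above, -tdc has turned the raw 64-bit FILETIME values of lastLogon, pwdLastSet and friends into MM/DD/YYYY-HH:MM:SS local time, with unset values shown as 00/00/0000-00:00:00, while userAccountControl (512) and sAMAccountType (805306368) are still raw numbers that -samdc would decode. The Python below is an added example for this page, not AdFind's code, that performs both decodes. The FILETIME epoch and the flag and type constants are Microsoft's documented values; the exact -tdcs layout is not given on the page, so the year-first format used for sortable=True is an assumption, as is the "Never" label for the accountExpires sentinel 0x7FFFFFFFFFFFFFFF; decode_filetime, encode_filetime, decode_uac and decode_sam_account_type are names chosen here.

```python
# Added example (not AdFind's own code): decode the attribute families that
# -tdc/-tdcs/-utc and -samdc decode in the AdFind output shown above.
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF  # accountExpires value meaning "never expires"


def decode_filetime(value, sortable: bool = False, utc: bool = True) -> str:
    """Render a FILETIME integer the way -tdc (or -tdcs with sortable=True) does.

    utc=False converts to the local time zone, which is -tdc without -utc.
    The year-first sortable layout is an assumption about -tdcs, not taken from the page.
    """
    ticks = int(value)
    if ticks <= 0:
        return "00/00/0000-00:00:00"  # unset, as badPasswordTime appears in the output above
    if ticks >= FILETIME_NEVER:
        return "Never"  # label chosen here for the "never expires" sentinel
    dt = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    if not utc:
        dt = dt.astimezone()
    fmt = "%Y/%m/%d-%H:%M:%S" if sortable else "%m/%d/%Y-%H:%M:%S"
    return dt.strftime(fmt)


def encode_filetime(dt: datetime) -> int:
    """Inverse of decode_filetime; useful for building -binenc-free time filters."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


# userAccountControl bit flags (Microsoft's documented ADS_USER_FLAG values).
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# sAMAccountType is a single enumerated value, not a bit field.
SAM_ACCOUNT_TYPES = {
    0x00000000: "SAM_DOMAIN_OBJECT",
    0x10000000: "SAM_GROUP_OBJECT",
    0x10000001: "SAM_NON_SECURITY_GROUP_OBJECT",
    0x20000000: "SAM_ALIAS_OBJECT",
    0x20000001: "SAM_NON_SECURITY_ALIAS_OBJECT",
    0x30000000: "SAM_NORMAL_USER_ACCOUNT",
    0x30000001: "SAM_MACHINE_ACCOUNT",
    0x30000002: "SAM_TRUST_ACCOUNT",
    0x40000000: "SAM_APP_BASIC_GROUP",
    0x40000001: "SAM_APP_QUERY_GROUP",
}


def decode_uac(value) -> list:
    """List the flag names set in a userAccountControl value, lowest bit first."""
    bits = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if bits & bit]


def decode_sam_account_type(value) -> str:
    return SAM_ACCOUNT_TYPES.get(int(value), f"UNKNOWN(0x{int(value):08X})")


if __name__ == "__main__":
    # 512 and 805306368 are the values TestUser shows in the output above.
    print(decode_uac(512), decode_sam_account_type(805306368))
    print(decode_filetime(encode_filetime(datetime(2004, 8, 25, 21, 4, 26, tzinfo=timezone.utc))))
```

Bit 0x2 in the table is the ACCOUNTDISABLE flag that the FAQ's disabled-account filter (useraccountcontrol:AND:=2) tests for, so the same table explains both what -samdc prints and what that -bit filter matches.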
Retrieve rootdse of default LDAP server.
F:DEVcppAdFind>adfind -b -s base
AdFind V01.24.00cpp Joe Richards ([email protected]) September 2004
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
dn:
>currentTime: 20040905143244.0Z
>subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=joe,DC=com
>dsServiceName: CN=NTDS Settings,CN=2K3DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=joe,DC=com
>namingContexts: DC=joe,DC=com
>namingContexts: CN=Configuration,DC=joe,DC=com
>namingContexts: CN=Schema,CN=Configuration,DC=joe,DC=com
>namingContexts: DC=DomainDnsZones,DC=joe,DC=com
>namingContexts: DC=ForestDnsZones,DC=joe,DC=com
>defaultNamingContext: DC=joe,DC=com
>schemaNamingContext: CN=Schema,CN=Configuration,DC=joe,DC=com
>configurationNamingContext: CN=Configuration,DC=joe,DC=com
>rootDomainNamingContext: DC=joe,DC=com
>supportedControl: 1.2.840.113556.1.4.319
>supportedControl: 1.2.840.113556.1.4.801
>supportedControl: 1.2.840.113556.1.4.473
>supportedControl: 1.2.840.113556.1.4.528
>supportedControl: 1.2.840.113556.1.4.417
>supportedControl: 1.2.840.113556.1.4.619
>supportedControl: 1.2.840.113556.1.4.841
>supportedControl: 1.2.840.113556.1.4.529
>supportedControl: 1.2.840.113556.1.4.805
>supportedControl: 1.2.840.113556.1.4.521
>supportedControl: 1.2.840.113556.1.4.970
>supportedControl: 1.2.840.113556.1.4.1338
>supportedControl: 1.2.840.113556.1.4.474
>supportedControl: 1.2.840.113556.1.4.1339
>supportedControl: 1.2.840.113556.1.4.1340
>supportedControl: 1.2.840.113556.1.4.1413
>supportedControl: 2.16.840.1.113730.3.4.9
>supportedControl: 2.16.840.1.113730.3.4.10
>supportedControl: 1.2.840.113556.1.4.1504
>supportedControl: 1.2.840.113556.1.4.1852
>supportedControl: 1.2.840.113556.1.4.802
>supportedLDAPVersion: 3
>supportedLDAPVersion: 2
>supportedLDAPPolicies: MaxPoolThreads
>supportedLDAPPolicies: MaxDatagramRecv
>supportedLDAPPolicies: MaxReceiveBuffer
>supportedLDAPPolicies: InitRecvTimeout
>supportedLDAPPolicies: MaxConnections
>supportedLDAPPolicies: MaxConnIdleTime
>supportedLDAPPolicies: MaxPageSize
>supportedLDAPPolicies: MaxQueryDuration
>supportedLDAPPolicies: MaxTempTableSize
>supportedLDAPPolicies: MaxResultSetSize
>supportedLDAPPolicies: MaxNotificationPerConn
>supportedLDAPPolicies: MaxValRange
>highestCommittedUSN: 463105
>supportedSASLMechanisms: GSSAPI
>supportedSASLMechanisms: GSS-SPNEGO
>supportedSASLMechanisms: EXTERNAL
>supportedSASLMechanisms: DIGEST-MD5
>dnsHostName: 2k3dc01.joe.com
>ldapServiceName: joe.com:[email protected]
>serverName: CN=2K3DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=joe,DC=com
>supportedCapabilities: 1.2.840.113556.1.4.800
>supportedCapabilities: 1.2.840.113556.1.4.1670
>supportedCapabilities: 1.2.840.113556.1.4.1791
>isSynchronized: TRUE
>isGlobalCatalogReady: TRUE
>domainFunctionality: 2
>forestFunctionality: 2
>domainControllerFunctionality: 2
1 Objects returned
Retrieve rootdse of default LDAP server and show super elapsed timing.
F:DEVcppAdFind>adfind -b -s base -selapsed
AdFind V01.24.00cpp Joe Richards ([email protected]) September 2004
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
dn:
>currentTime: 20040919222116.0Z
>subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=joe,DC=com
>dsServiceName: CN=NTDS Settings,CN=2K3DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=joe,DC=com
>namingContexts: DC=joe,DC=com
>namingContexts: CN=Configuration,DC=joe,DC=com
>namingContexts: CN=Schema,CN=Configuration,DC=joe,DC=com
>namingContexts: DC=DomainDnsZones,DC=joe,DC=com
>namingContexts: DC=ForestDnsZones,DC=joe,DC=com
>defaultNamingContext: DC=joe,DC=com
>schemaNamingContext: CN=Schema,CN=Configuration,DC=joe,DC=com
>configurationNamingContext: CN=Configuration,DC=joe,DC=com
>rootDomainNamingContext: DC=joe,DC=com
>supportedControl: 1.2.840.113556.1.4.319
>supportedControl: 1.2.840.113556.1.4.801
>supportedControl: 1.2.840.113556.1.4.473
>supportedControl: 1.2.840.113556.1.4.528
>supportedControl: 1.2.840.113556.1.4.417
>supportedControl: 1.2.840.113556.1.4.619
>supportedControl: 1.2.840.113556.1.4.841
>supportedControl: 1.2.840.113556.1.4.529
>supportedControl: 1.2.840.113556.1.4.805
>supportedControl: 1.2.840.113556.1.4.521
>supportedControl: 1.2.840.113556.1.4.970
>supportedControl: 1.2.840.113556.1.4.1338
>supportedControl: 1.2.840.113556.1.4.474
>supportedControl: 1.2.840.113556.1.4.1339
>supportedControl: 1.2.840.113556.1.4.1340
>supportedControl: 1.2.840.113556.1.4.1413
>supportedControl: 2.16.840.1.113730.3.4.9
>supportedControl: 2.16.840.1.113730.3.4.10
>supportedControl: 1.2.840.113556.1.4.1504
>supportedControl: 1.2.840.113556.1.4.1852
>supportedControl: 1.2.840.113556.1.4.802
>supportedLDAPVersion: 3
>supportedLDAPVersion: 2
>supportedLDAPPolicies: MaxPoolThreads
>supportedLDAPPolicies: MaxDatagramRecv
>supportedLDAPPolicies: MaxReceiveBuffer
>supportedLDAPPolicies: InitRecvTimeout
>supportedLDAPPolicies: MaxConnections
>supportedLDAPPolicies: MaxConnIdleTime
>supportedLDAPPolicies: MaxPageSize
>supportedLDAPPolicies: MaxQueryDuration
>supportedLDAPPolicies: MaxTempTableSize
>supportedLDAPPolicies: MaxResultSetSize
>supportedLDAPPolicies: MaxNotificationPerConn
>supportedLDAPPolicies: MaxValRange
>highestCommittedUSN: 487991
>supportedSASLMechanisms: GSSAPI
>supportedSASLMechanisms: GSS-SPNEGO
>supportedSASLMechanisms: EXTERNAL
>supportedSASLMechanisms: DIGEST-MD5
>dnsHostName: 2k3dc01.joe.com
>ldapServiceName: joe.com:[email protected]
>serverName: CN=2K3DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=joe,DC=com
>supportedCapabilities: 1.2.840.113556.1.4.800
>supportedCapabilities: 1.2.840.113556.1.4.1670
>supportedCapabilities: 1.2.840.113556.1.4.1791
>isSynchronized: TRUE
>isGlobalCatalogReady: TRUE
>domainFunctionality: 2
>forestFunctionality: 2
>domainControllerFunctionality: 2
1 Objects returned
Elapsed Times: LDAP_OPEN 0.015 ROOT_DSE 0 PARTIAL_SCHEMA 0.172 LDAP_SEARCH_INIT 0 LDAP_GET_PAGES 0.078 LDAP_UNBIND 0
As seen in
http://www.jsiinc.com in tips and tricks
Windows IT Pro Magazine
Various blogs.
Thousands of USENET newsgroup postings.
ActiveDir Org postings.
FAQ
How do I display the rootdse of a domain controller with AdFind?
adfind -h servername -b -s base
How do I search across multiple domain trees in a forest on a Global Catalog? Specifying the forest root DN doesn't work.
adfind -gc -b -f ""
How do I search for disabled user accounts across the entire forest?
adfind -gc -b -bit -f "&(objectcategory=person)(samaccountname=*)(useraccountcontrol:AND:=2)" -dn
AdFind is going slow, how do I know what part of adfind is going slow?
Check out the -selapsed switch. It will break out the various parts of what ADFIND does and gives you times. So if the bind is going slow you should see that in the output.
How do I get AdFind to produce CSV output?
-csv will work if you specify the attributes you want. If you want all attributes, stream the data to a text file and then use the perl script adcsv.pl to convert the text file to a CSV text file. You will find the adcsv.pl script in the adfind.zip file with adfind.exe starting with AdFind V01.25.00.
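The answer above points at adcsv.pl for turning AdFind's default text output into CSV when you want every attribute. The Python below is an added example written for this page, not adcsv.pl or any AdFind code: a parser for the output format shown in the Examples section (a "dn:" line opens each object, ">attribute: value" lines follow, one per value, and the banner, blank separators and the "N Objects returned" footer carry no data), plus a CSV writer with the same knobs the -csv family exposes (delimiter, multi-value delimiter, quote character, header on/off, value for empty attributes). The sample output embedded in the block is constructed for the example; parse_adfind_output and to_csv are names chosen here.

```python
# Added example (not adcsv.pl or AdFind code): parse AdFind's default text
# output into objects and write selected attributes as CSV.
import csv
import io

# Constructed sample in AdFind's default output layout (not a real capture).
SAMPLE_OUTPUT = """\
AdFind V01.25.00cpp (constructed sample header)
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003

dn:CN=TestUser,OU=Protected,OU=TestOU,DC=joe,DC=com
>sAMAccountName: TestUser
>memberOf: CN=Domain Users,CN=Users,DC=joe,DC=com
>memberOf: CN=Admins,CN=Users,DC=joe,DC=com
>userAccountControl: 512

dn:CN=Backup Svc,OU=Service,DC=joe,DC=com
>sAMAccountName: svc_backup
>userAccountControl: 66048

2 Objects returned
"""


def parse_adfind_output(text):
    """Return a list of objects, each {attribute: [values...]} with the DN under 'dn'."""
    objects = []
    current = None
    for line in text.splitlines():
        if line.startswith("dn:"):
            # A new object starts; the DN may be empty (rootDSE).
            current = {"dn": [line[3:].strip()]}
            objects.append(current)
        elif line.startswith(">") and current is not None:
            # ">attr: value"; split on the first colon only, since values
            # such as ldapServiceName contain colons of their own.
            attr, sep, value = line[1:].partition(":")
            if sep:
                current.setdefault(attr.strip(), []).append(value.strip())
        # Banner lines, blank separators and the "N Objects returned" footer
        # are not object data and are skipped.
    return objects


def to_csv(objects, attrs, delim=",", mvdelim=";", quotechar='"', header=True, empty=""):
    """One CSV row per object; multi-valued attributes are joined with mvdelim."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=delim, quotechar=quotechar, lineterminator="\n")
    if header:
        writer.writerow(attrs)
    for obj in objects:
        # LDAP attribute names are case-insensitive, so match them that way.
        lookup = {name.lower(): values for name, values in obj.items()}
        writer.writerow([mvdelim.join(lookup.get(a.lower(), [])) or empty for a in attrs])
    return buf.getvalue()


if __name__ == "__main__":
    objects = parse_adfind_output(SAMPLE_OUTPUT)
    print(to_csv(objects, ["dn", "sAMAccountName", "memberOf"]))
```

Because DNs contain commas, the csv module quotes them automatically; choosing a delimiter such as | (the -csvdelim example) avoids most of that quoting when the file is destined for a tool that handles quotes poorly.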
How do I not display one OU nested in a bunch of other OUs I want to display?
Check out the -excldn option. It allows you to specify a string to match on DNs, if there is a match, the object will not be displayed.
How come I can't query for owner using _OBJECT_OWNER=someowner?
The ability for adfind to display the object owner with -owner and output it with an attribute label of _OBJECT_OWNER is a special function of adfind. The owner is not represented in the directory as that attribute, it is a small piece of a complicated binary blob structure. You can not initiate a search on owner like that, adfind will however allow you to enumerate the owners which is better than what you probably had before.
How come when I specify one of the -sddl/c switches the security descriptor doesn't display?
You probably don't have the requisite permissions. Try using the -sdna option to see if that helps. If it doesn't, you simply don't have permissions to see the security descriptor.
How do I know what I can use for a filter?
That is beyond the scope of adfind. It is a generic LDAP question and you should search the internet or pick up a few AD or LDAP books to learn how to use LDAP.
When AdFind displays groups, I want it to display the friendly names of the accounts that are members, not the DN. How do I do that?
Short answer is you don't. Adfind dumps what it finds in AD. While it could do what you ask, it would be expensive. The general way it works is that AD stores DNs in the member attribute. To retrieve anything else would require an individual call back to the DC for every member. So say you have 1000 groups with an average of 100 users per group. Just displaying the groups and DNs of the members takes a single call to AD. Resolving to friendly names would take 100,000 calls back to AD. You can imagine how much slower that would be. There is a special case when looking at a single group when the DC is a Windows 2003 DC which will retrieve the nice names, but that has not been implemented yet and there is no time frame for it being implemented.
When I get STATS on a multi-page query the time elapsed and count are off?
This is a bug in STATS in Windows 2003 Server Pre-SP1. It is corrected in SP1, upgrade when you can.
ADFIND doesn't seem to run on NT4 or against NT4, is this right?
Yes, it isn't expected to run on or against NT4.
More to come...