AdFind
Summary
Command line Active Directory query tool.
Mixture of ldapsearch, search.vbs, ldp, dsquery, and dsget tools with a ton
of other cool features thrown in for good measure.
Warranty
See warranty.
Platforms
- Windows 2000 against Active Directory and AD/AM
- Windows Server 2003 against Active Directory and AD/AM
- Windows XP against Active Directory and AD/AM
- Windows Vista against Active Directory and AD/AM
- Windows Longhorn against Active Directory and AD/AM
Current Version
Version 1.37.00 - June 24, 2007
Modification(s) from previous version
- Added new special base switches: forestdns, domaindns, gpo, psocontainer, ldappolicy, xrights, partitions, sites, subnets, exch, dcs, fsps
- Added new switches: noautoranging, onlyaclprot, onlyaclunprot
- Added the following shortcuts: rodcpas, rodcpasl, !rodcpas, !rodcpasl, export, sddldmp, sddlmap, sitedmp, subnetdmp, gpodmp, fspdmp, oudmp, showmeta, showmetas
- Updated switch: -replacedn
- Decode more time/interval values
- Decode attributes: options, mS-DS-ReplicatesNCReason
- Updated some of the decode functions for Longhorn (aka Windows Server 2008) values
- Updated STATS to work properly with Longhorn
- Fixed multiple usage typos
- Fixed bug with -mvfilter
- Streamlined some of the shortcuts
- Sped up SID resolution (especially in cases where there is an LDAP connection but no RPC connection)
- Changed "Coordinated Universal Time" in time decode to UTC.
Security Requirements
There are no local security requirements for running AdFind. The information returned from Active Directory and AD/AM depends on the security configured for the directory. Generally a normal Active Directory user can return a considerable amount of information from Active Directory, while AD/AM tends to be a little more locked down.
The -showdel option requires permission to see into the cn=Deleted Objects container. By default this requires administrator permissions. The permissions can be modified, but it is involved.
The STATS control options (stats, stats+, statsonly, stats+only) require the user to have DEBUG_PRIVILEGE on the server being queried. This generally means admin access is required to use that functionality.
The -sdna (Security Descriptor Non-Admin) or -nosacl options tell LDAP not to return the SACL portion of the security descriptor. Reading the SACL requires auditing rights (SeSecurityPrivilege, "Manage auditing and security log"), and a user without them typically gets no security descriptor back at all when the SACL is part of the request. Leaving the SACL out allows users without auditing rights to retrieve the rest of the security descriptor of an object: specifically, the Owner, Group Owner, and DACL information will be returned. If you use the -sddl, -sddc, or -owner* options and get no information back, add the -sdna option to see if that helps.
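The following Python is an added example and is not AdFind's own code (AdFind ships no source). It shows the two things a practitioner wants around -sdna: the value of the LDAP control that asks a domain controller for Owner, Group and DACL only (Active Directory's LDAP_SERVER_SD_FLAGS_OID control; that AdFind implements -sdna with exactly this control is an assumption, since the page does not say how it does it), and a parser that reports which parts of an nTSecurityDescriptor actually came back. The flag and control-bit values are the documented Windows constants; the sample descriptor is constructed here for illustration.

```python
"""Two checks that go with the -sdna / -nosacl advice above.

Added example, not AdFind's code. Assumed, not taken from the page: that
AdFind sends the LDAP_SERVER_SD_FLAGS_OID control for -sdna. The constants
are the documented Windows SECURITY_INFORMATION and SECURITY_DESCRIPTOR
control bits; build_sample_sd() constructs a descriptor for illustration.
"""
import struct

# Part 1: the control value that asks AD for everything except the SACL.
# SECURITY_INFORMATION bits, sent BER-encoded as SEQUENCE { INTEGER flags }.
SD_FLAGS_OID = "1.2.840.113556.1.4.801"
OWNER_SECURITY_INFORMATION = 0x01
GROUP_SECURITY_INFORMATION = 0x02
DACL_SECURITY_INFORMATION = 0x04
SACL_SECURITY_INFORMATION = 0x08
NON_ADMIN_FLAGS = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION


def sd_flags_control_value(flags):
    """BER-encode SEQUENCE { INTEGER flags }; flags <= 0x0F fits in one content byte."""
    if not 0 <= flags <= 0x0F:
        raise ValueError("flags must combine only the four SECURITY_INFORMATION bits")
    integer = bytes([0x02, 0x01, flags])
    return bytes([0x30, len(integer)]) + integer


# Part 2: given the nTSecurityDescriptor bytes that did come back, report which
# parts are present, to tell "no SACL because I asked for none" apart from
# "no DACL at all". Layout: self-relative SECURITY_DESCRIPTOR, little-endian.
SE_DACL_PRESENT = 0x0004
SE_SACL_PRESENT = 0x0010
SE_DACL_PROTECTED = 0x1000
SE_SACL_PROTECTED = 0x2000
SE_SELF_RELATIVE = 0x8000


def sid_to_string(blob, offset):
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian uint32 sub-authorities."""
    revision, count = blob[offset], blob[offset + 1]
    authority = int.from_bytes(blob[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, offset + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def describe_sd(sd):
    """Return owner/group SIDs and which ACLs are present in a self-relative SD."""
    revision, _, control, off_owner, off_group, off_sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    info = {
        "owner": sid_to_string(sd, off_owner) if off_owner else None,
        "group": sid_to_string(sd, off_group) if off_group else None,
        "dacl_present": bool(control & SE_DACL_PRESENT and off_dacl),
        "sacl_present": bool(control & SE_SACL_PRESENT and off_sacl),
        "dacl_protected": bool(control & SE_DACL_PROTECTED),
        "sacl_protected": bool(control & SE_SACL_PROTECTED),
    }
    if info["dacl_present"]:
        # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2
        _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
        info["dacl_ace_count"] = ace_count
    return info


def _sid_bytes(revision, authority, *subs):
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_sample_sd(with_sacl):
    """Constructed sample: owner and group BUILTIN\\Administrators (S-1-5-32-544),
    one ACCESS_ALLOWED_ACE granting full control (0x000F01FF) to that SID, and
    optionally an empty SACL, the part -sdna leaves out of the request."""
    admins = _sid_bytes(1, 5, 32, 544)
    ace = struct.pack("<BBHI", 0x00, 0x00, 8 + len(admins), 0x000F01FF) + admins
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(ace), 1, 0) + ace   # ACL revision 4 = ACL_REVISION_DS
    sacl = struct.pack("<BBHHH", 4, 0, 8, 0, 0) if with_sacl else b""
    control = SE_SELF_RELATIVE | SE_DACL_PRESENT | (SE_SACL_PRESENT if with_sacl else 0)
    off_owner = 20                                   # fixed 20-byte header
    off_group = off_owner + len(admins)
    off_sacl = off_group + len(admins) if with_sacl else 0
    off_dacl = off_group + len(admins) + len(sacl)
    header = struct.pack("<BBHIIII", 1, 0, control, off_owner, off_group, off_sacl, off_dacl)
    return header + admins + admins + sacl + dacl


if __name__ == "__main__":
    print("SD_FLAGS control value for -sdna:", sd_flags_control_value(NON_ADMIN_FLAGS).hex())
    print("without SACL:", describe_sd(build_sample_sd(False)))
    print("with SACL:   ", describe_sd(build_sample_sd(True)))
```

Run as-is it prints the control value (30 03 02 01 07) and the two descriptor reports. With your own LDAP client, attach the control with that value to the search and then hand the returned nTSecurityDescriptor bytes to describe_sd: a descriptor with owner, group and a DACL but no SACL is the expected non-admin result, whereas getting no attribute at all means the server refused the whole descriptor, which is the symptom the -sdna advice above addresses.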
Language
C++. Compiled with Borland Builder 6.0
Source Code Availability
None
Story
AdFind was put together when I finally got
sick of the limitations in ldapsearch and search.vbs and didn't want to
continue writing quick vbscript solutions every time I needed some generic
info. Plus, anyone will tell you vbscript doesn't handle several of the
attributes in Active Directory very well. Some time after I had this tool
out there, Microsoft introduced dsquery and dsget. While they
are nice tools, adfind continues to be more flexible and I rarely, if ever,
use the ds* tools. I did, however, like the ability to pipe the results from
the query into other command line tools so I emulated that functionality
from the ds* series with adfind with the -dsq option. One day I realized
that I could take the piping one step further and worked out the -adcsv
option which when combined with AdMod is extremely powerful for doing
updates to AD.
V01.31.00 added a bunch of new changes; some of these include shortcut
options. You can view information on the shortcut options with the new help
screen available through /????. The story behind these shortcut options was
that there were queries I was doing on a regular basis that I hated typing
up the whole command for. For
example, one of my most common queries is to check a schema object for its
definitions which would normally take the command adfind -schema -f "|(name=objectname)(ldapdisplayname=objectname)"
and now it is as simple as adfind -sc s:objectname. Another common one for
me is listing all of the schema objects with a specific prefix which
normally would look like adfind -schema -f "|(name=prefix*)(ldapdisplayname=prefix*)"
-sort -list ldapdisplayname and now it is adfind -sc sl:prefix*. Anyway
there are a ton of shortcuts, have fun.
Add-Ons
ADCSV.PL - Perl script to convert a full
ADFIND output dump to CSV style format. Included in the ZIP file for AdFind. No,
I will not rewrite this in vbscript; I dislike vbscript. I have received a
couple of vbscript scripts to do this, but I will not include them, as I
only include stuff that I have done so that I am only answering questions on
stuff I wrote. If you only need to export specific attributes, specify those
attributes and use the -csv option to get CSV output natively.
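As an added example (not the ADCSV.PL that ships with AdFind, and not the author's code), here is the same conversion in Python. The layout it parses, a dn: line followed by >attribute: value lines, a blank line between objects, and AdFind's banner and "N Objects returned" lines around them, is an assumption about the default dump format, which this page does not reproduce; the sample dump below is constructed.

```python
"""Convert a full AdFind attribute dump into CSV, the job ADCSV.PL does.

Added example, not ADCSV.PL. The dump layout is an assumption about AdFind's
default output; SAMPLE_DUMP is constructed to match that assumption.
"""
import csv
import io

SAMPLE_DUMP = """\
AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: dc1.example.com:389
Directory: Windows Server 2003

dn:CN=Alice Example,OU=Staff,DC=example,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>sAMAccountName: alice
>memberOf: CN=Helpdesk,OU=Groups,DC=example,DC=com
>memberOf: CN=VPN Users,OU=Groups,DC=example,DC=com

dn:CN=Bob Example,OU=Staff,DC=example,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>sAMAccountName: bob
>description: Contractor, expires 2007-12-31

2 Objects returned
"""


def parse_dump(text):
    """Return a list of {attribute: [values]} dicts, one per dn: block.
    Multi-valued attributes (objectClass, memberOf) keep every value in order."""
    objects = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if line.startswith("dn:"):
            current = {"dn": [line[3:].strip()]}
            objects.append(current)
        elif current is not None and line.startswith(">") and ": " in line:
            # Split on the first ': ' only; DNs and descriptions may contain colons.
            name, value = line[1:].split(": ", 1)
            current.setdefault(name, []).append(value)
        elif not line.strip():
            current = None  # blank line ends the object; banner and trailer lines are ignored


    return objects


def to_csv(objects, delimiter=",", mvdelim=";"):
    """One row per object; columns are dn plus every attribute seen, in first-seen
    order; multi-values joined with mvdelim; values containing the delimiter are quoted."""
    columns = ["dn"]
    for obj in objects:
        for name in obj:
            if name not in columns:
                columns.append(name)
    out = io.StringIO()
    writer = csv.writer(out, delimiter=delimiter, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(columns)
    for obj in objects:
        writer.writerow([mvdelim.join(obj.get(name, [])) for name in columns])
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_dump(SAMPLE_DUMP)), end="")
```

Pass delimiter="\t" to to_csv for the tab-delimited form that AdFind's own -csvdelim \t switch produces. Note that DNs and free-text attributes routinely contain commas, so the quoting matters: a hand-rolled join would silently shift columns on Bob's description.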
Download
You do not have to supply the email
address. I would like you to fill that in though so that I have an idea on
how popular a tool really is. If I see 1000 downloads with 900 different
email addresses I know it is more widespread than one that has 1000
downloads and 200 different email addresses because the same person needed
to keep downloading it for some reason.
Version History
- Update: Version 1.02.00 - Decode more GUID attributes, maintains attribute name case versus converting to lowercase, convert non-print chars to ?.
- Update: Version 1.03.00 - Changed how I identified what was a single value SID or GUID field for decoding. Seems MS decided to make a couple of GUID fields that were actually UNICODE strings octet strings. I got bit by it when working on a little project to do programmatic AD ACL enumerations from a perl script.
- Update: Version 1.04.00 - Added option to allow changing timeout value, also increased page timeout default to 120 seconds from 60 seconds. Added bitwise filter conversion option which will convert simple strings to bitwise OID values. Changed some of the error handling because some error messages weren't seeing the light of day, such as bad filter or timeout errors.
- Update: Version 1.05.00 - Added anonymous connection capability. Also added Simple authentication capability.
- Update: Version 1.06.00 - Changed -dn and -c options to not return values unless specifically asked for.
- Update: Version 1.07.00 - Added more SID/GUID attributes for decoding. Most specifically for Exchange 2000.
- Update: Version 1.08.00 - Added more SID/GUID attributes for decoding. Most specifically for Dot NET Domains.
- Update: Version 1.09.00 - Attempting to read schema to determine binary/GUID/SID attributes. Display Binary Info as HEX. Also fixed some bad memory management I was doing during count and DN only operations. You should notice less memory being used for these operations.
- Update: Version 1.10.00 - Added No referrals option (-nr). Added Page size option (-ps).
- Update: Version 1.11.00 - 02/23/2003 - Added port option (-p).
- Update: Version 1.12.00 - 05/24/2003 - Fixed a bug in the -BIT option with OR. Also added -default, -root, -schema, -config that can be used instead of having to specify the full DN for those partitions with -b.
- Update: Version 1.13.00 - 12/01/2003 - Never publicly released, fixed a small bug.
- Update: Version 1.14.00 - 04/10/2004 - Added decode sid option (-sddc), added dsquery style output for Deano (-dsq), added elapsed time counter (-elapsed), added sort (-sort) and reverse sort (-rsort), added show deleted objects (-showdel) which inserts the deleted objects display OID into the server control, added new parameter validation system I worked up for oldcmp.
- Update: Version 1.14.01 - 04/11/2004 - Added a line outputting the full SDDL string for security descriptors because ~Eric asked for it. :o)
- Update: Version 1.15.00 - 04/24/2004 - Fixed an issue with the elapsed time option, it was really screwed up. ;o)
- Update: Version 1.16.00 - 05/20/2004 - Change for internal attrib identification for display. Took into account defunct attribs.
- Update: Version 1.17.00 - 05/29/2004 - Added several new options: /stats, /stats+, /statsonly, /stats+only - all of these are for displaying LDAP STATS info on Windows 2003 AD. They will help you determine how efficient a given query is. Some additional options: /extname which will give you the GUID and SID bind DNs as well as the regular DN, /exterr which will display some additional error info - specifically dsid codes which PSS likes to see. I also added some additional functionality that works all the time: closest match display if you specify a bad base DN, and display of any referrals generated.
- Update: Version 1.18.00 - 07/05/2004 - Fixed a leak in the ldap result section added last version. Fixed a bug in the Stats section on how it displayed the bitwise AND|OR. Fixed the display of deleted objects. You will note that you usually have a new line in the middle of the name and cn fields with K3 and also the DN and distinguishedName fields in 2K. MS fixed the DN for K3 but missed the others; I catch them all.
- Update: Version 1.19.00 - 08/09/2004 - Fixed a bug with decoding of lastLogonTimestamp. Fixed a bug where you couldn't use -root. Added relative base option (-rb). Added -binenc option, this allows you to specify guids and sids in nice human format in a query and it will convert it (ex: objectsid={{sid:S-1-5-21-3593593216-2729731540-1825052264-1105}}). Added -excl option to exclude display of certain attribs. I also added some code to catch what appears to be a bug in AD. Occasionally STATS control will return a DWORD value where it should return an OctetString. This was throwing exceptions in AdFind. Now it will capture it and set the bad values to be "".
- Update: Version 1.20.00 - 08/10/2004 - Found out more about STATS bug, added additional usage info and throw up a message when it occurs. MS requires DEBUG_PRIVILEGE on the DC in order to return STATS info.
- Update: Version 1.21.00 - 09/05/2004 - Fixed division by zero error, fixed some usage text.
- Update: Version 1.22.00 - 09/18/2004 - Added -selapsed, fixed bug in -sddl, added ldap directory determination capability.
- Update: Version 1.23.00 - 09/22/2004 - Added lockoutTime to list of time values to be decoded.
- Update: Version 1.24.00 - 09/30/2004 - Recompiled to remove Debug info.
- Update: Version 1.25.00 - 12/10/2004 - Added several options - maxe, sddl, kerbenc, ff, samdc, excldn, excldndelim. Port can be specified in -h option. -sddc functionality changed to not append nTSecurityDescriptor attribute if attribs are specified. Dot (.) specified for -h gets translated to localhost.
- Update: Version 1.25.01 - 12/10/2004 - Missed cleaning up some debug statements from 1.25.00.
- Update: Version 1.26.00 - 02/12/2005 - Fixed stats bug. Fixed stats base search message bug. Fixed bug in "-h .". Fixed bug in ranging for K3. Added -nodn, -nolabel, -noctl, -owner, -owneronly, -ownercsv, -sdna.
- Update: Version 1.27.00 - 11/05/2005 - Fixed bug in stats filter expansion. Decode msDS-User-Account-Control-Computed with -samdc. Added TZ string for -tdc(s). Added port info on host connection output info. Broke help up. Added -pr, -list, -soao, -oao, -csv, -csvdelim, -csvmvdelim, -csvq, -nocsvheader, -incldn, -incldndelim, -e, -ef, -tdcs, -utc, -po.
- Update: Version 1.28.00 - 12/21/2005 - Fixed bug in stats, fixed bug in usage display, fixed bug in counting for -incldn.
- Update: Version 1.29.00 - 12/22/2005 - -up * will now query the user for the password so you don't have to specify it on the command line.
- Update: Version 1.30.00 - 01/29/2006 - Bug fix for multivalue sid/guid attribs. Fixed /??? usage bug. Added -ssl, -null, -flagdc, -sl, -adcsv. Added logic to prevent logonWorkstations from being displayed in HEX.
- Update: Version 1.30.01 - 01/31/2006 - Fixed small bug with usage.
- Update: Version 1.31.00 - 03/22/2006 - Added /???? shortcut help menu describing a ton of shortcuts which will not be listed here. Fixed Decode issue with msDS-User-Account-Control-Computed. Decode some more flags/values. Decode more attributes - msDS-Behavior-Version, msDS-Cached-Membership, msDS-Cached-Membership-Time-Stamp, msDS-Site-Affinity, retiredReplDSASignatures, msDS-RetiredReplNCSignatures. Properly handle requested binary format ;binary. Added support for \t for delimiter switches so you can specify tab delimited. Added options for -binenc to encode int8 time format using {{utc:}} and {{local:}}. Officially added (unhid) shortcut options (-sc xxx:yyy), see /????. Added -schdc, -rootdse, -rootdsefull, -alldc (all decode), -replacedn, -replacedndelim, -sitenamedc, -resolvesids, -sddc+/-sddl+, -rawsddl, -mvfilterdelim, -mvfilter, -mvnotfilter, -sidbinout, -guidbinout, -asq, -decutc, -declocal, -encutc, -enclocal.
- Update: Version 1.32.00 - 10/01/2006 - Fixed several bugs, added subnets and exch to DN Replace option, added support to decode longhorn mode values, expanded partitions msDS-Behavior-Version decoded on, decode defaultSecurityDescriptor, changed usage switches around - see adfind /?, added switches -sddl++, -sddlfilter, -sddlnotfilter, -recmute, -noowner, -nogroup, -nodacl, -nosacl, -decsddlacl, -tdca, -tdcas, -tdcgt, -tdcgts, allow ACEs in SDDL+/SDDL++ output to be filtered with -mvfilter, fixed -maxe so it works for values >1000, increased buffer size of -ef and -ff options to 10MB, special Exchange specific decode of msExchMailboxSecurityDescriptor with sddl+, added shortcuts listpropsets, listpropsetsl, listpropsetscsv, listvwrites, listvwritesl, listvwritescsv, listxrights, listxrightsl, listxrightscsv, exchmbxs, exchme, sdfilter, sdfilterns, explaces.
- Update: Version 1.33.00 - 10/30/2006 - Updated usage, fixed -sc u bug, mod to -decsddlacl, more timers for -selapsed, added INCHAIN/NEST for -bit, added -exterr option for more error points.
- Update: Version 1.34.00 - 11/13/2006 - Fixed bug in filtered SDDL output, added -qlist, -onlysacl, -onlydacl.
- Update: Version 1.35.00 - 01/06/2007 - Fixed bug in -onlydacl, added shortcut DomainNCs, fixed bug in -sddl flag output, changed decode output for ACL Flag for -sddl+, added -onlydaclflag, -onlysaclflag, -onlyaclflags.
- Update: Version 1.36.00 - 02/24/2007 - Added switches: -nrss, -resolvesidsldap, -csvnoq, -gcb, -mvfiltercs, -scexchnosys, -sdsize, -sdsizenl, -metasort. Added the following shortcuts: exchsmtpaddr, exchprimarysmtp, objmeta, objsmeta, legacylvr, legacylvrs, legacygroupmembers, replqueue, ncrepl. Updated switches: -rootdse, -fullrootdse. Updated shortcut: exchme. Decode attributes: supportedExtension, pwdProperties. Decode ;binary form of attributes: msDS-ReplAttributeMetaData, msDS-ReplValueMetaData, msDS-NCReplCursors, msDS-ReplConnectionFailures, msDS-ReplLinkFailures, msDS-NCReplInboundNeighbors, msDS-NCReplOutboundNeighbors, msDS-ReplAllInboundNeighbors, msDS-ReplAllOutboundNeighbors, msDS-ReplPendingOps, msDS-TopQuotaUsage.
- Update: Version 1.37.00 - 06/24/2007 - Added new special base switches: forestdns, domaindns, gpo, psocontainer, ldappolicy, xrights, partitions, sites, subnets, exch, dcs, fsps. Added new switches: noautoranging, onlyaclprot, onlyaclunprot. Added the following shortcuts: rodcpas, rodcpasl, !rodcpas, !rodcpasl, export, sddldmp, sddlmap, sitedmp, subnetdmp, gpodmp, fspdmp, oudmp, showmeta, showmetas. Updated switch: -replacedn. Decode more time/interval values. Decode attributes: options, mS-DS-ReplicatesNCReason. Updated some of the decode functions for Longhorn (aka Windows Server 2008) values. Updated STATS to work properly with Longhorn. Fixed multiple usage typos. Fixed bug with -mvfilter. Streamlined some of the shortcuts. Sped up SID resolution (especially in cases where there is an LDAP connection but no RPC connection). Changed "Coordinated Universal Time" in time decode to UTC.
Usage
Download and type adfind /? for basic usage
See current usage screens