Post v10 Enhancements to JRButils for AD

New program

  • Encrypt. A small program to AES encrypt a password and save it to a file for use by programs e.g. when using an environment variable to provide a password for performing operations in a different domain to that to which the workstation belongs.

Changes to multiple programs

  • Modified all programs to process the value for environment variable JRBADPASS when it points to a file containing an AES encrypted password as in JRBADPASS=@c:\temp\ruru.enc.
  • Worked around an issue in WS 2016 where programs such as adschema, adgetval and adlookup could report an error when retrieving information for all attributes in the schema. Retrieving the syntax failed for msDS-DrsFarmID, but succeeded for the other 1497 attributes in the schema. The attribute appears to be unused, and an issue with the attribute definition is suspected.
  • Fixed a cosmetic issue under Windows 10 where the vertical arrows in the in-built help were not displaying correctly.
  • Modified all programs to utilize the full 120 character width of a command window for output in recent versions of Windows. Previously the command window was always 80 characters wide.

Changes to individual programs

Adgetdirquota

  • Fixed an issue where it was failing to sort large values (greater than 4.3GB) correctly.
  • Provided more flexible output by combining the /u options with /m allowing any fields to be selected and displayed in any order and column width.
  • Added the ability to display the user’s department.
  • Modified /a (produce delimited output) to allow requesting values be enclosed in double quotes, as well as specifying the separator.
  • Fixed an issue where combining /j and /t resulted in no output.
  • Added /m=j allowing header lines containing field names and units to be displayed even when /j is used to suppress headers and totals.

Adgetobjsec

  • Fixed an issue where filtering by security principal was not working.
  • Added the ability to use /o=* to search all object classes.

Adgetrest

  • Added the ability to display whether the “home directory required” bit is set in the userAccountControl attribute.
  • Fixed an issue with filtering on account expiration date using a value of ‘none’.
  • Changed the way the server version is detected to avoid a noticeable delay which sometimes occurred at program startup.
  • Modified so that when doing a wildcard match on objects (e.g. a*) and using a filter (as in pne = yes), the filtering on values is done at the server when possible. For many fields this is not possible because of how their values are derived, e.g. the password expiration date requires checking the security descriptor to confirm that the user can change their password, and obtaining the maximum password age from domain-wide values or the applicable fine-grained password policy.
  • Fixed an issue where, when retrieving values for last logon or modification date from all domain controllers (DCs), one DC might be skipped under some circumstances.
  • Added the ability to specify a second date, thereby forming a range, when filtering on date or date and time values, by separating two values with a comma e.g. today,today+10. A range may be used only with operators ‘eq’ and ‘ne’.

Adgetval

  • Fixed an issue in the GUI versions with displaying object names in some formats (e.g. guid) when displaying all attributes for each object.
  • Fixed an issue where displaying whether a user can change their own password always returned yes.
  • Fixed an issue in the GUI versions where clicking the “Set defaults” button on the attributes tab did not add the attributes to the “Selected” box.
  • Fixed an issue in the GUI versions where it did not sort correctly by number of values when displaying all attributes was selected, and the attribute values were not in the 3rd column.
  • Updated the GUI versions when displaying all attributes of each object, to adjust the column widths such that the entire list view width is always used.
  • Updated the GUI versions to allow filtering of results on the value for a particular attribute e.g. physicalDeliveryOfficeName (office) equals London. Filtering can be applied to attributes holding object names, text strings, boolean, 32 bit integer and 64 bit integer values, plus dates and times. It can be applied to specific values e.g. assistant equals trish, or on whether or not the attribute is populated. In addition, filtering may occur on a number of pseudo-attributes where the value is derived from one or more attributes e.g. accountDisabled and pwdExpired. Where possible, filtering is done at the server for maximum efficiency. This does not happen in some circumstances e.g. when processing members of a group, and for some pseudo attributes requiring a search of the security descriptor e.g. to determine whether a user can change their own password. The security descriptor cannot be searched via LDAP.

Adgetvolquota

  • Fixed an issue where it was failing to sort large values (greater than 4.3GB) correctly.
  • Provided more flexible output by combining the /u options with /m allowing any fields to be selected and displayed in any order and column width.
  • Added the ability to display the user’s department.
  • Modified /a (produce delimited output) to allow requesting values be enclosed in double quotes, as well as specifying the separator.
  • Fixed an issue where combining /j and /t resulted in no output.
  • Added /m=j allowing header lines containing field names and units to be displayed even when /j is used to suppress headers and totals.

Adgroups

  • Added a sorting tab allowing primary and secondary sorting by any combination of fields.
  • Fixed an issue with the values for number of members when displaying group information only for multiple Active Directory groups.
  • Changed the sorting for group type from numeric to character, so that the displayed values are sorted alphabetically.
  • Changed the way the server version is detected when required to avoid a possible small but noticeable delay.
  • Moved the position of the “Search child containers” checkbox on the Main tab to improve the presentation.
  • Replaced the “Create group” checkbox under “Add members” with a “Create” button present at all times on the main tab. This opens a new dialog box making it easier to create multiple groups, and provides the ability to set both the description and displayName fields.

Adhomedirs

  • Updated to allow the units to be included as part of the value entered for a directory quota, volume quota, or volume warning threshold. This overrides the current setting for the associated units combo box.

Adimport

  • Fixed an issue where attributes specified in a “create subdirectory” statement were set on the home directory, not the subdirectory.

Adlookup

  • Added the ability to filter on the following pseudo attributes:

    accountDisabled (a bit value in userAccountControl)
    accountExpired (from the value in accountExpires)
    accountLocked (from lockoutTime + the relevant lockout policy)
    accountWillExpire (from the value in accountExpires)
    homedirRequired (a bit value in userAccountControl)
    protectFromAccidentalDeletion (from ntSecurityDescriptor)
    pwdAllowChange (from ntSecurityDescriptor)
    pwdChangeNextLogon (from pwdLastSet, userAccountControl, ntSecurityDescriptor)
    pwdExpired (from pwdLastSet, userAccountControl, relevant password policy)
    pwdNeverExpires (a bit value in userAccountControl)
    pwdRequired (a bit value in userAccountControl)
    pwdReverseEncryption (a bit value in userAccountControl)

  • Fixed an issue in the fully GUI versions where specifying a value for /c (starting container) on the command line was ignored.
  • Fixed an issue in the fully GUI versions where values for some boolean pseudo attributes such as pwdNeverExpires were not displayed.
  • Modified the fully GUI versions so that the search results are now displayed on a separate form.
  • Modified the fully GUI versions to support the following options previously only available in the command line versions:
    • Select a search operator (greater than or equal to, etc).
    • Specify a file of labels allowing attribute names to be replaced with alternative strings.
    • Select the format in which object names are displayed.
    • Suppress field names.
    • Display totals only.
    • Select the naming attributes to search.
    • Select whether the display for consecutive objects is separated by a line of dashes, a blank line or there is no separation.
    • Sort the search results by object name or the value of the search attribute.
  • Added an option to the fully GUI version to clear previous output before starting each new search.
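
The pseudo-attribute filters listed for Adlookup above, and the Adgetval note that filtering is done at the server only where possible, can be illustrated with the sketch below. It is an added example, not JRButils code: the pairing of the page's pseudo-attribute names with the documented userAccountControl flags, and the helper names server_filter and evaluate, are assumptions of this example.

```python
from datetime import datetime, timezone

BIT_AND = "1.2.840.113556.1.4.803"   # AD bitwise-AND matching rule OID
NEVER = (0, 0x7FFFFFFFFFFFFFFF)      # accountExpires values meaning "never"
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumed mapping: name -> (userAccountControl bit, True if name is the bit's inverse)
UAC = {
    "accountDisabled":      (0x00002, False),  # ACCOUNTDISABLE
    "homedirRequired":      (0x00008, False),  # HOMEDIR_REQUIRED
    "pwdRequired":          (0x00020, True),   # inverse of PASSWD_NOTREQD
    "pwdReverseEncryption": (0x00080, False),  # ENCRYPTED_TEXT_PWD_ALLOWED
    "pwdNeverExpires":      (0x10000, False),  # DONT_EXPIRE_PASSWORD
}

def to_filetime(dt):
    """100-nanosecond intervals since 1601-01-01 UTC, as stored in accountExpires."""
    delta = dt - EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def server_filter(name, wanted, now):
    """LDAP filter for 'name == wanted', or None when the server cannot evaluate it."""
    if name in UAC:
        bit, inverted = UAC[name]
        f = f"(userAccountControl:{BIT_AND}:={bit})"
        return f if wanted != inverted else f"(!{f})"
    if name == "accountExpired":
        # >=1 excludes the "never" value 0; the other "never" value exceeds any 'now'
        f = f"(&(accountExpires>=1)(accountExpires<={to_filetime(now)}))"
        return f if wanted else f"(!{f})"
    return None  # e.g. pwdAllowChange: derived from ntSecurityDescriptor

def evaluate(name, entry, now):
    """Client-side decode of the same pseudo-attributes from raw attribute values."""
    if name in UAC:
        bit, inverted = UAC[name]
        return bool(int(entry["userAccountControl"]) & bit) != inverted
    if name == "accountExpired":
        exp = int(entry["accountExpires"])
        return exp not in NEVER and exp <= to_filetime(now)
    raise ValueError(f"{name} cannot be derived from these attributes alone")

# Constructed sample entry: disabled normal account, password not required, never expires
SAMPLE = {"userAccountControl": "66082", "accountExpires": "9223372036854775807"}
```

A None result from server_filter marks the cases the notes describe as filtered after retrieval, such as values that depend on the security descriptor.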

Adobjsec

  • Fixed an issue where selecting “all classes” did not search the DACLs of organizationalUnits.
  • Added an “All” checkbox to the filter for selecting the object class for security principals.
  • Added the ability to display ACEs only where a specific object is the security principal.
  • Fixed an issue where the program failed to perform further searches after quitting a previous search.
  • Fixed an issue where “Include system containers in the tree view” was not working unless specified via /m on the command line.

Adpsomgr

  • Added the ability to enable and disable “Protect from accidental deletion”.

Adschema

  • Added the adminDescription to the output for individual attributes, but only when it contains a value differing from the ldapDisplayName. Under WS2016, a small percentage of attribute schema definitions have meaningful descriptions.

Adsetpwd

  • Modified to indicate, where appropriate, that when a domain or local password change fails due to lack of rights, running with elevated privileges may solve the problem. Adsetpwd checks that elevated privileges are available but have not been invoked.

Adsetrest

  • Added the ability to set the “home directory required” bit in the userAccountControl attribute.

Adtrstlist

  • Added a header line giving field names. This is suppressed via /j, but may be reinstated without other headings and totals when using /w via /w=j.
  • Modified /w to allow selection of columns for columnar output by using /w=z. Previously, /w always resulted in delimited output.
  • Modified /w to allow specification of field widths for columnar output.
  • Added /w=f to display the security principal’s object class.
  • Added /w=h to display the inheritance in descriptive form e.g. “This folder only”.
  • Added /w=k to show whether or not an ACE is inherited.
  • Updated the fully GUI versions to select fields given via /w on startup.

Adwhodidit

  • Added the ability via /u to easily skip files and directories with specific attributes set e.g. hidden. This does not offer filtering on the full set of attributes but is intended for easy avoidance of certain system directories and files when processing a volume root.