Post v11 Enhancements to JRButils for AD

Changes to multiple programs

  • Added the ability to create error and log files in UTF-8 format.
  • Added two new values for environment variable JRBDATETIME. A value of ISO displays dates and times using local time in ISO format e.g. 20180524132145. A value of ISOZ displays dates and times using GMT time in ISO format e.g. 20180524012145Z.
  • Added the ability to accept date/times in ISO format, either in local, or GMT time if ‘Z’ is appended. Not all variations on the ISO format are accepted but the following are:
    • A date may be given in the form yyyymmdd or yyyy-mm-dd e.g. 2018-08-23.
    • A time may be given in the form hhmmss or hh:mm:ss e.g. 21:19:03.
    • The minutes and seconds may be omitted as per the traditional date/time formats.
    • A date and time may be concatenated together without a separator e.g. 2018-08-2321:19:03 or separated by ‘T’ e.g. 2018-08-23T21:19:03.
    • ‘Z’ may be appended to a date and time to indicate that the value is in GMT time rather than local time.
  • Updated relevant programs to support Active Directory auxiliary classes and their attributes. Program specific comments are included below.
  • Updated various programs to work internally entirely in Unicode rather than single-byte characters. This is a work in progress; all programs will eventually be converted. Those done to date include:
    adcreate       adlist
    addelete       adlookup
    addelattr      admove
    adgetrest      adrename
    adgetobjsec    adschema
    adgetval       adsetobjsec
    adgrpadd       adsetrest
    adgrpdel       adsetval
    adgrplist      adtrstlist
    adimport
    Where programs have corresponding fully GUI versions, they have also been updated.
  • Updated all programs to accept input files containing Unicode (big-endian or little-endian), or UTF-8, as indicated by a byte order mark (BOM). The Unicode options may be useful when processing files created from a spreadsheet.
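
The ISO date/time input forms listed above, and the compact JRBDATETIME output form, can be checked with a small parser. This is an added example, not JRButils code; the function names are hypothetical, and it assumes omitted minutes and seconds default to zero and that 'Z' is only valid after a time.

```python
import re
from datetime import datetime, timezone

# Accepted shapes, per the list above: yyyymmdd or yyyy-mm-dd, then an
# optional time hh[mm[ss]] or hh[:mm[:ss]], joined directly or by 'T',
# with an optional trailing 'Z' for GMT. Separators may not be mixed.
_ISO = re.compile(
    r"(?P<y>\d{4})(?P<dsep>-?)(?P<mo>\d{2})(?P=dsep)(?P<d>\d{2})"
    r"(?:T?(?P<h>\d{2})(?:(?P<tsep>:?)(?P<mi>\d{2})"
    r"(?:(?P=tsep)(?P<s>\d{2}))?)?)?(?P<z>Z)?",
    re.ASCII,
)

def parse_iso(text):
    """Return a datetime: UTC-aware if 'Z' was given, naive (local) otherwise."""
    m = _ISO.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not an accepted ISO date/time: {text!r}")
    if m["z"] and m["h"] is None:
        # Assumption: 'Z' is appended to "a date and time", so a bare
        # date followed by 'Z' is rejected.
        raise ValueError("'Z' requires a time component")
    # Assumption: omitted minutes and seconds default to zero.
    parts = [int(m[k] or 0) for k in ("y", "mo", "d", "h", "mi", "s")]
    # datetime() range-checks each field, so month 13 or hour 25 is rejected.
    return datetime(*parts, tzinfo=timezone.utc if m["z"] else None)

def format_iso(dt):
    """Render in the compact form shown for JRBDATETIME; 'Z' when UTC-aware."""
    if dt.tzinfo is not None:
        return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + "Z"
    return dt.strftime("%Y%m%d%H%M%S")
```

A value with 'Z' comes back timezone-aware and a value without it comes back naive, so comparing the two raises an error instead of silently mixing local and GMT times.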

Changes to individual programs

Adcreate

  • Updated to not copy attribute uidNumber from a template.
  • Updated to copy auxiliary class attributes from a template. Currently, auxiliary classes with mandatory attributes are not supported.

Adfsupdate

  • Added the ability to copy all volume quotas from one Windows volume to another via /w.

Adgetrest

  • Fixed an issue introduced in v11 where, when displaying all restrictions, adgetrest displayed the password expiration date in place of the password last changed date.
  • Fixed an issue with filtering on workstation restrictions.
  • Fixed an error where it did not filter correctly on dates and times when using ‘gt’ and an incomplete time was given e.g. 23-Aug-2018:18:30.
  • Modified the heading when filtering on a date and time, so that the filter date is displayed in the output date format (the default or that specified via environment variable JRBDATETIME), instead of as specified on the command line, which may be something like “today-4”.

Adgetval

  • Updated the command line versions to support a “container” field to display each object’s container. This was already supported in the fully GUI versions.
  • Modified to recognise ‘@’ and ‘#’ as delimiters denoting the end of an attribute name, in a line containing both attribute names and text.
  • Fixed an issue where, when /c was used to specify text to appear between attribute values and adgetval automatically inserted %objectName as the first field, it inserted a field width for %objectName when it should not have.
  • Modified so that when displaying values for selected attributes, and using /q to alter the format, /v may also be used to suppress the attribute names.
  • Fixed an issue where no values were displayed when using /a=* and /q.
  • Fixed an issue where it was not working correctly when a multi-character sequence was specified via /c to appear between attributes in the output.
  • Added /b=m to allow a line of output to be produced for every value of a selected attribute. The default is the first attribute, not counting the object name, but a number may follow m e.g. m3 would use the 3rd attribute. This provides a means of displaying values for a multi-valued attribute in a form where they can be saved, edited and returned to AD via adsetval.
  • Added support for auxiliary classes. If a named attribute does not belong to the selected object class, adgetval checks if it belongs to an auxiliary class and if so, allows its use.
  • Added a check box to fully GUI versions controlling whether or not auxiliary class attributes are included in the attributes list.
  • Updated to display the meaning of the values (structural, abstract or auxiliary) for the objectClassCategory attribute used by classSchema objects.

Adgroups

  • Fixed an issue where, when saving the output to a file with “In columns at required widths” selected, only the first column was saved.
  • Fixed an issue where it failed to verify a group when only the common name was given, and this differed from the samAccountName.

Adgrplist

  • Modified to not report that a group has no members when /z is used to produce adgrpadd or adgrpdel commands.
  • Fixed an issue where it failed to verify a group when only the common name was given, and this differed from the samAccountName.

Adimport

  • Updated to recognise that “location” is a valid attribute for computer objects. For users and contacts, “location” is a label for the “l” attribute where values for “city” or “location” are stored.
  • Added the ability to specify a file containing an encrypted password as a value for /z. Use the JRButils jrbencrypt program to create the file.
  • Added control statement “Create uidNumber” to generate a unique value for attribute uidNumber from the object’s SID. This is an alternative to “Assign next uidNumber” below.
  • Added control statement “Assign next uidNumber” to assign the next higher unused uidNumber. This option may be slow to execute because AD has to be searched for the highest number already assigned. This is an alternative to “Create uidNumber” above.
  • Updated to not copy attribute uidNumber from a template.
  • Added control statement “Assign gidNumber to new groups” to ensure that any groups created when “Create groups=y” are assigned a gidNumber. The value is determined by identifying the highest value used for existing groups and incrementing it by one.
  • Added option ‘w’ to control statement “Random password type” to produce random passwords compliant with Windows password complexity requirements in terms of characters included, and not including the samAccountName, displayName, or any component of three or more letters in the displayName.
  • Added control statement “Export file format” which can have a value of oem, char, utf8 or unicode.
  • Added control statement “Password file format” which can have a value of oem, char, utf8 or unicode.
  • Added the ability to set attributes for auxiliary classes via the “Auxiliary classes” control statement. Classes with mandatory attributes are supported.
  • Added the ability to transfer auxiliary classes and optional attributes from a template object.

Adlookup

  • Added an option to the fully GUI versions to include/exclude auxiliary class attributes in the list of attributes for the object class.
  • Fixed a minor issue where a small but noticeable delay could occur when starting the fully GUI versions.

Adobjsec

  • Updated the ACE add/remove/modify dialog to include two letter permissions symbols in the labels for the permissions check boxes. This makes it easier to match the symbols with the description e.g. CR for “Control access”.
  • Fixed an issue with the add/remove/modify dialog where the “Applies to” combo box might not be populated when the dialog is first displayed.
  • Added a check that when adding an object allow or object deny ACE, a value other than “The object itself” is selected in the “Applies to” combo box.
  • Fixed an issue where, when saving the output to a file with “In columns at required widths” selected, only the first column was saved.

Adpsomgr

  • Removed the blank lines between consecutive policies when using /v=d or /v=n.

Adschema

  • Added /n for filtering on attribute name when listing the attributes for an object class. A string optionally containing wildcards must be given e.g. /n=pwd*. The string may also be preceded by ‘!’ to negate the search e.g. /n=!pwd* would list attributes whose names do not start with “pwd”.
  • Added /m to filter the attributes displayed based on various properties. These include:

    Attribute is associated with auxiliary classes
    Attribute belongs to the base schema
    Attribute is constructed
    Attribute is flagged confidential
    Attribute is indexed
    Attribute is multi-valued
    Attribute belongs to a property set
    Attribute is single valued

    The properties may be combined and negated in the filter e.g. it is possible to list all non-indexed single valued attributes.

Adsetowner

  • Fixed an issue where it failed to set the ownership for directories when a user was specified e.g. “adsetowner john”.
  • Fixed an issue where it was failing to set a new owner for files without a valid owner when using /a.

Adsetpwd

  • Added /g=w to produce random passwords compliant with Windows password complexity requirements in terms of characters included, and not including the samAccountName, displayName, or any component in the displayName.
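
The kind of check behind adimport's “Random password type” option ‘w’ and adsetpwd's /g=w can be sketched as follows. This is an added example, not JRButils code; the function names are hypothetical. The three-of-four character class rule and the displayName delimiters follow Microsoft's documented “Password must meet complexity requirements” policy and are assumptions about what the programs enforce.

```python
import re
import secrets
import string

# Delimiters the Windows policy uses to split displayName into tokens
# (assumption taken from Microsoft's policy text, not from these notes).
_TOKEN_SPLIT = re.compile(r"[,.\-_ #\t]+")

def forbidden_fragments(sam_account_name, display_name, min_len=3):
    """Lower-cased strings that a compliant password must not contain."""
    frags = set()
    if len(sam_account_name) >= min_len:
        frags.add(sam_account_name.lower())
    for token in _TOKEN_SPLIT.split(display_name):
        if len(token) >= min_len:
            frags.add(token.lower())
    return frags

def is_compliant(password, sam_account_name, display_name):
    """True if at least 3 of 4 character classes are present and no name fragment appears."""
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        return False
    lowered = password.lower()  # the name comparison is case-insensitive
    frags = forbidden_fragments(sam_account_name, display_name)
    return not any(f in lowered for f in frags)

def generate_password(sam_account_name, display_name, length=16):
    """Draw from a CSPRNG and retry until the candidate passes the check."""
    if length < 8:
        raise ValueError("length too short for a complex password")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_compliant(candidate, sam_account_name, display_name):
            return candidate
```

Rejecting and redrawing, rather than editing a failing candidate, keeps the output uniformly distributed over the compliant passwords.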

Adsetval

  • Fixed an issue where, when using /n, it could report that values were added when they were already present.
  • Added the ability via /n to set multiple values for attributes holding object names. Previously, /n could be used only with attributes holding text values.
  • Added the ability to easily set values for multiple attributes in a single command using parameters in the form “givenName=Jan lastName=Smith title=Ms”.
  • Modified to not attempt to delete attributes such as accountExpires and codePage which cannot be deleted. This results in a simpler error message given only once.
  • Fixed a problem with using /d and /n together.
  • Added support for adding, modifying and removing attributes belonging to auxiliary classes. If an attribute is found to belong to an auxiliary class, that class is automatically added to the objectClass attribute if not already present.
  • Added the ability to specify an attribute in the form auxClass\auxAttribute. This may be useful when adding a value for an auxiliary attribute which is valid for more than one auxiliary class. When an attribute is valid for only one auxiliary class, that class is automatically added to the objectClass attribute if not already present.
  • Added /d=a which allows removing an auxiliary class from the objectClass attribute when attributes associated with the auxiliary class still have values in place. All values for attributes associated with the auxiliary class are removed, along with the class being removed from objectClass. /d=a is the only way to remove an auxiliary class with mandatory attributes.

Adtrstlist

  • Fixed a problem in the GUI versions where redisplaying the output as commands to remove or restore ACE entries did not work when the “Redisplay” button was clicked. Instead the user-selected columns were displayed. Clicking the “Find” button worked correctly.
  • Modified the GUI versions to display a line in the list view when objects being processed do not have a homeDirectory attribute, or there is an issue with the path contained therein. The relevant error message is displayed in the messages field, as well as in the status bar where it may be replaced by a subsequent error message.
  • Added the ability to display the original object name as an output field when processing the home directories of users.
  • Added the ability to display all DACL entries for home directories, not just those ACEs where the security principal is the owner of the home directory.
  • Changed the method of selecting fields for sorting in the GUI version, from a series of radio buttons to a combo box.

Adwhodidit

  • Added two letter codes for all of the output fields, to avoid having to use characters such as ‘(’ and ‘{’. Either the single or two letter codes may be used. A consequence of the change is that a sequence of single letter codes, if used, must be comma separated e.g. /o=a,b,c. This does provide a work-around to the obscure issue of (e.g.) /o=@o being treated as a template when the intention was to display the full DOS path and owner.
  • Changed /i to an option under /h. This is a consequence of various path formatting options being combined under /h in the Micro Focus versions of this program.