Release Notes for JRButils for AD V10

Changes to Individual Programs

Adchkhome

  • Corrected an issue when using /w to locate objects matching home directory names, where it was failing to truncate the name to 20 characters before searching for an object with a corresponding samAccountName. SamAccountNames for user objects cannot exceed 20 characters.
  • Added a search by user logon name when trying to locate an object matching a home directory name. This provides consistency with adsethome which allows the user logon name to be used for the home directory path.

Adcreate

  • Added a check that a value for userPrincipalName is in the form name@abc.com.
  • Modified to check that the value for userPrincipalName is unique in the domain before attempting to set it. This avoids a possible “constraint violation” error when the value is already set for another user under w2008 and w2012. W2003 allows duplicate values.
  • Corrected some inconsistencies where it was not setting all attribute values which can be specified for non-user objects e.g. it was not adding a userPrincipalName to computer objects.
  • Updated to check for and correct the inadvertent use of “cn=” instead of “ou=” when creating an organizationalUnit. This previously resulted in a misleading error message.

Addelhome

  • Added the ability to delete the homeDirectory and homeDrive attributes upon successful deletion of the home directory and contents.

Adfsupdate

  • Fixed an issue when copying files and trustees from a Micro Focus (Novell) volume where it was setting the inheritance to (IO),(IO),(CI) instead of (OI),(CI).
  • Enhanced the ability to skip files and directories when copying or deleting by adding support for entries in the form d=\*\*\backup. These allow entries with a particular name and at a particular depth in the directory structure to be skipped.
  • Fixed an oversight where the recently added support for skipping entries in the form d=name or f=name was not working when deleting from a Windows drive.
  • Fixed an issue introduced in 2014 where an application error could occur due to running out of stack space when copying from a Micro Focus (Novell) volume and the directory structure was more than 30 levels deep.

Adgetobjsec

  • Fixed an issue where it was not accepting ‘k’ as a valid value for /w.
  • Modified so that when the value for /w comprises only ‘,’, ‘;’ and ‘q’, the default fields of ‘utairjk’ are displayed.

Adgetrest

  • Updated to display all applicable account restrictions for non-domain local users.
  • Fixed an issue when sorting on password expiration date where entries with a non-zero value and “password never expires” set were displayed in an incorrect order.
  • Fixed an inconsistency where a value for password expiration date could be displayed as “Change next logon” when displaying individual values, but as “None (expired)” when displaying all values.

Adgetval

  • Updated to determine from the schema when an attribute using the octet string syntax holds SIDs and to format them correctly. Previously, the names of attributes known to hold SIDs were hard-coded. Unfortunately, it does not appear possible to do the same for octet string attributes holding GUIDs.
  • Added /g=n to process members of nested groups in addition to the immediate group members.
  • Added support for using /o=pso as an easier alternative to /o=“msDS-PasswordSettings” when working with password settings objects. Using /o=pso allows just the common name of the password settings object to be given as adgetval will then automatically assume the object is in the CN=Password Settings Container,CN=System container.
  • Fixed an issue where it was not displaying the lockout duration correctly for a password policy when it was set to indefinite.
  • Added /c which performs a similar function to /d except that it allows one or more delimiter characters to be specified to appear between values for consecutive attributes specified via /a. When /c is used, any text appearing between attribute names in the value for /a, is ignored.
  • Added "Unselect all" and "Set defaults" buttons to assist with attribute selection in the fully GUI versions. There is no "Select all" button as per some other programs because the number of attributes defined for an object class is typically in the hundreds, and horizontal scrolling of list views can become very slow with 50+ columns.

Adgetvolquota

  • Worked around an issue when displaying all quotas on a volume, where the userPrincipalName was displayed for all users with this field set, regardless of the value used for /y. The problem arose due to the names being returned in this form which appears to be a change in behaviour since adgetvolquota was originally written.
  • Fixed an issue where the total quotas and used space included all quotas on the volume even when filtering was used.
  • Worked around an issue when running adgetvolquota on the host holding the quotas and the path was specified in the form C:\. Despite this exact path being used as an example in the Microsoft documentation, its use for initializing the quota APIs results in an “Access denied” error.
  • Added options to /v (display all quotas on a volume) to allow displaying only those entries where the SID can or cannot be resolved to an object name. It appears that SID entries in the volume quota table persist after object deletion.

Adgroups

  • Modified to automatically perform a secondary sort by member names when sorting by group names and vice versa. Sorting by member class now does a secondary sort by member name.
  • Fixed an issue where left clicking on an already selected item in the list view could allow modification of the displayed value but the change would not be saved. Editing via left click is now disabled. Currently right clicking allows addition and removal of members but not changes to member properties.
  • Added the ability to customise the GUI interface by selectively removing controls via command line option /n.
  • Added the ability to specify via the command line (/b), the starting container for the virtual tree view for selecting groups or members.
  • Fixed an issue where it was failing to process an input file of groups when adding or removing members.
  • Fixed an issue where the input file check boxes were not checked when an input file of groups or members was given on the command line.
  • Made numerous minor enhancements to the handling of input files including modifying the tool tips for the group and member edit boxes to make them more relevant.
  • Fixed an issue with doing a wildcard removal of members in a particular container with “Search child containers” checked. Now all removals via wildcards are done by retrieving the members of the group and comparing names.
  • Added the ability via command line option /d, to display in the object browser, only those groups for which the user running adgroups has permissions to modify the membership.
  • Fixed an issue where an error would occur when displaying each member’s container and a group was found with no members.
  • Fixed an issue with values for total members in a group when displaying membership for multiple groups in one run.

Adgrpdel

  • Fixed an issue with wildcard removal of group members where for a name given in the form cn=*,ou=staff, it was also removing members from child containers of cn=staff when /x was not used.

Adgrplist

  • Added /v to provide full control over the fields displayed and their order. This includes new fields, and supports columnar or delimited output. Values may be enclosed in double quotes and when using columnar output may be truncated to the specified field width. The available fields are:

    Host name (for local workstations)
    Group name
    Group type
    Group display name
    Group description
    Group creation date
    Group modification date
    Member name
    Member display name
    Member description
    Member container without the domain component
    Member container with the domain component

  • Fixed an issue where names were displayed incorrectly with periods instead of commas when using /s=x.

Adhomedirs

  • Corrected an issue when attempting to locate objects matching home directory names, where it was failing to truncate the name to 20 characters before searching for an object with a corresponding samAccountName. SamAccountNames for user objects cannot exceed 20 characters.
  • Fixed an issue when attempting to locate objects matching home directory names, where it was failing to find an object with a matching samAccountName when working in a different domain from that in which the workstation was a member.
  • Added a search by user logon name when trying to locate an object matching a home directory name. This provides consistency with adsethome and adhomedirs itself which allows the user logon name to be used for the home directory path.
  • Fixed an issue where it was not searching display names when trying to locate an object matching a home directory name.
  • Modified to make locating objects from path names very much quicker when working across domains.

Adimport

  • Updated to determine from the schema when an exported attribute using the octet string syntax holds SIDs and to format the values correctly. Previously, the names of attributes known to hold SIDs were hard-coded.
  • Fixed an issue where permissions for other objects, specified in a “Create subdirectory” control statement, were applied to the home directory, not the subdirectory named in the statement.
  • Added a check when setting a userPrincipalName that the value is unique in the domain. Attempting to set a duplicate value produces a “Constraint violation” error under w2008 and w2012.
  • Fixed an issue where the password was being expired when a value of false was given for “Password change next logon”. Now, no change is made.
  • Fixed an issue where adimport failed to create an object when the name given in the data file included the object’s containers.
  • Updated to check the validity of container names given in the data file as part of the “name” field, when doing a syntax check.
  • Updated to support storing the password value in an attribute via the “Fixed values” section using a statement such as “roomNumber=%password%”.
  • Fixed an oversight where “name” was not supported as a substitution identifier (it is a synonym for CN).
  • Fixed an issue where the wrong date was reported when copying a 64-bit integer holding a date from a template. The value was assigned correctly.
  • Updated to allow a substitution identifier to be used in the “Fixed values” section for attributes using the directory name, boolean, integer, integer8 and UTC time syntaxes.
  • Added a “container” field which may be used in all modes. When creating or updating an object, a container specified as part of the name takes precedence, then any value for a container field, and finally the name given in a container or “name context” control statement.

Adjrbpass

  • Previously, when a user and container were entered and the search button was then clicked, the container was ignored. Now, adjrbpass will search the specified container and its child containers for matching objects.
  • Fixed an issue where it was not finding its help file when run from the start menu.

Adlencheck

  • Fixed an issue where using /d=s was not working as expected.
  • Added the ability via /g to check the length of the entire path rather than just the lowest level.

Adlist

  • Added the ability to display object SIDs.
  • Added /$ to allow forcing retrieval of objects from the domain controller name preceding the object name e.g. mars/cn=*,ou=staff.

Adlookup

  • Fixed an issue where it was not accepting some alternative names for attributes e.g. creationDate for whenCreated.
  • Added “select all”, “unselect all” and “revert” buttons to the attribute selection dialog in the fully GUI versions.

Admovedir

  • Fixed an issue when using wildcards on a Windows drive where matching files and directories were moved when /d was not used. Only matching files should have been moved.

Adopenfile

  • Fixed an issue where sorting the results could fail.
  • Worked around a w2008 bug where open files for a path were not returned unless two backslashes followed the drive letter e.g. C:\\jrbad64. The root directory e.g. C:\ was an exception.
  • Further modified adopenfile to allow for the above bug resulting in two backslashes being included after the drive letter for each returned open file path e.g. C:\\jrbad64\adlist.exe. The extraneous backslash is now removed.
  • Added the ability via /w=w to display a list of workstations from which the user holding the file open is connected. It is not possible to retrieve the specific workstation holding a file open, but it is possible to retrieve a list of workstations from which a user is connected. The workstations are returned by the host as either IPV4 or IPV6 addresses. Adopenfile attempts to translate IPV4 addresses to domain or netbios names.
  • Added the ability to sort by server name, local path and the workstations from which the file might be opened.
  • Updated to allow adopenfile to be used from a workstation which is not a domain member.
  • Added support for authenticating to a different domain when the target server was in another domain.
  • Added /n to prevent logging in to a domain which is used only for converting names from the samAccountName returned by the APIs to any of the forms available under /y. This may be useful to avoid having to provide a user name and password just for name conversion.

Adrename

  • Added /n=c to perform all requested changes to attribute values but to not rename the object itself, i.e. the original CN is retained.

Adrights

  • Modified to display “none” when one object has no rights to another.

Adsessions

  • Modified to allow the first parameter to be a UNC or drive path from which a Windows host name can be derived.
  • Added /n to prevent logging in to a domain which is used only for converting names from the samAccountName returned by the APIs to any of the forms available under /y. This may be useful to avoid having to provide a user name and password just for name conversion.
  • Modified to attempt to convert computer names returned as IPV6 addresses to DNS names, and IPV4 addresses if required.
  • Modified to display the session flags as strings rather than as a numeric value.
  • Added support for authenticating to a different domain when the target server was in another domain.

Adsethome

  • Fixed a cosmetic issue where it failed to state why setting a quota via /s failed when quotas were not enabled on the volume.

Adsetobjsec

  • Fixed an issue where if creating a new DACL failed, it could display an empty error message, but give the correct reason for failure. This could happen when specifying a trustee from a class which cannot be a security principal e.g. contact.

Adsetrest

  • Added the ability to modify all applicable account restrictions for non-domain local users.

Adsettrust

  • Updated to display the inheritance settings after an ACE has been added or modified.
  • Updated to ignore lines starting with “rem ” when processing a file of cacls, icacls or adsettrust commands. These might be inserted by the GUI adtrstlist when a valid command cannot be created.

Adsetval

  • Added /i to allow insertion of new lines at any point into a value for the info attribute, which typically contains multiple lines separated by pairs.
  • Adsetval now allows options to follow the value e.g. adsetval bob /a=info “new line 1” /s=0 works correctly. Previously, the value had to be the last item on the command line, and /s=0 would have been treated as part of the value.
  • Added /g=n to process members of nested groups in addition to the immediate group members.
  • Added support for using /o=pso as an easier alternative to /o=“msDS-PasswordSettings” when working with password settings objects. Using /o=pso allows just the common name of the password settings object to be given as adsetval will then automatically assume the object is in the CN=Password Settings Container,CN=System container.

Adsetvolquota

  • Worked around an issue when running adsetvolquota on the host holding the quotas and the path was specified in the form C:\. Despite this exact path being used as an example in the Microsoft documentation, its use for initializing the quota APIs results in an “Access denied” error.

Adspace

  • Fixed an issue when using a command of the form “adspace c:\users /d /q=d” where it could report a failure to initialize the quota manager due to function CoInitialize not being called.

Adtrstlist

  • Modified so that when the value for /w comprises only ‘,’, ‘;’ and ‘q’, the default fields of ‘ptair’ are displayed.
  • Fixed a cosmetic issue when using /# to expand groups, where it could report twice that a group has no members under w2008 and earlier where two ACEs typically exist for each trustee.
  • Fixed an issue where it could fail to expand groups via /# when the path being processed included a DFS-N link.
  • Fixed an issue in the fully GUI version where an application error could occur when creating commands to restore or remove ACEs and a path was processed with insufficient rights to read the DACL.
  • Added the ability to exclude files and directories based on attributes set e.g. it may be useful to ignore entries flagged hidden or system.
  • Enhanced the exclusion options under /r, by allowing a path to include a file name, and by allowing single level entries of the form f=*.pst and d=*recycle* where f= indicates a file filter and d= indicates a directory filter.
  • Added the ability to display trustee SIDs.
  • Added two new output columns to the GUI version (in addition to displaying SIDs):

    Whether the ACE is explicit or inherited. This may be useful for sorting ACEs into explicit/inherited.
    The inheritance flags as displayed by MS tools e.g. “This folder, subfolders and files” for OI,CI.

  • Modified the GUI versions so that when checking the “First level subdirectories” or “All subdirectories” check boxes, if the “No contents” radio button is checked, the “Directories only” radio button is checked instead.
  • Fixed an issue in the fully GUI versions where the “Process group objects instead of their members” check box setting on the “Other” tab was ignored.
  • Fixed an issue where it could incorrectly display the IO (inherit only) inheritance flag when displaying the Microsoft view of ACEs, where if two consecutive ACEs differ only in the inheritance flags, they are displayed as one.
  • Added a sorting tab to the fully GUI versions allowing both primary and secondary sorting of columns.
  • Fixed an issue where the fully GUI versions would not sort the “Messages” column.
  • Fixed an issue where the fully GUI versions failed to correctly display an object name given on the command line.
  • Added the ability to command line versions to display the trustee’s display name via /w=u.
  • Fixed an issue where an application error could occur when running the program from a machine not in a domain, and listing ACEs on a domain controller.

Adwhodidit

  • Fixed an issue in the GUI version where, after using the right click delete option followed by pause and then cancel, the two control buttons ended up with incorrect labels.