Release Notes for JRButils for AD v11

Changes to Individual Programs

Addelhome

  • Fixed an issue where using /d without a value was not defaulting to /d=p as documented.

Adgetdirquota

  • Fixed an issue where it was not correctly sorting values larger than 4.3GB.
  • Provided more flexible output by combining the former /u options with /m allowing any fields to be selected and displayed in any order and column width.
  • Added the ability to display and sort on the user’s department.
  • Modified /a which produces delimited output, to allow requesting values be enclosed in double quotes, as well as specifying the separator.
  • Fixed an issue where combining /j and /t resulted in no output.
  • Added /m=j allowing header lines containing field names and units to be displayed even when /j is used to suppress headers and totals.
  • Added the ability to display and sort on the quota description.
  • Added the ability to display all quotas on a volume via /d=v. While this could previously be done by specifying the volume root with /d=t, using /d=v is very much more efficient, avoiding the need to check for a quota on every directory.
  • Updated to indicate an auto apply quota in the status field.
  • Corrected an issue with displaying the free space for a directory with an auto apply quota (the usage is not tracked for this quota).

Adgetobjsec

  • Fixed an issue where filtering by security principal was not working.
  • Added the ability to use /o=* to search all object classes.

Adgetrest

  • Added the ability to display whether the “home directory required” bit is set in the userAccountControl attribute.
  • Fixed an issue with filtering on account expiration date using a value of ‘none’.
  • Changed the way the server version is detected to avoid a noticeable delay which sometimes occurred at program startup.
  • Modified so that when doing a wildcard match on objects (e.g. a*) and using a filter (as in pne = yes), the filtering on values is done at the server when possible. For many fields this is not possible, due to how their values are derived e.g. displaying the password expiration date requires checking the security descriptor to determine if the user can change their password, and it requires the maximum password age from domain-wide values or the applicable fine-grained password policy.
  • Fixed an issue when retrieving values for last logon or modification date from all domain controllers (DCs), under some circumstances it might skip one DC.
  • Added the ability to filter on a date range. A second date may be specified by separating the two dates with a comma e.g. today,today+10. A range may be used only with operators ‘eq’ and ‘ne’.

Adgetval

  • Fixed an issue in the GUI versions with displaying object names in some formats (e.g. guid) when displaying all attributes for each object.
  • Fixed an issue where displaying if a user can change their own password always returned yes.
  • Fixed an issue in the GUI versions where clicking the “Set defaults” button on the attributes tab did not add the attributes to the “Selected” box.
  • Fixed an issue in the GUI versions where it did not sort correctly by number of values when displaying all attributes was selected, and the attribute values were not in the 3rd column.
  • Updated the GUI versions when displaying all attributes of each object, to adjust the column widths such that the entire list view width is always used.
  • Updated the GUI versions to allow filtering of results on the value for a particular attribute e.g. physicalDeliveryOfficeName (office) equals London. Filtering can be applied to attributes holding object names, text strings, boolean, 32 bit integer and 64 bit integer values, plus dates and times. It can be applied to specific values e.g. assistant equals trish, or on whether or not the attribute is populated. In addition, filtering may occur on a number of pseudo-attributes where the value is derived from one or more attributes e.g accountDisabled and pwdExpired. Where possible, filtering is done at the server for maximum efficiency. This does not happen in some circumstances e.g. when processing members of a group, and for some pseudo attributes requiring a search of the security descriptor e.g. to determine whether a user can change their own password. The security descriptor cannot be be searched via LDAP.

Adgetvolquota

  • Fixed an issue where it was not correctly sorting values larger than 4.3GB.
  • Provided more flexible output by combining the /u options with /m allowing any fields to be selected and displayed in any order and column width.
  • Added the ability to display the user’s department.
  • Modified /a which produces delimited output, to allow requesting values be enclosed in double quotes, as well as specifying the separator.
  • Fixed an issue where combining /j and /t resulted in no output.
  • Added /m=j allowing header lines containing field names and units to be displayed even when /j is used to suppress headers and totals.
  • Fixed an issue where it correctly reported when quotas were not enabled on a volume, but then continued on and attempted to retrieve quota values for all specified users.

Adgroups

  • Added a sorting tab allowing primary and secondary sorting by any combination of output fields.
  • Fixed an issue with the values for number of members when displaying group information but not member information for multiple Active Directory groups.
  • Changed the sorting for group type from numeric to character, so that the displayed values are sorted alphabetically.
  • Changed the way the server version is detected when required to avoid a possible small but noticeable delay.
  • Moved the position of the “Search child containers” checkbox on the Main tab to improve the presentation.
  • Replaced the “Create group” checkbox under “Add members” with a “Create” button present at all times on the Main tab. This opens a new dialog box making it easier to create multiple groups, and provides the ability to set both the description and displayName fields.
  • Fixed an issue with expression evaluation using logical operators with local groups.
  • Fixed an issue where sometimes on the second or subsequent evaluation of an expression (e.g. groupa and groupb), it could report an error with the reverse polish stack.
  • Fixed an issue with the use of boolean operator ‘not’ in an expression where it could display the inverse of the required results.
  • Fixed an issue with the use of boolean operator ‘not’ in an expression where the group name column could be empty instead of displaying the expression.
  • Modified to evaluate an expression containing ‘and’ and ‘not’, but not ‘or’ using only the memberships of the named groups which is very much faster.

Adhomedirs

  • Updated to allow the units to be included as part of the value entered for a directory quota, volume quota, or volume warning threshold. This overrides the current setting for the associated units combo box.
  • Added the ability to display the inheritance flags for the ACE granting users’ permissions to their home directories.
  • Added the ability to modify the inheritance flags via a right click option in the list view.
  • Made all right click dialog boxes resizeable to allow easier viewing of any error messages appearing in the status bar.
  • Fixed an inconsistency where the right click option to modify permissions did not offer the same range of permissions as when creating home directories.

Adimport

  • Fixed an issue where attributes specified in a “create subdirectory” statement were set on the home directory, not the subdirectory.
  • Modified the code for generating random passwords containing alphanumeric plus special characters so that the password is guaranteed to contain three of the four character types (numeric, uppercase, lowercase, special) but may contain all four. Previously all four were guaranteed for a password of four characters or longer.

Adjrbpass

  • Fixed an issue where it would report “Unable to focus a disabled or invisible window” after a search when /n=o was used to suppress the old password edit box.
  • Modified to not check that the passwords match when the focus changes directly from the “Verify password” edit box to the exit button.

Adlookup

  • Added the ability to filter on the following pseudo attributes
    • accountDisabled (a bit value in userAccountControl)
    • accountExpired (from the value in accountExpires)
    • accountLocked (from lockoutTime + the relevant lockout policy)
    • accountWillExpire (from the value in accountExpires)
    • homedirRequired (a bit value in userAccountControl)
    • protectFromAccidentalDeletion (from ntSecurityDescriptor)
    • pwdAllowChange (from ntSecurityDescriptor)
    • pwdChangeNextLogon (from pwdLastSet, userAccountControl, ntSecurityDescriptor)
    • pwdExpired (from pwdLastSet, userAccountControl, the relevant password policy)
    • pwdNeverExpires (a bit value in userAccountControl)
    • pwdRequired (a bit value in userAccountControl)
    • pwdReverseEncryption (a bit value in userAccountControl)
  • Fixed an issue in the fully GUI versions where specifying a starting container via /c on the command line was ignored.
  • Fixed an issue in the fully GUI versions where values for some boolean pseudo attributes such as pwdNeverExpires were not displayed.
  • Modified the fully GUI versions so that the search results are now displayed on a separate form.
  • Modified the fully GUI versions to support the following options previously only available in the command line versions:
    • Select a search operator (greater than or equal to, etc).
    • Specify a file of labels allowing attribute names to be replaced with alternative strings.
    • Select the format in which object names are displayed.
    • Suppress field names.
    • Display totals only.
    • Select the naming attributes to search for matching objects.
    • Select whether the display for consecutive objects is separated by a line of dashes, a blank line or there is no separation.
    • Sort the search results by object name or the value of the search attribute.
  • Added an option to the fully GUI version to clear previous output before starting each new search.

Admakememb

  • Fixed an issue where groups were not created when using both /c and /w.
  • Fixed an issue where it would not create a group named in canonical format e.g. “abc/staff/Health and Safety”.
  • Modified to give a more appropriate error message when /c is used, the group cannot be located, and no container is specified, preventing the group from being created.
  • Added /b to specify a container in which to create groups when using /c and only single level names are given on the command line or in an input file.

Admovedir

  • Corrected an issue where the inherited ACEs in the DACL of the moved file or directory were not updated. The Windows function performing the move retains the unmodified DACL despite the inherited ACEs not bieng applicable to the new location.

Admovehome

  • Corrected an issue when the home directory is moved within a volume where the inherited ACEs within the DACL were not updated.

Adobjsec

  • Fixed an issue where selecting “all classes” did not search the DACLs of organizationalUnits.
  • Added an “All” checkbox to the filter for selecting the object class for security principals.
  • Added the ability to display ACEs only where a specific object is the security principal.
  • Fixed an issue where the program failed to perform further searches after quitting a previous search.
  • Fixed an issue where “Include system containers in the tree view” was not working unless specified via /m on the command line.
  • Fixed an issue where adobjsec quit without displaying an error when it could not connect to the target domain.

Adpsomgr

  • Added the ability to enable and disable “Protect from accidental deletion” on password settings objects.

Adschema

  • Added the adminDescription to the output for individual attributes, but only when it contains a value differing from the ldapDisplayName. Under WS2016, a small percentage of attribute schema definitions have meaningful descriptions.

Adsetowner

  • Fixed an issue where under some circumstances it could report an error retrieving the SID for the user running the program. However, the program otherwise ran correctly.

Adsetpwd

  • Modified to indicate where appropriate, that when a domain or local password change fails due to lack of rights, and that running with elevated privileges may solve the problem. Adsetpwd checks that elevated privileges are available but have not been invoked.
  • Modified the code for generating passwords containing alphanumeric plus special characters (/g=s) so that the password is guaranteed to contain three of the four character types (numeric, uppercase, lowercase, special) but may contain all four. Previously all four were guaranteed for a password of four characters or longer.

Adsetrest

  • Added the ability to set the “home directory required” bit in the userAccountControl attribute.
  • Fixed an issue where it could randomly fail to set a date value and time due to an an uninitialized field in a structure.
  • Fixed an issue where it correctly unexpired a password but incorrectly reported the new password expiration date as the today's date i.e. the maximum password age was not added.

Adtrstlist

  • Added a header line giving field names. This is suppressed via /j, but may be reinstated without other headings and totals when using /w via /w=j.
  • Modified /w to allow selection of columns for columnar output by using /w=z. Previously, /w always resulted in delimited output.
  • Modified /w to allow specification of field widths for columnar output.
  • Added /w=f to display the security principal’s object class.
  • Added /w=h to display the inheritance in descriptive form e.g. “This folder only”.
  • Added /w=k to show whether or not an ACE is inherited.
  • Updated the fully GUI versions to select fields given via /w on startup.
  • Corrected an issue introduced in v10 where it was not displaying the SID of the security principal when it could not be translated to a name.
  • Corrected an issue in command line versions when using /w to display the owner, group or control flags, but no DACL components, one line of output was produced for each ACE, instead of just one line for the path.
  • Added /i=m to allow displaying both inherited and explicit ACEs on the highest level directory or directories, but only explicit ACEs on subdirectories when /d=t is used.

Adwhodidit

  • Added the ability via /u to easily skip files and directories with specific attributes set e.g. hidden. This does not offer filtering on the full set of attributes but is intended for easy avoidance of certain system directories and files when processing a volume root.
  • Corrected a long-standing omission by adding ‘+’ as a value for /o allowing values to output without the actual path and file.
  • Fixed an anomaly when sorting on physical size, and displaying logical sizes, where the logical sizes for a given physical size were not sorted into order. Adwhodidit now does a secondary sort on logical size whenever sorting on physical size.
  • Changed the default output fields in the command line versions from the logical size and attributes to the modification date and logical size. In the GUI versions, the modification date has replaced the owner.