Release Notes for JRButils for AD V10

Changes to multiple programs

  • Worked around a Microsoft bug where Win32 function WNetGetUniversalName, used to convert drive paths to UNC, produces an application error when passed a path longer than 260 characters. This potentially affected a number of programs working with the file system.
  • Fixed an issue affecting programs modifying file system DACLs where they failed to replace an existing ACE when the only difference was the presence or absence of the IO (inherit only) bit.
  • Increased the maximum length of file system paths which can be processed from 1024 to 2048 characters.
  • Added checks to ensure that the maximum length of a file system path is not exceeded to avoid an application error.
  • Added another method to improve the reliability of fully resolving paths (e.g. those containing DFS links or shares) to an actual server and volume. Various APIs, e.g. those associated with quotas, require fully resolved paths.
  • Modified the initialization code to allow a jrbutils.ini file to contain JRButils for AD and JRButils for Micro Focus (Novell) specific global switch settings by using ad: (or ms:) and mf: prefixes e.g.

    ad: /y=n
    mf: /y=c

    sets the default to /y=n for JRButils for AD, and /y=c for JRButils for Micro Focus.

  • Fixed a longstanding issue where settings for /l and /e, when specified in the jrbutils.ini file e.g. /l=nowrap, worked correctly so long as /l was not used on the command line, but if, say, /l=user.log was specified on the command line, the “nowrap” setting was lost.
  • Updated programs allowing an entire directory structure to be processed, to support a maximum depth being specified via /d=t e.g. /d=t2 will process only first and second level subdirectories relative to the given path.
  • Fixed a cosmetic issue in all programs where an invalid path specified for /l or /e might not display correctly in the error message.
  • Fixed an issue where programs were not finding a jrbutils.ini file located in one of the search paths. Programs now check the current directory first, then the directory from which the program is run, then the search paths.
  • Modified all fully GUI programs to clear the previous selections when the tree view dialog is reopened to make an object selection. This overcomes several minor issues e.g. clicking on an already selected object did not generate an event to update the selected objects edit box.
  • Made changes to allow all programs to be used from a workstation not in a domain. The environment variable JRBDOMAIN must be set to point to the required domain. One difficulty in using AD aware programs this way is that the Windows name translation service is only available from machines in domains, and JRButils for AD uses this service to validate and convert names from any of the accepted input forms (NT style, display name, user principal name, SID, etc.) to the form used internally. Currently, from a non-domain workstation, only NT style names, user principal names, common names and names in the form cn=fred,ou=abc are accepted. Common names may not be used from those programs supporting operations on local non-domain objects e.g. adgrpadd, adgrpdel and addelete. A name which cannot be recognised as representing a domain object is treated as local. For reasons which are not understood, accessing a domain from a workstation not in a domain tends to be very slow.
  • Fixed an issue when using /y=a to list names in canonical format where forward slashes forming part of the name were not escaped with a back slash.
  • Added support for inputting canonical style object names with components separated by forward slashes e.g. kiwi/staff/mgmt. These have the advantage of not having to specify typing for container names as when using the style cn=robin,ou=mgnt,ou=staff. For maximum convenience, a variety of name forms are accepted. The rules are:
    • Unlike true canonical names which require the presence of the domain in the form kiwi.jrbsoftware.com, the domain component is optional.
    • The domain component, if present, may be in the form kiwi.jrbsoftware.com, it may be a single level name representing the domain’s Active Directory name, or the domain’s NETBIOS name. The latter two are normally the same but Active Directory does not require them to be.
    • Wildcards may be included in the lowest level of the name when appropriate.
    • The name may start with a forward slash in which case, when given as a command line parameter, it must be enclosed in double quotes to prevent the leading ‘/’ being interpreted as denoting an option.
    • When an actual name component includes a forward slash as in “Mgmt/Accounting”, the slash must be escaped by a backslash e.g. “/abc/groups/Mgmt\/Accounting”.
    • Because the presence of a single forward slash is taken as denoting a canonical name, an untyped common name incorporating a forward slash as in “Mgmt/Accounting” is misinterpreted. Work-arounds include prefixing typing to the name (e.g. “cn=mgnt/accounting”) or using another name format. This seems a small price to pay given the convenience of canonical names, and the rarity of forward slashes in common names.
    • Some programs such as adgetval and adsetval accept a server name preceding an object name e.g. ws2012s4/Marcus. A server name cannot be combined with a canonical style name. A name given in the style staff/Robin is ambiguous and if canonical, a leading slash should be used, or the domain name included to avoid ambiguity e.g. /staff/robin, kiwi/staff/robin or kiwi.abc.com/staff/robin.
    • Characters such as the comma, semicolon, and plus, which require escaping with a backslash in common names, must not be escaped in a canonical style name.
  • Fixed an issue in adgetval, adgetobjsec, and adobjsec when displaying security descriptors where the names of trustees were displayed as SIDs when working across domains, and there was no existing non-LDAP connection to a server in the target domain.
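The depth-limited traversal (/d=t) and the path-length guard described in the list above, shown together as an added example; this is illustrative Python, not JRButils code. The walk_tree() function, the MAX_PATH_LEN constant (set to the 2048 limit the notes state) and the sample directory tree are this example's own: depth N means "descend into the first N subdirectory levels only", and any directory whose full path would exceed the limit is reported instead of being traversed, so the caller can warn rather than fail.

```python
"""Depth-limited directory walk with a path-length guard (added example)."""
import os
import tempfile
from typing import List, Optional, Tuple

# The maximum path length stated in the notes; an example constant, not an API value.
MAX_PATH_LEN = 2048


def walk_tree(root: str, max_depth: Optional[int] = None,
              max_len: int = MAX_PATH_LEN) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Return (visited, too_long).

    visited is a list of (path relative to root, depth); depth 0 is root itself,
    so max_depth=2 corresponds to /d=t2: first and second level subdirectories.
    too_long lists directories skipped because their full path exceeds max_len.
    """
    visited: List[Tuple[str, int]] = []
    too_long: List[str] = []
    root = os.path.abspath(root)
    for dirpath, dirnames, _files in os.walk(root, topdown=True):
        dirnames.sort()                       # deterministic order
        depth = 0 if dirpath == root else dirpath[len(root):].count(os.sep)
        visited.append((os.path.relpath(dirpath, root), depth))
        if max_depth is not None and depth >= max_depth:
            dirnames[:] = []                  # prune: os.walk will not descend further
            continue
        keep = []
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if len(full) > max_len:
                too_long.append(full)         # reported, never opened
            else:
                keep.append(name)
        dirnames[:] = keep                    # in-place edit controls what os.walk visits
    return visited, too_long


def build_sample_tree(base: str) -> str:
    """Constructed sample tree: a/b/c, a/d and e below base."""
    for rel in ("a/b/c", "a/d", "e"):
        os.makedirs(os.path.join(base, rel), exist_ok=True)
    return base


def demo(max_depth: Optional[int] = 2, slack: Optional[int] = None) -> Tuple[List[str], int]:
    """Walk the sample tree; returns (relative paths visited, number skipped as too long).

    slack, when given, sets the limit to len(base) + slack so the guard can be
    exercised without depending on where the temporary directory lives.
    """
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        limit = MAX_PATH_LEN if slack is None else len(base) + slack
        visited, too_long = walk_tree(base, max_depth, limit)
    return [p.replace(os.sep, "/") for p, _ in visited], len(too_long)


if __name__ == "__main__":
    print(demo(2))          # /d=t2: ['.', 'a', 'a/b', 'a/d', 'e'], 0 skipped
    print(demo(None, 3))    # unlimited depth, tight limit: a/b and a/d reported
```

With no depth limit and the full length limit, all six directories are visited; with slack=3 only the first-level directories fit and the two second-level ones are reported as too long.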
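The canonical style name rules listed above, worked through as an added example parser; this is illustrative Python, not JRButils code, and it does not resolve anything against a directory. KNOWN_DOMAINS is constructed sample data standing in for the domain lookup the real programs perform, so a single-label first component is only treated as a domain when it appears there; otherwise the name is flagged ambiguous, matching the staff/Robin case in the notes. The DN conversion assumes every container is an OU unless the caller supplies a type function, since canonical names carry no typing, and it applies RFC 4514 escaping to the commas, semicolons and plus signs that the canonical form leaves unescaped.

```python
"""Parser for canonical style object names (added example, not JRButils code)."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample data: single-label names accepted as a domain component.
KNOWN_DOMAINS = {"kiwi"}
_TYPED = re.compile(r"[A-Za-z]+=")          # cn=..., ou=... : a typed name, never canonical
_DN_SPECIAL = re.compile(r'([,;+"\\<>])')  # RFC 4514 characters that need a backslash


@dataclass
class CanonicalName:
    domain: Optional[str]
    containers: List[str]
    leaf: str
    ambiguous: bool = False      # first label might be a server name rather than a container


def split_unescaped(name: str) -> List[str]:
    """Split on '/' that is not escaped; '\\/' becomes a literal slash in a component."""
    parts, cur, i = [], [], 0
    while i < len(name):
        if name[i] == "\\" and i + 1 < len(name) and name[i + 1] == "/":
            cur.append("/")
            i += 2
            continue
        if name[i] == "/":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(name[i])
        i += 1
    parts.append("".join(cur))
    return parts


def is_canonical(name: str) -> bool:
    """A single unescaped '/' marks an untyped name as canonical style."""
    if _TYPED.match(name):
        return False
    return len(split_unescaped(name)) > 1


def parse_canonical(name: str, known_domains=KNOWN_DOMAINS) -> CanonicalName:
    parts = split_unescaped(name)
    if len(parts) < 2:
        raise ValueError(f"not a canonical style name: {name!r}")
    known = {d.lower() for d in known_domains}
    domain, ambiguous = None, False
    if parts[0] == "":                         # leading '/': canonical, no domain
        parts = parts[1:]
    elif "." in parts[0] or parts[0].lower() in known:
        domain, parts = parts[0], parts[1:]    # DNS name or known AD/NETBIOS name
    else:
        ambiguous = True                       # could be server/object (adgetval style)
    if not parts or parts[-1] == "":
        raise ValueError(f"missing object name in {name!r}")
    if any(ch in c for c in parts[:-1] for ch in "*?"):
        raise ValueError("wildcards are only allowed in the lowest level of the name")
    return CanonicalName(domain, parts[:-1], parts[-1], ambiguous)


def dn_escape(value: str) -> str:
    """Escape one attribute value for use in an RFC 4514 distinguished name."""
    out = _DN_SPECIAL.sub(r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def to_ldap_dn(cn: CanonicalName,
               container_type: Callable[[str], str] = lambda c: "ou") -> str:
    """Build a DN; container types come from the caller (default OU, an assumption)."""
    rdns = [f"cn={dn_escape(cn.leaf)}"]
    rdns += [f"{container_type(c)}={dn_escape(c)}" for c in reversed(cn.containers)]
    if cn.domain and "." in cn.domain:
        rdns += [f"dc={dn_escape(label)}" for label in cn.domain.split(".")]
    return ",".join(rdns)


if __name__ == "__main__":
    for n in ("kiwi/staff/mgmt", "/abc/groups/Mgmt\\/Accounting", "staff/Robin"):
        print(n, "->", parse_canonical(n))
    print(to_ldap_dn(parse_canonical("kiwi.jrbsoftware.com/staff/Smith, John")))
```

Names from the notes behave as described: kiwi/staff/mgmt and /staff/robin parse unambiguously, staff/Robin (and ws2012s4/Marcus) are flagged ambiguous, cn=mgnt/accounting is left to the typed-name path, and an untyped Mgmt/Accounting is indeed taken as canonical.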