Enhancements to JRButils for AD v3.0

Changes to multiple programs

  • Added logging option “noblanks” for /e and /l to suppress the output of blank lines.
  • Added logging option “separator” for /e and /l to place a line of dashes at the end of output. This may be useful when logging output from multiple programs to the same log file to delineate the output from each program.
  • Added ‘q’ as an alternative to ‘e’ and ‘ESC’ to quit from the in-built help.
  • Updated various programs accepting file system rights from the command line to accept ‘c’ as used by cacls, as an alternative to RWXD. The value ‘m’, as used by icacls, may also be used.
  • Made changes to numerous programs so that objects of class inetorgperson could be processed as per users.
  • Fixed an issue in various programs where extended characters could be mangled during expansion of a relative path using a drive letter.
  • Updated various programs generating a SAM account name to use a maximum of 19 characters instead of 20 for users. While most Microsoft documentation states 20 is the maximum, and AD will allow up to 20 characters, it is also stated in the MSDN that the name must be less than 20 characters for compatibility with older systems. Customer feedback that users were unable to log on to W2008 with a 20 character SAM name precipitated this change.
  • Updated the logging code to delete rather than overwrite an existing file of the same name when 'append' mode is not used. This provides the potential to recover the file, and also ensures that the log file is created with the name using the exact case given on the command line.
  • Updated the logging code to prevent a dialog box appearing when attempting to create the file on a removable drive not containing a disk.
  • Updated all programs performing an operation on a directory structure to work with paths longer than 260 characters.
  • Updated various programs to support password settings objects under W2008 and later domains. More details are given under individual programs below.

Changes to individual programs

Adchkhome

  • Added /z=r to display each user’s rights to their home directory.
  • Fixed an issue when using /d, /c and /z where the values for homeDrive and homeDirectory were swapped in the output.
  • Updated to detect group members of class ‘contact’ and to report an error rather than attempting to process them.
  • Added /w to list just those users for which the home directory path does or does not exist.
  • Added /s to allow sorting by any of the fields which can be displayed.
  • Added /u to allow restricting the output to those users with a particular character sequence in the home directory path e.g. /u=\\neptune.

Adcreate

  • Updated to not attempt to copy the lastLogonTimestamp attribute from a template. This was producing a harmless error.
  • Updated to assign a user or inetOrgPerson to a password settings object via a template.
  • Updated to check the validity of sam account names supplied via /u to avoid the ridiculous Windows error “A device attached to the system is not functioning” returned when an attempt is made to assign an invalid value.

Addelhome

  • Fixed an issue where it may fail to determine the owner of the home directory.

Adfsupdate

  • Fixed issues with using Windows paths in an input file.
  • Fixed an issue where it could attempt to process the wrong server when a UNC path was given.
  • Fixed an issue where it would not accept /+ as a valid option.
  • Fixed an issue where files with extended characters in the name were being deleted from the target directory after copying when mirroring from Windows to NetWare.
  • Fixed an issue where using a drive letter and "*." to process only files without extensions was processing all files due to the unexpected removal of the trailing period by a Windows function.
  • Updated to use Unicode paths internally, which overcomes two issues: (1) Now supports paths longer than 260 characters (max 1024). (2) Avoids problems with extended characters not matching the machine's code page.
  • Updated to display the number of files to be deleted when using /d=r.
  • Updated to attempt, by default, to retain the ownership of directories. It already attempted to retain file ownership.
  • Fixed an issue where setting file ownership may fail due to the required privileges not being enabled.
  • Implemented /t to copy the discretionary access control list for files and directories when the source and target path are both Windows drives.

Adgetrest

  • Fixed an issue where subsorting by object name was not working when sorting by value.
  • Added the ability to display the name of the effective password settings object under Windows 2008 and later domains.
  • Updated to retrieve values such as password minimum length and maximum age from a password settings object if applicable under Windows 2008 and later domains.
  • Fixed an issue where it was not reporting if the value was expired for account and password expiration dates when the results were sorted.
  • Added the ability to display the date and time of the last unsuccessful login attempt.
  • Fixed an issue where the values for “password expired” could be incorrect when the results were sorted.
  • Changed the display of various attributes to the form dd:hh:mm:ss. These include several intruder lockout settings which were previously displayed in minutes, and the minimum and maximum password ages which were previously displayed in days.

Adgetval

  • Fixed an issue where it could use the object class ‘user’ in the header instead of ‘computer’ when displaying attributes for a computer object.
  • Fixed an issue where incorrect date values could be displayed for some attributes such as whenCreated when using an input file.
  • Updated to work with password settings objects under W2008 and later domains. Values such as password maximum age and minimum length are now retrieved from a password settings object if applicable, otherwise the domain-wide settings are displayed as in earlier versions.
  • Improved the display of the following attributes:

    msDS-MaximumPasswordAge for password settings objects.
    msDS-MinimumPasswordAge for password settings objects.
    msDS-LockoutObservationWindow for password settings objects.
    msDS-LockoutDuration for password settings objects.
    maxPwdAge (now displayed in the form dd:hh:mm:ss)
    minPwdAge (now displayed in the form dd:hh:mm:ss)
    lockoutDuration (now displayed in the form dd:hh:mm:ss)
    lockoutObservationWindow (now displayed in the form dd:hh:mm:ss)


Adgrpadd

  • Fixed an issue where an application error could occur when creating a group with a name exceeding 20 characters. The issue occurred when generating the sam account name.

Adgrplist

  • Updated to avoid an issue where it could go into an endless loop when expanding nested groups if circular nesting occurred.
  • Added /a=u to ensure individual members are listed only once when expanding nested groups.
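
The two Adgrplist changes above (terminating on circular nesting and listing each member once) are shown in this added Python illustration, which is not JRButils code. The directory dictionary, the group and user names, and the function expand_group with its unique flag are all hypothetical; unique is assumed to behave like /a=u.

```python
# Constructed sample data: group name -> direct members. Any member that is
# also a key is a nested group. GroupA -> GroupB -> GroupC -> GroupA is a
# circular nesting, and alice is a direct member of two groups.
DIRECTORY = {
    "GroupA": ["alice", "GroupB"],
    "GroupB": ["bob", "alice", "GroupC"],
    "GroupC": ["carol", "GroupA"],
}


def expand_group(directory, root, unique=True):
    """Expand nested groups under root and return (members, cycles).

    Each group is expanded at most once, so circular nesting cannot loop
    forever. cycles holds (parent, child) pairs where child is already on
    the current expansion path, which is worth reporting to an auditor
    because it hides who really inherits the group's rights.
    """
    members, cycles = [], []
    seen_members, expanded = set(), set()

    def walk(group, path):
        expanded.add(group)
        for member in directory.get(group, []):
            if member in directory:            # nested group
                if member in path:             # back-edge: circular nesting
                    cycles.append((group, member))
                elif member not in expanded:   # not yet visited
                    walk(member, path | {member})
            elif not unique or member not in seen_members:
                seen_members.add(member)
                members.append(member)

    walk(root, {root})
    return members, cycles


if __name__ == "__main__":
    users, loops = expand_group(DIRECTORY, "GroupA")
    print("members:", users)
    print("circular nesting:", loops)
```

With unique=False the same user can appear once per group in which it is a direct member, which is the duplication that a unique listing removes.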

Adgrpmemb

  • Updated to work with nested groups. This is now the default, but checking of nested groups may be suppressed via /n.
  • Updated to check membership of the primary group.
  • Implemented /y to control the format of object names when using /v to display the result.

Adimport

  • Updated to support creating, updating and deleting objects of class inetorgperson via an “Object class=inetorgperson” control statement.
  • Updated to support V2 profile paths used on Vista and Windows 7. A new control statement “use v2 profile paths” has been added.
  • Fixed an issue where, when creating contacts with /c=t, it checked for user objects rather than contact objects.
  • Added a new data field “home volume quota” to assign or remove a quota from the volume on which the home directory exists.
  • Added a new data field “volume quota” to assign or remove a quota from any network volume.
  • Updated the code for copying files and directories into the home directory to work correctly with paths longer than 260 characters.
  • Updated to not attempt to copy the lastLogonTimestamp attribute from a template. This was producing a harmless error.
  • Modified to allow for incorrect typing of containers in the value given for the “container” control statement. The most common support issue to date for adimport has been due to the use of the “CN” type instead of the “OU” type for organizational units. When the path given is invalid, adimport now attempts to validate each level using “OU” if “CN” was specified and vice versa.
  • Fixed issues where it was reporting that several attributes had been set regardless of /v, when they should have been reported only when /v was used.
  • Added “Use template” as an alternative to control statement “User template”.
  • Updated to allow a password settings object to be assigned under Windows 2008 onwards via control statement “Password settings object”.
  • Updated to support assigning a password settings object via a template.
  • Updated to support assigning a password settings object via a field of the same name, or via the msDS-PSOApplied attribute name.
  • Made various changes where values such as minimum password length from the domain object are used, to check if a password settings object has been applied to each user and if so to use the value from that object.
  • Fixed an issue where a value of “*” for field “Group membership remove” resulted in an error. This value did work correctly for the “Group membership remove” control statement.
  • Updated to check the validity of sam account names supplied in the data file to avoid the ridiculous Windows error “A device attached to the system is not functioning” returned when an attempt is made to assign an invalid value.
  • Updated to check if the sam account name is already used when doing a syntax check i.e. adimport is run with /c.

Adlookup

  • Fixed an issue where it searched for user objects when /o=contact or /o=inetorgperson was used.
  • Updated to retrieve attributes such as minimum password length from a password settings object under Windows 2008 and later domains if such an object had been applied to a user or inetOrgPerson.
  • Updated to retrieve values such as password minimum length and maximum age from a password settings object if applicable under Windows 2008 and later domains.
  • Fixed inconsistencies in the use of ‘pwd’ and ‘password’ in the names of pseudo attributes such as pwdNeverExpires.
  • Changed the display of values for maxPwdAge, minPwdAge, lockoutDuration and lockoutObservationWindow from days or minutes to the more accurate form of dd:hh:mm:ss. The values are stored in seconds and will not necessarily be an exact multiple of days or minutes.
  • Added /s to allow the results to be sorted by object name.
  • Modified /h which previously caused a line of dashes to appear between the output for consecutive objects. It now has three options which are a line of dashes, a single blank line (the default) or no separation.

Admovehome

  • Fixed an issue where it could fail to move the home directory.
  • Added /h to use the sam account name instead of the common name when creating the new home directory.
  • Fixed an issue where the lowest level of the destination directory was ignored when using /b and the directory did not exist.
  • Revamped the code for copying the dacl from the old to the new home directory, to do a better job of merging the dacl entries.

Adrename

  • Fixed several issues with renaming objects of class inetorgperson where the samAccountName was not being updated, and the home directory was not being renamed.
  • Fixed an issue where the samAccountName was not updated when a new name was given and /c was used to change the case.
  • Updated to change the value in the Exchange mailNickname attribute if used.
  • Updated to rename the profile path and update the profilePath attribute if the path is in UNC format. This change allows for V2 profile paths where “.V2” is appended to the path, but is not appended to the value stored in the profilePath attribute.

Adsethome

  • Updated to detect group members of class ‘contact’ and to report an error rather than attempting to process them.
  • Changed the previous /i to /n.
  • Added a new /i controlling DACL inheritance for the home directory. Inheritance can be enabled, disabled with existing inherited ACEs converted to explicit, or disabled with existing inherited ACEs discarded.

Adsetrest

  • Updated to assign users to or remove users from password settings objects under Windows 2008 domains.
  • Updated to use the lockout duration from a password settings object if applicable when determining if an account is locked.

Adsettrust

  • Added /i controlling DACL inheritance for each directory. Inheritance can be enabled, disabled with existing inherited ACEs converted to explicit, or disabled with existing inherited ACEs discarded. This can be done at the same time as adding or removing ACEs or as a stand-alone operation.
  • Fixed an issue where it failed to check if the path supported persistent ACLs when it was given in UNC format.

Adsetval

  • Added /# to allow the setting or removal of specific bits from 32 bit values stored in integer attributes. For example “adsetval Fred /a=userAccountControl /# +0x02” adds bit 0x02 which disables the account.
  • Modified to give an appropriate error when an attempt is made to set an invalid samAccountName. The default error returned by the server is 31 translating to “A device attached to the system is not functioning”.
  • Corrected the in-built help for /f which failed to state that a separator can be supplied as a value e.g. /f=,.
  • Fixed an issue where double quotes around a text value were not removed when there were trailing spaces, even when /b was used to remove them. The issue arose because checking for double quotes was done before removal of the trailing spaces.
  • Updated to allow values for minPwdAge, maxPwdAge, msDS-MinimumPasswordAge and msDS-MaximumPasswordAge to be specified in days (e.g. 40days) rather than in seconds.

Adtrstlist

  • Modified /a to accept a semicolon delimited list of objects. Any ACEs granting or denying rights to these objects are omitted from the output. When /a is used without a value, ACEs are suppressed for well known objects, as previously.
  • Fixed an issue created in V3.0 where using a path in the form \\server to process all volumes on a server was not working.
  • Fixed an issue where it failed to check if the path supported persistent ACLs when it was given in UNC format.

Adwhodidit

  • Fixed an issue where it was failing to remove the “\\?\” prefix from a Windows path when reporting that no matching files were found. This prefix is required to correctly handle paths longer than 260 characters.
  • Updated to display a Windows file or directory owner’s SID rather than “None” when the SID cannot be translated to an object name.
  • Modified the calculation of the path length displayed via /o=g so that the length is always correct for the format in which the path is displayed.
  • Modified so that the units of the total usage given in the final line of output are controlled by /m. Previously, they were fixed in KB.