Release Notes for JRButils for AD v3.0

Changes to Individual Programs

Adchkhome

  • Fixed an issue when adchkhome failed to connect to the server retrieved from the homeDirectory attribute. The reason given for the failure was incorrect.
  • Added /n to allow listing only those users without a homeDirectory attribute or without a homeDrive attribute.
  • Modified /c which causes checks on the homeDirectory contents to be performed. It is now possible to select which of the individual checks are required.
  • Modified /t which limits output to error reports, so that /t=a can be used to display just the object name. This may be useful, for example, when checking if the path in the homeDirectory attribute exists. When it does not, the names can be used as input to adsethome.
  • Fixed an issue where for some combinations of options when processing users, the owner of the home directory was not shown for /z=o.

Adchrcheck

  • Added /i to disallow only non-printable characters with ASCII values less than 32 and extended characters with ASCII values greater than 127.

Adcreate

  • Updated to add the type (e.g. CN=) appropriate for the object class when this is omitted from the object name.
  • Updated to check that a container is given as part of the object name for objects which cannot be created at rootDSE.
  • Updated to accept a set of file system rights as a third value for /d. These rights are granted to each user for their home directory.
  • Modified to allow up to 256 characters in the samAccountName for groups. Previously, the limit was 20 but “Active Directory Computers and Users” (ADUC) in W2003 and W2008 allows more. Obtaining a definitive answer on the maximum length is difficult, but as one programming reference states 256, that number has been used.
  • Fixed an issue with creating home directories where backslashes escaping special characters in common names (e.g. CN=Barton\, Molly) were not removed when building the home directory path.
  • Updated to construct a value for userPrincipalName when creating users and a value is not supplied. ADUC requires that this attribute be populated. The value is derived from the common name and the typeless domain name.
  • Modified /d so that a home drive and/or home directory path can be specified. Previously, both values had to be present.

Addelete

  • Fixed an issue where a value for /d was ignored.

Adgetrest

  • Added more flexibility for specifying the servers from which the non-replicated attributes whenChanged and lastLogon are read to find the most recent value. A comma separated list of server names or IP numbers may now be specified. Wildcards may be used in names. A ‘!’ preceding a server name or IP number may be used to skip a server that would be otherwise included via a wildcard match. A file name preceded by ‘@’ may also be given e.g. @servers.txt/fred where the file contains a list of servers, one per line. The default action is to retrieve the above values from all servers in the domain.
  • Made changes to improve the speed at which values for the non-replicated attributes whenChanged and lastLogon are retrieved.
  • Fixed an issue where the server from which the most recent last logon time was retrieved was not displayed when listing all restrictions.
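The server-selection syntax described above (comma-separated names or IP numbers, wildcards, ‘!’ exclusions and ‘@file’ lists, with all domain servers as the default) is worth seeing as a small resolver. The following is an added example written for these notes, not code from JRButils: the domain server list and the ‘@’ file contents are constructed inline so it runs offline, and the rule that a specification consisting only of ‘!’ exclusions starts from all servers is an assumption, since the notes only describe ‘!’ as removing a server that a wildcard would otherwise include.

```python
"""Resolve an adgetrest-style server specification against a domain's server list.

Added example, not JRButils code. The domain server list and the '@' file
contents below are constructed so the example runs offline.
"""
import fnmatch
from typing import Dict, Iterable, List, Optional

# Constructed stand-in for the servers the tool would discover in the domain.
DOMAIN_SERVERS = ["DC01", "DC02", "BRANCH-DC1", "10.0.5.20"]

# Constructed stand-in for files named via '@file' (name -> contents, one server per line).
SERVER_FILES = {"servers.txt": "BRANCH-DC1\n10.0.5.20\n"}


def parse_spec(spec: str, files: Optional[Dict[str, str]] = None) -> List[str]:
    """Split a comma-separated specification into tokens.

    A token of the form '@name' is replaced by the non-empty lines of that file.
    `files` maps file names to contents so no disk access is needed here.
    """
    files = files if files is not None else SERVER_FILES
    tokens: List[str] = []
    for raw in spec.split(","):
        tok = raw.strip()
        if not tok:
            continue
        if tok.startswith("@"):
            body = files.get(tok[1:])
            if body is None:
                raise FileNotFoundError(tok[1:])
            tokens.extend(line.strip() for line in body.splitlines() if line.strip())
        else:
            tokens.append(tok)
    return tokens


def resolve_servers(spec: str, domain_servers: Iterable[str] = DOMAIN_SERVERS,
                    files: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the servers selected by `spec`, preserving domain-list order.

    - empty spec                      -> every server in the domain (the default action)
    - name or IP, '*' / '?' wildcards -> included when it matches (case-insensitive)
    - '!pattern'                      -> excluded even if another pattern matched it
    Assumption: a spec with only '!' entries is applied against all servers.
    """
    servers = list(domain_servers)
    if not spec.strip():
        return servers

    includes: List[str] = []
    excludes: List[str] = []
    for tok in parse_spec(spec, files):
        if tok.startswith("!"):
            excludes.append(tok[1:].lower())
        else:
            includes.append(tok.lower())
    if not includes:                       # assumption: exclusions alone start from "all"
        includes = ["*"]

    def matches(server: str, patterns: List[str]) -> bool:
        # fnmatchcase treats '.' literally, so IP patterns such as 10.0.5.* work as expected.
        return any(fnmatch.fnmatchcase(server.lower(), p) for p in patterns)

    return [s for s in servers if matches(s, includes) and not matches(s, excludes)]


if __name__ == "__main__":
    for spec in ["", "dc*,!dc02", "@servers.txt", "10.0.5.*", "!branch*"]:
        print(f"{spec!r:16} -> {resolve_servers(spec)}")
```

Exclusions are applied after inclusions, so ‘dc*,!dc02’ selects DC01 only, and an ‘@’ file is simply expanded into the same token list before matching.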

Adgetval

  • Updated to display the contents of the ntSecurityDescriptor attribute.
  • Modified the parsing of a value for /a so that it recognises that the end of an attribute name has been reached when a double quote is encountered.
  • Added /_ (slash underscore) to suppress the display of the contents of the ntSecurityDescriptor when using /a=*. This restores the behaviour to that of adgetval in V2.0 where the security descriptor was not displayed.
  • Updated to recognise attribute mS-DS-creatorSID as a security identifier and to display it appropriately.
  • Updated to recognise attribute attributeSecurityGUID as a GUID and to display appropriately.

Adgrpadd

  • Fixed an issue where it was failing to remove disallowed characters such as ‘/’ when assigning the samAccountName for a group created via /c.
  • Modified to correctly report that an object is already a member of a group when the group membership has been hidden via Exchange. Previously an error that “The object already existed” was reported when the attempt to add the member failed.
  • Updated to support adding users to local workstation groups.

Adgrpdel

  • Fixed an issue where it could incorrectly report that a user was not a group member when the group membership had been hidden via Exchange.
  • Updated to support removing users from local workstation groups.

Adgrplist

  • Modified to not report when a nested group has no members.
  • Modified to check for hidden membership when no members are found for a group, and to report it if found.

Adgrpmemb

  • Updated to check for group membership via both the group’s member attribute and the member’s memberOf attribute to cover the situation where the group membership has been hidden by Exchange.

Adimport

  • Updated to support “Home directory rights” and “Second home directory” rights control statements, allowing any combination of rights to be set for the primary and secondary home directories. Previously full rights were always granted.
  • Implemented “Group directory rights” and “Group directory group rights” statements. These are used in conjunction with “Create group directories=y” to create directories under a group structure for each group to which a user is added. The “Group directory rights” control statement specifies the rights given to each user’s subdirectory of the group directory. The “Group directory group rights” statement specifies the rights assigned to the group object for the directory of the same name.
  • Updated the “Create subdirectory” statement to allow rights to be specified which are assigned to other objects.
  • Modified the “Group membership add”, “Group membership remove”, “Group directory process list” and “Group directory ignore list” control statements to require semicolons rather than commas between groups. The use of commas had been retained for consistency with jrbimprt, but has proved to be problematic given the commas in fully qualified AD names. Hence the change.
  • Updated to check that the password length and complexity conforms to the password policy when using /c. This feature requires that adimport be run on Windows Server 2003 or later, or Windows Vista.
  • Fixed a cosmetic issue where it could attempt to set the password twice when the first attempt failed due to the password not complying with the password policy.
  • Fixed an issue where it would not create objects with an escaped comma in the common name e.g. “Foo\, Fred”.
  • Updated to recognise directReports as an attribute which it cannot set or copy from a template.
  • Added checks to ensure that the value for attribute “c” is a valid two character country code.
  • Fixed an issue where a value for samAccountName was ignored when creating users. However, the value was being set correctly when updating users.
  • Built in a list of attributes which adimport knows cannot be deleted. This is used when processing a “delete attribute” control statement. Adimport now gives a more meaningful error message than was returned by Active Directory when an attribute cannot be deleted.
  • Fixed an issue where an application error could occur when a container statement was not present in the control file.
  • Fixed an issue where users were not being added to or removed from groups when “Group membership add” or “Group membership remove” statements appeared in the data file instead of the control file.
  • Fixed an issue where attempting to set “Password allow change” failed with “Unspecified error”.
  • Added the following control statements for creating and deleting profile paths:

    profile path
    profile path rights
    create profile path
    delete profile path

    These function as per the home directory equivalents.

  • Updated to create a profile path via a template providing that the path is in UNC format. If the lowest level of the path matches the template name, this is removed before the user’s common name is appended. The path must be in UNC format to be created.
  • Updated to allow creation of contacts via a new “Object class” control statement. Currently allowed values are “contact”, and “user” which is the default.
  • Fixed an issue where using /c=t to check for existing objects with the same common names as users to be created was failing for names containing escaped commas.
  • Added control statement “Use sam name in principal name”. “Active Directory Computers and Users” (ADUC) requires that this attribute have a value, hence adimport builds a userPrincipalName when creating users and a value is not supplied. By default the userPrincipalName comprises the CN and the typeless domain name (e.g. “Bill Smith@kiwi.xyz.com”), but this control statement forces the samAccountName to be used instead of the CN.
  • Doubled the maximum line length from 2048 characters to 4096 for both the control and data file. This was primarily to accommodate long lists of groups for “Group membership add” control statements.
  • Modified to allow up to 256 characters in the samAccountName for groups. Previously, the limit was 20. See further comments under adcreate.
  • Added support for setting directory quotas on primary and secondary home directories on Windows 2008. The following new control statements have been added:
    home directory quota
    home directory quota status
    home directory quota template
    second home directory quota
    second home directory quota status
    second home directory quota template
  • Fixed an issue where it failed to process users when a container was included in the name in the data file (e.g. cn=fred,ou=xyz) but the domain portion of the name was omitted.
  • Added control statements “Home directory name” and “Second home directory name” controlling whether the name assigned to the lowest level of the home directory is the common name, samAccountName, or the value of userPrincipalName prior to any ‘@’ character.
  • Added the ability to include substitution identifiers %cn% and %samAccountName% at the beginning of values for “mail” and “userPrincipalName”. The identifiers are replaced by the common name and samAccountName respectively, allowing values to be set from the “Fixed values” section rather than having to be individually specified for each user.

AdJrbpass

  • Updated to check for and remove double quotes around a name entered in the “user name” edit box.
  • Added /s to search for users via the samAccountName instead of the common name.
  • Fixed an issue with setting NetWare passwords where adjrbpass was not translating the -319 error code returned by the Novell client to a meaningful error when a universal password does not comply with a password policy.

Adlist

  • Fixed an issue when sorting by container name (/s=x) where object names were being displayed with periods instead of commas as component separators.
  • Modified to allow the domain controller preceding the object name (e.g. nakita/cn=*,ou=staff) to be in a different domain from that to which the workstation belongs. Adlist will prompt for authentication if required.

Adrename

  • Fixed an issue where renaming users and computers failed if the new samAccountName equalled the old one. Adrename reported that the new name was already in use.

Adsethome

  • Updated to be able to specify the rights to be granted to the home directory. Previously full rights were always granted.
  • Added /i to allow the samAccountName instead of the common name to be used when creating the home directory.
  • Fixed an issue with creating home directories where backslashes in common names (e.g. CN=Barton\, Molly) were not removed when building the home directory path.

Adsetowner

  • Fixed an issue with assigning a different owner to the contents of users’ home directories.
  • Fixed an issue where it was failing to process a path containing a file name without wildcards e.g. p:widget.exe.
  • Updated to allow setting the ownership to a local user on a member server.
  • Added options to /v to list either all files and directories processed or only entries for which ownership has been changed.

Adsetpwd

  • Modified to explicitly report when the new password is too short. Previously, adsetpwd used the Windows translation for error 2245, which covers passwords that are too short, insufficiently complex, or recently used.
  • Fixed an issue where /a could fail to unlock an account prior to changing the password.
  • Modified to allow a delay to be specified via /d when generating random passwords. The same random password may be generated when running adsetpwd multiple times in a script. The issue arises because the Borland C randomize() function uses the current time to generate a random number seed but appears to use the time to a resolution of one second. Hence if adsetpwd is run multiple times within the one second, the same seed is generated, and therefore the same random password is created. When /d (introduce a delay) is used with /g (generate random passwords), adsetpwd will now pause for the specified number of seconds when finished. Using /d=1 will solve the problem.
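The cause described above, a random seed taken from the clock at one-second resolution, is easy to reproduce. The following is an added illustration for these notes, not JRButils’ or Borland’s code: it models a clock-seeded generator to show that two runs within the same second yield the same password, and places a generator built on the operating system’s cryptographic random source beside it, which is the approach a practitioner would prefer over inserting a delay. The alphabet and password length are assumptions.

```python
"""Why a clock-seeded password generator repeats itself, and the alternative.

Added example, not JRButils code. `time_seeded_password` models the failure
mode described in the release notes (seed = current time in whole seconds);
`secure_password` draws from the OS cryptographic random source instead.
"""
import random
import secrets
import string
import time
from typing import Optional, Tuple

ALPHABET = string.ascii_letters + string.digits   # assumed character set
DEFAULT_LENGTH = 12                                # assumed length


def time_seeded_password(length: int = DEFAULT_LENGTH, now: Optional[float] = None) -> str:
    """Model of a generator seeded from the clock at one-second resolution.

    `now` lets the caller fix the clock for demonstration; the seed is the
    whole-second part of the time, so two calls in the same second share a seed.
    """
    seed = int(time.time() if now is None else now)
    rng = random.Random(seed)               # deterministic stream for a given seed
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def secure_password(length: int = DEFAULT_LENGTH) -> str:
    """Generator that does not depend on the clock at all.

    `secrets` reads from the OS CSPRNG, so consecutive calls, however fast,
    are independent and unpredictable.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def demo_collision(start: float = 1_700_000_000.25) -> Tuple[bool, bool]:
    """Return (same_second_collides, next_second_collides) for the clock-seeded model."""
    first = time_seeded_password(now=start)
    same_second = time_seeded_password(now=start + 0.5)   # still within the same second
    next_second = time_seeded_password(now=start + 1.0)   # clock has ticked over
    return first == same_second, first == next_second


if __name__ == "__main__":
    same, nxt = demo_collision()
    print(f"same second repeats: {same}, next second repeats: {nxt}")
    print("secure:", secure_password(), secure_password())
```

Running the script prints that the same-second pair is identical while the next-second one differs, which is exactly the behaviour the one-second delay works around; the `secrets`-based generator sidesteps the issue because its output never depends on when it ran.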

Adsetrest

  • Fixed an issue when setting the account expiration date for multiple users where it incremented the date by one day for each consecutive user.

Adsetval

  • Fixed an issue where it was failing to delete single valued attributes but reported that it had done so.
  • Modified to report when no value existed when attempting to delete a multi-valued attribute. Previously, adsetval reported successfully deleting the values when in fact none were present.
  • Added the ability to include substitution identifiers %cn% and %samAccountName% at the beginning of values for “mail” and “userPrincipalName”. The identifiers are replaced by the common name and samAccountName respectively.

Adsetvolquota

  • Modified to allow the values on each line of an input file to be separated by a specific character e.g. a comma or semicolon instead of white space. The character can be specified via /v or /w which indicate that there is more than one value per line.

Adtrstlist

  • Added /# to display the group members rather than the group name, when listing the trustees for a directory or file, and an ACE for a group object is found.
  • Added ‘b’ as an option to /w allowing both the group name and the member name to be displayed when using /#.
  • Added /t to limit the results to either ‘allow’ or ‘deny’ ACE entries.
  • Modified to allow adtrstlist to run when a domain is not present or the machine on which it is being run is not a domain member.
  • Updated to allow processing of users and groups on local workstations. When also connected to a domain, local objects must be prefixed by the workstation name e.g. wks0027\martin. A connection to the workstation must already exist.
  • Modified to display the SID in text form rather than “[Unknown]” when the SID cannot be translated to an object name.
  • Fixed an issue where it was not enabling privileges before reading the security descriptor when listing ACEs for well known objects e.g. “CREATOR OWNER”. This could result in a message reporting that “A required privilege is not held by the client”.
  • Fixed minor issues with the heading when using an input file.
  • Modified /a to not only exclude entries for “NT AUTHORITY\SYSTEM” but all entries with the “NT AUTHORITY” prefix.
  • Corrected an issue where it could report that “A required privilege is not held by the client” for a user with less than full rights to the target directory.
  • Fixed an issue where it was processing the parent directory rather than the file for a path and file given on the command line as in adtrstlist p:orders.xls /d.
  • Updated to report when no discretionary ACL exists, or an empty ACL exists.
  • Updated to produce adsettrust commands via /b and /m in addition to cacls and icacls commands.
  • Updated so that when producing cacls, icacls and adsettrust commands, consecutive ACEs where one sets the rights and the other sets the inheritance, are combined into a single command.
  • Added /v to control which parts of the security descriptor are displayed. Possible values are:
    a Display all components.
    c The control flags.
    d The discretionary access control list (dacl). This is the default.
    g The group.
    o The owner.
    s The system access control list (sacl).
    One or more values may be combined e.g. /v=cog. Note that /v=o replaces the previous use of /h.
  • Added /d=p to allow values to be displayed for a directory or file, and each of its parent directories.
  • Updated to accept Microsoft’s two letter abbreviations for many well-known security identifiers which can be given as the first parameter e.g. AO for BUILTIN\Account Operators.
  • Changed /i to allow display of either inherited ACEs only or explicit (non-inherited) ACEs only.
  • Made various changes to /w, which produces user-defined output.
    • Changed the default delimiter to the semicolon to avoid issues with commas in object names.
    • Changed ‘t’ to ‘a’ for displaying the ACE type (allow/deny).
    • Changed ‘o’ to ‘t’ for displaying the trustee from each ACE.
    • Added ‘c’ to display the security descriptor control flags.
    • Added ‘g’ to display the group from the security descriptor.
    • Added ‘o’ to display the owner.
  • Added /h to provide a means of displaying directories and files for which the selected trustees have no ACEs.
  • Added the ability to filter the results on permissions via two extra parameters i.e. a logical operator (equals, not equals, includes, does not include) and a permissions mask.
  • Fixed an issue when displaying an ACE on a member server where it was failing to convert a SID to a name when the SID pointed to a local object rather than an object in AD.
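Several of the adtrstlist changes above (allow/deny selection via /t, inherited versus explicit via /i, and the permission filter with its equals, not equals, includes and does not include operators) amount to filtering a DACL on ACE type, the inherited flag and the access mask. The following is an added example for these notes, not adtrstlist’s code: it applies those filters to a constructed DACL using the standard Windows file access-mask values. How “does not include” is evaluated (here: not every requested bit is present) is an assumption, as the notes do not define it.

```python
"""Filter a DACL's ACEs on type, inheritance and access mask.

Added example, not JRButils code. The ACEs below are constructed; the
access-mask values are the standard Windows file-object constants.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Standard Windows access-mask bits (winnt.h values).
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
DELETE = 0x10000
READ_CONTROL = 0x20000
WRITE_DAC = 0x40000
WRITE_OWNER = 0x80000
FILE_GENERIC_READ = 0x120089
FILE_GENERIC_WRITE = 0x120116
FILE_ALL_ACCESS = 0x1F01FF
INHERITED_ACE = 0x10          # ACE header flag set on inherited entries

NAMED_BITS = {
    "FILE_READ_DATA": FILE_READ_DATA, "FILE_WRITE_DATA": FILE_WRITE_DATA,
    "DELETE": DELETE, "READ_CONTROL": READ_CONTROL,
    "WRITE_DAC": WRITE_DAC, "WRITE_OWNER": WRITE_OWNER,
}


@dataclass(frozen=True)
class Ace:
    trustee: str
    ace_type: str          # "allow" or "deny"
    mask: int
    flags: int = 0

    @property
    def inherited(self) -> bool:
        return bool(self.flags & INHERITED_ACE)


# Operators as named in the notes; "exc" (does not include) is an assumption.
OPERATORS: Dict[str, Callable[[int, int], bool]] = {
    "eq":  lambda mask, want: mask == want,
    "ne":  lambda mask, want: mask != want,
    "inc": lambda mask, want: mask & want == want,   # every requested bit is set
    "exc": lambda mask, want: mask & want != want,   # at least one requested bit is missing
}

# Constructed DACL for a hypothetical share.
SAMPLE_DACL: List[Ace] = [
    Ace("BUILTIN\\Administrators", "allow", FILE_ALL_ACCESS),
    Ace("CORP\\Domain Users", "allow", FILE_GENERIC_READ, INHERITED_ACE),
    Ace("CORP\\Finance", "allow", FILE_GENERIC_READ | FILE_GENERIC_WRITE),
    Ace("CORP\\Temps", "deny", DELETE),
]


def filter_aces(aces: List[Ace], op: str, want: int,
                ace_type: Optional[str] = None,
                inherited: Optional[bool] = None) -> List[Ace]:
    """Return the ACEs whose mask satisfies `op` against `want`.

    `ace_type` ("allow"/"deny") mirrors /t; `inherited` True/False mirrors /i.
    """
    test = OPERATORS[op]
    out = []
    for ace in aces:
        if ace_type is not None and ace.ace_type != ace_type:
            continue
        if inherited is not None and ace.inherited != inherited:
            continue
        if test(ace.mask, want):
            out.append(ace)
    return out


def trustees(aces: List[Ace]) -> List[str]:
    return [a.trustee for a in aces]


def describe_mask(mask: int) -> List[str]:
    """Names of the well-known bits present in `mask` (others are left unnamed)."""
    return [name for name, bit in NAMED_BITS.items() if mask & bit == bit]


if __name__ == "__main__":
    print("can change the DACL:", trustees(filter_aces(SAMPLE_DACL, "inc", WRITE_DAC)))
    print("explicit allow of write:",
          trustees(filter_aces(SAMPLE_DACL, "inc", FILE_WRITE_DATA, "allow", inherited=False)))
    print("lack DELETE:", trustees(filter_aces(SAMPLE_DACL, "exc", DELETE)))
```

The “includes” test is the one a reviewer reaches for most often: asking which ACEs include WRITE_DAC or WRITE_OWNER finds every trustee who can rewrite the permissions, regardless of what else the mask contains, whereas “equals” only finds exact mask matches such as a plain FILE_GENERIC_READ entry.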

Adusergrps

  • Fixed an issue where including and excluding groups via /i and /z was failing when using an input file.
  • Added /n=i to enable a new output format of one group name followed by the user name on each line. This provides another alternative for using the results with adgrpadd or adgrpdel commands. In conjunction with this change /n=d and /n=e have been modified to provide comma delimited and semicolon delimited output respectively with both /n=c (user name then group name on each line) and /n=i (group name then user name on each line).
  • Added /n=q to force the use of double quotes around user and group names.

Adwhodidit

  • Modified to accept a negative field width in a template file. This causes the field to be right justified in the output.
  • Added /o=) to display the path. By default, the path is automatically displayed at the beginning of each line, but it may be useful to display it elsewhere, usually at the end of the line when the maximum path length is unknown. When ‘)’ is included in the value for /o, the path’s inclusion at the beginning of the line is suppressed.
  • Fixed an issue where /$ was ignored for Windows paths.
  • Updated to allow searching a directory structure for directories with a particular name e.g. adwhodidit \\mars\users\www /$ /d=dt will list all directories named www in \\mars\users and its subdirectories.
  • Fixed an issue with the use of wildcards and filtering on directory names when /d=d is used.
  • Fixed an issue where using /d without a value to display details of the path, not its contents was failing for Windows paths of the form P:, P:\ and \\server\share. It worked correctly providing that at least one directory level was appended e.g. p:\users or \\server\share\users.
  • Updated to support Windows paths exceeding 260 characters in length. This required changing to the unicode versions of file system functions.
  • Changed the way in which adwhodidit displays file and directory owners local to a member server. The form server\user is now used, making it clear that the owner is not in Active Directory.
  • Updated to display the file or directory owner’s SID rather than “None” when the SID cannot be translated to an object name.