Release Notes for JRButils for AD v5.0

Changes to Individual Programs

Adaccexp

  • Added /v to display the error level being set and the reason when the account is not expired and not within the designated number of days of expiration. /v=e may also be used to display just the error level. This feature is intended for use in the text mode version but it also works in the GUI version.

Adchrcheck

  • Fixed an issue where it failed to display the file owner via /w when the file name contained extended characters not matching the current code page setting.
  • Modified to permit the allowed or disallowed character sets specified via /a or /b to be given via an input file. This allows the characters to be given in the local code page instead of in the OEM character set on the command line.

Adcreate

  • Fixed an issue where it failed to create the home directory when logged in with administrator rights, but no rights were held to the parent directory. This has been overcome by invoking restore privilege.
  • Added the ability to specify via /q, a container in which to create objects. This allows new object names to be specified without each including the container information.

Adfsrights

  • Resolved the issue requiring the use of a separate DLL for evaluation of the rights.
  • Fixed an issue where an application error could result if the second parameter was omitted.
  • Updated to support omission of the path parameter when the first parameter represents users, inetOrgPersons or groups whose members are to be processed. In this case, the home directory of each object is used.
  • Updated to display "[None]" when there are no effective rights.

Adfsupdate

  • Modified the mirroring code so that files and directories flagged SH (system + hidden) in the target path are not deleted. This prevents the removal of system entries, particularly at a volume root.
  • Fixed an issue where adfsupdate could fail to truncate a file to the copied length when replacing the file with a shorter one.
  • Fixed an issue with updating files using /u=n from a NetWare to a Windows drive or from Windows to Windows. If the file in the target directory had a modification date/time one second later than the source, it was not replaced. The issue arose because NetWare APIs return dates in packed DOS format which stores only an even number of seconds, and Windows file dates were converted to the same format for comparison. The comparison is now done in seconds since 1 January 1970 which retains the exact value for Windows dates. Note that if updating from Windows to NetWare when the Windows modification time has an odd number of seconds, the file will be copied on every occasion because the exact modification date cannot be set on the target file.
  • Added the ability to filter on file attributes via /i, allowing, for example, only files flagged R to be copied.

Adgetrest

  • Fixed an issue where it rejected inetOrgPerson as a value for /o when more than the first four letters were given.
  • Fixed an issue where /u (display object names only) was ignored.
  • Fixed an issue where listing users with no password expiration date (e.g. adgetrest c* ped = none), did not include users whose passwords were set to never expire when the user had a non-zero value in the pwdLastSet attribute.
  • Fixed a cosmetic issue with the column alignment for values when either the object name, or object name and display name exceeded the 45 character field width.
  • Fixed an anomaly when displaying account expiration dates where it reported a date one day later than "Active Directory Computers and Users" (ADUC). This is strictly correct: the date is set to the following day, resulting in the account expiring in the last second of the specified day. Adgetrest now gives a date consistent with ADUC rather than what is actually stored in the attribute. However, when the value contains a time component, the exact date and time are reported, whereas ADUC will still report the previous day.

Adgetval

  • Modified to display the samAccountType in both decimal and hexadecimal because the value is actually a combination of bit values.
  • Modified to not display "none" when there is no lastLogon value. This is now consistent with the display of other date values.
  • Fixed an issue where /l=separator was not writing the dashed line to the log file.
  • Fixed an issue where it did not display values for the whenChanged and lastLogon attributes for computer objects.
  • Modified so that if a value is given for /f to filter on the values of a particular attribute, and no value is given for /a to indicate the attributes to display, then the attribute given via /f is displayed.
  • Added the ability to display the primary group name in addition to the group's RID.
  • Modified to allow pseudo attribute names such as accountDisabled to be used with computers, inetOrgPersons and contacts. Note that not all pseudo attributes are applicable to all of these classes.
  • Fixed an issue where sorting on some fields e.g. modification date was not working.
  • Fixed an issue when sorting on password expiration date where, although the dates themselves were sorted correctly, the results displayed as "Change next Logon" and "Never" were not sorted because both had been assigned a numeric value of zero.

Adgrpadd

  • Fixed an issue where it failed to add all objects to a group when multiple objects of different classes were named on the command line.
  • Added /b to allow the group to be set as the primary group for each member processed. Note that while the user must be made a member of the group before it can be set as the primary, the act of setting it as the primary results in conventional membership of the group being removed. Similarly, Active Directory makes the user a conventional member of the old primary group when the new value is set. /b=r can be used to remove membership from the old primary group, after the new primary group is set.
  • Updated to support adding members from a trusted domain.
  • Updated to support adding well known objects as members.

Adgrpdel

  • Fixed an issue where it failed to remove all objects from a group when multiple objects of different classes were named on the command line.
  • Modified the error given when an attempt is made to remove a user's membership from their primary group. When a group is set as the primary, Active Directory removes the user's conventional membership. Consequently, adgrpadd could report adding membership, then adgrpdel would report "No such member". Adgrpdel now states it cannot remove membership because the group is the user's primary group.
  • Updated to support removing members from a trusted domain.
  • Updated to support removing well known objects as members.

Adgrplist

  • Modified so that when /t (totals only) and /m (alternative format) are used together, then each line of output comprises a group name and the number of members separated by a semicolon e.g. "comp101;27".
  • Added the ability to sort by the number of members when using /m and /t.
  • Modified to use a semicolon instead of a comma as the separator between items in the line when /m (alternative format) is used.
  • Added the ability to sort members by display name.
  • Fixed an issue where sorting was ignored when using an expression.
  • Updated to convert names for well known objects from the form CN=S-1-5-11,CN=ForeignSecurityPrincipals to NT format e.g. "NT AUTHORITY\Authenticated Users". Such members are found, for example, in CN=Users,CN=Builtin.
  • Made a similar change to the above for members existing in a foreign domain. The name is converted from the SID format to the actual name in the foreign domain, allowing use of all the options for /y to display the name as required.
  • Added /b to suppress conversion of member names from the form CN=SID,CN=ForeignSecurityPrincipals.

Adgrpmemb

  • Added /x to allow a command to be specified, which is executed when the user is a member of the group.
  • Added support for checking membership for objects in trusted domains.
  • Added support for checking the membership of well known objects.

Adhome

  • Modified to report why it is unable to change the current drive when running a 32 bit version on 64 bit Windows. For the change to persist after program exit, the environment of the parent cmd.exe must be modified. A 32 bit process cannot modify the environment of a 64 bit process, and the attempt previously failed with an "access denied" error. Use the 64 bit version on 64 bit Windows.

Adimport

  • Added control statement "Line separator" for use with streetAddress attributes to allow multi-line values to be imported and exported.
  • Added the control statement "Require unique cn" to disallow object creation when another object with the same CN exists in a different container.
  • Fixed an issue which could result in an application error when retrieving object classes from the schema.
  • Fixed an issue where it could generate the same sequence of random passwords if run multiple times within the same second. The issue arose because the seed for the random number generator was the current time in seconds.
  • Added control statement "Profile path name" to control whether the CN, samAccountName or user login ID is used for the lowest level of the profile path. This functions similarly to control statement "Home directory name".
  • Fixed an issue where setting directory quotas could fail when the user's home directory path contained a DNS host name. Adimport was failing to recognise that the DNS name represented the local host.
  • Fixed an issue where it would set ownership of the home directory when no other home directory related tasks were undertaken.
  • Added a "Template cn" control statement, allowing a template common name to be specified. Adimport will attempt to locate a template with that name in the container in which each user is being created or modified. This is an alternative to the "Template" control statement which names a template object to be used for all users, regardless of container.
  • Modified adimport so that control statement "Delete on name mismatch" applies to deleting the profile path as well as the home directory.
  • Modified adimport so that control statement "Delete on owner mismatch" applies to deleting the profile path as well as the home directory.
  • Fixed a cosmetic issue where two error messages occurred when deleting users for which the homeDirectory attribute was set but the actual home directory path did not exist.
  • Modified to allow substitution identifiers %cn% and %samAccountName% to be used for the mailNickname attribute.
  • Fixed an issue where a value for "Second home directory name" was ignored when deleting a second home directory. The common name was always used for the lowest level of the path.
  • Added control statements "Delete second home directory contents only" and "Delete profile path contents only" to allow these directories to be emptied without deleting the directory itself. This provides consistency with the "Delete home directory contents" control statement.
  • Added new field "Primary group name" allowing the primary group to be modified. This can also be done by specifying a value for attribute primaryGroupID but (a) the user must already be a member of the group, and (b) the group's RID must be given as the value.
  • Added control statement "Move to" allowing objects to be moved to a different container.
  • Fixed an issue where control statement "Group membership remove" worked correctly only for a value of "*" meaning all groups.
  • Added control statement "Require sam name equals cn" which can be used to prevent adimport creating a unique samAccountName by adding digits when the CN is already used as a samAccountName for another user.
  • Modified so that when /v (verbose mode) is not used, it always reports the name of the object being processed. When using two passes, the names are given in both passes, so that progress can be monitored.

Adjrbpass

  • Fixed an issue where there could be a delay of 10 seconds or more before the window appeared when running on a machine with the NetWare client installed, but no connection to a NetWare server existed.
  • Updated to state the password has been set rather than changed when set by an administrator, i.e. the old password was not required for the change.
  • Updated to give an accurate error message when a password change using the old password fails because the account is disabled. Active Directory returns an error indicating that the old password is invalid. Adjrbpass now checks the account status when this error is returned and changes the error message if appropriate.
  • Modified to search the userPrincipalName attribute for matching users when the name entered includes '@'.
  • Fixed an inconsistency where the user's display name was not displayed in some circumstances after object verification.

Adlist

  • Modified to not retrieve all object classes from the schema when common object class names (e.g. user or group) are given in full via /o. This avoids a small but noticeable delay when the program starts running.
  • Added checks that the type (e.g. CN=) is appropriate for the object class given via /o. This is intended primarily to cover a common mistake of using CN= instead of OU= for organizational units.
  • Modified /f to allow a separator character to be specified. This allows an input file containing multiple fields per line to be used, provided that the first field contains an object name. This might be useful, for example, to check which objects already exist in an adimport data file.
  • Fixed an issue where using /+ also resulted in /a being set.
  • Added the ability to search for objects by samAccountName and by user logon name (or user ID) which is the portion of the userPrincipalName preceding the '@' symbol.
  • Added the ability to display the samAccountName, user logon name (or user ID), user principal name, display name and object class. Any number of fields can be displayed in any order, and may be in columnar or delimited format.
  • Added the ability to sort the results on user logon name, samAccountName, user principal name or display name.
  • Fixed an issue where /g=d displayed all groups instead of only distribution groups. /g=s was working correctly.
  • Fixed an issue where adlist reported an error when /o=group was used and a value was also given for /g.

Adlookup

  • Fixed an issue where any starting container given via /c was ignored.

Admove

  • Fixed an issue where it would not move computer objects, stating that they were container objects, which, although true, does not prevent their being moved to a different container.

Admovedir

  • Fixed an issue introduced when changing to wide paths where a move could fail.
  • Fixed an issue where it was returning an error level of 0 instead of 1 when a move failed.

Admovehome

  • Fixed an issue where it did not give a reason for the failure when it was unable to create the new home directory.
  • Modified to allow an input file to contain both object names and the path to which the home directory is to be moved, one pair per line.

Adpwdexp

  • Fixed an issue where it failed to use the maximum password age from a password settings object if applicable, due to a single character mistake.

Adrename

  • Modified to check for wildcards in the object name when /c is not used and to report the error. Previously, the resulting error did not indicate the cause of the problem. Wildcards in an object name are allowed only when changing the case of names.

Adsethome

  • Added option /r=z to allow removal of any ACEs granting permissions to the home directory. This may be useful when users have resigned but their account is being retained in the interim.
  • Fixed an issue when creating a second home directory via /m=a where adsethome could produce an error indicating /w should be used to rename the existing home directory.
  • Fixed an issue where it failed to create the home directory when logged in with administrator rights, but no rights were held to the parent directory. This has been overcome by invoking restore privilege.
  • Added /t to allow any user to be granted permissions to each user's home directory. The value for /t is an object name followed by a colon then the permissions to be granted. This option may also be used to remove permissions previously granted.

Adsetpwd

  • Fixed an issue where, if run multiple times (e.g. in a batch file) within the same second to produce random passwords, the same passwords were generated on each run. The problem arose because the seed for the random number generator was the current time in seconds.
  • Fixed an issue where value 'd' (do not set) for /g (generate random passwords) was ignored.
  • Updated to determine whether password reset rights are held for each target, when the old password is not supplied. Previously, when this right was not held, adsetpwd gave an "access denied" error after a delay of several seconds.
  • Added /o to specify the object class allowing wildcards to be used for computers, inetOrgPersons and groups.
  • Added an option to display the passwords being set or verified when reporting the results. The default is to report success or failure for each object but not to report the password used. This may be useful when reading passwords from a file or generating random passwords.
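The seeding defect fixed in adimport and adsetpwd above is a general one, and the following added example (not JRButils code; the character set is constructed for the demonstration) reproduces it side by side with the corrected approach. A deterministic generator seeded with the clock in whole seconds yields identical batches for every run within the same second, and only 86,400 distinct seeds per day in any case, so the passwords are recoverable by anyone who knows roughly when the batch ran. Drawing from the operating system's cryptographic generator (Python's secrets module here) removes the seed entirely.

```python
import random
import secrets
import string
import time

# Constructed alphabet for the demonstration; the real utilities' character set is not stated.
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@"


def passwords_seeded_by_second(count, length, now=None):
    """Reproduce the defect: a deterministic PRNG seeded with the current time in
    whole seconds. Every run that starts within the same second gets the same
    seed and therefore emits the same passwords. 'now' lets a caller pin the clock."""
    seed = int(time.time() if now is None else now)
    rng = random.Random(seed)
    return ["".join(rng.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


def passwords_from_csprng(count, length):
    """Corrected approach: draw from the OS cryptographic RNG. There is no seed to
    collide on, and the output is not predictable from when the batch file ran."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


def runs_collide(generator, runs=2, **kwargs):
    """True when any two of `runs` consecutive invocations produced identical batches,
    which is the symptom the release notes describe for batch-file use."""
    batches = [tuple(generator(**kwargs)) for _ in range(runs)]
    return len(set(batches)) < len(batches)


if __name__ == "__main__":
    clock = 1_700_000_000  # constructed fixed clock value standing in for "same second"
    print("seeded by second, two runs collide:",
          runs_collide(passwords_seeded_by_second, count=2, length=12, now=clock))
    print("csprng, two runs collide:",
          runs_collide(passwords_from_csprng, count=2, length=12))
```

Note that moving the seed to a finer clock (milliseconds) would only narrow the collision window; the random module's generator is not designed to resist prediction regardless of seed, which is why the corrected version uses secrets rather than a better seed.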

Adsetrest

  • Fixed an issue where it rejected inetOrgPerson as a value for /o when more than the first four letters were given.
  • Fixed an anomaly when setting account expiration dates where it reported setting the date to the following day. This is strictly correct: the date is set to the following day, as per "Active Directory Computers and Users" (ADUC), resulting in the account expiring in the last second of the named day. Adsetrest now reports the expected result rather than what was actually set, which is consistent with ADUC. When a time component is given, the exact value is set and reported as being set.
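The one-day discrepancy described for adgetrest and adsetrest comes from how the accountExpires attribute is stored: a count of 100-nanosecond intervals since 1 January 1601 (FILETIME), with an "end of day" expiry written as midnight at the start of the following day. The added example below (not JRButils code) performs that conversion both ways and shows the two readings the notes distinguish, the stored value and the expected result. It assumes UTC throughout; ADUC uses the local time zone of the machine setting the value, so real stored values are shifted by the zone offset.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)
# Both of these values mean "account never expires" in Active Directory.
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)


def datetime_to_filetime(dt):
    """Aware datetime -> 100-nanosecond intervals since 1601-01-01 UTC."""
    delta = dt.astimezone(UTC) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_to_datetime(value):
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def expires_end_of(year, month, day):
    """Value stored for 'End of: <day>': midnight at the start of the following day,
    so the account keeps working through the last second of <day>. UTC assumed."""
    start_of_day = datetime(year, month, day, tzinfo=UTC)
    return datetime_to_filetime(start_of_day + timedelta(days=1))


def expires_at(year, month, day, hour, minute, second=0):
    """An explicit date and time is stored exactly as given. UTC assumed."""
    return datetime_to_filetime(datetime(year, month, day, hour, minute, second, tzinfo=UTC))


def stored_value_text(value):
    """What is literally in the attribute (the reading adgetrest used to give)."""
    if value in NEVER_EXPIRES:
        return "Never"
    return filetime_to_datetime(value).strftime("%Y-%m-%d %H:%M:%S")


def expected_result_text(value):
    """The reading an administrator expects: a value at exactly midnight is reported
    as the previous day, the last day the account is usable; a value carrying a time
    component is reported exactly as stored."""
    if value in NEVER_EXPIRES:
        return "Never"
    dt = filetime_to_datetime(value)
    if (dt.hour, dt.minute, dt.second, dt.microsecond) == (0, 0, 0, 0):
        return (dt - timedelta(days=1)).strftime("%Y-%m-%d")
    return dt.strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    v = expires_end_of(2024, 3, 5)  # constructed sample date
    print("stored:  ", stored_value_text(v))      # 2024-03-06 00:00:00
    print("expected:", expected_result_text(v))   # 2024-03-05
    w = expires_at(2024, 3, 5, 17, 30)
    print("with time component:", expected_result_text(w))
```

When auditing expiry dates from a raw LDAP dump rather than through ADUC, apply the midnight rule in expected_result_text before comparing against HR leaving dates, or every "end of day" expiry will appear to be one day late.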

Adsettrust

  • Modified to ignore NP (no propagation) if specified while removing ACEs. While this flag is used to control inheritance when adding an ACE, the value representing NP is not placed in the ACE flags.
  • Made minor changes to fix some problems matching ACEs when deleting them.
  • Fixed an issue where under some circumstances an application error could occur when removing ACEs.
  • Fixed an issue where it could report that it was unable to set an inherited ACE when processing a file of adsettrust commands, and no value had been specified for inheritance.
  • Modified to allow /r (remove ACEs) to be used without an object name being given. This can be used to remove all inherited or non-inherited ACEs from a DACL as per the icacls /reset option.
  • Made changes to the values for /d to give greater flexibility as to how the named path and/or its contents are processed.
  • Fixed an issue where it failed to set permissions for parent directories after setting the designated rights to the named directory. If the command was repeated, i.e. the permissions already existed, the parent directories were processed correctly.
  • Updated to allow a value for /h specifying the maximum number of parent directories to process e.g. /h=2.
  • Added /u to allow removal of ACEs containing orphaned SIDs i.e. the corresponding object has been deleted, but the SID remains within file system DACLs or SACLs. ACEs containing orphaned SIDs can be identified via adtrstlist. When /u is used, adsettrust checks only that the form of the SID is correct.

Adspace

  • Modified to run without the machine being in a domain when a path instead of an object name is given on the command line.

Adtrstlist

  • Fixed an issue where using /w to display the owner or group failed unless these fields were also selected via /v.
  • Fixed an issue where adtrstlist could fail to read the security descriptor when logged in as administrator, despite invoking SE_BACKUP_NAME privilege. This occurred when administrator had no rights to the directory or file.
  • Added /u for use when <entity> is a path to allow displaying only those ACEs for which the SID cannot be resolved to an object name.

Adusergrps

  • Fixed an issue where, for contacts, it did not display the groups belonged to.
  • Added /n=m to suppress the display of groups belonged to. This might be useful when using an input file with /i and /g to produce a sub list of users belonging to a particular group.
  • Modified /d=s to not suppress the primary group which must be a security group. This allows /d=dsn to display just the primary group for each user.

Adwhodidit

  • Fixed an issue where column headings were displayed when using /t to display totals only.
  • Fixed an issue where file times (creation, modification and last accessed) were not displayed 100% accurately. Odd values for minutes and seconds were rounded down to the next lower even number. The issue with seconds was due to the use of the packed DOS date and time format internally. This is still true for times from NetWare servers because the APIs return the values using packed DOS date and time format.
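Both the adfsupdate comparison fix and the adwhodidit time display issue above come down to the packed DOS date and time format, which reserves only five bits for seconds and so stores them in steps of two (minutes get six bits and are stored exactly, so the odd-minute rounding was a separate defect). The added example below (not JRButils code) encodes timestamps into the two packed words, shows that two times one second apart collapse to the same value while a comparison in seconds since 1 January 1970 keeps them apart, and simulates the repeated-copy effect the notes describe when an odd-second Windows time cannot be set exactly on a NetWare target. It assumes an update rule of "copy when the source is newer than the target" and that the target's time is set from the source after each copy.

```python
from datetime import datetime, timezone

UTC = timezone.utc


def make_time(year, month, day, hour, minute, second):
    """Build a UTC timestamp; lets callers avoid importing datetime themselves."""
    return datetime(year, month, day, hour, minute, second, tzinfo=UTC)


def to_dos_packed(dt):
    """Encode as the two 16-bit words of the packed DOS format.
    date word: bits 15..9 year-1980, 8..5 month, 4..0 day
    time word: bits 15..11 hour, 10..5 minute, 4..0 second/2
    Five bits hold 0..29, so seconds are kept in steps of two and an odd
    second is truncated to the even second below it."""
    if not 1980 <= dt.year <= 2107:
        raise ValueError("packed DOS dates cover 1980-2107 only")
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_word, time_word


def from_dos_packed(date_word, time_word):
    return make_time(1980 + (date_word >> 9), (date_word >> 5) & 0xF, date_word & 0x1F,
                     time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)


def dos_round_trip(dt):
    """What a timestamp looks like after being stored in packed DOS format."""
    return from_dos_packed(*to_dos_packed(dt))


def newer_packed(a, b):
    """Old comparison: both sides reduced to packed words first, so a one-second
    difference can vanish."""
    return to_dos_packed(a) > to_dos_packed(b)


def newer_epoch(a, b):
    """New comparison: whole seconds since 1 January 1970, exact for Windows times."""
    return int(a.timestamp()) > int(b.timestamp())


def copies_over_passes(source_time, target_keeps_odd_seconds, passes=3):
    """Simulate repeated update-if-newer passes over one file (assumed update rule).
    After a copy the target's time is set from the source, but a target that only
    stores even seconds keeps the truncated value, so an odd-second source is judged
    newer on every pass and copied every time."""
    target_time = None
    copies = 0
    for _ in range(passes):
        if target_time is None or newer_epoch(source_time, target_time):
            copies += 1
            target_time = source_time if target_keeps_odd_seconds else dos_round_trip(source_time)
    return copies


if __name__ == "__main__":
    odd = make_time(2024, 3, 5, 12, 0, 1)   # constructed sample times
    even = make_time(2024, 3, 5, 12, 0, 0)
    print("after packed storage:", dos_round_trip(odd).isoformat())
    print("packed says odd newer than even:", newer_packed(odd, even))
    print("epoch says odd newer than even:", newer_epoch(odd, even))
    print("copies, Windows target:", copies_over_passes(odd, target_keeps_odd_seconds=True))
    print("copies, NetWare target:", copies_over_passes(odd, target_keeps_odd_seconds=False))
```

The practical consequence for anyone comparing timestamps across file systems of differing precision is to compare at the coarser precision only when both sides were actually stored at it, and otherwise to keep the exact value as adfsupdate now does.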