August 2007 Entries

Cry Laughing


A friend of mine recently reminded me of the Inexperienced Chili Taster story.  He told me that his wife read it, and loved it.  I told him that I literally cried the first time I read it.  So did she, he said.

posted @ Friday, August 31, 2007 8:23 PM | Feedback (0) |


NetCmdlets Cheat Sheet (PowerShell)


Last winter, Ben Pearce put together a little PowerShell Cheat Sheet.  I printed it out and I keep it handy at my desk.  It occurred to me that a NetCmdlets cheat sheet would be useful too, so I borrowed Ben's style and did just that.

NetCmdlets Cheat Sheet - .docx
NetCmdlets Cheat Sheet - .doc

If you see something missing or if there are mistakes, let me know and I will update here.

 


posted @ Friday, August 31, 2007 6:09 PM | Feedback (0) |


LDAP PowerShell User Account Control


The userAccountControl attribute is used to control the access of a user account.  This value can be set to the bitwise OR of a set of flag values, documented here:

 

Property flag                     Value in hexadecimal   Value in decimal
SCRIPT                            0x0001                 1
ACCOUNTDISABLE                    0x0002                 2
HOMEDIR_REQUIRED                  0x0008                 8
LOCKOUT                           0x0010                 16
PASSWD_NOTREQD                    0x0020                 32
PASSWD_CANT_CHANGE                0x0040                 64
ENCRYPTED_TEXT_PWD_ALLOWED        0x0080                 128
TEMP_DUPLICATE_ACCOUNT            0x0100                 256
NORMAL_ACCOUNT                    0x0200                 512
INTERDOMAIN_TRUST_ACCOUNT         0x0800                 2048
WORKSTATION_TRUST_ACCOUNT         0x1000                 4096
SERVER_TRUST_ACCOUNT              0x2000                 8192
DONT_EXPIRE_PASSWORD              0x10000                65536
MNS_LOGON_ACCOUNT                 0x20000                131072
SMARTCARD_REQUIRED                0x40000                262144
TRUSTED_FOR_DELEGATION            0x80000                524288
NOT_DELEGATED                     0x100000               1048576
USE_DES_KEY_ONLY                  0x200000               2097152
DONT_REQ_PREAUTH                  0x400000               4194304
PASSWORD_EXPIRED                  0x800000               8388608
TRUSTED_TO_AUTH_FOR_DELEGATION    0x1000000              16777216

Note on PASSWD_CANT_CHANGE: You cannot assign this permission by directly modifying the UserAccountControl attribute. For information about how to set the permission programmatically, see the "Property flag descriptions" section.

So the value of the userAccountControl attribute can be described in PowerShell as the -bor (binary or) of these flags.  A user with the "NORMAL_ACCOUNT" and "DONT_EXPIRE_PASSWORD" flags set would be expressed in PowerShell as 512 -bor 65536 (which equals 66048).

So to make a user account a normal account with a non-expiring password in PowerShell, you can use NetCmdlets set-ldap like so:

 

PS C:\> set-ldap -server testboy -cred $mycred -dn "CN=Lance Robinson,CN=Users,DC=JUNGLE" 
-attrtype userAccountControl -attrvalue "66048" -replaceattribute

Host : testboy
DN : CN=Lance Robinson,CN=Users,DC=JUNGLE
Successful : True
Type : userAccountControl
Value : 66048

PS C:\>

 

To disable an account, just -bor 2 with whatever the existing value already is.

posted @ Wednesday, August 22, 2007 1:22 PM | Feedback (0) |


Adam Bell's PowerShell Toolbox


Adam's list of PowerShell tools.

posted @ Tuesday, August 21, 2007 4:10 PM | Feedback (0) |


Retrieve Remote MAC Address in PowerShell


Shay Levi played off my mac address retrieval code yesterday and shared his own PowerShell script to retrieve a mac address.  Here's another PowerShell script to retrieve a mac address using get-snmp from NetCmdlets:

## Retrieves the MAC address of an snmp-enabled device
## Returns a hex string that is the MAC address
##
## usage: get-mac [-agent] <string>
##

param( [string] $agent = "10.0.1.11" )

#a function to convert an octet string into an array of two-digit hex strings
function get-hex($octetstring) {
    $len = $octetstring.length
    $hex = @()
    for ($j=0; $j -lt $len; $j++)
    {
        #X2 pads each byte to two digits, so 0x04 prints as "04" rather than "4"
        $b = "{0:X2}" -f ([int]$octetstring[$j])
        $hex = $hex + $b
    }
    return $hex
}

#get the number of network interfaces on the agent device:
$numifs = (get-snmp -agent $agent -oid 1.3.6.1.2.1.2.1.0).OIDValue

#for each interface, get the mac address (query the agent passed in, not a fixed IP):
for ($i=1; $i -le $numifs; $i++)
{
    $str = (get-snmp -agent $agent -oid 1.3.6.1.2.1.2.2.1.6.$i).OIDValue
    write-host "Interface $i MAC Address: " (get-hex $str)
}

By the way, the get-hex function in the above script was adapted from The Scripting Games' ABCs and 123s, which doesn't actually appear to work - but did teach me about the -f formatter.

posted @ Tuesday, August 21, 2007 9:52 AM | Feedback (0) |


How to Retrieve Remote MAC Address Programmatically


The question often comes up, how do you find out the MAC address of a remote machine, given its IP address?  There are a few ways to do it, but here are two:

  1. The first way is to use SNMP.  Use whatever SNMP library you like, or create your own.  Here are the steps you'll need to take, as well as an example showing how to implement these steps using IP*Works! or IPWorks Secure SNMP.

    • Get the number of interfaces on the device (ifEntryNum - 1.3.6.1.2.1.2.1)
    • For each interface, get the MAC address (ifPhysAddress - 1.3.6.1.2.1.2.2.1.6).  You can also determine a lot of other information about the interface (the ifEntry table has several children) including the type of the device  (ifEntryType - 1.3.6.1.2.1.2.2.1.3).

    Example:

    snmpmgr1.Timeout = 10;
    snmpmgr1.RemoteHost = "10.0.1.11";

    snmpmgr1.ObjCount = 1;
    snmpmgr1.ObjId[1] = "1.3.6.1.2.1.2.1"; //ifEntryNum
    snmpmgr1.SendGetNextRequest();
    int ifindex = Convert.ToInt32(snmpmgr1.ObjValue[1]);
    textBox1.AppendText("Number of interfaces: " + snmpmgr1.ObjValue[1] + "\r\n");

    snmpmgr1.ObjCount = 2;
    snmpmgr1.ObjId[1] = "1.3.6.1.2.1.2.2.1.3";
    //ifEntryType, this is "6" for an ethernet adapter, "24" for loopback interface
    //For a full list see rfc 1573
    snmpmgr1.ObjId[2] = "1.3.6.1.2.1.2.2.1.6"; //ifPhysAddress
    for (int i = 1; i <= ifindex; i++)
    {
        snmpmgr1.SendGetNextRequest();
        textBox1.AppendText(i.ToString() + ". Type " + snmpmgr1.ObjValue[1]);
        string hexval = "";
        for (int j = 0; j < snmpmgr1.ObjValueB[2].Length; j++)
        {
            //X2 pads each byte to two hex digits
            hexval = hexval + snmpmgr1.ObjValueB[2][j].ToString("X2") + " ";
        }
        textBox1.AppendText(", MAC address: " + hexval + "\r\n");
    }
  2. The second way requires the use of the IPWorks IPInfo component, which has a GetMAC method.  This method takes an IP address as its argument and returns a string, which is the MAC address of the device at the remote IP.  Example:
    string macaddress = IPInfo1.GetMAC("10.0.1.11");
    //macaddress will now contain a string of the form "00-04-00-d7-90-d8"

posted @ Monday, August 20, 2007 5:26 PM | Feedback (6) |


XKCD today just made me choke on my water


posted @ Thursday, August 16, 2007 11:59 AM | Feedback (0) |


LDAP PowerShell - Search for Disabled User Accounts


 

PS C:\> get-ldap -server testboy -cred $mycred -dn dc=JUNGLE -searchscope wholesubtree 
-search "(&(objectclass=user)(objectclass=person)(company=*)(userAccountControl:1.2.840.113556.1.4.803:=2))"

 

Again, there's no need for dozens of LDAP cmdlets.  The two LDAP cmdlets included in NetCmdlets, get-ldap and set-ldap, are all you need for most tasks.  The above command shows how you would search for disabled user accounts with the get-ldap cmdlet.
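The flag arithmetic from the userAccountControl post and the bitwise-AND search filter used above, as an added PowerShell example that is not from the original posts or from NetCmdlets. The function names and the sample account values are hypothetical; the script only does the arithmetic and builds filter strings, and does not call set-ldap or get-ldap.

```powershell
# Added example. Flag values are copied from the userAccountControl table in the earlier post.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    MNS_LOGON_ACCOUNT              = 0x20000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

# Combine flag names into one bit mask; reject names that are not in the table.
function Get-UacMask([string[]]$Flag) {
    $mask = 0
    foreach ($f in $Flag) {
        if (-not $UacFlags.Contains($f)) { throw "Unknown userAccountControl flag: $f" }
        $mask = $mask -bor $UacFlags[$f]
    }
    $mask
}

# Decode a userAccountControl value into flag names; bits outside the table are reported too.
function ConvertFrom-Uac([int]$Value) {
    $names = @($UacFlags.Keys | Where-Object { $Value -band $UacFlags[$_] })
    $unknown = $Value -band (-bnot (Get-UacMask @($UacFlags.Keys)))
    if ($unknown) { $names += 'UNKNOWN_0x{0:X}' -f $unknown }
    $names
}

# Setting a flag is -bor with its mask; clearing is -band with the inverted mask.
function Add-UacFlag([int]$Value, [string[]]$Flag)    { $Value -bor (Get-UacMask $Flag) }
function Remove-UacFlag([int]$Value, [string[]]$Flag) { $Value -band (-bnot (Get-UacMask $Flag)) }

# LDAP filter that matches user entries with every listed flag set.
# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule used in the search above.
function New-UacFilter([string[]]$Flag) {
    '(&(objectclass=user)(objectclass=person)(userAccountControl:1.2.840.113556.1.4.803:={0}))' -f (Get-UacMask $Flag)
}

# Constructed sample values (not from a real directory).
$accounts = [ordered]@{
    'CN=Sample One'   = 512 -bor 65536             # the 66048 example from the post
    'CN=Sample Two'   = 514                        # normal account, disabled
    'CN=Sample Three' = 512 -bor 32 -bor 4194304   # PASSWD_NOTREQD and DONT_REQ_PREAUTH set
}
foreach ($dn in $accounts.Keys) {
    '{0,-16} {1,8}  {2}' -f $dn, $accounts[$dn], ((ConvertFrom-Uac $accounts[$dn]) -join ', ')
}

$current  = $accounts['CN=Sample One']
$disabled = Add-UacFlag -Value $current -Flag ACCOUNTDISABLE
$enabled  = Remove-UacFlag -Value $disabled -Flag ACCOUNTDISABLE
"disable: $current -> $disabled; re-enable: $disabled -> $enabled"

# $disabled is the number that would go in set-ldap's -attrvalue with -replaceattribute.
New-UacFilter -Flag ACCOUNTDISABLE
New-UacFilter -Flag NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
```

Decoding the current value before writing a new one shows which other flags a -replaceattribute call would overwrite.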

posted @ Tuesday, August 14, 2007 10:51 AM | Feedback (0) |


Synching My Blog with Twitter


Continuing on with RSSBus scripts showing how to pipe Google Calendar to Twitter and Flickr to Twitter, here's my last Twitter RSBScript.  Here's a script to pipe any existing RSS feed to Twitter.  I wanted to sync my blog with my twitter, so now every time I post a new blog entry, it will be added to my Twitter status.  Here's the url:

http://www.textbox1.com/apps/twitterminder/blog_to_twitter.rsb?
     blog_url=http%3A%2F%2Ffeeds.feedburner.com%2FTextBoxOne
     &twitter_password=mypassword
     &twitter_user=mytwittername.


Of course you'll need to replace the querystring arguments blog_url, twitter_user, and twitter_password with your own values.

Here's what the actual script looks like, if you'd rather run it on your own server:

 

<rsb:info strict="true" title="Blog2Twitter" description="If new blog posts exist, they are tweeted.  Feed items are the Twitter responses.">
  <input name="blog_url" req="true" />
  <input name="twitter_user" req="true" />
  <input name="twitter_password" req="true" />
</rsb:info>

<rsb:call op="feedGet?feed=[blog_url | urlencode]" diff="blog2twitter-[twitter_user].xml">
  <!-- set the twitter text to the blog post title -->
  <rsb:set attr="twitter.text" value="New blog post: [rss:title]" />

  <!-- generate a tinyurl -->
  <rsb:set attr="twitter.tinyurlapi" value="http://tinyurl.com/api-create.php?url=[rss:link]" />
  <rsb:call op="httpGet?url=[twitter.tinyurlapi]">
    <rsb:set attr="twitter.tinyurl" value="[rss:description]" />
  </rsb:call>

  <!-- append the tinyurl to the twitter text, and update twitter -->
  <rsb:set attr="twitter.status" value="[twitter.text] [twitter.tinyurl]" />
  <rsb:call op="twitterStatusUpdate" in="twitter">
    <rsb:push />
  </rsb:call>
</rsb:call>

 


posted @ Monday, August 13, 2007 3:19 PM | Feedback (0) |


Worst IT Excuses


From Bill Ryan, from unknown:

    1. It works on my machine

    2. It doesn't matter because no one will ever do that

    3. Users like it the way it is

    4. I don't write any bugs

    5. It'll be fixed in the next release

    6. It'll be ready on Monday, we just need to build the setup package

    7. The spam filter ate it

    8. A little more RAM will fix your performance problem

    9. You can't do that because it's a security risk

    10. The database is slow because it's too normalized

I've heard a few of these before.  Also there's:

- It'll be ready on Monday, we just need to test it first.
- It works in Internet Explorer.

posted @ Thursday, August 09, 2007 4:55 PM | Feedback (3) |


Flickr -> Twitter


To illustrate what I mentioned in the previous post about how swapping out one connector for another to achieve a completely different task would be very simple - I did just that.

I noticed that Dave Winer has been working on some sort of Flickr->Twitter app.  I changed about 4 lines of code in the Gcal_to_Twitter RSBScript to make it into Flickr_to_Twitter.  In the updated script, all I did was change the call to gcalSearch to a call to the atom feed of my Flickr photos.  Then I do a quick check on the atom:updated date to see if it is a recent post - if it's less than an hour old, I send the Twitter status update with the name of the photo and a tinyurl to the new picture.  The rest of the code is the same.

In the call to the Flickr photo feed, I set pagesize=1.  I did this because a lot of times when I upload photos, I upload 10 or 20 at once.  I don't want to send out 20 twitter updates if I just uploaded 20 new Flickr photos.

If you want to try this one, you can copy its RSBScript source code and add it to your own RSSBus installation.  Just swap out my Flickr URL for yours.


posted @ Thursday, August 09, 2007 4:52 PM | Feedback (1) |


TwitterMinder - Google Calendar to Twitter


In my last two posts I mentioned my recent introduction to Twitter (after having watched so many people blab about it for the past few months).  So today I went ahead and published my Google Calendar to Twitter RSBScript, and gave it the name TwitterMinder:

TwitterMinder will check your Google Calendar for events that are occurring in the next hour, and if it finds any, they will be automatically submitted to your Twitter account.  RSBScript source code is available.

Now if my desktop agent (Twitterific, Tweet-r, etc.) knew how to automatically POST to TwitterMinder every hour, that would be nice.  I subscribed to TwitterMinder in FeedDemon:  FeedDemon includes my auth info on the querystring, and the rss feed itself returns either successful tweet details or nothing at all.

The coolest thing about TwitterMinder is the source.  If you look at it (available in the "developers" note), it's amazingly simple thanks to the power of the RSSBus Gcal and Twitter connectors.  This source could easily be modified so that instead of connecting Google Calendar to Twitter, I could connect SalesForce.com events to Twitter, or Upcoming.org events to Twitter.

Technical details about TwitterMinder:


posted @ Thursday, August 09, 2007 12:38 PM | Feedback (1) |


Google Calendar to Twitter


A few months ago, Charlie pointed out how it might be useful to have a script that would automatically post Google Calendar events on Twitter.  Then he found someone that had already done it.  Well, at the time I filed a note to do this with RSSBus - but then I got busy and never got to it - until today!  :)

Let me say that I did the RSSBus script first, and then I looked at how the other guy did it (he used a 200 line php script + Yahoo Pipes).  Here's my roughly 20 line RSB script (using the RSSBus Google Calendar connector + the Http connector for Tinyurl + the new Twitter connector):

 

<!-- set some Google Calendar inputs -->
<rsb:set attr="gcal.email" value="lmrobins@gmail.com"/>
<rsb:set attr="gcal.password" value="************"/>
<rsb:set attr="gcal.fromdate" value="[null | now('U')]"/>
<rsb:set attr="gcal.todate" value="[null | now('U') | dateadd('hour', '1')]"/>

<!-- set some Twitter inputs -->
<rsb:set attr="twitter.user" value="lmrobins" />
<rsb:set attr="twitter.password" value="*********"/>

<!-- call the gcalSearch operation to get events in the next 1 hour -->
<rsb:call op="gcalSearch" in="gcal" diff="gcal2twitter.xml">

  <!-- create a twitter status message out of the entry using tinyurl api -->
  <rsb:set attr="twitter.text" value="[rss:title | truncate('100')]" />
  <rsb:set attr="twitter.tinyurlapi" value="http://tinyurl.com/api-create.php?url=[gcal:eventweburl]" />
  <rsb:call op="httpGet?url=[twitter.tinyurlapi]">
    <rsb:set attr="twitter.tinyurl" value="[rss:description]" />
  </rsb:call>
  <rsb:set attr="twitter.status" value="[twitter.text] [twitter.tinyurl]" />    

  <!-- call twitterStatusUpdate to tweet the calendar entry -->
  <rsb:call op="twitterStatusUpdate" in="twitter">
    <rsb:push />
  </rsb:call>

</rsb:call>

 

I ran the script through and my 4:30 Google Calendar entry ("Blogging about TwitterOps") got tweeted successfully!  I'll get this script and TwitterOps uploaded to rssbus.com soon, until then let me know if you want me to send you the TwitterOps dll to plug-in to RSSBus.


posted @ Wednesday, August 08, 2007 4:26 PM | Feedback (2) |


Twittering around


If you are using Twitter, let me know so I can follow you.  Yep, I'm on Twitter now, finally.  I decided to give it a shot and see what all the hoopla is about.  Is it really that great?  We'll see.

While I'm checking it out - I decided to look at its API and look into whether or not I should throw together a Twitter connector for RSSBus.  The API is very compact - simple and to the point.  All simple HTTP get and put.  All of the API methods return data in several formats - it looks like all of the gets return XML, RSS, Atom, or JSON - and it looks like all the puts return XML or JSON.  Nice.

At first I wasn't sure if there was much point in creating a Twitter connector for RSSBus since a lot of the methods are already returnable as RSS feeds and there are already RSSBus connectors for doing HTTP operations with XML data (HttpOps, XmlOps).  RSSBus can already connect to any RSS source, of course (not to mention Atom).  But I decided it's definitely much easier for the user if there is a separate connector - now that the connector is finished I can easily write some scripts to pipe other RSSBus connectors together with this one.

Benefits of the RSSBus Twitter connector:

  • richer RSS feeds
  • RSSBus scripting capabilities so that I can pipe other connected services/applications into twitter - ie, if I wanted to automatically "tweet" all my Google Calendar additions or upcoming.org events, etc.

posted @ Wednesday, August 08, 2007 1:27 PM | Feedback (0) |


SQL Server to Excel


With RSSBus, right out of the box you can run a SQL query on an Excel sheet using the excelQuery operation.

If you create a little RSSBus script, you can also perform queries on SQL Server, Access, or other database sources and pipe the results into Excel:

<!--hard-code some inputs to sqlQuery: -->
<rsb:set item="myinput" attr="query" value="SELECT TOP 20 * FROM Customers" />
<rsb:set item="myinput" attr="conn" value="Data Source=localhost\\SQLEXPRESS;Initial Catalog=Northwind;" />

<!--now call sqlQuery and save the results in _feeds.myquery: -->
<rsb:call op="sqlQuery" in="myinput" save="myquery" />

<!-- now call excelCreateSheet, and pass in the saved feed-->
<rsb:call op="excelCreateSheet?file=C:\\myquery.xls&feed=[_feeds.myquery | urlencode]" />


posted @ Tuesday, August 07, 2007 4:47 PM | Feedback (0) |


Winsock Error 10054


Winsock error 10054 is "Connection reset by peer", or "An existing connection was forcibly closed by the remote host".  The error means exactly what it says - the remote host closed the connection unexpectedly.  This happens when a connection is aborted: instead of the normal TCP disconnection handshake (FIN, FIN-ACK, ACK), a RST (reset) flag is sent.  A reset flag aborts the connection, and can be sent when:

- The device is suddenly stopped, rebooted, or loses its network connection.

- The device uses a "hard close".  With IP*Works! a hard close never occurs unless you specifically set the Linger property (IPPort, IPDaemon) to false.

- A "half-open connection" state occurs.  That is, when one device has not been receiving acknowledgements of the data it has sent, or it receives an acknowledgement for an unrecognized sequence or ack number, it will send a RST flag to reset the connection.  This particular case could have a variety of its own causes, such as a misconfigured proxy/firewall or network quality issues resulting in too many dropped packets.

Related Posts:

Winsock Error 10035
Winsock Error 10053
Winsock Error 10053: Part 2

 


posted @ Tuesday, August 07, 2007 12:18 PM | Feedback (1) |


LDAP - Change Group Membership


In my previous posts about LDAP group membership, I've talked about how to get a list of groups, how to search for a particular group's members, and how to search for what groups a particular user belongs to.  Up next:  how to change group membership.

To add or remove a user from a group, you need to modify the "member" attribute of the group itself.  To do this we'll use the set-ldap cmdlet of NetCmdlets.

Add a user to a group:

To add a user to a group, set the DN parameter of set-ldap to the DN of the group itself.  Then use the -addattribute flag to tell the cmdlet to add the attribute specified by -attrtype and -attrvalue.  -Attrtype in this case will be "member", and -AttrValue will be the DN of the user you want to add to the group.  So to add myself to the Administrators group:

 

PS C:\> set-ldap -server testboy -cred $mycred -dn "CN=Administrators,CN=Builtin,DC=JUNGLE" -attrtype member 
-attrvalue "CN=Lance Robinson,CN=Users,DC=JUNGLE" -addattribute

Host : testboy
DN : CN=Administrators,CN=Builtin,DC=JUNGLE
Successful : True
Type : member
Value : CN=Lance Robinson,CN=Users,DC=JUNGLE

Now that I've been added to the group, if I do another search for all the groups that I am a member of, I'll see "Administrators" in the list now:

PS C:\> get-ldap -server testboy -cred $mycred -dn dc=JUNGLE -searchscope wholesubtree 
-search "(&(member=CN=Lance Robinson,CN=Users,DC=JUNGLE)(objectcategory=group))"

Host DN
---- --
testboy CN=Administrators,CN=Builtin,DC=JUNGLE
testboy CN=Domain Admins,CN=Users,DC=JUNGLE
testboy CN=DnsAdmins,CN=Users,DC=JUNGLE

PS C:\>


Remove a user from a group:

Removing a user from a group is the same process - except instead of using the -addattribute flag of the set-ldap cmdlet, I'll use -deleteattribute:

 

PS C:\> set-ldap -server testboy -cred $mycred -dn "CN=Administrators,CN=Builtin,DC=JUNGLE" -attrtype member 
-attrvalue "CN=Lance Robinson,CN=Users,DC=JUNGLE" -deleteattribute

Host : testboy
DN : CN=Administrators,CN=Builtin,DC=JUNGLE
Successful : True
Type : member
Value : CN=Lance Robinson,CN=Users,DC=JUNGLE

PS C:\>

Now that "CN=Lance Robinson" has been removed from the member attribute of the group itself, I am no longer a member of the Administrators group:

PS C:\> get-ldap -server testboy -cred $mycred -dn dc=JUNGLE -searchscope wholesubtree 
-search "(&(member=CN=Lance Robinson,CN=Users,DC=JUNGLE)(objectcategory=group))"

Host DN
---- --
testboy CN=Domain Admins,CN=Users,DC=JUNGLE
testboy CN=DnsAdmins,CN=Users,DC=JUNGLE

PS C:\>

posted @ Monday, August 06, 2007 10:22 AM | Feedback (1) |


LDAP - Search for What Groups a Particular User Belongs to


In the last LDAP series post, I mentioned how to search for the members of a group.  Now the opposite, here's how to search for what groups a particular user is a part of:

To do this search, all I do is form a search filter that is searching for all groups that have a particular member in them.  So really this is a slight alteration of the search for all groups.

PS C:\> get-ldap -server testboy -cred $mycred -dn dc=JUNGLE -searchscope wholesubtree 
-search "(&(member=CN=Lance Robinson,CN=Users,DC=JUNGLE)(objectcategory=group))"

Host DN
---- --
testboy CN=Domain Admins,CN=Users,DC=JUNGLE
testboy CN=DnsAdmins,CN=Users,DC=JUNGLE

PS C:\>


Here I can see that I (CN=Lance Robinson,CN=Users,DC=JUNGLE) am a member of two groups:  Domain Admins and DNS Admins.  That sounds a lot cooler than it actually is since "testboy" is just a test machine.  ;)


posted @ Friday, August 03, 2007 12:51 PM | Feedback (0) |


Amazon Flexible Payments Service


It looks like Amazon has a new web service, FPS - the Amazon Flexible Payments Service.  This one will allow developers to build Amazon payment functionality directly into their applications.  The service looks to be similar to PayPal's ExpressCheckout.

FPS Overview
FPS Technical Docs

posted @ Friday, August 03, 2007 9:19 AM | Feedback (1) |


EDI AS2 Adapter for BizTalk Tutorial


Spencer Brown published a tutorial, "AS2 Adapter for Microsoft BizTalk" that walks through installing the /n software BizTalk Adapters and configuring send and receive ports for the included AS2 adapter.


posted @ Thursday, August 02, 2007 5:12 PM | Feedback (0) |


LDAP - Search for Group Members


More with the ldap cmdlets in NetCmdlets, here's how to list the members of a particular group.

I used the get-ldap command shown in the last post to get a list of all my admin groups, and save it in a $groups collection:

 

PS C:\> $groups = get-ldap -server testboy -cred $mycred -dn dc=JUNGLE -searchscope wholesubtree 
-search "(&(objectclass=group)(cn=*admin*))"

PS C:\> $groups

Host DN
---- --
testboy CN=Administrators,CN=Builtin,DC=JUNGLE
testboy CN=Schema Admins,CN=Users,DC=JUNGLE
testboy CN=Enterprise Admins,CN=Users,DC=JUNGLE
testboy CN=Domain Admins,CN=Users,DC=JUNGLE
testboy CN=DnsAdmins,CN=Users,DC=JUNGLE

PS C:\>

 

Of course if you already know exactly what group you want, you can just hard code that group DN and call the cmdlet.  But I can get all of the members of all of the admin groups by looping through this $groups collection.  Here's how to get all the members of the first group (CN=Administrators):

 

PS C:\> get-ldap -server testboy -cred $mycred -dn $groups[0].DN -searchscope baseobject -search "objectClass=*" 
-attr

objectClass : {top, group}
cn : {Administrators}
description : {Administrators have complete and unrestricted access to the computer/domain}
member : {CN=Domain Admins,CN=Users,DC=JUNGLE, CN=Enterprise Admins,CN=Users,DC=JUNGLE, CN=Administrato
r,CN=Users,DC=JUNGLE}
distinguishedName : {CN=Administrators,CN=Builtin,DC=JUNGLE}
instanceType : {4}
whenCreated : {20070227205517.0Z}
whenChanged : {20070730142747.0Z}
uSNCreated : {8213}
uSNChanged : {46068}
name : {Administrators}
adminCount : {1}
sAMAccountName : {Administrators}
sAMAccountType : {536870912}
systemFlags : {-1946157056}
groupType : {-2147483643}
objectCategory : {CN=Group,CN=Schema,CN=Configuration,DC=JUNGLE}
isCriticalSystemObject : {TRUE, }
Host : testboy
DN : CN=Administrators,CN=Builtin,DC=JUNGLE

PS C:\>

 

 Note the use of the -attr flag in the cmdlet - this is to tell the cmdlet to return all the attributes resulting from the search.  The reason I need to do this here is because all the members of the group will be contained inside the member attribute (or the memberUid or uniqueMember attribute depending on your server). 

If I were to set a $result variable to the result of the command above, I could then examine $result.member to see all the members of the "CN=Administrators" group:

 

PS C:\> $result.member

CN=Domain Admins,CN=Users,DC=JUNGLE
CN=Enterprise Admins,CN=Users,DC=JUNGLE
CN=Administrator,CN=Users,DC=JUNGLE

PS C:\>


posted @ Thursday, August 02, 2007 9:31 AM | Feedback (0) |


LDAP - Search for Active Directory Groups in PowerShell


NetCmdlets doesn't have a long list of Active Directory cmdlets for PowerShell.  Instead, it has 2.  And they aren't AD specific - they just implement the LDAP protocol itself so they can work with any LDAP server, Active Directory or not.

 

Two cmdlets are all that is needed to make common tasks simple.  One for setting values (set-ldap), and one for getting values (get-ldap).

Here's how I can retrieve a list of all the "admin" groups:

PS C:\> get-ldap -server myserver -cred $mycred -dn dc=JUNGLE -searchscope wholesubtree 
-search "(&(objectclass=group)(cn=*admin*))"


Host DN
---- --
testboy CN=Administrators,CN=Builtin,DC=JUNGLE
testboy CN=Schema Admins,CN=Users,DC=JUNGLE
testboy CN=Enterprise Admins,CN=Users,DC=JUNGLE
testboy CN=Domain Admins,CN=Users,DC=JUNGLE
testboy CN=DnsAdmins,CN=Users,DC=JUNGLE

PS C:\>

As you can tell, the get-ldap cmdlet is very flexible.  I can specify any custom search scope and perform a search for any filter I like.  This particular search filter searches for any groups that contain "admin" anywhere in the cn. 

A more complete group search might have a search filter like so:  "(|(|(|(objectClass=posixGroup)(objectClass=groupOfUniqueNames))(objectClass=groupOfNames))(objectClass=group))"

The cmdlet can also return all the attributes of each DN returned if I just specify the -attr flag in the get-ldap command.

 

posted @ Wednesday, August 01, 2007 10:28 AM | Feedback (0) |