AdFind V01.62.00cpp Joe Richards (support@joeware.net) October 2023
-help Basic help.
-? Basic help.
-?? Advanced/Expert help.
-???? Shortcut help.
-sc? Shortcut help.
-meta? Metadata help.
-regex? Regular Expressions help.
-gui Combine with help switch to open that output in text editor.
Usage:
AdFind [switches] [-b basedn] [-f filter] [attr list]
basedn RFC 2253 DN to base search from.
If no base specified, defaults to default NC.
Base DN can also be specified as a SID, GUID, or IID.
filter RFC 2254 LDAP filter.
If no filter specified, defaults to objectclass=*.
attr list List of specific attributes to return, if nothing specified
returns 'default' attributes, aka * set.
Switches: (designated by - or /)
[CONNECTION OPTIONS]
-h host:port Host and port to use. If not specified uses port 389 on
default LDAP server. Localhost can be specified as '.'.
Port can also be specified via -p and -gc.
IPv6 IP address w/ port is specified [address]:port
-gc Search Global Catalog (port 3268).
-gcb Combines -gc -null switches. i.e. Full forest search.
-gco Only use GC port; do not use port 389. Note that normal secure bind
will start with Kerberos and Kerberos will do some SRV record
lookups and some LDAP "pings" to UDP 389. To avoid this, you should
also use -arecex and -ntlm (or -digest or -simple).
-this xxx Combines -s BASE and -b xxx
-p port Alternate method to specify port to connect to.
-hh host:port Combines -h with -arecex
-hd host:port Combines -h with -default
--------------Advanced--------------
-writeable Use a writeable domain controller.
-kerbenc Kerberos Encryption (LDAP_OPT_ENCRYPT).
-ssl Use SSL
-sslignoresrvcert Ignore any problems with the SSL server cert.
-starttls Use StartTLS
-arecex Hostname is an actual host name, not a domain name.
-url xx Specify LDAP(S) URL.
o LDAP://host:port/basedn?comma_delim_attribs?scope?filter
o See https://www.ldap.com/ldap-urls
[QUERY OPTIONS]
-s scope Scope of search. Base, OneLevel, Subtree.
-base Alias for -s base.
-one Alias for -s onelevel.
-onelevel Alias for -s onelevel.
-sub Alias for -s subtree.
-subtree Alias for -s subtree.
-t xxx Timeout value for query, default 120 seconds.
--------------Advanced--------------
-bb xx Base level query of XX. Combines -b xx and -s base.
-nopaging [BETA] Turn off paging. Also turns off referrals.
-nopaging2 [BETA] Turn off paging. Does not turn off referrals.
-ps size Page size, default page size = 1000.
-maxe xx Max number of entries to be returned.
-upto xx Process up to xx piped in objects and then stop.
-null Use null base.
-root Determine and use root partition for BaseDN.
-config Determine and use configuration partition for BaseDN.
-schema Determine and use schema partition for BaseDN.
-default Determine and use default partition for BaseDN.
-rb xx Relative Base, use with special BaseDN's above.
So you could specify -default and -rb cn=users.
Can also use -rb when piping DNs in.
-rbb xx Same as -rb but with -s base added.
-users Use cn=users,<default domain> for base.
-forestdns Use ForestDNS NDNC for base.
-domaindns Use DomainDNS NDNC for base. Use default domain by default.
-dcs Use Domain Controllers container of default domain for base.
-gpo Use System Policies container of default domain for base.
-psocontainer Use PSO Container of default domain for base.
-quotas Use NTDS Quotas container of default domain for base.
-ldappolicy Use Ldap Query Policies container for base.
-xrights Use Extended Rights container for base.
-partitions Use Partitions container for base.
-sites Use Sites container for base.
-subnets Use Subnets container for base.
-exch Use Exchange Services container for base.
-pki Use CN=Public Key Services,CN=Services,<configDN> for base.
-fsps Use Foreign Security Principals container for base.
-sitelinks Use Site Links Container for base.
-legacydns Use Legacy DNS Container for base.
-displayspecifiers User Display Specifiers container in config for base.
-ds Use Directory Service container in config for base.
-svcs Use Services container in config for base.
-fgpp Use Password Settings Container for base.
-msa Use Managed Service Accounts Container for base.
-roles Use Roles relative base (for ADLDS).
-delobjs Use Deleted Objects relative base from whatever base defined plus -showdel.
-do Alias for -delobjs.
-delobjs+ Use Deleted Objects relative base from whatever base defined plus -showdel+.
-do+ Alias for -delobjs+.
-sort key Server side sort by key (Note: Sorts can time out easily).
-sorta key Same as -sort key but also adds key attribute to output.
-rsort key Reverse server side sort by key.
-rsorta key Same as -rsort key but also adds key attribute to output.
--------------Expert--------------
-stdinsort xx Sorts DNs that have been piped in (multi-DN mode). The
default sort is hierarchical; specify csalpha for a case-sensitive
alphabetic sort or cialpha for a case-insensitive one.
-srvctls xx Inserts arbitrary server controls. Delimiter is ;
-showdel Inserts show deleted objects server control into query.
-showdel+ Inserts show deleted objects, links, and recycled objects control.
-showdelobjlinks Inserts show deactivated links server control.
-showrecycled Inserts show recycled objects server control.
-pr Phantom Root, search all NCs that are subordinate
to the search base - special. Used primarily with
ADAM or if you need to search Schema, Config, etc.
-prb -pr combined with -null, Phantom Root from root of directory.
-asq xx Attribute Scoped Query focused on attribute xx
-bit Special filter conversion enable
:AND:= converts to :1.2.840.113556.1.4.803:=
:OR:= converts to :1.2.840.113556.1.4.804:=
:INCHAIN:= converts to :1.2.840.113556.1.4.1941:=
:NEST:= converts to :1.2.840.113556.1.4.1941:=
:DNWDATA:= converts to :1.2.840.113556.1.4.2253:=
-binenc Transform filter elements to proper format:
{{GUID:guid value}} converts to LDAP format of binary.
{{SID:sid value}} converts to LDAP format of binary.
{{BIN:hex string}} converts to LDAP format of hex binary.
{{BASE64:Base 64 string}} converts to LDAP format of BASE64.
{{UTC:YYYY/MM/DD-HH:MM:SS}} converts to int8 of UTC date/time.
{{UTCGT:YYYY/MM/DD-HH:MM:SS}} converts to Generalized Time of UTC date/time.
{{LOCAL:YYYY/MM/DD-HH:MM:SS}} converts to int8 of Local date/time.
{{LOCALGT:YYYY/MM/DD-HH:MM:SS}} converts to Generalized Time of Local date/time.
{{LOCALGTIPA:YYYY/MM/DD-HH:MM:SS}} is similar to LOCALGT but uses "Z" instead of ".0Z".
{{CURRENT:xx}} converts to int8 of Current date/time as modified
by xx. Two formats are allowed, dd:mm:hh:ss where dd is an
integer value for days, mm for minutes, hh for hours, and ss
for seconds and each value can be prefixed with the
minus(-) sign. The second format is (-)nnz where nn
is an integer value and z is d, m, h, or s.
{{CURRENTGT:xx}} is similar to CURRENT but generalized time format.
{{CURRENTGTIPA:xx}} is similar to CURRENTGT but uses "Z" instead of ".0Z".
-nr Do not follow referrals - client side.
-nrss Tells AD not to generate continuation referrals.
-ff filenm Pulls query filter from file named filenm.
-noautoranging Disables autoranging feature so you can request specific
ranges of multivalue attributes.
-fdnx Filter DN Expansion. Allows use of some normalized strings that
are expanded on the fly when submitted to the LDAP Server.
[ROOT] - Expand to Forest Root Domain DN
[CONFIG] - Expand to Configuration NC DN
[SCHEMA] - Expand to Schema NC DN
[DEFAULT] - Expand to Default NC DN
[DOMAINDNS] - Expand to Domain DNS (default domain) NC DN
[FORESTDNS] - Expand to Forest DNS NC DN
[OUTPUT OPTIONS]
-c Object count only
-c2 Object count only but allow object filtering with -incldn/-excldn
-dn Object DN's only
-appver Output AdFind versioning info.
--------------Advanced--------------
-dpdn Display Parent DN
-pdn Display Parent DN only
-pdnq Display Parent DN only in -dsq format (quoted DN)
-pdnu Display unique Parent DNs only
-pdnuq Display unique Parent DNs only in -dsq format (quoted DN)
-pdnucounts xx [BETA] Displays unique Parent DNs and then counts of objects in each container.
If xx is specified, it is a filename to write the CSV output version to.
-dpcanonical Display Parent Canonical Value - can also use attribute parentCanonical.
-objectdomaindn Display object's domain's DN - can also use attribute objectDomainDN.
-objectdomaindns Display object's domain's DNS - can also use attribute objectDomainDNS.
-nodn Do not output DN
-stripdn Strip DN's down to only RDN value
-nolabel Don't display attribute labels.
-noctl Filter control chars out of attrib value output.
-exclrepl Exclude display of certain replication related attributes.
dSASignature, masteredBy, msDS-IsFullReplicaFor
msDs-masteredBy, repsFrom, repsTo, replUpToDateVector
-nonoise Alias for -exclrepl
-excl xx Exclude display of certain attribs.
xx List must be semi-colon delimited
-excl "objectclass;memberof;name"
-excldn xx Exclude objects with given string in DN. Multiple
strings delimited by semi-colon (;). Cannot be
combined with the -c option. xx can be a regex.
-excldndelim Specify a delimiter for -excldn, default is (;).
-incldn xx Output only objects with given string in DN. Multiple
strings delimited by semi-colon (;). Cannot be
combined with -c option. xx can be a regex.
-incldndelim Specify a delimiter for -incldn, default is (;).
-incllike xx Only display attributes that match xx. Delimited by semicolon (;).
-excllike xx Only display attributes that do not match xx.
-dsq DSQuery style quoted DN output
-dsnq Non-quoted DNs only output (-dsq without the quotes)
-tdc Decode common 64 bit (int8) time fields (pwdLastSet, etc)
-tdcs Decode common 64 bit (int8) time fields string sortable format (pwdLastSet, etc)
-tdcgt Decode Generalized Time fields (whenChanged, etc)
-tdcgts Decode Generalized Time fields string sortable format (whenChanged, etc)
-tdcd Decode time with delta. Int8 only.
-tdcda Decode time with delta. Int8 and Generalized Time.
-tdcdshort Decode time with delta. Short output format.
-tdca Combined -tdc and -tdcgt
-tdcas Combined -tdcs and -tdcgts
-utc Use with tdc*, decodes to UTC instead of localtime.
-tdctzstr Set your own TimeZone String, e.g. EDT instead of Eastern Daylight Time.
-tdcfmt xxx Define format for -tdc/-tdcgt/-tdca/tdcd.
-tdcsfmt xxx Define format for -tdcs/-tdcgts/-tdcas/tdcd.
NOTE: The TDC format strings allow you to change the output
format of the various -tdc* switches. Pass a string into the
switch defining the required format. Special format modifiers:
%MM% - 2 digit month
%DD% - 2 digit day
%YYYY% - 4 digit year
%HH% - 2 digit hour (24 hour format)
%mm% - 2 digit minute
%ss% - 2 digit second
%ms% - 2 digit millisecond
%TZ% - Time Zone value
%INT8% - Raw Integer8 time format
%% - Percent symbol
Default format for -tdc is %MM%/%DD%/%YYYY%-%HH%:%mm%:%ss% %TZ%
Default format for -tdcs is %YYYY%/%MM%/%DD%-%HH%:%mm%:%ss% %TZ%
-int8time xx Add attribute(s) to list for decoding as int8. Semicolon delimited.
-int8time- xx Remove attribute(s) from list to be decoded as int8. Semicolon delimited.
INT8 Notes:
===========
AdFind has many attributes that are pre-defined as time and
duration attributes that will be decoded by the -tdc* switches.
In addition, AdFind will search the schema looking for all 2.5.5.16
attributes and anything with the string 'time' in the lDAPDisplayName
or adminDescription will be added to the list of attributes to
be decoded as time attributes. Anything with either 'duration'
or 'interval' will be decoded as interval attributes.
-samdc Decode SAM Type attributes:
forceLogoff, groupType, lockoutDuration, lockoutObservationWindow,
machinePasswordChangeInterval, maxPwdAge, maxRenewAge, maxTicketAge,
minPwdAge, minTicketAge, msDS-IsUserCachableAtRODC, msDS-LockoutDuration,
msDS-LockoutObservationWindow, msDS-MaximumPasswordAge,
msDS-MinimumPasswordAge, msDS-SupportedEncryptionTypes,
msDS-User-Account-Control-Computed, nTMixedDomain, pekKeyChangeInterval,
proxyLifetime, pwdProperties, sAMAccountType, trustAttributes,
trustDirection, trustType, userAccountControl
-flagdc Decode various flag type attributes:
dSHeuristics, instanceType, msDS-Behavior-Version,
mS-DS-ReplicatesNCReason, options, packageFlags, schemaFlagsEx
searchFlags, systemFlags, validAccesses, msDS-RevealedUsers.
-schdc Decode attributeSyntax, objectClassCategory, and objectVersion and also
enables -flagdc switch.
-sitenamedc Decode site name GUIDs to site names.
-alldc Enable all decode options EXCEPT -sddc/-sddl.
-alldc+ Enable all decode options including -sddc/-sddl.
-alldcd -alldc combined with -tdcda.
-elapsed Display elapsed time in seconds that the search occupied.
-selapsed Display elapsed time in seconds for various points of execution.
-elapsedms Display elapsed time in milliseconds that the search occupied.
-selapsedms Display elapsed time in milliseconds for various points of execution.
-list List style output, no DNs, no labels.
-qlist Quoted list, like -list but with quotes.
-sl Sorted List, shortcut for -sort -list
-progress Display Progress Bar for multi-DN operations in the title bar.
-cv Count values, requires -csv mode
-cva xx Count values for specified attributes only. Delimited by semicolons (;).
-hint Outputs "hint" parameter information for AdFind/AdMod, specifically:
-h switch -p switch -u switch -up switch -simple switch
-hh switch -url switch
-jtsv Combines -csv -csvdelim \t -csvmvdelim |
-jtsv2 Combines -jtsv -csvnoheader -csvnoq
-fl Combines -jtsv2 and -list.
-jcsv2 Combines -csv -csvnoheader -csvnoq
-csv xxx CSV output, xxx is an optional string that specifies value to
use for empty attribs.
-gcsv Generic CSV mode. Combines -csv, -replacedn _all
-adcsv xxx Special CSV mode for interacting with other joeware tools.
xxx is an optional string that specifies value to use for
empty attribs.
-csvdelim x Delimiter to use for separating attributes in CSV output,
default (,).
-csvmvdelim x Delimiter to use for separating multiple values in output,
default (;).
NOTE: The -csvdelim and -csvmvdelim switches allow you to
specify control characters such as tab via standard c\c++ printf
character sequences. For example tab is \t. There is no
filtering in place to validate that intelligent characters are
selected so if you choose \n you own the problem. :)
-csvq x Character to use for quoting attributes, default (").
-csvnoq Set Quote character to null - i.e. no quote character.
-nocsvq Alias for -csvnoq.
-csvqesc CSV Quote escape character. default (\)
-nocsvheader Don't output attribute header.
-csvnoheader Alias for -nocsvheader.
-csvsh x CSV Smart Header. When redirecting to a file (x) a header will
be written if file x doesn't exist or has a zero length. This is
useful especially for CMD FOR /F or PoSh foreach().
-csvconnerr Insert Host Connection Error in CSV output file.
-csvxl Excel CSV mode, sets quote escape character to " and changes
" in DNs to "" which makes the output incompatible with
any CSV type tools that modify AD such as AdMod.
-csvfinalcount Display number of rows at the end of the output. ObjCount=xxx.
CSV Notes:
==========
o The CSV mode requires you to specify the attributes you want
returned.
o To specify a static column specify an argument of the form
of header:value
-attrprefix x Prefix character for attribute output, default is greater than (>).
-attrvaldelim x Delimiter character between attribute and value, default is colon (:).
-xmod Uses -attrprefix/-attrvaldelim to output objects in a format similar to AdMod input.
-soao Sort order attrib output, sorts attrib names for each record.
-oao xxx Order attrib output, orders attrib output by specified order.
xxx allows you to specify NULL value for specified attributes.
-noerr Do not write errors to stderr/stdout when output is redirected.
-pause Forces AdFind not to exit until <ENTER> is pressed when prompted.
-gplinkmulti Output GPO DNs in gPLink attribute as a multi-valued attribute.
--------------Expert--------------
-ic Intermediate count (for multi-dn mode).
-ictsv Intermediate count TSV output (for multi-dn mode).
-db Display base DN (for multi-dn mode).
-objcnterrlevel Object count only, send to command prompt ERRORLEVEL variable.
-resolvesids Resolve SIDs to names
-resolvesidsgeneric xxx Resolve SIDs but transform domain names to xxx. Default xxx = [DOMAIN]
NOTE: All domains will have the same xxx value.
-resolvesidsgenex Resolve SIDs but transform root domain name to {{*rootdns*}} and ALL
other domains in forest to {{*domaindns*}}
-resolvesidsldap Uses LDAP to resolve SIDs to DNs. This is done automatically
when connecting to ADAM for ADAM SecPrins.
-sidtype Output SID types - USER, GROUP, WELLKNOWN, BI-GROUP, etc
-rawsddl Show rawsddl.
-rawsddlnl Does not include [SDDL] label prefix on -rawsddl output.
-rawsddlexpl Show rawsddl explicit ACEs only.
-sddc / -sddl Partial decode of security descriptors
-sddc+ / -sddl+ Better partial decode of security descriptors
-sddc++ / -sddl++ Even better decode of security descriptors
-sddc+++ / -sddl+++ Combines -sddl++ with -resolvesids
-sddc3 / -sddl3 Alias for -sddl+++
-sdpipe Output explicit ACEs of security descriptor in -adcsv format.
-sdpipe+ Adds -resolvesidsgeneric to -sdpipe.
-sdpipe+x Adds -resolvesidsgenex to -sdpipe.
-daclpipe Output explicit ACEs of DACL only in -adcsv format.
-daclpipe+ Adds -resolvesidsgeneric to -daclpipe.
-daclpipe+x Adds -resolvesidsgenex to -daclpipe.
-sdna SD info Non-Admin. Allows non-admins to get some SD Info (same as -nosacl)
-sddlpsflag Mark property sets in SDDL output
-sdcsvsingle xx Special CSV output of Security Descriptor with one ACE per line broken out.
Note: xx is an optional string of values that can be combined:
d - Use defaultSecurityDescriptor instead of nTSecurityDescriptor
e - Explicit ACEs only
f - Full mode, enable -sddl++, -csv, and -resolvesids.
g - Generic secprins, replace domain with [DOMAIN].
r - Insert -replacedn _all to genericize the DN.
x - Like g but with -resolvesidsgenex versus -resolvesidsgeneric
-sdcsvsinglesort xx Same as -sdcsvsingle but with sorted output. Same values for xx.
-acecount Numbers each ACE on the ACE output line in the -sddl+ and higher output.
-sidbinout xx SID binary pack as unicode string output (unfriendly format)
-guidbinout xx GUID binary pack as unicode string output (unfriendly format)
Note: For -sidbinout, -guidbinout you have the option to
specify the format type via the xx parameter:
HEX for Hex output
BASE64 for Base64 output
-binsize x Output binary attribute size. x defines units, default
is bytes, use KB, or MB for KiloBytes or MegaBytes.
-binsizenl Do not put string label on end of BinSize output.
-extname Shows Extended Name format DNs, i.e. GUID/SID info
-exterr Show Extended Error info. DSID Info...
-norrerr Do not throw errors if invalid range is specified on attribute.
-owner Display Owner - will show as attrib _OBJECT_OWNER
-owneronly Display DN and Owner only
-ownercsv Display DN and Owner only, Semicolon delimited output
-ameta xx Display Attribute Replication MetaData (msDS-ReplAttributeMetaData)
xx can be a semicolon delimited list of specific attributes.
-ametal xx -ameta combined with -list
-ametanl xx -ameta combined with -nolabel
-vmeta xx Display Linked Value Replication MetaData (msDS-ReplValueMetaData)
Note: The value for xx in -ameta/-vmeta can be a -metafilter string.
-vmetal xx -vmeta combined with -list
-vmetanl xx -vmeta combined with -nolabel
-vmetaplus Combined with -vmeta switches to display additional meta info.
-vmeta+ Alias for -vmetaplus.
-metas xx Both attribute and value metadata.
-metasnl xx -metas but with no label.
-metasl xx -metas but in list format.
-metamvcsv Output metadata in MV CSV type format
-metamvcsva xx Specify properties list to output for attribute metadata (delimiter: ;)
Field Names: attribute datetime dsa usnlocal usnorig version
-metamvcsvv xx Specify properties list to output for value metadata (delimiter: ;)
Field Names: attribute datetime dn dsa state usnlocal usnorig version initialaddtime removetime
-dloid Don't load OID's for GUID/SID decode
-ddo Display Dynamic Object attributes if present.
-showttll Display Link TTL values.
-mvfilter xx Multivalue filter. (Also works on single value attributes)
-mvnotfilter xx Multivalue NOT filter. (Also works on single value attributes)
-mvfiltercs Make filter case sensitive.
-mvfilterdelim xx Delimiter between multiple filter definitions. Default (;)
Multivalue Filter Notes:
========================
Filters are specified in the format:
attribute1=filter;attribute2=filter,etc
Alternate filter format is:
attribute1=filter1;filter2;filterN;attribute2=filter1
The default semi-colon delimiter can be modified with the
-mvfilterdelim switch. These are simple exists or not exists
filters, the values are scanned for the string and if there
is a match, the value is displayed or not based on whether
it is a NOT filter or show filter. If a semicolon is part of a
returned attribute name, the match will be made on the attribute
name itself so extensions like ;binary or ;range= will not be
part of the matching. Do not use * or ? in the filter as a
wildcard because it will not be used as a wildcard.
Ex: -mvfilter proxyaddresses=smtp;proxyaddresses=sip;mail=@domain.com
Ex: -mvfilter proxyaddresses=smtp;sip;mail=@domain.com
-mvsort xx Sort the values in a multivalue attribute. Default *.
-mvrsort xx Sort the values in a multivalue attribute in reverse. Default *.
Notes: -mvsort and -mvrsort specify the multivalue attribute(s)
to sort via semicolon delimited list. To make the sort
case insensitive for an attribute append :ci onto the
attribute name. To select all MV attribs specify *.
-metasort xx See adfind /meta?
-sddlfilter xx SDDL filter, use with -sddl++
-sddlnotfilter xx SDDL NOT filter, use with -sddl++
SDDL Filter Notes:
==================
Filters are specified in the format:
acetype;aceflags;rights;objectguid;inheritobjectguid;account
If you want to specify an empty value for one of the fields use
the tilde (~) for the field value to do so. You do not have to
specify values for all fields. An empty field indicates to match
on anything. You can only specify a single filter and a single
NOT filter.
NOTE: Previously the dash (-) was the empty value character.
Ex1: -sddlfilter ;inherited
Only display inherited ACEs
Ex2: -sddlnotfilter ;inherited
Only display non-inherited ACEs
Ex3: -sddlfilter allow;;;;;joe
Display allow ACEs for account with joe in the value
Ex4: -sddlfilter allow;;;;;administrators
Display all ACEs except allow ACEs for administrators
-recmute Suppress display of DN if all attributes are empty. This is
primarily in place for the -sddlfilter options.
-recmutedsq -recmute functionality but only output quoted DNs of objects with values.
-noowner Do not retrieve owner info for Security Descriptors
-nogroup Do not retrieve group info for Security Descriptors
-nodacl Do not retrieve DACL info for Security Descriptors
-nosacl Do not retrieve SACL info for Security Descriptors
-onlydacl Only retrieve DACL info for Security Descriptors
-onlysacl Only retrieve SACL info for Security Descriptors
-onlydaclflag Only retrieve DACL and display DACL flag
-onlysaclflag Only retrieve SACL and display SACL flag
-onlyaclflags Only retrieve DACL/SACL and display ACL flags
-onlyaclprot Only display protected ACLs (i.e. ACLs that do not inherit).
-onlyaclunprot Only display unprotected ACLs (i.e. ACLs that inherit).
-sdsize x Output Security Descriptor Size. x defines units, default
is bytes, use KB, or MB for KiloBytes or MegaBytes.
-sdsizenl Do not put string label on end of SDSize output.
-sdblob Display the Security Descriptor as a HEX BLOB.
-sdbinout Alias for -sdblob
-dplsids Use older method for resolving SIDs for SDDLs (generally slower).
-jsd xxx SD Decode shortcut - adds ntsecuritydescriptor -sddl++, resolvesids.
-jsdnl xxx Same as -jsd but add -nolabel
-jsdnlb xxx Same as -jsdnl but add -s base
-jsde xxx SD Decode shortcut explicits - adds ntsecuritydescriptor -sddl++, resolvesids.
-jsdenl xxx Same as -jsde but add -nolabel
-jsdenlb xxx Same as -jsdenl but add -s base
JSD NOTES:
==========
The -jsd* switches take an optional parameter specifying filters
using a format of <sddlfilter>:<sddlnotfilter> or regex.
The optional filters are parsed off and passed to the sddlfilter or
sddlnotfilter switches so use the usage info for those switches as
a guide for that format. You can use blah or blah:blah2 or :blah.
For regex you can use m/regex/options or !m/regex/options.
-metafilter xxx Filter metadata output. (both attributes)
-metafilterattr xxx Filter metadata output. (msDS-ReplAttributeMetaData)
-metafilterval xxx Filter metadata output. (msDS-ReplValueMetaData)
METADATA FILTER NOTES:
======================
When using the -sc objsmeta shortcut or when specifying that
AdFind should return the binary versions of the metadata
attributes msDS-ReplAttributeMetaData;binary and
msDS-ReplValueMetaData;binary you can configure some specific
filtering on fields of the metadata. You can specify several
filters by separating them with a semi-colon (;). If you specify
several filters of the same type, i.e. two or more version filters
they are OR'ed together. If you specify several filters of different
types they are AND'ed together. The available fields are:
attribute [both] - specify LDAP attribute name.
ex: -metafilterattr cn;description
time [both] - specify time=(wildcard time value)
ex: -metafilterattr time=2010/03/29
site [both] - specify site=(site name)
ex: -metafilterattr site=MySite
server [both] - specify server=(server name | nodeleted)
ex: -metafilterattr server=MyServer
ex: -metafilterattr server=nodeleted
originating USN [both] - specify usnorig=(USN)
ex: -metafilterattr usnorig=12345
local USN [both] - specify usnloc=(USN)
ex: -metafilterattr usnloc=12345
version [both] - specify ver=(version)
ex: -metafilterattr ver=19771107
state [ReplVal] - specify state=(state)
ex: -metafilterval state=(+)
link value [ReplVal] - specify link=(link value)
ex: -metafilterval link=cn=administrators
-nirs Not in Result Set option. Enables sorted order output and
requests the constructed attribute 'allowedAttributes' and
determines what attributes that could be populated for an
object that AREN'T populated for the object and populates those
attribute's value with <NOT IN RETURN SET>. The attributes
'allowedAttributes' and 'allowedAttributesEffective' will
both show as <INTENTIONALLY MUTED> for ease of reading the
output. Cannot be used with -CSV. Use with -list to just list
all possible attributes of an object.
-nirsx Similar to -nirs but uses 'allowedAttributesEffective' which
"sort of" returns attributes that AD defines as writeable for the
current user. In reality not all of the attributes may truly be writeable.
Use with -list to just list the effective writeable attributes.
-nirsonly Used with -nirs/-nirsx and ONLY shows attributes with no values.
-subset x Output only a subset of the returned results. By default output
will contain every 10 objects, specify X for alternate value.
-objfilefolder x [BETA] Output returned objects in individual files in top level folder
specified by x. Each file is written under the top level folder
by the most specific class specified by the objects
structuralObjectCategory values. The file names will be based
on the objectGUID.
-exportfile x=y Export binary of attribute y to file x. Semicolon delimited.
Think of it as file x = attribute y info. Can also just
specify the attribute name and it will use the RDN of the object
appended with .bin (or .jpg for attributes with photo in the
name) for the file name. If the attribute is multivalued _x
will be appended where x will be a consecutive number.
If there is a filename collision _x will also be appended
to the filename. So a collision on a multivalued attribute
could end up with a name like jpegPhoto.jpg_1_0. You can also
specify {rdn} in the specified file name and {rdn} will be
replaced with the actual RDN string such as Export_{rdn}.file.
[AUTHENTICATION OPTIONS]
--------------Advanced--------------
-u userdn Userid authentication. AD simple bind supports all ID
formats and secure bind only supports ID formats 1 and 2.
No userid specified indicates anonymous authentication.
ID Formats
1. domain\userid
2. user@domain.com (userPrincipalName)
3. cn=user,ou=someou,dc=domain,dc=com (DN)
-up pwd Password for specified userid. * indicates to ask for password.
Password can be clear text password or ENCPWD:xxx format as
created by -encpwd switch
-simple Simple Bind
-digest Digest Authentication (LDAP_AUTH_DIGEST)
Notes: ADLDS - Can be used with DN and UPN
AD - Can be used with flatdomainname\samname,
dnsdomainname\samname, and UPN
If the SAMNAME/UPN is changed, the password needs to be changed
as DIGEST hashes are calculated at password change.
Alternately account can be set with reversible encryption.
-ntlm NTLM Authentication (LDAP_AUTH_NTLM)
[MISC OPTIONS]
--------------Expert--------------
-po Print options. This switch will dump to the command line
all switches with values and attributes specified.
-allowdupeargs Disables argument filtering such that you could specify the
same argument (attribute) multiple times for CSV output.
-decint xx Decode int8 interval value.
-decutc xx Decode int8 value to UTC time string.
-declocal xx Decode int8 value to local time string.
-encutc xx Encode UTC time to int8. Format: YYYY/MM/DD-HH:MM:SS
-enclocal xx Encode local time to int8. Format: YYYY/MM/DD-HH:MM:SS
-enccurrent xx Encode current time to int8.
xx must be a string in one of two formats:
Format 1: dd:hh:mm:ss
where dd is days, hh is hours, mm is minutes, ss is secs
each value can be prefixed with a minus (-) symbol.
Ex: 00:-20:-30:00 for -20 hours and 30 minutes.
Format 2: (-)nnZ
where nn is an integer and Z is d, h, m, or s.
Ex: -20h for -20 hours.
The strings are a modifier from the current time. If you
want the current time in int8, specify 0d for the string.
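Added example (not AdFind's or joeware's own code): the int8 time arithmetic behind -encutc, -decutc, -decint and -enccurrent, and the same modifier string that the {{CURRENT:xx}} -binenc token accepts. It assumes the standard AD int8 convention (100-nanosecond ticks since 1601-01-01 UTC, with interval attributes such as maxPwdAge stored negative) and follows the dd:hh:mm:ss field order given for -enccurrent.

```python
# Added example, not part of AdFind. AD int8 timestamps (pwdLastSet,
# lastLogonTimestamp, ...) count 100 ns ticks since the Windows FILETIME
# epoch, 1601-01-01 00:00:00 UTC. Interval attributes (maxPwdAge,
# lockoutDuration, ...) hold a negative tick count.
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # one tick = 100 ns


def to_int8(dt: datetime) -> int:
    """Timezone-aware datetime -> AD int8 timestamp."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def from_int8(value: int) -> datetime:
    """AD int8 timestamp -> UTC datetime (sub-microsecond ticks dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def enc_utc(text: str) -> int:
    """-encutc: 'YYYY/MM/DD-HH:MM:SS' read as UTC -> int8."""
    dt = datetime.strptime(text, "%Y/%m/%d-%H:%M:%S").replace(tzinfo=timezone.utc)
    return to_int8(dt)


def dec_utc(value: int) -> str:
    """-decutc: int8 -> 'YYYY/MM/DD-HH:MM:SS' in UTC."""
    return from_int8(value).strftime("%Y/%m/%d-%H:%M:%S")


def dec_interval(value: int) -> timedelta:
    """-decint: int8 interval (negative as stored in AD) -> timedelta."""
    return timedelta(microseconds=abs(value) // 10)


def parse_modifier(text: str) -> timedelta:
    """Parse the modifier accepted by -enccurrent / {{CURRENT:xx}}.

    Format 1: dd:hh:mm:ss, each field optionally prefixed with '-'
              (field order as described for -enccurrent).
    Format 2: (-)nnZ where Z is d, h, m or s.
    """
    m = re.fullmatch(r"(-?\d+)([dhms])", text)
    if m:
        unit = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}[m.group(2)]
        return timedelta(**{unit: int(m.group(1))})
    fields = text.split(":")
    if len(fields) != 4 or not all(re.fullmatch(r"-?\d+", f) for f in fields):
        raise ValueError(f"unrecognised time modifier: {text!r}")
    days, hours, minutes, seconds = (int(f) for f in fields)
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def enc_current(modifier: str, now: Optional[datetime] = None) -> int:
    """-enccurrent: int8 of (now + modifier). 'now' is injectable for tests."""
    now = now or datetime.now(timezone.utc)
    return to_int8(now + parse_modifier(modifier))


if __name__ == "__main__":
    # Constructed sample: the Unix epoch expressed as an AD int8 value.
    unix_epoch_int8 = enc_utc("1970/01/01-00:00:00")
    print(unix_epoch_int8, dec_utc(unix_epoch_int8))
    # Constructed sample: a 42-day maxPwdAge as AD stores it.
    print(dec_interval(-36288000000000))
    # Filter-ready int8 for "20 hours ago", as {{CURRENT:-20h}} would yield.
    print(enc_current("-20h"))
```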
-decdelta xx Decode delta time value.
-encpwd xx Encodes password xx for -up switch. Not required, use to assist
with some additional security.
-encguidtoiid xx Encodes GUID to IID (BASE64 GUID)
-deciidtoguid xx Decodes IID (BASE64 GUID) to GUID
-encguidtohex xx Encodes GUID to Hex String
-dechextoguid xx Decodes Hex String to GUID
-encsidtohex xx Encodes SID to Hex String
-dechextosid xx Decodes Hex String to SID
-nopagingcheck Disable LDAP paging OID existence check on startup.
-decsddlacl x Decodes ACL x specified in SDDL format. Use -h to specify
machine to use for resolving SIDs to names.
-filterbreakdown xx Breaks down LDAP filter specified in xx into a more
readable format. Can specify filter as param or with -f.
-expandfilter xx Alias for -filterbreakdown.
-dnbreakout xx:yy Break DN xx into various components. Valid values for yy:
CANONICAL_NAME - lockout.test.loc/System/Policies
DN - CN=Policies,CN=System,DC=lockout,DC=test,DC=loc
DOMAIN - DC=lockout,DC=test,DC=loc
EXPLODED_DN - CN=Policies;CN=System;DC=lockout;DC=test;DC=loc
GRANDPARENT - DC=lockout,DC=test,DC=loc
NAME - Policies
NDC - CN=Policies,CN=System
PARENT - CN=System,DC=lockout,DC=test,DC=loc
PARENTRDN - CN=System
PARENT_CANONICAL_NAME - lockout.test.loc/System
RDN - CN=Policies
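Added example (not AdFind's own code): a Python decomposition of an RFC 2253 DN into the component names -dnbreakout lists, checked against the sample DN above. It assumes DC= RDNs form the domain and that canonical names run top-down (DNS name, containers, leaf); it also handles backslash-escaped commas in RDN values, which the help text does not discuss.

```python
# Added example, not part of AdFind: derive the -dnbreakout components.
from typing import Dict, List


def split_rdns(dn: str) -> List[str]:
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep escape pairs intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def rdn_value(rdn: str) -> str:
    """Attribute value of an RDN with RFC 2253 backslash escapes removed."""
    value = rdn.split("=", 1)[1] if "=" in rdn else rdn
    return value.replace("\\,", ",").replace("\\\\", "\\")


def is_dc(rdn: str) -> bool:
    return rdn.upper().startswith("DC=")


def dn_breakout(dn: str) -> Dict[str, str]:
    """Return the components -dnbreakout knows, keyed by its yy names."""
    rdns = split_rdns(dn)
    if not rdns or not rdns[0]:
        raise ValueError("empty DN")
    dc_rdns = [r for r in rdns if is_dc(r)]
    ndc_rdns = [r for r in rdns if not is_dc(r)]
    dns_name = ".".join(rdn_value(r) for r in dc_rdns)
    # Canonical names run top-down: DNS name, then containers, then the leaf.
    path = [rdn_value(r) for r in reversed(ndc_rdns)]
    return {
        "CANONICAL_NAME": "/".join([dns_name] + path),
        "DN": dn,
        "DOMAIN": ",".join(dc_rdns),
        "EXPLODED_DN": ";".join(rdns),
        "GRANDPARENT": ",".join(rdns[2:]),
        "NAME": rdn_value(rdns[0]),
        "NDC": ",".join(ndc_rdns),
        "PARENT": ",".join(rdns[1:]),
        "PARENTRDN": rdns[1] if len(rdns) > 1 else "",
        "PARENT_CANONICAL_NAME": "/".join([dns_name] + path[:-1]),
        "RDN": rdns[0],
    }


if __name__ == "__main__":
    sample = "CN=Policies,CN=System,DC=lockout,DC=test,DC=loc"  # DN from the help text
    for key, value in dn_breakout(sample).items():
        print(f"{key:22} {value}")
```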
-rootdse Returns and decodes RootDSE + some non-default attribs.
Attributes Decoded:
* domainControllerFunctionality
* domainFunctionality
* forestFunctionality
* supportedCapabilities
* supportedControl
* supportedExtension
-rootdseanon Like RootDSE but anonymous.
-fullrootdse xxx Returns and decodes RootDSE + all non-default attribs. If
xxx is specified as the string "bin" the ;binary option
will be appended to the appropriate attributes and cause
their decode via AdFind versus getting XML versions.
-adminrootdse xxx Returns and decodes RootDSE + all non-default attribs including admin.
Like with -fullrootdse "bin" can be used for ;binary.
-rootdseinternals Display even more rootdse information, requires admin to see everything.
-extsrvinfo Give additional server info for bind string info.
-domainlist xx Shortcut -sc domainlist promoted to normal switch, see shortcut help for info.
-domainncsl xx Shortcut -sc domainncsl promoted to normal switch, see shortcut help for info.
-dclist xx Shortcut -sc dclist promoted to normal switch, see shortcut help for info.
-fsmo xx Shortcut -sc fsmo promoted to normal switch, see shortcut help for info.
-replacedn xxx:yyy Replaces xxx in DNs with yyy. Following special cases:
"" alias for _all
_all replaces all of the following:
_config Configuration DN replaced with <CONFIG>
_schema Schema DN replaced with <SCHEMA>
_default Default NC DN replaced with <DEFAULTNC>
_root Root NC DN replaced with <ROOT>
_sites Sites DN replaced with <SITES>
_subnets Subnets DN replaced with <SUBNETS>
_system System DN replaced with <SYSTEM>
_exch Exchange services DN replaced with <EXCH>
_dcs Domain Controllers DN replaced with <DCS>
_fsps ForeignSecurityPrincipal DN replaced with <FSPS>
_msa Managed Service Accounts DN replaced with <MSA>
_psc Password Settings Container DN replaced with <PSA>
_gpo Group Policy Container DN replaced with <GPO>
_services Services DN in Config NC replaced with <SERVICES>
Not specifying a value is alias for _all
-replacedndelim x Specifies delimiter to separate replacedn strings
-sslinfo Doesn't return any data other than SSL Certificate and Connection info
-e xxx Load switches from environment. Will read env vars with prefix
and dash (adfind-) by default and load them in. To
specify a different prefix, specify string after -e. For
example to specify the host switch create an env var of
adfind-h. To specify properties specify the env var adfind-
or adfind-props. To specify a switch that doesn't take
a value, specify a value of {~}, because you can't set an
environment variable to blank. By default, AdFind will read any
environment variables prefixed with (joeware-default-adfind-)
without specifying -e.
Ex: Queries ADAM on localhost port 5000 for subnets.
set adam1-h=.:5000
set adam1-config={~}
set adam1-f=objectcategory=subnet
set adam1-props=name siteobject
set adam1-u=thispc\myid
set adam1-up=ENCPWD:EhfEeD0ZVyV9O2AdWzoNyXzYrQwVJm9cN1
adfind -e adam1
-ef xxx Load switches from file (default file = adfind.cf), one
switch per line. Properties can be placed on multiple lines
Ex: Queries ADAM on localhost port 5000 for subnets.
adam1.cf
-h .:5000
-config
-f objectcategory=subnet
name siteobject
adfind -ef adam1.cf
By default AdFind will process the default configuration
file 'joeware_default_adfind.cf' without specifying -ef.
ENVIRONMENT NOTES
There are five levels at which switches can be specified; a lower level
never overrides a higher level. The levels from highest to lowest:
1. Command line switches
2. Environment variable specified via -e
3. Environment file specified via -ef
4. Default environment variables prefixed with joeware-default-adfind-
5. Default environment file joeware_default_adfind.cf
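The five-level precedence above, together with the {~} marker for value-less switches and the adfind-/adfind-props convention for attributes, is easy to get wrong when several sources are in play. The following is an added example (not AdFind's code) that parses each source the way the text describes and merges them highest-first, so a lower level can only fill in switches the higher levels left unset. All inputs are constructed in-memory stand-ins for the process environment and the .cf files; the exact argv rules (a switch takes the next token as its value unless that token is itself a switch) are an assumption.

```python
# Constructed inputs mirroring the page's adam1 example; nothing here reads
# the real process environment or any file on disk.
DEFAULT_ENV_PREFIX = "joeware-default-adfind-"

ENV = {                                   # what `set adam1-...` would create
    "adam1-h": ".:5000",
    "adam1-config": "{~}",               # {~} marks a switch with no value
    "adam1-f": "objectcategory=subnet",
    "adam1-props": "name siteobject",
    "PATH": "C:\\Windows",                # unrelated variable, must be ignored
}
CF_TEXT = """-h .:5001
-config
-f objectcategory=site
name
siteobject
"""
DEFAULT_ENV = {"joeware-default-adfind-u": "thispc\\myid"}
DEFAULT_CF_TEXT = "-sddl\n"


def _add_switch(acc: dict, token: str, value):
    acc[token.lower()] = value


def parse_env(env: dict, prefix: str) -> dict:
    """<prefix><switch>=<value>; <prefix> alone or <prefix>props carries the
    attribute list. Windows variable names are case-insensitive."""
    out = {}
    for name, value in env.items():
        if not name.lower().startswith(prefix.lower()):
            continue
        switch = name[len(prefix):]
        if switch == "" or switch.lower() == "props":
            out["__attrs__"] = value.split()
        else:
            _add_switch(out, switch, None if value == "{~}" else value)
    return out


def parse_cf(text: str) -> dict:
    """One switch per line; lines without a leading - or / are attributes."""
    out, attrs = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line[0] in "-/":
            parts = line[1:].split(None, 1)
            _add_switch(out, parts[0], parts[1] if len(parts) > 1 else None)
        else:
            attrs.extend(line.split())
    if attrs:
        out["__attrs__"] = attrs
    return out


def parse_cmdline(argv: list) -> dict:
    """Assumed rule: a switch takes the next token as its value unless that
    token is itself a switch; bare tokens are attributes."""
    out, attrs, i = {}, [], 0
    is_switch = lambda t: t is not None and t[:1] in ("-", "/") and len(t) > 1
    while i < len(argv):
        tok = argv[i]
        if is_switch(tok):
            nxt = argv[i + 1] if i + 1 < len(argv) else None
            if nxt is not None and not is_switch(nxt):
                _add_switch(out, tok[1:], nxt)
                i += 2
                continue
            _add_switch(out, tok[1:], None)
        else:
            attrs.append(tok)
        i += 1
    if attrs:
        out["__attrs__"] = attrs
    return out


def resolve_switches(argv, env, e_prefix=None, cf_text="", default_env=None,
                     default_cf_text=""):
    """Merge the five levels, highest precedence first; a switch already set
    by a higher level is never overwritten by a lower one. e_prefix is the
    string given to -e ("adam1"); None means -e was not used."""
    levels = [parse_cmdline(argv)]
    if e_prefix is not None:
        prefix = e_prefix if e_prefix.endswith("-") else e_prefix + "-"
        levels.append(parse_env(env, prefix))
    levels.append(parse_cf(cf_text))
    levels.append(parse_env(default_env or {}, DEFAULT_ENV_PREFIX))
    levels.append(parse_cf(default_cf_text))
    merged = {}
    for level in levels:
        for key, value in level.items():
            merged.setdefault(key, value)
    return merged


if __name__ == "__main__":
    print(resolve_switches(["-f", "objectcategory=site", "-sdna"], ENV, "adam1",
                           CF_TEXT, DEFAULT_ENV, DEFAULT_CF_TEXT))
```

Note that a switch present at a higher level with no value (the {~} case, or a bare -config on the command line) still wins: presence, not the value, is what the precedence rule keys on.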
-inputdn xx Specifies DN for LDAP_SERVER_INPUT_DN_OID.
-ldapping xx Special LDAP "ping" functionality. xx has one optional value:
!closest when you don't want next closest site.
-netlogonexdc Modifies output format for LDAP Ping to alternate format.
-ldappingex xx -ldapping + -netlogonexdc.
-dncharvalidation [BETA] Bounce DNs with non-US ASCII Characters (c & 0x80 > 0)
-dirsync xx Enable DirSync query. xx is prior DirSync Cookie or Cookie File.
If nothing is specified, it will look for a default file that is
named .\adfind_x.y_cookie.dirsync where x.y is the NC being
queried converted from DC=blah,DC=blah to blah.blah format.
If the default file is empty or non-existent it will create it.
To specify a specific filename, use the format FILE:filename.
To specify a cookie, just specify the cookie string.
Specify filter with -f as normal to filter what is returned.
-dirsyncro xx Identical to -dirsync but will not update the cookie file.
-dirsync_opts xx Options for DirSync. Values for xx:
OS - Object Security Mode (Should work without high level access)
AFO - Ancestors First Order (Helps with chicken/egg issues)
IV - Incremental Values (useful for large groups)
-dirsync_maxbytes xx Maximum number of bytes for return sets, minimum 100k, default 1MB
-dirsync_cont xx Continuous dirsync, sleep xx seconds between passes.
Notes about DIRSYNC functionality
The DirSync functionality is very different from normal LDAP queries, make no assumptions
about the output formatting. TEST! Some additional switches that should generally be used
with -dirsync are -extname and -showdel+ to turn on extended DN names and deleted objects.
By default, nTSecurityDescriptor will be output as -rawSDDLExpl mode. You can override with
-rawsddl if you need the inherited ACEs with the security descriptor.
Please review the Microsoft LDAP DirSync documentation:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/2213a7f2-0a36-483c-b2a4-8574d53aa1e3
https://docs.microsoft.com/en-us/windows/win32/ad/polling-for-changes-using-the-dirsync-control
-stats Display STATS control info
-stats+ Display STATS control info + some analysis.
-statsonly Display STATS control info - ONLY
-stats+only Display STATS control info + some analysis - ONLY
-statsonlynodata Display STATS control info, no data return
-stats+onlynodata Display STATS control info + some analysis, no data return
-statsnofilter Don't output LDAP filter.
Notes about STATS functionality
All of the STATS options require user have DEBUG_PRIVILEGE
on the domain controller queried.
All switches except the two with nodata appended will return the query result
set in the background but will not display it. The nodata switches work with
Windows Server 2003 and later and tell AD not to return the data set at all,
but instead to report only what would have happened if it had.
Hit rate is a function of data in the directory and the specific filter
being used; it is not an absolute measure across directories.
You could use a query of (&(objectcategory=person)(objectclass=user))
in one directory and get a hit rate of 95% but then in another that has
a bunch of contacts could get a hit rate of 40% or less.
STATS against 2K AD is pretty boring, so don't bother; AdFind will almost
certainly say the data is worthless and not display it.
Notes:
o AdFind was written with simple US ASCII in mind. UNICODE and special
ASCII characters such as characters with umlauts or graphics may not
be output correctly due to how the command prompt handles those
characters. If you see this occurring, redirect the output to a text file
with the command prompt redirection symbols and it is possible the program
will operate correctly. If not, you do not need to tell me, I know and I
am working to correct it in some future version... no timeline.
o AdFind will decode the following attributes whenever encountered:
* any GUID attributes
* generic binary decode to hex string
* msDS-Cached-Membership
* msDS-NCReplCursors
* msDS-NCReplInboundNeighbors
* msDS-NCReplOutboundNeighbors
* msDS-ReplAllInboundNeighbors
* msDS-ReplAllOutboundNeighbors
* msDS-ReplAttributeMetaData
* msDS-ReplConnectionFailures
* msDS-ReplLinkFailures
* msDS-ReplPendingOps
* msDS-ReplQueueStatistics
* msDS-ReplValueMetaData
* msDS-RetiredReplNCSignatures
* msDS-Site-Affinity
* msDS-TopQuotaUsage
* msPKIRoamingTimeStamp
* retiredReplDSASignatures
o In V01.40.00 AdFind gained the ability to take in a stream of DNs through
the STDIN pipe - one DN per line. In this mode, the default search scope
of AdFind changes from SUBTREE to BASE.
Ex1:
adfind -b dc=joehome,dc=net -f "objectcategory=computer"
Find all computer objects in joehome.net and display all attributes
Ex2:
adfind -b dc=joehome,dc=net -f "objectcategory=computer" cn createTimeStamp
Find all computer objects in joehome.net and display cn and createTimeStamp
Ex3:
adfind -h .:50000 -b cn=ab -f "objectcategory=person"
Find all person objects in the cn=ab container of the local ADAM instance
Ex4:
adfind -schema -f "objectcategory=attributeschema" ldapdisplayname -list
List ldapdisplaynames of all attributes defined in schema.
Ex5:
adfind -gc -u domain\user -up passwd -b -f name=joe
Search GC with userid domain\user and password passwd for objects with name=joe
Ex6:
adfind -default -rb cn=users -f "&(objectcategory=person)(samaccountname=*)"
Show all users in the default domain's cn=users container.
Ex7:
adfind -default -showdel -f isdeleted=TRUE
Show deleted objects in the default partition's deleted objects container
Ex8:
adfind -default -f "&(name=bob*)(instancetype=4)" -stats+only
Show STATS result from specified query.
Ex9:
adfind -default -f name=administrators member -list | adfind samaccountname
Dump administrators group membership and then retrieve sAMAccountNames.
Ex10:
adfind -encpwd MySecurePassword1!
Encode password for use in -up switch.
Ex11:
adfind -rootdse -u dom\myuser -up ENCPWD:EhfEeD0ZV -simple
Simple bind with specified credentials and return rootdse.
Ex12:
adfind -default -rb ou=MyUsers -objfilefolder c:\temp\ad_out
Output all objects in MyUsers OU to specified folder structure.
This software is Freeware. Use at your own risk.
I do not warrant this software to be fit for any purpose or use and
I do not guarantee that it will not damage or destroy your system.
Contact support@joeware.net via email for licensing information to package
this utility in commercial products.
See full Warranty documentation or download the latest version
on http://www.joeware.net.
If you have improvement ideas, bugs, or just wish to say Hi, I
receive email 24x7 and read it in a semi-regular timeframe.
You can usually find me at support@joeware.net
AdFind Shortcuts
================
AdFind allows you to specify shortcuts. Shortcuts are not actual commands
themselves but instead are shortcuts to other commands so you do not have
to recall or type the longer commands. Anything one of the shortcuts does
is actually a combination of various other switches. To see exactly what
switches are specified on your behalf, use the -po switch in combination
with the shortcut switch and it will show you everything that AdFind is
processing.
Since these shortcuts are simply a combination of switches auto-entered for
you it means that generally you can use the other switches in AdFind to add
to the query to focus it further or get output closer to what you need. In
addition, most of the shortcuts support the added switch -af xxx, this
allows you to 'add on' to the filter that is specified by the shortcut
in case you want to make the filter more granular. Also if you want to change
which attributes are returned, you can add additional attributes by specifying
them in the normal manner. If you want to reset the list of attributes returned
and specify your own, prefix one of the attributes with an underscore (_attr).
If you want to remove one or more of the attributes from the list you
can specify the attribute with a trailing dash (attr-).
If you have an issue with any of these shortcuts, remember you can just
enter the proper combination of real switches yourself. In general the
shortcuts will work on Windows 2000 AD, Windows Server 2003 AD, and ADAM.
There are however some shortcuts that will not work on Windows 2000 AD
and those have been noted and where possible I have added other shortcuts
specific to Windows 2000 to try and get the same info. There are also some
shortcuts that are specific to AD or ADAM. In most cases the name of the
shortcut should make it clear when it is specific to ADAM or AD. This isn't
true for all cases, because there are shortcuts that don't work on
Windows 2000 AD or Windows Server 2003 AD but are expected to work in a
future version of AD.
When in doubt, just try the switches: AdFind is a query-only tool and
cannot harm your directory by writing data to it, because it can't write.
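The -af add-on filter and the attribute-list modifiers described above (plain name adds, attr- removes, _attr resets the list) compose into the final query that -po would show. As an added example (not AdFind's code), the Python below applies those rules to a constructed stand-in shortcut. The shortcut's hard-coded filter and attribute list are assumptions, as is the reading that any _attr entry discards the defaults and keeps only the user-supplied attributes.

```python
# Constructed stand-in for a shortcut's hard-coded filter and attribute list;
# the real values are only visible through -po, so these are assumptions.
SHORTCUT = {
    "filter": "(&(objectcategory=person)(objectclass=user))",
    "attrs": ["cn", "sAMAccountName", "userAccountControl", "memberOf"],
}


def normalize_filter(flt: str) -> str:
    """AdFind accepts filters without outer parentheses (e.g. -f name=joe);
    wrap them so the result can be nested inside an AND."""
    flt = flt.strip()
    return flt if flt.startswith("(") else f"({flt})"


def apply_af(base_filter: str, af: str) -> str:
    """-af xxx: AND the extra filter onto the shortcut's hard-coded one."""
    if not af or not af.strip():
        return base_filter
    return f"(&{normalize_filter(base_filter)}{normalize_filter(af)})"


def apply_attr_modifiers(default_attrs: list, user_attrs: list) -> list:
    """Plain names are appended (case-insensitive, no duplicates), attr-
    removes, and any _attr entry resets the list to the user's own
    attributes (assumed semantics for the reset)."""
    lower = str.lower
    attrs = [] if any(a.startswith("_") for a in user_attrs) else list(default_attrs)
    for a in user_attrs:
        if a.endswith("-"):
            attrs = [x for x in attrs if lower(x) != lower(a[:-1])]
            continue
        name = a[1:] if a.startswith("_") else a
        if name and lower(name) not in map(lower, attrs):
            attrs.append(name)
    return attrs


def expand_shortcut(shortcut: dict, af: str = "", user_attrs=()) -> dict:
    """What AdFind would actually send: the composed filter and attribute list."""
    return {
        "filter": apply_af(shortcut["filter"], af),
        "attrs": apply_attr_modifiers(shortcut["attrs"], list(user_attrs)),
    }


if __name__ == "__main__":
    print(expand_shortcut(SHORTCUT, af="samaccountname=j*",
                          user_attrs=["whenCreated", "memberOf-"]))
```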
--------------Shortcuts--------------
-af xxx Add filter to hardcoded filter in most shortcuts
-sc policies Display forest policy info.
-sc dompol Display Domain Policy, specify domain base or -default.
-sc modes Show DC, Domain, and Forest Mode info from RootDSE
-sc forestmodes Show modes from NC partition objects for forest
-sc forestmodes:csv Same as above but CSV output
-sc dcmodes Show modes of all DCs in forest from config
-sc dcmodes:csv Same as above but CSV output
-sc masterncs Show NCs mastered by all DCs in forest
-sc masterncs:csv Same as above but CSV output
-sc domainncs Show all domain partitions of forest
-sc domainncs:csv Same as above but CSV output
-sc domainncsl List domain partitions (DN Format) as list output
-sc domainncsl:q Same as above but quoted list output
-sc domainncsl:noroot List domain partitions (DN Format) EXCEPT the root domain as list output
-sc domainncsl:root List root domain partition (DN Format) as list output
NOTE: There is now a switch for the domainncsl shortcut. -domainncsl
Instead of specifying a colon between domainncsl and the extra params, separate by a space
-sc domainlist Dump all Domain NCs in forest in sorted DNS list format
-sc domainlist:short Dump all Domain NCs in forest in sorted SHORT hostname list format
-sc domainlist:noroot Dump all Domain NCs in forest EXCEPT the root domain in DNS list format
-sc domainlist:root Dump root Domain NC in forest in DNS list format
NOTE: There is now a switch for the domainlist shortcut. -domainlist
Instead of specifying a colon between domainlist and the extra params, separate by a space
-sc ridpool Dump Decoded Rid Pool Info
-sc appparts Show application partitions
-sc appparts:csv Same as above but CSV output
-sc apppartsl Same as above but list output
-sc apppartsl:q Same as above but quoted list output
-sc appparts+ Show application partitions (extra info)
-sc appparts+:csv Same as above but CSV output
-sc adsid:xx Resolve Active Directory SID (xx) to object
-sc adguid:xx Resolve Active Directory GUID (xx) to object
-sc whoami Display authenticated user info and token
-sc whoami:csv Same as above but CSV output
-sc adinfo Active Directory Info with whoami info.
ACL / SECURITY DESCRIPTOR / SECURITY SHORTCUTS
**********************************************
-sc sdfilter:xx Display SDs for objects, if xx specified, filter for
that string using MVFILTERing.
-sc sdfilterns:xx Same as above but don't return SACL
-sc explaces Display explicit ACEs
-sc aclnoinherit Display protected ACLs (i.e. inheritance blocked)
-sc getacl Combines -resolvesids, -s base, -sddl++, -sdna
-sc getacls Combines -resolvesids, -s subtree, -sddl++, -sdna
-sc dsd:xx Retrieve defaultSecurityDescriptor for xx in -adcsv format.
-sc cclone Container Clone. ADCSV output for key container attributes.
-sc cclone+ -sc cclone + -resolvesidsgeneric .
-sc cclone+x -sc cclone + -resolvesidsgenx.
-sc sdcsvdmp:xx Dump CSVs in SD CSV Single mode with DNs and SIDs genericized.
Specify xx to specify domain replacement string.
The next few commands use the following filter:
Filter: (|(objectclass=domaindns)(ou=*)(o=*)
(&(objectclass=container)(|(iscriticalsystemobject=TRUE)
(systemFlags=-1946157056))(!(objectclass=grouppolicycontainer))))
-sc ccs Common container search, specifies filter above.
-sc cexplaces:xx Display explicit ACEs only for specific container type objects.
xx will be appended to -sddlfilter ;;;;;<xx>
-sc caclnoinherit Display protected ACLs but only for specific container objects
with same filter used for -sc cexplaces
-sc accessrights Display effective allowed attributes and child classes as well
as rights to modify the Security Descriptor.
-sc accesscheck Alias for -sc accessrights.
-sc daclcsvdmp:xxx Dump Security Descriptor DACL in generic single ACE CSV mode, use xxx for DOMAIN replacement
-sc daclcsvdump:xxx Alias for -sc daclcsvdmp
-sc sdcsvdmp:xxx Dump Security Descriptor in generic single ACE CSV mode, use xxx for DOMAIN replacement
-sc sdcsvdump:xxx Alias for -sc sdcsvdmp
NOTE: For daclcsvdmp and sdcsvdmp if no xxx specified uses -resolvesidsgenex
REPLICATION / METADATA SHORTCUTS
********************************
-sc objmeta:xxx Object metadata for single object xxx
-sc showmeta:xxx Alias for objmeta
-sc objsmeta:xxx Object metadata for multiple objects base xxx
-sc showmetas:xxx Alias for objsmeta
-sc legacylvr:xxx Show any legacy members in object xxx
-sc legacylvrs:xxx Show any legacy members in multiple objects base xxx
-sc legacygroupmembers:xxx Show legacy group members from base xxx
-sc replqueue Show replication info for DC
-sc ncrepl Show replication info by NC, specify NC separately.
-sc replstat:server Shows replication info for server.
Note: See adfind /meta? for more information
QUICK OBJECT LOOKUP SHORTCUTS
*****************************
-sc fo:xx Find object in GC with name xx.
-sc kids:xx Dump one level kids of DN xx.
-sc u:xx Find user in GC with name/samaccountname of xx.
-sc userinfo:xx Get common attributes for user xx.
-sc g:xx Find group in GC with name/samaccountname of xx.
-sc c:xx Find computer in GC with name/samaccountname of xx.
-sc ou:xx Find OU in GC with name of xx.
-sc spn:xx Find object with SPN cifs/xx or host/xx.
-sc email:xx Find object with email address of xx.
-sc site:xx Find AD site with name xx.
-sc subnet:xx Find AD subnet with name xx.
-sc export Filter out most attributes that are not needed in export. (no CSV)
-sc export_user Include standard writeable attributes for user. Does not filter for users.
-sc export_group Include standard writeable attributes for group. Does not filter for groups.
-sc export_container Include standard writeable attributes for container/OU. Does not filter
for containers and OUs.
-sc export_x [BETA] Include standard writeable attributes for most objects.
-sc export_gpo Include standard attributes for gpo. Does not filter for gpos.
-sc sddldmp Dump SDDLs for all objects.
-sc sddlmap Dump GUIDs needed for decoding SDDLs.
-sc sitedmp Dump all objects (except subnets) under sites container.
-sc sitelinkdmp:xx Dump site link objects for site named xx
-sc sitelinkdmpl:xx Same as -sc sitelinkdmp but list mode
-sc subnetdmp Dump all subnets.
-sc gpodmp Dump all objects under GPO container.
-sc fspdmp Dump foreign security principals.
-sc oudmp Dump OUs.
-sc dcdmp Dump Domain Controllers.
-sc dclist Dump Domain Controllers FQDNs. Return DCs for specific
domain by specifying that domain for the base. Return DCs
for forest by specifying -gcb.
-sc dclistf Alias for -sc dclist + -gcb
-sc dclist:rodc Dump RO Domain Controllers FQDNs.
-sc dclist:!rodc Dump Writeable Domain Controllers FQDNs.
-sc dclist:short Dump Domain Controllers Short Host Names.
-sc dclist:short:xx Dump Domain Controllers Short Host Names, xx can be rodc,!rodc.
-sc dclist:dn Dump Domain Controllers Distinguished Names.
-sc dclist:dn:xx Dump Domain Controllers Distinguished Names, xx can be rodc,!rodc.
NOTE: There is now a switch for the dclist shortcut. -dclist
Instead of specifying a colon between dclist and the extra params, separate by a space
-sc dcdmp:csv Dump Domain Controllers in CSV format.
RODC (for RODCs), !RODC (for all writeable DCs).
-sc dcdmp:RODC Dump RODC Domain Controllers.
-sc dcdmp:!RODC Dump NOT RODC Domain Controllers - writeable DCs.
-sc trustdmp Dumps trust objects.
-sc admincountdmp Dump objects with adminCount set with DACL flags.
-sc adobjcnt Count of all objects in specified NC.
-sc adobjcnt:user Count of all user objects in specified NC.
-sc adobjcnt:contact Count of all contact objects in specified NC.
-sc adobjcnt:computer Count of all computer objects in specified NC.
-sc adobjcnt:group Count of all group objects in specified NC.
-sc adobjcnt:ou Count of all OU objects in specified NC.
-sc adobjcnt:site Count of all site objects in specified NC.
-sc adobjcnt:subnet Count of all subnet objects in specified NC.
-sc adobjcnt:gpo Count of all GPO objects in specified NC.
-sc adobjcnt:fsp Count of all foreign security principal objects in specified NC.
-sc adobjcnt:mailbox Count of all mailbox objects in specified NC.
-sc users_disabled Dump disabled users.
-sc users_noexpire Dump non-expiring users.
-sc users_accexpired Dump accounts that are expired (NOT password expiration).
-sc users_pwdnotreqd Dump users set with password not required.
-sc computers_disabled Dump computers that are disabled.
-sc computers_pwdnotreqd Dump computers set with password not required.
-sc computers_active Dump computers that are enabled and password last
set and lastlogontimestamp <= 90 days. Req DFL2.
-sc computers_inactive Dump computers that are disabled or password last set
or lastlogontimestamp > 90 days. Req DFL2.
-sc rodc_cacheable:xx Check to see if secprin xx DN is cacheable on any RODCs.
-sc structdmp Best effort structure output of Active Directory.
-sc structdump Alias for -sc structdmp.
-sc fgpps:xx Dump Fine Grained Password Policy. Optional value xx=report.
-sc fgpps:short Dump Fine Grained Password Policy. Report Mode.
-sc psos Alias for fgpps.
SCHEMA SHORTCUTS
****************
-sc schver Output Schema Version
-sc sguid:xx Resolves rightsGuid or schemaIdGuid to object
will not work on Windows 2000. Use next switches.
-sc s2kguid:xx Resolves schemaIDGuid to object
-sc r2kguid:xx Resolves rightsGuid to object
-sc findpropsetrg:xx Resolves property set displayname to rightsGuid
-sc permguid:xx Alias for findpropsetrg.
-sc propsetmembers:xx Finds all attributes with specified rightsGuid
-sc propsetmembersl:xx Same as above but sorted list output
-sc listpropsets List the available Property Sets
-sc listpropsetsl Same as above but sorted list output of displaynames
-sc listpropsetscsv Same as above but CSV output, displayname/rightsguid
-sc listvwrites List the available Validated Writes
-sc listvwritesl Same as above but sorted list output of displaynames
-sc listvwritescsv Same as above but CSV output, displayname/rightsguid
-sc listxrights List the available Extended Rights
-sc listxrightsl Same as above but sorted list output of displaynames
-sc listxrightscsv Same as above but CSV output, displayname/rightsguid
-sc s:xx Find schema objects by name/lDAPDisplayName
-sc sl:xx Same as above but sorted list output
NOTE: For -sc s: and -sc sl: append ;class or ;attr
to focus on classes or attributes.
-sc scontains:xx Find classes an attribute is directly part of
-sc scontainsl:xx Same as above but sorted list output
-sc cc:xx Find classes that include specified class
-sc ccl:xx Same as above but sorted list output
-sc pas Display attributes marked for PAS inclusion
-sc pasl Same as above but sorted list output
-sc ropas Display attributes marked for RODC replication
-sc ropasl Same as above but sorted list output
-sc !ropas Display attributes NOT marked for RODC replication
-sc !ropasl Same as above but sorted list output
-sc indexed Display attributes marked as indexed
-sc indexedl Same as above but sorted list output
-sc tuple Display attributes marked as tuple indexed
-sc tuplel Same as above but sorted list output
-sc cindexed Display attributes marked as container indexed
-sc cindexedl Same as above but sorted list output
-sc sindexed Display attributes marked as subtree indexed
-sc sindexedl Same as above but sorted list output
-sc confidential Display attributes marked as confidential
-sc confidentiall Same as above but sorted list output
-sc copy Display attributes marked to be copied
-sc copyl Same as above but sorted list output
-sc constructed Display constructed attributes
-sc constructedl Same as above but sorted list output
-sc cat1 Display category 1 attributes
-sc cat1l (cat one el) Same as above but sorted list output
-sc norepl Display non-replicated attributes
-sc norepll Same as above but sorted list output
-sc norepl+ Display non-replicated attributes (no links)
-sc norepll+ Same as above but sorted list output
-sc anr Display ANR attributes
-sc anrl Same as above but sorted list output
-sc tombstone Display attributes maintained in tombstone
-sc tombstonel Same as above but sorted list output
-sc linked Display linked value attributes
-sc linkedl Same as above but sorted list output
-sc linked:fwd Display forward linked value attributes
-sc linkedl:fwd Same as above but sorted list output
-sc linked:rev Display reverse linked value attributes
-sc linkedl:rev Same as above but sorted list output
-sc syscrit System Critical attributes
-sc syscritl Same as above but sorted list output
-sc sdump Dump schema in generic format for comparison
-sc sdump:csv Same as above but CSV output
-sc sdump:attrib Dump just the attribs.
-sc sdump:class Dump just the classes.
-sc schemadmp This is an alias for -sc sdump.
-sc xrdump Dump Extended rights for comparison
-sc xrdump:csv Dump Extended rights for comparison
-sc xrdump:propset Dump Property Sets for comparison
-sc xrdump:vwrite Dump Validated Writes for comparison
-sc xrdump:xright Dump Extended Rights for comparison
-sc xrdmp This is an alias for -sc xrdump.
UNIVERSAL GROUP CACHING SHORTCUTS
*********************************
-sc ugcenabled Sites enabled for Universal Group Caching (UGC)
-sc ugcenabledl Same as above but sorted list output
-sc usedugc Display users/computers that have used UGC
-sc usedugc:decode Same as above but decode values
-sc dumpugcinfo Dump info for users/computers that have used UGC
-sc dumpugcinfo:decode Same as above but decode values
FSMO SHORTCUTS
**************
-sc fsmo Display all FSMOs in domain of DC plus forest roles
-sc fsmo:domain Display all FSMOs in domain of DC
-sc fsmo:pdc Display PDC FSMO
-sc fsmo:rid Display RID FSMO
-sc fsmo:im Display Infrastructure Master FSMO
-sc fsmo:forest Display forest FSMOs
-sc fsmo:schema Display Schema FSMO
-sc fsmo:dnm Display Domain Naming Master FSMO
EXCHANGE SHORTCUTS
******************
-sc exchaddresses Display objects with Exch addresses and addresses
-sc exchaddresses:xx Same as above, but only display addresses with xx
-sc exchmbxs Display objects with Exchange Mailboxes
-sc exchsmtpaddr Display SMTP addresses for Exchange enabled objects
-sc exchprimarysmtp Display Primary SMTP addresses for Exchange enabled objects
-sc exchme:xx Display objects that are Exchange mail enabled. If
xx is specified, it should be one of the strings:
users, contacts, or groups and focuses the query on those
object types.
-sc exchnosys Add on to filter out Exchange system objects
ADAM / ADLDS SHORTCUTS
**********************
-sc adamsid:xx Resolve ADAM SID (xx) to object
-sc adamguid:xx Resolve ADAM GUID (xx) to object
-sc caua Add Constructed ADAM User Attribs for display
-sc adam_info Alias for -sc caua
-sc adamobjcnt Count of all objects in ADAM instance.
-sc adamobjcnt:user Count of all user objects in ADAM instance.
-sc adamobjcnt:contact Count of all contact objects in ADAM instance.
-sc adamobjcnt:computer Count of all computer objects in ADAM instance.
-sc adamobjcnt:group Count of all group objects in ADAM instance.
-sc adamobjcnt:ou Count of all OU objects in ADAM instance.
-sc adamobjcnt:site Count of all site objects in ADAM instance.
-sc adamobjcnt:subnet Count of all subnet objects in ADAM instance.
-sc adamobjcnt:gpo Count of all GPO objects in ADAM instance.
-sc adamobjcnt:fsp Count of all foreign security principal objects in ADAM instance.
-sc adamobjcnt:mailbox Count of all mailbox objects in ADAM.
-sc adam_fo:xx Find object in ADAM with name xx.
-sc adam_u:xx Find user in ADAM with name xx.
-sc adam_ou:xx Find OU in ADAM with name xx.
-sc adam_email:xx Find object in ADAM with email address xx.
-sc adam_spn:xx Find object in ADAM with SPN xx.
-sc adam_g:xx Find group in ADAM with name xx.
-sc ldsldapurl:xx Return LDS LDAP URLs for instances with instancename xx.
-sc ldsldapsurl:xx Return LDS LDAPS URLs for instances with instancename xx.
-sc ldsinstances:xx Return info on instances with instancename xx.
Ex1:
adfind -sc exchaddresses:smtp
Dump all Exchange objects and their SMTP proxyaddresses
Ex2:
adfind -sc indexedl
Display sorted list of lDAPDisplayNames of indexed attributes
Ex3:
adfind -sc sl:msds*
Display sorted list of lDAPDisplayNames of schema objects starting with msds
Ex4:
adfind -sc sdump
Dump schema in generic format for WINDIFF compare with another schema
MetaData Help
=============
AdFind has the ability to decode various metadata type attributes. These
attributes can give information about replication status of the server
itself or replication metadata for individual objects.
These special attributes are normally returned from Active Directory in
XML format. This is a bit bulky and can be tough to read without cleanup,
so I have added the ability to decode the attributes and cut down the amount
of data passed over the wire. Using the ;binary option when specifying an
attribute causes AD to reformat certain attributes and send them across as
binary blocks of data. When requesting the meta attributes outlined below,
if you do not specify the ;binary option they will be returned in the
native format; if you add the ;binary option they will be returned in the
alternate format and AdFind will decode the strings to its own format.
To further assist the ease of retrieving this information, see the shortcut
usage menu via adfind /sc?
Also see -metafilter* switches under the output section of AdFind /??
MetaData Attributes
-------------------
msDS-ReplQueueStatistics - RootDSE attribute
Replication queue statistics. Output is labeled. No sort options.
msDS-ReplPendingOps - RootDSE attribute
Any replications operations currently in progress. Output is labeled.
Default sort order is server return order. Sort options - dsa,date
msDS-ReplConnectionFailures - RootDSE attribute
msDS-ReplLinkFailures - RootDSE attribute
Replication failure information. Output is labeled. Default sort order
is by DSA. Sort options - dsa,date
msDS-ReplAllInboundNeighbors - RootDSE attribute
msDS-ReplAllOutboundNeighbors - RootDSE attribute
Replication info for all direct neighbors. Output is labeled. Default
sort order is by DSA. Sort options - dsa,date,nc,err
msDS-TopQuotaUsage - RootDSE attribute
Indicates the top object owners on a given server. Output is labeled.
Default sort order is server return order. Sort options - nc,owner.
msDS-NCReplInboundNeighbors - Naming Context attribute
msDS-NCReplOutboundNeighbors - Naming Context attribute
Replication info for all direct neighbors for the specific NC. Output is
labeled. Default sort order is by DSA. Sort options - dsa,date,nc,err
msDS-NCReplCursors - Naming Context attribute
Replication cursors by DSA by context. Output format:
HighestUSN LastSyncTime DSA
Default sort order is last sync time. Sort options - lastsync,dsa
msDS-ReplAttributeMetaData - Object Level attribute
Replication metadata for object. Output format:
USNLocal DSA USNOrig Date/Time Version Attribute
Default sort order is date. Sort options - attrib,DSA,date,usnloc,usnorig,ver
msDS-ReplValueMetaData - Object Level attribute (FFL2+ only - i.e. LVR Replication)
Replication value metadata for object. Output format:
attribute USNLocal DSA USNOrig Date/Time Version State ObjectDN
Default sort order is date. Sort options - attrib,obj,DSA,state,date,usnloc,usnorig,ver
Sort Options
------------
The decoded output for most of the metadata attributes can be sorted by various
fields in the output. The specific fields for each attribute are listed with
the description of the attribute. To change the sort field, use the
-metasort switch combined with one of the options listed above. If the
value has a dash (-) appended, the sort order is reversed. Note that if more
than 1000 values are returned, the output will not be fully sorted. This is
due to how the values are returned, coupled with the memory and CPU cost of
holding and sorting all of that information. Visualize a group with 500k
users in it. A purposeful decision was made to be fast and not eat up
resources rather than to guarantee sort order in those conditions.
Filter Options
--------------
The decoded output for msDS-ReplAttributeMetaData;binary and
msDS-ReplValueMetaData;binary can be filtered using -metafilter* switches. You
can specify several filters by separating them with a semi-colon (;). If you
specify several filters of the same type, i.e. two or more version filters
they are OR'ed together. If you specify several filters of different types they
are AND'ed together.
Ex1:
adfind -rootdse msDS-TopQuotaUsage;binary
Get top 10 quota users in decoded format
Ex2:
adfind -b cn=someobject,ou=someou,dc=test,dc=loc -s base msDS-ReplAttributeMetaData;binary
Get attribute metadata for specified object in decoded format
Ex3:
adfind -b dc=test,dc=loc -s base msDS-ReplAttributeMetaData;binary -metafilter maxpwdage
Get attribute metadata for maxpwdage attribute for domain.
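The following is an added example (not part of AdFind or its help text) that models the -metasort and -metafilter semantics described above over the decoded msDS-ReplAttributeMetaData;binary column layout (USNLocal DSA USNOrig Date/Time Version Attribute). The sample records, the ISO date format and the two filter types (attrib, ver) are constructed assumptions; real AdFind output formatting may differ.

```python
"""Model of AdFind -metasort / -metafilter behaviour on decoded
msDS-ReplAttributeMetaData output (example code, not AdFind's own)."""
from datetime import datetime

# Constructed sample rows, whitespace-separated in the documented column
# order: USNLocal DSA USNOrig Date/Time Version Attribute. Date format is
# an assumption for the example; real decoded output may differ.
SAMPLE = """\
4812 DC01 4812 2023-09-01T10:15:00 3 pwdLastSet
5020 DC02 3377 2023-10-03T08:00:00 1 adminCount
4990 DC01 4990 2023-10-02T17:45:12 7 userAccountControl
5100 DC02 3450 2023-10-05T12:00:00 2 pwdLastSet
"""

# Field names match the -metasort options listed for this attribute.
FIELDS = ("usnloc", "dsa", "usnorig", "date", "ver", "attrib")

def parse(text):
    """Turn each decoded output line into a dict keyed by sort-option name."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # skip labels or blank lines
        rec = dict(zip(FIELDS, parts))
        for numeric in ("usnloc", "usnorig", "ver"):
            rec[numeric] = int(rec[numeric])
        rec["date"] = datetime.fromisoformat(rec["date"])
        rows.append(rec)
    return rows

def meta_filter(rows, filters):
    """filters: list of (type, value). Filters of the same type are OR'ed,
    filters of different types are AND'ed, as the help text describes.
    Only 'attrib' and 'ver' filter types are modelled here (assumption)."""
    by_type = {}
    for ftype, value in filters:
        by_type.setdefault(ftype, set()).add(str(value).lower())
    return [r for r in rows
            if all(str(r[t]).lower() in vals for t, vals in by_type.items())]

def meta_sort(rows, option):
    """option is a sort field such as 'date'; a trailing dash ('date-')
    reverses the order, mirroring -metasort."""
    reverse = option.endswith("-")
    key = option.rstrip("-").lower()
    if key not in FIELDS:
        raise ValueError(f"unknown sort field: {key}")
    return sorted(rows, key=lambda r: r[key], reverse=reverse)
```

Sorting by date- surfaces the most recently originated attribute writes first, which is the usual starting point when reviewing who changed what on an object.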
This software is Freeware. Use at your own risk.
I do not warrant this software to be fit for any purpose or use and
I do not guarantee that it will not damage or destroy your system.
Contact support@joeware.net via email for licensing information to package
this utility in commercial products.
See full Warranty documentation or download the latest version
on http://www.joeware.net.
If you have improvement ideas, bugs, or just wish to say Hi, I
receive email 24x7 and read it in a semi-regular timeframe.
You can usually find me at support@joeware.net