Re: [ActiveDir] bitwise filters

2006-06-15 Thread Matheesha Weerasinghe

Thanks joe!
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] bitwise filters

2006-06-14 Thread joe



Sorry for the delay. Too many things going on. I flagged this to come back to and finally got a chance. Quickies that I see during the day I will fire off, the ones that take a little thought I come back to. :) Especially for this list I try to make sure my ducks are in a row so that I don't get smacked about too much.

Forgive converting to HTML, it makes this post easier to read, at least for me, and since this is all freebee I will do what I like. ;o)

1a. If you want to check multiple bits and ALL bits need to be enabled then you want AND. If you want to check multiple bits and ANY of them can be enabled then you want OR. For a single bit, either one is fine.

1b. Always try to make positive searches instead of NOTed searches. A NOT in the filter is generally more inefficient than anything positive you do. Also a NOT filter can give you false positives. This can occur if there are values you aren't expecting or you don't have permissions on the attribute you are NOTing on some objects that you can otherwise see. For example, there are some groups for AzMan that will cause your NOT filter below to break. If you check out the MSDN Schema Def for groupType it looks like they finally got the changes I submitted up there for APP_BASIC and APP_QUERY[1].

Next, since groupType is indexed, you can toss out the objectcategory=group for the query to simplify it.

The fastest query I can think of to get local and global groups would be

(grouptype:1.2.840.113556.1.4.804:=6)

The fastest query I can think of to get security enabled local groups would be

(samaccounttype=536870912)

To get all local groups would be

(|(samaccounttype=536870912)(samaccounttype=536870913))

To get security enabled global and universal groups

(samaccounttype=268435456)

To get all global and universal

(|(samaccounttype=268435456)(samaccounttype=268435457))

To understand the sAMAccountType values, use the -samdc switch in adfind[2].

2. You can't query AD for the OIDs. If you use adfind, use -bit (which stands for bitwise operator) to tell it to replace occurrences of the strings :AND: and :OR: in the filter with the OIDs for you, like so (which finds disabled users)

adfind -default -bit -f "(objectcategory=person)(useraccountcontrol:AND:=2)" -dn

I require the switch in the off chance you just might use :AND: or :OR: as part of your filter for some other reason.

3. Why does adfind output the grouptype in negative numbers. That is actually a very good question. From my end it is a simple answer but I will also give the hard answer... From the adfind standpoint, I ask for that value to come back as a string, Active Directory sends me back the string as you see it and I display it. So AdFind displays a negative number (actually a string of number characters preceded by a dash, which we take to mean a negative number) because that is what AD gives it to display.

The deeper answer is found partially in the schema definition and partially in number representation in computers.

First the schema definition

G:\>adfind -sc s:grouptype

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=test,DC=loc

dn:CN=Group-Type,CN=Schema,CN=Configuration,DC=test,DC=loc
objectClass: top
objectClass: attributeSchema
cn: Group-Type
distinguishedName: CN=Group-Type,CN=Schema,CN=Configuration,DC=test,DC=loc
instanceType: 4 [WRITABLE(4)]
whenCreated: 20050805195858.0Z
whenChanged: 20050805195858.0Z
uSNCreated: 287
attributeID: 1.2.840.113556.1.4.750
attributeSyntax: 2.5.5.9 [INTEGER/ENUMERATION]
isSingleValued: TRUE
uSNChanged: 287
showInAdvancedViewOnly: TRUE
adminDisplayName: Group-Type
adminDescription: Group-Type
oMSyntax: 2
searchFlags: 9 [INDEX(1);PRESERVE TOMBSTONE(8)]
lDAPDisplayName: groupType
name: Group-Type
objectGUID: {58E64833-8403-4CA7-8D33-D66E64580BF2}
schemaIDGUID: {9A9A021E-4A5B-11D1-A9C3-F80367C1}
systemOnly: FALSE
systemFlags: 18 [PAS-ATTR(2);CAT-1(16)]
isMemberOfPartialAttributeSet: TRUE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=test,DC=loc

1 Objects returned

Note you see that the attributeSyntax is 2.5.5.9 which is an integer (or enumeration, which is a fancy name for an integer with fixed values). An integer value is 32 bits in length and has a sign. When I say it has a sign I don't mean it is running around with a chunk of cardboard that says "Save the world from morons!", it means that it can be positive OR negative. A value can be an unsigned integer as well, which means it has no sign, all values represented are positive. The way you represent signs in integer values in computers commonly today is with a system called two's complement. This takes the leftmost (or highmost or most significant) bit and calls it the sign bit. If that bit is off, the value is positive, if the value is on, it is negative.

So if you have 32 bits available to express a positive number as you do in an unsigned integer, your

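The points in joe's reply above (the 803/804 matching-rule semantics, why a positive OR filter is safer than a NOTed AND filter, what adfind -bit substitutes, and why 2147483650 comes back as -2147483646) as an added, runnable example that is not part of the thread and is not adfind's code. The group names and groupType values in SAMPLE_GROUPS are constructed test data; the "Hidden" entry, whose groupType the caller cannot read, and the rule that a NOT clause matches such an entry, model the permissions false positive joe describes and are assumptions of this example, not something observed against a directory.

```python
import struct

# Matching-rule OIDs. They are not stored in the directory; clients hard-code them.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# groupType flag bits, in the order the schema documents them.
GROUP_TYPE_FLAGS = {
    0x00000001: "BUILTIN_LOCAL",
    0x00000002: "ACCOUNT (global)",
    0x00000004: "RESOURCE (domain local)",
    0x00000008: "UNIVERSAL",
    0x00000010: "APP_BASIC",            # AzMan application basic group
    0x00000020: "APP_QUERY",            # AzMan LDAP query group
    0x80000000: "SECURITY_ENABLED",
}


def to_unsigned32(value):
    """Reinterpret the signed 32-bit integer AD returns as its raw bit pattern."""
    return struct.unpack("<I", struct.pack("<i", value))[0]


def to_signed32(value):
    """Inverse: what AD (and so adfind) displays for a given 32-bit pattern."""
    return struct.unpack("<i", struct.pack("<I", value))[0]


def describe_group_type(value):
    """Names of the groupType bits set in a signed value such as -2147483646."""
    bits = to_unsigned32(value)
    return [name for bit, name in GROUP_TYPE_FLAGS.items() if bits & bit]


def bitwise_match(value, oid, assertion):
    """Evaluate one (attr:<oid>:=<assertion>) clause against a string value.

    Returns None when the attribute is absent or unreadable, so the caller
    decides how a surrounding NOT treats it.
    """
    if value is None:
        return None
    bits = to_unsigned32(int(value))
    if oid == LDAP_MATCHING_RULE_BIT_AND:
        return bits & assertion == assertion   # every asserted bit set
    if oid == LDAP_MATCHING_RULE_BIT_OR:
        return bits & assertion != 0           # at least one asserted bit set
    raise ValueError("unknown matching rule %s" % oid)


def expand_adfind_bit(filter_text):
    """What adfind -bit does: swap :AND:/:OR: for the matching-rule OIDs."""
    return (filter_text.replace(":AND:", ":%s:" % LDAP_MATCHING_RULE_BIT_AND)
                       .replace(":OR:", ":%s:" % LDAP_MATCHING_RULE_BIT_OR))


# Constructed sample directory: groupType exactly as AD returns it, as a string.
SAMPLE_GROUPS = {
    "Domain Admins": "-2147483646",      # 0x80000002 global, security enabled
    "Sales": "2",                        # global distribution
    "Helpdesk": "-2147483644",           # 0x80000004 domain local, security enabled
    "Enterprise Admins": "-2147483640",  # 0x80000008 universal, security enabled
    "All Staff": "8",                    # universal distribution
    "AzMan Readers": "16",               # APP_BASIC: not global, local or universal
    "Hidden": None,                      # groupType not readable by this caller (assumed)
}


def global_or_local_positive(groups):
    """(grouptype:1.2.840.113556.1.4.804:=6): OR on the global and local bits."""
    return sorted(name for name, value in groups.items()
                  if bitwise_match(value, LDAP_MATCHING_RULE_BIT_OR, 6))


def not_universal(groups):
    """(!(grouptype:1.2.840.113556.1.4.803:=8)).

    The inner clause does not match an absent or unreadable attribute, so the
    NOT matches that object; AzMan groups match too because they carry none
    of the bits 2, 4 or 8. Both are the false positives a positive filter avoids.
    """
    return sorted(name for name, value in groups.items()
                  if not bitwise_match(value, LDAP_MATCHING_RULE_BIT_AND, 8))


if __name__ == "__main__":
    print("-2147483646 ->", hex(to_unsigned32(-2147483646)),
          describe_group_type(-2147483646))
    print("OR  filter:", global_or_local_positive(SAMPLE_GROUPS))
    print("NOT filter:", not_universal(SAMPLE_GROUPS))
    print(expand_adfind_bit("(&(objectcategory=person)(useraccountcontrol:AND:=2))"))
```

Running it shows the OR filter returning only the three global and local groups, while the NOT filter also returns the AzMan group and the entry whose groupType is unreadable. The struct round trip is the whole of the negative-number answer: -2147483646 and 2147483650 are the same 32 bits, 0x80000002, read with and without a sign bit.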
Re: [ActiveDir] bitwise filters

2006-06-13 Thread Matheesha Weerasinghe

Thanks for replying Tony. Unfortunately gmail couldn't read your reply
so I resorted to the archive.

In my example for searching universal groups, I wasn't distinguishing
between security and distribution groups. Therefore the 2nd filter is
correct too, isn't it?

As for the 3rd question, I am sure you can answer it. Please don't hold
back. I merely addressed it to Joe as he wrote the tool and hence
should know how it behaves more than anyone else ;-) But if anyone
else could explain it, I will be most grateful.

TIA

M@


On 6/13/06, Tony Murray [EMAIL PROTECTED] wrote:





[ActiveDir] bitwise filters

2006-06-12 Thread Matheesha Weerasinghe

Guys,

I have a few questions on bitwise filters.

1. I just wanna make sure I've understood bitwise filters correctly.
Basically if I want to check if all bits are set, I should use the
Bitwise AND operator. If I need to check if any number of the bits I
am interested in are set, I should use the OR operator. Therefore the
OR operator is best used in multiple bit checking scenarios. If I am
checking for only one bit (and not multiple bits), then I should
use the AND operator. I guess it really doesn't matter. It's just the
logic behind it.

If I want a list of global and local groups, I could either do a
search for groups that are not universal or I could do a search for
groups that have the bit for either global or local set, couldn't I? i.e.
(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.804:=6)) or
(&(objectcategory=group)(!(grouptype:1.2.840.113556.1.4.803:=8))).
Please correct me if I am wrong.

2. How do I find the bitwise filter OID for AND or OR without referring
to manuals. Can I query this in the directory or is it hardcoded?


3. Joe,

Could you please explain why the group type value output in adfind is
minus? If I do a query with -f
(objectcategory=group)(grouptype:1.2.840.113556.1.4.803:=2147483650)
grouptype, I get -2147483646 as the output. The results are correct. I
just want to understand why the output is minus.

Thanks

M@


RE: [ActiveDir] bitwise filters

2006-06-12 Thread Tony Murray
Hi M@

Responses in-line.

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha 
Weerasinghe
Sent: Tuesday, 13 June 2006 8:08 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] bitwise filters

Guys,

I have a few questions on bitwise filters.

1. I just wanna make sure I've understood bitwise filters correctly.
Basically if I want to check if all bits are set, I should use the Bitwise AND 
operator. If I need to check if any number of the bits I am interested in are 
set, I should use the OR operator. Therefore the OR operator is best used in 
multiple bit checking scenarios. If I am
checking for only one bit (and not multiple bits), then I should
use the AND operator. I guess it really doesn't matter. It's just the logic 
behind it.

***TM: Your understanding is correct.

If I want a list of global and local groups, I could either do a search for 
groups that are not universal or I could do a search for groups that have the 
bit for either global or local set, couldn't I? i.e.
(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.804:=6)) or 
(&(objectcategory=group)(!(grouptype:1.2.840.113556.1.4.803:=8))).
Please correct me if I am wrong.

***TM: The first filter looks better to me.  The second one would not find 
Universal security groups (because with the AND matching rule all of the bits 
must match).  Universal security groups have a decimal value of 2147483656.

2. How do I find the bitwise filter OID for AND or OR without referring to 
manuals. Can I query this in the directory or is it hardcoded?

***TM: I don't believe you'll find it in the directory (i.e. it's not part of 
the schema).  It is however a (Microsoft) registered OID.  See 
http://www.alvestrand.no/objectid/1.2.840.113556.1.4.html

3. Joe,

Could you please explain why the group type value output in adfind is minus? If 
I do a query with -f 
(objectcategory=group)(grouptype:1.2.840.113556.1.4.803:=2147483650)
grouptype, I get -2147483646 as the output. The results are correct. I just 
want to understand why the output is minus.

***TM: I'm sure Joe will answer this one.

Thanks

M@