Category Archives: Microsoft

Active Directory Search Controls for LDAP
Date Created: January 27, 2016  Date Modified: January 27, 2016

The following list shows many of the LDAP controls that Active Directory supports with relation to searching, as well as how to use the more common controls with AdFind:

LDAP_PAGED_RESULT_OID_STRING (1.2.840.113556.1.4.319)
Specifying this LDAP control instructs the domain controller that it can return more results than can fit in a single page. This is useful when searching for large result sets and should generally always be included in an Active Directory search.

LDAP_SERVER_DIRSYNC_OID (1.2.840.113556.1.4.841)
DirSync is an LDAP feature that allows you to ask Active Directory for all the objects in a given naming context that have changed since the last time the search was performed. Changes are tracked with a cookie that is returned by the server.

The DirSync control will only return modified attributes. If you want to return the full object when any attribute of that object has been modified, and you are running Windows Server 2012 or later, use the LDAP_SERVER_DIRSYNC_EX_OID (1.2.840.113556.1.4.2090) version of this control instead.

Applications such as Microsoft Forefront Identity Manager (FIM) use the DirSync LDAP feature to track changes. For more information on this feature, refer to this link.

LDAP_SERVER_DOMAIN_SCOPE_OID (1.2.840.113556.1.4.1339)
To make sure that the domain controller does not return referrals to result sets that are stored on other servers, include this LDAP control in your request.

LDAP_SERVER_EXTENDED_DN_OID (1.2.840.113556.1.4.529)
When this LDAP control is enabled, Active Directory will return the SID and objectGUID of each result as prefixes to the object’s DN in the result set. For more information, refer to this link.

LDAP_SERVER_GET_STATS_OID (1.2.840.113556.1.4.970)
This extremely useful LDAP control instructs Active Directory to return statistics about how the query processor will perform the requested search, as well as performance statistics about the result. We’ll discuss this feature in more detail later in this chapter.

LDAP_SERVER_NOTIFICATION_OID (1.2.840.113556.1.4.528)
When this control is specified, Active Directory won’t return a result until the requested object is modified. This is useful for tracking changes to specific objects in the directory and responding to them. For more information, refer to this link.

LDAP_SERVER_RANGE_OPTION_OID (1.2.840.113556.1.4.802)
Similar to the paged results control mentioned earlier, this is typically a control you will always want to specify. The ranged results control is used when you need to retrieve values in a multivalued attribute in excess of the maximum number of values a DC will return by default. You can use the LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID (1.2.840.113556.1.4.1948) alternate implementation of this LDAP control to ensure that errors will not be returned if you request more values than are available.

LDAP_SERVER_SD_FLAGS_OID (1.2.840.113556.1.4.801)
Use this control to tell the domain controller which components of an object’s ntSecurityDescriptor (the ACL) to retrieve. Depending on the permissions of the user performing the query, not all of the components of the ACL may be readable. For more information, refer to this link.

LDAP_SERVER_SEARCH_OPTIONS_OID (1.2.840.113556.1.4.1340)
This generic control’s most useful function is called phantom root. The phantom root feature enables you to perform a search across all of the naming contexts (application NCs excluded) hosted on a global catalog. If you have a multidomain forest with disjointed namespaces, use this control to search across all of the domains at once. Use the -pr switch to enable this function in AdFind.

LDAP_SERVER_SHOW_DELETED_OID (1.2.840.113556.1.4.417)
This control instructs the domain controller to include deleted objects and tombstones in the result set. If you have enabled the Active Directory Recycle Bin, this will only include objects that are currently recoverable. To include objects that have transitioned out of the Recycle Bin, you must also include the LDAP_SERVER_SHOW_RECYCLED_OID (1.2.840.113556.1.4.2064) control.

Active Directory treats deactivated linked values (links to objects that are in the Recycle Bin) differently. If you want to include deactivated links in your results, add the LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID (1.2.840.113556.1.4.2065) control.

To include deleted objects in AdFind, append the -showdel switch. If you also want to include objects that have transitioned out of the Recycle Bin, also append the -showrecycled switch. To include deactivated links, append -showdelobjlinks.

LDAP_SERVER_SORT_OID (1.2.840.113556.1.4.473)
This control instructs the server to sort the results based on one attribute before returning the result set. You can request search results to be sorted with AdFind by using the -sort and -rsort (reverse order) parameters. This document provides a great deal more information about sorting, especially with regard to the language-specific ordering of a result set and phonetic sort functionality on Japanese-language domain controllers.

Server-side sorting requires the use of a temporary table in the Active Directory database when the attribute being sorted on is not indexed. Temporary tables are limited in size. Consequently, server-side sorting of large result sets with unindexed attributes will likely fail due to the size constraints of the temporary table.

LDAP_CONTROL_VLVREQUEST (2.16.840.1.113730.3.4.9)
Virtual list view (VLV) searches are useful for large searches that will be paged through in a format similar to scrolling through an address book or phone directory. In fact, some versions of Microsoft Exchange use VLV for building the address books shown in email clients. For more information, refer to this link.

LDAP_SERVER_ASQ_OID (1.2.840.113556.1.4.1504)
Attribute scoped queries (ASQs) are useful when you want to perform a query based on a linked attribute’s value(s). For example, you might want to return all of the users who are members of a group called All Users. You can do this using AdFind with this syntax:

adfind -asq member -b "cn=All Users,ou=Groups,dc=cohovines,dc=com"
          -f "objectClass=user"
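
A parser for the DN format produced by LDAP_SERVER_EXTENDED_DN_OID, which turns the GUID and SID prefixes into their usual string forms. This is an added example, not code from the original post; the function names and the sample values are constructed, and it assumes the server returns either the hexadecimal or the string form of the prefixes.

```python
import re
import uuid

# <GUID=...>;<SID=...>;DN  (the SID part is absent for objects without a SID)
_EXT_DN = re.compile(r"^<GUID=([^>]+)>;(?:<SID=([^>]+)>;)?(.*)$", re.S)

# Constructed sample values (not taken from a real directory).
SAMPLE_HEX = ("<GUID=67452301ab89efcd0123456789abcdef>;"
              "<SID=01050000000000051500000001000000020000000300000050040000>;"
              "CN=Test User,OU=Staff,DC=cohovines,DC=com")
SAMPLE_STR = ("<GUID=01234567-89ab-cdef-0123-456789abcdef>;"
              "<SID=S-1-5-21-1-2-3-1104>;"
              "CN=Test User,OU=Staff,DC=cohovines,DC=com")

def sid_from_bytes(raw):
    """Convert a binary SID to its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")  # 48-bit, big-endian
    subs = [int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little")
            for i in range(count)]              # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def parse_extended_dn(value):
    """Split an extended DN into {'guid', 'sid', 'dn'}; sid may be None."""
    m = _EXT_DN.match(value)
    if not m:
        raise ValueError("not an extended DN")
    guid_txt, sid_txt, dn = m.groups()
    if re.fullmatch(r"[0-9a-fA-F]{32}", guid_txt):
        # Hex form: the objectGUID bytes in stored (mixed-endian) order.
        guid = uuid.UUID(bytes_le=bytes.fromhex(guid_txt))
    else:
        guid = uuid.UUID(guid_txt)               # dashed string form
    sid = None
    if sid_txt is not None:
        is_string = sid_txt.upper().startswith("S-")
        sid = sid_txt if is_string else sid_from_bytes(bytes.fromhex(sid_txt))
    return {"guid": str(guid), "sid": sid, "dn": dn}
```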
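
How the values of three of the controls listed above are encoded on the wire, useful when reading a packet capture or building a request by hand. This is an added example, not code from the original post; the function names are hypothetical, and the flag values come from Microsoft's protocol documentation rather than from this page.

```python
PAGED_RESULTS = "1.2.840.113556.1.4.319"  # OIDs as listed on the page
SD_FLAGS = "1.2.840.113556.1.4.801"
SEARCH_OPTIONS = "1.2.840.113556.1.4.1340"
# Flag values from Microsoft's protocol documentation (not from the page).
OWNER, GROUP, DACL, SACL = 0x1, 0x2, 0x4, 0x8  # SD flags control
PHANTOM_ROOT = 0x2  # search options control

def _tlv(tag, body):
    """Encode one BER tag-length-value element."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def _int(value):
    """Encode a non-negative INTEGER in minimal two's complement."""
    if value < 0:
        raise ValueError("control values here are non-negative")
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def paged_value(page_size, cookie=b""):
    """SEQUENCE { size INTEGER, cookie OCTET STRING } (RFC 2696)."""
    return _tlv(0x30, _int(page_size) + _tlv(0x04, cookie))

def flags_value(flags):
    """SEQUENCE { flags INTEGER }: SD flags and search options controls."""
    return _tlv(0x30, _int(flags))

def _read(buf, pos):
    """Return (tag, body, next_pos) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:  # long form: low bits give the number of length bytes
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def parse_paged_value(value):
    """Decode a paged-results control value into (size, cookie)."""
    tag, seq, _ = _read(value, 0)
    t1, size, nxt = _read(seq, 0)
    t2, cookie, _ = _read(seq, nxt)
    if (tag, t1, t2) != (0x30, 0x02, 0x04):
        raise ValueError("not a paged-results control value")
    return int.from_bytes(size, "big", signed=True), cookie
```

The first request carries an empty cookie; each later request echoes the cookie from the previous response, and an empty cookie in a response means the result set is complete.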

Finally we have reached the 21st century
Date Created: January 15, 2013  Date Modified: January 24, 2013

After seeing Lawnmowerman in the 90’s (even before) I have wanted a VR headset. I remember reading in a PC mag 20 years ago about a system that was commercially available at the time that could run… the original DOOM. This new product includes OOTB support for DOOM 3 BFG Edition:

DOOM 3 BFG Edition and Hawken are the only official Oculus-ready titles that have been announced as of November 1, 2012. We hope there are plenty of game developers who soon integrate Oculus technology into their upcoming titles and begin creating new games designed specifically for virtual reality!

also from the FAQ:

Libraries, headers, documentation, and samples for integrating the Oculus Rift with any game. We’ll also include out-of-the-box Unreal Engine and Unity integrations. The Oculus SDK will support PC (Windows) at launch.

From the Oculus FAQ

Don't care too much about Doom 3–when I was reading it for Games Art and Design, I really didn't enjoy it; I'm nostalgic for the original but I found 3 “disconnected” and dated, still it's a game I own and have modded with. Unity integration will be fun with the framework being used by many indie developers, but Unreal is where this product will likely shine being that the engine is the core of many games on the market.


[VIDEO] This is why I need an Xbox (and another copy of Skyrim)
Date Created: April 15, 2012  Date Modified: May 2, 2012

I had been putting off buying an Xbox just for Forza 3, but this makes me want to get the box, and Kinect, AND another copy of Skyrim. I did buy Oblivion for both PC and PS3 so precedent is set.

Skyrim Kinect FTW!!!
UPDATE: Since I'm on the Kinect tip, here is another vid that I'm posting for me to watch later


Layout Changes (navigation)
Date Created: September 26, 2011  Date Modified: September 26, 2011

So I have spent the afternoon knee deep in CSS customizing the navigation and I'm nearly happy with the layout. Now my problem is to go thru and edit each post to fit within the layout, there are about 6 blogs of mine I have brought together in this site and none had the same template, tho most of my blogger accounts are not the issue–it's the bleepin Murdoch blog that has given me the most drama so far–and it does not surprise me given that we could only choose from a few templates and no access to the template files.

I'm yet to check this site in IE; I know that's not best practice but I spent the last 12 months building specifically for IE (UNDA company policy was Microsoft-centric), so now that I'm free to work on my own site I'm quietly avoiding that little blue “E”…

On the topic of IE: one thing I did notice is that the Twenty Eleven theme still supports IE6. Great for people with computers that still have Windows 98–but not necessary for anyone (read: everyone) else. I'm tempted to take out all the “if IE6” CSS, or put a JavaScript browser detection that redirects IE6 users to Microsoft’s downloads page but that's a bit conceited and arrogant.

The market share of IE6 is now at 2.0%, less than Safari, less than the more standards compliant Opera. I'm not forced to support it but if I don't, it's basically saying I'm only 98% of a web developer, as I'm only serving potentially 98% of the market.

I guess it's something to think about for another day, I’ve done enough for now.