Saturday, February 7, 2009

Adfind (from joeware) - part1

Export Sites from AD sites and services:
adfind -config -f "(objectClass=site)" -dn
Export sites and associated subnets:
adfind -config -f "(objectClass=subnet)" distinguishedname siteobject
Show users who have certificates:
adfind -tdc -default -f "(&(objectCategory=person)(objectClass=user)(userCertificate=*))" -dsq
Show users who don't have certificates:
adfind -tdc -default -f "(&(objectCategory=person)(objectClass=user)(!(userCertificate=*)))" -dsq
Show useful information about users:
adfind -tdc -default -f "(&(objectCategory=person)(objectClass=user))"
The output of this command is shown in the picture above.
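To make the subnet export above usable for review, the following added example (not part of the original post) parses saved output of the `(objectClass=subnet)` query, groups subnets by site, lists subnets with no siteObject, and resolves an IP address to its site by longest-prefix match. It assumes AdFind's default `dn:` / `>attribute: value` output layout; the sample data and the function names `parse_subnets` and `site_for` are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample; the "dn:" / ">attr: value" layout is assumed to match
# AdFind's default output for the subnet query.
SAMPLE = """\
dn:CN=10.1.0.0/16,CN=Subnets,CN=Sites,CN=Configuration,DC=example,DC=com
>distinguishedName: CN=10.1.0.0/16,CN=Subnets,CN=Sites,CN=Configuration,DC=example,DC=com
>siteObject: CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=com

dn:CN=10.1.5.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=example,DC=com
>siteObject: CN=Branch,CN=Sites,CN=Configuration,DC=example,DC=com

dn:CN=192.168.9.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=example,DC=com
>distinguishedName: CN=192.168.9.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=example,DC=com

3 Objects returned
"""

def first_rdn(dn):
    """Value of the leftmost RDN: 'CN=HQ,CN=Sites,...' -> 'HQ'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def parse_subnets(text):
    """Return ({site: [networks]}, [networks that have no siteObject])."""
    records = []
    for line in text.splitlines():
        if line.startswith("dn:"):
            net = ipaddress.ip_network(first_rdn(line[3:].strip()))
            records.append([net, None])
        elif records and line.lower().startswith(">siteobject:"):
            records[-1][1] = first_rdn(line.split(":", 1)[1].strip())
    by_site, orphans = defaultdict(list), []
    for net, site in records:
        (by_site[site] if site else orphans).append(net)
    return dict(by_site), orphans

def site_for(ip, by_site):
    """Site whose most specific subnet contains ip, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    hits = [(n.prefixlen, s) for s, nets in by_site.items() for n in nets if addr in n]
    return max(hits)[1] if hits else None

if __name__ == "__main__":
    sites, unassigned = parse_subnets(SAMPLE)
    print(sites, unassigned)
    print(site_for("10.1.5.20", sites))
```
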


Anonymous said...


Thanks for sharing your insightful thoughts and suggestions - very cool and helpful indeed.

In the spirit of sharing helpful information, thought I'd mention that one of my Microsoft colleagues informed us about a cool FREE tool from a Microsoft partner, that offers over 50 super-helpful Active Directory security reports, such as which accounts are locked out, which accounts are set to expire in the next few days, which security groups are nested, where all a user may have permissions etc.

The tool is called Gold Finger, and it is developed by a company called Paramount Defenses. You can download it from

Why bother writing complicated scripts or using unsupported command-line tools when you can use a 100% AUTOMATED, GUI based, FREE solution that is not only SUPPORTED but also ENDORSED by Microsoft?!

If you're into Active Directory security, then this tool is a must-have.

Thought I'd share this helpful tip with you!


MarcJ said...

Hey, nice post - thanks. Indeed, a plan and sticking to it is so important and can be so helpful.

By the way, I run a blog on Free Active Directory Tools, so if you're into helpful AD tools, please feel free to stop by!