Archive for September, 2012

It is sometimes helpful to be able to search for objects in AD by their creation date.  The whenCreated attribute is useful for this as it is a replicated attribute (i.e. is consistent across all DCs).  The challenge for using whenCreated in LDAP filters is the syntax.  The attribute uses the GeneralizedTime syntax to represent the date and time (see X.680 for more details regarding the syntax).  I haven’t found a standard method within PowerShell to obtain the GeneralizedTime format, so it involves some custom formatting.

Here’s an example of using whenCreated in an LDAP filter to find all user objects created in the past 90 days.

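# GeneralizedTime is expressed in UTC, in the form YYYYMMDDHHMMSS.0Z
$wcdate = "{0:yyyyMMddHHmmss}.0Z" -f (Get-Date).ToUniversalTime().AddDays(-90)

Get-ADUser -LDAPFilter "(whenCreated>=$wcdate)" -Properties whenCreated | Format-List SamAccountName, whenCreated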
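
The same query generalised to an arbitrary creation window (for example, reviewing accounts created during a period of interest), as an added example that is not from the original post. The function names ConvertTo-GeneralizedTime and New-WhenCreatedFilter are hypothetical, and the ActiveDirectory module is assumed to be loaded.

```powershell
# Added example: helper names are hypothetical, not part of the ActiveDirectory module.
function ConvertTo-GeneralizedTime {
    param([Parameter(Mandatory)][datetime]$Date)
    # AD expects UTC in the form YYYYMMDDHHMMSS.0Z. A DateTime whose Kind is
    # Unspecified is treated as local time by ToUniversalTime(). Formatting with
    # the invariant culture keeps the digits independent of the user's calendar.
    $Date.ToUniversalTime().ToString('yyyyMMddHHmmss', [cultureinfo]::InvariantCulture) + '.0Z'
}

function New-WhenCreatedFilter {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [datetime]$End = (Get-Date)
    )
    if ($End -le $Start) { throw 'End must be later than Start.' }
    $from = ConvertTo-GeneralizedTime $Start
    $to   = ConvertTo-GeneralizedTime $End
    # LDAP filters only offer >= and <=, so the exclusive upper bound is
    # written as NOT (whenCreated >= End).
    "(&(objectCategory=person)(objectClass=user)(whenCreated>=$from)(!(whenCreated>=$to)))"
}

# User objects created in the past 90 days, oldest first.
$filter = New-WhenCreatedFilter -Start (Get-Date).AddDays(-90)
Get-ADUser -LDAPFilter $filter -Properties whenCreated |
    Sort-Object whenCreated |
    Format-List SamAccountName, whenCreated
```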

Quest Software make it hard to love them sometimes.  When they made Quest Quick Connect Express for Active Directory available at no cost it was a real boon for anyone wanting to synchronise objects from AD to AD (or AD LDS instances).  In particular it offered a great free method of achieving GAL Sync between two Exchange Organisations, the likes of which have not been seen since the days of Microsoft’s Identity Integration Feature Pack (IIFP – a cut down version of MIIS/ILM/FIM). I thought this was smart, strategic thinking on Quest’s part: make the sync engine available with basic functionality to get everyone used to the product and then generate revenue through add-on licences for other data sources (generic LDAP, SQL, Oracle, etc.).  Sadly, the strategic approach seems to have been thrown out in the (mistaken) belief that charging for the AD connector will bring in more revenue.  Hopefully Dell (Quest’s new owner) will hear the howls of derision and bring back the free version.

Now that I’ve got that off my chest, what are the options left for (free) GAL Sync?  Well, if you have a copy of the Quest One Quick Connect Sync Engine version 4.7 or 5.0 you can still use these to achieve GAL Sync free of charge.  The current version of the Sync Engine (5.1) has had the AD DS/AD LDS connectors disabled so if you download that you will need to purchase a Quest One Quick Connect Express for Active Directory licence to get the old functionality back.

It doesn’t look like version 5.0 of the Sync Engine is available on the Quest web site, but you can still download version 4.7.  To get there you need to register for the Quest One Quick Connect Express for AD trial version and you will then see the download options for the Sync Engine.  The Step-by-Step Guide that I originally wrote was for version 4.7 and is still available:

http://www.open-a-socket.com/index.php/2011/01/06/quest-activeroles-quick-connect-express-gal-sync-step-by-step-guide/

If you have version 5.0 downloaded somewhere, consider yourself lucky – and hold on to it!