NetTools v1.21.0

While this is only a minor version number change, this version significantly changes the functionality of NetTools.  In previous versions the LDAP Search option would only allow you to query the AD or LDAP directory.  With this version you can now perform update operations on objects in the directory.  Combined with the new Batch and Multi-Column Input Modes, the update option offers tremendous flexibility and power to update objects in the directory.  Like any tool that allows direct writes to the directory, it also has the potential to cause damage, so use with care!

To use the Update option, enter the required details in the Attribute field (see the syntax below), then select the Enable Updates option.  This will enable the preview mode by default as an extra safety net.  Preview mode allows you to run the query and see the values that would be written to the attributes if preview mode were turned off.  When Preview mode is deselected the Go button turns red to show that update mode is enabled and attributes could be changed when the query is run.  Please note, there is no undo option for updates.  When you run an update query, the values returned against each of the attributes are the new values of the attributes after the update has been completed.  If an error occurs during the update the LDAP error code is returned; in most cases these are self-explanatory and are usually due to a schema restriction.  See the Single Update option below for more information on how to determine which update caused the error.

The Add operator ‘=+’ can fail because of the schema definition of the attribute that is being updated.  If you use the Add operator on an attribute that the schema defines as single value, the update will succeed if there is no value assigned to the attribute.  However, if there is a value already assigned the update will fail.  For single value attributes it’s better to use the Set ‘==’ operator to assign the new value, as this will set or replace the existing value.

The value provided to update attributes can use the same substitution options that are available in the filter field, i.e. sid, oid, ip, ipn, idate, zdate, hex, guid, unicode, and userinput.  There are additional substitution options for the attributes field: attrib and code characters.  The attrib substitution option can be used to retrieve the value of an attribute; this is useful for updating multiple line single value attributes like the Info field.  To retrieve the value of a specific attribute, which doesn’t have to be the same attribute as the one being updated, you only need to specify the attribute name in the subst command, i.e. {attrib:info}.  Retrieval of a value is limited to attributes that only have a single value set.  If multiple values are assigned to the attribute the retrieval will fail and report an error that multiple values exist.  The substitution also supports the standard C\C++ Escape characters to include control characters or binary values; these are listed below.

The batch mode feature provides the ability to run a number of saved queries in a specified order.  It can be used to complete management tasks; one example is the automation of disabling inactive accounts.  This is achieved by creating a query that returns all accounts that are inactive based on your audit requirement.  The next query in the batch list is an update query that is configured as an input query, taking the results from the first query as its input; these accounts are then disabled by the second query.

Group Compare  ** New **
Provides the ability to compare the group membership of two user accounts.  There are two comparison options: compare by Name or by Object SID.  The list of groups that are returned can be derived from either the group membership attribute of the user or the user’s Token Group details, which will contain all the SIDs of all the groups, including nested groups, and domain security principals that are granted at logon.  The SIDs can also be resolved in a number of different ways:
None – the SID is displayed.
Relative – the name associated to the SID based on the SID assigned to the ObjectSID or SIDHistory attributes in the domain.
Absolute – the SID is referenced back to the source domain and the real name is displayed.  Network performance and old SID History entries to a non-existent domain can impact the performance of this resolution type.

Last Logon Time  ** New **
This new feature allows you to display the last logon time for a list of users.  NetTools will scan all the domain controllers in the domain for the individual Logon Time and display which Domain controller has the latest time.  You just need to paste a list of samaccountnames into the output pane and click Go.

AD Properties Dialog
Added ability to open the properties dialog for managers and direct reports.
Updated hints on fields to display the name of the attribute that contains the value.

AD Replication Queue
Added option to change how long the queue entries are displayed before they are removed from the list.

DC Resolution
Bug Fix: fixed issues in the default context detection

Last Logon
Updated Last Logon output to include the meta for the PwdLastSet attribute.
Updated the Event log scan criteria to also look for the user’s UPN as well as SamAccountName.

AD Attributes Dialog
Added the Single column to display if the attribute is single value.

LDAP Browser
Bug Fix: resolved issue where the browser could be slow to open.
Added additional context menu option on the Attribute menu to allow the Raw attribute data to be viewed.

LDAP Search
Bug Fix: Intermittent Invalid handle exception.
Bug Fix: in security descriptor decoder.
Added a Zoom feature for the Filter and Attribute fields.
Added CSV output option, when used in conjunction with the file output option.
Updated with support for Windows 2016TP3
Improved the performance of the column redraw.
Removed the limitation that requires the DN to be in the first column for DN context menu items
Updated PWDSEC DecodeType to handle 64 bit -1 correctly
Added decode for the pwdProperties attribute
Two new subst options are available on the filter and attribute fields. These are called userinput and unicode.  The userinput subst will prompt the user for an input. This requires a label, which is shown on the dialog box.  The user inputs are cached against the label; if a label is used a second time the cached response is used and the user is not prompted. The userinput subst can be nested in other subst options, e.g. with (pwdlastset>={idate:{userinput:Date}}) the user would be prompted to enter the date, then the idate subst will convert this into a 64 bit date code.  The unicode subst will convert the text to an escaped hex unicode value, i.e. {unicode:uni-text} results in \75\00\6E\00\69\00\2D\00\74\00\65\00\78\00\74\00
The Input Mode paste and file load functions have been updated to allow up to ten column inputs to be added.  The separator is the tab character, which is the default used by Excel when copying multiple columns.  Each column is given its own designator, i.e. ##input, ##input2, ##input3 etc.  These designators can then be used in the DN, Filter, and Attribute fields and will be substituted for the value in the column when the query is run.

Batch Mode ** New **
Allows you to specify a list of favorite queries to be executed in a specified order.  The output of one query can be used as the input for the next query.  Use the Batch List button to select the queries and order.  The batch list can be saved and recalled at a later date.
Update Mode  ** New **
The LDAP Search now has the ability to update attributes based on the values specified in the attribute field or data specified in the Input Mode columns. To update an attribute, an Update Operator must be specified after the attribute name, followed by the value you wish to set.  This is the syntax for the update operation:

<Attribute><Op><Value>
Attribute:  The name of the attribute that you wish to update
Op: The operation that is to be performed
    =+    Add Value to attribute
    =-    Remove the Value from the Attribute, if no Value is specified the attribute is cleared
    ==    Set\Replace the current value of the attribute with Value
    =|    Perform a bitwise operation of the current value of the attribute, this Op has a specific format for the Value
          Value = <Mask>:<Data>
          Mask - the bitwise mask  Note: Input Mode substitution can’t be used on this field, only the data field
          Data - is the bits to be set based on the bit mask
Value: the data to be written to the attribute

Examples:
ExtensionAttribute1==Office1          - Sets the ExtensionAttribute1 to Office1
ProxyAddresses=+smtp:www.world.com    - Adds the value to the ProxyAddresses, the existing values are preserved
ProxyAddresses=-smtp:www.world.com    - Removes the specific value from the attribute
ProxyAddresses=-                      - Clear the attribute, i.e. set to not set
UserAccountControl=|2:2               - Sets the 2 bit of the attribute to 1
UserAccountControl=|2:0               - Clears the 2 bit of the attribute to 0
UserAccountControl=|6:4               - Clears the 2 bit and sets the 4 bit of the attribute
UserAccountControl=|2:##input2        - Sets bit 2 to the value of ##input2
Info=={attrib:info}\n user updated as part of change 31012
Info=={attrib:info}{attrib:mail} user updated as part of change 31012
Objectversion=={attrib:objectversion}1
Binary=+\23\34\01\5a\4f\00
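
The operator semantics above, together with the single-value behaviour of the Add operator described earlier, modelled against an in-memory entry. This is an added example, not NetTools code: the function names and the single_valued parameter are hypothetical, and the '=|' formula is inferred from the UserAccountControl examples.

```python
import re

# Operators from the syntax above. The semantics are modelled from the page's
# description and examples; this is not how NetTools itself is implemented.
UPDATE_RE = re.compile(r"^(?P<attr>[A-Za-z][\w-]*)(?P<op>=\+|=-|==|=\|)(?P<value>.*)$", re.S)

def parse_update(expr):
    """Split '<Attribute><Op><Value>' into (attribute, op, value)."""
    m = UPDATE_RE.match(expr)
    if not m:
        raise ValueError(f"not an update expression: {expr!r}")
    return m["attr"], m["op"], m["value"]

def apply_update(entry, expr, single_valued=()):
    """Return a copy of entry (dict: attribute -> list of str) after the update.

    single_valued is a hypothetical stand-in for the schema's single-value flag.
    """
    attr, op, value = parse_update(expr)
    new = {k: list(v) for k, v in entry.items()}
    current = new.get(attr, [])
    if op == "==":                        # set or replace the existing value
        new[attr] = [value]
    elif op == "=+":                      # add, keeping the existing values
        if attr in single_valued and current:
            raise ValueError(f"{attr} is single-valued and already set; use ==")
        new[attr] = current + [value]
    elif op == "=-":                      # remove one value, or clear if no value given
        remaining = [v for v in current if v != value] if value else []
        if remaining:
            new[attr] = remaining
        else:
            new.pop(attr, None)
    else:                                 # '=|' takes <Mask>:<Data>
        mask, data = (int(part) for part in value.split(":", 1))
        old = int(current[0]) if current else 0
        # Only bits inside the mask change; they take their value from data.
        new[attr] = [str((old & ~mask) | (data & mask))]
    return new

# Constructed sample entry: 512 is a normal, enabled user account.
user = {"UserAccountControl": ["512"], "ProxyAddresses": ["SMTP:a@example.com"]}
```

Because apply_update returns a copy, the result can be compared with the original entry in the same way Preview mode shows the values before anything is written.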

The Update mode can be combined with the multi-column Input Mode to update the attributes on objects with different values.  For example, suppose you want to update the department and telephone numbers in AD for a number of users.  Paste three columns of data containing a list of samaccountname, department name, and new telephone number, then set the Filter field to (samaccountname=##input) and the Attribute field to Department==##input2, telephone==##input3, and you can update all the users' details in one operation.  As another example, suppose you have a list of users that need to be disabled and another list of users that need to be enabled.  Combine the lists of samaccountname and in the second column specify 0 for an account you want to enable and 2 for an account you want to disable.  Paste these columns into Input Mode, set the Filter field the same as in the previous example, and set the Attribute field to UserAccountControl=|2:##input2; this will update all the accounts in one operation.
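
A dry-run expansion of the multi-column substitution described above, useful for reviewing a pasted sheet before running it with updates enabled. This is an added example, not NetTools code: the function names and sample rows are constructed, and the warning for LDAP filter metacharacters is an extra check added here, not a documented NetTools behaviour.

```python
import re

MAX_COLUMNS = 10                          # the page: up to ten input columns
DESIGNATOR = re.compile(r"##input(\d*)")
FILTER_SPECIALS = set("()*\\")            # characters with meaning in an LDAP filter

def expand(template, columns):
    """Replace ##input, ##input2, ... with the matching column of one row."""
    def repl(m):
        index = int(m.group(1) or 1) - 1  # bare ##input is the first column
        if not 0 <= index < len(columns):
            raise ValueError(f"{m.group(0)} has no matching column")
        return columns[index]
    # A single regex pass, so ##input cannot clobber the prefix of ##input2.
    return DESIGNATOR.sub(repl, template)

def preview(pasted, filter_tpl, attribute_tpl):
    """Return (filter, [updates], [warnings]) per pasted row; nothing is written."""
    used = {int(m.group(1) or 1) - 1 for m in DESIGNATOR.finditer(filter_tpl)}
    # Split the template before substitution so a comma inside a pasted
    # value cannot turn into an extra update expression.
    update_tpls = [u.strip() for u in attribute_tpl.split(",")]
    rows = []
    for line_no, line in enumerate(pasted.splitlines(), start=1):
        if not line.strip():
            continue
        columns = [c.strip() for c in line.split("\t")]
        if len(columns) > MAX_COLUMNS:
            raise ValueError(f"row {line_no}: more than {MAX_COLUMNS} columns")
        warnings = [f"row {line_no}: column {i + 1} contains a filter metacharacter"
                    for i in sorted(used)
                    if i < len(columns) and FILTER_SPECIALS & set(columns[i])]
        updates = [expand(u, columns) for u in update_tpls]
        rows.append((expand(filter_tpl, columns), updates, warnings))
    return rows

# Constructed sample paste: samaccountname, department, telephone number.
SAMPLE = "asmith\tFinance\t555-0100\nbjones\tSales (EU)\t555-0101\nc*\tIT\t555-0102\n"
```

A row such as the third one, where the filter column contains a wildcard, would match more than one object, so it is worth catching before the update is run.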

Single Update – is the default when the Update mode is selected; this causes all the required updates to be performed as a single update when the query is run.  The disadvantage of using single update is that if you update multiple attributes at once and one of the updates fails, e.g. due to a schema restriction, the resulting error message is reported against the first attribute that is displayed and not the attribute that caused the update to fail.  By deselecting the Single Update option, each update is performed separately, and if that update fails the error message is displayed against the attribute that failed to update.

Search
Added option to context menu to select which attributes are displayed

Schema Browser
Added an extra column to show if the Attribute is available in the GC

Schema History
Updated to include Exchange 2016 RTM, Windows 2016TP3

Schema Version
Updated to include Exchange 2013 CU1/2/3/4/5/6/7 & SP1, 2016, and Windows 2016TP3

User Groups
Updated output to include security principal SID

C\C++ Escape Characters:

\a     07     Alarm (Beep, Bell)
\b     08     Backspace
\f     0C     Formfeed
\n     0A     Newline (Line Feed); see notes below
\r     0D     Carriage Return
\t     09     Horizontal Tab
\v     0B     Vertical Tab
\\     5C     Backslash
\'     27     Single quotation mark
\"     22     Double quotation mark
\?     3F     Question mark
\hh    any    The character whose numerical value is given by hh interpreted as a hexadecimal number