NetTools v1.22.0

This update has a number of new features around AD security. NetTools now provides a simple ACL explorer view to display the object, mailbox, and schema security descriptors. The ACL Browser can browse any partition; if the schema partition is selected, the Default Security Descriptor for each schema class is also displayed.

Assigned Trustees is a new feature that provides the ability to search for any ACLs that contain the specified trustee, which can be a user, group or any other security principal.

LDAP Search has a number of new features, including more Update query options, Auto Complete, and Conditional Attributes.

The Update Queries now support move and delete options. As the object will be moved or deleted, no other attribute updates can be included in the same query.

The Auto Complete option is available on the filter and attribute fields. Once the Populate list button has been pressed, the schema details are cached and are available for Auto Complete on these fields. The Auto Complete feature also includes syntax checking on the Attributes field, which highlights in red any attribute or decode type that is not valid.

The Conditional Attributes feature provides the ability to do attribute-based comparisons that are not available in standard LDAP queries. It performs a conditional check against each returned object from the LDAP search results and returns a true or false result; the results can be static text or an attribute of the returned object. Conditional Attributes are specified in the Attribute field as an extension to an attribute name and define the conditional statement with the true and false results.

Conditional Attributes have the following syntax: <attribute name>;{if:<variable1>[;type]<op><variable2>[;type]:<true result>:<false result>}

attribute name: is the name of the attribute that the result will be returned against
variable1: the first variable for the comparison, this can be an attribute of the object or static text
op: the logic operator used to compare variable1 and variable2, the options are:

==    Equal
!=    Not Equal
>     Greater Than
<     Less than
>=    Greater or equal
<=    Less or equal

variable2: the second variable for the comparison; this can be an attribute of the object or static text. If the first character of the static entry is '*', the Equal and Not Equal ops search for the text within variable1; otherwise variable2 must match variable1. Comparisons are case-insensitive.
type: an optional format option that defines the data type of the variable used for the comparison; the options are int or date
true result: the value to be returned against the attribute name if the condition is true
false result: the value to be returned against the attribute name if the condition is false

With all fields, static text is encapsulated in quote marks, and any value not encapsulated is assumed to be an attribute of the object. Static entries can also include any of the substitution options, i.e. oid, ip, ipn, idate, zdate, hex, guid, unicode, and userinput.
Examples:

Updated:{if:usnchanged;int==usncreated:"Unchanged":"Changed"}
One:{if:extensionattribute2=="1":"true":extensionattribute2}
PwdChanged:{if:pwdlastset;date>="10/11/16":"Updated":"Needs updating"}
Password_Changed:{if:pwdlastset;date>="{idate:now-14}":"Updated":"Needs updating"}
Not_Admin;{if:member!="*admin account":member:" "}
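As an added illustration (not NetTools code and not part of the original release note), the following Python evaluates the conditional-attribute syntax above against a constructed object. It assumes date literals are dd/mm/yy, that a bare int64 FILETIME string is the date form of an attribute such as pwdLastSet, that a type given on either side applies to both, and it does not implement substitution commands such as {idate:...}.

```python
import operator
import re
from datetime import datetime, timedelta
FILETIME_EPOCH = datetime(1601, 1, 1)
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       "<": operator.lt, ">=": operator.ge, "<=": operator.le}
# <name>;{if:<v1>[;type]<op><v2>[;type]:<true>:<false>}; ';' or ':' after the name are both accepted
COND = re.compile(
    r'^(?P<name>[^:;]+)[:;]\{if:(?P<v1>"[^"]*"|[^;=!<>]+)(?:;(?P<t1>int|date))?'
    r'(?P<op>==|!=|>=|<=|>|<)(?P<v2>"[^"]*"|[^;:]+)(?:;(?P<t2>int|date))?'
    r':(?P<true>"[^"]*"|[^:]+):(?P<false>"[^"]*"|[^}]+)\}$')

def as_date(v):
    # date type: an int64 FILETIME string (how AD stores pwdLastSet) or a dd/mm/yy literal (assumed format)
    if v.isdigit():
        return FILETIME_EPOCH + timedelta(microseconds=int(v) // 10)
    return datetime.strptime(v, "%d/%m/%y")

def coerce(v, typ):
    # Apply the optional ;type; untyped comparisons are case-insensitive text
    if typ == "int":
        return int(v)
    return as_date(v) if typ == "date" else str(v).lower()

def resolve(token, obj):
    # Quoted text is a literal; anything unquoted names an attribute of the returned object
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1]
    return obj.get(token.lower(), "")

def evaluate(spec, obj):
    # Returns (attribute name, result) for one conditional attribute against one object
    m = COND.match(spec)
    if not m:
        raise ValueError("not a valid conditional attribute: " + spec)
    g = m.groupdict()
    left, right = resolve(g["v1"], obj), resolve(g["v2"], obj)
    if g["op"] in ("==", "!=") and isinstance(right, str) and right.startswith("*"):
        # A leading '*' turns Equal / Not Equal into a substring search over every value
        needle = right[1:].lower()
        hit = any(needle in str(v).lower() for v in (left if isinstance(left, list) else [left]))
        result = hit if g["op"] == "==" else not hit
    else:
        typ = g["t1"] or g["t2"]
        result = OPS[g["op"]](coerce(left, typ), coerce(right, typ))
    return g["name"], resolve(g["true"] if result else g["false"], obj)

SAMPLE = {  # constructed sample object standing in for one LDAP search result
    "usnchanged": "4521", "usncreated": "4521", "extensionattribute2": "1",
    "pwdlastset": "131277024000000000",  # FILETIME for 2017-01-01 00:00:00 UTC
    "member": ["CN=Admin Account,OU=Users,DC=example,DC=com"]}
```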

Access Control Rights  ** New **
A complete rewrite of the Extended Rights and Property Sets options; they are now combined under one option, which also includes Validated Rights details

ACL Browser  ** New **
A new option to browse the ACLs defined in the AD or AD LDS directory

Assigned Trustees  ** New **
This option scans all accessible objects in the default naming context and displays the list of unique users and groups that have been assigned rights in the AD. It is useful to see whether a specific security principal has been assigned rights in the directory.

Find Trustee Assignments  ** New **
This option provides the ability to search whether the specified trustee has been assigned any rights to any objects in the directory. It includes an option to include or exclude inherited permissions.

Password Checker  ** New **
This option provides the ability to check a single password against a list of accounts and confirm whether the accounts are using that password. The status report shows whether the account is currently locked, requires a password reset, is expired, or is disabled. To use this option, paste a list of sAMAccountNames into the pane, enter the details and click Go.

Extended Rights  ** Removed  **

AD Subnet
Updated to remove spaces from user input
Updated to display Not Found if the IP address(es) are not defined in the AD

Attribute Replication
Updated to display all the values of attributes with multiple values.

Base64
Updated to support text selection and decodes across multiple lines

LDAP Browser
Significant rewrite of most functions to use the LDAPClass and added attribute cache feature to improve performance over slow links

LDAP Search
Bug fix: resolved issue where the attribute order was not preserved in table view
Now includes support for auto complete and validation on the filter and attributes fields; this option is available once the Populate list button has been pressed. The auto complete option is enabled by default but can be disabled by deselecting the Auto Complete option. The Populate list button is shown below:

Added Clear Table option to allow the contents of the table view to not be cleared between searches
Added additional dialog option to allow the selection of attributes for the Attributes field
Added option for Conditional Attributes
Added Enum button to display the internally defined enum used by NetTools to decode attributes
Added PARENTCN DecodeType to display the parent CanonicalName of the object
Added DecodeType for ValidAccesses attribute
Added decode for msDS-UserPasswordExpiryTimeComputed
Added decode for msRTCSIP-UserRoutingGroupId
Added DecodeType SD_NAME_GROUP and SD_SID_GROUP for the primary group in the SD
Fixed sorting issues for Int data types
Updated the LDAP Browser button so that if the shift key is held down when clicking it, the LDAP Browser is opened in non-modal mode and can stay open
Updated Display Filter field to support parameter encapsulated in quote marks
Updated the Display Filter logic to provide better support for attributes with multiple values
Updated the Value field in update queries to support substitution commands that work with Input mode data, i.e. AccountExpires=={idate:##input2}
Updated to support quote marks encapsulation for Values in Update queries
Updated the Attribute List dialog to include a manual DecodeType type allocation
Updated so after an update query has completed the preview option is selected to prevent any accidental updates
Updated update queries to support the move and delete operators. The delete option is only available once the Delete and Delete Tree options are selected:

To update an attribute, an Update Operator must be specified after the attribute name, followed by the value you wish to set. This is the syntax for the update operation:

<Attribute><Op><Value>

Attribute:  The name of the attribute that you wish to update
Op: The operation that is to be performed

=+        Add Value to attribute
=-        Remove the Value from the Attribute; if no Value is specified the attribute is cleared
==        Set\Replace the current value of the attribute with Value
=|        Perform a bitwise operation on the current value of the attribute. This Op has a specific format for the Value:
          Value = <Mask>:<Data>
          Mask - the bitwise mask. Note: Input Mode substitution can't be used on this field, only the Data field
          Data - the bits to be set based on the bit mask
=#        Delete object; the Attribute can be any attribute that has a value assigned, no value is required  ** New **
=>        Move the object to the new location specified by the Value; the Value should be encapsulated in quote marks  ** New **
          The Attribute can be any attribute that has a value assigned
Value: the data to be written to the attribute

Examples:
AccountExpires=={idate:##input2}          - Set AccountExpires to the int64 value of ##input2
dn=>"cn=users,dc=domain,dc=com"           - Move the selected object to the specified location
dn=#                                      - Delete the object from Active Directory
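As an added example (not NetTools code and not from the original release note), the following Python applies the update operators described above to a constructed in-memory directory. The bitwise semantics ((current & ~Mask) | (Data & Mask)), the move rule (keep the RDN and re-parent the object under Value) and the omission of substitution commands such as {idate:##input2} are assumptions.

```python
import re

# Update query: <Attribute><Op><Value>, with the Op set listed above
UPDATE = re.compile(r'^(?P<attr>[A-Za-z0-9-]+)(?P<op>==|=\+|=-|=\||=#|=>)(?P<value>.*)$')

def unquote(v):
    # Values encapsulated in quote marks are literals; the quotes are stripped
    v = v.strip()
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v

def apply_update(directory, dn, query):
    # Apply one update query to object `dn` in `directory` ({dn: {attr: [values]}})
    # and return the object's DN afterwards, or None once it has been deleted
    m = UPDATE.match(query)
    if not m:
        raise ValueError("not a valid update query: " + query)
    attr, op, value = m.group("attr").lower(), m.group("op"), m.group("value")
    obj = directory[dn]
    if op == "=#":                     # delete the object; no Value is needed
        del directory[dn]
        return None
    if op == "=>":                     # move: assumed to keep the RDN and re-parent under Value
        new_dn = dn.split(",", 1)[0] + "," + unquote(value)
        directory[new_dn] = directory.pop(dn)
        return new_dn
    if op == "=|":                     # bitwise: Value is <Mask>:<Data>
        mask, data = (int(x, 0) for x in unquote(value).split(":"))
        current = int(obj.get(attr, ["0"])[0])
        # assumed semantics: bits covered by Mask take Data's bits, all other bits are kept
        obj[attr] = [str((current & ~mask) | (data & mask))]
    elif op == "==":                   # set / replace
        obj[attr] = [unquote(value)]
    elif op == "=+":                   # add a value
        obj.setdefault(attr, []).append(unquote(value))
    elif op == "=-":                   # remove a value, or clear the attribute when no Value
        if unquote(value) == "":
            obj.pop(attr, None)
        else:
            obj[attr] = [v for v in obj.get(attr, []) if v.lower() != unquote(value).lower()]
    return dn

# Constructed sample directory standing in for an AD partition (not real directory data)
DIRECTORY = {"CN=Bob,CN=Users,DC=example,DC=com":
             {"useraccountcontrol": ["512"], "description": ["old text"]}}
```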

General
Added a DN Select Location option to all fields that require a DN entry, which allows the DN to be selected by browsing the specified directory. The Select Location button has three dots ...
Updated to include better support for displaying Unicode and UTF-8 LDAP strings

Group Compare
Bug fix – auto sort is disabled when SID resolution is selected

Group Manager
Updated to allow cross forest lookup of security principals

Last Logon Time
Fixed intermittent Indexing error

AD Properties dialog
Bug fix – fixed issues where primary group is not resolved in some domain configurations
Updated to display the user’s thumbnail photo
Improved the user feedback and stability when the members and memberof tabs are displayed for objects with a large number of memberships
Updated icons in member and memberof to show disabled objects

Schema Version
Updated to include the Forest, Domain and Domain Controller Functional Levels
Updated to cover Windows 2016 technical preview 4

Schema History
Updated to include Exchange 2016 CU1

Search
Updated the Use with option on the context menu to include the ACL Browser option
Updated to display an icon for each object returned, disabled objects are shown with a disabled icon

User Rights
Updated to display current assigned and enabled user rights

DecodeType list:
    DEFAULT - ASCII
    64DATE - Win32 64bit Date Format
    64TIME - Win32 64bit Date & Time Format, local time
    64TIME_UTC - Win32 64bit Date & Time Format, UTC
    ATTRIBENUM - predefined enumerate
    ATTRIBENUM_NONUM - predefined enumerate only symbolics are displayed
    BEROID - Basic Encoding Rules (BER) Organization Identifier
    BIN - Binary list
    CERT - Certificates
    COUNT - Returns the number of entries in the attribute
    CRL - Certificate Revocation List
    DNSPROPERTY - DNS Properties entries
    DNSRECORD - DNS entries
    DNSRECORD.DATA - return only the data field
    DNSRECORD.RANK - return only the rank field
    DNSRECORD.SERIAL - return only the serial field
    DNSRECORD.TIMEOUT - return only the timeout field
    DNSRECORD.TIMESTAMP - return only the timestamp field
    DNSRECORD.TTL - return only the ttl field
    DNSRECORD.TYPE - return only the type field
    DNSRECORD.VERSION - return only the version field
    DSA_SIG - DSA Signature
    FILETIME - Win32 File Date & Time Format
    GTFTIME - Generalized Time Format, local time
    GTFTIME_UTC - Generalized Time Format, UTC
    GUID - Windows COM GUID format
    GUID_LDAP - GUID in LDAP filter format
    GUID_RAW - Hex GUID format
    HEX - Display a number in Hex format
    IP - DWORD IP address in windows order
    IPN - DWORD IP address in network order
    MSTRUST - Decoder for msds-TrustForestTrustInfo
    NTDS_CONN_OPT - Returns the options for the Options of NTDSConnection
    NTDS_DSA_OPT - Returns the options for the Options of NTDSDSA
    NTDSSSITE_OPT - Returns the options for the Options of NTDS Sites Settings
    PARENTCN - Returns the parent container of the CanonicalName
    PARENTDN - Returns the parent container of the distinguishedName
    PERIOD - Certificate renewal period
    PSMTP - Display primary smtp entry
    PWDSEC - Password seconds
    PX400 - Display primary x400 entry
    PX500 - Display primary x500 entry
    REPL_UTDV - NC Up-To-Dateness Vectors
    REPS_INFO - Replication neighbours RepsTo and RepsFrom
    RIDPOOL - RID Pool Allocations
    SD - Security Descriptor in SDDL format
    SD_NAME - Returns the resolved names of all the entries in the SD
    SD_NAME_DACL - Returns the resolved names of the DACL entries in the SD
    SD_NAME_GROUP - Returns the primary group assigned in the SD
    SD_NAME_OWNER - Returns the resolved name of the owner in the SD
    SD_NAME_SACL - Returns the resolved names of the SACL entries in the SD
    SD_SID - Returns the SID of all entries in the SD
    SD_SID_DACL - Returns the SID of the DACL entries in the SD
    SD_SID_GROUP - Returns the primary group assigned in the SD
    SD_SID_OWNER - Returns the SID of the Owner in the SD
    SD_SID_SACL - Returns the SID of the SACL entries in the SD
    SID - Display Security Identifier in text form
    SID_ABS - Display the absolute name of the SID
    SID_REL - Display the relative name of the SID
    SITE_LINK_OPT - Returns the options for the Options of SiteLink
    SIZE - The size of the data returned
    SMTP - Display only smtp entries
    TRANSPORT_OPT - Returns the options for the Options of transport container
    X400 - Display only x400 entries
    X500 - Display only x500 entries