Featured post

NetTools Basics

nettools

NetTools has a number of common features which are used throughout the program. This post provides details on some of these features.

AD or Server Connections

If NetTools is run on a machine that is joined to an AD domain, by default NetTools will connect to the domain controllers of that domain without needing to specify the server. It will also use the credentials of the user running NetTools to make the connection. If you want to connect to a specific domain controller, different domain, or use a different set of credentials, you use Connection Profiles.  See Connection Profiles for more details.

Server Lists
In most of the options there is a field to specify the server or domain, this field is used to enter a server name or select a Connection Profiles that the test will be run against.  The server and domain fields are optional, if no entry is provided NetTools will either connect to the domain the machine running NetTools to joined to, or use the default Connection Profile, if one has been defined.

Navigation
The toolbar is used to navigate the tests and access a number of features in NetTools.  The toolbar has both fixed buttons and user selected buttons.

The Back and Forward buttons allow you to move backwards and forwards between tests you have used, this is useful if you select a linked option and want to go back to the previous test.  The Connection Profiles button opens the Connection Profiles dialog, which allows you to configure profiles that defines, the LDAP server, GC server, SSL, authentication, credentials and paging properties.  For more details see Connection Profiles. The Resolver button will open the Resolve dialog, which lets you resolve different input types and provides a temporary scratch pad when investigating an issue.  For more details see Resolver.  The Help button opens the help page on the NetTools.net website for the selected test.  The Quick search entry field provides a quick entry method to perform a search of the AD using the User - Search option.

Permissions
You don't need any specific permissions to run NetTools, only execute right on the file system.  With a typical AD implementation a normal user can read a lot of the details in the AD, there are few features that might need elevated rights, i.e. viewing deleted objects or low level replication data shown in the Replication Queues option, where elevated permissions are required this is included in the corresponding Option's web page.  Only other scenario where permissions can be an issue is when NetTools is run on a Domain Controller that has User Access Control (UAC) enabled, the results returned by the local Domain Controller will be reduced unless NetTools is executed with Run as Administrator option.

Where to start
The number of options in NetTools can make it confusing where to start.  The best approach is to start with the Search option under Users or use the quick search option, this allows you to search the AD, be it at the Forest or Domain level for any object in the Active Directory, from there the context menu options allows you to then interrogate the returned objects.  See User Search.

To allow you to find your favorite option quickly, NetTools includes a Pin option, which will add user defined button to the toolbar to allow you to quickly select your commonly used options.  To Pin an item, select the option, then right click on the option name and select the Pin from the context menu, you will be prompted to select an icon for the button.  To remove a Pinned item, simply right click on the button on the toolbar and select Remove.

Option Pinning

Option or test Linking
For a number of the tests the output from one can be used as the input for other tests and options, by selecting the corresponding output entry and right clicking the context menu will display these options.  The User Search option has a number of linked options that are displayed under the use with sub menu.

Copy and Paste
The outputs from the tests can be copied into other functions in NetTools or to external programs.  The Copy and Paste option are displayed in the right click context menus. For table views it's possible to copy the data in a single column, the line, or the entire table. When using the copy column option, mouse position when the right click is pressed, is used to define which column will be selected.  For text based output fields it's possible to copy the text as with standard copy and paste. The Copy works with a single or multiple selected items, and when copying the details from all selected items is copied. A number of keyboard shortcuts are defined, Ctrl+C will copy the the details of from the column of the select items, Ctrl+L will copy all the details of the selected items, Ctrl+T will copy the entire contents of the table, include headers. The Copy to new window context menu option will copy the contains of the view to a new detached window, which provide additional sort and filtering options.  See Copy to new window

Messages\Results pane
On most options, there is a lower pane, this pane is used to display any errors or status report from the execution.  Any error messages or codes returned by the APIs are displayed here.

Exporting Objects
There is the ability to export objects in LDIF file format, this is available from the context menus. See LDIF Export for more details.

Common Dialogs
NetTools has four common dialogs which are available from most context menus on in the results and options.  These are the AD Properties, Attributes, Meta Data,  and Permissions dialogs, these are usually listed at the bottom of the context menus as shown below.

Context Menu
AD Properties
Attributes
Meta Data
Permissions

Resolver
The Resolver dialog provides a scratch pad to temporary store items that you are troubleshooting or investigating. The Resolver dialog is accessed via the toolbar and items can be added to the dialog either from the context menu, pressing Ctrl+R, manual entry, or pasting a list of DN, samaccountname, email, upn or displaynames.  From the Resolver dialog the NetTools options and test can be selected from the context menu in the Resolver dialog.

Resolver Context Menu

NetTools saved configuration
NetTools uses a single configuration file called NetTools.ini, this is used to save any user defined configuration or lists.  NetTools will try to read the configuration from the same location as the exe from executed from.

How To: Delegate Object Restoration Rights

In this post we will look at how to delegation the restoration of deleted objects using the AD Recycle Bin.

First we need to enable AD Recycle Bin, this is enabled by default on newly built forests with DC of Windows 2012 and above, for older forests all the domain controllers must be Windows 2008 R2 and above and you will need to run this command from a PowerShell command prompt to enable AD Recycle Bin:

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target <your domain>

By default only domain administrators have the rights to restore object that have been deleted, the following steps will delegate the ability to restore deleted objects to the members of the "Restore_Objects" group.

1.  Create an new AD group called 'Restore_Objects', the group can be a local, global or universal depending on your requirements

2.  Next we need to set restoration rights on the root of the domain, open a command prompt with Run As Administrator rights and run the following command:

dsacls dc=<your domain>,dc=<com> /g "restore_objects:ca;Reanimate Tombstones"
Root Permissions

3.  To be able to change the security on the Deleted Object container, we first need to take ownership of the container, from the same command prompt run the following command:

dsacls dc=<your domain>,dc=<com> /takeownership

4.  Now we are owners of the Deleted Objects container we can update the permissions, first we will assign the delegation group the rights to list the contents of the Deleted Objects container and read the properties of the objects using the following command:

dsacls "cn=deleted objects,dc=<your domain>,dc=<com>" /g "restore_objects:LCRP"
Deleted Object Permissions

The permissions set so far provide the Restore_Objects group with the rights to restore objects and view the contains of the Deleted Objects container.  However, they can't restore objects yet, they also need write permissions to the properties of the objects that have been deleted in order to be able to restore them.

Depending on your requirements, you can assign the properties permissions are the root of the domain so the Restore_Objects members can restore anything deleted in the domain or you can limit the delegation to a particular OU.

This is the command to assign the required permissions

dsacls "ou=<your ou>,dc=<your domain>,dc=<com>" /I:T /g "restore_objects:WPCC"

This shows the permissions assigned at the OU level:

OU Permissions

In this case the members of the Restore_Object group, will be able to see all the of the Deleted Object but will only be able to restore the objects that were deleted from Restore OU, unless they have been assigned Write All Properties (WP) and Create Child (CC) rights through other permissions.

To restore objects you can use the Restore Objects option in LDAP Browser, see How To Restore AD Deleted Objects for more details.

How To View the Permissions that will be assigned by the SDProp Process

This is a quick post to show how to display the permissions that will be assigned by the SDProp Process.

The SDProp process uses the AdminSDHolder container object as a template for the permissions that will be assigned to any users or groups that are protected by the SDProp Process. For more details on the SDProp Process see the SDProp Option.  The permissions assigned to the ADminSDHolder are used to replace the existing permissions when an object first comes into scope, or if the permissions of an existing in scope object are changed.

Using the NetTools Permission Browser option (formally - ACL Browser) is it very simple to view the permissions.  In the left hand pane navigate to the Access Control - Permissions Browser option.

Click on the Refresh button, this will display the directory tree, navigate down the tree to CN=System, CN=AdminSDHolder.  With the AdminSDHolder object selected the permissions will be displayed in the middle pane:

AdminSDHolder Permissions

We can use the Permission Compare feature to confirm that the permissions have been applied to a protected object.  In the tree view of the Permissions Browser right click on the AdminSDHolder node and select Select Left SD to Compare

Select Left SD to Compare

Using the Quick Search option we can search for a protected group i.e. Domain Admins.

Quick Search - Domain Admins

From the search results right click on the domain admins group and select Compare to 'AdminSDHolder' SD

Select Right Compare AdminSDHolder

This will display the Compare Permissions dialog, allowing you to confirm that the AdminSDHolder permissions have been applied to the Domain Admins group, you can repeat these steps to confirm any of the users or groups that are protected by the SDProp process.

Compare Permissions - AdminSDHolder

NetTools v1.31.0

AD Permissions Reporter    
A reporting option to report and search for permissions that have been assigned in the AD, supports both basic and advanced filters. See AD Permissions Reporter.

Certificate Checker    
A new feature to verify the certificate that are assigned to website, including the revocation status, More details available here.

Compare AD Permissions    
Context menu option to compare the permissions of different objects.  See How to compare AD permissions.

Object Replication    
A new feature to test if AD objects and their attributes are replicated across the domain controllers in the domain. See Object Replication for more information.

SDDL Viewer    
A new feature to display SDDL strings in the Permissions dialog.  More details available here.

Find Trustee Assignments
Depreciated

AD Permissions Browser
ACL Browser renamed to AD Permissions Browser
Updated context menu to support option to export a permission as a dsacls command.
Updated inheritance text to include no propagation rights details and displayed separately in the rights view.
Changed the icons used in trustee mode to the same as used in AD Permissions Reporter, to make it easier to see which permissions are applies to the trustee.
Fixed index error when assigning the NT Authority\Self to a trustee.

AD Properties
Fixed context menu on delegation tab to allow linked SPN tests.
Fixed memberof bug, some groups are not displayed if the displayname is not set.
Added option to display the time and date when changes to the group membership happened.
Updated to display the Fine Grain Password details for both users and groups.
Updated Logon tab to include Password Expires based on the msDS-UserPasswordExpiryTimeComputed attribute.

AD Sites
Updated to include a dsBind test to test RPC connection, also updated to support profiles.

AD Subnet
Updated to support IP Addresses with CIDR.
Subnet that are not linked to a site are shown as <not assigned>.

Attributes Dialog
Hex dump - now able to provide hex dump of security descriptor for non-admin users.

Attribute Replication
Updated to display all the attributes of the selected object across the selected domain controllers.

Base64
Updated to support encoding a SID string to binary in Base64 and back to SID String.

DC Resolution
Removed port 3389 from default list of ports, added for testing and shouldn't be there.

Error Messages
Updated to also return error details for WinInet error codes.

GPO Explorer
Added GPO testing functionality similar to that of GPOTool.exe. See How To Test GPOs as GPOTool is no longer available.
Update security tab to include the rights view of the permissions assignment.
Fixed display updates when switching from OU to WMI and back again.

GUID Search
Updated to now search for the entered GUID against common object GUID, and option to search against all GUID attributes found as part of the dynamic attribute discovery.

LDAP Browser
Added button to allow a DN to be opened in a separate window.
Updated to include a Restore Objects for deleted objects, see How To Restore deleted AD objects.

LDAP Search
Added option to limit the number of records returned.  Update Favorite Import to support import of multiple favorite in one go.
Updated the DNSProperty decode to support all data types.
Updated favorites variables to include ##root to specific the root DN of the forest.
Updated to support different Ordering OIDs on the sort field, see Sort for more details.
Certificate verification date format now based on regional settings.  When connecting using SSL it will now displays the SSL connection information.
Fixed intermittent exception error that could happen when using meta data attribute types.
Fixed bug in the getdn subst variable that could cause an exception.
LDAP Search Enum dialog - Updated context menu to allow selection of bit operator.
Define the enum DecodesType for GPOptions, ServerState, ForceLogoff.
Set DecodeType for AuditPolicy to DecodeType BIN.
Added DecodeType GMSAPWD.PWD_B and GMSAPWD.PPWD_B to display GMSA password in byte based binary output.

Object Count
Updated to save the count details, with subsequent counts shows the delta between the counts.

Object MetaData
Updated to also display the value of the value of the attribute and changed time to display local time.

Organization Structure
Fixed exception that can occur when multiple Left SD menu item selected.
Added additional logic to detect circular references.
Added an extra context menu item to display a separate window with the org structure.

Ping
Added option to specify the ICMP packet size used for the ping.

Permissions dialog
Added additional caching at the profile level to improve performance and reduce data requests. Also improves the performance of AD Permissions Browser,  and GPO explorer.
Added Inheritance details to the status bar.

Resolver
Updated test options so any entry is added to the resolver history.
Fixed columns update so blank attributes are shown correctly.

Schema Version
Updated to support Exchange 2019 CU11, CU12 & 2016 CU22, CU23.

SDProp
Updated to include support Service Managed Accounts and improved performance.

SID Converter
Updated to include icons for resolved names and now if a SID is not found, it will now check if the domain SID exists to confirm if the SID has been deleted or the domain is invalid.

Site Browser
Updated to displays bridgehead servers in the site settings view.
Added addition error reporting for Validate function and added DsBind test.
Subnets that are not linked to a site are shown as <not assigned>.

Token Size
Updated the connection to use the GC to correctly resolve cross forest groups and fixed bug were multiple entries in SIDHistory caused the token size to be calculated incorrect.

User Search
Fixed bug where from a child domain, the Use GC option didn't use the root of the forest for the search.

User Search dialog
Updated so if only one user account found and it matches the search, it automatically returns the single entry.

Predefined Queues
The follow queues have been updated:

AD: Invalid Pwd Change (All users)
AD: Invalid Pwd Change (Nominated user)
AD: List gMSA Accounts
AD: List MSA Accounts
AD: Restore Deleted User
AD: RootDSE Modify - Dump Database
Users: Invalid characters for O365
Users: Mail and UserPrincipalName different

How To Compare the Permissions of Two AD Objects

The permissions for a object in AD are stored in the ntSecurityDescriptor attribute, these permissions are used to control who can access the object.  When troubleshooting access issues, it is sometimes useful to be able to compare the permissions that are assigned to two different objects.  With v1.30.11 above there is now simple method to compare the permissions between two different objects.

The context menu in NetTools now provides two additional menu items to allow permissions of objects to be compared:

  • Select left SD to compare
  • Compare to 'left object' SD
Compare Menu Items

To compare the permissions or security descriptors (SD), select the first object and select the Select left SD to compare option, this will set the object as the left items.  Then find the second object you want to compare against, and then select the Compare to 'left name' SD option and the compare Permissions dialog box will be displayed.

Compare Permissions

Compare two user objects

The easiest method to compare two user objects is use the quick search option to find the first user, enter the user name in the quick search box and press enter, in this case we are searching for greynolds.

Quick Search

From the Search results, right click on the greynolds object and select the Select left SD to compare

Compare Left

If we search for the second user object, and then right click on the second user and select the Compare to 'Gary Reynolds' SD menu item and the Compare Permissions dialog will be displayed.

Compare SD Item

The comparison between the two objects will be displayed.

Compare Permissions Result

Click on the column header with a '*' to select options to filter the displayed ACEs.

Compare Permissions Options

Compare Other Objects

To compare objects other than users, use one of NetTools options to find the object you are looking for, i.e. LDAP Browser, LDAP Search, ACL Browser, GPO Explorer, etc.  all these options have the same context menus to allow to you to compare permissions against any other object.

See Comparing AD Permissions for more information

How To Import an AD Permissions Report Filter

The AD Permissions Reporter option provides the ability to export and import filters, this post provide details on how to import a filter.

This is a sample of a filter text

[Find Deny Permissions Assigned to a user]
Count=1
Options=18437
Rule1_Enabled=1
Rule1_Options=1280
Rule1_SDControl=0
Rule1_SDNotControl=0
Rule1_SDNullAcl=0
Rule1_Prompt=1
Rule1_Token=1
Rule1_Scope=12
Rule1_NotScope=0
Rule1_ACEType=2626
Rule1_ACEFlags=0
Rule1_ACENotFlags=0
Rule1_Perms=0
Rule1_NotPerms=0
Rule1_MatchRules=546

Here are the steps required to import the filter.

  1. Click on the Select button
  2. Click on the Import button
  3. Paste the filter into the dialog
  4. Click Add button
AD Permissions Reporter - Import Filter

Once the filter is imported the list will be updated, now select the new filter from the list.

AD Permission Reporter - Select Filter

How To Test GPOs as GPOTool.exe is no longer available

This feature is available in NetTools v1.30.10 beta and above

Previously included in the Windows 2003 Resource Kit there was simple tool called GPOTool.exe, which checked the status of the GPOs in a domain, this would check the consistency of the details between the AD and Sysvol and highlight a number of common problems.  As Windows 2003 Resource kit is no longer available for download from Microsoft, and this functionality hasn't been incorporated into any of the existing tools, there is no easy way to confirm the status of the GPOs in a domain.

Under the GPO Explorer in NetTools there is a test option that performs a similar suite of tests that were performed by GPOTool.exe.  There are two methods to test the status of the GPOs, either at the individually GPO level or at the domain level to test all GPOs.

The test covers the following items:

  • AD Replication
  • Sysvol Replication
  • Mismatching of AD and Sysvol versions
  • Compare object counts for both AD and Sysvol
  • Sysvol gpt.ini exists
  • Trustees that have apply GPO rights have permissions in Sysvol

Test an Individual GPO

When selecting a GPO in the GPO Explorer an tab called Testing is shown with the details of the policy, which allows you to test the selected GPO.  By default, the test will be run against all Domain Controllers in the domain, however, you are able to select which domain controllers will be be included in the test.  This allows you to deselect domain controllers that might be at the end of a slow link or are offline temporarily.   The server selection is on the test all GPO screen, see below.

GPO Testing Results - Individual

Test All or multiple GPOs at once

This option is found by select the root of the domain in the left hand pane, the Testing tab displays the domain controllers and GPOs in the domain.  The lists can be used to select which servers and GPOs will be included in the test .  The test provides to those who have used GPOTool.exe before, with a touch nostalgia, as the output is pretty must the same as GPOTool.exe.

GPO Testing Results

If an issue is found with the policies, the details of the policies on all domain controllers is displayed, or if Display Policy Details options is selected.

Failed Results

How To Display the RootDSE of an AD Domain Controller

In this post we will look at how to display the RootDSE of a domain controller using NetTools.

RootDSE is the root of the directory tree on a directory server. The rootDSE provides information about the directory server, and the details of the features and options that the server supports.

With NetTools it is a simple task to display the RootDSE, In NetTools if you navigate to the LDAP Search option.

To retrieve the RootDSE entry the name of the domain controller in the server field, ensure that the Base DN field is blank and then click on the Show Attributes for DN button.

Display RootDSE

This RootDSE will be displayed as shown below.

Attributes - RootDSE

How To Find Assigned Permissions in AD (v1.30.8+)

In this post we will look at how to find where a user or group have been assigned permissions in the AD, this is based on NetTools v1.30.8 or later.  For details using NetTools v1.30.7 or earlier see this post.

For this task we will use the AD Permissions Reporter option in NetTools, which will allow us to search the entire domain or a specific OU structure and report on any permissions that are assigned to the specified user or group.  As this will search every object in the AD, it's best to run this on a server or workstation that is on the same network segment as the Domain Controller, or on the Domain Controller itself.

First we need to find the user or group we are interested in, in the Quick Search box enter the name of the user or group and click the search button.  In this case we are searching for the user called greynolds.

Quick Search

The results of the search will be displayed in the User Search option, right click on the correct user or group from the list, and select Use With -> AD Permissions Reporter from the context menu.

Find Permissions

NetTools will switch to the AD Permissions Reporter option and start searching for selected user or group in AD.  Depending on the size of your AD this might take a while as it will read the permissions of every object in the domain context.  Once the search is complete all the objects that user or group have been assigned direct permissions will be displayed.

Find User's Permissions

By clicking on one of the objects listed in the left results pane you can view the permissions that have been assigned to the user or group.

It's also worth completing a search of the Configuration partition in case permissions have been assigned there as well.  This can be done by changing the Context field to Configuration NC and pressing Go.

How To Restore deleted AD objects

This feature is supported in NetTools v1.30.9 beta and above

With the introduction of Windows 2008 R2, a new feature called Active Directory Recycle Bin was introduced.  This feature allow you to restore objects that have been deleted by mistake or maliciously, without the need to do a restoration from backup and the AD authoritative restore.  For new forest installs of Windows 2008R2 and above, this feature is enabled by default, for forests were the domain controller have been upgrade, the feature has to be manually enabled.  To enable the Active Directory Recycle Bin see this page which has the details.

The only method that was originally provided to recovery delete object was through LDP, which requires multiple steps and configuration changes to be able to restore an object.

NetTools provides a simple method to restore single or multiple objects in a single operation.  This feature is incorporated in the LDAP Browser option.

To be able to restore a delete object you must meet the following prerequisites:

  • The recycle bin feature must be enabled
  • The recycle bin feature must have been enabled before the objects were deleted
  • Be a member of Domain Admins or equivalent

When an object is deleted it's moved to the Deleted Objects container, in the partition that the object existed.  This also means that objects that have been deleted from the Configuration, DomainDNSZones, and ForestDNSZones can be restored using NetTools.  When browsing the partitions with LDAP Browser the deleted object will be displayed in CN=Deleted Objects,<partiton dn>.

Deleted Objects Container

Objects that are listed in the Deleted Objects container can be restored by select the objects and right clicking and selecting Restore Objects from the context menu.

Context Menu - Restore Objects

The context menu option will open the Object Restore dialog, shown below.  When the dialog opens it will perform a number of validation checks of the selected objects, to ensure that the common issues are detected before the restore is attempted.

The Validation consists of the following checks:

  • If the object has been tombstoned
  • If the target parent container still exists
  • if the target parent container is deleted
  • If a new object with the same name has been created in the target parent

The objects that pass the validation will show a status of Good, for objects that fail these checks, the reason will be displayed in the status column and can't be restored. See Troubleshooting section for details on how to try and resolve these issues.

Object Restore - Validation

Once the validation is complete the results are shown at the bottom of the list of objects, and then the Restore button will be enabled.  By clicking the restore button, only the objects that are valid will be restored.

Object Restore - Restored

The context menu provides the standard option to review the restored objects.

Restoring A Deleted OU

If an OU has been deleted which contains multiple objects and child OUs, these can also be restored, however, the OU structure must be restored first, then followed by the object in the OU.  The simplest method to find objects that have been deleted from the same the OU, is to change the column displayed to include the LastKnownParent and WhenChanged

Change Columns

For this example, here are the details of the OU Structure that has been deleted.  Sorry about the names, it was an OU that was already created!

Deleted OU Structure

These are the steps needed to restore the OU structure

  • Restore the Parent OU
  • Restore any sub level OUs
  • Restore the child objects

Restore Parent OU

First you will need to restore the top level OU called Test5, sort the columns by the LastKnownParent column to make it easier to find the parent OU for Test5, in this case the root.

Object Restore - Parent OU

Restore the sub level OU

With the Parent OU restored it's now easier to find which objects were in the OU structure, as the LastKnownParent has now been updated, next restore any sub level OUs, in our example sub-OU has been restored.

Object Restore - sub level OU

Restore child Objects

Once the OU structure has been restored, we are ready to restore the objects from the OU structure, one things that we need to be conscious of, some objects may have been deleted previously and we don't want to restore these objects, using the WhenChanged column to help identify the objects we want to restore.

Object Restore - OUs Restored

Troubleshooting

This section provide somes some extra details of the possible error messages that can happen during the validation.

Object has tombstoned

The object was been delete grater than msDS-deletedObjectLifetime period and now the object has been tombstoned. The object has the IsRecycled attribute set to true.  Which means most of the attributes of the object have been removed and the object only exists to ensure replication is consistent between the domain controllers and the object can't be restored.

Parent Object is deleted

You are trying to restore an object to a parent object, but the parent object is currently deleted, restore the parent object first, then try restoring the child object.

Parent Object not found

Something has changed from selecting the object and running the validation, close the Object Restore dialog and try again.

Parent details not found

Failed to read the LastKnownParent attribute, confirm the attribute is set and try again.

Another object already exists

Since the object was deleted, another object with the same name has been created in the parent OU, either move or rename the new object so you can restore the deleted object.

Failed to get DN details

Failed to read the LastKnownParent or msDS-LastKnownRDN attributes, confirm these attributes are set and try again.

How To Display which Fine Grain Password Policy is applied

In this post we look at how to display which Fine Grain Password Policy (FGPP) is being applied to a user.

Fine Grain Password Policies were introducted in Windows 2008, and provide the ability to define different password policies that can be assigned to users or members of a group.  The assigned FGPP will take precedence over the default domain policy, and can be used to provide a different settings depending on your requirements, this could be used to have a more strict password policy for admin accounts.

The FGPP configuration is stored in a Password Security Object or PSO and multiple PSO can be created with different settings.  These are stored in the Password Settings Container under the default name context i.e CN=Password Settings Container,CN=System,DC=w2k12,DC=local.

A user can be assigned multiple FGPP, but only one will be active and used to control the user password requirements.  The msDS-PSOApplied attribute is used to list all the PSO that are assigned directly to user or group objects.  The msDS-ResultantPSO attribute is used to show which FGPP is being applied to the user.

NetTools is able to display the FGPP polices and which FGPP is allocated to a user. (Version 1.30.7 and above required)

If we search for a user using the Quick Search field on the toolbar.

Quick Search

From the search results if we double click on the user's account and open the AD properties dialog, the Logon tab, shows which Fine Grain Policy is being applied and the Fine Grain Password tab shows the settings of that policy.

AD Properties - Logon
AD Properties - FGPP