NetTools Basics

NetTools has a number of common features which are used throughout the program. This post provides details on some of these features.

The toolbar is used to navigate the tests and access a number of features in NetTools.  The toolbar has both fixed button and user selected buttons.

The Back and Forward buttons allow you to move backwards and forwards between tests you have used, this is useful if you select a linked option and want to move back to the previous test.  The Connection Profiles button opens the Connection Profiles dialog, which allows you to configure profiles that defines, the server, SSL, authentication, credentials and paging properties.  For more details see Connection Profiles.   The Resolver button will open the Resolve dialog, which lets you resolve different input types.  For more details see Resolver.  The Help button opens the help page on the website for the selected test.  The Quick search entry field provides a quick entry method to perform a search of the AD using the User - Search option  

Where to start
The number of options in NetTools can make it confusing where to start.  The best approach is to start with the Search option under Users or use the quick search option, this allows you to search the AD, be it at the Forest or Domain level for any object in the Active Directory, from there the context menu options allows you to then interrogate the returned objects.  See User Search.

To find your favorite option quickly, NetTools includes a Pin option, which will add user defined button to the toolbar to allow you to quickly select your commonly used options.  To Pin an item, select the option, then right click on the option name and select the Pin from the context menu, you will be prompted to select an icon for the button.  To remove a Pinned item, simply right click on the button on the toolbar and select Remove.

Option or test Linking
For a number of the tests the output from one can be used as the input for other tests and options, by selecting the corresponding output entry and right clicking the context menu will display these options.  The Search option has a number of linking options that are displayed under the use with sub menu.

Copy and Paste
The outputs from the tests can be copied into other functions in NetTools or to external programs.  The Copy and Paste option are displayed in the right click context menus. For table views it's possible to copy the data in a single column, the line, or the entire table. When using the copy column option, mouse position when the right click is pressed, is used to define which column will be selected.  For text based output fields it's possible to copy the text as with standard copy and paste.  The Copy to new Window context menu option will copy the contains of the view to a new detached window, which provide additional sort and filtering options.  See Copy to new Windows

AD or Server Connections
To define the connection details for the AD or LDAP directory and credentials that will be used use the Connection Profiles.  See Connection Profiles

Server Lists
In most of the options there is a server or domain enter field, this is a dropdown list, which is used to select a saved server or the Connection Profiles.  From the right click context menu you can save the current name and also manage the lists.  A separate list is used based on the enter field name, i.e. Server, Domain, LDAP filters etc.  The server and domain fields are optional, if no entry is provided NetTools will either connect to the domain the machine running NetTools to joined to, or the default profile, if one has been defined.

Messages\Results pane
On most options, there is a lower pane, this pane is used to display any errors or status report from the execution.

NetTools saved configuration
NetTools uses a single configuration file called NetTools.ini, this is used to save any user defined configuration or saved lists.  NetTools will try to read the configuration from the same location as the exe from executed from.

Workaround for SmartScreen

When running NetTools on a Windows 10 machine, it can sometimes trigger the Microsoft Defender SmartScreen and block the execution of NetTools.  This is because NetTools is not signed and SmartScreen blocks apps that have been downloaded.  This is an example of the SmartScreen dialog that is be displayed.

To prevent SmartScreen from blocking NetTools, open the properties of NetTools.exe and check the Unblock option and click OK.

How Group Changes Works

This post provides a bit more detail on how the Group Changes option work and how it uses the lower level AD replication details to determine the the group changes, which includes what and when changes were made.  The Group Changes page has the basic information on how it works, here Group Changes 

There are a number of steps to get this information and then display the corresponding details of the group changes for the user.  The Group Changes option uses the Meta Data of groups to determine what changes have been made for a specific users, the Meta Data dialog allow you to displays the AD replication details for an object see Meta Data Dialog

Here is the the meta data dialog for a group called group3

The lower section of the dialog shows the changes to the member attribute, in this example it shows an entry for group1 and group2, the org time and delete time are used to determine what the last action was an addition or deletion from the member attribute.  When a object is added, only the org and create time have values set, and when the object is deleted from the member attribute the delete time value is also set.  In this case both the group1 and group2 have been deleted from group3 member attribute. 
The raw format of the msDS-ReplValueMetaData attribute is XML, this is a screenshot of the LDAP Search function displaying the attribute in it XML format. 

So while the data is available in the AD in XML format, this is not the easiest data format to use, luckily an number of AD Attribute support the binary option, see RFC4522 section 3.  By specifying the attribute as msDS-ReplValueMetaData;binary the DCs will return the data in a DS_REPL_VALUE_META_DATA_BLOB data structure which is much easier to handle from the programmatic point of view. See ds_repl_value_meta_data_blob

So now we are able are able to determine the membership changes that have been made to the group object, we just need to enumerate the replication data of all the groups under the specified BaseDN and display the changes associated to the specified user.


The Resolver feature provides a quick and easy way to search for objects in the AD.  The feature is launched from the toolbar by clicking on the Resolver button.

The Resolver allows you to copy and paste a list of name into the form and it will try to resolve the names against the AD, and display if they exist or not.  Once the names have been resolved the AD Properties, Attributes, Meta Data dialog  and Use With options are available via the context menu in the form.

The details that can be pasted into the form can be in any of the following format:

        • Distinguished Name
        • SID
        • email
        • User Principal Name (UPN)
        • SamAccountName
        • Name or Display Name

The details are searched in the same order as above, if there is no match after the above searches have been completed, it will perform an Ambiguous Name Resolution (ANR) search against the details.  The ANR search is the same search used by the User - Search feature, the search is across multiple indexes and can result in multiple results, if multiple entries are found, the the Resolves will display first entry returned and display an exclamation mark icon for the record. In this case it's best to search for that particular name using the User Search feature which will display all the records that matched the name. 

Any subsequent items pasted into the form to be resolved are added to the existing list, previous items are not cleared, unless they are cleared by the user via the context menu.

This dialog shows the resolved entries.

Details that have been resolved will have a green tick, while items that haven't will have a red cross.  For items where more than one match was found and exclamation mark will be displayed. The Resolver form also includes a context menu that allow you to interrogate the items that have been resolved.

The Update List context menu item causes the resolver thread to run again, and any items that have not been resolved will be searched again.

Circular References

The Circular Reference features is used to determine if there are any infinite loops in the group memberships.  These are examples of circular references, GroupA is a member of GroupB, and GroupB is a member of GroupA, or GroupA is a member of GroupB, GroupB is a member of GroupC and GroupC is a member of GroupA.  While circular references don't really cause much of an issue for AD, it can cause issues with programs that enumerate group members and support nested groups.  The main issue that circular references do cause is with the management and confusion on how a user received access to an item.

The feature will scan all the groups under the specified Base DN, and enumerate the membership of all the groups under the Base DN to determine if there are any circular references.  The depth of the nested groups that is scanned is defined by the Depth field.  By default the results will display any occurrence of a circular reference is found in the nested groups.  If the Start of circular reference only option is selected, then only when the groups that are causing the circular reference will be displayed.

In the above example, with Start of circular reference only option is not selected then it will display all the groups that have a circular reference in the nested groups:

However, with the Start of circular reference only option is selected, then only the groups that cause the circular reference are returned:

The context menu include an additional item to enable you to display the complete inheritance of the selected group, for both the member and memberof attributes. 

Here is an example of group inheritance, any circular references are highlighted with a red group icon.

Connection Profiles

By default NetTools will use the domain the workstation is joined to define the AD it talks to and the user context that NetTools is executed under to provide the credentials used to access the AD.  In most case this is sufficient, however, there are a number of scenario where you might want to connect to different AD or use a different set of credentials, Connection Profiles provide this ability.  

Multiple Connection Profiles can be defined, that can be used to select different domains, specify the domain controller, different credentials, different authentication method, AD paging and page size, or SSL binds.  Once Connection Profiles are defined they can be selected on per feature basis or a Connection Profile can be set as default and that Connection Profile will be used if no server or profile is selected.

If no profiles are defined then NetTools will continue to use the default domain of the workstation and credentials of the user context executing NetTools when connecting the AD.

The Connection Profiles dialog is access via the toolbar:

This is the Connection Profiles dialog

New profiles are created click on the New button, you will be prompted to enter a name for the new profile.  Once a profile is selected the Server and Credentials options will be enabled.
The Remove button will delete the selected profile.
The Default button is used to the selected which profile will be used by default if the Server field on the NetTools test\option is left blank.  If the selected profile is already set to be the default profile, clicking Default again will be cleared as the default.
The Clear Credentials button is used to clear cached passwords, and when a profiles that prompts for a password is used, you will be prompted to provide the password.
The Save button is used to save any changes made to the profile, if you forget to save changes when changing between profiles or closing the dialog you will be prompted to save your changes.

The Server tab defines the connection details to the AD and the connection type to be used. 

The Server field specifies the name of the server that NetTools will connect to.  If the AD being accessed is the same AD as the workstation is joined to, this can be blank and NetTools will use the default AD name resolution to find a domain controller. Or it can be the FQDN of the AD domain and forest, and as a long as name  can be resolved, it will connect.
By default the Port is set to 389, this can be changed to reflect the requirements of the AD, AD LDS or LDAP directory you are connecting to. 
The SSL Bind specifies if the connection will use SSL encryption for the traffic, when SSL Bind is selected the Port will automatically change to 636, however, this can be changed if required.
The Verify Certificate option defines if the server certificate that is used during the bind is validated or not, with this option selected the certificate is validated by the default Microsoft revocation process.  When this option is not selected the certificate is not verified and the certificate is accept without any form of validation, and a certificate with issues will also be accepted. 
The Paging option define if the paging server side control is used when performing queries against the AD. If this option is not selected then the number of items returned will be limited to MaxPageSize entry as defined the Query Policy applied to the domain controller. The Page Size defines the number of records that will be returned in each page request.  It's recommended to leave Paging enabled when connecting to Microsoft AD or AD LDS directories.

The Bind Type specifies the bind method and if credentials are required.
The Current user's credentials option will use the LDAP_AUTH_NEGOTIATE authentication method and the current credentials used to execute NetTools. 
The Bind with Credentials option will bind with the LDAP_AUTH_NEGOTIATE authentication method and use the credentials provided in the Credentials section
The Advanced Bind type option allow you to specify the bind\authentication method that will be used when connecting to the directory.  The available bind types are listed below, some of which may require additional security packages to be installed for them to be used:

LDAP_AUTH_SIMPLE this method requires the DN of the account and password, domain is not required
LDAP_AUTH_DIGEST Digest authentication package
LDAP_AUTH_DPA Distributed password authentication. Used by Microsoft Membership System
LDAP_AUTH_MSN Microsoft Network Authentication Service
LDAP_AUTH_NTLM this method uses NTLM to authenticate against the directory
LDAP_AUTH_SICILY covers package negotiation to MSN servers
LDAP_AUTH_DIGEST this method requires the samaccountname and password
LDAP_AUTH_NEGOTIATE this method requires either, samaccountname or UPN and password, the domain is optional
ANONYMOUS the username and password are not required

The Credentials options are enabled based on the Bind Type selection and provide the ability to specify different Credentials.


NetTools doesn't save passwords to permanent storage, they are only cached in memory for the duration that NetTools is running.  In the Connection Profiles, there is no option to enter the password, if a password is required then the Prompt for Password option must be selected.  Then when the profile is used and a password is required, you will be prompted to provide the password (the dialog below will be displayed).  The password provided is encrypted and stored in memory and the cached password will be used if the profile is used again.  If the password entered causes an invalid credential error when connecting to the server, the cached password is cleared and you will be prompted to enter the password again the next time the profile is used.

When a profile is changed and saved, the cached password associated to the profile is cleared and you will be prompted for the password when the profile is next used.

You can use the Clear Credentials button to clear the password associated to all profiles.

Using Connection Profiles

Once the Connection Profiles have been created, you can select the required profile from the server or domain field dropdown lists on each of the NetTools Options.  The servers or domains that have been saved are displayed first, then under the Profiles tag, the list of profiles are displayed.  If default profile has been setup, then if the server field is left blank then the default profile will be used.  In the screenshot below the Profiles: New, Test, admin, and local are displayed.

The following NetTools options do not uses Connection Profiles:

        • DsGetDcName
        • NetGetDcName
        • LDAP Ping
        • LSA Trust

NetTools V1.28.0

NetTools V1.28.1 - minor fix in LDAP Browser

NetTools no longer uses the ADSI APIs, all queries against the AD now only use the LDAP API, this provides a small performance increase but more importantly it provides consistency across all features.
The toolbar is now always displayed at the top of NetTools, and includes buttons for navigation, Connection Profiles, Resolver and Help and quick search by default, Pin items are displayed to the right of these buttons.

Connection Profiles  *** New ***
With previous versions of NetTools, it would use the current user's credentials and domain join information of the workstation running NetTools to authenticate and select the directory that would be interrogated and there were only a few features that supported the use of different credentials via the Use LDAP Search Credentials option.  This version introduces a new feature called Connection Profiles, which adds the extra capability to define the server connection and credentials that will be used by the tests and features and provides a common method to define and access the AD across all tests.  See Connection Profiles.

Circular References  *** New ***
A new feature to test if there are any infinite loops in your group memberships. See Circular References

Resolver *** New ***
A quick way to search for a single or multiple items, just copy and paste a a single or list of items that you want to find, and it will search the AD for the items and display if they exist in the directory or not.  The copy and pasted list can be displayname, samaccountname, DN, SID, UPN, or email address.  See Resolver

AD Properties Dialog
Added an extra tab to display the TokenGroups for user and computer objects

A complete rewrite of the function from ADSI to LDAP API

Compare Objects
Updated to include the NTSecurityDescriptor attribute 

LDAP Browser
Added an additional feature to display the attribute values as a hex dump
Fixed issue with the filter limiting the number of items displayed (v1.28.1)

LDAP Search
Table view context menu updated to include a Use Column with option to allow data in the column for common dialogs
Removed the Credential option, you now use Connection Profiles to specific different credentials and authentication methods
Updated Tab views so selected items count on the status bar is updated when a tab is selected

A complete rewrite of the function from ADSI to LDAP API

NetTools V1.27.7

A new Pin context menu option is available in the left hand option selector, which is used to create shortcut buttons for your commonly used options.  See Basics
Default Copy to clipboard shortcut key has been changed to Ctrl-C, to align with standard copy and paste keys. now in any of the table views if one or more rows are selected and Ctrl-C is pressed, contents of the column directly under the cursor is copied to the clipboard

AD Properties
Updated to display Kerberos DES-CDC-CRC, DES-CDC-MD5, RC4 encryption options
Updated to use the LDAP enum decode function so attribute decodes are common across all dialogs 

Compare Objects
Added a Compare Values context menu option which displays a visual side by side comparison of the values with the difference highlighted. See Compare Objects

LDAP Browser
Fixed bug in LDAP browser, where intermittently it would display the attribute values twice

LDAP Search
Updated the LDAP Session options to fix a bug with the GetDsName flags
Updated enums to support LargeInteger (int64) values
Updated the MsExchRecipientTypeDetails, msExchRemoteRecipientType, msExchModerationFlags, and MsExchRecipientDisplayType enums with O365 values
Updated the OmSyntax enums values 
Added new Base64 Decode Type, to allow attribute values to be outputted in base64 format

RID Pool
Added an extra column to display the number of RID that are left in the pool for each domain controller


the Base64 option provides the ability to encode and decode different data into and from base64 encoding.  This is useful when creating LDIFDE input files which use Base64 for the GUID or just encoding data to be send via email.

The pane is free text entry form, you just need to enter the data you want to encode, highlight the text you want to encode and then right click and select require Encode from option and select the input data type and it will be encoded it in base64.  To decode a base64, just copy and paste the base64 encode text into the pane, then highlight the encoded text and the required decode to option.

These are the menu options that are available:

Generate GUID - using the Windows API this will generate a unique GUID
Text - will encode from text to base64 or base64 from to text
GUID - will encode a GUID to base64, the text GUID is converter to Hex before its encoded, or base64 to text GUID
Hex - Encode a hex text to Base64, or from base64 and dump the decoded data in Hex

This shows a sample text being encode to Base64:

This shows the previously encoded text being decoded:

Now this is decoding a base64 encoded text to Hex:

This shows a number of GUID that have been generated and the last entry is encoded to base64 and then decoded to Hex:

AD Subnets

AD Subnets allow you to query the AD to see which site a single or multiple IP addresses have been assigned to.  For a single IP address enter the IP into the IP Address field and click Go and results will be display.  If you have multiple IP addresses that you need to check, you can copy and paste the list of IP addresses in the results pane and NetTools will check and display the results for each IP addressed that is pasted.  


The Site ISTG option is used to display which DC are performing the Inter-site topology generator in the domain.   When the Go button is pressed the sites of AD site and corresponding DC is displayed.

For more information on ISTG see here