NetTools Basics

NetTools has a number of common features which are used throughout the program. This post provides details on some of these features.

AD or Server Connections

If NetTools is run on a machine that is joined to an AD domain, by default NetTools will connect to the domain controllers of that domain without needing to specify the server. It will also use the credentials of the user running NetTools to make the connection. If you want to connect to a specific domain controller, different domain, or use a different set of credentials, you use Connection Profiles.  See Connection Profiles for more details.

Server Lists
In most of the options there is a field to specify the server or domain; this field is used to enter a server name or to select a Connection Profile that the test will be run against.  The server and domain fields are optional: if no entry is provided, NetTools will either connect to the domain that the machine running NetTools is joined to, or use the default Connection Profile, if one has been defined.

Navigation
The toolbar is used to navigate the tests and access a number of features in NetTools.  The toolbar has both fixed buttons and user selected buttons.

The Back and Forward buttons allow you to move backwards and forwards between the tests you have used; this is useful if you select a linked option and want to go back to the previous test.  The Connection Profiles button opens the Connection Profiles dialog, which allows you to configure profiles that define the LDAP server, GC server, SSL, authentication, credentials and paging properties.  For more details see Connection Profiles.  The Resolver button opens the Resolve dialog, which lets you resolve different input types and provides a temporary scratch pad when investigating an issue.  For more details see Resolver.  The Help button opens the help page on the NetTools.net website for the selected test.  The Quick Search entry field provides a quick way to perform a search of the AD using the User - Search option.

Permissions
You don't need any specific permissions to run NetTools, only execute rights on the file system.  With a typical AD implementation a normal user can read most of the details in the AD; there are a few features that might need elevated rights, e.g. viewing deleted objects or the low level replication data shown in the Replication Queues option.  Where elevated permissions are required, this is noted on the corresponding option's web page.  The only other scenario where permissions can be an issue is when NetTools is run on a Domain Controller that has User Account Control (UAC) enabled: the results returned by the local Domain Controller will be reduced unless NetTools is executed with the Run as Administrator option.

Where to start
The number of options in NetTools can make it confusing where to start.  The best approach is to start with the Search option under Users, or use the Quick Search field; this lets you search the AD, at either the Forest or Domain level, for any object in the Active Directory, and from there the context menu options let you interrogate the returned objects.  See User Search.

To allow you to find your favourite options quickly, NetTools includes a Pin option, which adds a user-defined button to the toolbar so you can quickly select your commonly used options.  To pin an item, select the option, then right click on the option name and select Pin from the context menu; you will be prompted to select an icon for the button.  To remove a pinned item, simply right click on the button on the toolbar and select Remove.

Option Pinning

Option or test Linking
For a number of the tests the output from one can be used as the input for other tests and options: select the corresponding output entry and right click, and the context menu will display these options.  The User Search option has a number of linked options that are displayed under the Use With sub menu.

Copy and Paste
The outputs from the tests can be copied into other functions in NetTools or to external programs.  The Copy and Paste options are displayed in the right click context menus.  For table views it is possible to copy the data in a single column, the line, or the entire table.  When using the copy column option, the mouse position when the right click is pressed determines which column is selected.  For text based output fields it is possible to copy the text as with standard copy and paste.  Copy works with a single or multiple selected items; when copying, the details from all selected items are copied.  A number of keyboard shortcuts are defined: Ctrl+C copies the details from the column of the selected items, Ctrl+L copies all the details of the selected items, and Ctrl+T copies the entire contents of the table, including headers.  The Copy to new window context menu option copies the contents of the view to a new detached window, which provides additional sort and filtering options.  See Copy to new window.

Messages\Results pane
On most options, there is a lower pane, this pane is used to display any errors or status report from the execution.  Any error messages or codes returned by the APIs are displayed here.

Exporting Objects
There is the ability to export objects in LDIF file format, this is available from the context menus. See LDIF Export for more details.

Common Dialogs
NetTools has four common dialogs which are available from most context menus in the results and options.  These are the AD Properties, Attributes, Meta Data, and Permissions dialogs; they are usually listed at the bottom of the context menus as shown below.

Context Menu
AD Properties
Attributes
Meta Data
Permissions

Resolver
The Resolver dialog provides a scratch pad to temporarily store items that you are troubleshooting or investigating.  The Resolver dialog is accessed via the toolbar, and items can be added to it from the context menu, by pressing Ctrl+R, by manual entry, or by pasting a list of DNs, sAMAccountNames, email addresses, UPNs or display names.  From the Resolver dialog the NetTools options and tests can be selected from its context menu.

Resolver Context Menu

NetTools saved configuration
NetTools uses a single configuration file called NetTools.ini, which is used to save any user defined configuration or lists.  NetTools will try to read the configuration from the same location that the exe was executed from.

How To Display which Fine Grain Password Policy is applied

In this post we look at how to display which Fine Grain Password Policy (FGPP) is being applied to a user.

Fine Grain Password Policies were introduced in Windows Server 2008 and provide the ability to define different password policies that can be assigned to users or to the members of a group.  The assigned FGPP takes precedence over the default domain policy and can be used to provide different settings depending on your requirements, for example a stricter password policy for admin accounts.

The FGPP configuration is stored in a Password Settings Object (PSO), and multiple PSOs can be created with different settings.  These are stored in the Password Settings Container under the default naming context, e.g. CN=Password Settings Container,CN=System,DC=w2k12,DC=local.

A user can have multiple PSOs applied, directly or via group membership, but only one is effective and used to control the user's password requirements: a PSO linked directly to the user wins over one linked to a group, and among PSOs at the same level the one with the lowest msDS-PasswordSettingsPrecedence value wins.  The msDS-PSOApplied attribute lists all the PSOs that are assigned directly to a user or group object.  The msDS-ResultantPSO constructed attribute shows which FGPP is actually being applied to the user.

NetTools is able to display the FGPP policies and which FGPP is applied to a user (version 1.30.7 and above required).

First, search for the user using the Quick Search field on the toolbar.

Quick Search

From the search results, double click on the user's account to open the AD Properties dialog: the Logon tab shows which Fine Grain Password Policy is being applied, and the Fine Grain Password tab shows the settings of that policy.

AD Properties - Logon
AD Properties - FGPP
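The same resolution done from PowerShell, as an added example that is not part of NetTools or its documentation. It reads the constructed msDS-ResultantPSO attribute for the effective policy, and separately lists every PSO linked to the user or to any group in the user's nested membership chain, so you can see which candidates lost on precedence. It assumes the ActiveDirectory RSAT module and a DC reachable with the caller's credentials; the function name and the hypothetical user name in the usage line are mine.

```powershell
# Added example, not NetTools code: which FGPP applies to a user, and why.
Import-Module ActiveDirectory

function Get-UserEffectivePso {
    param(
        [Parameter(Mandatory)][string]$Identity,   # sAMAccountName, DN, or SID
        [string]$Server                            # optional: specific DC / domain
    )
    $ad = @{}
    if ($Server) { $ad.Server = $Server }

    # Neither attribute is returned by default; msDS-ResultantPSO is constructed
    # by the DC and is only populated when read directly from the user object.
    $user = Get-ADUser -Identity $Identity -Properties 'msDS-ResultantPSO', 'msDS-PSOApplied' @ad

    # Every PSO that is a candidate: linked to the user itself, or to any group
    # the user is in, nested groups included. LDAP_MATCHING_RULE_IN_CHAIN
    # (OID 1.2.840.113556.1.4.1941) makes the DC walk the chain for us.
    # (A DN containing '(' ')' '*' or '\' would need LDAP escaping here.)
    $candidates = @()
    foreach ($pso in $user.'msDS-PSOApplied') {
        $candidates += [pscustomobject]@{ LinkedTo = $user.SamAccountName; Via = 'user'; PSO = $pso }
    }
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" `
                          -Properties 'msDS-PSOApplied' @ad
    foreach ($g in $groups) {
        foreach ($pso in $g.'msDS-PSOApplied') {
            $candidates += [pscustomobject]@{ LinkedTo = $g.SamAccountName; Via = 'group'; PSO = $pso }
        }
    }

    # The winner is whatever the DC put in msDS-ResultantPSO (user link beats
    # group link, then lowest precedence, then lowest objectGUID). With no PSO
    # at all, the default domain policy governs the account.
    $resultantDn = $user.'msDS-ResultantPSO'
    $policy = if ($resultantDn) {
        Get-ADFineGrainedPasswordPolicy -Identity $resultantDn @ad
    } else {
        Get-ADDefaultDomainPasswordPolicy @ad
    }

    [pscustomobject]@{
        User              = $user.SamAccountName
        ResultantPSO      = if ($resultantDn) { $policy.Name } else { '(default domain policy)' }
        Precedence        = $policy.Precedence            # $null for the domain policy
        MinPasswordLength = $policy.MinPasswordLength
        PasswordHistory   = $policy.PasswordHistoryCount
        Complexity        = $policy.ComplexityEnabled
        MaxPasswordAge    = $policy.MaxPasswordAge
        LockoutThreshold  = $policy.LockoutThreshold
        CandidatePSOs     = $candidates                   # all links, including the losers
    }
}

# Usage (hypothetical account name):
# Get-UserEffectivePso -Identity 'greynolds' | Format-List
```

If CandidatePSOs lists a PSO that is not the ResultantPSO, compare the Precedence values: a lower number wins, and a PSO linked straight to the user beats any group link regardless of precedence. PSOs linked to distribution groups or to non-global groups are listed as candidates here but are ignored by the DC, which is a common reason a policy "does not apply".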

How To Find Assigned Permissions in AD

In this post we will look at how to find where a user or group has been assigned permissions in the AD.

For this task we will use the Find Assigned Trustee option in NetTools, which allows us to search the entire domain or a specific OU structure and report any permissions that are assigned to the specified user or group.  As this reads every object in the AD, it's best to run it on a server or workstation that is on the same network segment as the Domain Controller, or on the Domain Controller itself.

First we need to find the user or group we are interested in, in the Quick Search box enter the name of the user or group and click the search button.  In this case we are searching for the user called greynolds.

Quick Search

The results of the search will be displayed in the User Search option.  Right click on the correct user or group in the list and select Use With -> Find Trustee from the context menu.

Select Find Trustee menu option

NetTools will switch to the Find Trustee Assignment option and start searching for the selected user or group in the AD.  Depending on the size of your AD this might take a while, as it reads the permissions of every object in the domain context.  Once the search is complete, all the objects on which the user or group has been assigned direct permissions will be displayed.

Find Trustee Assignments

By clicking on one of the objects listed in the left results pane you can view the permissions that have been assigned to the user or group.

It's also worth completing a search of the Configuration partition in case permissions have been assigned there as well (for example on sites, site links, or the Extended Rights container).  This can be done by changing the Context field to Configuration NC and pressing Go.
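The same sweep scripted in PowerShell, as an added example that is not NetTools code. It walks every object under a base DN, reads the ACL through the ActiveDirectory provider, and reports the non-inherited ACEs whose trustee matches the target. The comparison is done on SIDs rather than names so that a renamed account still matches. It assumes the ActiveDirectory RSAT module, read access to the objects' security descriptors, and that Get-Acl on the AD: drive returns ActiveDirectoryAccessRule entries (it does, but the drive is bound to the logon domain, so a separate drive is created when a different server is named). The function name and the sample account in the usage line are mine.

```powershell
# Added example, not NetTools code: find every object where a trustee holds a
# direct (non-inherited) ACE, in the domain NC and optionally the Configuration NC.
Import-Module ActiveDirectory

function Find-AdTrusteeAssignments {
    param(
        [Parameter(Mandatory)][string]$Identity,   # sAMAccountName of the user or group
        [string]$SearchBase,                       # default: the domain naming context
        [string]$Server,                           # default: the logon domain's DC
        [switch]$IncludeConfiguration
    )
    $ad = @{}
    $drive = 'AD'
    if ($Server) {
        $ad.Server = $Server
        # Get-Acl needs a provider drive bound to the same server we query.
        New-PSDrive -Name TrusteeScan -PSProvider ActiveDirectory -Root '' -Server $Server -Scope Script | Out-Null
        $drive = 'TrusteeScan'
    }

    $rootDse = Get-ADRootDSE @ad
    $bases = @($(if ($SearchBase) { $SearchBase } else { $rootDse.defaultNamingContext }))
    if ($IncludeConfiguration) { $bases += $rootDse.configurationNamingContext }

    # Resolve the trustee to a SID once; ACE identities are compared as SIDs.
    $trustee = Get-ADObject -LDAPFilter "(sAMAccountName=$Identity)" -Properties objectSid @ad
    if (-not $trustee) { throw "Trustee '$Identity' not found" }
    $targetSid = $trustee.objectSid.Value

    foreach ($base in $bases) {
        # Every object in scope, including the base itself; Get-ADObject pages
        # the results, so this works on large partitions (slowly, as the post warns).
        Get-ADObject -SearchBase $base -SearchScope Subtree -LDAPFilter '(objectClass=*)' @ad |
        ForEach-Object {
            $dn  = $_.DistinguishedName
            $acl = Get-Acl -Path ("{0}:\{1}" -f $drive, $dn) -ErrorAction SilentlyContinue
            if (-not $acl) { return }                  # no read access to the SD
            foreach ($ace in $acl.Access) {
                if ($ace.IsInherited) { continue }     # direct assignments only
                $aceSid = $null
                try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
                if ($aceSid -ne $targetSid) { continue }
                [pscustomobject]@{
                    Object              = $dn
                    Type                = $ace.AccessControlType      # Allow / Deny
                    Rights              = $ace.ActiveDirectoryRights
                    ObjectType          = $ace.ObjectType             # property/extended-right GUID, or all-zero
                    InheritedObjectType = $ace.InheritedObjectType
                    AppliesTo           = $ace.InheritanceType
                }
            }
        }
    }
}

# Usage (hypothetical account):
# Find-AdTrusteeAssignments -Identity 'greynolds' -IncludeConfiguration | Format-Table -AutoSize
```

Two things to check in the output: a non-zero ObjectType GUID means the right is scoped to one property set or extended right (resolve it against CN=Extended-Rights,CN=Configuration,... or the schema), and an ACE with InheritanceType of Descendents only grants nothing on the object it sits on, which is why the NetTools effective-rights view can look different from this raw listing.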

How To Display the Meta Data of an AD object

In this post we look at how to use NetTools to display the replication meta data of an AD object.

Displaying the replication meta data of an AD object is a core capability, and it is available as a context menu item throughout NetTools.  See Basics and Meta Data Dialog for more details.

In this post we will look at the two most common scenarios: searching and browsing for the objects whose replication meta data you want to view.

Searching Method

The search option is best for common AD objects such as users, groups, computers, etc. that are in the default domain context.  If you want to view the meta data for an object that is in the schema, configuration, DNS, or AD LDS (ADAM) partitions, use the Browsing Method below.

To search for an object we can use the Quick Search field on the toolbar at the top of NetTools.  In the field enter the name of the object you want to find and click the search button.

In this case we are searching for the computer object for w2k19.  The Search screen will be displayed with the results of the search.

Search Results

If you right click on the required item and select the Meta Data menu item, the Meta Data dialog will be displayed.

Meta Data Menu
Meta Data Dialog

For more details on the Search option see User Search

Browsing Method

The advantage of the browsing method is that it lets you display the meta data for objects that are not in the default domain context and would not be found by the search method.  You can browse the required naming context: the configuration, schema and DNS partitions, or AD LDS (ADAM) partitions.  To use the browsing method, select the LDAP Browser option under LDAP in the left hand option selection pane.

LDAP Browser

Select the required partition from the drop down list in the DN field.

Select partition

You can select the root of a partition from the drop down list, or enter the required DN in the field, then click Go.  The view will be populated and you can browse the partition to find your object.  Right click the object in the navigation tree or the list view and select the Meta Data menu item to display the meta data of the selected object.

LDAP Browser - Meta Data Menu

This will show the replication Meta Data dialog.

Meta Data Dialog

For more details on the LDAP Browser option see LDAP Browser

How To Troubleshoot which GPOs have been applied

Sometimes it is not immediately obvious where to start when troubleshooting GPO delivery issues.  NetTools provides a number of features that let you confirm the GPO configuration in the AD and then verify which GPOs have actually been applied to the computer and user, by reading the results directly from the machine.

To start troubleshooting we need to find the computer in the Active Directory and confirm which GPOs should be applied to the machine.  In the Quick Search box enter the name of the computer that you want to troubleshoot.

Quick Search

In this case we are searching for W2k19, which is a domain controller; click on the search button.

Search Results

The search results will show all objects that match the search name.  Right click on the required item and select Use With -> GPO Allocation from the context menu.

GPO Allocation Menu

The view will change to the GPO Explorer and automatically navigate to the OU that contains the computer object.  It will also display which GPOs are linked to the OU.  In this view you can confirm which policy links are enabled and whether any WMI filters have been applied.

GPOs Applied

By clicking a policy, the details of the policy are displayed in a split screen, so you can review the settings or configuration without leaving the OU view.  While here, check the version numbers of the policy on the General tab: if the version number is zero, the policy will not apply, as the policy engine treats it as empty.

General
Scope
Settings
Security

The Inherited Policies tab shows which policies have been inherited down the OU structure and the order in which the policies will be applied.  This view also supports the split view capability.  Confirm that the policy you are troubleshooting is listed.

Now select the Content tab, which lists the objects that are in the OU.  If there are more than 2000 objects in the OU, you will need to adjust the Max Entries field to display more.

Find your machine in the list, right click on it and select GPO Results from the context menu.

GPO Results

This opens a separate window listing the policies that have been applied to the machine.  The icons indicate whether each policy was applied successfully: a green indicator means the policy was applied, a red indicator means it failed to apply.  Expanding a policy item shows the details of why it failed; the item with the red indicator is the reason the policy was not applied.

For the GPO Results to be displayed the machine must be on and connected to the network.

GPO Results

Once the GPO Results window is populated, use the Quick Search field on the main form to search for the user and repeat the steps to see the GPO Allocation for the user object.  You can expand the user's policies tree in the GPO Results window to see which policies were applied to the user.

For more details on the information displayed in the GPO Results window see the GPO Viewer page
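The same two checks from the GroupPolicy PowerShell module, as an added example that is not NetTools code. The first function answers "what should apply": it walks the inherited links down to the computer's OU and shows, per link, the things the walkthrough above says to look at (link enabled, computer-side version not zero, WMI filter, Block Inheritance). The second answers "what did apply" by pulling RSoP logging data from the machine, which must be on and reachable with admin rights, exactly as the post notes. It assumes the GroupPolicy and ActiveDirectory RSAT modules; the XML element names in the RSoP parser follow the gpresult report schema as I know it and are an assumption to verify against your own report. Function names and the sample computer name are mine.

```powershell
# Added example, not NetTools code: GPO allocation (from AD) vs GPO results (from the machine).
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-ComputerGpoAllocation {
    # What SHOULD apply: every GPO link inherited to the computer's OU, in order.
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName
    # Parent = DN minus its leading RDN; split on the first comma that starts a
    # new RDN so an escaped comma inside the CN does not break the split.
    $parent = ($computer.DistinguishedName -split ',(?=(?:OU|CN|DC)=)', 2)[1]
    if ($parent -match '^CN=') {
        # Objects in a container (e.g. CN=Computers) only get domain/site links.
        Write-Warning "$ComputerName is in container $parent; checking domain-level links only"
        $parent = ($parent -split ',(?=DC=)', 2)[1]
    }

    $inheritance = Get-GPInheritance -Target $parent
    if ($inheritance.GpoInheritanceBlocked) { Write-Warning "Block Inheritance is set on $parent" }

    foreach ($link in $inheritance.InheritedGpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId
        [pscustomobject]@{
            Order       = $link.Order
            GPO         = $link.DisplayName
            LinkedAt    = $link.Target
            LinkEnabled = $link.Enabled
            Enforced    = $link.Enforced
            Status      = $gpo.GpoStatus              # e.g. ComputerSettingsDisabled
            CompVersion = $gpo.Computer.DSVersion     # 0 => client skips the computer side as empty
            SysvolVer   = $gpo.Computer.SysvolVersion # mismatch with DSVersion => SYSVOL replication lag
            WmiFilter   = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '' }
        }
    }
}

function Get-ComputerGpoResults {
    # What DID apply, read from the target machine's RSoP logging data.
    param([Parameter(Mandatory)][string]$ComputerName)

    $path = Join-Path $env:TEMP ("rsop-{0}.xml" -f $ComputerName)
    Get-GPResultantSetOfPolicy -Computer $ComputerName -ReportType Xml -Path $path | Out-Null
    [xml]$rsop = Get-Content -Path $path -Raw

    foreach ($gpo in $rsop.Rsop.ComputerResults.GPO) {
        $applied = ($gpo.Enabled -eq 'true') -and ($gpo.IsValid -eq 'true') -and
                   ($gpo.FilterAllowed -eq 'true') -and ($gpo.AccessDenied -eq 'false')
        $reason  = if ($applied)                        { '' }
                   elseif ($gpo.AccessDenied -eq 'true') { 'security filtering' }
                   elseif ($gpo.FilterAllowed -ne 'true') { 'WMI filter' }
                   elseif ($gpo.IsValid -ne 'true')      { 'invalid or empty (version 0?)' }
                   else                                  { 'link disabled' }
        [pscustomobject]@{
            GPO     = $gpo.Name
            Applied = $applied
            Reason  = $reason
            Version = $gpo.VersionDirectory
            Link    = (@($gpo.Link) | ForEach-Object { $_.SOMPath }) -join '; '
        }
    }
}

# Usage (hypothetical host):
# Get-ComputerGpoAllocation -ComputerName W2k19 | Format-Table -AutoSize
# Get-ComputerGpoResults    -ComputerName W2k19 | Format-Table -AutoSize
```

Compare the two lists: a GPO present in the allocation but missing or not applied in the results is the one to chase, and the Reason column maps to the red indicator in the NetTools GPO Results window. Add -User to Get-GPResultantSetOfPolicy (and read $rsop.Rsop.UserResults.GPO) to repeat the exercise for the user half of the policy.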

Mapping Get-ADTrust attributes to the TDO Object

This post provides the details of the mapping between the attributes displayed by the Get-ADTrust PowerShell command and the attributes of the Trusted Domain Object (TDO).

Most of the properties returned by the Get-ADTrust command map to the trustAttributes attribute of the TDO object, so the table below shows which bits of trustAttributes map to the corresponding Get-ADTrust property.  The NetTools Mnemonic column has the name of the mnemonic that NetTools will display if this bit is set.

Get-ADTrust Parameter    | TDO Attribute                 | NetTools Mnemonic
-------------------------|-------------------------------|-------------------
Direction                | trustDirection                |
DisallowTransivity       | trustAttributes               | Non-Transitive
DistinguishedName        | DistinguishedName             |
ForestTransitive         | trustAttributes               | Forest Transitive
IntraForest              |                               |
IsTreeParent             |                               |
IsTreeRoot               |                               |
Name                     | Name                          |
ObjectClass              | ObjectClass                   |
ObjectGUID               | ObjectGUID                    |
SelectiveAuthentication  | trustAttributes               | Cross Organisation
SIDFilteringForestAware  | trustAttributes               | SSIDHistory
SIDFilteringQuarantined  | trustAttributes               | Quarantined
Source                   |                               |
Target                   | trustPartner                  |
TGTDelegation            | trustAttributes               | TGT Delegation
TrustAttributes          |                               |
TrustType                | trustType                     |
TrustedPolicy            |                               |
TrustingPolicy           |                               |
UsesAESKeys              | msDS-SupportedEncryptionTypes |
UsesRC4Encryption        | trustAttributes               | RC4 Encryption

This table shows the netdom command argument that is used to change the corresponding TDO attribute.

Get-ADTrust Parameter    | NetDom Parameter
-------------------------|-------------------
Direction                | twoway or oneside
ForestTransitive         | Transitive
SelectiveAuthentication  | SelectiveAuth
SIDFilteringForestAware  | SIDHistory
SIDFilteringQuarantined  | Quarantine
TGTDelegation            | EnableTgtDelegation

The Microsoft pages for the netdom command parameters and for the trustAttributes attribute document the individual flags, and the SID filtering page describes the SID filtering functionality and which SIDs will be filtered.

The screenshot below shows the enumeration values, or mnemonics, as defined in NetTools.

TrustAttribute
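To go the other way, from the raw TDO attributes back to the Get-ADTrust names, the added example below (not NetTools code) decodes trustAttributes, trustDirection, trustType and msDS-SupportedEncryptionTypes, and then flags the combinations that matter in a trust review: external trusts without SID filtering, forest trusts that honour SID history, trusts that allow TGT delegation, and trusts still keyed with RC4. The bit values are the TRUST_ATTRIBUTE_* constants from MS-ADTS and the Get-ADTrust name next to each one is my reading of the table above (IntraForest to WITHIN_FOREST is my addition, not from the table). The decode is pure arithmetic, so it runs on constructed values without a domain; the optional Get-TrustReview function needs the ActiveDirectory RSAT module. Function names are mine.

```powershell
# Added example, not NetTools code: decode a Trusted Domain Object.
$TrustAttributeBits = @(
    @{ Bit = 0x001; Flag = 'NON_TRANSITIVE';                           AdTrust = 'DisallowTransivity' }
    @{ Bit = 0x002; Flag = 'UPLEVEL_ONLY';                             AdTrust = '' }
    @{ Bit = 0x004; Flag = 'QUARANTINED_DOMAIN';                       AdTrust = 'SIDFilteringQuarantined' }
    @{ Bit = 0x008; Flag = 'FOREST_TRANSITIVE';                        AdTrust = 'ForestTransitive' }
    @{ Bit = 0x010; Flag = 'CROSS_ORGANIZATION';                       AdTrust = 'SelectiveAuthentication' }
    @{ Bit = 0x020; Flag = 'WITHIN_FOREST';                            AdTrust = 'IntraForest' }
    @{ Bit = 0x040; Flag = 'TREAT_AS_EXTERNAL';                        AdTrust = 'SIDFilteringForestAware' }
    @{ Bit = 0x080; Flag = 'USES_RC4_ENCRYPTION';                      AdTrust = 'UsesRC4Encryption' }
    @{ Bit = 0x200; Flag = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION';     AdTrust = '' }
    @{ Bit = 0x400; Flag = 'PIM_TRUST';                                AdTrust = '' }
    @{ Bit = 0x800; Flag = 'CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION'; AdTrust = 'TGTDelegation' }
)
$TrustDirectionNames = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'BiDirectional' }
$TrustTypeNames      = @{ 1 = 'Downlevel'; 2 = 'Uplevel'; 3 = 'MIT'; 4 = 'DCE'; 5 = 'AzureAD' }
$AesMask = 0x18   # msDS-SupportedEncryptionTypes: AES128-CTS (0x8) | AES256-CTS (0x10)

function ConvertFrom-TrustedDomainObject {
    param(
        [Parameter(Mandatory)][string]$TrustPartner,
        [Parameter(Mandatory)][int]$TrustAttributes,
        [int]$TrustDirection = 3,
        [int]$TrustType = 2,
        [int]$SupportedEncryptionTypes = 0   # attribute absent => 0 => RC4 only
    )
    $flags = @($TrustAttributeBits | Where-Object { ($TrustAttributes -band $_.Bit) -ne 0 })
    $names = @($flags | ForEach-Object { $_.Flag })

    $isForest = $names -contains 'FOREST_TRANSITIVE'
    $inForest = $names -contains 'WITHIN_FOREST'
    $usesAes  = ($SupportedEncryptionTypes -band $AesMask) -ne 0

    # Review heuristics (mine): each one is a setting a red team would look for.
    $findings = @()
    if (-not $isForest -and -not $inForest -and $names -notcontains 'QUARANTINED_DOMAIN') {
        $findings += 'external trust without quarantine: SID filtering is off (netdom /quarantine:no)'
    }
    if ($isForest -and $names -contains 'TREAT_AS_EXTERNAL') {
        $findings += 'forest trust honours SID history from the other forest (netdom /EnableSIDHistory:yes)'
    }
    if ($isForest -and $names -notcontains 'CROSS_ORGANIZATION') {
        $findings += 'forest-wide authentication: every user over there is Authenticated Users here'
    }
    if ($names -contains 'CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION') {
        $findings += 'TGT (unconstrained) delegation is allowed across the trust'
    }
    if (($names -contains 'USES_RC4_ENCRYPTION') -or -not $usesAes) {
        $findings += 'trust keys use RC4; no AES in msDS-SupportedEncryptionTypes'
    }

    [pscustomobject]@{
        Target        = $TrustPartner
        Direction     = $TrustDirectionNames[$TrustDirection]
        TrustType     = $TrustTypeNames[$TrustType]
        Flags         = $names
        GetADTrust    = @($flags | Where-Object { $_.AdTrust } | ForEach-Object { $_.AdTrust })
        UsesAESKeys   = $usesAes
        Findings      = $findings
    }
}

function Get-TrustReview {
    # Pull every TDO in the current domain and decode it (needs RSAT ActiveDirectory).
    Import-Module ActiveDirectory
    $system = 'CN=System,' + (Get-ADRootDSE).defaultNamingContext
    Get-ADObject -SearchBase $system -LDAPFilter '(objectClass=trustedDomain)' `
        -Properties trustPartner, trustAttributes, trustDirection, trustType, 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        ConvertFrom-TrustedDomainObject -TrustPartner $_.trustPartner -TrustAttributes $_.trustAttributes `
            -TrustDirection $_.trustDirection -TrustType $_.trustType `
            -SupportedEncryptionTypes ([int]$_.'msDS-SupportedEncryptionTypes')
    }
}

# Offline check with constructed values: a two-way external trust with quarantine
# cleared and TGT delegation enabled decodes to UPLEVEL_ONLY + ENABLE_TGT_DELEGATION
# and produces three findings (no quarantine, TGT delegation, RC4).
# ConvertFrom-TrustedDomainObject -TrustPartner 'partner.example' -TrustAttributes 0x802 | Format-List
```

Reading the Flags column against the table above gives the Get-ADTrust properties directly; the Findings column is the part worth acting on, since netdom can change each of those settings in place (the second table above lists the switches).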

How To: Display the time when members were added or removed from a group

Based on functionality in V1.30.3 and above

The standard AD tools don't expose the time when a member is added to or removed from a group, and the normal method is to use the security event log to retrieve these details.  However, this assumes that auditing was enabled when the change was made and that the security event log hasn't wrapped so the details are still available, which is not always the case.

There is another way to get this information that doesn't rely on auditing being enabled or on the size of the security event log.  AD keeps, in the replication meta data of group objects, the exact time when each membership change occurred; AD uses this information to replicate the changes to the other domain controllers in the domain or forest.  The replication meta data is not easily accessible with the standard AD tools, but NetTools has a simple feature that displays all the membership changes for a group, including the time they happened.  The time a member was added or removed is shown in the corresponding column.

Group Membership Changes

The option is available on the Members tab in the AD Properties dialog, at the bottom of the tab is the Changes button, when this is clicked a separate window is displayed with all the change details.

AD Properties - Group Changes
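The same replication meta data from PowerShell, as an added example that is not NetTools code and that serves both this post and the earlier "How To Display the Meta Data of an AD object" post. The first function returns the per-attribute meta data for any object by DN, which works for schema, configuration and application partition objects just like the NetTools browsing method. The second uses the per-value (linked value) meta data of the member attribute to list when each member was added, and for removed members when the link was deleted. It assumes the ActiveDirectory RSAT module and a Windows Server 2012 or later DC to query; meta data is read from one DC, so pass -Server deliberately when comparing replicas. Function names and the sample DNs are mine.

```powershell
# Added example, not NetTools code: replication meta data by DN, and group
# membership add/remove times from linked-value meta data.
Import-Module ActiveDirectory

function Resolve-TargetDc([string]$Server) {
    # Meta data differs per DC (local USNs, which DC originated a change), so a
    # specific server is better than this default when chasing a replication issue.
    if ($Server) { return $Server }
    return (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
}

function Get-ObjectReplicationMetadata {
    # Works for any partition: pass the DN of a schema, configuration, DNS or AD LDS object.
    param([Parameter(Mandatory)][string]$DistinguishedName, [string]$Server)
    $dc = Resolve-TargetDc $Server
    Get-ADReplicationAttributeMetadata -Object $DistinguishedName -Server $dc |
        Sort-Object LastOriginatingChangeTime -Descending |
        Select-Object AttributeName, Version, LastOriginatingChangeTime,
                      LastOriginatingChangeDirectoryServerIdentity,   # which DC made the change
                      LastOriginatingChangeUsn, LocalChangeUsn
}

function Get-GroupMembershipChanges {
    param([Parameter(Mandatory)][string]$Group, [string]$Server)
    $dc  = Resolve-TargetDc $Server
    $grp = Get-ADGroup -Identity $Group -Server $dc

    # -ShowAllLinkedValues returns one row per member link value, including
    # links that have been removed. A removed link carries a real
    # LastOriginatingDeleteTime; a live link carries the 1601-01-01 sentinel.
    # Removed links are garbage-collected after the tombstone lifetime, and
    # groups whose membership predates linked-value replication show no
    # per-member rows until the membership is next modified.
    Get-ADReplicationAttributeMetadata -Object $grp.DistinguishedName -Server $dc -ShowAllLinkedValues |
        Where-Object { $_.AttributeName -eq 'member' } |
        ForEach-Object {
            $removed = $_.LastOriginatingDeleteTime -and $_.LastOriginatingDeleteTime.Year -gt 1601
            [pscustomobject]@{
                Member   = $_.AttributeValue                   # DN of the member
                Added    = $_.FirstOriginatingCreateTime
                Removed  = if ($removed) { $_.LastOriginatingDeleteTime } else { $null }
                State    = if ($removed) { 'removed' } else { 'present' }
                Version  = $_.Version                          # >1 => added/removed more than once
                ByDC     = $_.LastOriginatingChangeDirectoryServerIdentity
            }
        } |
        Sort-Object Added
}

# Usage (hypothetical names):
# Get-ObjectReplicationMetadata -DistinguishedName 'CN=Sites,CN=Configuration,DC=w2k12,DC=local'
# Get-GroupMembershipChanges -Group 'Domain Admins' | Format-Table -AutoSize
```

When investigating a suspicious privilege change, the ByDC column is as useful as the timestamp: it names the DC the change originated on, which narrows down which host's logs (and which logged-on session) to look at next.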

NetTools v1.30.0

ASN.1 Viewer      
An option to display ASN.1 data structures, with support for DER, PEM, PKCS#7 and PKCS#12 file formats, and manual input in hex and base64 formats.  Includes support for common X.509 field types. See ASN.1 Viewer

DirSync      
An option to run an LDAP query with the DirSync server side control to display what changes have been made in the selected context. See DirSync

Domain Changes      
An option to display which objects have been changed, created or replicated to the domain controller, based on the objects with an updated uSNChanged attribute. See Domain Changes

Object Counts      
An option to count the number of different types of objects that exist under the selected OU structure.  Selectable object types for Users, Groups, Computers, Active Users, OU and all objects. See Object Counts

User's Membership    
An option to display a user's group membership, including nested groups and which group contributed to the user's groups. See User's Membership

General
Updated the icons and context menu icons.
Added additional command line options to allow an LDAP Search Favorite to be specified and run from the command line, /f:<favorite name>, e.g. NetTools "/f:AD: RootDSE".  The /Q option is also available, which causes NetTools to quit after the query has finished running.
Added a new Find feature to enable searching for items in the result.
Added Open Container context menu to open the parent container in LDAP Browser.
Added an LDIF Export option to the context menus to allow objects to be exported to a file in LDIF format.
Time and Dates now displayed based on locale and regional settings, LDAP Search Substitution input entries also use locale date format for entry.
Options that require a username (SamAccountName) entry, now display a user search dialog if the entered name is not found.

ACL Browser
Added Group Members and Group Manager options to the context menus.
Fixed intermittent exception error when copying multiple items.
Fixed a display issue associated with the member attribute and the add/remove self as member extended right.

AD Attributes
Updated to remove the dependency on the allowedAttributes attribute, so that objects from non-AD directories can be displayed.

AD Properties
Updated the TokenGroups tab to include the SID alongside the resolved name of each entry.  Also includes an option to use Absolute SID Resolution, which helps identify entries that come from SID History.
Updated Members tab to also display which members have been removed from the group and when.
Updated the object selector used to manage group membership to support a paste option, so multiple entries can be added to the selection list.  Supports DN, samaccountname, upn, email, and name, with any combination of these.
Added option on Logon tab to perform a Last Logon scan.
Added option to display organisation structure from Organisation Tab.
Updated the Members and MemberOf lists to include the samaccountnames of included objects

Base64
Updated to use dynamic buffers rather than static to allow for larger decodes.
Added option to decode output to file.
Added option to be able to display hex or base64 outputs in the ASN.1 viewer.
Improved the handling of extra whitespace in the data input.
Updated to support Hex stream data input format.

Compare Groups
Updated so it can compare both member and memberof attributes, so it can be used to compare the membership of groups as well as users.

Copy To Windows
Improved the performance when displaying large lists of items, and better indication to the user when the program is busy.

DsGetDcName
Updated the selectable options to include DS8, DS9, DS10, and Key Lists.
Updated the flags decode to display the full flags names, and added support for DS9, DS10, Key Lists.

DC Resolution
Updated the ports option to allow lists of ports to be defined and selected, simplifying the testing of different services.

GPO Explorer
Added AD Sites view with indication if policies are applied to a site.
Double click in the WMI filter viewer to display the policy details.
Added GPO Results to the context menu of the Content tab in the GPO Allocation view, to display which policies have been applied to the selected machine.
Updated to display the wireless and wired GPO settings.
Updated to display which client side extensions are assigned to the GPO.
Updated the Settings view for the registry items to display all the registry entries in the registry.pol as a single list, the option is available by clicking on the Settings item at the top of the registry tree.
Updated a number of context menus to include some of the standard options, which were missing.
Updated GPO List view to include the split screen option to display the selected GPO properties below the list.
Added context menu item to display all OUs that have block Inheritance enabled.
Added additional error handling for GPOs that don't have the display name set or that have gPLink attributes with an invalid format.

Last Logon Time
Added a cumulative logon count across all domain controllers, and the DN.
Added context menu option to input a new entry

LDAP Search
Conditional Attributes - updated logic so an attribute with no value set is also tested against the condition statement, e.g. location!=london will be true if no value is set.
Conditional Attributes - updated so the position of the wildcard character is significant: if the wildcard is placed at the beginning of the search criteria, e.g. *disable, then 'disable' will match anywhere in the attribute; if the wildcard is placed at the end of the search criteria, e.g. disable*, then a match only occurs if 'disable' is at the start of the attribute.
Conditional Attributes - the entered case of static entries is now preserved.
Custom Controls updated to allow data encoding type to be defined, data can now be defined as String or Integer encoded using BER encoding, or Non-BER encoded Integer.
Option to display server controls that are sent and returned as a hex dump and ASN.1 structure dump in the text output view, option is selected in the Manage Controls dialog.
Updated Search Statistics option to automatically change which sets of search stats are returned based on the domain controller functional level.
Updated Attributes field to also support the getdn substitution, so they can be used in the update queries.
Updated the MSTRUST DecodeType for the msds-TrustForestTrustInfo attribute to provide details of excluded routing suffixes.
Updated Filter processing to remove the case sensitivity of boolean expressions.
When the Display Results option is not selected with Update Queries, the attribute pre-read before updates is skipped, which significantly improves the performance when updating attributes with more than a few thousand values.
Updated REPS_INFO DecodeType, used by repsto and repsfrom attributes, to support V2 data structure format.
Updated file output logic, so when file output is selected and Display Results is not selected, the results are written to the file.  Fixed bug with single line option so all entries are now written to the file. Fixed bug with tab separated character.
Updated Use column with context menu to include add to Resolver.
Added new GPLINKS DecodeType to return a list of GPO DNs in the gplink attribute
Added a shift key function to disable html parser when pasting items in Input Mode.
Added new METAP DecodeType, used for the replPropertyMetaData attribute.

LDAP Search - Predefined Queries
The following predefined queries have been added:

AD: Schema Attributes ANR Indexed
AD: Schema Attributes Confidential
AD: Schema Attributes Constructed
AD: Schema Attributes in GC
AD: Schema Attributes Indexed
AD: Schema Attributes Not Replicated
AD: Schema Attributes Tuple Indexed

The following predefined queries have been updated:

GPOs: All
GPOs: All deleted
GPOs: Computer Targeted Policies
GPOs: Created in Last 30 Days
GPOs: Created in Last 60 Days
GPOs: Created in Last 7 Days
GPOs: Created in Last 90 Days
GPOs: Created Today
GPOs: Created Yesterday
GPOs: Deleted in the last 24 hours
GPOs: Deleted in the last 48 hours
GPOs: Modified in Last 30 Days
GPOs: Modified in Last 60 Days
GPOs: Modified in Last 7 Days
GPOs: Modified in Last 90 Days
GPOs: Modified Today
GPOs: Modified Yesterday
GPOs: Non Active
GPOs: Policies with a WMI Filter
GPOs: User & Computer Targeted Policies
GPOs: User Targeted Policies
GPOs: WMI Filters
Groups: All
SCCM: Management Points
SCCM: Site Boundaries
SCCM: Sites
Users: Active Users Who Haven't Logged On In Last x Days - user defined period
Users: Without Home Directory

Meta Data Dialog
Updated Value replication table to include local and originating USN details.

NetGroupEnum
Renamed the option to Local Groups.

Organisation Structure
Changed the default view to display reporting lines, including peers and direct reports as separate items.  The old tree view is still available as an option, as it is more useful in some scenarios.

Replication Queues
Updated authentication to use DsBindWithCred instead of DsBind, to allow the credentials from the Connection Profile to be used.

Resolver
Included a key shortcut to allow new entries to be manually entered using the Insert key.
Context menu updated to be object sensitive and will enable and disable options based on the object selected.
Display GPO Results added to the Use with context menu.
Fixed bug where the item count may be incorrect.
Updated to allow tracking of objects that have been opened or used with context menus
Added Object History option, so all object opened or linked via context menus are automatically added to the the Resolver list
Updated so each new entry added also records the server name.

SID Converter
Updated the output view to use a table view, to simplify the output and make it easier to copy details between options.
Added the option to display SID details from a Base64 format input.
Fixed bug where comma separated SIDs were not resolved correctly.

Schema Versions
Updated to include support for Exchange 2019 CU8, CU9 & CU10, and Exchange 2016 CU19, CU20 & CU21.

Schema History
Updated with details of SCCM, Mapi Lab, EMC schema extensions
Updated to display Unknown if the schema extension is not in the internal database.

Time Converter
Updated to display the time outputs in a table view.
The time and date input is now based on the locale time/date format.  The supported locale time/date formats are displayed in the supported formats section.

Token Size
Updated the size column to reflect the Token Size based on the MS algorithm to calculate Token Size.

User Search
Updated Use With context menu to include Local Groups option, to allow the local groups of member machines to be viewed.
Updated Use With context menu to include GPO Results on computer objects that are returned.
Updated icons so there is a separate icon for expired users
Updated to include an advanced option to allow searching of specific attributes on nominated object.

How To Find Active Directory Effective Rights

NetTools includes the ACL Browser option, which also allows you to see the effective rights for a nominated trustee, and provides the ability to change the trustee's group membership to assess the impact this has on the trustee's access to objects in the AD.  In this post we will look at how to use this option to view the effective rights of a user.

ACL Browser

To configure ACL Browser to show the Effective Rights we need complete the following steps.

How To Display Active Directory Effective Permissions

    Select the ACL Browser

    Open NetTools and select the ACL Browser option under Access Control in the left hand pane.

    Display AD Permissions

    Select the Connection Profile or server to connect to.  See Connection Profiles

    Select the Context you wish to view

    Click Refresh

    You can now navigate through the AD to see the permissions set on the objects

    Select Trustee

    To display the effective rights for a trustee, we need to select the trustee using the Trustee Information dialog, click on the Trustee button

    Trustee Information

    Press the Select button to select the Trustee, enter the name of the trustee, this can be a user, computer, or group.  The click Select.

    Select Trustee

    The Trustee Information dialog will be updated with the SIDs that user in a member of, this is the user's access token, this information will be used to determine the effective rights of the user.

    Trustee Information

    View Effective Rights

    The ACL list is now filtered showing only the permissions that will be applied to the trustee when they try to access the AD object.  In this example for the selected user only one effective permission is shown on the Computers folder and this will be applied to the user when they access the object.

    See the ACL Browser page for information on the icons and there meanings.

    ACL Browser - Effective Permissions

    Modelling Effective Rights

    One of the features of the Trustee Information dialog is that we can model changes to the trustees effective rights.  By using the add and remove buttons we can add or remove groups included in the trustee's access token, which is used to display the effective rights, this allows you to model how group  changes will impact Trustee's access.

    Trustee Information - Added Domain Admins

    In the example above, the access token of the Trustee has been modified to include the Domain Admins group. Below, the ACL Browser shows the effective permissions based on the updated access token for the Trustee. Now two permissions are shown based on the updated access token.

    ACL Browser - Effective Rights

    You can now browse the AD to see what rights the Trustee has on the objects in AD. To turn off the Effective Rights view, click on the Clear button in the Trustee Information dialog.
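    The filtering and modelling described above, as an added example that is not NetTools code: a simplified model of how an object's DACL is reduced to the ACEs that match a trustee's access token, and how adding a group to that token changes the effective rights. The SIDs, the ACL and the rights bits are constructed for the example; inheritance, object-type ACEs and owner rights are ignored.

```python
# Added example (not NetTools code): a simplified model of how the ACL Browser
# filters an object's ACL down to the ACEs that apply to a trustee's access
# token, and how adding a group to the token changes the effective rights.
# It ignores inheritance, object-type (property/extended-right) ACEs and
# owner rights, and assumes the ACL is in canonical order (deny before allow).
from dataclasses import dataclass

# Rights bits taken from the AD access mask (ADS_RIGHT_* values).
READ_PROP, WRITE_PROP, DELETE, GENERIC_ALL = 0x10, 0x20, 0x10000, 0x10000000

# Well-known and constructed SIDs used by the sample data below.
AUTH_USERS = "S-1-5-11"                  # well-known Authenticated Users
DOMAIN_ADMINS = "S-1-5-21-1-2-3-512"     # constructed domain SID + RID 512
USER_SID = "S-1-5-21-1-2-3-1105"         # constructed user SID
STALE_GROUP = "S-1-5-21-1-2-3-1200"      # constructed group the user is not in


@dataclass(frozen=True)
class Ace:
    trustee: str
    allow: bool      # False means an access-denied ACE
    mask: int


# Constructed DACL standing in for the "Computers" container in the walkthrough.
COMPUTERS_ACL = [
    Ace(STALE_GROUP, False, DELETE),          # deny delete to one group
    Ace(AUTH_USERS, True, READ_PROP),         # authenticated users can read
    Ace(DOMAIN_ADMINS, True, GENERIC_ALL),    # admins get full control
    Ace(STALE_GROUP, True, WRITE_PROP),
]


def effective_rights(acl, token):
    """Return (applicable ACEs, granted mask) for a trustee whose access token
    contains the SIDs in `token`. Walks the DACL in order: deny ACEs remove
    bits before a later allow ACE can grant them."""
    applicable = [ace for ace in acl if ace.trustee in token]
    granted = denied = 0
    for ace in applicable:
        if ace.allow:
            granted |= ace.mask & ~denied
        else:
            denied |= ace.mask
    return applicable, granted


def model_group_change(acl, token, add=(), remove=()):
    """Rebuild the token with groups added/removed, as the Trustee Information
    dialog does, and recompute the effective rights."""
    new_token = (set(token) | set(add)) - set(remove)
    return effective_rights(acl, new_token)
```

    With the user's own token only the Authenticated Users ACE applies (one permission, as in the walkthrough); adding Domain Admins to the token makes two ACEs apply.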

    How To: Clear the group membership for a list of users

    In this post we will look at how to remove the group membership of a number of users using the NetTools LDAP Search option. This action is typical of a user deprovisioning activity, where user accounts are moved to a separate OU and the group membership of the users is removed.

    We could also use LDAP Search to move the user objects to the OU, but we will assume that the user accounts are already in the target OU.

    To complete this operation we need to complete the following steps:

    Clear Group Membership Steps

      Get a list of groups that users are a member of

      First go to the LDAP Search option and click on the populate button.

      Populate

      Click on the OU Selector and select the OU that contains the users that need their group membership cleared.

      OU Selector

      The Base DN will be set to the required OU.

      To limit the scope of the query to only the users that are disabled and have group membership, change the filter to (&(objectclass=user)(useraccountcontrol|=2)(memberof=*))

      Set the Attributes field to memberof

      Change the Search Scope to either One Level or Subtree as required

      Click the More button

      Select the Single Line option - this will cause each of the user's group memberships to be displayed on a separate line

      You should have something like this:

      List Group Membership

      Click Go

      You should get a complete list of the group membership for all the users, with each group membership on a separate line in the table view.  The DN field is the DN of the user, and Memberof is the group that the user is a member of.

      Group List Output

      Remove users from groups based on list produced in step 1

      We are going to use the input mode functionality with an update query to remove the users from the groups. Group membership is stored in the member attribute of the group object, so the update query will target the groups and remove the users from each group.

      Right click on the table view and select the Table Input Mode or select Table Input in the options

      Input Mode

      The column headers will change to ##Input and ##Input2; the entries in the columns can now be used as input to the query. See Input Mode for more details.

      Change the Base DN field to read ##input2 - this will target the group based on the list of DNs in the ##input2 column in the table

      Input Mode Column Headers

      We now need to change the query to remove the users from the groups.

      Change the Filter to (objectclass=group)

      Change the Attributes field to member=-##input

      Change the Search Scope to Base Level

      Select the Enable Updates option; for more details see Update Queries.

      Deselect Display Results - this increases performance, as the remaining membership of each group will not be displayed.

      Remove Group Members

      With the Preview option selected click Go.

      Check all the entries to confirm that each line has a DN and member entry added. If one or both of these fields are missing on a line, it means that the group on that line doesn't exist. This shouldn't happen, as we have just exported the group membership, but someone else might have changed the group membership between the steps being run.

      Preview Results

      Once confirmed unselect the Preview option and click Go

      You will get a warning message, click Yes

      The member field will be changed to Updated if the user was successfully removed from the group; if the update failed, an error message will be displayed.

      Update Results

      The details in the table view can be copied and pasted into a spreadsheet to record what changes have been made. They can also be used to undo the changes. By changing the Attributes field to member=+##input and running the update query again, the users will be added back into the groups.

      NLTEST Flags – what does 0x20000 mean?

      When running the NLTEST /DSGETDC command against a domain controller that is Windows 2012R2 or later, the command will display the normal flags plus an extra flag called '0x20000', but what does the 0x20000 flag mean? First of all, it's not an error code. Microsoft added an additional feature to Windows 2012R2 and later DCs, but NLTEST hasn't been updated to display this flag correctly; even the Windows 2019 version doesn't have this flag defined.

      The results displayed by NLTEST /DSGETDC are the information returned by the DsGetDcName API; this information is defined in the DOMAIN_CONTROLLER_INFO structure.

      typedef struct DOMAIN_CONTROLLER_INFOA {
      LPSTR DomainControllerName;
      LPSTR DomainControllerAddress;
      ULONG DomainControllerAddressType;
      GUID DomainGuid;
      LPSTR DomainName;
      LPSTR DnsForestName;
      ULONG Flags;
      LPSTR DcSiteName;
      LPSTR ClientSiteName;
      } DOMAIN_CONTROLLER_INFOA, *PDOMAIN_CONTROLLER_INFOA;

      The Flags member has the following definitions in the dsgetdc.h file:

      #define DS_PDC_FLAG 0x00000001 // DC is PDC of Domain
      #define DS_GC_FLAG 0x00000004 // DC is a GC of forest
      #define DS_LDAP_FLAG 0x00000008 // Server supports an LDAP server
      #define DS_DS_FLAG 0x00000010 // DC supports a DS and is a Domain Controller
      #define DS_KDC_FLAG 0x00000020 // DC is running KDC service
      #define DS_TIMESERV_FLAG 0x00000040 // DC is running time service
      #define DS_CLOSEST_FLAG 0x00000080 // DC is in closest site to client
      #define DS_WRITABLE_FLAG 0x00000100 // DC has a writable DS
      #define DS_GOOD_TIMESERV_FLAG 0x00000200 // DC is running time service (and has clock hardware)
      #define DS_NDNC_FLAG 0x00000400 // DomainName is non-domain NC serviced by the LDAP server
      #define DS_SELECT_SECRET_DOMAIN_6_FLAG 0x00000800 // DC has some secrets
      #define DS_FULL_SECRET_DOMAIN_6_FLAG 0x00001000 // DC has all secrets
      #define DS_WS_FLAG 0x00002000 // DC is running web service
      #define DS_DS_8_FLAG 0x00004000 // DC is running Win8 or later
      #define DS_DS_9_FLAG 0x00008000 // DC is running Win8.1 or later
      #define DS_DS_10_FLAG 0x00010000 // DC is running WinThreshold or later
      #define DS_KEY_LIST_FLAG 0X00020000 // DC supports key list requests
      #define DS_PING_FLAGS 0x000FFFFF // Flags returned on ping
      #define DS_DNS_CONTROLLER_FLAG 0x20000000 // DomainControllerName is a DNS name
      #define DS_DNS_DOMAIN_FLAG 0x40000000 // DomainName is a DNS name
      #define DS_DNS_FOREST_FLAG 0x80000000 // DnsForestName is a DNS name

      As you can see, 0x20000 is defined in the include file as support for Key List Requests; see the Kerberos Protocol Extension [MS-KILE] section 2.2.11 for more info. NetTools includes this decode, and the result from the same server shows that Key List Requests are supported.
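      The decode described above, as an added example that is neither NetTools nor Microsoft code: it names every bit of a DsGetDcName Flags value that its table knows and reports any leftover bits as raw hex, which is why an NLTEST built without DS_KEY_LIST_FLAG prints a bare 0x20000. The flag names are shortened from the #define names above and the sample Flags value is constructed.

```python
# Added example (not NetTools or Microsoft code): decode the DsGetDcName Flags
# value the way NLTEST does, naming every bit it knows and showing any
# remaining bits as raw hex. Decoding with the table minus DS_KEY_LIST_FLAG
# reproduces the bare '0x20000' seen in NLTEST output; the full table names it.

# Bit values copied from the dsgetdc.h excerpt above, with the DS_ prefix and
# _FLAG suffix dropped (DS_PING_FLAGS is a mask, not a flag, so it is left out).
DS_FLAGS = {
    0x00000001: "PDC", 0x00000004: "GC", 0x00000008: "LDAP",
    0x00000010: "DS", 0x00000020: "KDC", 0x00000040: "TIMESERV",
    0x00000080: "CLOSEST", 0x00000100: "WRITABLE",
    0x00000200: "GOOD_TIMESERV", 0x00000400: "NDNC",
    0x00000800: "SELECT_SECRET_DOMAIN_6", 0x00001000: "FULL_SECRET_DOMAIN_6",
    0x00002000: "WS", 0x00004000: "DS_8", 0x00008000: "DS_9",
    0x00010000: "DS_10", 0x00020000: "KEY_LIST",
    0x20000000: "DNS_CONTROLLER", 0x40000000: "DNS_DOMAIN",
    0x80000000: "DNS_FOREST",
}
# Same table without DS_KEY_LIST_FLAG: what an un-updated NLTEST knows about.
LEGACY_FLAGS = {bit: name for bit, name in DS_FLAGS.items() if bit != 0x00020000}


def decode_dc_flags(flags, table=DS_FLAGS):
    """Return (known flag names in ascending bit order, leftover undefined bits)."""
    names = [name for bit, name in sorted(table.items()) if flags & bit]
    known = 0
    for bit in table:
        known |= bit
    return names, flags & ~known


def format_dc_flags(flags, table=DS_FLAGS):
    """Render the flags as a single line, raw hex for bits the table lacks."""
    names, unknown = decode_dc_flags(flags, table)
    parts = list(names)
    if unknown:
        parts.append(f"0x{unknown:X}")   # undefined bits are shown raw
    return " ".join(parts)


# Constructed value resembling a 2012R2-or-later writable GC/KDC in the closest site.
SAMPLE = (0x1 | 0x4 | 0x8 | 0x10 | 0x20 | 0x40 | 0x80 | 0x100 | 0x200
          | 0x1000 | 0x2000 | 0x4000 | 0x8000 | 0x10000 | 0x20000
          | 0x20000000 | 0x40000000 | 0x80000000)

if __name__ == "__main__":
    print("legacy table :", format_dc_flags(SAMPLE, LEGACY_FLAGS))
    print("updated table:", format_dc_flags(SAMPLE))
```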