Featured post

NetTools Basics

nettools

NetTools has a number of common features which are used throughout the program. This post provides details on some of these features.

Navigation
The toolbar is used to navigate the tests and access a number of features in NetTools.  The toolbar has both fixed button and user selected buttons.

The Back and Forward buttons allow you to move backwards and forwards between tests you have used, this is useful if you select a linked option and want to go back to the previous test.  The Connection Profiles button opens the Connection Profiles dialog, which allows you to configure profiles that defines, the LDAP server, GC server, SSL, authentication, credentials and paging properties.  For more details see Connection Profiles. The Resolver button will open the Resolve dialog, which lets you resolve different input types and provides a temporary scratch pad when investigating an issue.  For more details see Resolver.  The Help button opens the help page on the NetTools.net website for the selected test.  The Quick search entry field provides a quick entry method to perform a search of the AD using the User - Search option.

Where to start
The number of options in NetTools can make it confusing where to start.  The best approach is to start with the Search option under Users or use the quick search option, this allows you to search the AD, be it at the Forest or Domain level for any object in the Active Directory, from there the context menu options allows you to then interrogate the returned objects.  See User Search.

To allow you to find your favorite option quickly, NetTools includes a Pin option, which will add user defined button to the toolbar to allow you to quickly select your commonly used options.  To Pin an item, select the option, then right click on the option name and select the Pin from the context menu, you will be prompted to select an icon for the button.  To remove a Pinned item, simply right click on the button on the toolbar and select Remove.

Option Pinning

Option or test Linking
For a number of the tests the output from one can be used as the input for other tests and options, by selecting the corresponding output entry and right clicking the context menu will display these options.  The User Search option has a number of linked options that are displayed under the use with sub menu.

Copy and Paste
The outputs from the tests can be copied into other functions in NetTools or to external programs.  The Copy and Paste option are displayed in the right click context menus. For table views it's possible to copy the data in a single column, the line, or the entire table. When using the copy column option, mouse position when the right click is pressed, is used to define which column will be selected.  For text based output fields it's possible to copy the text as with standard copy and paste. The Copy works with a single or multiple selected items, and when copying the details from all selected items is copied. A number of keyboard shortcuts are defined, Ctrl+C will copy the the details of from the column of the select items, Ctrl+L will copy all the details of the selected items, Ctrl+T will copy the entire contents of the table, include headers. The Copy to new Window context menu option will copy the contains of the view to a new detached window, which provide additional sort and filtering options.  See Copy to new Windows

AD or Server Connections
To define the connection details for the AD or LDAP directory and credentials that will be used use the Connection Profiles.  See Connection Profiles

Server Lists
In most of the options there is a field to specify the server or domain, this field also has a dropdown list, which is used to select a user defined entry or the Connection Profiles.  From the right click context menu you can save the current name and also manage the lists.  A separate list is used based on the enter field name, i.e. Server, Domain, LDAP filters etc.  The server and domain fields are optional, if no entry is provided NetTools will either connect to the domain the machine running NetTools to joined to, or the default profile, if one has been defined.

Messages\Results pane
On most options, there is a lower pane, this pane is used to display any errors or status report from the execution.  In most cases the error messages are what is returned by the API.

Exporting Objects
There is the ability to export objects in LDIF file format, this is available from the context menus. See LDIF Export for more details.

Common Dialogs
NetTools has three common dialogs which are available from most context menus in the test and options.  These are the AD Properties, Attributes, and Meta Data dialogs, these are usually listed at the bottom of the context menus as shown below.

Context Menu
AD Properties
Attributes
Meta Data

Resolver
The Resolver dialog provides a scratch pad to temporary store items that you are troubleshooting or investigating. The Resolver dialog is accessed via the toolbar and items can be added to the dialog either from the context menu, pressing Ctrl+R, manual entry, or pasting a list of DN, samaccountname, email, upn or displaynames.  From the Resolver dialog the NetTools options and test can be selected from the context menu in the Resolver dialog.

Resolver Context Menu

NetTools saved configuration
NetTools uses a single configuration file called NetTools.ini, this is used to save any user defined configuration or lists.  NetTools will try to read the configuration from the same location as the exe from executed from.

How To Find Active Directory Effective Rights

NetTools includes the ACL Browser option, which also allows you to see the effective rights for a nominated trustee, it also provides the ability to change the trustees rights to assess the impact this will have trustees access to objects in the AD.   In this post we will look at how to use this option to view the effective rights of a user.

ACL Browser

To configure ACL Browser to show the Effective Rights we need complete the following steps.

How To Display Active Directory Effective Permissions

    Select the ACL Browser

    Open NetTools and select the ACL Browser option under Access Control in the left hand pane.

    Display AD Permissions

    Select the Connection Profile or server to connect to.  See Connection Profiles

    Select the Context you wish to view

    Click Refresh

    You can now navigate through the AD to see the permissions set on the objects

    Select Trustee

    To display the effective rights for a trustee, we need to select the trustee using the Trustee Information dialog, click on the Trustee button

    Trustee Information

    Press the Select button to select the Trustee, enter the name of the trustee, this can be a user, computer, or group.  The click Select.

    Select Trustee

    The Trustee Information dialog will be updated with the SIDs that user in a member of, this is the user's access token, this information will be used to determine the effective rights of the user.

    Trustee Information

    View Effective Rights

    The ACL list is now filtered showing only the permissions that will be applied to the trustee when they try to access the AD object.  In this example for the selected user only one effective permission is shown on the Computers folder and this will be applied to the user when they access the object.

    See the ACL Browser page for information on the icons and there meanings.

    ACL Browser - Effective Permissions

    Modelling Effective Rights

    One of the features of the Trustee Information dialog is that we can model changes to the trustees effective rights.  By using the add and remove buttons we can add or remove groups included in the trustee's access token, which is used to display the effective rights, this allows you to model how group  changes will impact Trustee's access.

    Trustee Information - Added Domain Admins

    In this example above, the access token of the Trustee has been modified to include the Domain Admins group.  Below is the ACL Browser is showing the effective permissions based on the updated access token for the Trustee.  Now two permissions are shown based on the updated access token.

    ACL Browser - Effective Rights

    You can now browser the AD to see what rights that the Trustee has on the objects in AD.  To turn off the Effective Rights view, click on the Clear button in the Trustee Information dialog.

    How To: Clear the group membership for a list of users

    In this post we will look at how to remove the membership of a number of users using the NetTools LDAP Search option. This action is typical in a user deprovisioning activity where user accounts are moved to a separate OU and group membership of the users are removed.

    We could also use LDAP Search to move the user objects to the OU as well, but we will assume that the user accounts are already in the target OU.

    To complete this operation we need to complete the following steps:

    Clear Group Membership Steps

      Get a list of groups that users are a member of

      First go to the LDAP Search option and click on the populate button.

      Populate

      Click on the OU Selector and select the OU that contains the users that need their group membership cleared.

      OU Selector

      The Base DN will be set to the required OU.

      To limit the scope of the query to only the users that are disabled and have group membership, change the filter to (&(objectclass=user)(useraccountcontrol|=2)(memberof=*))

      Set the Attributes field to memberof

      Change the Search Scope to either One Level or Subtree as required

      Click the More button

      Select the Single Line option -  this will cause each of the user’s group memberships to be displayed on a separate line

      You should have something like this:

      List Group Membership

      Click Go

      You should get a complete list of the group membership for all the users, with each group membership on a separate line in the table view.  The DN field is the DN of the user, and Memberof is the group that the user is a member of.

      Group List Output

      Remove users from groups based on list produced in step 1

      We are going to use the input mode functionality with an update query to remove the users from the groups.  As users are added to groups, so the update query will target the groups and remove the users from each group.

      Right click on the table view and select the Table Input Mode or select Table Input in the options

      Input Mode

      The column headers will change to ##Input and ##Input2, the entries in the columns can now be used as input to the query.   See Input Mode for more details.

      Change the Base DN field to read ##input2 -  which will target the group based on the list of DNs in the ##input2 column in the table

      Input Mode Column Headers

      We now need to change the query to remove the users from the groups.

      Change the Filter to (objectclass=group)

      Change the Attributes field to member=-##input

      Change the Search Scope to Base Level

      Select the Enable Updates options, for more details see Update Queries.

      Deselect the Display Results – this is to increase performance, the remaining membership of the group will not be displayed.

      Remove Group Members

      With the Preview option selected click Go.

      Check all the entries to confirm that each line has a DN and member entry added.  If one or both of these fields are missing on a line, it means that, the group on that line doesn’t exist.  This shouldn’t happen as we just exported the group membership, but someone else might have changed the group membership between the steps being run.

      Preview Results

      Once confirmed unselect the Preview option and click Go

      You will get a warning message, click Yes

      The member field will be changed to Updated if the user was successfully removed from the group, if the update failed an error message will be displayed.

      Update Results

      The details in the table view can be copied and pasted into a spreadsheet to record what changes have been made.  It can also be used to undo the changes that have been made.  By change the Attributes field to member=+##input and running the update query again, the users will be added back into the groups.

      NLTEST Flags – what does 0x20000 mean?

      Requires NetTools 1.29.31 beta or later

      When running NLTEST /DSGETDC command against a domain controller that is Windows 2012R2 or later, the command will display the normal flags plus an extra flag called '0x20000', but what does the 0x20000 flag mean.  First of all it's not an error code, Microsoft have added an additional feature to Windows 2012R2 and later DCs, but NLTEST hasn't been updated to display this flag correctly, even the Windows 2019 version doesn't have this flag defined.

      The results deplayed by NLTEST /DSGETDC is the information returned by the DsGetDcName API, this information if defined in the DOMAIN_CONTROLLER_INFO structure.

      typedef struct DOMAIN_CONTROLLER_INFOA {
      LPSTR DomainControllerName;
      LPSTR DomainControllerAddress;
      ULONG DomainControllerAddressType;
      GUID DomainGuid;
      LPSTR DomainName;
      LPSTR DnsForestName;
      ULONG Flags;
      LPSTR DcSiteName;
      LPSTR ClientSiteName;
      } DOMAIN_CONTROLLER_INFOA, *PDOMAIN_CONTROLLER_INFOA;

      The Flags member has the following definitions in the dsgetdc.h file

      #define DS_PDC_FLAG 0x00000001 // DC is PDC of Domain
      #define DS_GC_FLAG 0x00000004 // DC is a GC of forest
      #define DS_LDAP_FLAG 0x00000008 // Server supports an LDAP server
      #define DS_DS_FLAG 0x00000010 // DC supports a DS and is a Domain Controller
      #define DS_KDC_FLAG 0x00000020 // DC is running KDC service
      #define DS_TIMESERV_FLAG 0x00000040 // DC is running time service
      #define DS_CLOSEST_FLAG 0x00000080 // DC is in closest site to client
      #define DS_WRITABLE_FLAG 0x00000100 // DC has a writable DS
      #define DS_GOOD_TIMESERV_FLAG 0x00000200 // DC is running time service (and has clock hardware)
      #define DS_NDNC_FLAG 0x00000400 // DomainName is non-domain NC serviced by the LDAP server
      #define DS_SELECT_SECRET_DOMAIN_6_FLAG 0x00000800 // DC has some secrets
      #define DS_FULL_SECRET_DOMAIN_6_FLAG 0x00001000 // DC has all secrets
      #define DS_WS_FLAG 0x00002000 // DC is running web service
      #define DS_DS_8_FLAG 0x00004000 // DC is running Win8 or later
      #define DS_DS_9_FLAG 0x00008000 // DC is running Win8.1 or later
      #define DS_DS_10_FLAG 0x00010000 // DC is running WinThreshold or later
      #define DS_KEY_LIST_FLAG 0X00020000 // DC supports key list requests
      #define DS_PING_FLAGS 0x000FFFFF // Flags returned on ping
      #define DS_DNS_CONTROLLER_FLAG 0x20000000 // DomainControllerName is a DNS name
      #define DS_DNS_DOMAIN_FLAG 0x40000000 // DomainName is a DNS name
      #define DS_DNS_FOREST_FLAG 0x80000000 // DnsForestName is a DNS name

      As you can see 0x20000 is defined in the include file as support for Key List Requests, see the Kerberos Protocol Extension [MS-KILE] section 2.2.11 for more info.  NetTools includes this decode and the result from the same server shows the option for Key List Request are supported.

      How To: Using Search Stats OID 1.2.840.113556.1.4.970

      Active Directory and LDS provide a server side control which when added to a query will provides statistics on the efficiency of the query that was executed, the specific control is OID 1.2.840.113556.1.4.970 - LDAP_SERVER_GET_STATS_OID and the details can be found here.

      The NetTools LDAP Search option provides a simple checkbox option to enable this server side control to be added to queries.  The option is found in the Server Side Controls section, called Search Statistics.  When the query is run and the user has the appropriate permissions the search statistics will be returned.

      When the query is executed the Statistics are displayed in the output panel after the results of the query.  Below are the statistics returned by Windows 2016 server.

      The version of the operating system running on the server, will determine the statistics that will be returned.  As Windows evolved the level details returned by the server has also increased.  Windows 2000 only provided 4 different statistics, Windows 2003 increased this to 6, and for Windows 2008 this increased to 15 and it also introduced a new format which provides more details but the fields are dynamic, rather than the older static fields.

      NetTools detects the Domain Controller Functional level of the server and automatically adjust the control parameters to select the highest level of detail available for the server.

      The table below shows which statistics level are returned by each version of Windows

      2000 2003/R2 2008/R2 2012/R2 2016 2019
      StatsResponseValueV1 x
      StatsResponseValueV2 x
      StatsResponseValueV3 x x x x
      StatsResponseValueV4 x x x x

      The details for each set of Stats can be found below.  

      While NetTools will automatically select the stats level based on the domain controller functional level, it is possible to manually specify the required stats level using the Server Side Controls dialog.  To do this, first uncheck the Search Statistics option, then click on the Controls button in the Server Side Control section and add a control as shown below, the Value to 1 for the corresponding V1,V2, or V3 supported by the server or a Value of 5 for the V4 stats.

      These are the Statistics returned by a Windows 2019 server with the Value set to 1:

      Search Stats:
        Thread Count: 1
        Call Time (ms): 0
        Entries Returned: 3
        Entries Visited: 4
        Filter: ( & (objectClass=user) (name=gary*) ) 
        Index: idx_name:4:N;
        Pages Referenced: 126
        Pages Read: 0
        Pages Pre-Read: 0
        Clean Pages Modified: 0
        Dirty Pages Modified: 0
        Log Records Generated: 0
        Log Records Bytes Generated: 0

      These are the Statistics returned by the same query, with the Value set to 5

      Search Stats:
        Thread count: 1
        Call time (in ms): 0
        Entries Returned: 0
        Entries Visited: 0
        Used Filter: ( & (objectClass=user) (name=gary*) ) 
        Used Indexes: idx_name:4:N;
        Pages Referenced: 27
        Pages Read From Disk: 0
        Pages Pre-read From Disk: 0
        Clean Pages Modified: 0
        Dirty Pages Modified: 0
        Log Records Generated: 0
        Log Record Bytes Generated: 0
        Indices required to optimize: 
        Query optimizer state: ( & (objectClass=user:878204) (name=gary*:4) ) 
        Atq Delay: 0
        CPU Time: 0
        Search Signature: b4cce897-7577-b624-5d18-2f5a9e90754f
        Memory Usage: 26744
        JET LV Read: 0
        JET LV Created: 0
        Total call time (in ms): 0
        Total CPU time: 0
        Number of retries: 0
        Correlation ID: e2a4641a-0714-44cc-b1bf-a0b0ca8e055c
        Links Added: 0
        Links Deleted: 0

      These are the various Stats data lists:

      StatsResponseValueV1 ::= SEQUENCE {
        threadCountTag            INTEGER
        threadCount               INTEGER
        coreTimeTag               INTEGER
        coreTime                  INTEGER
        callTimeTag               INTEGER
        callTime                  INTEGER
        searchSubOperationsTag    INTEGER
        searchSubOperations       INTEGER
      }
      StatsResponseValueV2 ::= SEQUENCE {
        threadCountTag        INTEGER
        threadCount           INTEGER
        callTimeTag           INTEGER
        callTime              INTEGER
        entriesReturnedTag    INTEGER
        entriesReturned       INTEGER
        entriesVisitedTag     INTEGER
        entriesVisited        INTEGER
        filterTag             INTEGER
        filter                OCTET STRING
        indexTag              INTEGER
        index                 OCTET STRING
       }
      
      
      StatsResponseValueV3 ::= SEQUENCE {
        threadCountTag INTEGER
        threadCount INTEGER
        callTimeTag INTEGER
        callTime INTEGER
        entriesReturnedTag INTEGER
        entriesReturned INTEGER
        entriesVisitedTag INTEGER
        entriesVisited INTEGER
        filterTag INTEGER
        filter OCTET STRING
        indexTag INTEGER
        index OCTET STRING
        pagesReferencedTag INTEGER
        pagesReferenced INTEGER
        pagesReadTag INTEGER
        pagesRead INTEGER
        pagesPrereadTag INTEGER
        pagesPreread INTEGER
        pagesDirtiedTag INTEGER
        pagesDirtied INTEGER
        pagesRedirtiedTag INTEGER
        pagesRedirtied INTEGER
        logRecordCountTag INTEGER
        logRecordCount INTEGER
        logRecordBytesTag INTEGER
        logRecordBytes INTEGER
      
      StatsResponseValueV4 ::= SEQUENCE OF SEQUENCE {
            statisticName         OCTET STRING
            CHOICE {
               intStatistic [0]       INTEGER
               stringStatistic [1]    OCTET STRING
            }
      }

      Process Flow for LDAP Search

      This is a quick article that shows the process flow of the LDAP Search feature.  The LDAP Search function consists of a number of functions that are used to execute the query and display the results.  The main function is used to collect and validate the user inputs and connect to the server and execute the query, then a sub function is used to display the results and complete any attribute updates.  The process shown below starts when the user presses the Go button to execute the query.

      How To: Display what members were removed from a group

      Features shown are only available in NetTools v1.29.11 or later

      In this post we look at how to show which members, i.e. users, computers, groups etc, have been removed from a group.  Within NetTools this is a simple task using the AD Properties dialog, the Members tab shows the current members of the group and also which objects have been removed and when, as shown in the screenshot below.

      To understand how NetTools is able to display this information, we need to look at the msDS-ReplValueMetaData attribute for the group. This attribute contains the details of the metadata for each value of an attribute for the object. We can view the details of the attribute in the Meta Data dialog, which can be opened from the AD Properties dialog using the Meta Data button or from the various context menus within Nettools.

      Here is the Meta Data dialog for the same group shown above, the top section of the dialog shows the details of the msDS-ReplAttributeMetaData attribute used to store the replication details for the attributes of the object, the lower section shows the meta data details from the msDS-ReplValueMetaData attribute showing the replicated values for attributes that have Object (DN-DN) data types, i.e. member.

      In this example you can see the list of changes that have be made to the member’s attribute of the object, each change to the member attribute is listed as a separate line, the line includes a Originated, Create and Delete time columns.  The Create and Delete columns are used to record when an item was added or removed from the attribute.  When an item is added, only the created time is populated, and then when the item is subsequentially removed both the create and delete times are set. The created time still exists to ensure that the AD replication is consistent.  NetTools AD Properties dialog will enumerate the msDS-ReplValueMetaData entries and display the entries that have the deleted time set in the Removals section of the Member tab.

      Also See:
      NetTools Basics
      NetTools AD Properties Dialog
      How Group Changes Works

      How To: Decode LogonHours Attribute

      In this post we look at the LogonHours attribute, which is used to restrict when a user is allowed to logon, and how to decode this attribute.

      The LogonHours attribute has a octet data type that is used to store a 21 byte value which defines when a user is allowed to logon, outside of these hours the user will receive the following error message when they try to logon:

      This may be seen as one of the following errors:

      Error 1327: Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced

      Error 1328: Your account has time restrictions that keep you from signing in right now.

      The LogonHours attribute is used to define when a user is permitted to log on, it uses the 21 byte data structure to represent the day’s of the week.  It uses three bytes to represent each day of the week. The three bytes represent the hours of the day, the diagram below shows the mapping of the bytes to days and hours.

      The user's permitted logon hours are displayed in the properties of the user in Active Directory User and Computers under the Account tab. 

      One of the challenges with decoding the LogonHours attribute is that the data is saved based on UTC, as shown in the mapping above, however, Active Directory Users and Computers will display the details based on the local time zone of the computer running ADUC, and will adjust the times based on the time zone offset.   Below we can see that the left hand picture shows the Logon Hours on a computer with the time zone set to UTC, while the right shows the same details but the computer has a time zone set to Melbourne (UTC+10).

      The time zone of the Domain Controller, which authenticates the user will be used to determine, if they can log on, or not.

      This is the value of the attribute based on the permitted logon hours of Monday to Friday 6am to 7pm on a machine with time zone set to UTC, as shown in the left picture above.

      DN> CN=Teena Lee,OU=Domain Users,DC=w2k12,DC=local
      > logonHours: 00 00 00 C0 FF 03 C0 FF 03 C0 FF 03 C0 FF 03 C0 FF 03 00 00 00

      We can see that this aligns with the mapping above, with the Sunday and Saturday bytes set to zeros. Next, this is the value set for the same time window on a machine with the time zone set to Melbourne (UTC+10)

      DN> CN=Teena Lee,OU=Domain Users,DC=w2k12,DC=local
      > logonHours: 00 00 F0 FF 01 F0 FF 01 F0 FF 01 F0 FF 01 F0 FF 01 00 00 00 00

      The Sunday bytes now have values set, as the time was adjusted by -10 hours before it was saved. Next, this is the value set for the same time window on a machine with the time zone set to Pacific Time (UTC-10)

      DN> CN=Teena Lee,OU=Domain Users,DC=w2k12,DC=local
      > logonHours (BIN): 00 00 00 00 C0 FF 07 C0 FF 07 C0 FF 07 C0 FF 07 C0 FF 07 00 00 

      With this one, the hours data is now written into the Saturday bytes due to the UTC-10 offset.

      The LogonHours functionality is limited to a single time zone, and can potentially cause logon issues, if a user travels, or authenticates to a Domain Controller which has a different time zone set.

      The AD Properties dialog in NetTools (Version 1.29.7 beta and above) has a Restrictions tab which displays the Logon Hours, by default it will use the local time zone to display this information, however, there is an option to allow you to manually adjust the time zone to see the impact the user's ability to logon.

      Below is the code used to display the LogonHours in NetTools, the function is called for each square in the grid, the ACol and ARow defining the square that is being queried, the function will colour the square blue, if the LogonHour is set.  The function also automatically adjusts the LogonHours based on the local or user selected time zone.

      void dgHoursDrawCell(TObject *Sender, int ACol, int ARow, TRect &Rect, TGridDrawState State)
      {
      int Index, Col,Row, Mask;
      int Val, Bias;
      
         // use Col and Row to reflect tz offset
         Col = ACol;
         Row = ARow;
      
         // change start of week to Monday
         if (Row==6){
            Row = 0;
         } else {
            Row++;
         }
      
         if (chkLocalTime->Checked){
            Bias = tz.Bias/60;  // get local time zone, tz populated when form is loaded
         } else {
            try {
                Bias = StrToInt(cmbTZOffset->Text);  // get user selection
            }
            catch(...){
                Bias = 0;
            }
         }
      
         Col += Bias;  // add time zone offset
      
         if (Col > 23) {  // rap pointer to start of next day
            Row++;
            Col -= 24;
         }
      
         if (Col < 0) {  // rap pointer to end of the previous day
            Row--;
            Col += 24;
         }
      
         if (Row > 6) Row = 0; // rap pointer to valid data
         if (Row < 0) Row = 6;
      
         if (Col >=0 && Col <=7) Index=0;  // select the correct hours offset bytes
         if (Col >=8 && Col <=15) Index=1;
         if (Col >=16 && Col <=23) Index=2;
      
         Index += (3 * Row);  // get correct byte
         Mask = 0x1 << (Col % 8);  // create bit mask for hour based on col number
      
         Val = HourBuffer[Index] & Mask;  // apply mask to check if set
      
         if (Val){  // Val is non zero set square to blue
             dgHours->Canvas->Brush->Color = clBlue;
         } else {
             dgHours->Canvas->Brush->Color = clWhite;
         }
      
         dgHours->Canvas->FillRect(Rect);  // draw the square
      
      }

       

      How To: Dump the Active Directory Database

      Sometimes when troubleshooting it could be useful to dump the contents of the AD database, this can then be used to confirm an object exists, or to retrieve the DNT of an object, which will enable other troubleshooting activities, or just being a bit geeky and wanting to look under the hood.

      In this post we will be looking at the RootDSE Modify Operations.  There are a number of RootDSE Modify Operations that are available which provide advanced operations on the domain controllers.  The full list of available modifiers is available here.

      We will be looking at the DumpDatabase operator which allows us to dump the contents of the AD to a single text file.  The dump file will be written to the NTDS folder on the domain controller.  By default this is %systemroot%\NTDS with the file name of NTDS.dmp.

      Note: as this is going to dump every object in the AD database, make sure you have sufficient space available on the volume hosting the NTDS directory on the selected domain controller before running this query.

      By default the dump file contains the following fields:

      DNT
      PDNT
      CNT
      NCDNT
      OBJ
      DelTime
      RecTime
      INST
      RDNTyp
      RDN

      We can also specify additional attributes to be included in the dump file, however some security sensitive fields can't be included i.e. passwords.  We are going to use one of the NetTools predefined queries to complete this task.  This task can be completed on the domain controller itself or executed remotely, you just need domain admin rights on the domain controller to run the query. 

      In NetTools select the LDAP Search option in the left hand pane under the LDAP section

      As the AD database dump query is an update query we need to complete a few extra steps to run the query:

          1. Click on the Populate button
          2. Select the AD: RootDSE Modify - Dump Database from the list of Favorites
          3. Click on the More button to display the more options
          4. Uncheck the Preview option
          5. Click Go
          6. Confirm that you want to run the query

      Once the query is complete the ntds.dmp will be created in the NTDS directory on the domain controller specified in the Server field. The query is configured to include the description and cn attributes in the dump file, you can specify additional attributes if required, the entry in the speech marks on the Attributes field needs to be updated with a space-separated list of attributes.  If a security sensitive attribute is specified the dump file will contain an error message that the attribute was not found.   

      One of the limitations of the database dump, is that it will limit the number of characters that are returned per field, so if you are trying to dump the contents of a long binary field i.e. NTSecurityDescriptor the field will be truncated.

      Here is a sample of the database dump: 

      Invalid characters for Office365 Sync

      Office365 specifies a number of characters that can't be includes in a number of key attributes. These invalid characters vary depending on the attribute, for a full list of invalid characters in each attribute see this Microsoft article.

      NetTools includes a predefined query that will show which user objects contain these invalid characters. The query is called Users: Invalid characters for O365, which is available in the LDAP Search option. These are the attributes that are included in the search

            • givenName
            • sn
            • mailNickname
            • proxyAddresses
            • UserPrincipalName 
            • mail

      To run the query first select the LDAP Search Option in the left hand pane, then click on the Populate button, shown in the red square below, to connect to the AD and populate the Base DN field.

      queries

      Once the Populate has finished, select the Users: Invalid characters for O365 query from the Favorites dropdown list. If required, change the BaseDN field to limit the scope of the search and then click Go.  A list of all the user objects that contain invalid characters will be displayed.

      The query uses the Regex Display filter option to only display the user objects that have invalid characters.  Here are the the query properties:

      [Users: Invalid characters for O365]
      Options=879892770722381
      Server=
      BaseDN=##default
      Filter=(&(objectclass=user)(objectcategory=person)(!userAccountControl|=2))
      Attributes=userPrincipalName, proxyAddresses;SMTP, givenName, sn,displayName,mailNickname, mail
      DisplayFilter=userPrincipalName regx [\"|,/:<>+=;?*'] || givenName regx [\"|,/:<>+=;?*'] || sn regx [\"|,/:<>+=;?*'] || mailNickname regx [\"|,/:<>+=;?*'] || mail regx [\"|,/:<>+=;?*'] || proxyaddresses regx [\"|,/:<>+=;?*']
      Filename=
      Sort=
      Controls=
      Authentication=1158
      Separator=,
      

      For more information on the available queries see Redefined LDAP Queries  
      For details on the favorites option see Favorites

      How To: Retrieve BitLocker Passwords

      If you have configured BitLocker to store the recovery keys in AD, you can use NetTools to retrieve the BitLocker Recovery Key.  With NetTools the process to retrieve the recovery key is really simple.

      Select the User - Search option in the left hand pane and make sure that the Return Users Only is deselected, and then complete the following steps:

      1. Enter the name of the computer
      2. Click Go
      3. Open the AD Properties for the computer

      Select the BitLocker tab

      Select the Recovery Key ID that is displayed on the BitLocker Recovery screen

      Note: the BitLocker tab will only be displayed if msFVE-RecoveryInformation object exist on the computer object and you have the rights to read the object