Blog

NetTools v1.17.4

Schema History
Updated to support IBM Tivoli Storage Manager, Forefront TMG, HP Openview Configuration Manager

Schema Browser
Updated to include AttributeID OID
Now uses paged queries to support larger schemas

LDAP Browser
Updated to show the approximate number of objects in a container, if it is filtered

LDAP Search
Added decode for NTMixedDomain attribute

Site DC List
Updated to use a separate thread to improve screen updates on slow WAN networks

Replication Cursors
Updated to display the USN of the destination DC, with a delta to show how many updates are still waiting to be replicated

NetTools v1.17.0

RID Pool **New**
Displays the allocated RID for each domain controller in the selected domain

LDAP Search
Updated with new cleaner UI to allow larger viewable area
Updates to increase attribute decode performance
Updated the filter substitution options on the LDAP filter field to support a hex option i.e. (&(objectclass=group)(grouptype|={hex:0x8000002}))
New DecodeType for RIDAllocationPool, RIDPreviousAllocationPool, RIDAvailablePool,
New 64Date GTDATE decodes to return the date only
Fixed bug with 64TIME decoder
Updated Sort option to support multiple sort attributes.  While NetTools now supports multiple sort attributes, AD\LDS only supports a single sort attribute, if more than one attribute is specified a not supported control error is returned
Added timer to display how long the query has taken to execute
Certificate revocation updated to support Windows 2012 option and support for KB2661254, weak keys
Added support for connection to LDAP server using UDP (CLDAP) protocol. CLDAP only supports anonymous authentication type and must be set manually
Updated attribute help with the SID_REL decode which was missing
Updated to decode an object’s metadata details as an attributes:
     Meta.<Type>.<Attribute>
Type:    ver        Version number
            lusn      Local USN
            ousn     Originating USN
            time      Originating Time
            dc         Originating DC
Attribute: the name of the attribute
    e.g. meta.ver.objectclass, meta.ousn.cn

AD Browser
Updated to have three pane view, displays the tree structure, child objects of the selected object, and the attributes of the select object
Fixed intermittent issue that caused the browser to close the open LDAP server connection

Schema Versions
Updated to support Windows 2012, Windows 2008R2 TPM, Exchange 2010 SP3, Exchange 2013, Lync 2013 and FIM 2010R2 PCNS

Schema History
Updated to support Windows 2012, Windows 2008R2 TPM, Exchange 2010 SP3, Exchange 2013, Lync 2013 and FIM 2010R2 PCNS

Attributes dialog
Updated to support double click to display individual entries

AD Properties Dialog
Updated the included Password not required option
Fixed bug where Members tab was shown for all object types

SDProd
Updated to protect against circular group references, now has a hard coded limit of 100 nested groups

DecodeType List:
    DEFAULT - ASCII
    GTFTIME - Generalized Date & Time Format
    GTDATE - Generalized Date Format
    FILETIME - Win32 FileTime Format
    64TIME - Win32 64bit Date & Time Format
    64DATE - Win32 64bit Date Format
    GUID - Windows GUID
    RIDPOOL – RID pool allocations
    SID - Security Identifier
    SID_REL - Displays the relative name for a Security Identifier
    IP - DWORD IP address in windows order
    IPN - DWORD IP address in network order
    ATTRIBENUM - predefined enumerate
    DSA_SIG - DSA Signature
    NTDS_DSA_OPT - Returns the options for the Options of NTDSDSA
    NTDS_CONN_OPT - Returns the options for the Options of NTDSConnection
    SITE_LINK_OPT - Returns the options for the Options of SiteLink
    TRANSPORT_OPT - Returns the options for the Options of transport container
    NTDSSSITE_OPT - Returns the options for the Options of NTDS Sites Settings
    REPL_UTDV - NC Up ToDateness Vectors
    REPS_INFO - Replication neighbours RepsTo and RepsFrom
    SD - Security Descriptor in SDDL format
    SD_SID - Returns the SID of all entries in the SD
    SD_SID_DACL - Returns the SID of the DACL entries in the SD
    SD_SID_SACL - Returns the SID of the SACL entries in the SD
    SD_SID_OWNER - Returns the SID of the Owner in the SD
    SD_NAME - Returns the resolved names of all the entries in the SD
    SD_NAME_DACL - Returns the resolved names of the DACL entries in the SD
    SD_NAME_SACL - Returns the resolved names of the SACL entries in the SD
    SD_NAME_OWNER - Returns the resolved name of the owner in the SD
    BIN - Binary list
    SIZE - The size of the data returned
    COUNT - Returns the number of entries in the attribute
    DNSRECORD - DNS entries
    DNSRECORD.TYPE - return only the type type field
    DNSRECORD.VERSION - return only the version field
    DNSRECORD.RANK - return only the rank field
    DNSRECORD.SERIAL - return only the serial field
    DNSRECORD.TTL - return only the ttl field
    DNSRECORD.TIMEOUT - return only the timeout field
    DNSRECORD.TIMESTAMP - return only the timestamp field
    DNSRECORD.DATA - return only the data field
    BEROID - Basic Encoding Rules (BER) Organization Identifier
    DNSPROPERTY - DNS Properties entries
    CERT - Certificates
    CRL - Certificate Revocation List
    PWDSEC - Password secounds
    MSTRUST - Decoder for msds-TrustForestTrustInfo
    PERIOD - Certificate renewal period

NetTools v1.16.0

AD Properties dialog
Updated to support copy option in all list fields
Double clicking on foreign security principals in member and memberof now opens the properties of that object
Added Mail nickname attribute to Exchange tab
Added account tab to computer objects

AD Subnets
Added paste option so multiple IP addresses can be resolved

DC Resolution
Fixed bug where the stop button was not displayed if an IP address is used for a manually entered server name.
Fixed bug in the port scan that prevented multiple copies of NetTools from doing scans

Group Members
Added status bar to display which group is currently being enumerated
Updated to resolve foreign security principals
Column sort
Now uses individual queries to resolve group membership a bit slow than ASQ but nested groups from trusted domains are displayed

LDAP Browser
Right pane will now display objects requiring additional server side LDAP controls, i.e. deleted objects

LDAP Search
Decodes updated with Windows Server 2012 details
Bit operator substitution updated to support multiple entries
Dropdown list fields now have auto save when up or down keys are pressed, just for those typo moments
Added decodes for Options attribute for the SiteLink, nTDSConnection, nTDSDSA, interSiteTransport, nTDSSiteSettings.  Due the same attribute name being used for all objects, the Options attribute will not be decoded by default.  However, if the attribute list contains the objectclass attribute before Options, the correct decode will be selected automatically.
DNSRECORD decode now has sub options to allow DNS record field decodes to be displayed
Bug fix – Input mode, Insert option now adds columns if no columns displayed
Bug fix – now displays correct output when single line and hex options are selected
Replication Latency
Fixed bug where the test wouldn’t finish if one or more servers fail

Site Browser
Updated to include Downstream replication partners
Updated to show automatically generated connectors
Updated to include Connection Options

User’s Groups
Added copy options

User Details
Added view Meta Data option to the context menu

General
Update left pane list so items are in alphabetic order for each section

DecodeType List:
    DEFAULT - ASCII
    GTFTIME - Generalized Time Format
    FILETIME - Win32 FileTime Format
    64TIME - Win32 64bit Time Format
    GUID - Windows GUID
    SID - Security Identifier
    IP - DWORD IP address in windows order
    IPN - DWORD IP address in network order
    ATTRIBENUM - predefined enumerate
    DSA_SIG - DSA Signature
    NTDS_DSA_OPT - Returns the options for the Options of NTDSDSA
    NTDS_CONN_OPT - Returns the options for the Options of NTDSConnection
    SITE_LINK_OPT - Returns the options for the Options of SiteLink
    TRANSPORT_OPT - Returns the options for the Options of transport container
    NTDSSSITE_OPT - Returns the options for the Options of NTDS Sites Settings
    REPL_UTDV - NC Up ToDateness Vectors
    REPS_INFO - Replication neighbours RepsTo and RepsFrom
    SD - Security Descriptor in SDDL format
    SD_SID - Returns the SID of all entries in the SD
    SD_SID_DACL - Returns the SID of the DACL entries in the SD
    SD_SID_SACL - Returns the SID of the SACL entries in the SD
    SD_SID_OWNER - Returns the SID of the Owner in the SD
    SD_NAME - Returns the resolved names of all the entries in the SD
    SD_NAME_DACL - Returns the resolved names of the DACL entries in the SD
    SD_NAME_SACL - Returns the resolved names of the SACL entries in the SD
    SD_NAME_OWNER - Returns the resolved name of the owner in the SD
    BIN - Binary list
    SIZE - The size of the data returned
    COUNT - Returns the number of entries in the attribute
    DNSRECORD - DNS entries
    DNSRECORD.TYPE - return only the type type field
    DNSRECORD.VERSION - return only the version field
    DNSRECORD.RANK - return only the rank field
    DNSRECORD.SERIAL - return only the serial field
    DNSRECORD.TTL - return only the ttl field
    DNSRECORD.TIMEOUT - return only the timeout field
    DNSRECORD.TIMESTAMP - return only the timestamp field
    DNSRECORD.DATA - return only the data field
    BEROID - Basic Encoding Rules (BER) Organization Identifier
    DNSPROPERTY - DNS Properties entries
    CERT - Certificates
    CRL - Certificate Revocation List
    PWDSEC - Password secounds
    MSTRUST - Decoder for msds-TrustForestTrustInfo
    PERIOD - Certificate renewal period

NetTools V1.15.5

Group Manager

Disabled referrals on paste lookups to increase performance in multi-domain environments
Added report option to display if the pasted list is currently a member of the selected group

LDAP Search

Added REP_INFO DecodeType for RepTo and RepFrom attributes to show Replication Neighbors and replication status
Added REPL_UTDV DecodeType for the replUpToDateVector attribute, for Replication Up Todateness Vectors
Added support for UTF-8 encoding on the filter field escaping Unicode characters
Fixed memory leak

DC Resolution

Fixed debug in the Add Ports option where the first ports in the existing list was removed

General
Major code review tiding up variables and memory allocation reducing the overall memory footprint

DecodeType list:

DEFAULT – ASCII
GTFTIME – Generalized Time Format
FILETIME – Win32 FileTime Format
64TIME – Win32 64bit Time Format
DSA_SIG – DSA Signature
GUID – Windows GUID
REP_INFO - RepTo and RepFrom replication neighbors
REPL_UTDV - Replication up to dateness vectors
SID – Security Identifier
IP – DWORD IP address in windows order
IPN – DWORD IP address in network order
ATTRIBENUM – predefined enumerate
SD – Security Descriptor in SDDL format
SD_SID - Returns the SID of all entries in the SD
SD_SID_DACL - Returns the SID of the DACL entries in the SD
SD_SID_SACL - Returns the SID of the SACL entries in the SD
SD_SID_OWNER - Returns the SID of the Owner in the SD
SD_NAME - Returns the resolved names of all the entries in the SD
SD_NAME_DACL - Returns the resolved names of the DACL entries in the SD
SD_NAME_SACL - Returns the resolved names of the SACL entries in the SD
SD_NAME_OWNER - Returns the resolved name of the owner in the SD
BIN – Binary list
SIZE – The size of the data returned
COUNT – Returns the number of entries in the attribute
DNSRECORD – DNS entries
BEROID - Basic Encoding Rules (BER) Organization Identifier
DNSPROPERTY – DNS Properties entries
CERT - Certificates
CRL – Certificate Revocation List
PWDSEC – Password seconds
MSTRUST – Decoder for msds-TrustForestTrustInfo
PERIOD – Certificate renewal period

NetTools v1.15.0

Site Browser **New**
Brings DNS site coverage, Site Links, Site Link Costs, IP Subnet allocation, and Naming Context coverage into a single view
Group Manager **New**
Bulk group membership management. Select the group, paste in the list of objects to add or remove to\from the group, select the objects and click Add or Remove.  The pasted list can be Distinguished Names, SIDs, or samaccountnames or any combination of them.  SID entries must be relative to the server\domain selected, to add objects from a foreign domain use DNs.
DSA GUID
Updated to support column sorts

LDAP Browser
Now has column sort
Filter button icon now changes when a user defined filter has been specified

AD Properties
Updated to use the ObjectSID attribute rather than the name attribute to resolves names for foreign security principals

Last Logon
Updated to disable buttons while a search is run to stop multiple press of the go button which causes exception errors
Added LogonCount to output

User Details
Updated to use DcGetDCName instead of using the ldap connection options to find a GC, as the ldap options are a little inconsistent and some time select a non-GC server

SPN Search
Updated to use DcGetDCName instead of using the ldap connection options to find a GC, as the ldap options are a little inconsistent and some time select a non-GC server

LDAP Search
Added help button for Decode Type options
Added help button for the Display Filter options
New DecodeType for the DSASignature attribute
New DecodeType GUID_RAW displays the GUID in hex in byte order.  GUID_LDAP displays the GUID in escaped hex format as used for LDAP binary search
Fixed bug in display filter logic, where if the last condition in a multiple And equation was a Not statement it returned the wrong value.
Updated Display filter to support a new comparison operator, if contains options to return attributes that contain an item in a list.

The full list of Comparison Operators
Operator           The comparison operator, supported operators are:
==        Equal
!=         Not Equal
>=        Greater than or equal
<=        less than or equal
>          Greater than
<          Less than
##        In list  (exact match)
!#         Not in list  (exact match)
%%      Contain an item in the list  **New**
!%        does not contain an item in the list **New**

Manage Lists
Fix bug where items were not removed correctly from the list (Thanks to Joe for reporting the issue)

Schema Browser
Fixed intermittent issue where Schema definition dialog would be shown on the right hand pane

Sites DC List
Updated GC logic so GC allocation is displayed correctly for single domain forests

User’s Groups
Updated to a list view to allow sorting

General
I have been working on a number of other LDAP projects, which have resulted in performance and functional improvements in my base LDAP class.  These improves have been incorporated into NetTools.

DecodeType list:

DEFAULT – ASCII
GTFTIME – Generalized Time Format
FILETIME – Win32 FileTime Format
64TIME – Win32 64bit Time Format
DSA_SIG – DSA Signature
GUID – Windows GUID
SID – Security Identifier
IP – DWORD IP address in windows order
IPN – DWORD IP address in network order
ATTRIBENUM – predefined enumerate
SD – Security Descriptor in SDDL format
SD_SID - Returns the SID of all entries in the SD
SD_SID_DACL - Returns the SID of the DACL entries in the SD
SD_SID_SACL - Returns the SID of the SACL entries in the SD
SD_SID_OWNER - Returns the SID of the Owner in the SD
SD_NAME - Returns the resolved names of all the entries in the SD
SD_NAME_DACL - Returns the resolved names of the DACL entries in the SD
SD_NAME_SACL - Returns the resolved names of the SACL entries in the SD
SD_NAME_OWNER - Returns the resolved name of the owner in the SD
BIN – Binary list
SIZE – The size of the data returned
COUNT – Returns the number of entries in the attribute
DNSRECORD – DNS entries
BEROID - Basic Encoding Rules (BER) Organization Identifier
DNSPROPERTY – DNS Properties entries
CERT - Certificates
CRL – Certificate Revocation List
PWDSEC – Password seconds
MSTRUST – Decoder for msds-TrustForestTrustInfo
PERIOD – Certificate renewal period

NetTools v1.14.4

Site DC List
Updated to display FSMO roles and GC assignment
Context menu to configure LDAP Search

DC Resolution
Updated to support FQDN server names

AD Sites
Updated so the GC indictor displays the correct results

LDAP Browser
Context menu bug fixed, so context menu displays attributes for the selected item
Treeview icon updated to indicate if the list is filtered by the maximum entries count

NetTools v1.14.0

Site DC List **New**
Displays the servers in each AD site and the domain name context each server hosts

Schema History **New**
Displays the updates that have been added to the schema with the date information and with attributes and classes added. NetTools includes a set of predefined schema updates covering common updates.  The list of schema updates can be extended in the NetTools.ini file.

[SchemaUpdates]
<ldapdisplayname> = <Schema update>

WINS Lookup **New**
A WINS lookup client to query WINS servers

SID History Bulk
Now works, finally managed to sort out the compatibility issues. Once you have completed the validation checks, you will need a semi-colon separated file of source and target samaccountnames

LDAP Search
New Decoder for Certificate Revocation List, displays the CRL entry count and valid date and next update date.
New Decoder for DWORD IP addresses, supports Windows (most significant order) and network order (least significant order) encoding, decodes for mSSMSRangedIPHigh and mSSMSRangedIPLow
Update DNSRecord decoder to include version, ranking, timestamp, and scavenging
Inline filter substitution for IP addresses for Windows and Network order format,  Windows order: (ipaddress={ip:10.12.45.254})  Network order: (ipaddress={ipn:10.12.45.254})
Table view updated to honor the attribute order specified.
Input View updated to include Record Count option to return only the number of records returned by the query for that line
Logic updated so Input Mode is not selected when table view is disable but input mode is still selected.
Previous query history option added, records the last 10 queries performed
Count decoder added to return the number of entries per attribute

First column name to updated when the Input mode is selected.
SecurityDescriptor decoder updated to fix intermittent decode issue
SecuirtyDescriptor updated to include decode option to return individual entries of the security descriptor

SD_SID                         Returns the SID of all entries in the SD
SD_SID_DACL                Returns the SID of the DACL entries in the SD
SD_SID_SACL                Returns the SID of the SACL entries in the SD
SD_SID_OWNER             Returns the SID of the Owner in the SD
SD_NAME                      Returns the resolved names of all the entries in the SD
SD_NAME_DACL             Returns the resolved names of the DACL entries in the SD
SD_NAME_SACL             Returns the resolved names of the SACL entries in the SD
SD_NAME_OWNER         Returns the resolved name of the owner in the SD

SID Decoder updated to support absolute and relative name resolution.

SID_REL                        Returns the object name associated to the SID as return by the default API, if the SID is assigned via SID history the name of assigned object is returned not the name of the object from the foreign domain
SID_ABS                        Returns the object name of the SID by first resolving the domain reference of the SID and then querying that domain for the name.

Display Filter – This option provides a second level of filtering on the formatted results returned by the LDA server. This means that a filter can be created based on the decoded\formatted value of attributes for which a standard LDAP query can’t be constructed  If a display filter is specified only the returned entries that match the filter are displayed. The filter syntax is based on C\C++ formatting
The display filter has the following format:

<Attribute[;Type]> <Operator> <[Value][List Name]> [Logical Operator] [condition2] [Logical Operator] [condition3] [...]
Attribute            The name of the attribute, the attribute must be included in the results returned by the query
Type                 The type operator is used to convert the returned value to a different data type before comparison.  By default NetTools converts all data returned into text, to perform comparison with other data type you must convert the data into the correct data type. The follow data types are supported:

Int        convert to an integer
Date      Convert to a date

Operator           The comparison operator, supported operators are:

==        Equal
!=         Not Equal
>=        Greater than or equal
<=        less than or equal
>          Greater than
<          Less than
##        In list
!#         Not in list

Value                The value that is be compared against. Wildcard are allowed for string comparisons, tuple queries are supported.
List Name          The name of the list in the Member List tab to used with the ## and !# operators
Logical Operator The logic used to evaluate multiple conditions

&&        And comparison
||         Or comparison

Examples:

name == gary* && age;int >= 21
description == *room*
whencreated;date > 14/1/11
name ## List1
Limitation: Using the display filter with a list with a large number of members can seriously impact the speed and performance of searches.  The condition logic doesn’t support nested conditions, I’ll try add this functionality in a later version.

Manage Lists
This option is used in conjunction with the LDAP search display filter.  Up to 20 lists can be loaded and referenced in the display filter

LDAP Browser
Now has a filter option for the right pane to limit which items are displayed
Updated to support names that contain special characters  i.e. , / \ .
Updated with context menu option to copy entries to LDAP Search fields

Attributes Dialog
Updated with context menu options to copy selected entries to LDAP Search fields

DC Resolution
Removed the restriction that manually added servers must be a domain controller, any server that can be resolved in DNS can be port scanned

AD Properties Dialog
Updated so general page is displayed first for computer objects
Members and MemberOf updated to replace ASQ with direct queries to support GC and security principals in child and foreign domains.
Primary group details now added to the members group list

User Details
Fixed intermittent search results when using GC

Property Set Search
Fixed bug introduced in a previous version where the property set name wasn’t displayed but I only just noticed it!!

DecodeType list:

DEFAULT – ASCII
GTFTIME – Generalized Time Format
FILETIME – Win32 FileTime Format
64TIME – Win32 64bit Time Format
GUID – Windows GUID
SID – Security Identifier
IP – DWORD IP address in windows order
IPN – DWORD IP address in network order
ATTRIBENUM – predefined enumerate
SD – Security Descriptor in SDDL format
SD_SID - Returns the SID of all entries in the SD
SD_SID_DACL - Returns the SID of the DACL entries in the SD
SD_SID_SACL - Returns the SID of the SACL entries in the SD
SD_SID_OWNER - Returns the SID of the Owner in the SD
SD_NAME - Returns the resolved names of all the entries in the SD
SD_NAME_DACL - Returns the resolved names of the DACL entries in the SD
SD_NAME_SACL - Returns the resolved names of the SACL entries in the SD
SD_NAME_OWNER - Returns the resolved name of the owner in the SD
BIN – Binary list
SIZE – The size of the data returned
COUNT – Returns the number of entries in the attribute
DNSRECORD – DNS entries
BEROID - Basic Encoding Rules (BER) Organization Identifier
DNSPROPERTY – DNS Properties entries
CERT - Certificates
CRL – Certificate Revocation List
PWDSEC – Password seconds
MSTRUST – Decoder for msds-TrustForestTrustInfo
PERIOD – Certificate renewal period

NetTools v1.13.2

DC Update **New**
Displays the number of Directory updates performed on a Domain Controller or AD LDS in the user specified interval

Token Size **New**
Shows the number of SIDs that are associated to objects, in the case of user and computer objects this is the number of SIDs that will be added to the access token.  For Groups this is the number of SIDs that will be added to an objects access token when they are added to the group.  The size is for reference only, this is the size of the data returned by TokenGroups attribute for the corresponding object, while it can be used as an indication of the resulting token size it is not exact, see the MS article for the formula for calculating the token size (I may add this as an option in future versions).
Background: Windows has a maximum buffer size for an access token which varies in size between different versions of Windows, see: http://support.microsoft.com/kb/327825.  While you can increase the size of the token supported by the OS, there is no way to increase the maximum size supported by IIS.  100+ groups the user may experience intermittent access to resources, over 300 IIS\Sharepoint issues, over 1015 and the user will not be able to logon.  The use of SID History for migration or consolidations only makes the token size issue worse.  This is quite a good white paper on the issue http://www.giac.org/paper/gsec/5111/kerberos-access-token-limitations/104962

LDAP Search
Note: The attribute separation character has changed from a semicolon to a comma. The use of semicolon was starting to compromise the quality of the code and the ability to add new functionality as semicolon is already used by the Microsoft implementation of LDAP for attribute ranges and binary options. NetTools will automatic convert existing saved Favorites to the new format
Added import and export options for Favorites to allow sharing of pre-defined searches
Update inline substitution function to support multiple instances of the same ## variable in the same field.
New Decodes for sdRightsEffective, msDS-User-Account-Control-Computed
New Decoder type SIZE, this will display the size of the data returned by LDAP directory. Note: that the size returned is not necessarily the size of the data store in the directory.
Updated Search Stats to support all Windows 2008R2 search stats
Ability to specify the decoder per attribute in the Attributes textbox, <attribute>;<DecodeType> i.e. whenchanged;default  or lastlogontimestamp;binary The same DecodeType names are used in the nettools.ini attributes listed below, note BINARY has changed to BIN

AD Properties dialog
Updated to support foreign security principals

Object Meta Data
Update to include both Attribute and Value replication data

LDAP Browser
Fixed memory leak

Base64
Added Context menu option to generate a new random GUID

SPN Search
Updated to support different host searches

User Details
Updated to include GC searches

User’s Groups
Rewrite to use LDAP API instead of ADSI to increase performance and provide better support for AD LDS instances

General
A number of user interface updates to improve performance on list refreshes

DecodeType list:

DEFAULT – ASCII
GTFTIME – Generalized Time Format
FILETIME – Win32 FileTime Format
64TIME – Win32 64bit Time Format
GUID – Windows GUID
SID – Security Identifier
ATTRIBENUM – predefined enumerate
SD – Security Descriptor
BIN – Binary list
SIZE – The size of the data returned
DNSRECORD – DNS entries
BEROID - Basic Encoding Rules (BER) Organization Identifier
DNSPROPERTY – DNS Properties entries
CERT - Certificates
PWDSEC – Password secounds
MSTRUST – Decoder for msds-TrustForestTrustInfo
PERIOD – Certificate renewal period