Blog

NetTools v1.14.0

Site DC List **New**
Displays the servers in each AD site and the domain naming context each server hosts

Schema History **New**
Displays the updates that have been applied to the schema, with the date of each update and the attributes and classes it added. NetTools includes a set of predefined schema updates covering the common ones; the list can be extended in the NetTools.ini file:

[SchemaUpdates]
<ldapdisplayname> = <Schema update>

WINS Lookup **New**
A WINS lookup client to query WINS servers

SID History Bulk
Now works, finally managed to sort out the compatibility issues. Once you have completed the validation checks, you will need a semicolon-separated file of source and target sAMAccountNames.

LDAP Search
New decoder for Certificate Revocation Lists; displays the CRL entry count, the valid-from date and the next update date.
New decoder for DWORD IP addresses, supporting Windows order (first octet in the most significant byte of the DWORD) and network order (first octet in the least significant byte, i.e. the network-order bytes read as a little-endian integer); decodes mSSMSRangedIPHigh and mSSMSRangedIPLow.
DNSRecord decoder updated to include version, ranking, timestamp and scavenging information.
Inline filter substitution for IP addresses in Windows and network order format, e.g. Windows order: (ipaddress={ip:10.12.45.254}), network order: (ipaddress={ipn:10.12.45.254})
Table view updated to honor the attribute order specified.
Input View updated to include a Record Count option that returns only the number of records matched by the query for that line.
Logic updated so that Input Mode is not applied when the table view is disabled, even if Input Mode is still selected.
Previous query history option added; records the last 10 queries performed.
Count decoder added to return the number of entries per attribute

First column name is now updated when Input mode is selected.
SecurityDescriptor decoder updated to fix an intermittent decode issue
SecurityDescriptor decoder updated with decode options that return the individual entries of the security descriptor:

SD_SID – Returns the SIDs of all entries in the SD
SD_SID_DACL – Returns the SIDs of the DACL entries in the SD
SD_SID_SACL – Returns the SIDs of the SACL entries in the SD
SD_SID_OWNER – Returns the SID of the owner in the SD
SD_NAME – Returns the resolved names of all the entries in the SD
SD_NAME_DACL – Returns the resolved names of the DACL entries in the SD
SD_NAME_SACL – Returns the resolved names of the SACL entries in the SD
SD_NAME_OWNER – Returns the resolved name of the owner in the SD
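The SD_SID_* options pull the trustee SIDs out of the binary security descriptor that AD returns for nTSecurityDescriptor. The following is an added example, not NetTools' own code, of how that decode works on a self-relative descriptor: it walks the header, the owner SID and each ACE of the DACL and SACL, skipping the extra flags DWORD and GUIDs that object ACEs carry before their SID. The sample descriptor is constructed inside the block (well-known SIDs plus made-up S-1-5-21-1-2-3-* domain SIDs and a placeholder control-access GUID); the SD_NAME_* variants would additionally need LookupAccountSid or an objectSid LDAP query, which is not shown.

```python
"""Decode the SIDs in a self-relative security descriptor (nTSecurityDescriptor form).
Added example, not NetTools code; the sample descriptor below is constructed."""
import struct
import uuid

SE_DACL_PRESENT = 0x0004
SE_SACL_PRESENT = 0x0010
SE_SELF_RELATIVE = 0x8000
# *_OBJECT_ACE types carry a Flags DWORD and up to two GUIDs between the mask and the SID
OBJECT_ACE_TYPES = {5, 6, 7, 8, 9, 10}
ACE_OBJECT_TYPE_PRESENT = 0x1
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2


def sid_to_str(data, offset):
    """Binary SID -> 'S-1-<authority>-<sub>...': revision, count, 48-bit BE authority, LE subs."""
    revision, count = data[offset], data[offset + 1]
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def acl_sids(data, offset):
    """Return the trustee SID of every ACE in the ACL that starts at `offset`."""
    _rev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", data, offset)
    sids, pos = [], offset + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", data, pos)
        sid_off = pos + 8                       # ACE header (4) + access mask (4)
        if ace_type in OBJECT_ACE_TYPES:
            obj_flags = struct.unpack_from("<I", data, pos + 8)[0]
            sid_off += 4                        # Flags DWORD
            if obj_flags & ACE_OBJECT_TYPE_PRESENT:
                sid_off += 16                   # ObjectType GUID
            if obj_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
                sid_off += 16                   # InheritedObjectType GUID
        sids.append(sid_to_str(data, sid_off))
        pos += ace_size                         # always step by AceSize, never by a computed length
    return sids


def decode_sd(data):
    revision, _sbz1, control, off_owner, _off_group, off_sacl, off_dacl = \
        struct.unpack_from("<BBHIIII", data, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    owner = sid_to_str(data, off_owner) if off_owner else None
    # flag set but offset 0 is a NULL ACL (for a DACL that means no protection at all); report it as empty
    dacl = acl_sids(data, off_dacl) if control & SE_DACL_PRESENT and off_dacl else []
    sacl = acl_sids(data, off_sacl) if control & SE_SACL_PRESENT and off_sacl else []
    return {"SD_SID_OWNER": owner, "SD_SID_DACL": dacl, "SD_SID_SACL": sacl,
            "SD_SID": ([owner] if owner else []) + dacl + sacl}


# Constructed sample SIDs as raw bytes (the S-1-5-21-1-2-3-* domain is made up)
ADMINISTRATORS = bytes.fromhex("01020000000000052000000020020000")                          # S-1-5-32-544
AUTHENTICATED_USERS = bytes.fromhex("01010000000000050b000000")                             # S-1-5-11
DOMAIN_ADMINS = bytes.fromhex("01050000000000051500000001000000020000000300000000020000")   # S-1-5-21-1-2-3-512
DOMAIN_USERS = bytes.fromhex("01050000000000051500000001000000020000000300000001020000")    # S-1-5-21-1-2-3-513
PLACEHOLDER_RIGHT = uuid.UUID("00000000-0000-0000-0000-000000000001")                       # hypothetical control-access GUID


def _ace(ace_type, mask, sid, object_type=None):
    body = struct.pack("<I", mask)
    if object_type is not None:                 # object ACE: Flags + ObjectType GUID before the SID
        body += struct.pack("<I", ACE_OBJECT_TYPE_PRESENT) + object_type.bytes_le
    body += sid
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body


def build_sample_sd():
    """Owner Administrators, group Domain Users, DACL of one plain ACE and one object ACE, no SACL."""
    aces = [_ace(0, 0x000F01FF, DOMAIN_ADMINS),                      # ACCESS_ALLOWED_ACE, full control
            _ace(5, 0x00000100, AUTHENTICATED_USERS, PLACEHOLDER_RIGHT)]  # ACCESS_ALLOWED_OBJECT_ACE
    body = b"".join(aces)
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body   # ACL_REVISION_DS = 4
    off_owner = 20
    off_group = off_owner + len(ADMINISTRATORS)
    off_dacl = off_group + len(DOMAIN_USERS)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_group, 0, off_dacl)
    return header + ADMINISTRATORS + DOMAIN_USERS + dacl


if __name__ == "__main__":
    print(decode_sd(build_sample_sd()))
```

The parser advances by each ACE's own AceSize field rather than by the length it computes for the SID, which is what keeps it in sync when a descriptor mixes plain, object and callback ACE types.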

SID Decoder updated to support absolute and relative name resolution.

SID_REL – Returns the object name associated with the SID as returned by the default API; if the SID has been assigned to an object via SID history, the name of the object it is assigned to is returned, not the name of the original object in the foreign domain
SID_ABS – Returns the object name of the SID by first resolving the domain the SID belongs to and then querying that domain for the name.

Display Filter – This option provides a second level of filtering on the formatted results returned by the LDAP server, so a filter can be built on the decoded\formatted value of attributes for which a standard LDAP query can’t be constructed. If a display filter is specified, only the returned entries that match the filter are displayed. The filter syntax is based on C\C++ operators.
The display filter has the following format:

<Attribute[;Type]> <Operator> <[Value][List Name]> [Logical Operator] [condition2] [Logical Operator] [condition3] [...]
Attribute            The name of the attribute; the attribute must be included in the results returned by the query
Type                 Converts the returned value to a different data type before comparison. By default NetTools converts all returned data to text, so to compare against another data type you must convert the value to that type. The following data types are supported:

Int        Convert to an integer
Date      Convert to a date

Operator           The comparison operator, supported operators are:

==        Equal
!=         Not Equal
>=        Greater than or equal
<=        less than or equal
>          Greater than
<          Less than
##        In list
!#         Not in list

Value                The value to compare against. Wildcards are allowed for string comparisons; tuple queries are supported.
List Name          The name of the list in the Member List tab to use with the ## and !# operators
Logical Operator The logic used to evaluate multiple conditions

&&        And comparison
||         Or comparison

Examples:

name == gary* && age;int >= 21
description == *room*
whencreated;date > 14/1/11
name ## List1
Limitation: Using the display filter with a list that has a large number of members can seriously impact the speed and performance of searches. The condition logic doesn’t support nested conditions; I’ll try to add this functionality in a later version.

Manage Lists
This option is used in conjunction with the LDAP Search display filter. Up to 20 lists can be loaded and referenced in the display filter.
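To make the display-filter syntax concrete, here is an added example, not NetTools' code, of a small evaluator for that format, run over a few constructed rows of decoded results and a constructed List1. It assumes tokens are whitespace separated, that && and || are applied left to right with no precedence (the filter has no nesting), that string comparisons are case-insensitive with * and ? wildcards, that a multi-valued attribute matches if any value does, and that dates are written day/month/year as in the examples above; NetTools' exact evaluation rules may differ.

```python
"""Evaluate a NetTools-style display filter over decoded LDAP results.
Added example, not NetTools code; evaluation rules and sample rows are assumptions."""
import fnmatch
from datetime import datetime

OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}


def parse_date(text):
    for fmt in ("%d/%m/%Y", "%d/%m/%y"):            # "30/12/2011" and "14/1/11" both accepted
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError("unparseable date: %r" % text)


CONVERT = {"int": int, "date": parse_date}


def parse_filter(text):
    """'attr[;type] op value [&&|| attr op value ...]' -> (conditions, joins)."""
    tokens = text.split()
    if len(tokens) < 3 or (len(tokens) - 3) % 4:
        raise ValueError("expected: attr op value [&&/|| attr op value ...]")
    conds, joins = [tuple(tokens[:3])], []
    for i in range(3, len(tokens), 4):
        if tokens[i] not in ("&&", "||"):
            raise ValueError("bad logical operator: %r" % tokens[i])
        joins.append(tokens[i])
        conds.append(tuple(tokens[i + 1:i + 4]))
    return conds, joins


def eval_condition(entry, cond, lists):
    spec, op, operand = cond
    attr, _, typ = spec.lower().partition(";")
    values = entry.get(attr)
    if values is None:                              # attribute not returned by the query: no match
        return False
    if isinstance(values, str):
        values = [values]                           # multi-valued attribute: any value may match
    if op in ("##", "!#"):                          # list membership against a Manage Lists list
        members = {m.lower() for m in lists.get(operand, ())}
        hit = any(v.lower() in members for v in values)
        return hit if op == "##" else not hit
    if op not in OPS:
        raise ValueError("bad operator: %r" % op)
    if typ:                                         # ;int or ;date conversion before comparing
        if typ not in CONVERT:
            raise ValueError("unsupported type: %r" % typ)
        conv = CONVERT[typ]
        target = conv(operand)
        return any(OPS[op](conv(v), target) for v in values)
    if op in ("==", "!="):                          # text compare with wildcards
        hit = any(fnmatch.fnmatchcase(v.lower(), operand.lower()) for v in values)
        return hit if op == "==" else not hit
    return any(OPS[op](v.lower(), operand.lower()) for v in values)


def apply_display_filter(entries, text, lists=None):
    conds, joins = parse_filter(text)
    lists = lists or {}
    kept = []
    for entry in entries:
        norm = {k.lower(): v for k, v in entry.items()}
        result = eval_condition(norm, conds[0], lists)
        for join, cond in zip(joins, conds[1:]):   # strict left-to-right, no precedence
            rhs = eval_condition(norm, cond, lists)
            result = (result and rhs) if join == "&&" else (result or rhs)
        if result:
            kept.append(entry)
    return kept


# Constructed sample rows, as they might look after NetTools has decoded them to text
SAMPLE_ENTRIES = [
    {"name": "Gary Smith", "description": "Server room access", "age": "34", "whenCreated": "3/5/2012"},
    {"name": "gary.jones", "description": "Helpdesk", "age": "19", "whenCreated": "12/1/2010"},
    {"name": "Alice", "description": "Boardroom booking", "age": "41", "whenCreated": "30/12/2011"},
]
SAMPLE_LISTS = {"List1": ["alice", "bob"]}


def names(filter_text):
    """Names of the sample rows that pass the filter."""
    return [e["name"] for e in apply_display_filter(SAMPLE_ENTRIES, filter_text, SAMPLE_LISTS)]


if __name__ == "__main__":
    for f in ("name == gary* && age;int >= 21", "description == *room*",
              "whencreated;date > 14/1/11", "name ## List1"):
        print(f, "->", names(f))
```

Because the evaluator converts every value through the ;type conversion before comparing, a row whose decoded attribute is not a valid integer or date raises rather than silently comparing as text; that is the failure mode to expect when a decoder has been overridden for an attribute.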

LDAP Browser
Now has a filter option for the right pane to limit which items are displayed
Updated to support names that contain special characters, e.g. , / \ .
Updated with context menu option to copy entries to LDAP Search fields

Attributes Dialog
Updated with context menu options to copy selected entries to LDAP Search fields

DC Resolution
Removed the restriction that manually added servers must be a domain controller, any server that can be resolved in DNS can be port scanned

AD Properties Dialog
Updated so the general page is displayed first for computer objects
Members and MemberOf updated to replace ASQ with direct queries to support GC and security principals in child and foreign domains.
Primary group details now added to the members group list

User Details
Fixed intermittent search results when using GC

Property Set Search
Fixed bug introduced in a previous version where the property set name wasn’t displayed but I only just noticed it!!

DecodeType list:

DEFAULT – ASCII
GTFTIME – Generalized Time Format
FILETIME – Win32 FileTime Format
64TIME – Win32 64bit Time Format
GUID – Windows GUID
SID – Security Identifier
IP – DWORD IP address in windows order
IPN – DWORD IP address in network order
ATTRIBENUM – predefined enumeration
SD – Security Descriptor in SDDL format
SD_SID - Returns the SID of all entries in the SD
SD_SID_DACL - Returns the SID of the DACL entries in the SD
SD_SID_SACL - Returns the SID of the SACL entries in the SD
SD_SID_OWNER - Returns the SID of the Owner in the SD
SD_NAME - Returns the resolved names of all the entries in the SD
SD_NAME_DACL - Returns the resolved names of the DACL entries in the SD
SD_NAME_SACL - Returns the resolved names of the SACL entries in the SD
SD_NAME_OWNER - Returns the resolved name of the owner in the SD
BIN – Binary list
SIZE – The size of the data returned
COUNT – Returns the number of entries in the attribute
DNSRECORD – DNS entries
BEROID – Basic Encoding Rules (BER) encoded Object Identifier (OID)
DNSPROPERTY – DNS Properties entries
CERT - Certificates
CRL – Certificate Revocation List
PWDSEC – Password seconds
MSTRUST – Decoder for msds-TrustForestTrustInfo
PERIOD – Certificate renewal period

NetTools v1.13.2

DC Update **New**
Displays the number of Directory updates performed on a Domain Controller or AD LDS in the user specified interval

Token Size **New**
Shows the number of SIDs associated with an object. For user and computer objects this is the number of SIDs that will be added to the access token; for groups it is the number of SIDs that will be added to an object’s access token when the object is added to the group. The size shown is for reference only: it is the size of the data returned by the tokenGroups attribute for the corresponding object, which gives an indication of the resulting token size but is not exact; see the MS article for the formula for calculating the token size (I may add this as an option in future versions).
Background: Windows has a maximum buffer size for an access token, which varies between Windows versions, see: http://support.microsoft.com/kb/327825. While you can increase the token size supported by the OS, there is no way to increase the maximum size supported by IIS. With 100+ groups a user may experience intermittent access to resources, over 300 causes IIS\Sharepoint issues, and over 1015 the user will not be able to log on. The use of SID History for migrations or consolidations only makes the token size issue worse. This is quite a good white paper on the issue: http://www.giac.org/paper/gsec/5111/kerberos-access-token-limitations/104962

LDAP Search
Note: The attribute separator character has changed from a semicolon to a comma. The use of the semicolon was starting to compromise the quality of the code and the ability to add new functionality, as the semicolon is already used by the Microsoft implementation of LDAP for attribute ranges and binary options. NetTools will automatically convert existing saved Favorites to the new format.
Added import and export options for Favorites to allow sharing of pre-defined searches
Updated the inline substitution function to support multiple instances of the same ## variable in the same field.
New decodes for sdRightsEffective and msDS-User-Account-Control-Computed
New decoder type SIZE, which displays the size of the data returned by the LDAP directory. Note that the size returned is not necessarily the size of the data stored in the directory.
Updated Search Stats to support all Windows 2008 R2 search stats
Ability to specify the decoder per attribute in the Attributes textbox as <attribute>;<DecodeType>, e.g. whenchanged;default or lastlogontimestamp;binary. The same DecodeType names are used in the nettools.ini attributes listed below; note that BINARY has changed to BIN

AD Properties dialog
Updated to support foreign security principals

Object Meta Data
Update to include both Attribute and Value replication data

LDAP Browser
Fixed memory leak

Base64
Added Context menu option to generate a new random GUID

SPN Search
Updated to support different host searches

User Details
Updated to include GC searches

User’s Groups
Rewritten to use the LDAP API instead of ADSI to increase performance and provide better support for AD LDS instances

General
A number of user interface updates to improve performance on list refreshes

DecodeType list:

DEFAULT – ASCII
GTFTIME – Generalized Time Format
FILETIME – Win32 FileTime Format
64TIME – Win32 64bit Time Format
GUID – Windows GUID
SID – Security Identifier
ATTRIBENUM – predefined enumeration
SD – Security Descriptor
BIN – Binary list
SIZE – The size of the data returned
DNSRECORD – DNS entries
BEROID – Basic Encoding Rules (BER) encoded Object Identifier (OID)
DNSPROPERTY – DNS Properties entries
CERT - Certificates
PWDSEC – Password seconds
MSTRUST – Decoder for msds-TrustForestTrustInfo
PERIOD – Certificate renewal period

NetTools v1.12.6

Schema Version **New**
Displays the forest, domain, schema, Exchange and OCS versions, plus the user, group and computer attribute counts

Version update checking **New**
Now includes automatic version checking and download option

DC Resolution
Removed domain suffix option, it now uses the dnsHostName entry of the server from the AD
Editable list of ports scanned

Group Members
Ability to select the naming context if RootDSE doesn’t have defaultNamingContext set, e.g. ADAM\AD LDS

LDAP Search
Decodes for aelita-amm-extension1, aelita-amm-extension2, aelita-amm-extension3, aelita-amm-extension4, aelita-amm-extension5, aelita-amm-extension6
LDAP Browser option added to tableview context menu

NetTools v1.12.0

Server Info **New**
Displays the info from NetServerGetInfo with 100, 101 and 102 information structures

Group Members **New**
Displays the members of a group and the members of all nested groups in the target group

Base64 **New**
Ability to convert text, GUID and hex to Base64 and vice versa

LDAP Search
New Decodes for – LCS 2003, OCS2005, Lync 2010 (including: msrtcsip-archivingenabled, msrtcsip-archivingserverversion, msrtcsip-enablefederation, msrtcsip-meetingflags, msrtcsip-optionflags, msrtcsip-poolfunctionality, msrtcsip-pooltype, msrtcsip-poolversion, msrtcsip-serverversion, msrtcsip-sourceobjecttype, msrtcsip-trustedserverversion, msrtcsip-ucflags, msrtcsip-archivedefaultflags),
New Decodes for – trustdirection, domainFunctionality, forestFunctionality, trustattributes, trusttype, msds-TrustForestTrustInfo
New Decodes for – caCertificate, mspkidefaultkeyspec, mspki-enrollment-flag, flags, mspki-certificate-name-flag, mspki-private-key-flag, pkikeyusage, pKIExpirationPeriod, pKIOverlapPeriod
New Decoders – FILETIME, TrustForestInfo, and Certificate renewal period attributes
Certificate decoder updated to include start and end date
Inline filter substitution for Generalized Time Format (GTF) and 64-bit time, e.g. (whencreated={zdate:30/12/2011}) or (lastlogontimestamp={idate:31/12/2011})
The “Now” constant can be used with zdate\idate inline filter substitutions, with an optional plus or minus number of days, e.g. {zdate:now}, {zdate:now-365}, {idate:now+5}
Fixed column sort bug in table view
Fixed ‘1.1’ attribute column bug in table view
Fixed display issue when displaying  ;binary attributes
Added Object Properties dialog option to context menus
Object Properties dialog – Added meta data view option
Attribute dialog – added Schema definition option to context menu
Updated context menus to be enabled based on selection
Added extra error handling for attributes with odd values!
Fixed continuous loop bug for attributes that returns no values

LDAP Browser
Added user definable columns
Fixed binary view
Fixed performance issue introduced in 1.11

Schema Class Browser
Added Inherited classes option – selects if inherited classes are displayed
Double click option on attributes to follow classes
Added WhenCreated column
Added Column sorts
Added Copy and Attribute options
Icons for different class types

Last Logon
Added domain suffix option to allow searches in different forests\domains

User Details
Changed query to a paged search so the return count is not limited by the MaxPageSize LDAP policy
Ability to select the naming context if RootDSE doesn’t have defaultNamingContext set, e.g. ADAM\AD LDS
Added save option to the server inputbox

LDAP Performance
Fixed the bug in the averaging results
Added screen refresh to support tests cycles over 50 tests

AD Attributes dialog
Added right click option to display enumerate values

NetTools.ini
Updated the add configuration file logic to only add options that don’t already exist in the current configuration file. A sample configuration file is included in the zip covering the different configuration file options.
Configuration file with sample LDAP queries
FSMO roles – PDC, Domain, Infrastructure, RID, Schema
Schema Versions – AD, Exchange, OCS
Users - active, inactive and disabled
AD details, trusts, rootdse, tombstone, sites, GC, IP subnets

General
Added Ctrl+A select all options and key shortcuts for copying to all tables and lists
Full list of supported dynamic override decodes in the configuration file (nettools.ini):
[AttributeDecodes]
<attributename>=<DecodeType>

DecodeType list:

DEFAULT – ASCII
GTFTIME – Generalized Time Format
FILETIME – Win32 FileTime Format
64TIME – Win32 64bit Time Format
GUID – Windows GUID
SID – Security Identifier
ATTRIBENUM – predefined enumeration
SD – Security Descriptor
BINARY – Binary list
DNSRECORD – DNS entries
BEROID – Basic Encoding Rules (BER) encoded Object Identifier (OID)
DNSPROPERTY – DNS Properties entries
CERT - Certificates
PWDSEC – Password seconds
MSTRUST – Decoder for msds-TrustForestTrustInfo
PERIOD – Certificate renewal period

Known Issues
Bulk SID history – compatibility issues with the linked library mean that it only works on Windows 7; trying to find a solution for XP that doesn’t require two separate versions.

NetTools v1.11.0

SPN - Rewrite of the SPN search feature to use the Global Catalog, now uses LDAP API set instead of ADSI APIs for increased performance.
Kerberos Tickets – added feature to request a ticket for a registered SPN.  Can be used to test that the AD is configured correctly for a given SPN
Schema Class Browser – Option to view AD properties of the Attributes
LDAP Search
New LDAP Session options feature to allow complete control over the LDAP session, and to display the session options returned from a search
New decodes for – dnsrecord, dnsproperty, omobjectclass, msDS-MaximumPasswordAge, msDS-MinimumPasswordAge, msDS-LockoutObservationWindow, msDS-LockoutDuration, userCertificate, userSMIMECertificate, attributeCertificateAttribute; for certificates it displays the subject name, SAN or UPN, whichever is set
Dynamic Attributes updated to use a new Hashing algorithm for improved performance on attribute lookups
Improved reporting for LDAP Referrals
Improved support for non MS LDAP servers
Display multiple attributes one per line
Inline filter substitution for guid, sid and oid, e.g. (omobjectclass={oid:1.3.12.2.1011.28.0.702}) or (objectsid={sid:S-1-5-21-3499964120-3315823391-1593708255-164234}) or (objectguid={guid:00AD5B16-8E22-49D5-B83A-BFDEA6DFF7DE})
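The inline substitutions ({guid:}, {sid:} and {oid:} here, {zdate:}/{idate:} with the now constant in v1.12.0, and {ip:}/{ipn:} in v1.14.0) all turn a human-readable value into the raw form the directory stores so that it can be placed in an LDAP filter. The following is an added example, not NetTools' code, that performs those conversions in one place: GUIDs in the mixed-endian byte layout of objectGUID, SIDs in their binary layout, OIDs as BER contents octets, dates as GeneralizedTime or FILETIME, and IPs as host-order or network-order DWORDs, with binary values escaped per RFC 4515. It assumes dates are day/month/year and UTC and that now may carry a +/- days offset; the filter strings used in the test are the examples given on this page.

```python
"""Expand NetTools-style inline filter substitutions into raw LDAP assertion values.
Added example, not NetTools code.  Assumptions: dates are day/month/year, taken as UTC;
'now' may carry a +/-days offset; binary values use the \\XX escape of RFC 4515."""
import ipaddress
import re
import struct
import uuid
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
PATTERN = re.compile(r"\{(ip|ipn|zdate|idate|guid|sid|oid):([^}]*)\}", re.IGNORECASE)


def ldap_escape(raw):
    """Escape a binary assertion value as \\XX hex pairs."""
    return "".join("\\%02x" % b for b in raw)


def ip_windows_dword(text):
    """Host order: first octet in the most significant byte (10.12.45.254 -> 0x0A0C2DFE)."""
    return int(ipaddress.IPv4Address(text))


def ip_network_dword(text):
    """Network-order bytes read as a little-endian DWORD (10.12.45.254 -> 0xFE2D0C0A)."""
    return int.from_bytes(ipaddress.IPv4Address(text).packed, "little")


def parse_date(text, now):
    t = text.strip().lower()
    if t.startswith("now"):                     # now, now-365, now+5
        return now + timedelta(days=int(t[3:] or 0))
    return datetime.strptime(t, "%d/%m/%Y").replace(tzinfo=timezone.utc)


def generalized_time(dt):
    """GeneralizedTime as AD stores whenCreated/whenChanged: YYYYMMDDHHMMSS.0Z."""
    return dt.strftime("%Y%m%d%H%M%S") + ".0Z"


def filetime(dt):
    """Win32 FILETIME / Integer8: 100-ns intervals since 1601-01-01 UTC."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def guid_bytes(text):
    """objectGUID layout: Data1..Data3 little-endian, remaining 8 bytes as written."""
    return uuid.UUID(text).bytes_le


def sid_bytes(text):
    """Binary SID: revision 1, sub-authority count, 48-bit big-endian authority, LE sub-authorities."""
    parts = text.strip().upper().split("-")
    if parts[:2] != ["S", "1"]:
        raise ValueError("bad SID: %r" % text)
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def ber_oid(text):
    """BER OID contents octets: 40*a+b, then each arc base-128 big-endian with continuation bits."""
    arcs = [int(a) for a in text.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def substitute(filter_text, now=None):
    """Replace every {kind:value} token in an LDAP filter with its encoded form."""
    now = now or datetime.now(timezone.utc)

    def repl(match):
        kind, arg = match.group(1).lower(), match.group(2).strip()
        if kind == "ip":
            return str(ip_windows_dword(arg))
        if kind == "ipn":
            return str(ip_network_dword(arg))
        if kind == "zdate":
            return generalized_time(parse_date(arg, now))
        if kind == "idate":
            return str(filetime(parse_date(arg, now)))
        if kind == "guid":
            return ldap_escape(guid_bytes(arg))
        if kind == "sid":
            return ldap_escape(sid_bytes(arg))
        return ldap_escape(ber_oid(arg))
    return PATTERN.sub(repl, filter_text)


if __name__ == "__main__":
    print(substitute("(&(objectguid={guid:00AD5B16-8E22-49D5-B83A-BFDEA6DFF7DE})(whencreated>={zdate:now-365}))"))
```

The two IP encodings differ only in which end of the DWORD the first octet lands in, which is why a range check against mSSMSRangedIPHigh/Low built with the wrong one silently matches the wrong subnets; comparing the {ip:} and {ipn:} output for the same address is a quick way to confirm which form a given attribute holds.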
Object Properties
Updated to report User Account Control settings
New members of and member list with more detail, with load on demand to improve display times
SPN and delegation details
Support for computer objects
User Rights – updated to display user privileges

HowTo: Run NetTools

NetTools consists of a single executable, which doesn't need to be installed and can be run from any location, be it a network share, local drive or removable storage. The location can be read-only; however, in this case the option to save lists and favorite queries will not be available.

The NetTools.ini configuration file should be located in the same directory as the executable.

NetTools Basics

NetTools has a number of common features which are used throughout the program. This post provides details on some of these features.

Where to start
The number of options in NetTools can make it hard to know where to start. The best approach is to start with the Search option under Users; this allows you to search the AD, at either the Forest or Domain level, for any object in the Active Directory, and from there the context menu options allow you to interrogate the returned objects. See User Search.

Option or test Linking
For a number of the tests the output from one can be used as the input for other tests and options: select the corresponding output entry and right-click, and the context menu will display these options. The Search option has a number of linking options that are displayed under the Use with sub-menu.

Copy and Paste
The outputs from the tests can be copied into other functions in NetTools or to external programs. The Copy and Paste options are displayed in the right-click context menus. For table views it's possible to copy the data in a single column, the line, or the entire table. When using the copy column option, the mouse position at the time of the right-click defines which column is selected. For text-based output fields it's possible to copy the text as with standard copy and paste. The Copy to new Window context menu option copies the contents of the view to a new detached window, which provides additional sort and filtering options. See Copy to new Window.

Server Lists
In most of the options there is a server or domain entry field, which is a dropdown list. The right-click context menu lets you save the current name and also manage the lists. A separate list is kept for each entry field name, i.e. Server, Domain, LDAP filters etc.

Server and Domain Fields
The server and domain fields are optional; by default NetTools will use the domain information of the computer that is running NetTools. By default the server name is the name returned by the DsGetDcName API. For the domain field, the name of the domain of the machine running NetTools is used.

Credentials
By default NetTools runs in the context of the session that started it. It's possible to use the RunAs option to run with a different account that has elevated permissions. Some of the options have an option to use the credentials that are provided in the LDAP Search option. See Credentials

Messages\Results pane
On most options there is a lower pane, which is used to display any errors or status reports from the execution.

NetTools saved configuration
NetTools uses a single configuration file called NetTools.ini, which is used to save any user-defined configuration or saved lists. NetTools will try to read the configuration from the same location that the exe was executed from.