How To Troubleshoot which GPOs have been applied

Sometimes it is not immediately obvious where to start when troubleshooting GPO delivery issues. NetTools provides a number of features that let you confirm the GPO configuration and then verify which GPOs have been applied to the computer and user by reading the results directly from the machine.

To start troubleshooting we need to find the computer in Active Directory and confirm which GPOs will be applied to the machine. In the quick search box enter the name of the computer that you want to troubleshoot.

Quick Search

In this case we are searching for W2k19, which is a domain controller. Click on the search button.

Search Results

The search results will show all objects that match the search name. Now right click on the required item and select Use With->GPO Allocation from the context menu.

GPO Allocation Menu

The view will change to the GPO Explorer and automatically navigate to the OU that contains the computer object.  It will also display which GPOs have been assigned to the OU.  In this view you can confirm which policies have the links enabled and any WMI filters that have been applied.

GPOs Applied

By clicking a policy, the details of the policy are displayed in a split screen, so you can review the settings or configuration without leaving the OU view. While here, check the version numbers of the policy on the General tab: if the version number is zero, the policy will not apply, as the policy engine will treat it as empty.

GPO Explorer tab views

General
Scope
Settings
Security

The Inherited Policies tab will show which policies have been inherited down the OU structure and the order in which the policies will be applied. This view also supports the split view capability.  Confirm that the policy you are troubleshooting is listed.

Now if we select the Content tab, the list of objects that are in the OU is displayed. If there are more than 2000 objects in the OU, you will need to adjust the max entries field to display more.

Find your machine in the list, right click on it and select GPO Results from the context menu.

GPO Results

This will open a separate window and display which policies have been applied to the machine. The icons indicate whether each policy was successfully applied to the machine. Policies that were successfully applied have a green indicator, while policies that failed to apply have a red indicator. If you expand a policy item in the list, the details of why the policy failed to apply are displayed; the items with a red indicator are the reason the policy was not applied.

For the GPO Results to be displayed, the machine must be powered on and connected to the network.

GPO Results

Once the GPO Results window is populated, you can use the Quick Search field on the main form to search for the user and repeat the steps to see the GPO Allocation for the user object. You can then expand the user's policies tree in the GPO Results window to see which policies were applied to the user.

For more details on the information displayed in the GPO Results window, see the GPO Viewer page.

Mapping Get-ADTrust attributes to the TDO Object

This post provides the details of the mapping between the attributes displayed by the Get-ADTrust PowerShell command and the attributes of the TDO (trusted domain object).

Most of the properties returned by the Get-ADTrust command map to the TrustAttribute attribute of the TDO, so the table below shows which values of TrustAttribute correspond to each Get-ADTrust property. The NetTools Mnemonic column has the name of the mnemonic that NetTools will display if this value is set.

Get-ADTrust Parameter     TDO Attribute                    NetTools Mnemonic
Direction                 trustDirection
DisallowTransivity        TrustAttribute                   Non-Transitive
DistinguishedName         DistinguishedName
ForestTransitive          TrustAttribute                   Forest Transitive
IntraForest
IsTreeParent
IsTreeRoot
Name                      Name
ObjectClass               ObjectClass
ObjectGUID                ObjectGUID
SelectiveAuthentication   TrustAttribute                   Cross Organisation
SIDFilteringForestAware   TrustAttribute                   SID History
SIDFilteringQuarantined   TrustAttribute                   Quarantined
Source
Target                    trustPartner
TGTDelegation             TrustAttribute                   TGT Delegation
TrustAttributes
TrustType                 trustType
TrustedPolicy
TrustingPolicy
UsesAESKeys               msDS-SupportedEncryptionTypes
UsesRC4Encryption         TrustAttribute                   RC4 Encryption

This table shows the NetDom command argument that is used to change the corresponding TDO attribute.

Get-ADTrust Parameter     NetDom Parameter
Direction                 twoway or oneside
ForestTransitive          Transitive
SelectiveAuthentication   SelectiveAuth
SIDFilteringForestAware   SIDHistory
SIDFilteringQuarantined   Quarantine
TGTDelegation             EnableTgtDelegation

This page provides the details of the netdom command parameters, and this page provides the details of the TrustAttribute attribute. This page provides the details of the SID filtering functionality and which SIDs will be filtered.

The screenshot below shows the enumeration mnemonics as defined in NetTools.

TrustAttribute

How To: Display the time when members were added or removed from a group

Based on functionality in V1.30.3 and above

The standard AD tools don't expose the time when a member is added to or removed from a group. The normal method is to use the security event log to retrieve these details; however, this assumes that auditing was enabled when the change was made and that the security event log hasn't wrapped, so the details are still available, which is not always the case.

There is another way to get this information that doesn't rely on auditing being enabled or on the size of the security event log. AD maintains the time of changes in the replication metadata for group objects, and this data contains the exact time when each membership change occurred. AD uses this information to enable changes to be replicated to the other domain controllers in the domain or forest. The replication data is not easily accessible with the standard AD tools; however, NetTools has a simple feature that allows you to display all the membership changes for a group, including the time they happened. The time a member was added or removed is shown in the corresponding column.

Group Membership Changes

The option is available on the Members tab of the AD Properties dialog. At the bottom of the tab is the Changes button; when this is clicked, a separate window is displayed with all the change details.

AD Properties - Group Changes
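As an added example (not NetTools code, whose implementation is not shown on this page), the script below reads the same add/remove times from the replication metadata. It assumes the data is the constructed attribute msDS-ReplValueMetaData, which a DC returns as one XML fragment per linked value; the sample values are constructed, not captured from a real directory.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# AD reports "never deleted" as the FILETIME epoch, 1601-01-01.
NEVER_DELETED = datetime(1601, 1, 1)

# Constructed sample (not captured from a DC): three member links of one group, each one
# <DS_REPL_VALUE_META_DATA> fragment as returned in msDS-ReplValueMetaData. Elements the
# parser does not need (invocation ID, USNs, originating DSA) are left out to keep it short.
SAMPLE_METADATA = [
    # Alice: added once and still a member
    """<DS_REPL_VALUE_META_DATA>
  <pszAttributeName>member</pszAttributeName>
  <pszObjectDn>CN=Alice,OU=Users,DC=example,DC=com</pszObjectDn>
  <dwVersion>1</dwVersion>
  <ftimeDeleted>1601-01-01T00:00:00Z</ftimeDeleted>
  <ftimeCreated>2021-03-02T09:15:30Z</ftimeCreated>
  <ftimeLastOriginatingChange>2021-03-02T09:15:30Z</ftimeLastOriginatingChange>
</DS_REPL_VALUE_META_DATA>""",
    # Bob: added, then removed; the link stays as a tombstoned value with ftimeDeleted set
    """<DS_REPL_VALUE_META_DATA>
  <pszAttributeName>member</pszAttributeName>
  <pszObjectDn>CN=Bob,OU=Users,DC=example,DC=com</pszObjectDn>
  <dwVersion>2</dwVersion>
  <ftimeDeleted>2021-06-15T17:02:11Z</ftimeDeleted>
  <ftimeCreated>2020-01-10T08:00:00Z</ftimeCreated>
  <ftimeLastOriginatingChange>2021-06-15T17:02:11Z</ftimeLastOriginatingChange>
</DS_REPL_VALUE_META_DATA>""",
    # Carol: added, removed and re-added (version 3); ftimeCreated keeps the original add time
    """<DS_REPL_VALUE_META_DATA>
  <pszAttributeName>member</pszAttributeName>
  <pszObjectDn>CN=Carol,OU=Users,DC=example,DC=com</pszObjectDn>
  <dwVersion>3</dwVersion>
  <ftimeDeleted>1601-01-01T00:00:00Z</ftimeDeleted>
  <ftimeCreated>2019-11-05T12:00:00Z</ftimeCreated>
  <ftimeLastOriginatingChange>2022-02-01T10:30:00Z</ftimeLastOriginatingChange>
</DS_REPL_VALUE_META_DATA>""",
]


def _ftime(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def membership_changes(metadata_values):
    """One record per member link: who, whether they are a current or removed member, and when.

    Only the latest change per link is kept by AD; dwVersion counts how many add/remove
    operations the link has seen, but the intermediate times are not recoverable.
    """
    rows = []
    for raw in metadata_values:
        node = ET.fromstring(raw)
        if node.findtext("pszAttributeName") != "member":
            continue  # the group's metadata also covers other linked attributes
        deleted = _ftime(node.findtext("ftimeDeleted"))
        last_change = _ftime(node.findtext("ftimeLastOriginatingChange"))
        row = {
            "member": node.findtext("pszObjectDn"),
            "version": int(node.findtext("dwVersion")),
            "first_added": _ftime(node.findtext("ftimeCreated")),
        }
        if deleted == NEVER_DELETED:
            # current member: the last originating change is the (re-)add time
            row.update(state="present", added=last_change, removed=None)
        else:
            row.update(state="removed", added=row["first_added"], removed=deleted)
        rows.append(row)
    # order by the time of the most recent change, like a change log
    return sorted(rows, key=lambda r: r["removed"] or r["added"])


if __name__ == "__main__":
    for r in membership_changes(SAMPLE_METADATA):
        when = r["removed"] or r["added"]
        print(f"{when:%Y-%m-%d %H:%M:%S}  {r['state']:8}  v{r['version']}  {r['member']}")
```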

NetTools v1.30.0

ASN.1 Viewer
An option to display ASN.1 data structures, with support for DER, PEM, PKCS#7 and PKCS#12 file formats, and manual input in hex and base64 formats. Includes support for common X.509 field types. See ASN.1 Viewer.

DirSync
An option to run an LDAP query with the DirSync server side control to display what changes have been made in the selected context. See DirSync.

Domain Changes
An option to display which objects have been changed, created or replicated to the domain controller, based on the objects with an updated USNChanged attribute. See Domain Changes.

Object Counts
An option to count the number of different types of objects that exist under the selected OU structure. Selectable object types are Users, Groups, Computers, Active Users, OUs and all objects. See Object Counts.

User's Membership
An option to display a user's group membership, including nested groups and which group each nested membership comes from. See User's Membership.

General
Updated the icons and context menu icons.
Added additional command line options to allow an LDAP Search Favorite to be specified and run from the command line, /f:<favorite name>, e.g. NetTools "/f:AD: RootDSE". The /Q option is also available, which will cause NetTools to quit after the query has finished running.
Added a new Find feature to enable searching for items in the results.
Added an Open Container context menu to open the parent container in the LDAP Browser.
Added an LDIF Export option to the context menus to allow the objects to be exported to a file in LDIF format.
Times and dates are now displayed based on the locale and regional settings; LDAP Search Substitution input entries also use the locale date format for entry.
Options that require a username (SamAccountName) entry now display a user search dialog if the entered name is not found.

ACL Browser
Added Group Members and Group Manager options to the context menus.
Fixed an intermittent exception error when copying multiple items.
Fixed a display issue associated with the member attribute and the add/remove self to group extended right.

AD Attributes
Updated to remove the dependency on the AllowedAttributes attribute, so objects from non-AD based directories can be displayed.

AD Properties
Updated the TokenGroups tab to include the SID of each resolved name. Also includes an option to use Absolute SID Resolution, to help identify any entries that are associated with SID History.
Updated the Members tab to also display which members have been removed from the group and when.
Updated the object selector used to manage group membership to support a paste option, so multiple entries can be added to the selection list. Supports DN, samAccountName, UPN, email and name, in any combination.
Added an option on the Logon tab to perform a Last Logon scan.
Added an option to display the organisation structure from the Organisation tab.
Updated the Members and MemberOf lists to include the samAccountNames of the included objects.

Base64
Updated to use dynamic buffers rather than static ones to allow for larger decodes.
Added an option to decode output to a file.
Added an option to display hex or base64 output in the ASN.1 viewer.
Improved the handling of extra whitespace in the data input.
Updated to support the hex stream data input format.

Compare Groups
Updated so it can compare both the member and memberOf attributes, so it can be used to compare the membership of groups as well as users.

Copy To Windows
Improved the performance when displaying large lists of items, and added a better indication to the user when the program is busy.

DsGetDcName
Updated the selectable options to include DS8, DS9, DS10 and Key Lists.
Updated the flags decode to display the full flag names, and added support for DS9, DS10 and Key Lists.

DC Resolution
Updated the ports option to allow lists of ports to be defined and selected, simplifying the testing of different services.

GPO Explorer
Added an AD Sites view with an indication of whether policies are applied to a site.
Double click in the WMI filter viewer to display policy details.
Added GPO Results to the context menu of the Content tab in the GPO Allocation view, to display which policies have been applied to the selected machine.
Updated to display the wireless and wired GPO settings.
Updated to display which client side extensions are assigned to the GPO.
Updated the Settings view for registry items to display all the registry entries in the registry.pol as a single list; the option is available by clicking on the Settings item at the top of the registry tree.
Updated a number of context menus to include some of the standard options that were missing.
Updated the GPO List view to include the split screen option to display the selected GPO's properties below the list.
Added a context menu item to display all OUs that have Block Inheritance enabled.
Added additional error handling for GPOs that don't have the display name set or that have gplink attributes in an invalid format.

Last Logon Time
Added a cumulative logon count across all domain controllers, and the DN.
Added a context menu option to input a new entry.

LDAP Search
Conditional Attributes - updated the logic so an attribute with no value set is also tested against the condition statement, i.e. location!=london will be true if no value is set.
Conditional Attributes - updated so the position of the wildcard character is significant: if the wildcard is placed at the beginning of the search criteria, i.e. *disable, then 'disable' will match anywhere in the attribute. If the wildcard is placed at the end of the search criteria, i.e. disable*, then a match only occurs if disable is at the start of the attribute.
Conditional Attributes - the entered case of static entries is now preserved.
Custom Controls updated to allow the data encoding type to be defined; data can now be defined as a String or Integer encoded using BER encoding, or a non-BER encoded Integer.
Option to display the server controls that are sent and returned as a hex dump and ASN.1 structure dump in the text output view; the option is selected in the Manage Controls dialog.
Updated the Search Statistics option to automatically change which set of search stats is returned based on the domain controller functional level.
Updated the Attributes field to also support the getdn substitution, so it can be used in update queries.
Updated the MSTRUST DecodeType for the msds-TrustForestTrustInfo attribute to provide details of excluded routing suffixes.
Updated filter processing to remove the case sensitivity of boolean expressions.
When the Display Results option is not selected with Update Queries, the attribute pre-read before updates is skipped, which significantly improves the performance when updating attributes with more than a few thousand values.
Updated the REPS_INFO DecodeType, used by the repsTo and repsFrom attributes, to support the V2 data structure format.
Updated the file output logic so that when file output is selected and Display Results is not, the results are written to the file. Fixed a bug with the single line option so all entries are now written to the file. Fixed a bug with the tab separator character.
Updated the Use column context menu to include Add to Resolver.
Added a new GPLINKS DecodeType to return a list of the GPO DNs in the gplink attribute.
Added a Shift key function to disable the HTML parser when pasting items in Input Mode.
Added a new METAP DecodeType, used for the replPropertyMetaData attribute.

LDAP Search - Predefined Queries
The following predefined queries have been added:

AD: Schema Attributes ANR Indexed
AD: Schema Attributes Confidential
AD: Schema Attributes Constructed
AD: Schema Attributes in GC
AD: Schema Attributes Indexed
AD: Schema Attributes Not Replicated
AD: Schema Attributes Tuple Indexed

The following predefined queries have been updated:

GPOs: All
GPOs: All deleted
GPOs: Computer Targeted Policies
GPOs: Created in Last 30 Days
GPOs: Created in Last 60 Days
GPOs: Created in Last 7 Days
GPOs: Created in Last 90 Days
GPOs: Created Today
GPOs: Created Yesterday
GPOs: Deleted in the last 24 hours
GPOs: Deleted in the last 48 hours
GPOs: Modified in Last 30 Days
GPOs: Modified in Last 60 Days
GPOs: Modified in Last 7 Days
GPOs: Modified in Last 90 Days
GPOs: Modified Today
GPOs: Modified Yesterday
GPOs: Non Active
GPOs: Policies with a WMI Filter
GPOs: User & Computer Targeted Policies
GPOs: User Targeted Policies
GPOs: WMI Filters
Groups: All
SCCM: Management Points
SCCM: Site Boundaries
SCCM: Sites
Users: Active Users Who Haven't Logged On In Last x Days - user defined period
Users: Without Home Directory

Meta Data Dialog
Updated the Value replication table to include local and originating USN details.

NetGroupEnum
Renamed the option to Local Groups.

Organisation Structure
Changed the default view to display reporting lines, including peers and direct reports as separate items. The old tree view is still available as an option, as it is more useful in some scenarios.

Replication Queues
Updated authentication to use DsBindWithCred instead of DsBind, to allow the credentials from the Connection Profiles to be used.

Resolver
Added a keyboard shortcut so new entries can be entered manually using the Insert key.
Context menu updated to be object sensitive; options are enabled or disabled based on the selected object.
Display GPO Results added to the Use With context menu.
Fixed a bug where the item count could be incorrect.
Updated to allow tracking of objects that have been opened or used with context menus.
Added an Object History option, so all objects opened or linked via context menus are automatically added to the Resolver list.
Updated so each new entry added also records the server name.

SID Converter
Updated the output view to use a table view, which simplifies the output and makes it easier to copy details between options.
Added an option to display SID details from Base64 format input.
Fixed a bug where comma separated SIDs were not resolved correctly.

Schema Versions
Updated to include support for Exchange 2019 CU8, CU9 & CU10, and Exchange 2016 CU19, CU20 & CU21.

Schema History
Updated with details of the SCCM, MAPI Lab and EMC schema extensions.
Updated to display Unknown if the schema extension is not in the internal database.

Time Converter
Updated to display the time outputs in a table view.
The time and date inputs are now based on the locale time/date format. The locale time/date format is displayed in the supported formats section.

Token Size
Updated the size column to reflect the token size based on the MS algorithm for calculating Token Size.

User Search
Updated the Use With context menu to include a Local Groups option, to allow the local groups of member machines to be viewed.
Updated the Use With context menu to include GPO Results on computer objects that are returned.
Updated icons so there is a separate icon for expired users.
Updated to include an advanced option to allow searching of specific attributes on nominated objects.

How To Find Active Directory Effective Permissions

Some of the features shown here are only available in NetTools 1.31.9 and above.

NetTools includes the Permissions Browser option, which also allows you to see the effective rights for a nominated trustee. It also provides the ability to change the trustee's rights to assess the impact this will have on the trustee's access to objects in the AD. In this post we will look at how to use this option to view the effective rights of a user.

Permissions Browser

To configure the Permissions Browser to show the Effective Rights we need to complete the following steps.

How To Display Active Directory Effective Permissions

Select the Permissions Browser

Open NetTools and select the Permissions Browser option under Access Control in the left hand pane.

Display AD Permissions

Select the Connection Profile or server to connect to. See Connection Profiles.

Select the Context you wish to view.

Click Refresh.

You can now navigate through the AD to the object whose effective permissions you want to check.

Select Trustee

To display the effective rights for a trustee, we need to select the trustee using the Trustee Information dialog. Click on the Trustee button.

Trustee Information

Press the Select button to select the Trustee, and enter the name of the trustee. This can be a user, computer or group. The Current User button can be used to retrieve the current group list from the currently authenticated user; if UAC is enabled, any disabled groups will be excluded from the token. Then click Select.

Select Trustee

The Trustee Information dialog will be updated with the SIDs that the user is a member of. This is the user's access token, and this information will be used to determine the effective rights of the user.

Trustee Information

View Effective Permissions

The ACL list is now filtered, showing only the permissions that will be applied to the trustee when they try to access the AD object. In this example the selected user has a number of permissions that are granted by their access token. The lower section displays the effective permissions of the user on the selected object.

See the AD Permissions Browser page for information on the icons and their meanings.

See the AD Effective Permissions page for more information on the details and available options.

Trustee Mode - Effective Permissions

Alternative Method

The alternative and simpler method is to use the Use With context menu from the User Search option. Either select Search or use the quick search option, and search for the user you want to check the effective permissions for.

Use With - Effective Permissions

Then right click on the corresponding user and select Effective Permissions under the Use With context menu. This will switch to the AD Permissions Browser option and set the Trustee. You can now browse the directory and view the effective permissions as you browse.

Modelling Effective Rights

One of the features of the Trustee Information dialog is that we can model changes to the trustee's effective rights. By using the Add and Remove buttons we can add or remove groups included in the trustee's access token, which is used to display the effective rights; this allows you to model how group changes will impact the trustee's access.

Trustee Information - Added Domain Admins

In the example above, the access token of the Trustee has been modified to include the Domain Admins group. Below, the Permissions Browser is showing the effective permissions based on the updated access token for the Trustee. Now two permissions are shown based on the updated access token.

AD Permissions Browser - Effective Rights

You can now browse the AD to see what rights the Trustee has on the objects in AD. To turn off the Effective Rights view, click on the Clear button in the Trustee Information dialog.
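As an added example (not NetTools code), a small model of what the Trustee Information dialog does: the token is the set of SIDs, the filtered ACL is the ACEs whose trustee is in the token, and the effective rights are computed by walking those ACEs in DACL order so an explicit deny is not overridden by a later allow. The DACL, the domain SID and the user/group RIDs are constructed; the ADS_RIGHT bit values are the standard AD access mask bits.

```python
from dataclasses import dataclass

# A few AD access mask bits (ADS_RIGHT_* values); enough to show deny/allow interaction.
ADS_RIGHT = {"READ_PROP": 0x10, "WRITE_PROP": 0x20, "CONTROL_ACCESS": 0x100,
             "DELETE": 0x10000, "WRITE_DAC": 0x40000}


@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # SID string
    mask: int


# Constructed DACL for one AD object. The domain part of the SIDs is made up; -512 is the
# Domain Admins RID, -513 Domain Users, S-1-5-11 Authenticated Users, S-1-1-0 Everyone.
DOMAIN = "S-1-5-21-1111-2222-3333"
DACL = [
    Ace("deny",  DOMAIN + "-1105", ADS_RIGHT["WRITE_PROP"]),        # explicit deny on the user
    Ace("allow", "S-1-5-11",       ADS_RIGHT["READ_PROP"]),         # Authenticated Users
    Ace("allow", DOMAIN + "-512",  ADS_RIGHT["WRITE_PROP"] | ADS_RIGHT["WRITE_DAC"]
                                   | ADS_RIGHT["DELETE"]),          # Domain Admins
    Ace("allow", DOMAIN + "-1200", ADS_RIGHT["CONTROL_ACCESS"]),    # some other group
]

# The user's access token: own SID plus the groups the Trustee Information dialog lists.
TOKEN = {DOMAIN + "-1105", "S-1-1-0", "S-1-5-11", DOMAIN + "-513"}


def applicable_aces(dacl, token):
    """The filtered ACL view: only the ACEs whose trustee is in the access token."""
    return [ace for ace in dacl if ace.trustee in token]


def effective_rights(dacl, token):
    """Walk the applicable ACEs in DACL order (canonical order puts denies first);
    a right that has already been denied cannot be granted by a later allow ACE."""
    allowed = denied = 0
    for ace in applicable_aces(dacl, token):
        if ace.kind == "allow":
            allowed |= ace.mask & ~denied
        else:
            denied |= ace.mask & ~allowed
    return allowed


def right_names(mask):
    return sorted(name for name, bit in ADS_RIGHT.items() if mask & bit)


def model(dacl, token, add=(), remove=()):
    """Model a group change by editing the token, like the dialog's Add/Remove buttons."""
    new_token = (set(token) | set(add)) - set(remove)
    return right_names(effective_rights(dacl, new_token))


if __name__ == "__main__":
    print("as is:            ", model(DACL, TOKEN))
    print("with Domain Admins:", model(DACL, TOKEN, add=[DOMAIN + "-512"]))
```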

How To: Clear the group membership for a list of users

In this post we will look at how to remove the group membership of a number of users using the NetTools LDAP Search option. This action is typical in a user deprovisioning activity, where user accounts are moved to a separate OU and the group membership of the users is removed.

We could also use LDAP Search to move the user objects to the OU, but we will assume that the user accounts are already in the target OU.

To complete this operation we need to complete the following steps:

Clear Group Membership Steps

Get a list of groups that the users are a member of

First go to the LDAP Search option and click on the Populate button.

Populate

Click on the OU Selector and select the OU that contains the users whose group membership needs to be cleared.

OU Selector

The Base DN will be set to the selected OU.

To limit the scope of the query to only the users that are disabled and have group membership, change the filter to (&(objectclass=user)(useraccountcontrol|=2)(memberof=*))

Set the Attributes field to memberof

Change the Search Scope to either One Level or Subtree as required

Click the More button

Select the Single Line option - this will cause each of the user's group memberships to be displayed on a separate line

You should have something like this:

List Group Membership

Click Go

You should get a complete list of the group membership for all the users, with each group membership on a separate line in the table view. The DN field is the DN of the user, and Memberof is the group that the user is a member of.

Group List Output

Remove the users from the groups based on the list produced in step 1

We are going to use the Input Mode functionality with an update query to remove the users from the groups. Group membership is stored in the member attribute of the group object, so the update query will target the groups and remove the users from each group.

Right click on the table view and select Table Input Mode, or select Table Input in the options

Input Mode

The column headers will change to ##Input and ##Input2; the entries in the columns can now be used as input to the query. See Input Mode for more details.

Change the Base DN field to read ##input2 - this will target the group based on the list of DNs in the ##input2 column of the table

Input Mode Column Headers

We now need to change the query to remove the users from the groups.

Change the Filter to (objectclass=group)

Change the Attributes field to member=-##input

Change the Search Scope to Base Level

Select the Enable Updates option; for more details see Update Queries.

Deselect Display Results - this is to increase performance; the remaining membership of the group will not be displayed.

Remove Group Members

With the Preview option selected, click Go.

Check all the entries to confirm that each line has a DN and a member entry. If one or both of these fields are missing on a line, it means that the group on that line doesn't exist. This shouldn't happen, as we have just exported the group membership, but someone else might have changed the group membership between the steps being run.

Preview Results

Once confirmed, unselect the Preview option and click Go

You will get a warning message; click Yes

The member field will be changed to Updated if the user was successfully removed from the group; if the update failed, an error message will be displayed.

Update Results

The details in the table view can be copied and pasted into a spreadsheet to record what changes have been made. They can also be used to undo the changes. By changing the Attributes field to member=+##input and running the update query again, the users will be added back into the groups.
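As an added example (not NetTools code), the script below performs the same two operations offline from a paste of the step 1 table view: it checks that every line has both columns (the check the Preview step describes), groups the users by group, and emits standard LDIF modify records that delete the member values, with op="add" producing the undo described above. The sample export is constructed.

```python
import base64


def find_incomplete_lines(export_text):
    """Line numbers where the DN or Memberof column is empty (the check the Preview step describes)."""
    bad = []
    for lineno, line in enumerate(export_text.splitlines(), 1):
        if not line.strip() or line.split("\t")[0].strip().lower() == "dn":
            continue  # blank line, or the column header row that comes with the paste
        cols = line.split("\t")
        if len(cols) != 2 or not cols[0].strip() or not cols[1].strip():
            bad.append(lineno)
    return bad


def parse_export(export_text):
    """(user DN, group DN) pairs from a tab-separated paste of the step 1 table view."""
    bad = find_incomplete_lines(export_text)
    if bad:
        raise ValueError("incomplete lines: %s" % bad)
    pairs = []
    for line in export_text.splitlines():
        if not line.strip() or line.split("\t")[0].strip().lower() == "dn":
            continue
        user_dn, group_dn = (c.strip() for c in line.split("\t"))
        pairs.append((user_dn, group_dn))
    return pairs


def _ldif_line(attr, value):
    """LDIF needs base64 ('::') for values that are not SAFE-STRINGs (RFC 2849), e.g. non-ASCII DNs."""
    safe = value.isascii() and value.isprintable() and not value.startswith((" ", ":", "<"))
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def membership_ldif(pairs, op="delete"):
    """One 'changetype: modify' record per group, like the per-group update query.
    op='delete' clears the membership; op='add' with the same list is the undo."""
    if op not in ("delete", "add"):
        raise ValueError("op must be 'delete' or 'add'")
    by_group = {}
    for user_dn, group_dn in pairs:
        by_group.setdefault(group_dn, []).append(user_dn)
    records = []
    for group_dn, users in by_group.items():
        lines = [_ldif_line("dn", group_dn), "changetype: modify", "%s: member" % op]
        lines += [_ldif_line("member", u) for u in users]
        lines.append("-")
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


# Constructed sample: what a paste of the step 1 table view looks like (header row included).
SAMPLE_EXPORT = "\n".join([
    "DN\tMemberof",
    "CN=Alice Smith,OU=Leavers,DC=example,DC=com\tCN=Finance,OU=Groups,DC=example,DC=com",
    "CN=Bob Jones,OU=Leavers,DC=example,DC=com\tCN=Finance,OU=Groups,DC=example,DC=com",
    "CN=Alice Smith,OU=Leavers,DC=example,DC=com\tCN=VPN Users,OU=Groups,DC=example,DC=com",
])

if __name__ == "__main__":
    print(membership_ldif(parse_export(SAMPLE_EXPORT), "delete"))
```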

NLTEST Flags – what does 0x20000 mean?

When running the NLTEST /DSGETDC command against a domain controller that is Windows 2012 R2 or later, the command will display the normal flags plus an extra flag called '0x20000'. But what does the 0x20000 flag mean? First of all, it's not an error code. Microsoft added an additional feature to Windows 2012 R2 and later DCs, but NLTEST hasn't been updated to display this flag correctly; even the Windows 2019 version doesn't have this flag defined.

The results displayed by NLTEST /DSGETDC are the information returned by the DsGetDcName API; this information is defined in the DOMAIN_CONTROLLER_INFO structure.

typedef struct DOMAIN_CONTROLLER_INFOA {
    LPSTR DomainControllerName;
    LPSTR DomainControllerAddress;
    ULONG DomainControllerAddressType;
    GUID  DomainGuid;
    LPSTR DomainName;
    LPSTR DnsForestName;
    ULONG Flags;
    LPSTR DcSiteName;
    LPSTR ClientSiteName;
} DOMAIN_CONTROLLER_INFOA, *PDOMAIN_CONTROLLER_INFOA;

The Flags member has the following definitions in the dsgetdc.h file:

#define DS_PDC_FLAG                    0x00000001 // DC is PDC of Domain
#define DS_GC_FLAG                     0x00000004 // DC is a GC of forest
#define DS_LDAP_FLAG                   0x00000008 // Server supports an LDAP server
#define DS_DS_FLAG                     0x00000010 // DC supports a DS and is a Domain Controller
#define DS_KDC_FLAG                    0x00000020 // DC is running KDC service
#define DS_TIMESERV_FLAG               0x00000040 // DC is running time service
#define DS_CLOSEST_FLAG                0x00000080 // DC is in closest site to client
#define DS_WRITABLE_FLAG               0x00000100 // DC has a writable DS
#define DS_GOOD_TIMESERV_FLAG          0x00000200 // DC is running time service (and has clock hardware)
#define DS_NDNC_FLAG                   0x00000400 // DomainName is non-domain NC serviced by the LDAP server
#define DS_SELECT_SECRET_DOMAIN_6_FLAG 0x00000800 // DC has some secrets
#define DS_FULL_SECRET_DOMAIN_6_FLAG   0x00001000 // DC has all secrets
#define DS_WS_FLAG                     0x00002000 // DC is running web service
#define DS_DS_8_FLAG                   0x00004000 // DC is running Win8 or later
#define DS_DS_9_FLAG                   0x00008000 // DC is running Win8.1 or later
#define DS_DS_10_FLAG                  0x00010000 // DC is running WinThreshold or later
#define DS_KEY_LIST_FLAG               0x00020000 // DC supports key list requests
#define DS_PING_FLAGS                  0x000FFFFF // Flags returned on ping
#define DS_DNS_CONTROLLER_FLAG         0x20000000 // DomainControllerName is a DNS name
#define DS_DNS_DOMAIN_FLAG             0x40000000 // DomainName is a DNS name
#define DS_DNS_FOREST_FLAG             0x80000000 // DnsForestName is a DNS name

As you can see, 0x20000 is defined in the include file as support for Key List Requests; see the Kerberos Protocol Extensions [MS-KILE] section 2.2.11 for more info. NetTools includes this decode, and the result from the same server shows that Key List Requests are supported.
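As an added example (not NetTools code), a small decoder for the Flags value that shows why an older NLTEST prints the Key List bit as raw hex: the flag table is taken from the dsgetdc.h definitions above, the short names are the header names without the DS_ prefix and _FLAG suffix (not NLTEST's own labels), and the sample value 0xE003F3FD is constructed.

```python
# Return flags of DOMAIN_CONTROLLER_INFO.Flags, from the dsgetdc.h definitions on this page.
# DS_PING_FLAGS is a mask, not a flag bit, so it is not in the table.
DS_FLAGS = {
    0x00000001: "PDC",
    0x00000004: "GC",
    0x00000008: "LDAP",
    0x00000010: "DS",
    0x00000020: "KDC",
    0x00000040: "TIMESERV",
    0x00000080: "CLOSEST",
    0x00000100: "WRITABLE",
    0x00000200: "GOOD_TIMESERV",
    0x00000400: "NDNC",
    0x00000800: "SELECT_SECRET_DOMAIN_6",
    0x00001000: "FULL_SECRET_DOMAIN_6",
    0x00002000: "WS",
    0x00004000: "DS_8",
    0x00008000: "DS_9",
    0x00010000: "DS_10",
    0x00020000: "KEY_LIST",
    0x20000000: "DNS_CONTROLLER",
    0x40000000: "DNS_DOMAIN",
    0x80000000: "DNS_FOREST",
}

# What an NLTEST build that predates DS_KEY_LIST_FLAG knows about.
LEGACY_FLAGS = {bit: name for bit, name in DS_FLAGS.items() if name != "KEY_LIST"}


def decode_flags(flags, known=DS_FLAGS):
    """Names of the set bits, in bit order; bits not in the table are collected and
    appended as one hex value, which is how the undecoded 0x20000 shows up."""
    names, unknown = [], 0
    for bit in range(32):
        mask = 1 << bit
        if not flags & mask:
            continue
        if mask in known:
            names.append(known[mask])
        else:
            unknown |= mask
    if unknown:
        names.append("0x%X" % unknown)
    return names


def supports_key_list(flags):
    """True when the DC advertises DS_KEY_LIST_FLAG (Key List Requests, [MS-KILE] 2.2.11)."""
    return bool(flags & 0x00020000)


if __name__ == "__main__":
    # Constructed value of the kind a 2012 R2+ DC returns: PDC, GC, KDC, ... plus the Key List bit.
    sample = 0xE003F3FD
    print("old NLTEST decode:", " ".join(decode_flags(sample, LEGACY_FLAGS)))
    print("with KEY_LIST:    ", " ".join(decode_flags(sample)))
```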

How To: Using Search Stats OID 1.2.840.113556.1.4.970

Active Directory and LDS provide a server side control which, when added to a query, provides statistics on the efficiency of the query that was executed. The specific control is OID 1.2.840.113556.1.4.970 - LDAP_SERVER_GET_STATS_OID, and the details can be found here.

The NetTools LDAP Search option provides a simple checkbox to add this server side control to queries. The option is found in the Server Side Controls section and is called Search Statistics. When the query is run and the user has the appropriate permissions, the search statistics will be returned.

When the query is executed, the statistics are displayed in the output panel after the results of the query. Below are the statistics returned by a Windows 2016 server.

The version of the operating system running on the server determines which statistics are returned. As Windows has evolved, the level of detail returned by the server has also increased. Windows 2000 only provided 4 different statistics, Windows 2003 increased this to 6, and Windows 2008 increased it to 15 and also introduced a new format which provides more details, but with dynamic fields rather than the older static fields.

NetTools detects the domain controller functional level of the server and automatically adjusts the control parameters to select the highest level of detail available for the server.

The table below shows which statistics level is returned by each version of Windows:

                       2000   2003/R2   2008/R2   2012/R2   2016   2019
StatsResponseValueV1    x
StatsResponseValueV2            x
StatsResponseValueV3                      x         x        x      x
StatsResponseValueV4                      x         x        x      x

The details for each set of stats can be found below.

While NetTools will automatically select the stats level based on the domain controller functional level, it is possible to manually specify the required stats level using the Server Side Controls dialog. To do this, first uncheck the Search Statistics option, then click on the Controls button in the Server Side Controls section and add a control as shown below, with the Value set to 1 for the corresponding V1, V2 or V3 stats supported by the server, or a Value of 5 for the V4 stats.
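As an added example (not NetTools code), a small encoder/decoder for this control: it builds the BER INTEGER request value (1 or 5, as described above) and parses a StatsResponseValueV3 response into the page's field names. It assumes the response is a SEQUENCE of INTEGER tag / value pairs in the V3 field order listed further down the page, with the filter and index values as OCTET STRINGs; the tag numbers in the constructed sample are made up, and the decoder does not depend on them.

```python
STATS_OID = "1.2.840.113556.1.4.970"   # LDAP_SERVER_GET_STATS_OID


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def ber_int(n):
    """INTEGER, two's complement; the extra length keeps values with the top bit set positive."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)
    return _tlv(0x02, body)


def ber_octets(text):
    return _tlv(0x04, text.encode("utf-8"))


def ber_seq(*parts):
    return _tlv(0x30, b"".join(parts))


def stats_control_value(level):
    """Request control value: 1 selects the V1/V2/V3 stats the server supports, 5 selects V4."""
    return ber_int(level)


def _read_tlv(buf, pos):
    """Read one TLV at pos; returns (tag, value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


# Field order of StatsResponseValueV3 as listed on this page (each field is a tag/value pair).
V3_FIELDS = ["threadCount", "callTime", "entriesReturned", "entriesVisited", "filter", "index",
             "pagesReferenced", "pagesRead", "pagesPreread", "pagesDirtied", "pagesRedirtied",
             "logRecordCount", "logRecordBytes"]


def decode_stats_v3(data):
    """Decode the response control value into a dict keyed by the V3 field names."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected a single SEQUENCE")
    items, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        items.append((t, v))
    if len(items) != 2 * len(V3_FIELDS):
        raise ValueError("expected %d tag/value pairs, got %d items" % (len(V3_FIELDS), len(items)))
    stats = {}
    for name, (tag_t, _), (val_t, val_v) in zip(V3_FIELDS, items[0::2], items[1::2]):
        if tag_t != 0x02:
            raise ValueError("%s: the tag field must be an INTEGER" % name)
        if val_t == 0x02:
            stats[name] = int.from_bytes(val_v, "big", signed=True)
        elif val_t == 0x04:                 # filter and index are OCTET STRINGs
            stats[name] = val_v.decode("utf-8", "replace")
        else:
            raise ValueError("%s: unexpected value type 0x%02x" % (name, val_t))
    return stats


def sample_v3_response():
    """Constructed response mirroring the page's level-1 output; tag numbers 1..13 are made up."""
    values = [1, 0, 3, 4, "( & (objectClass=user) (name=gary*) ) ", "idx_name:4:N;",
              126, 0, 0, 0, 0, 0, 0]
    parts = []
    for tag_no, value in enumerate(values, 1):
        parts.append(ber_int(tag_no))
        parts.append(ber_int(value) if isinstance(value, int) else ber_octets(value))
    return ber_seq(*parts)


if __name__ == "__main__":
    print("control value for V4:", stats_control_value(5).hex())
    for name, value in decode_stats_v3(sample_v3_response()).items():
        print("  %s: %s" % (name, value))
```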

      These are the Statistics returned by a Windows 2019 server with the Value set to 1:

      Search Stats:
        Thread Count: 1
        Call Time (ms): 0
        Entries Returned: 3
        Entries Visited: 4
        Filter: ( & (objectClass=user) (name=gary*) ) 
        Index: idx_name:4:N;
        Pages Referenced: 126
        Pages Read: 0
        Pages Pre-Read: 0
        Clean Pages Modified: 0
        Dirty Pages Modified: 0
        Log Records Generated: 0
        Log Records Bytes Generated: 0

      These are the Statistics returned by the same query, with the Value set to 5

      Search Stats:
        Thread count: 1
        Call time (in ms): 0
        Entries Returned: 0
        Entries Visited: 0
        Used Filter: ( & (objectClass=user) (name=gary*) ) 
        Used Indexes: idx_name:4:N;
        Pages Referenced: 27
        Pages Read From Disk: 0
        Pages Pre-read From Disk: 0
        Clean Pages Modified: 0
        Dirty Pages Modified: 0
        Log Records Generated: 0
        Log Record Bytes Generated: 0
        Indices required to optimize: 
        Query optimizer state: ( & (objectClass=user:878204) (name=gary*:4) ) 
        Atq Delay: 0
        CPU Time: 0
        Search Signature: b4cce897-7577-b624-5d18-2f5a9e90754f
        Memory Usage: 26744
        JET LV Read: 0
        JET LV Created: 0
        Total call time (in ms): 0
        Total CPU time: 0
        Number of retries: 0
        Correlation ID: e2a4641a-0714-44cc-b1bf-a0b0ca8e055c
        Links Added: 0
        Links Deleted: 0

      These are the various Stats data lists:

      StatsResponseValueV1 ::= SEQUENCE {
        threadCountTag            INTEGER,
        threadCount               INTEGER,
        coreTimeTag               INTEGER,
        coreTime                  INTEGER,
        callTimeTag               INTEGER,
        callTime                  INTEGER,
        searchSubOperationsTag    INTEGER,
        searchSubOperations       INTEGER
      }

      StatsResponseValueV2 ::= SEQUENCE {
        threadCountTag        INTEGER,
        threadCount           INTEGER,
        callTimeTag           INTEGER,
        callTime              INTEGER,
        entriesReturnedTag    INTEGER,
        entriesReturned       INTEGER,
        entriesVisitedTag     INTEGER,
        entriesVisited        INTEGER,
        filterTag             INTEGER,
        filter                OCTET STRING,
        indexTag              INTEGER,
        index                 OCTET STRING
      }

      StatsResponseValueV3 ::= SEQUENCE {
        threadCountTag        INTEGER,
        threadCount           INTEGER,
        callTimeTag           INTEGER,
        callTime              INTEGER,
        entriesReturnedTag    INTEGER,
        entriesReturned       INTEGER,
        entriesVisitedTag     INTEGER,
        entriesVisited        INTEGER,
        filterTag             INTEGER,
        filter                OCTET STRING,
        indexTag              INTEGER,
        index                 OCTET STRING,
        pagesReferencedTag    INTEGER,
        pagesReferenced       INTEGER,
        pagesReadTag          INTEGER,
        pagesRead             INTEGER,
        pagesPrereadTag       INTEGER,
        pagesPreread          INTEGER,
        pagesDirtiedTag       INTEGER,
        pagesDirtied          INTEGER,
        pagesRedirtiedTag     INTEGER,
        pagesRedirtied        INTEGER,
        logRecordCountTag     INTEGER,
        logRecordCount        INTEGER,
        logRecordBytesTag     INTEGER,
        logRecordBytes        INTEGER
      }

      StatsResponseValueV4 ::= SEQUENCE OF SEQUENCE {
        statisticName         OCTET STRING,
        CHOICE {
          intStatistic    [0] INTEGER,
          stringStatistic [1] OCTET STRING
        }
      }
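As an added example (not NetTools code), the following Python decodes a StatsResponseValueV4 control value using the definition above: a SEQUENCE OF SEQUENCE of a statistic name and a [0] INTEGER or [1] OCTET STRING choice. The BER helpers are hand-rolled, and the byte string is constructed from a few lines of the Value=5 output above rather than captured from a domain controller.

```python
# Added example (not NetTools code): decode a StatsResponseValueV4 control value, i.e.
# SEQUENCE OF SEQUENCE { statisticName OCTET STRING, CHOICE { [0] INTEGER, [1] OCTET STRING } }.
SEQUENCE, OCTET_STRING, INT_STAT, STR_STAT = 0x30, 0x04, 0x80, 0x81  # 0x80/0x81 = context tags [0]/[1]

def ber_tlv(tag, body):  # encode one BER TLV with a definite length (only used to build the sample)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def ber_int(v):  # minimal two's-complement INTEGER body
    return v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)

def ber_read(buf, pos):
    """Read the TLV at buf[pos]; return (tag, body, next_pos), rejecting truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        nbytes = length & 0x7F
        if not 0 < nbytes <= 4 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV body")
    return tag, buf[pos:pos + length], pos + length

def decode_stats_v4(data):
    """Return {statisticName: int | str} for a StatsResponseValueV4 control value."""
    tag, body, end = ber_read(data, 0)
    if tag != SEQUENCE or end != len(data):
        raise ValueError("expected one outer SEQUENCE")
    stats, pos = {}, 0
    while pos < len(body):
        tag, item, pos = ber_read(body, pos)
        ntag, name, p = ber_read(item, 0)
        vtag, value, p = ber_read(item, p)
        if tag != SEQUENCE or ntag != OCTET_STRING or vtag not in (INT_STAT, STR_STAT) or p != len(item):
            raise ValueError("malformed statistic entry")
        stats[name.decode("utf-8", "replace")] = (int.from_bytes(value, "big", signed=True)
                                                 if vtag == INT_STAT else value.decode("utf-8", "replace"))
    return stats

def build_sample():
    """Constructed sample mirroring a few lines of the Value=5 output above (not a real capture)."""
    entries = [("Thread count", 1), ("Pages Referenced", 27), ("Memory Usage", 26744),
               ("Used Filter", "( & (objectClass=user) (name=gary*) )"), ("Used Indexes", "idx_name:4:N;")]
    items = b"".join(ber_tlv(SEQUENCE, ber_tlv(OCTET_STRING, n.encode()) +
                             (ber_tlv(INT_STAT, ber_int(v)) if isinstance(v, int) else ber_tlv(STR_STAT, v.encode())))
                     for n, v in entries)
    return ber_tlv(SEQUENCE, items)
```

A real V4 response carries twenty or more statistics and therefore exceeds 127 bytes, which is why the decoder handles long-form lengths; truncated or unexpected input raises rather than returning partial figures.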

      Process Flow for LDAP Search

      This is a quick article that shows the process flow of the LDAP Search feature.  The LDAP Search feature consists of a number of functions that are used to execute the query and display the results.  The main function collects and validates the user inputs, connects to the server and executes the query; a sub function then displays the results and completes any attribute updates.  The process shown below starts when the user presses the Go button to execute the query.

      How To: Display what members were removed from a group

      Features shown are only available in NetTools v1.29.11 or later

      In this post we look at how to show which members, e.g. users, computers or groups, have been removed from a group.  Within NetTools this is a simple task using the AD Properties dialog: the Members tab shows the current members of the group and also which objects have been removed and when, as shown in the screenshot below.

      To understand how NetTools is able to display this information, we need to look at the msDS-ReplValueMetaData attribute of the group. This attribute contains the replication metadata for each value of a linked attribute of the object. We can view the details of the attribute in the Meta Data dialog, which can be opened from the AD Properties dialog using the Meta Data button or from the various context menus within NetTools.

      Here is the Meta Data dialog for the same group shown above.  The top section of the dialog shows the details of the msDS-ReplAttributeMetaData attribute, which stores the replication details for the attributes of the object; the lower section shows the metadata from the msDS-ReplValueMetaData attribute, which holds the replicated values of attributes that have the Object(DS-DN) data type, e.g. member.

      In this example you can see the list of changes that have been made to the member attribute of the object.  Each change to the member attribute is listed as a separate line, and each line includes Originated, Create and Delete time columns.  The Create and Delete columns record when an item was added to or removed from the attribute.  When an item is added, only the created time is populated; when the item is subsequently removed, both the create and delete times are set.  The created time is retained so that AD replication remains consistent.  The NetTools AD Properties dialog enumerates the msDS-ReplValueMetaData entries and displays those that have the deleted time set in the Removals section of the Members tab.
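The same selection NetTools makes, as an added example that is not NetTools code: each msDS-ReplValueMetaData value is an XML document, and an entry whose delete time is set is a removal. The element names used here (pszAttributeName, pszObjectDn, ftimeCreated, ftimeDeleted and so on) are assumed to follow the DS_REPL_VALUE_META_DATA structure, the "never deleted" marker is assumed to be the zero FILETIME 1601-01-01T00:00:00Z, and the two sample values are constructed.

```python
# Added example (not NetTools code): list removed members from a group's msDS-ReplValueMetaData
# values. Element names are ASSUMED to follow the DS_REPL_VALUE_META_DATA structure and an entry
# that was never deleted is ASSUMED to carry the zero FILETIME 1601-01-01T00:00:00Z in ftimeDeleted.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NEVER = datetime(1601, 1, 1, tzinfo=timezone.utc)  # zero FILETIME as rendered in the XML

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_value_metadata(xml_text):
    """Return a dict for one msDS-ReplValueMetaData value (one replicated value of one attribute)."""
    root = ET.fromstring(xml_text)
    if root.tag != "DS_REPL_VALUE_META_DATA":
        raise ValueError("unexpected root element %r" % root.tag)
    return {
        "attribute": root.findtext("pszAttributeName"),
        "dn": root.findtext("pszObjectDn"),
        "version": int(root.findtext("dwVersion")),
        "originated": _ts(root.findtext("ftimeLastOriginatingChange")),
        "created": _ts(root.findtext("ftimeCreated")),   # kept even after removal, as the article notes
        "deleted": _ts(root.findtext("ftimeDeleted")),
        "originating_dsa": root.findtext("pszLastOriginatingDsaDN"),
    }

def removed_members(values, attribute="member"):
    """Entries of `attribute` with the delete time set: the Removals section of the Members tab."""
    rows = [parse_value_metadata(v) for v in values]
    return sorted((r for r in rows if r["attribute"] == attribute and r["deleted"] != NEVER),
                  key=lambda r: r["deleted"])

def _sample(dn, created, deleted, version, originated):  # constructed sample value, not a DC capture
    return ("<DS_REPL_VALUE_META_DATA><pszAttributeName>member</pszAttributeName>"
            f"<pszObjectDn>{dn}</pszObjectDn><dwVersion>{version}</dwVersion>"
            f"<ftimeDeleted>{deleted}</ftimeDeleted><ftimeCreated>{created}</ftimeCreated>"
            f"<ftimeLastOriginatingChange>{originated}</ftimeLastOriginatingChange>"
            "<uuidLastOriginatingDsaInvocationID>00000000-0000-0000-0000-000000000000"
            "</uuidLastOriginatingDsaInvocationID><usnOriginatingChange>0</usnOriginatingChange>"
            "<usnLocalChange>0</usnLocalChange><pszLastOriginatingDsaDN>CN=NTDS Settings,CN=DC1,"
            "CN=Servers,CN=Site,CN=Sites,CN=Configuration,DC=example,DC=com</pszLastOriginatingDsaDN>"
            "</DS_REPL_VALUE_META_DATA>")

SAMPLE_VALUES = [  # alice is a current member; bob was added and later removed
    _sample("CN=alice,OU=Users,DC=example,DC=com", "2024-01-10T09:00:00Z", "1601-01-01T00:00:00Z", 1, "2024-01-10T09:00:00Z"),
    _sample("CN=bob,OU=Users,DC=example,DC=com", "2024-01-10T09:00:00Z", "2024-03-02T16:30:00Z", 2, "2024-03-02T16:30:00Z"),
]
```

The created time survives on the removed entry, so a removal always shows both the add and the remove time, exactly as the Create and Delete columns above do.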

      Also See:
      NetTools Basics
      NetTools AD Properties Dialog
      How Group Changes Works
      Display when members were added or removed from a group