NetTools V1.28.0

NetTools V1.28.1 - minor fix in LDAP Browser

General
NetTools no longer uses the ADSI APIs; all queries against AD now use only the LDAP API. This provides a small performance increase but, more importantly, consistency across all features.
The toolbar is now always displayed at the top of NetTools and by default includes buttons for navigation, Connection Profiles, Resolver, Help and quick search; Pin items are displayed to the right of these buttons.

Connection Profiles  *** New ***
With previous versions of NetTools, the current user's credentials and the domain join information of the workstation running NetTools were used to authenticate and to select the directory that would be interrogated, and only a few features supported the use of different credentials via the Use LDAP Search Credentials option.  This version introduces a new feature called Connection Profiles, which adds the capability to define the server connection and credentials that will be used by the tests and features, and provides a common method to define and access the AD across all tests.  See Connection Profiles.

Circular References  *** New ***
A new feature to test if there are any infinite loops in your group memberships. See Circular References

Resolver *** New ***
A quick way to search for a single item or multiple items: just copy and paste a single item or a list of items that you want to find, and it will search the AD for the items and display whether or not they exist in the directory.  The pasted list can contain displayname, samaccountname, DN, SID, UPN, or email address values.  See Resolver

AD Properties Dialog
Added an extra tab to display the TokenGroups for user and computer objects

AD Site ISTG
A complete rewrite of the function from ADSI to LDAP API

Compare Objects
Updated to include the NTSecurityDescriptor attribute 

LDAP Browser
Added an additional feature to display the attribute values as a hex dump
Fixed issue with the filter limiting the number of items displayed (v1.28.1)

LDAP Search
Table view context menu updated to include a Use Column With option, so the data in the column can be used with the common dialogs
Removed the Credential option; you now use Connection Profiles to specify different credentials and authentication methods
Updated Tab views so selected items count on the status bar is updated when a tab is selected

SCP 
A complete rewrite of the function from ADSI to LDAP API

NetTools V1.27.7

General
A new Pin context menu option is available in the left hand option selector, which is used to create shortcut buttons for your commonly used options.  See Basics
The default Copy to clipboard shortcut key has been changed to Ctrl-C, to align with the standard copy and paste keys. Now, in any of the table views, if one or more rows are selected and Ctrl-C is pressed, the contents of the column directly under the cursor are copied to the clipboard

AD Properties
Updated to display the Kerberos DES-CBC-CRC, DES-CBC-MD5 and RC4 encryption options
Updated to use the LDAP enum decode function so attribute decodes are common across all dialogs 

Compare Objects
Added a Compare Values context menu option which displays a visual side by side comparison of the values with the difference highlighted. See Compare Objects

LDAP Browser
Fixed bug in LDAP browser, where intermittently it would display the attribute values twice

LDAP Search
Updated the LDAP Session options to fix a bug with the GetDsName flags
Updated enums to support LargeInteger (int64) values
Updated the MsExchRecipientTypeDetails, msExchRemoteRecipientType, msExchModerationFlags, and MsExchRecipientDisplayType enums with O365 values
Updated the OmSyntax enums values 
Added new Base64 Decode Type, to allow attribute values to be output in base64 format

RID Pool
Added an extra column to display the number of RIDs that are left in the pool for each domain controller

NetTools v1.27.0

Compare Objects  *** New ***
A new option to compare two objects, or the changes that have been made to a single object based on a previous snapshot. See Compare Objects

LDAP Browser  *** New ***
I've copied the LDAP Browser feature from the LDAP Search option and added it as its own item in the left hand pane. See LDAP Browser

AD Properties Dialog
Updated to display AES128 and AES256 encryption options

Attribute Replication
Added option to check attribute replication for objects in the global catalog context

Find Trustee
Fixed intermittent exception error when checking for ownership permissions

LDAP Search
Added a tab output option, so the results from each query are displayed on a new tab
Added enum decodes for msDs-SupportedEncryptionTypes
Updated the conditional attributes function so that meta data information is supported for both variables and results.
    e.g.   Validate;{if: meta.time.unicodepwd == pwdlastset : "Valid" : "Error"}

How To: Check that a user has actually changed their password

This is in response to a query raised on the ActiveDir.org mailing list about how to check if a user has actually changed their password, rather than just toggled the pwdlastset attribute to make it look like they have.   When a user changes their password a number of attributes are updated as a result of the password change; these include dbcspwd, lmpwdhistory, ntpwdhistory, pwdlastset, supplementalcredentials, and unicodepwd.  To determine whether the password has actually been changed, we have to look at the meta data for the object and check the last change date of the unicodepwd attribute, which contains the hash of the user's password.

NetTools provides a couple of ways to view the meta data of an object: via the Meta Data dialog, by running an LDAP query, or, in this use case, via the Last Logon option, which will display all the details required.

For a single user the Last Logon option will display both the pwdlastset and change date for the unicodepwd in the meta time column. This screenshot shows the results of a normal account password change, both the pwdlastset and meta time are the same.

For this user the pwdlastset has been toggled, and it shows that the pwdlastset and meta data times don't match.

You can view the meta data of an object via the Meta Data Dialog; this option is provided throughout NetTools as a context menu option called Meta Data.  The easiest place to demonstrate this is the User Search option: search for the account in question, then right click on the user and select Meta Data from the context menu.

This shows an account that has had its password changed.

This shows that the pwdlastset has changed but the other attributes have not changed, which is caused by the pwdlastset being toggled.

The above options are for single accounts, but it is also possible to check multiple accounts at once.  The LDAP Search option includes an option to return meta data as if it were an attribute of the object.  This is done using the meta option in the attributes field.  We can use the Input Mode of the LDAP Search to provide a list of the samaccountnames to check.

In this example we are checking the details of the five user accounts, and it shows that user1 meta data doesn't match the pwdlastset date and time.

Here is the favorite for the above query; see Favorites on how to import it.

[PwdLastSet Meta Data]
Options=880030209675869
Server=
BaseDN=##default
Filter=(&(objectclass=user)(samaccountname=##input))
Attributes=meta.time.unicodepwd, pwdlastset
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

With the introduction of v1.27, there is a new query option that can be used to simplify this task.  In v1.27 the conditional attributes have been extended to support meta data queries.  This means we can do the checking in the query itself without any additional post-query work.

[PwdLastSet Meta Data]
Options=880030209675869
Server=
BaseDN=##default
Filter=(&(objectclass=user)(samaccountname=##input))
Attributes=samaccountname, Pwd_Change;{if:meta.time.unicodepwd;date!=pwdlastset:"Invalid":"Valid"}
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,
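The check the two saved queries above perform (compare the unicodepwd meta data time with pwdlastset) can also be done outside NetTools once the meta data has been retrieved. The following is an added example, not NetTools code: it assumes the meta data comes from the constructed attribute msDS-ReplAttributeMetaData, whose XML values carry pszAttributeName and ftimeLastOriginatingChange, and the two user records are constructed sample data. It returns the same "Valid"/"Invalid" verdicts as the Pwd_Change conditional attribute and also lists which password attributes moved without unicodepwd moving, which is the toggle signature the screenshots show.

```python
"""Added example (not NetTools code): was the password really changed, or was
pwdLastSet merely toggled?  Assumptions (mine, not the article's): metadata is
the XML returned by msDS-ReplAttributeMetaData; sample records are constructed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Attributes a genuine password change rewrites, as listed in the article.
PASSWORD_ATTRS = ("dBCSPwd", "lmPwdHistory", "ntPwdHistory", "pwdLastSet",
                  "supplementalCredentials", "unicodePwd")


def filetime_to_datetime(filetime: int) -> datetime:
    """pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_metadata(xml_text: str) -> dict:
    """Map attribute name -> last originating change (UTC) from the metadata XML."""
    changes = {}
    for item in ET.fromstring(xml_text).iter("DS_REPL_ATTR_META_DATA"):
        name = item.findtext("pszAttributeName")
        stamp = item.findtext("ftimeLastOriginatingChange")  # e.g. 2024-01-05T09:30:00Z
        changes[name] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return changes


def password_change_status(pwd_last_set: int, metadata: dict, tolerance_s: int = 5) -> str:
    """'Valid' when unicodePwd's originating change coincides with pwdLastSet,
    'Invalid' otherwise (pwdLastSet toggled, or never set).  The metadata time has
    one-second resolution while pwdLastSet has 100 ns, hence the small tolerance."""
    if pwd_last_set == 0 or "unicodePwd" not in metadata:
        return "Invalid"
    gap = abs((filetime_to_datetime(pwd_last_set) - metadata["unicodePwd"]).total_seconds())
    return "Valid" if gap <= tolerance_s else "Invalid"


def toggled_attributes(metadata: dict) -> list:
    """Password attributes changed more recently than unicodePwd.  A genuine change
    returns []; a toggle returns ['pwdLastSet'] because only that attribute moved."""
    anchor = metadata.get("unicodePwd")
    return [a for a in PASSWORD_ATTRS
            if anchor is not None and a in metadata and metadata[a] > anchor]


def _fragment(name: str, stamp: str) -> str:
    return (f"<DS_REPL_ATTR_META_DATA><pszAttributeName>{name}</pszAttributeName>"
            f"<ftimeLastOriginatingChange>{stamp}</ftimeLastOriginatingChange>"
            "</DS_REPL_ATTR_META_DATA>")


# Constructed sample: user1 had pwdLastSet toggled, user2 really changed the password.
SAMPLE_METADATA = {
    "user1": "<root>"
             + "".join(_fragment(a, "2023-10-12T14:00:00Z") for a in PASSWORD_ATTRS if a != "pwdLastSet")
             + _fragment("pwdLastSet", "2024-02-01T08:00:00Z") + "</root>",
    "user2": "<root>" + "".join(_fragment(a, "2024-01-05T09:30:00Z") for a in PASSWORD_ATTRS) + "</root>",
}
SAMPLE_PWDLASTSET = {
    "user1": datetime_to_filetime(datetime(2024, 2, 1, 8, 0, tzinfo=timezone.utc)),
    "user2": datetime_to_filetime(datetime(2024, 1, 5, 9, 30, tzinfo=timezone.utc)),
}


def check_user(sam: str) -> str:
    return password_change_status(SAMPLE_PWDLASTSET[sam], parse_metadata(SAMPLE_METADATA[sam]))


if __name__ == "__main__":
    for sam in SAMPLE_METADATA:
        meta = parse_metadata(SAMPLE_METADATA[sam])
        print(sam, check_user(sam), toggled_attributes(meta))
```

Only the originating change time of unicodePwd is trusted here; pwdLastSet on its own is exactly the value the toggle trick manipulates, which is why the article's query compares the two rather than reading pwdLastSet alone.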


Related Articles
User Search
LDAP Search
LDAP Search Input Mode
Meta Data Dialog
Troubleshoot account lockouts
Favorites

How To: Find Active Accounts

Finding which accounts are active should be simple; however, there are numerous ways to define whether an account is active or not.  There is the simple method of checking if the accounts are enabled or not, but things get more complicated quickly after that, e.g. when was the account last used, has the account expired, has the account ever been used.

This article provides a number of sample LDAP queries that can be used to determine if accounts are active or not, and you can combine these queries to generate a more complex query to meet your requirements.  The first part of the article shows fragments of the query and the last section shows how to combine these to create the final query.

Account Enabled
In AD, whether an account is enabled is based on a value stored in the UserAccountControl attribute; however, the attribute uses bit flags to represent a number of different settings, so you can't check for a specific value.  Details of the attribute can be found here. The second bit of UserAccountControl indicates whether the account is disabled: when not set (0) the account is enabled, when set (2) the account is disabled.  Using a matching rule OID we can check the status of the individual bits in the attribute, i.e. (useraccountcontrol:1.2.840.113556.1.4.802:=2).  The NetTools substitutions simplify the entry of matching rules to a single character. See Substitutions.

Account is disabled          (useraccountcontrol|=2)    
Account is enabled           (!useraccountcontrol|=2)

Account Expired
Accounts can be set to automatically expire after a specified date, after which point the user will no longer be able to logon.  The date is stored in the AccountExpires attribute, which uses a 64 bit integer to store the date.  To add to the complexity, the attribute can contain more than just a date: if it is not set, or contains 0 (zero) or 9223372036854775807, then the account is not set to expire.  So a query checking for expiry has to check for all the possible values to confirm if the account is active or not. Again the use of substitutions can simplify the entry of the Int64 date.

Account Expired            (&(!accountExpires={-1:})(!accountExpires=0)(accountExpires<={idate:now})) 
Account not Expired     (|(!accountExpires=*)(accountExpires={-1:})(accountExpires=0)(accountExpires>={idate:now}))  

Last Logon
Most account audits state that if an account has not been used for a set period of time, the account should be considered inactive.  The last time the user logged on is stored in the LastLogon attribute; however, this attribute is not replicated between domain controllers, so to use it you have to collect the LastLogon attribute from all domain controllers to determine the last logon.  There is another attribute that is replicated between domain controllers, called LastLogonTimeStamp; however, this attribute has a specific replication cycle, which means that it may not contain the most recent logon date (more details here), but it is usually close enough for most cases.  Again this attribute uses a 64 bit integer to store the date.

Not logged on for 60 days        (lastlogontimestamp<={idate:now-60})
Logged on in the last 30 days   (lastlogontimestamp>={idate:now-30})

Password Changes
In some cases the lastLogon or the LastLogonTimeStamp will not be updated when a user logs on; these cases are normally associated with LDAP simple binds or access through SharePoint.  Another method to determine if an account is still being used is to check the last time the user's password was changed; this assumes that the account's password expires.

Password change in the last 60 days     (pwdlastset>={idate:now-60})

Unused New Accounts
In this scenario an account has been created but has not been used since it was created.  Which query should be used to find these accounts depends on the user provisioning process: whether the user is required to change their password at first logon (scenario 1) or not (scenario 2).  If the user is required to change their password, then we check when the password was changed; if not, we check whether the lastlogontimestamp has been set.

Scenario 1
Not used in the last 60 days            (&(whencreated>={zdate:now-60})(pwdlastset=0))
Has been used in the last 60 days    (&(whencreated>={zdate:now-60})(pwdlastset>={idate:now-60}))

Scenario 2
Not used in the last 60 days                          (&(whencreated>={zdate:now-60})(!lastlogontimestamp=*))
Created in the last 60 days and been used    (&(whencreated>={zdate:now-60})(lastlogontimestamp=*))

Type of Accounts and indices
When creating queries it's best to create a query that limits the number of objects that need to be searched and the number of attributes that are returned.  Building a query using attributes that are indexed will increase the performance of the query, reduce the load on the server executing the query, and reduce the amount of network traffic generated (see this Microsoft article for details). Some of the queries shown above use attributes that are not indexed, so using these queries in the format shown could be very inefficient.  Limiting the queries to only search for specific object types, i.e. only user accounts or computer accounts, will significantly increase the performance of the query, and the more indices that are used the better.

Users account               (&(objectCategory=user)(objectclass=user))
Computer Accounts      (&(objectCategory=computer)(objectclass=computer))

Combined Queries
This section shows how a number of the above query fragments can be combined to create the full query:

Find active user accounts:
 (&(objectCategory=user)(objectclass=user)(!useraccountcontrol|=2))

Find disabled user accounts
 (&(objectCategory=user)(objectclass=user)(useraccountcontrol|=2))

Find active accounts, that have not expired
 (&(objectCategory=user)(objectclass=user)(!useraccountcontrol|=2)(|(!accountExpires=*)(accountExpires={-1:})(accountExpires=0)(accountExpires>={idate:now})))

Find all inactive accounts, including expired, password not changed or logon in the last 60 days
(&(objectCategory=user)(objectclass=user) (!useraccountcontrol|=2)(lastlogontimestamp<={idate:now-60})(pwdlastset>={idate:now-60})(&(!accountExpires={-1:})(!accountExpires=0)(accountExpires<={idate:now})))
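The fragments above rely on the NetTools substitutions ({idate:now-60}, {zdate:now-60}, {-1:} and the |= matching rule shorthand), so they cannot be pasted into another LDAP client as they stand. The following is an added example, not NetTools code, that expands those tokens into a plain LDAP filter; the token meanings are my reading of this article, the bit-AND matching rule 1.2.840.113556.1.4.803 is used for the |= shorthand (for a single-bit test it gives the same result as the bit-OR rule 1.2.840.113556.1.4.802 quoted above), and "now" is fixed to a constructed date so the output is reproducible. It also builds one combined "active users" filter of my own from the fragments, ORing the logon and password evidence.

```python
"""Added example (not NetTools code): expand NetTools substitution tokens into a
plain LDAP filter.  Token syntax and meanings are my reading of the article."""
import re
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
INT64_NEVER = 9223372036854775807         # accountExpires value meaning "never expires"
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed reference point


def to_filetime(dt: datetime) -> int:
    """Int64 date as AD stores it: 100-ns ticks since 1601-01-01 UTC ({idate:...})."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def to_generalized_time(dt: datetime) -> str:
    """LDAP generalized time as used by whenCreated ({zdate:...})."""
    return dt.strftime("%Y%m%d%H%M%S.0Z")


_DATE_TOKEN = re.compile(r"\{(idate|zdate):now(?:-(\d+))?\}")   # {idate:now}, {zdate:now-60}
_BIT_TOKEN = re.compile(r"\((!?)([A-Za-z0-9-]+)\|=(\d+)\)")      # (attr|=2), (!attr|=2)


def expand(filter_text: str, now: datetime = NOW) -> str:
    """Replace every NetTools token in filter_text with its literal LDAP form."""
    def date_token(m):
        dt = now - timedelta(days=int(m.group(2) or 0))
        return str(to_filetime(dt)) if m.group(1) == "idate" else to_generalized_time(dt)

    out = _DATE_TOKEN.sub(date_token, filter_text)
    out = out.replace("{-1:}", str(INT64_NEVER))
    out = _BIT_TOKEN.sub(lambda m: f"({m.group(1)}{m.group(2)}:{BIT_AND_RULE}:={m.group(3)})", out)
    return out


def balanced(filter_text: str) -> bool:
    """Cheap sanity check before sending a hand-built filter: parentheses must nest."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


USER_SCOPE = "(objectCategory=user)(objectclass=user)"
NOT_EXPIRED = ("(|(!accountExpires=*)(accountExpires={-1:})(accountExpires=0)"
               "(accountExpires>={idate:now}))")


def active_users_filter(days: int = 60, now: datetime = NOW) -> str:
    """My own combination (not one of the article's): enabled, not expired, and either
    a replicated logon or a password change within the last `days` days."""
    recent = f"(|(lastlogontimestamp>={{idate:now-{days}}})(pwdlastset>={{idate:now-{days}}}))"
    return expand(f"(&{USER_SCOPE}(!useraccountcontrol|=2){NOT_EXPIRED}{recent})", now)


if __name__ == "__main__":
    for frag in ("(!useraccountcontrol|=2)", "(lastlogontimestamp<={idate:now-60})",
                 "(whencreated>={zdate:now-60})", "(accountExpires={-1:})"):
        print(frag, "->", expand(frag))
    print(active_users_filter())
```

Because lastLogonTimestamp lags the real last logon by up to its replication interval, the expanded "now-60" threshold is conservative in the inactive direction: an account can be classed inactive a few days late, but not early.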

NetTools includes a number of predefined queries covering user accounts, see Predefined Queries

See Favorites for more examples

How To: Find what Schema updates have been performed

The AD schema can be extended by installing additional schema extensions, which add additional classes and/or attributes.  There is no built-in method to determine what schema extensions have been installed.  NetTools, however, does have an option to display the schema updates that have been added to the AD.

The Schema History option uses the WhenCreated attribute to determine when changes were made to the AD, and then uses its internal database to try to retrieve the name of the update based on which attributes or classes were added.

See Schema History List

How To: Find which DCs have the FSMO roles

You don't have to work with AD for very long before you need to know or find out which domain controller is hosting a certain FSMO role, e.g. for schema updates, or to troubleshoot password issues etc.  Luckily NetTools is able to display all the FSMO roles with just two clicks.

The Site DC List option in NetTools will display the FSMO roles for all the domain controllers in the forest.

Key for the Roles:

G - Global Catalog
D - Domain Master
I - Infrastructure Master
P - PDC Master
R - RID Master
S - Schema Master

How To: Find the DN of an object

In Active Directory every object has a unique identifier, a DN or Distinguished Name. This is used by a number of different tools and services to reference the object, so being able to find the DN of an object is a basic task that is required when managing Active Directory.

In NetTools there are numerous options to find or display the DN of objects. Here are a few of them:

User Search -  will return a number of common details for the items found, including the DN in the distinguishedName column.  The DN can be copied using the right click context menu.

ACL Browser - you are able to browse the directory and display the structure in the left hand pane; the right click context menu has an option to copy the DN of the selected object.

GPO Explorer - you are also able to browse the directory, and the contents tab will show the objects in the selected OU or container.  There is a DN column in the table of the contents tab which has the DN of the objects.

Output Tables
The table outputs for a number of options include the DN of the objects returned, the column is normally called DN, this can be copied using the right click context menu.

AD Properties - is a context menu item available throughout NetTools.  The AD Properties dialog has a similar format to the properties dialog in the AD Users & Computers management console; there is a tab called Object which has the DN of the object.

AD Attributes - is another context menu item that is available; this dialog will display all the attributes on an object, and the distinguishedName attribute is also displayed.

NetTools V1.26.0

Group Changes  ** New **
An audit function to show the group membership changes for the specified user.  See Group Changes

ACL Browser
Added the List Objects permission to the properties list view
Changed the default behavior when changing between ACLs so any column sort orders are removed, and ACEs are displayed in the order they appear in the ACL.
Changed the first column to include the ACL Index number

Attribute Replication
Fixed a scope issue so the attributes in the root object can be checked

Copy to new Window
Added a context menu option to open a new window with the list of unique column details
Now supports the Dynamic and Sort column sorts

Extended Rights
Fixed bug where GUID was not displayed

General
Added help button on each page which links back to the NetTools website for more information

Group Manager
Added support for email/UPN in user input
Added Select All/Deselect All context menu options

LDAP Browser
Fixed indexing error when browsing a directory via the global catalog

LDAP Search
The current filter is now displayed in the text pane for each iteration of the query when in Input Mode

Last Logon Time
Added extra column for PwdLastSet 

Meta Data
Removed the 1000 item display limit on replication details.

Overlapping Subnets
Updated the display, adding green and yellow indicators to show if the IP address range is assigned to different sites

Rights
Added context menu option to request a privilege

Schema Browser
Added the Index column to show if an attribute is Indexed or not

How To: Check if workstations are still active

There are a number of different ways to check if an AD domain-joined workstation is still being used or active in the environment.   This article provides a couple of different approaches depending on the number of workstations or the type of information required. All approaches are based on the standard assumption that an active workstation will update the pwdlastset, lastlogon and lastlogontimestamp attributes while connected to the domain/network.

Which attribute you use to validate if the workstation is still active will depend on the configuration of the AD:

PwdLastSet – this will change each time the workstation changes its password, and this change is replicated to all domain controllers, so the time reported by one domain controller will be the same on all.  The frequency at which the password is changed is controlled by the Domain Member: Maximum machine account password age and Domain Member: Disable machine account password changes GPO settings.  The default maximum password age is 30 days; however, if the password update is disabled, then the PwdLastSet attribute will not change.  Also, in some scenarios, if the workstation is used remotely and not connected to the network for long periods of time, then the pwdlastset will not be updated.

LastLogon – this is the last time that the workstation logged on, however, this attribute is not replicated between domain controllers and you have to retrieve the attribute from all the domain controllers to get the last logon time.  As with the PwdLastSet attribute, if the workstation is used remotely for long periods of time, this attribute may not be updated.

LastLogonTimeStamp – this attribute is also replicated between domain controllers; however, the replication of this attribute doesn't happen every time the workstation logs on. By default it will be updated every 14 days (details here), so if 14 days is close enough then this is the best attribute to use.

Single Workstation:

The quickest method is to search for the workstation using the Search option under Users to find the workstation's object in AD; from there, right click on the required workstation and from the context menu select Use With -> Last Logon.  All three attributes are displayed in the one view. The Last Logon column displays the lastlogon attribute from each of the domain controllers in the domain; sort this column to find the most recent logon time. The lastlogontimestamp and pwdlastset will be the same across all servers.

Another method to check for activity, not specifically based on the lastlogon attribute, is to use the object's Meta Data to get the list of attributes that have been changed, and then compare the time the changes were made to confirm if the workstation is still active.  To display the Meta Data for an object, complete the search as described above, select Meta Data from the context menu, and then sort the form based on the time column. The relevant attributes are dBCsPwd, lmPwdHistory, ntPwdHistory, pwdLastSet, supplementalCredentials and unicodePwd, which are updated when a password is updated.

Multiple Workstations:

If you want to check the details of a number of workstations, the Last Logon Time option is the easiest option to use.  This option requires a list of the samaccountnames of the workstations; with workstations the samaccountname must include the trailing $ character.  Once the list is pasted into the right hand pane and Go is pressed, it will check each entry against all the domain controllers in the domain and display the latest time recorded across all the domain controllers.

If you require additional information about the workstations other than the lastlogon details, then the LDAP Search is the best option. The saved query below uses Input Mode to return the details: you paste a list of workstations into the Input pane and it returns any information you require about the workstations, including Operating System, Version, etc.

[Active Workstations]
Options=879892770722397
Server=
BaseDN=##default
Filter=(&(objectclass=computer)(samaccountname=##input))
Attributes=lastLogon,lastLogonTimestamp,operatingSystem,operatingSystemVersion
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

This example assumes that the workstation samAccountNames include the trailing $; if the filter is changed to the following, the trailing $ is not required:

Filter=(&(objectclass=computer)(samaccountname=##input$))
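Once the saved query above has returned lastLogon from each domain controller plus the replicated lastLogonTimestamp and pwdLastSet, the remaining work is to pick the most recent evidence per workstation and apply an age threshold. The following is an added example, not NetTools code, of that step: lastLogon is held per domain controller and the maximum taken, because it is not replicated; the other two attributes need only one value; 0 or a missing value means never. The workstation records, DC names and timings are constructed sample data, and the helper that appends the trailing $ mirrors the samaccountname rule described above.

```python
"""Added example (not NetTools code): decide whether a workstation is still active
from lastLogon (per DC), lastLogonTimestamp and pwdLastSet.  Sample data constructed."""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed reference point


def to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def from_filetime(ft: int) -> datetime:
    """All three attributes are FILETIME values: 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def workstation_sam(name: str) -> str:
    """Workstation samAccountNames carry a trailing $; add it if the pasted name lacks it."""
    return name if name.endswith("$") else name + "$"


def last_activity(record: dict):
    """Return (most recent evidence time, its source) or (None, 'never').
    record['lastLogon'] maps DC name -> FILETIME as reported by that DC (not replicated,
    so every DC must be asked); lastLogonTimestamp and pwdLastSet are replicated."""
    candidates = [(from_filetime(ft), f"lastLogon@{dc}")
                  for dc, ft in record.get("lastLogon", {}).items() if ft]
    candidates += [(from_filetime(record[attr]), attr)
                   for attr in ("lastLogonTimestamp", "pwdLastSet") if record.get(attr)]
    return max(candidates) if candidates else (None, "never")


def is_active(record: dict, now: datetime = NOW, max_age_days: int = 60) -> bool:
    when, _ = last_activity(record)
    return when is not None and now - when <= timedelta(days=max_age_days)


def days_ago(n: int) -> int:
    return to_filetime(NOW - timedelta(days=n))


# Constructed sample: WS01 logged on to DC1 recently, WS02 is stale everywhere,
# WS03 has never logged on and only carries the password set at join time.
SAMPLE = {
    "WS01$": {"lastLogon": {"DC1": days_ago(2), "DC2": days_ago(45)},
              "lastLogonTimestamp": days_ago(12), "pwdLastSet": days_ago(25)},
    "WS02$": {"lastLogon": {"DC1": days_ago(90), "DC2": days_ago(75)},
              "lastLogonTimestamp": days_ago(80), "pwdLastSet": days_ago(95)},
    "WS03$": {"lastLogon": {"DC1": 0, "DC2": 0},
              "lastLogonTimestamp": 0, "pwdLastSet": days_ago(200)},
}


def report(now: datetime = NOW, max_age_days: int = 60) -> dict:
    """samAccountName -> (active?, attribute that supplied the most recent evidence)."""
    rows = {}
    for sam, rec in SAMPLE.items():
        _, source = last_activity(rec)
        rows[sam] = (is_active(rec, now, max_age_days), source)
    return rows


if __name__ == "__main__":
    for sam, (active, source) in report().items():
        print(sam, "active" if active else "inactive", "via", source)
```

Reporting which attribute supplied the verdict matters in practice: a workstation whose only recent evidence is pwdLastSet may simply be rotating its machine password from a remote network, which is exactly the case the PwdLastSet paragraph above warns about.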

Related Items

Troubleshooting Account Lockouts
User Search
LDAP Search
Input Mode
Favorites