LDAP Search – Populate

The LDAP Search Populate button loads a number of configuration options from the server; these details are then used to enable other features in LDAP Search. This article describes the features that are enabled. The Populate button is shown below.

Server Bar

When the button is pressed, the RootDSE of the server is retrieved and the following details are populated:

  • Sets the ##default, ##config and ##schema variables to the corresponding naming contexts. See LDAP Search Favorites
  • Sets the Server field to the server that provided the RootDSE
  • Sets the BaseDN field to the default naming context from the RootDSE; if the server is not AD, it is set to the first naming context that is not the Configuration NC
  • Instantiates the LDAP API so that filter validation is enabled
  • If the Auto Complete option is enabled, the complete list of attributes is also downloaded from the server and the Attribute List button is enabled
  • The complete lists of attributes and classes are made available in the LDAP Filter Wizard

NetTools v1.25.11

ACL Browser
Updated the ACL\ACE Flags option view to display the raw mask data and the mask after processing, which shows whether any part of the mask was left unprocessed
Trustee Mode updated so that only the ACEs that apply to the trustee are displayed
Trustee Information dialog updated to display the SIDs and associated names for the trustee. It now also includes the ability to add or remove SIDs in a trustee's SID list, so the impact of changing a trustee's permissions can be evaluated

SDProp
Updated SDProp to display the results in a list view
Added an option to trigger the SDProp process
Added a context menu option to reset the ACL and adminCount on the selected users. See SDProp for updated details

LDAP Search 
Updated the LDAP Filter Wizard so that the change function is on a separate button rather than linked to the type selection.
Added a new substitution option, {-1:}, which is replaced with 9223372036854775807 (0x7FFFFFFFFFFFFFFF, the largest signed 64-bit value). A number of attributes use this value to indicate that the function\operation of the attribute is not set, as in the case of accountExpires, e.g. (&(accountexpires=*)(!accountexpires=0)(!accountexpires={-1:})) returns only accounts that have an expiry date set. See LDAP Search Substitutions

Copy to new Window
The Copy to new Window functionality has been updated to include the ability to filter the displayed results based on text and content filters. See Copy to new Window for details

LDAP Favorites

This post provides a number of LDAP Search Favorites for common operations. Copy the text of the query and import it into the favorites; each sample is saved in the favorites list under the name in square brackets. See Favorites for more information.

Inactive Users
Returns a list of users that have not logged on in the last 60 days, excluding accounts created in the last 60 days (an account that has never logged on is only included when it was created more than 60 days ago and still has pwdLastSet=0). Note that lastLogonTimestamp is only rewritten when the existing value is more than 9 to 14 days old, so the result is accurate to within about two weeks.

[Users - Inactive Accounts]
Options=660045
Server=
BaseDN=##default
Filter=(&(objectclass=user)(objectcategory=user)(!useraccountcontrol|=2)(|(lastlogontimestamp<={idate:now-60})(&(whencreated<={zdate:now-60})(pwdlastset=0))))
Attributes=canonicalname, samaccountname, displayname, description, pwdlastset, accountexpires, lastlogontimestamp, msExchShadowDepartment, msExchWhenMailboxCreated, msExchRecipientDisplayType, msExchRecipientTypeDetails, homeMDB
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

Active Accounts
A simple active users query that lists users who have logged on or changed their password in the last 60 days, together with accounts created in the last 60 days where the user has not yet set their password.

[Users - Active Accounts]
Options=660036
Server=
BaseDN=##default
Filter=(&(objectclass=user)(objectcategory=user)(!useraccountcontrol|=2)(|(lastlogontimestamp>={idate:now-60})(pwdlastset>={idate:now-60})(&(whencreated>={zdate:now-60})(pwdlastset=0))))
Attributes=canonicalname, samaccountname, displayname, description, pwdlastset, accountexpires, lastlogontimestamp, msExchShadowDepartment, msExchWhenMailboxCreated, msExchRecipientDisplayType, msExchRecipientTypeDetails, homeMDB
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

Active User with user input
This query is the same as the Active Accounts (More Complex) query further down, but the static 60 days is replaced with a prompt. At execution time a dialog is displayed to enter the Activity Period; in the query the static 60 has been replaced with {userinput:Activity Period (Days)}. This subst is used several times in the query but is only prompted for once, as the first response is cached and reused for subsequent entries with the same label. See Substitutions

[Users - Active Accounts Input]
Options=8590594637
Server=
BaseDN=##default
Filter=(&(objectclass=user)(objectcategory=user)(!useraccountcontrol|=2)(|(lastlogontimestamp>={idate:now-{userinput:Activity Period (Days)}})(pwdlastset>={idate:now-{userinput:Activity Period (Days)}})(&(whencreated>={zdate:now-{userinput:Activity Period (Days)}})(pwdlastset=0)))(|(accountExpires=0)(accountExpires=9223372036854775807)(accountExpires>={idate:now})))
Attributes=canonicalname, samaccountname, displayname, description, pwdlastset, accountexpires, lastlogontimestamp, msExchShadowDepartment, msExchWhenMailboxCreated, msExchRecipientDisplayType, msExchRecipientTypeDetails,accountExpires
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

Active Accounts Count
This is the same as the first Active Accounts query, but it does not display any details of the users, just the count. Attributes=1.1 requests no attributes at all (1.1 is the LDAP no-attributes OID defined in RFC 4511), so only the entry count is returned.

[Users - Active Accounts Count]
Options=8590594628
Server=
BaseDN=##default
Filter=(&(objectclass=user)(objectcategory=user)(!useraccountcontrol|=2)(|(lastlogontimestamp>={idate:now-60})(pwdlastset>={idate:now-60})(&(whencreated>={zdate:now-60})(pwdlastset=0))))
Attributes=1.1
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

Active Accounts (More Complex)
This query builds on the queries above and adds the accountExpires attribute to the check: an account is included only if accountExpires is 0 or 9223372036854775807 (never expires) or the expiry date is still in the future.

[Users - Active Accounts AE]
Options=8590594637
Server=
BaseDN=##default
Filter=(&(objectclass=user)(objectcategory=user)(!useraccountcontrol|=2)(|(lastlogontimestamp>={idate:now-60})(pwdlastset>={idate:now-60})(&(whencreated>={zdate:now-60})(pwdlastset=0)))(|(accountExpires=0)(accountExpires=9223372036854775807)(accountExpires>={idate:now})))
Attributes=canonicalname, samaccountname, displayname, description, pwdlastset, accountexpires, lastlogontimestamp, msExchShadowDepartment, msExchWhenMailboxCreated, msExchRecipientDisplayType, msExchRecipientTypeDetails, homeMDB
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

Disable users
This favorite is an Input Mode Update Query that disables the provided list of sAMAccountNames. It prompts for a change number, which is added to the info field of each user. See Update Queries for more information about update queries.

Warning: This is an Update Query and will make changes to your AD once the update feature is enabled.

[Users - Disable Users]
Options=489626931805
Server=
BaseDN=##default
Filter=(samaccountname=##input)
Attributes=useraccountcontrol=|2:2, info==Account disabled as part of change {userinput:Enter Change Number}\n{attrib:info}
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

AD Tombstone Period
This query displays the current AD tombstone lifetime for deleted\recycled objects. If the tombstoneLifetime attribute is not set, the default of 60 days applies; forests created with Windows Server 2003 SP1 or later populate it with 180 days.

[AD Tombstone Period]
Options=132677
Server=
BaseDN=CN=Directory Service,CN=Windows NT,CN=Services,##config
Filter=(objectclass=*)
Attributes=tombstonelifetime
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

AD Schema Version
This query displays the current AD schema version (the objectVersion attribute of the Schema container).

[Schema Version - AD]
Options=132673
Server=
BaseDN=##schema
Filter=(objectclass=*)
Attributes=objectversion
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

Exchange Schema Version
This query displays the current Exchange schema version (the rangeUpper value of the ms-Exch-Schema-Version-Pt attribute).

[Schema Version - Exchange]
Options=132673
Server=
BaseDN=CN=ms-Exch-Schema-Version-Pt,##schema
Filter=(objectclass=*)
Attributes=rangeupper
Filename=
Authentication=1158
User=
Domain=

OCS Schema Version
This query displays the current OCS\Lync\SfB schema version.

[Schema Version - OCS]
Options=132673
Server=
BaseDN=CN=ms-RTC-SIP-SchemaVersion,##schema
Filter=(objectclass=*)
Attributes=rangeupper,rangelower
Filename=
Authentication=1158
User=
Domain=

Root DSE
This query returns the default attribute set of the RootDSE (the BaseDN is left blank).

[RootDSE]
Options=656901
Server=
BaseDN=NULL
Filter=(objectclass=*)
Attributes=
DisplayFilter=
Filename=
Sort=
Authentication=0
Separator=,

RootDSE (Full)
This query displays both the default and the optional attributes of the RootDSE. The optional ones are operational attributes, which are not returned by * and must be requested by name; which of them exist depends on the DC's OS version and the domain/forest functional level.

[RootDSE (Full)]
Options=132613
Server=
BaseDN=NULL
Filter=(objectclass=*)
Attributes=*,domainControllerFunctionality,domainFunctionality,forestFunctionality,msDS-ReplAllInboundNeighbors,msDS-ReplAllOutboundNeighbors,msDS-ReplConnectionFailures,msDS-ReplLinkFailures,msDS-ReplPendingOps,msDS-ReplQueueStatistics,msDS-TopQuotaUsage,supportedConfigurableSettings,supportedExtension,dsaVersionString,msDS-PortLDAP,msDS-PortSSL,msDS-PrincipalName,serviceAccountInfo,spnRegistrationResult,validfsmos,tokenGroups,usnAtRifm
Filename=
Authentication=1158
Separator=,

NetTools v1.24.4

ACL Browser
Fixed an issue where attribute GUIDs were intermittently not loaded into the cache
LDAP Search
Added an option to display extended error reporting
Updated string substitutions to include {sdate:now} and {sdatetime:now} to display the current date or date and time. Date format is fixed as DD/MM/YYYY.
Updated the copy favorites to clipboard option to copy the settings currently being displayed
Updated favorites to support ##input<n> in the BaseDN field
UNC Check
Updated UNC dropdown to display the MRU UNC path from the Run dialog

LDAP Search – Conditional Attributes

Conditional Attributes allow the user to define the value that is returned based on a true or false condition that is evaluated for each object returned by the query. The condition comprises two variables, a logical operator and two results. The variables and results can be attributes or static values.

A Conditional Attribute has the following syntax:

<Attribute>;{if:<Variable1>[;DataType] <Op> <Variable2>:<True Result>:<False Result>}{;DecodeType}

Attribute - The name the value is returned against; it is displayed as if it were an attribute of the object.
Variable1, Variable2 - The values to be compared; each can be an attribute of the object or a static value. Attributes are referenced by name, and attribute metadata can be referenced in the same way (e.g. meta.time.<attribute>, see the examples below). Static values are enclosed in quote marks. A wildcard character * can be used in a static value for Variable2 to find the value anywhere in the value returned by the attribute, i.e. "*disable"

Op - Defines the logical operator used to compare the two variables:

== Equal
!= Not Equal
>= Greater or equal
<= Less or equal
> Greater than
< Less than

DataType - Defines whether a variable needs to be converted into a different format before the comparison is made. If a DataType is provided for only one variable, both variables are converted to that DataType.
The following DataTypes are supported:

Int - Convert the variable to an integer
Date - Convert the variable to a date
Len - Use the length of the variable; if the DataType of the other variable is not specified, Int is assumed for it

True Result - The value returned if the condition is true
False Result - The value returned if the condition is false
The result values can also be attributes or static values and use the same formatting as the variables, including the metadata references.

DecodeType - This is used to convert the output using the DecodeTypes.  See Decode Types

Examples:

Updated;{if:usnchanged!=usncreated:"Updated":"Unchanged"}
Active;{if:useraccountcontrol=="*disable":"False":"True"}
LogonTime;{if:lastlogon;date>lastlogontimestamp:lastlogon:lastlogontimestamp}
Changed;{if:meta.time.unicodepwd!=pwdlastset:"invalid":"valid"}

Both the variables and the results can use any of the filter substitution options; in this case they must be defined as static entries, i.e. enclosed in quote marks. See Substitutions
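The following is an added example, not code from NetTools or from this page: a small evaluator for the Conditional Attribute syntax above, run against a constructed user record, so the DataType and wildcard rules can be checked concretely. The record contents, the function names (evaluate_conditional, typed, to_date), the choice to hold FILETIME values as integers and to keep useraccountcontrol as already-decoded text are all assumptions of the example; static values containing ":" (e.g. an embedded substitution) are not handled by this simple parser.

```python
# Added example (not NetTools code): an evaluator for the Conditional Attribute
# syntax described above, run against a constructed user record.  Names
# (evaluate_conditional, USER) and the choice to keep FILETIME values as
# integers and useraccountcontrol as already-decoded text are assumptions here.
import fnmatch
import operator
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# <Attribute>;{if:<V1>[;Type] <Op> <V2>[;Type]:<True>:<False>}[{;DecodeType}]
SPEC = re.compile(
    r"^(?P<name>[^;]+);\{if:"
    r"(?P<v1>[^:]+?)(?:;(?P<t1>\w+))?\s*(?P<op>==|!=|>=|<=|>|<)\s*"
    r"(?P<v2>[^:]+?)(?:;(?P<t2>\w+))?"
    r":(?P<true>[^:]+):(?P<false>[^:}]+)\}"
    r"(?:\{;(?P<decode>\w+)\})?$"
)
OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}


def to_date(value):
    """Date DataType: FILETIME (100-ns ticks since 1601) or generalized time."""
    text = str(value)
    if text.isdigit():
        return FILETIME_EPOCH + timedelta(microseconds=int(text) // 10)
    return datetime.strptime(text[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def resolve(token, obj):
    """Quoted token -> static string; otherwise an attribute (or meta.*) lookup.
    Missing attributes resolve to None and fail on a typed comparison."""
    token = token.strip()
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return token[1:-1], True
    return obj.get(token.lower()), False


def typed(a, b, t1, t2):
    """DataType rules: Len becomes a length and assumes Int for the other
    side; a single Int/Date applies to both variables; none = string compare."""
    t1, t2 = (t1 or "").lower(), (t2 or "").lower()
    if t1 == "len":
        a, t1 = len(str(a)), "int"
    if t2 == "len":
        b, t2 = len(str(b)), "int"
    kind = t1 or t2
    if kind == "int":
        return int(a), int(b)
    if kind == "date":
        return to_date(a), to_date(b)
    return str(a), str(b)


def evaluate_conditional(spec, obj):
    """Return (attribute name, value) for one conditional attribute."""
    m = SPEC.match(spec)
    if not m:
        raise ValueError(f"not a conditional attribute: {spec}")
    a, _ = resolve(m["v1"], obj)
    b, b_static = resolve(m["v2"], obj)
    if m["op"] in ("==", "!=") and b_static and "*" in b:
        # wildcard in a static Variable2: case-insensitive pattern match
        hit = fnmatch.fnmatchcase(str(a).lower(), b.lower())
        result = hit if m["op"] == "==" else not hit
    else:
        a, b = typed(a, b, m["t1"], m["t2"])
        result = OPS[m["op"]](a, b)
    value, _ = resolve(m["true"] if result else m["false"], obj)
    return m["name"].strip(), value


# Constructed record (FILETIME ticks; useraccountcontrol shown decoded).
USER = {
    "samaccountname": "jsmith",
    "usncreated": 12345,
    "usnchanged": 20001,
    "useraccountcontrol": "NORMAL_ACCOUNT | ACCOUNTDISABLE",
    "lastlogon": 133500000000000000,
    "lastlogontimestamp": 133400000000000000,
    "pwdlastset": 133300000000000000,
    "meta.time.unicodepwd": 133300000000000000,
    "description": "",
}

if __name__ == "__main__":
    for spec in (
        'Updated;{if:usnchanged!=usncreated:"Updated":"Unchanged"}',
        'Active;{if:useraccountcontrol=="*disable":"False":"True"}',
        'LogonTime;{if:lastlogon;date>lastlogontimestamp:lastlogon:lastlogontimestamp}',
        'Changed;{if:meta.time.unicodepwd!=pwdlastset:"invalid":"valid"}',
        'HasDescription;{if:description;len>"0":"yes":"no"}',
    ):
        print(evaluate_conditional(spec, USER))
```

The fifth spec shows the Len rule: description;len turns the empty string into 0 and the other side, the static "0", is converted to Int because no DataType was given for it, so the comparison is 0 > 0 and the false result "no" is returned.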

LDAP Search Favorites

The LDAP Search option in NetTools can save queries as favorites so they can be used again; there are also options to export and import queries. Saving a query as a favorite takes only a few steps: first set up the query as required, then enter a name in the Favorites field and click the Save button.

Previously saved favorites can be displayed by clicking on the drop-down list at the end of the Favorites field. Favorites are saved in the NetTools.ini file using standard ini formatting. Here is an example of a saved favorite called 'Active Users':

[Active Users]
Options=879892770722381
Server=localhost
BaseDN=cn=project
Filter=(&(objectclass=user)(!useraccountcontrol|=2))
Attributes=samaccountname
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

NetTools comes with over 280 predefined queries; the full list of queries is here. More examples and information on other favorites can be found here.

Variables

Saved favorites support variables so that a saved query can be used against any directory, not just the one it was originally created against. The following variables are supported:
##default - Replaced with the default naming context, as defined by defaultNamingContext in the RootDSE
##config - Replaced with the configuration naming context, as defined by configurationNamingContext in the RootDSE
##root - Replaced with the root domain naming context, as defined by rootDomainNamingContext in the RootDSE. V1.30.8 and above
##schema - Replaced with the schema naming context, as defined by schemaNamingContext in the RootDSE
NULL - Sets the field to blank

By default, if a field is not defined in the ini, that field is not changed when the favorite is selected and its current value is preserved.

The variable can be entered in the corresponding field before the favorite is saved, or by editing NetTools.ini after the favorite has been saved. The variables are populated when the Populate button is pressed (see LDAP Search Populate); when a saved favorite is then selected, each variable is replaced with the relevant naming context.
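The following is an added example, not NetTools code: it reads a favorite in the ini layout shown above and resolves its ## variables from a RootDSE, applying the rules from both the Populate section (BaseDN falls back to the first non-Configuration naming context on a non-AD server) and the Variables list (NULL blanks a field, a field absent from the ini keeps its current value). The RootDSE and the favorite are constructed samples, and pick_base_dn, expand_field and resolve_favorite are names chosen for this example.

```python
# Added example (not NetTools code): read a favorite in the NetTools.ini format
# shown above and resolve its ## variables from a RootDSE, applying the rules
# from "LDAP Search - Populate" and "Variables".  The RootDSE and the favorite
# are constructed samples; pick_base_dn/resolve_favorite are this example's names.
import configparser

# Constructed RootDSE of an AD DC (attribute names are real, DNs are made up).
SAMPLE_ROOTDSE = {
    "defaultNamingContext": "DC=corp,DC=example",
    "configurationNamingContext": "CN=Configuration,DC=corp,DC=example",
    "schemaNamingContext": "CN=Schema,CN=Configuration,DC=corp,DC=example",
    "rootDomainNamingContext": "DC=corp,DC=example",
    "namingContexts": [
        "DC=corp,DC=example",
        "CN=Configuration,DC=corp,DC=example",
        "CN=Schema,CN=Configuration,DC=corp,DC=example",
    ],
}

# Constructed favorite, same layout as the saved favorites on this page.
SAMPLE_FAVORITE = """
[Users - Disabled]
Options=660045
Server=
BaseDN=##default
Filter=(&(objectclass=user)(useraccountcontrol|=2))
Attributes=samaccountname,useraccountcontrol
Authentication=1158
"""


def pick_base_dn(rootdse):
    """BaseDN chosen by Populate: defaultNamingContext on AD, otherwise the
    first naming context that is not the Configuration NC."""
    if rootdse.get("defaultNamingContext"):
        return rootdse["defaultNamingContext"]
    for nc in rootdse.get("namingContexts", []):
        if not nc.lower().startswith("cn=configuration"):
            return nc
    return ""


def variables_from_rootdse(rootdse):
    """Values the ## variables expand to, taken from the RootDSE attributes
    named in the Variables list above."""
    return {
        "##default": pick_base_dn(rootdse),
        "##config": rootdse.get("configurationNamingContext", ""),
        "##schema": rootdse.get("schemaNamingContext", ""),
        "##root": rootdse.get("rootDomainNamingContext", ""),
    }


def expand_field(value, variables):
    """NULL blanks the field; ## variables are replaced wherever they appear,
    so a BaseDN such as 'CN=Directory Service,...,##config' works too."""
    if value.strip().upper() == "NULL":
        return ""
    for name, dn in variables.items():
        value = value.replace(name, dn)
    return value


def resolve_favorite(ini_text, rootdse, current_fields):
    """Return (name, fields) as LDAP Search would show them after the favorite
    is selected.  Fields absent from the ini keep their current value."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str          # keep 'BaseDN' etc. as written
    parser.read_string(ini_text)
    name = parser.sections()[0]
    variables = variables_from_rootdse(rootdse)
    fields = dict(current_fields)
    for key, value in parser[name].items():
        fields[key] = expand_field(value, variables)
    return name, fields


if __name__ == "__main__":
    name, fields = resolve_favorite(SAMPLE_FAVORITE, SAMPLE_ROOTDSE, {"Sort": "cn"})
    print(name)
    for key, value in fields.items():
        print(f"  {key}={value}")
```

interpolation=None matters here: configparser would otherwise treat the % of a %= chain-matching filter as an interpolation marker.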

NetTools also supports sharing favorites using the import and export functions. At the end of the Favorites field there are three buttons, to save a favorite and to export or import one to or from the clipboard. When the Import button is pressed the following dialog is displayed; the favorite text can be pasted into the dialog and added. The imported favorite is saved under the name in the square brackets; if a favorite with that name already exists it is overwritten.

Context Favorites

LDAP Search also supports context-based favorites. These favorites are not listed in the favorites drop-down list; they are displayed under the Custom item of the context menu for the text pane. With Context Favorites it is possible to pass the selected text in the text output pane to the favorite.

To create a Context Favorite, the name used to save the favorite must start with ##sel, i.e. ##selGet Details. The favorite is then displayed as Get Details under Custom on the context menu.

The selected text from the Text view pane is passed to the query by using ##sel as a substitution in any field of the favorite.

[##selGet Details (samaccountname)]
Options=879892770719309
Server=
BaseDN=##default
Filter=(samaccountname=##sel)
Attributes=displayname, accountexpires, pwdlastset, lastlogontimestamp, useraccountcontrol
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

In this example the selected text is expected to be the sAMAccountName, and the favorite searches for and displays the details of the object. To indicate what the selected text should contain, add it to the favorite name as in the example.

See Favorites for more examples

LDAP Search Substitution

NetTools supports a number of inline substitution options that allow different data types to be entered in a user-friendly format, without the need to remember complicated data formats. These can be used in the filter to simplify filter entry, or to convert the data format for attribute updates with Update Queries.

There are two types of substitutions available, data converters, and matching rule converters.

Data Converters
Data converters have the following format {<type>:[data]}

-1: int64 'not set' constant e.g. (pwdlastset={-1:}) which will be replaced with 9223372036854775807 (0x7FFFFFFFFFFFFFFF, the largest signed 64-bit value)
anr: Create an ANR filter based on the input string e.g. {anr:john smith}
getdn: return the DN for the specified samaccountname e.g. {getdn: domain admins} {getdn:user1}
guid: object guids e.g. (objectguid={guid:00AD5B16-8E22-49D5-B83A-BFDEA6DFF7DE})
hex: hexadecimal value e.g. (&(objectclass=group)(grouptype={hex:0x8000002}))
idate: 64-bit FILETIME (100-nanosecond intervals since 1 January 1601) e.g. (lastlogontimestamp={idate:31/12/2011})
ip: IP address in windows order e.g. (ipaddress={ip:10.12.45.254})
ipn: IP address in network order e.g. (ipaddress={ipn:10.12.45.254})
oid: oid identifiers e.g. (omobjectclass={oid:1.3.12.2.1011.28.0.702})
sdate: returns the date in dd/mm/yyyy format, when used with the Now constant e.g. {sdate:now}
sdatetime: returns the date and time in dd/mm/yyyy hh:mm:ss format, when used with the Now constant e.g. {sdatetime:now}
sid: object sid e.g. (objectsid={sid: S-1-5-21-3499964120-3315823391-1593708255-164234})
unicode: returns the specified string as an escaped hex string e.g. {unicode:new}
userinput: requests user input e.g. {userinput:Date}; responses are cached against the label, and if the same label is used again the cached response is used
zdate: Generalized Time format (YYYYMMDDHHMMSS.0Z) e.g. (whencreated={zdate:30/12/2011})

The zdate, idate, sdate and sdatetime types also support the constants Now, StartofDay and EndofDay, which can be used with an optional plus or minus number of days.
e.g. {zdate:now}, {zdate:now-365}, {idate:now+5}, {sdate:now}
{zdate:startofday}, {zdate:endofday}, {idate:startofday-5}

Nesting is supported on a number of the substitutions, to convert from one format to another or to convert a user input, e.g. {idate:{userinput:enter date}}
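The following is an added example, not NetTools code: a reference implementation of the data converters listed above (-1, hex, idate, zdate, sdate, sdatetime, sid, guid and userinput), including innermost-first nesting and the once-per-label caching of {userinput:} responses, which is what makes the Active Accounts Input favorite prompt only once. The current time is passed in rather than read from the clock so the output is reproducible; the function names, the ctx dictionary and the fixed SAMPLE_NOW are this example's own. It also shows what idate and zdate actually produce, which the page only describes in words.

```python
# Added example (not NetTools code): a reference implementation of the data
# converter substitutions listed above, including nesting and the cached
# {userinput:} responses.  The current time is passed in so results are
# reproducible; the function names and the 'ctx' dictionary are this example's.
import re
import struct
import uuid
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INT64_MAX = 9223372036854775807          # 0x7FFFFFFFFFFFFFFF, what {-1:} yields
TOKEN = re.compile(r"\{(-1|[A-Za-z]+):([^{}]*)\}")   # matches an innermost token only
SAMPLE_NOW = datetime(2024, 1, 31, 12, 0, 0, tzinfo=timezone.utc)  # fixed 'now' for the demo


def parse_date(text, now):
    """dd/mm/yyyy, or now/startofday/endofday with an optional +/- days."""
    m = re.fullmatch(r"(now|startofday|endofday)\s*([+-]\s*\d+)?", text.strip().lower())
    if m:
        base = now
        if m[1] == "startofday":
            base = now.replace(hour=0, minute=0, second=0, microsecond=0)
        elif m[1] == "endofday":
            base = now.replace(hour=23, minute=59, second=59, microsecond=0)
        return base + timedelta(days=int(m[2].replace(" ", "")) if m[2] else 0)
    return datetime.strptime(text.strip(), "%d/%m/%Y").replace(tzinfo=timezone.utc)


def to_filetime(dt):
    """idate: 64-bit FILETIME, 100-ns intervals since 1601-01-01 UTC."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def escape_bytes(raw):
    """Binary value inside an LDAP filter: RFC 4515 \\xx per byte."""
    return "".join(f"\\{b:02x}" for b in raw)


def sid_bytes(text):
    """S-1-5-21-... -> binary SID (revision, sub-authority count,
    48-bit big-endian identifier authority, little-endian sub-authorities)."""
    parts = text.strip().split("-")
    if parts[0].upper() != "S":
        raise ValueError(f"not a SID: {text}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def convert(kind, data, ctx):
    """One {kind:data} token -> replacement text."""
    kind = kind.lower()
    if kind == "-1":
        return str(INT64_MAX)
    if kind == "hex":
        return str(int(data, 16))
    if kind == "idate":
        return str(to_filetime(parse_date(data, ctx["now"])))
    if kind == "zdate":
        return parse_date(data, ctx["now"]).strftime("%Y%m%d%H%M%S.0Z")
    if kind == "sdate":
        return parse_date(data, ctx["now"]).strftime("%d/%m/%Y")
    if kind == "sdatetime":
        return parse_date(data, ctx["now"]).strftime("%d/%m/%Y %H:%M:%S")
    if kind == "sid":
        return escape_bytes(sid_bytes(data))
    if kind == "guid":
        return escape_bytes(uuid.UUID(data.strip()).bytes_le)  # AD stores GUIDs little-endian
    if kind == "userinput":
        label = data.strip()
        if label not in ctx["answers"]:          # prompt once per label
            ctx["answers"][label] = ctx["prompt"](label)
        return ctx["answers"][label]
    raise ValueError(f"unsupported substitution {{{kind}:...}}")


def substitute(text, ctx):
    """Expand tokens innermost-first so {idate:{userinput:...}} nests."""
    while True:
        m = TOKEN.search(text)
        if not m:
            return text
        text = text[:m.start()] + convert(m[1], m[2], ctx) + text[m.end():]


def make_ctx(now=None, prompt=input):
    return {"now": now or datetime.now(timezone.utc), "answers": {}, "prompt": prompt}


if __name__ == "__main__":
    ctx = make_ctx(prompt=lambda label: input(f"{label}: "))
    print(substitute("(&(lastlogontimestamp<={idate:now-{userinput:Days}})"
                     "(!accountexpires={-1:}))", ctx))
```

Two details worth noting from the code: the SID and GUID converters emit the binary form as \xx escapes, which is the only way to compare objectSid or objectGUID in a filter, and a FILETIME is not a Unix timestamp (1970-01-01 is 116444736000000000), so pasting an epoch value into an idate comparison silently matches nothing.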

Matching Rules Converters
Matching rule converters use a single character as a substitute for the matching rule OIDs in LDAP filters; these are |, &, % and $.

|= is the Or bit logic operator e.g. (!useraccountcontrol |= 2)  - expands to (!useraccountcontrol:1.2.840.113556.1.4.802:=2)

&= is the And bit logic operator e.g. (useraccountcontrol &= 2)  - expands to (useraccountcontrol:1.2.840.113556.1.4.803:=2)

%= is the in-chain operator (transitive membership, LDAP_MATCHING_RULE_IN_CHAIN) e.g. (memberof %= (cn=Group1,OU=groupsOU,DC=test,DC=com)) - expands to (memberof:1.2.840.113556.1.4.1941:= (cn=Group1,OU=groupsOU,DC=test,DC=com))

$= is the DN-Binary or DN-String search e.g. (msDS-HasInstantiatedNCs$=B:8:0000000D:CN=Configuration,DC=corp) - expands to (msDS-HasInstantiatedNCs:1.2.840.113556.1.4.2253:=B:8:0000000D:CN=Configuration,DC=corp)
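The following is an added example, not NetTools code: it expands the four shorthands above into the OID form and adds two checks a practitioner wants when scripting the same thing. A bit-rule value that is not a decimal integer (a common slip is writing 0x2 directly instead of going through {hex:...}) is rejected, and an optional strict mode emits the negation as (!(attr:oid:=v)), the form RFC 4515 prescribes, rather than the (!attr:oid:=v) shorthand shown in the expansions above, in case the target directory is not as lenient as AD. The regex, the strict flag and the function name are this example's own; the DN in the %= sample is written without the surrounding parentheses.

```python
# Added example (not NetTools code): expand the single-character matching rule
# shorthands above into the OID form the server expects, and reject a bit-rule
# value that is not a decimal integer.  Regex, strict mode and names are this
# example's own.
import re

MATCHING_RULES = {
    "|": "1.2.840.113556.1.4.802",    # LDAP_MATCHING_RULE_BIT_OR
    "&": "1.2.840.113556.1.4.803",    # LDAP_MATCHING_RULE_BIT_AND
    "%": "1.2.840.113556.1.4.1941",   # LDAP_MATCHING_RULE_IN_CHAIN (transitive)
    "$": "1.2.840.113556.1.4.2253",   # LDAP_MATCHING_RULE_DN_WITH_DATA
}

# (  [!]  attribute  <rule>=  value  )   with optional whitespace
SHORTHAND = re.compile(r"\(\s*(!?)\s*([A-Za-z][\w.-]*)\s*([|&%$])=\s*([^()]*?)\s*\)")


def expand_matching_rules(filt, strict=False):
    """Rewrite every shorthand term.  strict=True emits the RFC 4515 form of a
    negation, (!(attr:oid:=v)), instead of the (!attr:oid:=v) shorthand."""
    def repl(m):
        neg, attr, rule, value = m.groups()
        if rule in "|&" and not value.isdigit():
            raise ValueError(
                f"{attr}{rule}= needs a decimal bit mask, got {value!r} "
                "(convert with {hex:...} first)")
        term = f"{attr}:{MATCHING_RULES[rule]}:={value}"
        if neg:
            return f"(!({term}))" if strict else f"(!{term})"
        return f"({term})"
    return SHORTHAND.sub(repl, filt)


if __name__ == "__main__":
    for f in (
        "(&(objectclass=user)(!useraccountcontrol |= 2))",
        "(useraccountcontrol &= 514)",
        "(memberof %= CN=Group1,OU=groupsOU,DC=test,DC=com)",
        "(msDS-HasInstantiatedNCs$=B:8:0000000D:CN=Configuration,DC=corp)",
    ):
        print(expand_matching_rules(f))
        print(expand_matching_rules(f, strict=True))
```

For a single bit such as ACCOUNTDISABLE (2) the OR and AND rules give the same answer; they differ only for multi-bit masks, where &= requires every bit and |= any bit of the mask to be set.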

Attribute Scope Query

The Attribute Scope Query (ASQ) is a server-side control that returns attributes of the objects referenced by an Object(DN-DN) attribute, e.g. member. The specified attributes are returned for each DN listed in the Object(DN-DN) attribute.

For ASQ queries the LDAP Search input fields must be set as follows. The BaseDN field must be set to the DN of the object containing the Object(DN-DN) attribute; the Search Scope must be Base Level; the Filter field is applied to the objects referenced by the Object(DN-DN) attribute and can be used to filter\limit which of them are included; and in the Attributes field the first attribute named must be the Object(DN-DN) attribute itself, followed by the list of attributes required.

In the above example, the member attribute of a group object is used as the Object(DN-DN) attribute, and the query returns the last time each member logged on and when they last changed their password.

The Filter field can be used to limit\filter the records returned; the filter is applied to the objects referenced by the Object(DN-DN) attribute, and only those that match are returned. For example, setting the filter to (&(objectclass=*)(!userAccountControl|=2)) returns only enabled accounts. This filter uses the subst feature to simplify the entry of complicated filters, see Substitutions

Advanced operations - it is possible to combine Input Mode and the ASQ option to query the Object(DN-DN) attribute of multiple objects in a single operation.

To do this, first enable Input Mode by selecting the Table Input option and the Create Multiples option, then paste the list of object DNs to be queried into the table view. Set the BaseDN to ##input and click Go. The results for each DN in the search attribute are displayed on an individual line.

LDAP Search Input Mode

LDAP Search supports an option called Input Mode, which allows a query to be run against a list of user inputs, with the results displayed against the corresponding input item. To enable Input Mode, Table View and Table Input must both be selected; this enables a few extra options and items on the Table View context menu.

When Input Mode is selected, the other options in the Table View options are enabled. The column names in the table view also change to ##input<n>, whether existing table data is preserved or input lists are added. Input Mode supports up to 9 input lists.

Input lists are added to the table view using the additional items in the context menu: Load Input, Paste Replace and Paste Insert.

Load Input - loads the list from a file; the file must be tab separated
Paste Replace - pastes the contents of the clipboard into the table view, clearing the existing contents of the table; this is the option to use when copying the contents of a multi-column spreadsheet
Paste Insert - pastes the contents of the clipboard into the table view, preserving the existing contents of the table

Above shows the table view after the input lists have been added. The column headings are updated to show the variable name for each list, and these variable names can then be used in the query input fields.

In the example above only the first input variable is used in the filter; the second input is ignored. When the query is run, it is run once for each item in the list, with ##input replaced by the value from the list. If the query returns results, the attributes are displayed on the same line as the entry.

In the example above, both variables are used in an Update Query; the ##input2 variable is used to update the department of the user.
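The following is an added example, not NetTools code: Input Mode replayed in a script, producing one filter per row of a tab-separated input list with ##input/##input1..##input9 replaced by that row's columns. The rows are constructed, and the third one is deliberately hostile, because a value pasted into (samaccountname=##input) becomes part of the filter; the example therefore escapes values per RFC 4515 so a row such as *)(objectclass=* cannot widen the search. That escaping is the example's own choice for scripted use and not a description of what NetTools does internally; the function names are also the example's own.

```python
# Added example (not NetTools code): Input Mode replayed in a script.  One
# query is produced per row of a tab-separated list, with ##input/##input1..9
# replaced by that row's columns.  The rows are constructed, and the values
# are escaped per RFC 4515 so a pasted value cannot change the filter's
# structure; that escaping is this example's choice, not a description of what
# NetTools does internally.
import re

MAX_INPUTS = 9
INPUT_VAR = re.compile(r"##input([1-9])?", re.IGNORECASE)

# Constructed input list as it would be pasted from a two-column spreadsheet;
# the third row is a deliberately hostile value.
SAMPLE_TABLE = (
    "jsmith\tFinance\n"
    "adoe\tSales\n"
    "*)(objectclass=*\tIT\n"
)


def escape_filter_value(value):
    """RFC 4515: escape * ( ) \\ and NUL as \\xx inside an assertion value."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\x00" else ch for ch in value)


def parse_input_table(text):
    """Tab-separated rows, blank lines skipped, at most 9 columns."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.rstrip("\r\n").split("\t")
        if len(cols) > MAX_INPUTS:
            raise ValueError(f"Input Mode supports {MAX_INPUTS} lists, row has {len(cols)}")
        rows.append(cols)
    return rows


def fill_inputs(template, row):
    """##input and ##input1 are column 1, ##input2..##input9 the rest."""
    def repl(m):
        index = int(m[1] or 1) - 1
        if index >= len(row):
            raise KeyError(f"row has no column {index + 1} for {m[0]}")
        return escape_filter_value(row[index])
    return INPUT_VAR.sub(repl, template)


def queries_for_inputs(template, table_text):
    """(row, filter) pairs: what the tool runs once per input line."""
    return [(row, fill_inputs(template, row)) for row in parse_input_table(table_text)]


if __name__ == "__main__":
    for row, filt in queries_for_inputs("(samaccountname=##input)", SAMPLE_TABLE):
        print(row, "->", filt)
```

fill_inputs escapes for filter assertion values only. The page also allows ##input in the BaseDN field; a DN has its own escaping rules (RFC 4514), so do not route a DN column through this function.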