Category Archives: Basics

GPO Explorer – GPO Test Details

Some of the Features and Tests listed here are only available in NetTools v1.31.4 and above

The Test feature in GPO Explorer provides similar functionality as provided by the retired Microsoft GPOTool.exe utility.  This post provides the details of the tests that are completed and how the results are compared to the other selected DCs.

The test feature appears in two locations in GPO Explorer, one as a tab on the individual policy details and other at the domain level to test multiple GPOs at once.  While how the results are display are different between the two test types, the same testing is completed for both instances.

The Domain option looks like this and provides a very similar output to the retired GPOTool.exe

GPO Testing Results

The individual test looks like this:

GPO Testing Results - Individual

DC Selection

By default the tests are performed against all the DCs in the domain, however, it's possible to define which DCs you want to include in the test.  The Domain level test, as shown above, provides a list of DCs that have been discovered, you can limit which DCs will be included in the test by selecting as required DCs.  This selection is then used for both the Domain and Individual tests.

Test Details

The testing is completed in two phases, first the details are collected from each of selected DCs and then in phase two the captured details are compared across all the selected DCs.  The first selected DC in the server list is used as the source and all the other DCs are compared against this DC, you can change this by using the context menu to moving another DC to the top of the list, and this will be used as the source DC.

During the Collection phase the following details are captured and tests performed:

  • Display Name of the Policy
  • Sysvol Path
  • Functionality Version
  • GPO Flags
  • GPO Version Number (User and Machine)
  • WMI Filter assigned
  • GPO Machine Extensions
  • GPO User Extensions
  • When Created
  • When Last Changed
  • AD Permissions
  • Number of sub AD objects under the GPO for both User and Machines settings
  • Check the Sysvol path is accessible
  • Capture the security permissions of the root of the policy folder
  • Check that the trustees assigned Apply Group Policy right in the AD have access to the following location in Sysvol path:
    • Root of the policy folder
    • GPT.ini
    • User folder
    • Machines folder
  • Capture the GPO version details from GPT.ini file (User and Machine)
  • Capture the file count, total file size, and directory count for these sub directories:
    • Machine
    • User

Once the details have been captured from all the selected DCs phase two will then compare each of these values to confirm the details are the same across all the DCs.  If there are any differences it will report an error or the traffic lights indicators for the test will be Red.   The Compare phase, in addition to comparing the details captured in phase one it will also complete the following tests:

  • Compare the AD DACL ACE Count
  • Compare the Sysvol DACL ACE Count
  • Confirm the ACE in the Sysvol DACL are in the same order
  • Compare the AD Security Descriptor
  • Compare the Sysvol Security Descriptor
  • Check for duplicate ACEs
  • Check the order of the permisions

The Individual test option displays the results as pass\fail and doesn't provide much in the way of  detail on the reason for the failure.  However the Domain level test does provide details of the information captured and failure details, when the Display Policy Details option is selected before running the test.

If any of the AD replication tests fail you can select the individual GPO and use the Context Menu option to run a Check AD Replication test on the GPO AD object, this will automatically populate the Attribute Replication test for you.

Check AD Permissions

Debug Option

The GPO test also provide additional debug information in the Domain level test, which is helpful if you are are trying to diagnose ACL issues as reported by the GPMC Status report.  This debug option is not enabled by default and can only be enabled by manually editing the NetTools.ini file.

  1. Open the NetTools.ini file
  2. Search for [SavedOptions]
  3. Add GPODebug=true after the heading
[SavedOptions] 
GPODebug=true

Mapping Get-ADTrust attributes to the TDO Object

This post provides the details of the mapping between the the attributes displayed by the Get-ADTrust powershell command and the attributes of the TDO object.

Most of the properties returned by the Get-ADTrust command map to the TrustAttribute attribute of the TDO object, so the table below shows which values of the TrustAttribute map to corresponding Get-ADTrust Property.  The NetTools Mnemonic column has the name of the mnemonic that NetTools will display if this value is set.

Get-ADTrust Parameter TDO Attribute NetTools Mnemonic
DirectiontrustDirection
DisallowTransivityTrustAttributeNon-Transitive
DistinguishedNameDistinguishedName
ForestTransitiveTrustAttributeForest Transitive
IntraForest
IsTreeParent
IsTreeRoot
NameName
ObjectClassObjectClass
ObjectGUIDObjectGUID
SelectiveAuthenticationTrustAttributeCross Organisation
SIDFilteringForestAwareTrustAttributeSSIDHistory
SIDFilteringQuarantinedTrustAttributeQuarantined
Source
TargettrustPartner
TGTDelegationTrustAttributeTGT Delegration
TrustAttributes
TrustTypetrustType
TrustedPolicy
TrustingPolicy
UsesAESKeysmsDS-SupportedEncryptionTypes
UsesRC4EncryptionTrustAttributeRC4 Encryption

This table shows the NetDom command argument that is used to change the corresponding TDO attribute.

Get-ADTrust Parameter NetDom Parameter
Directiontwoway or oneside
ForestTransitiveTransitive
SelectiveAuthenticationSelectiveAuth
SIDFilteringForestAwareSIDHistory
SIDFilteringQuarantinedQuarantine
TGTDelegationEnableTgtDelegation

This page provides the details of the netdom command parameters, and this page provides the details of the TrustAttribute attribute.  This page provides the details of the SID filtering functionality and which SID will be filtered.

The screenshot below shows the enumerate or mnemonics as defined on NetTools.

TrustAttribute

NLTEST Flags – what does 0x20000 mean?

When running NLTEST /DSGETDC command against a domain controller that is Windows 2012R2 or later, the command will display the normal flags plus an extra flag called '0x20000', but what does the 0x20000 flag mean.  First of all it's not an error code, Microsoft have added an additional feature to Windows 2012R2 and later DCs, but NLTEST hasn't been updated to display this flag correctly, even the Windows 2019 version doesn't have this flag defined.

The results deplayed by NLTEST /DSGETDC is the information returned by the DsGetDcName API, this information if defined in the DOMAIN_CONTROLLER_INFO structure.

typedef struct DOMAIN_CONTROLLER_INFOA {
LPSTR DomainControllerName;
LPSTR DomainControllerAddress;
ULONG DomainControllerAddressType;
GUID DomainGuid;
LPSTR DomainName;
LPSTR DnsForestName;
ULONG Flags;
LPSTR DcSiteName;
LPSTR ClientSiteName;
} DOMAIN_CONTROLLER_INFOA, *PDOMAIN_CONTROLLER_INFOA;

The Flags member has the following definitions in the dsgetdc.h file

#define DS_PDC_FLAG 0x00000001 // DC is PDC of Domain
#define DS_GC_FLAG 0x00000004 // DC is a GC of forest
#define DS_LDAP_FLAG 0x00000008 // Server supports an LDAP server
#define DS_DS_FLAG 0x00000010 // DC supports a DS and is a Domain Controller
#define DS_KDC_FLAG 0x00000020 // DC is running KDC service
#define DS_TIMESERV_FLAG 0x00000040 // DC is running time service
#define DS_CLOSEST_FLAG 0x00000080 // DC is in closest site to client
#define DS_WRITABLE_FLAG 0x00000100 // DC has a writable DS
#define DS_GOOD_TIMESERV_FLAG 0x00000200 // DC is running time service (and has clock hardware)
#define DS_NDNC_FLAG 0x00000400 // DomainName is non-domain NC serviced by the LDAP server
#define DS_SELECT_SECRET_DOMAIN_6_FLAG 0x00000800 // DC has some secrets
#define DS_FULL_SECRET_DOMAIN_6_FLAG 0x00001000 // DC has all secrets
#define DS_WS_FLAG 0x00002000 // DC is running web service
#define DS_DS_8_FLAG 0x00004000 // DC is running Win8 or later
#define DS_DS_9_FLAG 0x00008000 // DC is running Win8.1 or later
#define DS_DS_10_FLAG 0x00010000 // DC is running WinThreshold or later
#define DS_KEY_LIST_FLAG 0X00020000 // DC supports key list requests
#define DS_PING_FLAGS 0x000FFFFF // Flags returned on ping
#define DS_DNS_CONTROLLER_FLAG 0x20000000 // DomainControllerName is a DNS name
#define DS_DNS_DOMAIN_FLAG 0x40000000 // DomainName is a DNS name
#define DS_DNS_FOREST_FLAG 0x80000000 // DnsForestName is a DNS name

As you can see 0x20000 is defined in the include file as support for Key List Requests, see the Kerberos Protocol Extension [MS-KILE] section 2.2.11 for more info.  NetTools includes this decode and the result from the same server shows the option for Key List Request are supported.

Process Flow for LDAP Search

This is a quick article that shows the process flow of the LDAP Search feature.  The LDAP Search function consists of a number of functions that are used to execute the query and display the results.  The main function is used to collect and validate the user inputs and connect to the server and execute the query, then a sub function is used to display the results and complete any attribute updates.  The process shown below starts when the user presses the Go button to execute the query.

Invalid characters for Office365 Sync

Office365 specifies a number of characters that can't be includes in a number of key attributes. These invalid characters vary depending on the attribute, for a full list of invalid characters in each attribute see this Microsoft article.

NetTools includes a predefined query that will show which user objects contain these invalid characters. The query is called Users: Invalid characters for O365, which is available in the LDAP Search option. These are the attributes that are included in the search

        • givenName
        • sn
        • mailNickname
        • proxyAddresses
        • UserPrincipalName 
        • mail

To run the query first select the LDAP Search Option in the left hand pane, then click on the Populate button, shown in the red square below, to connect to the AD and populate the Base DN field.

queries

Once the Populate has finished, select the Users: Invalid characters for O365 query from the Favorites dropdown list. If required, change the BaseDN field to limit the scope of the search and then click Go.  A list of all the user objects that contain invalid characters will be displayed.

The query uses the Regex Display filter option to only display the user objects that have invalid characters.  Here are the the query properties:

[Users: Invalid characters for O365]
Options=879892770722381
Server=
BaseDN=##default
Filter=(&(objectclass=user)(objectcategory=person)(!userAccountControl|=2))
Attributes=userPrincipalName, proxyAddresses;SMTP, givenName, sn,displayName,mailNickname, mail
DisplayFilter=userPrincipalName regx [\"|,/:<>+=;?*'] || givenName regx [\"|,/:<>+=;?*'] || sn regx [\"|,/:<>+=;?*'] || mailNickname regx [\"|,/:<>+=;?*'] || mail regx [\"|,/:<>+=;?*'] || proxyaddresses regx [\"|,/:<>+=;?*']
Filename=
Sort=
Controls=
Authentication=1158
Separator=,

For more information on the available queries see Redefined LDAP Queries  
For details on the favorites option see Favorites

Workaround for SmartScreen

When running NetTools on a Windows 10 machine, it can sometimes trigger the Microsoft Defender SmartScreen and block the execution of NetTools.  This is because NetTools is not signed and SmartScreen blocks apps that have been downloaded.  This is an example of the SmartScreen dialog that is be displayed.

To prevent SmartScreen from blocking NetTools, open the properties of NetTools.exe and check the Unblock option and click OK.

LDAP Search – Credentials

Note: The Credentials option was deprecated in version 1.28.0 and replaced with Connection Profiles

LDAP Search provides the ability to specific the credentials under which a query will be executed, it also provides the ability to select the authentication method that will be used to pass the credentials to the server.

The Credentials dialog is found when the More button is pressed.

credentials

There are nine different authentication methods available:

LDAP_AUTH_SIMPLE, this method requires the DN of the account and password, domain is not required
LDAP_AUTH_DIGEST, Digest authentication package
LDAP_AUTH_DPA, Distributed password authentication. Used by Microsoft Membership System
LDAP_AUTH_MSN, Microsoft Network Authentication Service
LDAP_AUTH_NTLM, this method uses NTLM to authenticate against the directory
LDAP_AUTH_SICILY, covers package negotiation to MSN servers
LDAP_AUTH_DIGEST, this method requires the samaccountname and password
LDAP_AUTH_NEGOTIATE, this method requires either, samaccountname or UPN and password, the domain is optional
ANONYMOUS, the username and password are not required.

See the following MS Article for more details ldap_bind_s

Warning: With the simple bind method the password is sent in clear text to the server, you should use this method in association with an SSL based connection to protect the password.

The default behavior of NetTools is use the negotiate method, when connecting to an Active Directory, you don't need to provide any credentials, the current user's context will be used based on Kerberos authentication.

A number of other options in NetTools use the credentials provided in this dialog to run the option under a different or elevated set of credentials, this is shown as Use the LDAP Search Credentials.

NetTools Basics

nettools

 

NetTools has a number of common features which are used throughout the program. This post provides details on some of these features.

The screenshot below shows the common features of the NetTools interface.

Nav

These buttons are used to navigate the tests that have been previously run.

Connection Profiles

This button opens the Connection Profile dialog used to manage Connection Profiles to connect to specific domain controllers or domains. 

Resolver

This button opens the Resolver dialog, which can be used to resolve multiple names and track which objects have been visited.

Help

This button will open the help page on the NetTools website for the selected test option.

Quick Search

This option is used as a quick search of the AD, and is a shortcut for the Search option.

Pinned Option

Options that the user has pinned will be displayed here.

Available Tests

The list of available tests are displayed here. The tests are grouped in categories to help find the appropriate test. 

Test Options

For each test, the test options are displayed here, use these to configure the test, the associated button is used to start the test.

Result Option

The results of the tests are displayed in this area.  Use the right click context menu to access additional features.

Info

This area is used to display additional information about the test or error messages that are generated during the test execution.

AD or Server Connections

If NetTools is run on a machine that is joined to an AD domain, by default NetTools will connect to the domain controllers of that domain without needing to specify the server. It will also use the credentials of the user running NetTools to make the connection. If you want to connect to a specific domain controller, different domain, or use a different set of credentials, you use Connection Profiles.  See Connection Profiles for more details.

Server Lists
In most of the options there is a field to specify the server or domain, this field is used to enter a server name or select a Connection Profiles that the test will be run against.  The server and domain fields are optional, if no entry is provided NetTools will either connect to the domain the machine running NetTools to joined to, or use the default Connection Profile, if one has been defined.

Navigation
The toolbar is used to navigate the tests and access a number of features in NetTools.  The toolbar has both fixed buttons and user selected buttons.

The Back and Forward buttons allow you to move backwards and forwards between tests you have used, this is useful if you select a linked option and want to go back to the previous test.  The Connection Profiles button opens the Connection Profiles dialog, which allows you to configure profiles that defines, the LDAP server, GC server, SSL, authentication, credentials and paging properties.  For more details see Connection Profiles. The Resolver button will open the Resolve dialog, which lets you resolve different input types and provides a temporary scratch pad when investigating an issue.  For more details see Resolver.  The Help button opens the help page on the NetTools.net website for the selected test.  The Quick search entry field provides a quick entry method to perform a search of the AD using the User - Search option.

Permissions
You don't need any specific permissions to run NetTools, only execute right on the file system.  With a typical AD implementation a normal user can read a lot of the details in the AD, there are few features that might need elevated rights, i.e. viewing deleted objects or low level replication data shown in the Replication Queues option, where elevated permissions are required this is included in the corresponding Option's web page.  Only other scenario where permissions can be an issue is when NetTools is run on a Domain Controller that has User Access Control (UAC) enabled, the results returned by the local Domain Controller will be reduced unless NetTools is executed with Run as Administrator option.

Where to start
The number of options in NetTools can make it confusing where to start.  The best approach is to start with the Search option under Users or use the quick search option, this allows you to search the AD, be it at the Forest or Domain level for any object in the Active Directory, from there the context menu options allows you to then interrogate the returned objects.  See User Search.

To allow you to find your favorite option quickly, NetTools includes a Pin option, which will add user defined button to the toolbar to allow you to quickly select your commonly used options.  To Pin an item, select the option, then right click on the option name and select the Pin from the context menu, you will be prompted to select an icon for the button.  To remove a Pinned item, simply right click on the button on the toolbar and select Remove.

Option Pinning

Option or test Linking
For a number of the tests the output from one can be used as the input for other tests and options, by selecting the corresponding output entry and right clicking the context menu will display these options.  The User Search option has a number of linked options that are displayed under the use with sub menu.

Copy and Paste
The outputs from the tests can be copied into other functions in NetTools or to external programs.  The Copy and Paste options are displayed in the right click context menus. For table views it's possible to copy the data in a single column, the line, or the entire table. When using the copy column option, mouse position when the right click is pressed, is used to define which column will be selected.  For text based output fields it's possible to copy the text as with standard copy and paste. The Copy works with a single or multiple selected items, and when copying the details from all selected items is copied. A number of keyboard shortcuts are defined, Ctrl+C will copy the the details of from the column of the select items, Ctrl+L will copy all the details of the selected items, Ctrl+T will copy the entire contents of the table, include headers. The Copy to new window context menu option will copy the contains of the view to a new detached window, which provide additional sort and filtering options.  See Copy to new window

Messages/Results pane
On most options, there is a lower pane, this pane is used to display any errors or status report from the execution.  Any error messages or codes returned by the APIs are displayed here.

Exporting Objects
There is the ability to export objects in LDIF file format, this is available from the context menus. See LDIF Export for more details.

Common Dialogs
NetTools has four common dialogs which are available from most context menus on in the results and options.  These are the AD Properties, Attributes, Meta Data,  and Permissions dialogs which is used to display and edit an object's permissions, these dialogs are accessed via the context menu and are listed at the bottom of menu, as shown below.

Context Menu
AD Properties
Attributes
Meta Data
Permissions

Resolver
The Resolver dialog provides a scratch pad to temporary store items that you are troubleshooting or investigating. The Resolver dialog is accessed via the toolbar and items can be added to the dialog either from the context menu, pressing Ctrl+R, manual entry, or pasting a list of DN, samaccountname, email, upn or displaynames.  From the Resolver dialog the NetTools options and test can be selected from the context menu in the Resolver dialog.

Resolver Context Menu

NetTools saved configuration
NetTools uses a single configuration file called NetTools.ini, this is used to save any user defined configuration or lists.  NetTools will try to read the configuration from the same location as the exe from executed from.