Sites DC List

This option will display the list of Domain Controllers in the forest, and which sites that DCs are allocated.  Additional information is also provided, the default context for the DC, the FSMO roles installed, dns hostname, and IP address, if the Perform DC DNS resolution option is selected.

The FSMO Roles uses the following abbreviations:

G - Global Catalog
D - Domain Master
I - Infrastructure Master
P - PDC Master
R - RID Master
S - Schema Master

RID Pool

This option will display information about the current RID pool allocations in the selected domain, if no domain is specified, it will report on the domain of the computer running NetTools.  The current RID Master is displayed with the overall allocation size and the current RID pool allocation for each of the domain controllers in the domain.

RID Master


This is a simple logon test using the LogonUser API to test if a set of credentials are valid.  If the logon is successful then the account's groups and privileges are displayed.  There are number of options to select the type of logon to be performed, this can be used to confirm that user rights have been configured correctly on the local computer.

Logon - Groups
Logon - Privileges

User Rights

This option will display the the groups and privileges for the user context under which NetTools is running.  This information is retrieved from by calling GetTokenInformation against the current process, and then displays the contents of the access token.  The groups tab has all the groups in the access token, the Privileges tab contains all the rights that have been assigned to the current user.  There is an context menu option on the Privileges tab to request a privilege

The Attributes column has the following meaning:

M - Mandatory
ED - Enabled by Default
E - Enabled
O - Owner
ID - Logon ID
IE - Integrity Enabled
I - Integrity
L - Local Group
D - Deny Only

User Rights - Groups
User Rights - Privileges

UNC Check

The UNC Check option provides the ability to confirm accessibility of a UNC share.  The entered UNC is broken down into it's elements and each element is test separately and the results of each test is displayed.  The path of the UNC path is displayed and colour coded based on the results of the tests


Name Resolution
Ping IP Address
Portqry against Endpoint mapper port 135
Retrieve a complete list of shares
Check the share exists
Checks the permissions to read the share
then checks that the full path is accessible

UNC Check Passed
UNC Check - Failed path
UNC Check - Failed share
UNC Check - Shares


The NetGroupEnum option uses the API from the legacy Network Management API to display the groups and group membership.  This option uses the NetGroupEnum API to get the list of local groups on the specified server, and then by selecting the group, the members are then displayed.  This provide a quick method to check the local group membership on a local or remote server.

Token Size

This option shows an indicative number of SIDs that will be added to a user's or computer's access token when they authenticate against the the domain. The Base DN defined the start point for the search, if left blank, the entire directory is searched.  There are also a number of options that can be used to limit the items that are returned, by default only the the top 100 entries are displayed, however this can be changed.

Limiting the search to only Groups is a method to determine if there are any groups which have a high number of nested groups, which could impact the size of a user's access token if users are added to the group.

The size column is for reference only, this is the size of the data returned by TokenGroups attribute for the corresponding object, while it can be used as an indication of the resulting token size it is not exact, see the Microsoft article for the formula for calculating the token size.

The right click context menu provides a number of options to investigate the token size further, the Display SID Inheritance option allows you to drill down into the access token to see which items are causing the token bloat.

Background: Windows use a buffer to hold the user's access access token, the size of this buffer varies in size between different versions of Windows, see:  While you can increase the size of the token supported by the OS, there is no way to increase the maximum size supported by IIS prior to version 6.  User who is a member of 100+ groups thy may experience intermittent access to resources, over 300 they will have IIS\Sharepoint issues, over 1015 and the user will not be able to logon.  The use of SID History for migration or consolidations only makes the token size issue worse.  This is quite a good white paper on the issue

DC Update

This option will display the number of updates that have been processed across all the domain controllers in the forest or domain controllers hosting the selected domain context.  The metrics are updated based on the interval selected. For each domain controller the following metrics are displayed based, the number of updates processed since the last update, the highest number of updates seen between updates, the total number of updates since the monitoring started and the current time on the domain controller.

Setting the Domain Context will limit domain controllers that are monitor to the DCs that host the specified context. This should be entered in DN format i.e. DC=nettools,DC=net.


The SPN option is used to search for Service Principal Names in the AD.  The format of the search string entered in the SPN field is service\host name, e.g. cifs/dc01. wildcards card be used e.g. mssqlsvc/* to get all the SQL SPN in the domain.  Avoid using wildcards for the host name for service names that are included in the sPNMappings attribute as this will cause the details of all the computer objects to be returned. 

The option uses the sPNMappings settings to search for alternative service names against the host name.  These are the service names that are associated to host service name included in the SPMMappings attribute - alerter, appmgmt, cisvc, clipsrv, browser, dhcp, dnscache, replicator, eventlog, eventsystem, policyagent, oakley, dmserver, dns, mcsvc, fax, msiserver, ias, messenger, netlogon, netman, netdde, netddedsm, nmagent, plugplay, protectedstorage, rasman, rpclocator, rpc, rpcss, remoteaccess, rsvp, samss, scardsvr, scesrv, seclogon, scm, dcom, cifs, spooler, snmp, schedule, tapisrv, trksvr, trkwks, ups, time, wins, www, http, w3svc, iisadmin, msdtc.

The Requested SPN Only option is used to limit the item displayed from the found SPNs to the same as requested service name, if this option is deselected, then all the SPN entries assigned to the account are displayed.