Category Archives: HowTo

How To: Find which DCs have the FSMO roles

You don't have to work with AD for very long before you need to find out which domain controller is hosting a certain FSMO role, e.g. to apply schema updates or to troubleshoot password issues.  Luckily NetTools is able to display all the FSMO roles with just two clicks.

The Site DC List option in NetTools will display the FSMO roles for all the domain controllers in the forest.

Key for the Roles:

G - Global Catalog
D - Domain Master
I - Infrastructure Master
P - PDC Master
R - RID Master
S - Schema Master

How To: Find the DN of an object

In Active Directory every object has a unique identifier, a DN or Distinguished Name. It is used by a number of different tools and services to reference the object, so being able to find the DN of an object is a basic task that is required when managing Active Directory.

In NetTools there are numerous options to find or display the DN of objects. Here are few of them:

User Search - returns a number of common attributes for the objects found, including the DN in the distinguishedName column.  The DN can be copied using the right click context menu.

ACL Browser - you are able to browse the directory and display the structure in the left hand pane; the right click context menu has an option to copy the DN of the selected object.

GPO Explorer - you are also able to browse the directory, and the Contents tab will show the objects in the selected OU or container.  There is a DN column in the table of the Contents tab which has the DN of the objects.

Output Tables - the table outputs for a number of options include the DN of the objects returned; the column is normally called DN, and it can be copied using the right click context menu.

AD Properties - is a context menu item available throughout NetTools.  The AD Properties dialog has a similar format to the properties dialog in the AD Users & Computers management console; there is a tab called Object which has the DN of the object.

AD Attributes - is another context menu item that is available; this dialog will display all the attributes on an object, and the distinguishedName attribute is also displayed.

How To: Check if workstations are still active

There are a number of different ways to check if an AD domain-joined workstation is still being used or active in the environment.   This article provides a couple of different approaches depending on the number of workstations or the type of information required. All approaches are based on the standard assumption that an active workstation will update the pwdlastset, lastlogon and lastlogontimestamp attributes while connected to the domain\network.

Which attribute you use to validate if the workstation is still active will depend on the configuration of the AD:

PwdLastSet – this will change each time the workstation changes its password, and this change is replicated to all domain controllers, so the time reported by one domain controller will be the same on all.  The frequency at which the password is changed is controlled by the "Domain Member: Maximum machine account password age" and "Domain Member: Disable machine account password changes" GPO settings.  The default maximum password age is 30 days; however, if the password update is disabled, then the PwdLastSet attribute will not change.  Also, in some scenarios, if the workstation is used remotely and not connected to the network for long periods of time, then pwdlastset will not be updated.

LastLogon – this is the last time that the workstation logged on; however, this attribute is not replicated between domain controllers, so you have to retrieve the attribute from all the domain controllers to get the last logon time.  As with the PwdLastSet attribute, if the workstation is used remotely for long periods of time, this attribute may not be updated.

LastLogonTimeStamp - this attribute is also replicated between domain controllers; however, the replication of this attribute doesn't happen every time the workstation logs on. By default it will be updated every 14 days, details here, so if 14 days is close enough then this is the best attribute to use.

Single Workstation:

The quickest method is to search for the workstation using the Search option under Users to find the workstation's object in AD. From there, right click on the required workstation and from the context menu select Use With -> Last Logon.  All three attributes are displayed in the one view. The Last Logon column displays the lastlogon attribute from each of the domain controllers in the domain; sort this column to find the most recent logon time. The lastlogontimestamp and pwdlastset values will be the same across all servers.

Another method to check for activity, not specifically based on the lastlogon attribute, is to use the object's Meta Data to get the list of attributes that have been changed, and then compare the time the changes were made to confirm if the workstation is still active.  To display the Meta Data for an object, complete the search as described above, from the context menu select Meta Data, and then sort the form based on the time column. The relevant attributes are dBCsPwd, lmPwdHistory, ntPwdHistory, pwdLastSet, supplementalCredentials and unicodePwd, which are updated when the password is changed.

Multiple Workstations:

If you want to check the details of a number of workstations, the Last Logon Time option is the easiest option to use.  This option requires a list of the workstations' samaccountnames; for workstations the samaccountname must include the trailing $ character.  Once the list is pasted into the right hand pane and Go is pressed, it will check each entry against all the domain controllers in the domain and display the latest time recorded across all the domain controllers.
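The per-attribute reasoning above (lastlogon is per-DC, pwdlastset may be frozen, lastlogontimestamp lags by up to 14 days) can be turned into a small staleness check. This is an added example, not NetTools code: it takes the three attributes as each DC returned them, converts the FILETIME values, picks the newest lastLogon across DCs, and credits lastLogonTimestamp with its 14-day slack before deciding a workstation is stale. The DC names and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet, lastLogon and lastLogonTimestamp as Windows FILETIME values:
# 100-nanosecond ticks since 1601-01-01 UTC. This is the tick offset to the Unix epoch.
FILETIME_UNIX_OFFSET = 116444736000000000
TICKS_PER_SECOND = 10_000_000
# lastLogonTimestamp is only rewritten when the stored value is older than this (default 14 days).
LASTLOGONTIMESTAMP_GRANULARITY = timedelta(days=14)

def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime; 0 or missing means 'never'."""
    ft = int(ft or 0)
    if ft <= 0:
        return None
    return datetime.fromtimestamp((ft - FILETIME_UNIX_OFFSET) / TICKS_PER_SECOND, tz=timezone.utc)

def datetime_to_filetime(dt):
    """Inverse conversion, used below only to build the constructed sample data."""
    return int(dt.timestamp() * TICKS_PER_SECOND) + FILETIME_UNIX_OFFSET

def newest_per_attribute(per_dc):
    """per_dc maps DC name -> the three attributes as that DC returned them.
    lastLogon is not replicated, so only the newest value across all DCs is the real last
    logon; the other two are replicated, and taking the newest copy is harmless."""
    newest = {"lastLogon": None, "lastLogonTimestamp": None, "pwdLastSet": None}
    for attrs in per_dc.values():
        for name in newest:
            value = filetime_to_datetime(attrs.get(name))
            if value and (newest[name] is None or value > newest[name]):
                newest[name] = value
    return newest

def is_stale(per_dc, now, max_age=timedelta(days=90)):
    """True when no attribute shows activity within max_age. lastLogonTimestamp can lag the
    real logon by up to 14 days, so it is credited with that slack before the comparison."""
    seen = newest_per_attribute(per_dc)
    if seen["lastLogonTimestamp"]:
        seen["lastLogonTimestamp"] += LASTLOGONTIMESTAMP_GRANULARITY
    return not any(v and v >= now - max_age for v in seen.values())

# Constructed sample: only DC01 saw the recent logon; the replicated values agree on both DCs.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def days_ago_ft(days):
    return datetime_to_filetime(NOW - timedelta(days=days))
SAMPLE = {
    "DC01": {"lastLogon": days_ago_ft(2), "lastLogonTimestamp": days_ago_ft(10), "pwdLastSet": days_ago_ft(20)},
    "DC02": {"lastLogon": days_ago_ft(40), "lastLogonTimestamp": days_ago_ft(10), "pwdLastSet": days_ago_ft(20)},
}
```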

If you require additional information about the workstations other than the lastlogon details, then the LDAP Search is the best option. The saved query below uses Input Mode to return the details: you paste a list of workstations into the Input pane and return any information you require about the workstations, including Operating System, Version, etc.

[Active Workstations]
Options=879892770722397
Server=
BaseDN=##default
Filter=(&(objectclass=computer)(samaccountname=##input))
Attributes=lastLogon,lastLogonTimestamp,operatingSystem,operatingSystemVersion
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

This example assumes that the workstation SamAccountNames will have the trailing $; however, if the filter is changed to the following, the trailing $ is not required:

Filter=(&(objectclass=computer)(samaccountname=##input$))

Related Items

Troubleshooting Account Lockouts
User Search
LDAP Search
Input Mode
Favorites

How To: Search for multiple users based on email address

This article shows how to create an LDAP query that can be used to search for users based on an email address or UPN.  The query uses Input Mode to allow a list of email addresses\UPNs to be searched at one time.  It will search for the user's email address in the mail, UPN and proxyaddresses attributes.

You will notice in the filter that the proxyaddresses section of the search includes the SMTP: prefix. This ensures that only smtp entries are returned, and because it avoids a leading wildcard it also improves the performance of the search.

Here is the Favorite, see Favorites for details on how to import this query into NetTools.

[User Mail Search]
Options=879892770722397
Server=
BaseDN=##default
Filter=(&(objectclass=user)(|(userPrincipalName=##input)(mail=##input)(proxyaddresses=smtp:##input)))
Attributes=displayname, userAccountControl,accountExpires, lastlogontimestamp
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

Once the query has been imported and selected, paste a list of email addresses into the table view and click Go.
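To show what the favorite above does for each pasted row, here is an added example (not NetTools code) that builds the same filter for a single address and for a whole list, and models the server-side proxyaddresses match. The RFC 4515 escaping is an addition: how NetTools itself substitutes ##input is not described on this page, and a pasted value containing * or ( would otherwise change the filter's meaning. The sample proxyAddresses values are constructed.

```python
# RFC 4515 escapes: without these, a pasted "*" turns an exact match into a wildcard
# and a pasted "(" or ")" can alter the filter structure.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_mail_clause(address):
    """The three alternatives the [User Mail Search] favorite tests for one input row."""
    v = escape_filter_value(address)
    return f"(userPrincipalName={v})(mail={v})(proxyaddresses=smtp:{v})"

def user_mail_filter(address):
    """Filter for a single pasted row, as the favorite produces after ##input substitution."""
    return f"(&(objectclass=user)(|{user_mail_clause(address)}))"

def batch_user_mail_filter(addresses):
    """One filter covering the whole pasted list, equivalent to running the favorite per row."""
    clauses = "".join(user_mail_clause(a) for a in addresses)
    return f"(&(objectclass=user)(|{clauses}))"

def proxyaddress_matches(proxy_values, address):
    """Model of the server-side equality match on proxyAddresses: the attribute is
    case-insensitive, so smtp:<address> matches both the SMTP: primary and smtp: secondaries,
    but never sip:, X500: or other address types that share the same right-hand side."""
    wanted = f"smtp:{address}".lower()
    return any(value.lower() == wanted for value in proxy_values)

# Constructed proxyAddresses values for one user object.
SAMPLE_PROXYADDRESSES = [
    "SMTP:jane.doe@example.com",
    "smtp:jdoe@example.com",
    "sip:sipme@example.com",
    "X500:/o=ExampleOrg/ou=Exchange Administrative Group/cn=Recipients/cn=janedoe",
]
```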

Related Items:

LDAP Search Options
Input Mode
Favorites
Saved Favorites


How To: Display the properties of the members of a group

This article explains how to use the ASQ (Attribute Scope Query) server side control to return the display name and email address of all the members of a specific group.

First go to the Search option under Users in the left hand pane, deselect the Return Users Only option, enter the name of the group in the username field, and click Go.

Select the required group from the list of returned results, right click on the item, and from the context menu select Use With -> LDAP Search.  This will populate the LDAP Search option with the details of the group.

Click on the More button. In the Server Side Controls section, select the Attribute Scope Query option, and set the Search Scope to Base Level.

In the Attributes field enter 'Member, displayname, mail' and click Go.

In this example we are only returning the display name and email address for the members; however, you can specify any of the user's attributes you want to display, they just need to be added to the Attributes list.

In this example we don't specify which objects to return. We can restrict the results to user accounts only by changing the filter to (objectclass=user), or to (objectclass=group) to return only the groups that are members.

[Search]
Options=879892770981453
Server=NULL
BaseDN=
Filter=(objectclass=*)
Attributes=Member, displayname, mail
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

Related items:

ASQ details
User Search
LDAP Search - Options
LDAP Favorites

How To: Display deleted objects

By default, objects deleted in Active Directory are not visible.  NetTools provides the ability to quickly and easily display deleted and recycled objects.  From the LDAP Search, click on the More button to display the Advanced options and select the Deleted and Recycled objects options.

Deleted

With these options selected, queries will include the Deleted Objects container in searches.  Also, with these options selected, the LDAP Browser and OU Selector will display the Deleted Objects container.

To use these server side controls, the user context that runs the query or browses the directory must have administrator rights.  You can use the Credentials option to specify a user context that has rights.

Related Items:

LDAP Search - Options
LDAP Search
LDAP Browser

How To: Run NetTools

NetTools consists of a single executable, which doesn't need to be installed and can be run from any location, be it a network share, local drive or removable storage.  The location can be read-only; however, in this case the option to save lists and favorite queries will not be available.

The NetTools.ini configuration file should be located in the same directory as the executable.