Locked Accounts

This option will display all the locked accounts in the domain, additional details are also display for the accounts, including when the user's password was lasted changed, locked out time and last bad password time.  

The details returned are the value of the attributes stored on the specified server, as some attributes are not replicated between Domain Controller, and are the local values on the specified server, and may not represent the most up to date value.  To retrieve the most up value from all the Domain Controllers you should use the Last Logon option, which a linked option from the right click context menu which will automatically display the details for the selected item. See Last Logon

The unlock button can be used to unlock the selected accounts, this can be a single or multiple accounts.

Group Manager

Group Manager provides the ability to bulk update the membership of groups. Lists of users or groups can be used to update the group membership of the selected group.  The group to be managed is specified as either the SamAccountName or DN, when the Refresh button is pressed the current membership of the group is displayed on the left hand pane.   The right hand pane is used to paste the list of users and groups that are to be added or removed from the group. The list that is pasted into the right pane can contain SamAccountNames, UPN, email, DN or SIDs or any combination of these.

Once the list has been imported, clicking on the Report button will display which objects in the list are members of the group.

To add or remove objects from the group, you need to tick the corresponding objects you which to change, then click on the Add or Remove button.  There are right click context menus that help selecting and deselecting of objects.

In the above screenshot the list of 5 users have been added to the group.  This shows that an error was returned by AD for the first users as they were already members of the group, the remain three users were added successfully to the group.  Once the Add is complete the left hand pane is updated to the current list of members. 

The Include Cross forest lookup option, allows for the details of objects in different domains in the same forest to be displayed.  This option is not selected by default to improve the performance in a multi-domain environment.

SID History Bulk

The SID History (Bulk) option is used to add SID History to objects which is used to support domain migrations.  This function is based on the DsAddSidHistory API, this API has a list of requirements that must be in place before it can update the SID history attribute on the target objects. Details of the requirements can be found here.  The function has to successfully complete a validation on the details before the file import and run options are enabled.

Source Domain: this is the domain that has the source objects
Target Domain: this is the domain where the SID from the source object, will be added to the SID History attribute of the target object.

NetTools needs to be run on the domain controller in the target domain.  The validation details need to be entered and then click the Validate button.

sid history validation

This is the output of the validation test for a successful validation, if there are any issues, the details will be displayed.  The validation test doesn't check for the audit requirements but will be reported as a error when you try to execute the change.  Check the Microsoft article above for details of the audit requirements.

Validating Source Domain Information
Uplevel Domain
Source Domain: TARGET
Source DC: dc03.target.net
Source domain local group exists
Source Domain Validation Complete
Validating Target Domain Information
Uplevel Domain
Target Domain: NETTOOLS
Target DC: dc01.nettools.net
Target Domain Validation Complete
Validating Target Domain SPN Bind
Bound to target DC
Validation complete

Once the validation is complete the Import file and execute buttons are enabled.  The input file is a semi-comma separated list of source and target object names, the object names need to be based on the SamAccountName.  Once the file has been imported the source and target objects pairs are displayed in the import pane.  When the execute button is pressed, the result of the changes are displayed in the status column.

Side Note:  I have completed numerous domain migrations, with and without SID history and while SID history does make the initial phase of the migration simpler, it does mean you move the remediation of permissions and the removal of SID History to the end of the migration\project. Usually this means that there limited time or appetite to complete this work, and as a result SID History never gets removed.  This does have the side effect of increasing the size of the user's access token and while the introduction of Windows 2012, and the introduction of larger access token buffers, which can reduced this impact, it can still cause intermittent authentication issues, especially with IIS.  My advise is not to use SID History and complete the remediation of the permissions before migrating the users as this will ensure that you can identify and resolve issues earlier in the project timeline, which then removes the possibility of SID History issues waiting to bit you in the future.

Group Changes

Group Changes is an audit feature that shows the group membership changes for the specified user.  This is more than just displaying the group memberships for the user, the function will scan the AD replication properties of all groups in the domain, forest or selected OU for any changes associated to the user and display the corresponding operations, covering both addition and removal from groups.


The function scans the object Meta data contained in the msDS-ReplValueMetaData attribute of the group objects to identify changes associated to the user.  

As the function will scan all of the group objects in the selected scope, depending on the number of groups, the scan can take an extended period of time to complete. Due to the amount of data that is read from the AD, it's best to run NetTools on the DC or from a machine with a high speed network connection (LAN). 

LDAP Search – Base DN Formats

Active Directory support a number of different formats for the Base DN field, these are Distinguished Name, GUID and SID 

Distinguished Name is based on RFC 4514 e.g. CN=user1,CN=users,DC=domain,DC=com

GUID provides the GUID of an object which will be used as the base for searches, i.e <GUID=01f04883-d68e-4367-8ad1-a2faa79a2e5a>

SID format is the same as GUID but the entry is based on a SID i.e. <SID=S-1-5-21-2816452191-2840564649-4223122534-1000>

The SID and GUID option with the Search Scope set to Base Level can be used as quick search for users or other objects in the AD based on the GUID or SID.  The SIDs and GUIDs are entered in standard readable format.

LDAP Search – Enums

NetTools includes over 50 predefined enumeration to decode the values assigned to specific attributes, these include the meaning of associated values assigned to teh attributes. An example would be the UserAccountControl attribute, which is shown below. To display the Enums dialog box click on the button at the end of the filter field.

The dialog box can used to browse the predefined entries and from the context menus, the values can then be used in filters.

There are two type of Enums defined in NetTools, Bit and Value.  The Bit enums are used for attributes that use a bit mask to define the function of the attribute, and a single bit in the value is used to represent an enabled or disabled state of an option.  The Value type is used for attributes that have a single value to represent the function.

The Enums are used by attributes that have the ATTRIBENUM or ATTRIBENUM_NONUM decode type assigned, the attribute name is then used to lookup the corresponding enums assigned to that attribute.  Currently there is no method for a user to add additional Enum to NetTools, they are statically defined in the program. 

LDAP Search – Credentials

LDAP Search provides the ability to specific the credentials under which a query will be executed, it also provides the ability to select the authentication method that will be used to pass the credentials to the server.

The Credentials dialog is found when the More button is pressed.


There are four different authentication methods available:

LDAP_AUTH_SIMPLE, this method requires the DN of the account and password, domain is not required
LDAP_AUTH_DIGEST, this method requires the samaccountname and password
LDAP_AUTH_NEGOTIATE, this method requires either, samaccountname or UPN and password, the domain is optional
ANONYMOUS, the username and password are not required.

Warning: With the simple bind method the password is sent in clear text to the server, you should use this method in association with an SSL based connection to protect the password.

The default behavior of NetTools is use the negotiate method, when connecting to an Active Directory, you don't need to provide any credentials, the current user's context will be used based on Kerberos authentication.

A number of other options in NetTools use the credentials provided in this dialog to run the option under a different or elevated set of credentials, this is shown as Use the LDAP Search Credentials.

LDAP Search

The LDAP Search option is a feature rich LDAP Client that provides the ability to query, browse, update LDAP directories.  It includes the following features:

      • Supports browsing and editing of LDAP directories
      • A Windows GUI based client
      • Support for SSL based connection
      • The option to bypass native certificate validation process
      • Ability to display the SSL certificate used for the bind
      • Supports Connectionless LDAP queries
      • Support for Simple, Digest, Negotiate, and Anonymous authentication types
      • Supports server side controls
      • Transparent support for paged and ranged based queries
      • Display the attributes of selected Attributes
      • Support for conditional attributes
      • Output results as text or table format
      • Auto-complete of attributes and classes for ease of entry
      • Run update queries to modify attributes on single, or multiple objects
      • Support to move and delete objects
      • Support for over 40 different attribute decode types
      • Support for automatic and manual selection for attribute decodes
      • Attribute based dynamic decode and sort feature
      • Browser the 50 in-built attribute enumeration 
      • Query output to text and csv files
      • Copy and paste support, so results can be pasted directly in spreadsheets
      • Configuration of LDAP Session Options
      • Includes an LDAP Browser
      • Secondary display filters to enable client side filtering of results returned from server
      • The ability to display deleted and recycled objects in Active Directory
      • Show AD search statistics 
      • Inline shortcut substitution to simplify query creation
      • LDAP Filter Wizard to simplify complex queries generation
      • Input Mode to allow for user input based queries, including updates
      • Ability to save queries as favorites so they can be reused
      • The ability to export and import saved queries for easy sharing
      • Context based variables to allow saved queries to run on different directories without modification
      • The ability to batch queries and feed the results into the next query
      • The ability to create custom context based menu items to call saved favorites
      • Ability to sort and filter returned results, similar to Excel column filters

Copy to new Window

The Copy to new Window context menu, provides the ability to copy the results from the current output pane in NetTools to a new separate detached window.  The new window provides the ability to sort and filter the view based on a number of selection criteria.

By right clicking on the column headers, the filter dialog box will be displayed.  This allows the entries in the column to be filtered based on a text filter or a contents selection.  You can select a text or context filter, or both.


The Text Filter provides the following filter options:

      • Equals
      • Does not Equal
      • Begins With
      • Does not begin with
      • Ends with
      • Does not end with
      • Contains
      • Does not contain

The Column Filter section displays all the unique items in the column, using the check boxes you can select which items will be displayed. 

When a column filter is applied the heading of the column to appended with the text '- (filtered)'.  The Clear All button, will remove all the filters that have been applied. 

The filter function support up to a maximum of 200 columns, if the output field contains more than 200 columns, a warning message is displayed and filtering option is disabled.


LDAP Search – LDAP Filter Wizard

The LDAP Filter Wizard provides the ability to display and edit LDAP filters in a hierarchical view. 

The LDAP Filter Wizard provides the following features:

      • Drag and drop to move items around
      • Insert new operators and conditions
      • Change existing operators and conditions
      • Selection of classes and Attributes from dropdown list

The Operators, AND, OR, NOT, and Filter, have a dual function, one to show the operation of the currently selected item, and two to select the operation for the New and Change operations.  When the New Parent, or New Child buttons are pressed the new item will be added based on the selected Operator.  When the Change button is pressed the selected item will change to the selected Operator.  With the Filter Operator you can select the required attribute or class from the dropdown list, additional text can be added to complete the condition before the items is added.

The Delete Button will delete all items under the selected item.  If you wish to preserve any of the items under the selected items, they must be moved to another point in the filter before the item is deleted.

If you click twice on an items in the hierarchical view, it will allow you to edit the details of the item.

The MS LDAP API and NetTools will accept fully compliant RFC4515 Not statements or the abbreviated alternative.  With RFC4515 the Not statement must be constructed as such (!(condition)) i.e. (!(objectclass=user)), while the MS LDAP API will accept the abbreviated form of (!condition) i.e. (!objectclass=user).  When the RFC4515 option is selected the wizard will return compliant Not statements.  The LDAP Filter Wizard is able to read both formats.

The example shown is using a number of the substitution options, see LDAP Search Substitution