LDAP Search Favorites

The LDAP Search option in NetTools can save queries as favorites so they can be reused; there are also options to export and import queries.  Saving a query as a favorite takes only a few steps: first, set up the query as required; second, enter a name in the Favorite field; then click the Save button.

Previously saved favorites can be displayed by clicking on the drop-down list at the end of the Favorite field. Favorites are saved in the NetTools.ini file using standard ini formatting.  Here is an example of a saved favorite called 'Active Users':

[Active Users]
Options=879892770722381
Server=localhost
BaseDN=cn=project
Filter=(&(objectclass=user)(!useraccountcontrol|=2))
Attributes=samaccountname
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

NetTools comes with over 280 predefined queries; the full list of queries is here.  More examples and information on other favorites can be found here.

Variables

Saved favorites support the use of variables so that a saved query can be used against any directory, not just the directory it was originally created against. The following variables are supported:
##default - This will be replaced with the default naming context as defined by the defaultNamingContext attribute in the RootDSE
##config - This will be replaced with the configuration naming context as defined by the configurationNamingContext attribute in the RootDSE
##root - This will be replaced with the root naming context as defined by the rootDomainNamingContext attribute in the RootDSE. V1.30.8 and above
##schema - This will be replaced with the schema naming context as defined by the schemaNamingContext attribute in the RootDSE
NULL - This is used to set the field to blank

By default, if a field value is not defined in the ini, that field is not changed when the favorite is selected and its current value is preserved.

The variable can be entered in the corresponding field before the favorite is saved, or by editing NetTools.ini after the favorite has been saved. The variables are populated when the Populate button is pressed (see LDAP Search Populate); selecting the saved favorite then replaces each variable with the relevant details.

NetTools also supports sharing your favorites using the import and export functions: at the end of the Favorite field there are three buttons, to save, export and import a favorite to and from the clipboard.  When the Import button is pressed the following dialog is displayed; the favorite text can be pasted into the dialog and added.  The imported favorite is saved under the name in the square brackets; if a favorite with that name already exists it is overwritten.

 

Context Favorites

LDAP Search also supports context-based favorites. These favorites are not listed in the Favorite drop-down list; they are displayed under the Custom menu item on the context menu of the text pane.  With Context Favorites, the text selected in the text output pane can be passed to the favorite.

To create a Context Favorite, the name used to save the favorite must start with ##sel, e.g. ##selGet Details.  The favorite is then displayed as Get Details under Custom on the context menu.

The selected text from the Text view pane is passed to the query by using ##sel as a substitution in any field of the favorite.

[##selGet Details (samaccountname)]
Options=879892770719309
Server=
BaseDN=##default
Filter=(samaccountname=##sel)
Attributes=displayname, accountexpires, pwdlastset, lastlogontimestamp, useraccountcontrol
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

In this example the selected text is expected to be the samaccountname, and the favorite searches for and returns the details of the object.  To indicate what the selected text should contain, add a hint to the favorite name as in the example.

See Favorites for more examples.
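The rules above for saved favorites (the ##default/##config/##root/##schema variables, NULL, fields left undefined) and for context favorites (##sel in the name and in a field) as an added example in Python; this is not NetTools code. The ini text and the RootDSE values are constructed samples, and the treatment of an empty field value as "not defined" is an assumption, since the page only documents NULL as the way to blank a field.

```python
import configparser

# Constructed sample NetTools.ini content in the layout shown above (only the
# fields this example needs; the Options/Authentication codes are the page's).
FAVORITES_INI = """\
[Active Users]
Options=879892770722381
Server=localhost
BaseDN=##default
Filter=(&(objectclass=user)(!useraccountcontrol|=2))
Attributes=samaccountname
DisplayFilter=NULL
Authentication=1158
Separator=,

[##selGet Details (samaccountname)]
Options=879892770719309
Server=
BaseDN=##default
Filter=(samaccountname=##sel)
Attributes=displayname, accountexpires, pwdlastset, lastlogontimestamp, useraccountcontrol
Authentication=1158
"""

# Constructed RootDSE values for a single-domain forest; the Populate button
# would read these from the server.
ROOTDSE = {
    "defaultNamingContext": "DC=corp,DC=example",
    "configurationNamingContext": "CN=Configuration,DC=corp,DC=example",
    "rootDomainNamingContext": "DC=corp,DC=example",
    "schemaNamingContext": "CN=Schema,CN=Configuration,DC=corp,DC=example",
}
VARIABLES = {"##default": "defaultNamingContext",
             "##config": "configurationNamingContext",
             "##root": "rootDomainNamingContext",
             "##schema": "schemaNamingContext"}
SEL_PREFIX = "##sel"

def load_favorites(ini_text):
    """Parse the ini into {favorite name: {field: value}}, keeping field case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep BaseDN, DisplayFilter etc. as written
    cp.read_string(ini_text)
    return {name: dict(cp[name]) for name in cp.sections()}

def is_context_favorite(name):
    """Context favorites are named ##sel<label> and appear on the Custom menu."""
    return name.startswith(SEL_PREFIX)

def menu_label(name):
    return name[len(SEL_PREFIX):] if is_context_favorite(name) else name

def resolve_field(value, rootdse, selected=None):
    """Apply NULL, the ##default/##config/##root/##schema variables and ##sel."""
    if value == "NULL":
        return ""
    for var, attr in VARIABLES.items():
        value = value.replace(var, rootdse[attr])
    if SEL_PREFIX in value:
        if selected is None:
            raise ValueError("favorite uses ##sel but no text is selected")
        value = value.replace(SEL_PREFIX, selected)
    return value

def select_favorite(fav, current_fields, rootdse, selected=None):
    """Return the LDAP Search fields after selecting a favorite. Fields the ini
    does not define keep their current value; an empty value is treated the same
    way (assumption: the page documents only NULL as the way to blank a field)."""
    fields = dict(current_fields)
    for key, value in fav.items():
        if value == "":
            continue
        fields[key] = resolve_field(value, rootdse, selected)
    return fields
```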

LDAP Search Substitution

NetTools supports a number of inline substitution options that allow different data types to be entered in user-friendly formats, without the need to remember complicated data formats.  These can be used in the filter to simplify filter entry, or to convert the data format for attribute updates with Update Queries.

There are two types of substitutions available: data converters and matching rule converters.

Data Converters
Data converters have the following format: {<type>:[data]}

-1: int64 constant of -1, e.g. (pwdlastset={-1:}), which will be replaced with 9223372036854775807
anr: creates an ANR filter based on the input string, e.g. {anr:john smith}
getdn: returns the DN for the specified samaccountname, e.g. {getdn: domain admins} {getdn:user1}
guid: object GUIDs, e.g. (objectguid={guid:00AD5B16-8E22-49D5-B83A-BFDEA6DFF7DE})
hex: hexadecimal value, e.g. (&(objectclass=group)(grouptype={hex:0x8000002}))
idate: 64-bit time, e.g. (lastlogontimestamp={idate:31/12/2011})
ip: IP address in Windows order, e.g. (ipaddress={ip:10.12.45.254})
ipn: IP address in network order, e.g. (ipaddress={ipn:10.12.45.254})
oid: OID identifiers, e.g. (omobjectclass={oid:1.3.12.2.1011.28.0.702})
sdate: returns the date in dd/mm/yyyy format when used with the Now constant, e.g. {sdate:now}
sdatetime: returns the date in dd/mm/yyyy hh:mm:ss format when used with the Now constant
sid: object SID, e.g. (objectsid={sid: S-1-5-21-3499964120-3315823391-1593708255-164234})
unicode: returns the specified string as an escaped hex string, e.g. {unicode:new}
userinput: requests user input, e.g. {userinput:Date}; responses are cached against the label, and if the same label is used again the cached response is used
zdate: Generalized Time format, e.g. (whencreated={zdate:30/12/2011})

The zdate, idate, sdate and sdatetime types also support the constants Now, StartofDay and EndofDay, which can be used with an optional plus or minus number of days, e.g.:
{zdate:now}, {zdate:now-365}, {idate:now+5}, {sdate:now}
{zdate:startofday}, {zdate:endofday}, {idate:startofday-5}

Nesting is supported on a number of the substitutions, to convert from one format to another or to convert a user input, e.g. {idate:{userinput:enter date}}

Matching Rules Converters
Matching rule converters use a single character as a substitute for the matching rule OIDs in LDAP filters; these are | & % $

|= is the bitwise OR operator, e.g. (!useraccountcontrol |= 2) - expands to (!useraccountcontrol:1.2.840.113556.1.4.802:=2)

&= is the bitwise AND operator, e.g. (useraccountcontrol &= 2) - expands to (useraccountcontrol:1.2.840.113556.1.4.803:=2)

%= is the chain operator, e.g. (memberof %= (cn=Group1,OU=groupsOU,DC=test,DC=com)) - expands to (memberof:1.2.840.113556.1.4.1941:= (cn=Group1,OU=groupsOU,DC=test,DC=com))

$= is the DN-Binary or DN-String search, e.g. (msDS-HasInstantiatedNCs$=B:8:0000000D:CN=Configuration,DC=corp) - expands to (msDS-HasInstantiatedNCs:1.2.840.113556.1.4.2253:=B:8:0000000D:CN=Configuration,DC=corp)
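An added Python re-implementation of the data converters and matching rule converters described above, so that the expansions can be checked offline before a filter is used; this is not NetTools code. It covers {-1:}, {hex:}, {idate:}, {zdate:} (with the now/startofday/endofday constants and day offsets), {guid:}, {sid:}, nested braces, and the |= &= %= $= shorthands; converters that need a directory or a prompt (anr, getdn, userinput, ip/ipn, unicode) are left out. The FILETIME, Generalized Time, GUID and SID encodings are the standard Active Directory ones; the value emitted for {-1:} is the one the page gives.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1)          # Windows FILETIME epoch, 100 ns ticks

MATCHING_RULES = {                          # single-character shorthand -> OID
    "|=": "1.2.840.113556.1.4.802",         # LDAP_MATCHING_RULE_BIT_OR
    "&=": "1.2.840.113556.1.4.803",         # LDAP_MATCHING_RULE_BIT_AND
    "%=": "1.2.840.113556.1.4.1941",        # LDAP_MATCHING_RULE_IN_CHAIN
    "$=": "1.2.840.113556.1.4.2253",        # LDAP_MATCHING_RULE_DN_WITH_DATA
}

def parse_date(text, now=None):
    """dd/mm/yyyy, or now|startofday|endofday with an optional +N/-N days."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    m = re.fullmatch(r"(now|startofday|endofday)([+-]\d+)?", text.strip(), re.I)
    if m:
        base = {"now": now,
                "startofday": now.replace(hour=0, minute=0, second=0, microsecond=0),
                "endofday": now.replace(hour=23, minute=59, second=59, microsecond=0),
                }[m.group(1).lower()]
        return base + timedelta(days=int(m.group(2) or 0))
    return datetime.strptime(text.strip(), "%d/%m/%Y")

def idate(text, now=None):
    """64-bit Windows FILETIME (pwdLastSet, lastLogonTimestamp): 100 ns since 1601."""
    delta = parse_date(text, now) - EPOCH_1601
    return str((delta.days * 86400 + delta.seconds) * 10_000_000)

def zdate(text, now=None):
    """Generalized Time as AD stores whenCreated: YYYYMMDDHHMMSS.0Z."""
    return parse_date(text, now).strftime("%Y%m%d%H%M%S") + ".0Z"

def escape_bytes(raw):
    """RFC 4515 escaping for binary values inside a filter: one \\hh per byte."""
    return "".join(f"\\{b:02x}" for b in raw)

def guid(text):
    """objectGUID is stored in GUID-struct (mixed-endian) byte order."""
    return escape_bytes(uuid.UUID(text.strip()).bytes_le)

def sid(text):
    """Binary SID: revision, sub-authority count, 48-bit big-endian authority,
    then each sub-authority as a little-endian 32-bit value."""
    parts = text.strip().split("-")
    if parts[0].upper() != "S" or len(parts) < 3:
        raise ValueError("not a SID: " + text)
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    raw = bytes([rev, len(subs)]) + auth.to_bytes(6, "big")
    raw += b"".join(s.to_bytes(4, "little") for s in subs)
    return escape_bytes(raw)

CONVERTERS = {
    "-1": lambda d, now: "9223372036854775807",   # value the page gives for {-1:}
    "hex": lambda d, now: str(int(d.strip(), 16)),
    "idate": idate,
    "zdate": zdate,
    "guid": lambda d, now: guid(d),
    "sid": lambda d, now: sid(d),
}

def expand(filter_text, now=None):
    """Expand nested {type:data} converters innermost-first, then turn the
    |= &= %= $= shorthands into extensible-match syntax attr:OID:=value."""
    pattern = re.compile(r"\{(-1|[a-z]+):([^{}]*)\}")
    while (m := pattern.search(filter_text)) is not None:
        kind = m.group(1)
        if kind not in CONVERTERS:
            raise ValueError("unsupported converter: " + kind)
        filter_text = (filter_text[:m.start()]
                       + CONVERTERS[kind](m.group(2), now)
                       + filter_text[m.end():])
    return re.sub(r"([\w.-]+)\s*(\|=|&=|%=|\$=)\s*",
                  lambda mm: f"{mm.group(1)}:{MATCHING_RULES[mm.group(2)]}:=",
                  filter_text)
```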

Attribute Scope Query

The Attribute Scope Query (ASQ) is a server-side control that returns the attributes of the members of an Object(DN-DN) attribute, e.g. member.  The specified attributes are returned for each DN included in the Object(DN-DN) attribute.

For ASQ queries the LDAP Search input fields must be set as follows: the BaseDN field must be set to the DN of the object containing the Object(DN-DN) attribute; the Search Scope must be Base Level; the Filter field is applied to the members of the Object(DN-DN) attribute and can be used to filter\limit which items are included in the search; and in the Attributes field, the first attribute named must be the name of the Object(DN-DN) attribute, followed by the list of attributes that are required.

In the above example, the member attribute of the group object is used as the Object(DN-DN) attribute, and the query returns the last time each user logged on and when they last changed their password.

The Filter field can be used to limit\filter the records that are returned. The filter is applied to the objects in the Object(DN-DN) attribute and only the objects that match the filter are returned; for example, setting the filter to (&(objectclass=*)(!userAccountControl|=2)) returns only accounts that are enabled.  This filter uses the substitution feature to simplify the entry of complicated filters; see Substitutions.

Advanced operations - it is possible to combine Input Mode and the ASQ option to query the Object(DN-DN) attribute of multiple objects in a single operation.

To do this, first enable Input Mode by selecting the Table Input option, select the Create Multiples option, and then paste the list of object DNs to be queried into the table view.  Set the BaseDN to ##input and click Go.  The results for each DN in the search attribute are displayed on an individual line.

LDAP Search Input Mode

LDAP Search supports an option called Input Mode, which allows you to run a query against a list of user inputs, with the results displayed against each input item.  To enable Input Mode, Table View and Table Input must both be selected; this enables a few extra options and items on the Table View context menu.

When Input Mode is selected, the other options in the Table View options are enabled. The column names in the table view also change to ##Input<..>, whether there is already data in the table (the table contents are preserved) or when the input lists are added.  Input Mode supports up to 9 input lists.

Input lists are added to the table view using the additional items in the context menu: Load Input, Paste Replace and Paste Insert.

Load Input - loads the list from a file; the file must be tab separated
Paste Replace - pastes the contents of the clipboard into the table view, clearing the existing contents of the table; use this to copy the contents of a multi-column spreadsheet
Paste Insert - pastes the contents of the clipboard into the table view; the existing contents of the table are preserved

The table view above is shown after the input lists have been added.  The column headings are updated to show the variable name for each list; these variable names can then be used in the query input fields.

In the example above only the first input variable is used in the filter; the second input is ignored.  When the query is run, it is run once for each item in the list, with ##input substituted with the value from the list.  If the query returns results, the attributes are displayed on the same line as the entry.

In the example above, both variables are used in an Update Query; the ##input2 variable is used to update the department name of the user.

LDAP Search Update Queries

NetTools supports not just querying the directory but also performing updates. Because writing to a directory comes with some risks, there are a number of safeguards to make sure that you update the directory by intent and not by mistake.

To use the Update option you must enter the required details in the Attributes field (see the syntax below) and then select the Enable Updates option. This enables Preview mode by default as an extra safety net.  Preview mode allows you to run the query and show the values that would be written to the attributes when Preview mode is turned off.  When Preview mode is deselected, the Go button turns red to show that update mode is enabled and attributes may be changed when the query is run.  Please note that there is no undo option for updates.  When you run an update query, the values returned for each attribute are the new values of the attributes after the update has completed.  If an error occurs during the update, the LDAP error code is returned; in most cases these are self-explanatory and are usually due to a schema restriction.  See the Single Update option below for more information on how to determine which update caused the error.

Update Queries update attributes based on the values specified in the Attributes field or on data specified in the Input Mode columns. To update an attribute, an Update Operator must be specified after the attribute name, followed by the value you wish to set.  This is the syntax for the update operation:

Syntax: <Attribute><Op><Value>

Attribute: The name of the attribute that you wish to update
Op: The update operation that is to be performed

=+    Add Value to the attribute
=-    Remove Value from the attribute; if no Value is specified the attribute is cleared
==    Set\Replace the current value of the attribute with Value
=|    Perform a bitwise operation on the current value of the attribute; this Op has a specific format for the Value, see mask details below
=#    Delete the object from the directory
=>    Move the object to the new location specified by Value; the Value should be enclosed in quote marks

Value: the data to be written to the attribute. For the bitwise operator =| the Value has the form <Mask>:<Data>, where:

Mask - the bitwise mask. Note: Input Mode substitution can't be used on this field, only on the Data field
Data - the bits to be set, based on the bit mask

The Add operator '=+' can fail because of the schema definition of the attribute being updated.  If you use the Add operator on an attribute that the schema defines as single valued, the update succeeds when no value is assigned to the attribute, but fails if a value is already assigned.  For a single-value attribute it is better to use the Set '==' operator to assign the new value, as this sets or replaces the existing value.

The value provided to update attributes can use the same substitution options that are available in the filter field, i.e. sid, oid, ip, ipn, idate, zdate, hex, guid, unicode and userinput.  There are additional substitution options for the Attributes field: attrib and escape characters.  The attrib substitution retrieves the value of an attribute on the object being updated, which is useful for updating multi-line single-value attributes such as the Info field.  To retrieve the value of a specific attribute, which need not be the same attribute as the one being updated, you only need to specify the attribute name in the subst command, i.e. {attrib:info}.  Retrieval is limited to attributes that have a single value set; if multiple values are assigned to the attribute the retrieval fails and reports an error that multiple values exist.  The substitution also supports the standard C\C++ escape characters to include control characters or binary values; these are listed below.

C\C++ Escape Characters:

\a     07     Alarm (Beep, Bell)
\b     08     Backspace
\f     0C     Formfeed
\n     0A     Newline (Line Feed); see notes below
\r     0D     Carriage Return
\t     09     Horizontal Tab
\v     0B     Vertical Tab
\\     5C     Backslash
\'     27     Single quotation mark
\"     22     Double quotation mark
\?     3F     Question mark
\hh    any    The character whose numerical value is given by hh, interpreted as a hexadecimal number

The batch mode feature provides the ability to run a number of saved queries in a specified order.  It can be used to complete management tasks; one example is automating the disabling of inactive accounts.  This is achieved by creating a query that returns all accounts that are inactive according to your audit requirement, followed in the batch list by an update query configured as an input query that takes the results of the first query as its input; the second query then disables those accounts.

The userinput subst option can be used to prompt the user for input.  It prompts the user with a dialog box showing a label, which is specified in the subst command.  User inputs are cached against the label; if a label is used a second time the cached response is used and the user is not prompted. The userinput subst can be nested in other subst options, e.g. (pwdlastset>={idate:{userinput:Date}}): the user is prompted to enter the date, and the idate subst then converts it into a 64-bit date code.

Examples:

ExtensionAttribute1==Office1             - Sets ExtensionAttribute1 to Office1
ProxyAddresses=+smtp:www.world.com       - Adds the value to ProxyAddresses; the existing values are preserved
ProxyAddresses=-smtp:www.world.com       - Removes the specific value from the attribute
ProxyAddresses=-                         - Clears the attribute, i.e. sets it to not set
UserAccountControl=|2:2                  - Sets the 2 bit of the attribute to 1
UserAccountControl=|2:0                  - Clears the 2 bit of the attribute to 0
UserAccountControl=|6:4                  - Clears the 2 bit and sets the 4 bit of the attribute
dn=>"cn=users,dc=domain,dc=com"          - Moves the selected object to the specified location
dn=#                                     - Deletes the object from Active Directory
UserAccountControl=|2:##input2           - Sets bit 2 to the value of ##input2

Info=={attrib:info}\n user updated as part of change 31012
Info=={attrib:info}{attrib:mail} user updated as part of change 31012
Objectversion=={attrib:objectversion}1
Binary=+\23\34\01\5a\4f\00

Update mode can be combined with the multi-column Input Mode to update the attributes of objects with different values, for example to update the department and telephone number for a number of users.  If you paste three columns of data into the table view containing a list of samaccountnames, department names and new telephone numbers, then set the Filter field to (samaccountname=##input) and the Attributes field to Department==##input2, telephone==##input3, you can update all the users' details in one operation.  As another example, suppose you have a list of users that need to be disabled and another list of users that need to be enabled.  Combine the lists of samaccountnames and in the second column specify 0 for an account you want to enable and 2 for an account you want to disable.  Paste these columns into the table view, set the Filter field as in the previous example, and set the Attributes field to UserAccountControl=|2:##input2; this updates all the accounts in one operation.

Enable Updates - when selected, the update query is available

Single Update - the default when Update mode is selected; all the required updates are performed as a single update operation when the query is run.  The disadvantage of Single Update is that if you update multiple attributes at once and one of the updates fails, e.g. due to a schema restriction, the resulting error message is reported against the first attribute displayed and not against the attribute that caused the update to fail.  By deselecting the Single Update option, each update is performed separately, and if an update fails the error message is displayed against the attribute that caused the failure.

Object Deletion - the delete operator is only available when this option is selected

Delete Tree - when selected, the delete operation is performed as a delete tree operation and all sub-items are also deleted.  If this option is not selected and there are child items, the delete fails

Preview - this option is enabled by default when the Enable Updates option is selected. If the query is run with the Preview option selected, the returned values are the values that would be written to the attributes when the Preview option is not selected.  After an update query is run, the Preview option is automatically selected again

Display Results - this option is used to suppress the display of the results, which is useful if you are updating an attribute that contains a large number of values, e.g. group memberships, and significantly increases the performance of the update query.

Note: with the delete and move operators, the attribute used to carry the operator must have a value for the operation to be executed.  The best attribute to use in this case is one that always has a value, e.g. dn or objectclass.

Troubleshooting Account Lockouts

In most cases the user's account gets locked because the user's old or incorrect password is still being used, usually after the user has changed their password.  The difficulty is finding out what and where the old or incorrect password is being used: this could be a mapped drive that stores user credentials, an RDP session that was not closed correctly and left a disconnected session, a mobile phone, remote email access, or cached credentials on a workstation.

To help find the cause of the lockout you can use NetTools, which includes a number of tools\reports to show how and when the account was locked.

From NetTools, select Last Logon under Users in the left-hand pane. Enter the user's samaccountname in the Username field and click Go.  You only need to enter a server name in the Server field if the user account is in a different domain.

NetTools collects the logon details from each domain controller in the domain and displays the details held for that account.

The columns have the following meanings:

Server - The name of the domain controller the details are from
Last Logon* - The last time the domain controller successfully authenticated the user's credentials
LastLogonTime - The AD lastLogonTimestamp attribute; see this article for more info: http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
Locked - Indicates if the account is locked on this domain controller
Locked Time - The time the account was locked out
Bad Pwd* - The number of bad password attempts seen by this domain controller
Pwd Set - When the password was last set
LastBadPwd - The time when the last bad password attempt was received by this domain controller
Logon Count* - The number of times the account has been successfully authenticated by this domain controller
Meta Time - AD metadata: time of the last change to the unicodePwd attribute
Ver - AD metadata: version number of the unicodePwd attribute

* Some attributes are not replicated between domain controllers; these are highlighted with an asterisk after the name.  Because of this, each domain controller has its own set of details for each user account, and you need to review all domain controllers when trying to work out why and when an account was locked.

This is the same account after it has been locked; you can see that not all the domain controllers consider the account locked.  This is caused by AD replication latency; over time all the domain controllers will have the same view.

To troubleshoot when and why an account was locked out, first sort the results: click on the LastBadPwd column so the times are in descending order.  The topmost entry is when the account was last locked.  If the bad password time is not a time when the user would have been using the account, this could indicate that the account was locked by saved credentials.

The security event logs on the domain controllers and on the member servers of the domain contain the details of the account lockout.  NetTools can search the event logs to find events relevant to the account on the selected domain controller, then search the event logs of any member servers in the authentication chain, and display the information on the cause of the lockout.

To find the lockout details, select the domain controller with the last lockout time, right-click, and select Display Event Details from the context menu.  This enumerates the security logs for any failed authentication requests for the user account.

Related Articles

HowTo: Check that a user has actually changed their password

For more information on why and how accounts get locked out, see this article: https://technet.microsoft.com/en-us/library/hh994566(v=ws.10).aspx