Category Archives: Versions

NetTools v1.29.0


A new option to display the existing logon sessions on the machines, and the ability to display what processes are associated to a logon session.

NetTools now includes over 280 predefined LDAP queries
Finally removed the default icon and added a new one
Added the option to add selected item to Resolver on the context menu

ACL Browser
Updated to include the Modify owner rights in the ACE pane
Updated flags view to display an additional tag for each of the various SD flags and flag values
Added context menu to copy the SD to clipboard in SDDL format

AD Properties Dialog
Updated to include the msExchRemoteRecipientType on the Exchange tab
Added capability to manage group membership of the member and memberof attributes
Updated TokenGroup tab to display the source SID rather than 'Error' if the SID can't be resolved
Added sMGS tab to display details associated to Group Managed Service Accounts, with the option to display and copy the current and previous passwords
Updated icons for Managed Service Accounts and Group Managed Service Accounts
Added BitLocker tab to display BitLocker recovery keys

Attribute Dialog
Added context menu to display the Attribute Value dialog with and without attribute Decode
Added context menu to allow the value to be displayed in Hex Dump
Added context menu to display the schema definition of an attribute

Added a manual flag option, so you can specify the actual flags sent to server

Updated the Clipboard option to display the different data types available in the clipboard and the ability to display the data associated to each clipboard data type
Included the option to display a hex dump of the clipboard data

Connection Profiles
Updated AD Properties and Attributes dialog and Top Quotas to work correctly with Connection Profiles
Updated the Server tab to enable the global catalog to be specified, used specifically for the User Search, AD Properties dialog and the LDAP Search Use GC option
Fixed bug with Anonymous authentication type
Fixed intermittent issue causing the credentials dialog not to be drawn correctly
Fixed bug where profile details were not displayed for the selected profile, if prompted to save unsaved changes

GPO Explorer
Updated to include WMI Filters and AD Sites
WMI Filter name now displayed on GPO allocation screens
Updated the XML parse for GPO Preferences to improve the displaying of settings
Added additional validation for preferences so only items that have an XML file are shown as having settings

LDAP Browser
Added context menu to allow the DN of objects to be copied to the clipboard

Added a manual flag option, so you can specify the actual flags sent to server

LDAP Search
Fixed bug in Input Mode, where an exception could be caused if a row of input data is missing a column item
Added the option to add additional user specified server side controls
Updated to include Use GC option to use the GC server settings in the Connection Profile
Updated date substitutes to include StartofDay, EndofDay, StartofUTCDay, and EndofUTCDay constants. StartofDay and EndofDay return times based on local time, while StartofUTCDay and EndofUTCDay return times based on UTC, e.g. (&(whencreated>={zdate:startofday})(whencreated<={zdate:endofday})) or (&(whencreated>={zdate:StartofUTCDay})(whencreated<={zdate:EndofUTCDay}))
Added new substitute getdn, which will return the DN for the samaccountname provided as the parameter, e.g. {getdn:domain admins}, {getdn:guests}, {getdn:user1}
Substitutions now available on the BaseDN field
Added additional DecodeTypes: SD_DACL_COUNT and SD_SACL_COUNT return the total number of ACEs in the DACL or SACL. SD_DACL_EXPCOUNT and SD_SACL_EXPCOUNT return the number of explicit (non-inherited) ACEs in the ACL
Added additional DecodeTypes for Group Managed Service Accounts GMSAPWD, GMSAPWD.PWD, GMSAPWD.PPWD, GMSAPWD.QRY, GMSAPWD.UCG
Added additional DecodeTypes for RootKey - KDSPARAM
Added additional DecodeTypes for WMI time and date: WMITIME and WMITIME_UTC
Updated LDAP Filter wizard to support nested subst commands and fixed formatting issues if brackets are included in the subst
Fixed bug in attribute update using escaped binary format
Changed the priority order of the user defined DecodeType, so user defined settings take precedence
Added support for the use of environment variables in the filter and attribute fields i.e. (samaccountname=%username%)
Updated the auto complete feature to work with meta attributes and environment variables
Added the following static Decodes: 

msDS-ManagedPasswordId - GMSAPWDID
msKds-KDFParam  - BINARY
msKds-SecretAgreementParam - BIN
msKds-RootKeyData - BIN
crossCertificatePair - CERT
msds-ManagedPassword - GMSAPWD
msKds-CreateTime - 64TIME
msKds-UseStartTime - 64TIME
msDS-RequiredForestBehaviorVersion - ATTRIBENUM
msDS-RequireddomainBehaviorVersion - ATTRIBENUM
msWMICreationDate - WMITIME
msWMIChangeDate - WMITIME

Added a new tab to display the statistics associated to the access token

Object Compare
Fixed intermittent exception error, caused if the left object is deleted or moved between scans

The Resolver option has been updated to support user defined columns to allow additional attributes to be displayed
Updated to include a search of the proxyaddresses attribute for email address entries 
The context menus have been updated to allow items in the output pane to be added to the Resolver, with a shortcut key of Ctrl+R
Added status bar which displays total and selected items counts

Schema Class Browser
Added an extra column that displays the security Property Set and DecodeType for each attribute
Fixed an intermittent exception error
Updated context menu on Where Used form so nested Where Used option can be performed

Schema Versions
Updated to include Exchange 2016 CU18 & 2019 CU7 schema updates

Updated so if an email address is specified then an additional search of the proxyaddresses attribute is included in the search request to the server
Updated to use the GC server details in the Connection Profile
Updated icons for Managed Service Accounts and Group Managed Service Accounts
Added status bar to show number of items returned and selected

User Rights
Added a new tab to display the statistics associated to the access token

Updated the redirection code to support additional record types

NetTools V1.28.0

NetTools V1.28.1 - minor fix in LDAP Browser

NetTools no longer uses the ADSI APIs; all queries against the AD now use only the LDAP API. This provides a small performance increase but, more importantly, consistency across all features.
The toolbar is now always displayed at the top of NetTools, and includes buttons for navigation, Connection Profiles, Resolver and Help and quick search by default. Pin items are displayed to the right of these buttons.

Connection Profiles  *** New ***
Previous versions of NetTools used the current user's credentials and the domain join information of the workstation running NetTools to authenticate and to select the directory to interrogate; only a few features supported different credentials, via the Use LDAP Search Credentials option. This version introduces a new feature called Connection Profiles, which lets you define the server connection and credentials used by the tests and features, and provides a common method to define and access the AD across all tests. See Connection Profiles.

Circular References  *** New ***
A new feature to test if there are any infinite loops in your group memberships. See Circular References

Resolver *** New ***
A quick way to search for a single or multiple items: just copy and paste a single item or a list of items that you want to find, and it will search the AD for the items and display whether they exist in the directory or not. The copied and pasted list can be displayname, samaccountname, DN, SID, UPN, or email address. See Resolver

AD Properties Dialog
Added an extra tab to display the TokenGroups for user and computer objects

A complete rewrite of the function from ADSI to LDAP API

Compare Objects
Updated to include the NTSecurityDescriptor attribute 

LDAP Browser
Added an additional feature to display the attribute values as a hex dump
Fixed issue with the filter limiting the number of items displayed (v1.28.1)

LDAP Search
Table view context menu updated to include a Use Column with option to allow data in the column for common dialogs
Removed the Credential option; you now use Connection Profiles to specify different credentials and authentication methods
Updated Tab views so selected items count on the status bar is updated when a tab is selected

A complete rewrite of the function from ADSI to LDAP API

NetTools V1.27.7

A new Pin context menu option is available in the left hand option selector, which is used to create shortcut buttons for your commonly used options.  See Basics
Default Copy to clipboard shortcut key has been changed to Ctrl-C, to align with standard copy and paste keys. Now, in any of the table views, if one or more rows are selected and Ctrl-C is pressed, the contents of the column directly under the cursor are copied to the clipboard

AD Properties
Updated to display Kerberos DES-CBC-CRC, DES-CBC-MD5, RC4 encryption options
Updated to use the LDAP enum decode function so attribute decodes are common across all dialogs 

Compare Objects
Added a Compare Values context menu option which displays a visual side by side comparison of the values with the difference highlighted. See Compare Objects

LDAP Browser
Fixed bug in LDAP browser, where intermittently it would display the attribute values twice

LDAP Search
Updated the LDAP Session options to fix a bug with the GetDsName flags
Updated enums to support LargeInteger (int64) values
Updated the MsExchRecipientTypeDetails, msExchRemoteRecipientType, msExchModerationFlags, and MsExchRecipientDisplayType enums with O365 values
Updated the OmSyntax enums values 
Added new Base64 Decode Type, to allow attribute values to be outputted in base64 format

RID Pool
Added an extra column to display the number of RID that are left in the pool for each domain controller

NetTools v1.27.0

Compare Objects  *** New ***
A new option to provide the ability to compare two objects, or the changes that have been made on a single object based on a previous snapshot. See Compare Objects

LDAP Browser  *** New ***
I've copied the LDAP Browser feature from the LDAP Search option and now added it as its own item in the left hand pane. See LDAP Browser

AD Properties Dialog
Updated to display AES128 and AES256 encryption options

Attribute Replication
Added option to check attribute replication for objects in the global catalog context

Find Trustee
Fixed intermittent exception error when checking for ownership permissions

LDAP Search
Added a tab output option, so results from each query are displayed on a new tab
Added enum decodes for msDs-SupportedEncryptionTypes
Updated the conditional attributes function so that meta data information is supported for both variable and results.
    e.g.   Validate;{if: meta.time.unicodepwd == pwdlastset : "Valid" : "Error"}

NetTools V1.26.0

Group Changes  ** New **
An audit function to show the group membership changes for the specified user.  See Group Changes

ACL Browser
Added the List objects permissions into the properties list view
Changed the default behavior when changing between ACLs so any column sort orders are removed, and ACEs are displayed in the order in the ACL.
Changed the first column to include the ACL Index number

Attribute Replication
Fixed a scope issue so the attributes in the root object can be checked

Copy to new Window
Added a context menu option to open a new window with the list unique column details
Now supports the Dynamic and Sort column sorts

Extended Rights
Fixed bug where GUID was not displayed

Added help button on each page which links back to the NetTools website for more information

Group Manager
Added support for email\upn in user input
Added Select All\Deselect All context menu options

LDAP Browser
Fixed indexing error when browsing a directory via the global catalog

LDAP Search
The current filter is now displayed in the text pane for each iteration of the query when in Input Mode

Last Logon Time
Added extra column for PwdLastSet 

Meta Data
Removed the 1000 item display limit on replication details.

Overlapping Subnets
Updated the display adding green and yellow indicator to show if the IP address range is assigned to different sites

Added context menu option to request a privilege

Schema Browser
Added the Index column to show if an attribute is Indexed or not

NetTools v1.25.11

ACL Browser
Updated ACL\ACE Flags option view to display the raw mask data and mask after processing, which will show if there are any unprocessed masks
Trustee Mode updated so only the ACEs that apply to the trustee are displayed.
Trustee Information dialog updated to display the SIDs and associated name for the trustee. Now also includes the ability to add or remove SIDs to a trustee's SID list, to provide the ability to evaluate the impact of changing a trustee's permissions

Updated SDProp to display the results in a list view
Added an option to trigger SDProp Process
Added context menu to reset ACL and AdminCount on selected users. See SDProp for updated details

LDAP Search 
Updated LDAP Filter Wizard to move the change function to a separate button rather than linked to the type selection.
Added new Substitution option {-1:} which will be replaced with 9223372036854775807, which is 0xFFFFFFFFFFFFFFFF and is used on a number of attributes to indicate that the function\operation of the attribute is not set, as in the case for AccountExpires. e.g. (&(accountexpires=*)(!accountexpires=0)(!accountexpires={-1:}))  See LDAP Search Substitutions

Copy to new Window
The functionality of the Copy to new Window has been updated to include the ability to filter the displayed results based on text and content filters. See Copy to new Window for details

NetTools v1.24.4

ACL Browser
Fixed issue where attribute GUIDs are not loaded into the cache intermittently

LDAP Search
Added option to display extended error reporting
Updated string substitutions to include {sdate:now} and {sdatetime:now} to display the current date or date and time. Date format is fixed as DD/MM/YYYY.
Updated the copy favorites to clipboard option to copy the settings currently being displayed
Updated favorites to support ##inputn in the BaseDN field

UNC Check
Updated UNC dropdown to display the MRU UNC path from the Run dialog

NetTools v1.25.4

ACL Browser
Updated the flags so the inherited flag is reported correctly for schema based permissions

Schema Versions
Updated to include Exchange 2019 and CU1, CU2. See Schema Versions.

General - Column Sort
Updated 64Date sort function to correctly handle '-' entries

Locked Accounts
Added extra fields to the view - Bad Password Time, Account Expires, Lockout Time, Password Last Set
Added a bulk unlock function for selected accounts
Added status bar with the total and selected items

Updated search logic so the useraccountcontrol, accountexpires, lockouttime attributes are displayed correctly in the output.
Fixed issue where the current column list is not displayed in the column selection dialog
Changed the options to be non-volatile

NetTools v1.25.0

GPO Explorer *** New ***
A new option to browse GPOs and GPO allocation. Supports similar functionality to the Group Policy Manager, allowing viewing of GPO configuration, permissions, OU structure browsing with policy inheritance, and display of the raw settings in the policies, covering registry, scripts, GptTmpl, GPP settings. Includes the option to view and edit policies using gpedit or GPMC editor, if it's installed.

Object Metadata *** New ***
This option will display the metadata of an attribute on a specific object across all domain controllers, to allow checking of replication consistency

Top Quotas *** New ***
Option to display the quota usage of the top users. Includes an option to display the quota allocation to an individual user. With the ability to select the quota per partition.

ACL Browser
Added Meta data and Attributes to the context menu of the left hand pane
Updated to display deleted and recovery items, corresponding permissions required
Added Trustee mode, allows you to select a trustee and the ACE icon will display a green tick on all the ACE that the trustee has been assigned
Updated ACE pane so the ADS_RIGHT_DS_CONTROL_ACCESS right is displayed as Control access against the property. This provides simpler visibility of Confidential Attribute configuration

AD Properties Dialog
Added icon for locked accounts

AD Subnets
Updated to support column sorting

Control Access Rights
Updated screen redraw to increase display speeds

DC Resolution
Updated ports dialog to allow multiple ports to be removed
Fixed bug where a server could be displayed multiple times due to case sensitivity

Extended Rights
Added column for Rights GUID

Last Logon Time
Fixed intermittent Index error when sorting

LDAP Browser
Changed ObjectClass order so Options attributes are decoded correctly

LDAP Search
Added inline filter substitution for the matching rule OID LDAP_MATCHING_RULE_DN_WITH_DATA, introduced in Windows 2012R2. The substitution characters for this rule are $=, e.g. (msDS-HasInstantiatedNCs $= B:8:0000000D:DC=corp), which expands to (msDS-HasInstantiatedNCs:1.2.840.113556.1.4.2253:=B:8:0000000D:DC=corp)
Fixed bug in the range option on attributes
Added DecodeType for Unicode strings, it also supports Byte Order Mark (BOM) to define the Unicode format
Updates to the screen draw in table view, provides about 25% increase in displaying results
Added 'Display on Complete' option to increase the display speed, screen updates are suppressed until all results are displayed

Locked Accounts
Added context menu for AD Properties and Attributes

Updated to include icons to represent users and groups
Updated context menu to include AD properties for the selected trustee

Updated to support column sorting

Schema Class Browser
Updated to display the hierarchy of the selected schema class

Schema History
Added extra column to display OID
Added Windows 2019
Added Exchange 2016 CU7

Schema Version
Updated Windows 2019
Changed Unknown to Not Set for items that don't exist
Added option to display the raw values rather than the decoded values

SD Prop
Complete rewrite to support new functionality
Added context menu to display AD properties
Added option to clear the AdminCount attribute and reset ACL inheritance on user accounts that have AdminCount attribute set

Site Browser
Added option to display the list of IP subnets
Added option to display the list of AD Site Links

Time Converter
Updated to support yyyy/mm/dd hh:mm:ss time\date format
Updated to support yyyy-mm-ddThh:mm:ss.mmm Azure time\date format

Token Size
Fixed double click on Token Size List so sub group list is opened

User's Groups
Context menu updated to include option to open AD properties

User Search
Fixed bug where stored LDAP Search credentials are used when displaying Attributes Dialog
Add context menu for Find Trustee, GPO Allocation, Quota Usage
Added icon for locked user accounts, GC search must be disabled for locked accounts to be displayed

WINS Lookup
Improved error reporting and added Set Debug option

DecodeTypes list:
    64DATE - Win32 64bit Date Format
    64TIME - Win32 64bit Date & Time Format, local time
    64TIME_UTC - Win32 64bit Date & Time Format, UTC
    ATTRIBENUM - predefined enumerate
    ATTRIBENUM_NONUM - predefined enumerate only symbolics are displayed
    BEROID - Basic Encoding Rules (BER) Organization Identifier
    BIN - Binary list
    CERT - Certificates
    COUNT - Returns the number of entries in the attribute
    CRL - Certificate Revocation List
    DNSPROPERTY - DNS Properties entries
    DNSRECORD - DNS entries
    DNSRECORD.DATA - return only the data field
    DNSRECORD.RANK - return only the rank field
    DNSRECORD.SERIAL - return only the serial field
    DNSRECORD.TIMEOUT - return only the timeout field
    DNSRECORD.TIMESTAMP - return only the timestamp field
    DNSRECORD.TTL - return only the ttl field
    DNSRECORD.TYPE - return only the type field
    DNSRECORD.VERSION - return only the version field
    DSA_SIG - DSA Signature
    FILETIME - Win32 File Date & Time Format
    GTFTIME - Generalized Time Format, local time
    GTFTIME_UTC - Generalized Time Format, UTC
    GUID - Windows COM GUID format
    GUID_LDAP - GUID in LDAP filter format
    GUID_RAW - Hex GUID format
    HEX - Display a number in Hex format
    IP - DWORD IP address in windows order
    IPN - DWORD IP address in network order
    MSTRUST - Decoder for msds-TrustForestTrustInfo
    NTDS_CONN_OPT - Returns the options for the Options of NTDSConnection
    NTDS_DSA_OPT - Returns the options for the Options of NTDSDSA
    NTDSSSITE_OPT - Returns the options for the Options of NTDS Sites Settings
    PARENTCN - Returns the parent container of the CanonicalName
    PARENTDN - Returns the parent container of the distinguishedName
    PERIOD - Certificate renewal period
    PSMTP - Display primary smtp entry
    PWDSEC - Password seconds
    PX400 - Display primary x400 entry
    PX500 - Display primary x500 entry
    REPL_UTDV - NC Up ToDateness Vectors
    REPS_INFO - Replication neighbours RepsTo and RepsFrom
    RIDPOOL - RID Pool Allocations
    SD - Security Descriptor in SDDL format
    SD_NAME - Returns the resolved names of all the entries in the SD
    SD_NAME_DACL - Returns the resolved names of the DACL entries in the SD
    SD_NAME_GROUP - Returns the primary group assigned in the SD
    SD_NAME_OWNER - Returns the resolved name of the owner in the SD
    SD_NAME_SACL - Returns the resolved names of the SACL entries in the SD
    SD_SID - Returns the SID of all entries in the SD
    SD_SID_DACL - Returns the SID of the DACL entries in the SD
    SD_SID_GROUP - Returns the primary group assigned in the SD
    SD_SID_OWNER - Returns the SID of the Owner in the SD
    SD_SID_SACL - Returns the SID of the SACL entries in the SD
    SID - Display Security Identifier in text form
    SID_ABS - Display the absolute name of the SID
    SID_REL - Display the relative name of the SID
    SITE_LINK_OPT - Returns the options for the Options of SiteLink
    SIZE - The size of the data returned
    SMTP - Display only smtp entries
    TRANSPORT_OPT - Returns the options for the Options of transport container
    UNICODE - Return a string in Unicode format, with BOM decode support
    X400 - Display only x400 entries
    X500 - Display only x500 entries

NetTools v1.24.0

A few new functions introduced with this version as I have been doing more work around websites and internet based services. An interesting note that I found while writing the Trace Route function, the standard method to complete the TTL ICMP echo is using the standard winsocket RAW method, however, I found that the default settings of the Windows firewall would block this traffic and would require the user to allow this traffic for the function to work correctly. This was unexpected especially as this is not required for the MS command line tracert utility and there are no default rules to allow this traffic. After a bit of playing around, I used the IcmpSendEcho API, and these packets bypass the firewall completely and there is no way to block them. I wonder how many other MS APIs bypass the firewall completely and means you can’t block this traffic!

Trace Route ** New **
A multi-threaded Trace Route option that provides the fastest possible result by testing all hops at the same time, displaying the complete route in under 3 seconds

WhoIS ** New **
An option to query WhoIs databases for both IP and domain details

IP Geo Location ** New **
An option to display the Geo location information of an IP address

HTTP Headers ** New **
An option to display the HTTP headers of a website

UNC Check ** New **
New option to check a UNC path, this will check that the server’s IP address is resolvable, the share exists and permissions to access the file systems, and display which part of the path is valid or not

URL Check ** New **
An option that combines all of the above web based tests against a domain name

Added additional error handling around ini file reads and writes to prevent exceptions caused by disconnected shares

ACL Browser
Updated so the GUID and SID caches are not cleared between searches for the same domain to improve performance, manual clear Cache option added
Updated ACL Flags option to display allow and deny flags in the ACL
Added context menu option to display AD properties dialog
Fixed bug that could cause an exception error

AD Properties Dialog
Added the object name to the title of the dialog
Updated ProxyAddresses to allow multiple line selection
Updated members and memberOf to use the domain context of the displayed object rather than the server’s default context, so the PrimaryGroupID is resolved correctly

AD Sites
Changed the site option to a dropdown list of available AD sites
Fixed issues with Hex decode not showing the last line of the text dump

DCs in Sites
Changed the site option to a dropdown list of available AD sites

Find Trustee Assignments
Updated so the search can include the Owner in the results

LDAP Search
Defined parentGUID, msExchOnPremiseObjectGuid, msDC-ConsistencyGuid as GUID decode type
Added option in LDAP Filter wizard to select whether Not queries comply with RFC4515. MS LDAP supports the format as in RFC4515 and an abbreviated version that doesn’t require extra parentheses around the filter for Not statements, i.e. RFC4515 format: (!(objectclass=user)), MS format: (!objectclass=user)
Updated LDAP Location Selector to use BaseDN rather than the DC’s default domain context
Conditional attributes updated to include the Len option, which returns the string length of the variable
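
The abbreviated Not form described above, together with the `$=` DN-with-data shorthand from the v1.25.0 notes, rewritten into strict RFC 4515 form so a filter written for MS LDAP can be reused with a stricter LDAP client. This is an added example, not NetTools code; the function names are hypothetical, and the whitespace handling around `$=` is an assumption based on the single example in the notes.

```python
"""Rewrite NetTools/Microsoft filter shorthand into strict RFC 4515 form."""

# OID for LDAP_MATCHING_RULE_DN_WITH_DATA, as quoted in the release notes.
DN_WITH_DATA_OID = "1.2.840.113556.1.4.2253"


class FilterSyntaxError(ValueError):
    """Raised when the filter is not a well-formed parenthesised expression."""


def _expand_item(item):
    """Expand 'attr $= value' into 'attr:<OID>:=value'; leave other items alone."""
    attr, sep, value = item.partition("$=")
    # An '=' before '$=' means '$=' is part of an ordinary value, not shorthand.
    if not sep or "=" in attr:
        return item
    return f"{attr.strip()}:{DN_WITH_DATA_OID}:={value.lstrip()}"


def _parse_item(text, pos):
    """Read a simple item (no raw parentheses) starting at text[pos]."""
    end = pos
    while end < len(text) and text[end] not in "()":
        end += 1
    item = text[pos:end]
    if "=" not in item:
        raise FilterSyntaxError(f"no comparison in item at offset {pos}: {item!r}")
    return _expand_item(item), end


def _parse_filter(text, pos):
    """Parse one '(...)' filter at text[pos]; return (normalized, next_pos)."""
    if pos >= len(text) or text[pos] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos] if pos < len(text) else ""
    if op in ("&", "|"):
        pos += 1
        parts = []
        while pos < len(text) and text[pos] == "(":
            part, pos = _parse_filter(text, pos)
            parts.append(part)
        if not parts:
            raise FilterSyntaxError(f"'{op}' with no operands at offset {pos}")
        body = op + "".join(parts)
    elif op == "!":
        pos += 1
        if pos < len(text) and text[pos] == "(":
            inner, pos = _parse_filter(text, pos)   # already RFC 4515 form
        else:
            item, pos = _parse_item(text, pos)      # abbreviated MS form
            inner = f"({item})"
        body = "!" + inner
    else:
        body, pos = _parse_item(text, pos)
    if pos >= len(text) or text[pos] != ")":
        raise FilterSyntaxError(f"expected ')' at offset {pos}")
    return f"({body})", pos + 1


def to_rfc4515(filter_text):
    """Return the filter with Not clauses parenthesised and '$=' expanded."""
    text = filter_text.strip()
    normalized, end = _parse_filter(text, 0)
    if end != len(text):
        raise FilterSyntaxError(f"unexpected text after filter at offset {end}")
    return normalized


if __name__ == "__main__":
    # Constructed samples built from the filters quoted in the release notes.
    for sample in (
        "(!objectclass=user)",
        "(&(accountexpires=*)(!accountexpires=0)(!accountexpires={-1:}))",
        "(msDS-HasInstantiatedNCs $= B:8:0000000D:DC=corp)",
    ):
        print(sample, "->", to_rfc4515(sample))
```

NetTools-only substitutions such as {-1:} pass through unchanged, so they still need to be resolved before the filter is sent from another client.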

LDAP Browser
Updated shift start functionality on the LDAP Search option to start in a new instance so multiple browsers can be opened
Updated to support LDAP directories that don’t use the AllowedAttributes to list the available attributes on objects

Meta Data Dialog
Updated with an option to display times in UTC or local time
Updated to include the machine\domain reference of the trustees

Org Structure
Added option to only display direct reports that have active accounts
Added option to specify Naming Context to support non-contiguous name spaces
Fixed exception error when the manager attribute is not set

Overlapping Subnets
Updated the results text from errors to overlaps to reflect changes in MS recommendations on catch all entries
Fixed bug that could cause an exception if output to file selected but no filename specified
Updated so the success and failed results are displayed correctly and the previous results are cleared before tests start

Schema Browser
Updated screen redraw to improve display speed

Schema History
Added Exchange 2016 CU7

Schema Version
Updated to include Exchange CU5-7
Added the Exchange Forest Version

SID Converter
Updated the output to display the SID in a number of different formats, including LDAP filter, ADSI, Hex and Base64

Site Browser
Added extra column to display the replication type on the list site view
Added stop button on the site coverage to stop the current lookups
Updated to display Site Settings for each site
Updated to display Policy Query settings for the setting and domain controllers, if a new policy has not been defined, the default policy is displayed

Time Converter
Updated to display the time entered as UTC, local to UTC, and UTC to local

User Rights & Logon
Changed the output to be tab and table based to allow easier viewing and copying

User Search
Updated search to support downlevel name format <domain>\<identity>
Updated Use With option for Org Structure to pass the server context if it’s changed from the default
Changed GC Option to clear the current list to prevent GC\No-GC lookups issues
Fixed bug where the scope list would not be updated correctly if an error occurs while getting domain list