NetTools contains over 90 different tests and functions that are grouped into 14 sections.  The high-level details of the individual tests and features are provided below.  See NetTools Basics for details on common operations used within NetTools. Details on how to run NetTools can be found here.

Access Control

AD Effective Permissions  
A feature in the AD Permissions Browser and Permissions dialog that shows what permissions a selected user will receive on the selected objects.  This covers the DACL and SACL on all partitions, as well as the default schema and mailbox permissions.  Includes the option to model the impact of permission changes when developing a delegation model.  See AD Effective Permissions

AD Permissions Browser
The ACL Browser provides a fast and simple method to browse the directory structure and display the associated permissions assigned and inherited by the selected object.  SACL permissions are displayed when the SACL option is selected, and default schema permissions are displayed when browsing the schema partition and selecting the class object.  See AD Permissions Browser

AD Permissions Editor
The AD permissions dialog provides the ability to edit the permissions of objects in the Active Directory. See How To Edit an AD object's Permissions

AD Permissions Reporter  
A powerful feature to generate reports on who has access and rights in the AD; includes over 30 predefined reports.  See AD Permissions Reporter

Assigned Trustees
Will scan the complete partition or from the selected location down, and will display the trustees that have been assigned permissions and how many times the trustee appears in the ACLs.

Compare AD Permissions  
The capability to compare the permissions of two different AD objects. See Comparing AD Permissions

Control Access Rights
Displays the Control Access Rights that have been defined in the selected directory.  Selecting a Right will display which attributes the right applies to, and the Property Sets and attributes that are included in the Right.

Extended Rights
Displays the extended rights that are defined in the directory.

Property Set Search
Will search the property sets for the specified attribute and display all the property sets that include the attribute.

SDDL Viewer  
A simple option to allow an SDDL string to be displayed in the NetTools permissions dialog. See SDDL Viewer

This option is used to search for all user and group objects in the domain where the permissions of the object are controlled by the SDProp process.  There is also an option to reset the user permissions to restore users that have been orphaned by the process and to allow the SDProp process to reset permissions for users that are still members of a protected group.  See SDProp

AD Replication

Attribute Replication
Is used to confirm that the specified attributes of the selected object have been replicated across all domain controllers.

DC Updates
Will display the number of updates that have been processed across all the domain controllers in the forest, or the domain controllers hosting the selected domain context. See DC Update

Utilizes the LDAP DIRSYNC server-side control to display the updates that have been made on the domain controller. See DirSync

Domain Changes 
Displays the objects that have been updated on the domain controller based on the USNChanged attribute. See Domain Changes

Will display all the DSA GUIDs and Invocation GUIDs registered against the selected server.

Object Metadata
Will display the directory services metadata for the selected object. See Object Metadata

Object Replication  
Used to confirm that objects and attributes are replicating across the selected domain controllers.  See Object Replication

Replication Cursors
Will display the directory replication cursors for the selected domain controllers.

Replication Latency
This option provides the ability to test the time taken to replicate a new object across all the domain controllers in the selected partition.  The test will create the selected object type and then delete the object once the test is complete.

Replication Queues
This option displays the directory replication queues on the specified domain controller.  Domain Admins membership or the Replicating Directory Changes right is required to display the contents of the replication queues.

AD Sites

AD Sites
A simple DNS test to find which domain controllers will be used based on a machine's IP address or AD site name.  The returned domain controllers will be tested to confirm that they respond to ping, LDAP, and GC ports.

AD Subnets
Will display which AD site the specified IP address is assigned to, or if you paste a list of IP addresses into the main pane, the AD site for the corresponding IP addresses will be displayed. See AD Subnets

DC Coverage
A simple DNS test to return what AD sites are serviced by the specified domain controller.

DCs in site
Another simple DNS test to return what domain controllers are registered against the specified AD site.  The Site Name can be selected from a dropdown list.

It will display which domain controller is performing the ISTG role for each site. See Site ISTG

Sites Browser
A combined view that lets you view the AD Site details in a simple hierarchical browser.  The following details can be displayed: AD Sites, Subnets, Site Links, Domain Controllers, Query Policy, connections, Downstream Partners, Naming Contexts, Licensing, Site coverage, Link Costs, NTDS settings, and test domain controller connectivity. See Site Browser

Sites DC List
Displays the list of domain controllers in the specified forest. For each domain controller, the site name, default domain context, roles, FQDN, and IP address are displayed. See Sites DC List

Overlapping Subnets
This will scan the IP addresses defined in the forest and display any IP address ranges that overlap another IP address range. See Overlapping Subnets


Kerberos Tickets
Provides the ability to display the Kerberos tickets that are associated with the current user context, or a specified Session.  It is possible to purge individual or all tickets, and request a new ticket based on the specified SPN.  See Kerberos Tickets

A simple test using the LogonUser API that allows you to specify the API parameters to test different authentication methods and types, i.e. GPO User Rights configuration.  If the login is successful, the corresponding groups and privileges will be displayed. See Logon

Password Checker
A crude password checker to check if the specified password is being used by a list of accounts.  The list is added by pasting the list of SamAccountName values into the pane.

RID Pool
Used to display the RID pool allocation and the next RID for all the domain controllers in the forest.  The current RID pool master and the next RID pool allocation are also displayed. See RID Pool

A simple test using the CreateProcessWithLogonW API to execute a program using the defined set of credentials.  This was one of the first options added and could do with some love to update the form.

SCP Search
An option to allow you to search the directory for the specified SCP, with the ability to search based on the service name or the GUID of the service.

Will display the logon sessions that exist on the local machine and the processes that are associated with each logon session. See Sessions

SID History
An option to display and manage the SID history against a single user or group object.

SID History (Bulk)
A bulk update option to allow the SID History to be set on a number of objects based on a semi-colon-separated input file.  The option uses the DsAddSidHistory API, which has a number of prerequisites that are tested by the validation step before you can import and update the SID History of the specified objects. See SID History Bulk

An option to search the directory for the specified Service Principal Name. The search uses the sPNMappings settings to search for alternative service names against the host. See SPN

Token Size
This option will display the token sizes for all objects that match the specified search criteria.  Once the list is returned it is possible to explore which direct and nested groups contribute to the overall token size. See Token Size

User Rights
This will display the groups and privileges that are assigned to the user context in which NetTools is running. See User Rights


Circular References
Used to find any circular references or infinite loops in group membership. See Circular References

Group Compare
Provides the ability to compare the group membership between two users.  There are a number of different name resolution and comparison options available. See Group Compare

Group Manager
An option to allow the membership of a group to be updated; changes can be specified as SamAccountName, SID, UPN, email, or DN input. The changes are pasted into the right-hand pane. See Group Manager

Group Members
An option to display the members of a group, including recursively across nested groups, displaying which group delivered the membership.

Local Groups (NetGroupEnum)
An option to display the members of the local groups associated with the specified server.  See Local Groups

Will display the local or global groups associated with the specified server using the NetQueryDisplayInfo API.

Group Policies

GPO Explorer
Provides similar functionality to GPMC to browse the GPOs defined in the specified forest, and also includes the test functionality of GPOTool.exe.  Provides the ability to view GPO allocations, settings, and permissions, view the contents of the registry.pol file, and test the GPOs, providing similar functionality to GPOTool.  See GPO Explorer


Server Info
Based on the NetServerGetInfo API, this option provides the ability to display the configuration information of the selected server.

User Info
Based on the NetUserGetInfo API, this option provides the ability to display the details of the selected local user account.


Compare Objects
Provides the ability to compare differences between two objects or the changes that have been made to a single object.  See Compare Objects

LDAP Browser
This option allows you to browse the contents of a directory in a three-pane view, including the ability to restore deleted AD objects. See LDAP Browser

LDAP Performance
This option performs a number of LDAP directory read operations and displays the time taken to perform these operations.  The number of times the tests are run can be configured, and the Min, Max, and Avg are displayed. See LDAP Performance

This option uses raw WinSocket packet injection to simulate the CLDAP protocol and allows the NeutralizeNT options to be bypassed. Still, there isn't much call for this option now that NT4\Windows 2000 hybrid domains have pretty much disappeared! See LDAP Ping

LDAP Search
A powerful and feature-rich LDAP client providing user-selectable data type decodes, server-side control, LDAP session options control, LDAP browser, display filters, save favourites, filter string substitution for common data types, table view, queries based on multiple inputs, LDAP filter wizard, batch multiple queries and feed the result into subsequent queries, create write\update queries, and much more.  See LDAP Search

Manage Lists
A sub-function of the LDAP Search feature, which allows lists of data to be set up and then used by the display filters. See Display Filters

Object Count
An option to count the number of different types of objects that exist under the selected OU structure.  Selectable object types are Users, Groups, Computers, Active Users, and all objects. See Object Count


Schema Class Browser
Displays the schema classes as defined in the selected LDAP directory.  Provides a list of the defined schema classes; when a class is selected, it shows the attributes that are included in that class, as well as the source class of the attributes.  It also displays the hierarchy for the selected class.  See Schema Class Browser

Schema History
This option displays the updates that have been performed on the schema and the name of the corresponding update based on the internal database and user-defined entries in the NetTools.ini, i.e. Windows 2008, 2012, 2019, Exchange CU update, and third-party schema providers etc.  See Schema History

Schema Versions
This option displays the current version of various schemas, features, and functions, including Forest, Domain, and Domain Controller Functional Level, RODC, Schema Version, Exchange Schema, Forest, and Domain level, and attribute and class counts against each Domain Controller in the forest.  Ideal for confirming that a schema update has been completed and replicated across the forest.  See Schema Version

Name Resolution

DC Resolution
This option provides the ability to check the consistency of the DNS, DSAPI, and LDAP configuration for the domain controllers in the forest.  There is also the option to complete a port scan to confirm if the ports are available.  The list of servers and ports to be tested can be user-defined.  The server list is defined by pasting the list of server IP addresses to be tested. See DC Resolution

This option provides the ability to call the DsGetDcName API directly with user-specified parameters.  DsGetDcName is part of the NetLogon service and is used to find domain controllers in the forest\domain.  See DsGetDcName

The option allows the legacy NetGetDcName API to be called with user-specified parameters. See NetGetDcName

Local Groups
The option uses the legacy Windows networking NetServerEnum API to display the groups on the local or remote servers in the domain.

WINS Lookup
A command-line-style function that lets you query WINS servers. Supports user-defined record types in queries.


Certificate Checker  
This feature allows you to verify the certificates that are used to protect websites and show the results of the revocation checks.  See Certificate Checker

HTTP Headers
An option to display the HTTP headers that are returned by the website, with the option to follow or not follow redirections. See HTTP Headers

IP Geo Location
An option to query the ip-api.com API service for the GEO location of a specific IP address or name. See IP GEO Location

A multi-threaded ping function that allows you to ping multiple IP addresses at once. The devices that are to be pinged are pasted into the pane; the list can be IP addresses, FQDNs, or short names. See Ping

Trace Route
A multi-threaded trace route function that checks all hops simultaneously to provide the fastest possible results. See Trace Route

An option to query the WHOIS database for the details of the specified domain name, with an option to follow referrals to the sub WHOIS database authority. See WhoIs

UNC Check
This option will test the specified UNC path and confirm each component of the path is correct, including name resolution, ping, share existence, permissions, and that the directory is searchable. See UNC Check

URL Check
Combines the HTTP header, IP GEO Location, Trace Route, WhoIs, Ping and DNS resolution tests against the specified domain name. The referrals and redirects are defined by the individual tests. See URL Check


Domain Tree
This option will display the list of the domains and domain controllers in the specified forest.

This option will display the trusts that are returned by the DsTrust API against the specified server.

This option will display the trusts that are returned by the LsaOpenPolicy and LsaEnumerateTrustedDomains APIs against the specified server.  Administrator rights are required for this API.


Group Changes
An audit function to display the group membership changes that have been performed on the selected user.  This will display which groups the user has been added to and removed from. See Group Changes

Last Logon
This option will display the last logon details for the specified user against all the domain controllers containing the user, including the last logon time per DC, last password change, lock time, and bad password time. There is a single-click button to unlock the account.  There is also an option to trace back through the event logs on the domain controllers and the member servers in the authentication request to find the details of why an account has been locked out.  This functionality requires Security Log read rights and is dependent on the event log details not being lost by event wrapping. See Troubleshooting account lockouts

Last Logon Time
The option will query all the domain controllers in the domain to get the LastLogon attribute and display the latest time.  The option supports querying multiple users; the list of users is pasted into the pane. See Last Logon Time

Locked Accounts
The option will display all accounts that are currently locked in the specified domain and provides the option to bulk unlock selected accounts. See Locked Accounts

This option will allow the browsing of the local groups on member servers and the users assigned to the groups.

Org Structure
An option to browse the organisational structure of the specified user based on the user's manager and direct report attributes. For the selected user, a common set of attributes is displayed, and, if defined, the associated thumbnail picture is also displayed.

This option will show all the direct and indirect reports for the selected user.  See Reports

This option uses ANR-based searches to search for the specified user or other objects in the domain or forest.  From the search results it is possible to link the selected user or object to other options using the context menu. See User Search

Top Quota Usage
The top quota assignments are displayed against the selected domain context or all contexts in the domain.  It's also possible to search for the quotas of a specified user.

User's Groups
This option will display the user's group membership as returned by the TokenGroup attributes associated with the user.

User's Membership
This option will display the nested group membership of users, and which nested groups contributed to the user's group membership.  See User's Membership


ASN.1 Viewer
This option is used to display ASN.1 data structures, with support for DER, PEM, PKCS#7, and PKCS#12 file formats, and manual input in hex and base64 formats.  Includes support for common X.509 field types. See ASN.1 Viewer

An option to convert text, GUID, or Hex to Base64 and back.  There is also an option to create a new GUID if required from the context menu. See Base64

Clipboard Formats
This is a simple option to display the details of the data that is currently held in the clipboard buffer.

Error Messages
An option to display the error messages associated with an error number based on the DisplayMessage API.  There is also an option to display LSA and LDAP based errors.

GUID Search
Provides the ability to search for a GUID against a number of GUIDs stored in the directory. See GUID Search.

Mail Conflicts
A rather specific option to test for potential mail address conflicts that may occur during a domain migration.

Mail Unique
A rather specific option to test for potential mail address conflicts that may occur during a domain migration.

Relative Identifiers
This option searches against the selected domain for the specified RID.

SID Converter
An option to resolve a name to the corresponding SID and vice versa; a number of different formats are displayed. See SID Converter

Time Converter
An option to convert time and date into a number of different formats. Supported formats include Generalized Time, Int64, and Azure format, returned across local and UTC time zones. See Time Converter