NetTools contains over 90 different tests and functions, that are grouped into 14 sessions. The high-level details of the individual tests and features is provided below. See NetTools Basics for details on common operations used within NetTools. Details on how to run NetTools can be found here.
AD Effective Permissions
A feature in the AD Permissions Browser and Permissions dialog to show what permissions a selected user will receive on the selected objects, this covers the DACL, SACL on all partitions, also the default schema and mailbox permissions. Includes the option to model the impact of permissions changes when developing a delegation model. See AD Effective Permissions
AD Permissions Browser
The ACL Browser provides a fast and simple method to browse the directory structure and display the associated permissions assigned and inherited by the selected object. SACL permissions are displayed when the SACL option is selected, and default schema permissions are displayed when browsing the schema partition and selecting the class object. See AD Permissions Browser
AD Permissions Reporter
A powerful feature to generate reports on who has access and rights in the AD, includes over 30 predefined reports. See AD Permissions Reporter
Will scan the complete partition or from the selected location down, and will display the trustees that have been assigned permissions and how many times the trustee appears in the ACLs.
Compare AD Permissions
The capability to compare the permissions of two different AD objects. See Comparing AD Permissions
Control Access Rights
Displays the Control Access Rights that have been defined in the select directory. Selecting a Right will display which attributes the right applies to and the Property Sets the attributes that are included in the Right.
Display the extended rights that are defined in the directory.
Property Set Search
Will search the property sets for the specified attribute and display all the property sets that include the attribute.
A simple option to allow an SDDL string to be displayed in the NetTools permissions dialog See SDDL Viewer
This option is used to search for all user and group objects in the domain where the permissions of the object are controlled by the SDProp process. There is also an option to reset the user permissions to restore users that have been orphaned by the process and to allow the SDProp process to reset permissions for users that are still members of a protected group. See SDProp
Is used to confirm that the specified attributes of the selected object have been replicated across all domain controllers.
Will display the number of updates that have been processed across all the domain controllers, in the forest or domain controllers hosting the selected domain context. See DC Update
Utilizes the LDAP DIRSYNC server-side control to display the updates that have been made on the domain controller. See DirSync
Displays the objects that have been updated on the domain controller based on the USNChanged attribute. See Domain Changes
Will display all the DSA GUIDs and Invocation GUIDs registered against the selected server.
Will display the directory services meta data for the selected object. See Object Metadata
Used to confirm that objects and attributes are replicating across the selected domain controllers. See Object Replication
Will display the directory replication cursors for the selected domain controllers.
This option provides the ability to test the time taken to replicate a new object across all the domain controllers in the select partition. The test will create the selected object type and then delete the object once the test is complete
This option displays the directory replication queues on the specified domain controller. Domain Admins or Replicating Directory Changes right is required to display the contents of the replication queues.
A simple DNS test to find which domain controllers will be used based on a machine's IP address or AD site name. The returned domain controllers will be tested to confirm that they respond to ping, LDAP,, and GC ports.
Will display which AD site the specified IP address to assign to, or if you paste a list of IP addresses into the main pane, the AD site for the corresponding IP addresses will be displayed. See AD Subnets
A simple DNS test to return what AD sites are serviced by the specified domain controller.
DCs in site
another simple DNS test to return what domain controllers are registered against the specified AD site. The Site Name can be selected from a dropdown list.
It will display which domain controllers is performing the ISTG role for each site. See Site ISTG
A combined view lets you view the AD Site details in a simple hierarchical browser. The following details can be displayed, AD Sites, Subnets, Site Links, Domain Controllers, Query Policy, connections, Downstream Partners, Naming Contexts, Licensing, Site coverage, Link Costs, NTDS settings, and test domain controller connectivity. See Site Browser
Sites DC List
Displays the list of domain controllers in the specified forest, for each domain controller the site name, default domain context, roles, FQDN, and IP address is displayed. See Sites DC List
This will scan the IP addresses defined in the forest and display any IP address ranges that overlap another IP address range. See Overlapping Subnets
Provides the ability to display the Kerberos tickets that are associated with the current user context, or a specified Session. It is possible to purge individual or all tickets, and request a new ticket based on the specified SPN. See Kerberos Tickets
A simple test using the LogonUser API and allows you to specify the API parameters to test different authentication methods and types. i.e. GPO User Rights configuration. If the login is successful, the corresponding groups and privileges will be displayed. See Logon
A crude password checker to check if the specified password is being used by a list of accounts. The list is added by pasting the list of samaccountname into the pane.
Used to display the RID pool allocation and the next RID for all the domain controllers in the forest. The current RID pool master and the next RID pool allocation is also displayed. See RID Pool
A simple test using the CreateProcessWithLogonW API to execute a program using the defined set of credentials. This was one of the first options added and could do with some love to update the form.
An option to allow you to search the directory of the specified SCP. with the ability to search based on the service name or the GUID of the service.
Will display the existing logon sessions that exist on the local machines and display the processes that are associated with the logon session. See Sessions
An option to display and manage the SID history against a single user or group object.
SID History (Bulk)
A bulk update option to allow the SID History to be set on a number of objects based on a semi-colon-separated input file. The option uses the DsAddSidHistory API which has a number of prerequisites which are tested by the validation step before you can import and update the SID History of the specified objects. See SID History Bulk
An option to search the directory for the specified Service Principal Name, the search uses the sPNMappings settings to search for alternative service names against the host. See SPN
This option will display the token sizes for all objects that match the specified search criteria. Once the list is returned it is possible to explore which direct and nested groups contribute to the overall token size. See Token Size
This will display the groups and privileges that are assigned to the user context in which NetTools is running. See User Rights
Used to find any circular references or infinite loops in group membership See Circular References
Provides the ability to compare the group membership between two users. There are a number of different name resolution and comparison options available. See Group Compare
An option to allow the membership of a group to be updated, allows changes to be specified as SamAccountName, SID, UPN, email, or DN input. The changes are pasted into the right-hand pane. See Group Manager
An option to display the members of a group, including recursive across nested groups, displaying which group delivered the membership.
Local Groups (NetGroupEnum)
An option to display the members of the local groups associated with the specified server. See Local Groups
Will display the local or global groups associated with the specified server using the NetQueryDisplayInfo API.
Provides similar functionality to GPMC to browse the GPO defined in the specified forest, and also includes the test functionality of GPOTool.exe. Provides the ability to view GPO allocations, settings, permissions, view the contents of the registry.pol file, and test the GPOs providing similar functionality as GPOTool. See GPO Explorer
Based on the NetServerGetInfo API, this option provides the ability to display the configuration information of the selected server
Based on the NetUserGetInfo API, this option provides the ability to display the details of the selected local user account.
Provides the ability to compare differences between two objects or the changes that have been made to a single object. See Compare Objects
This option allows you to browse the contents of a directory in a three-pane view. Including the ability to restore deleted AD objects. See LDAP Browser
This option performs a number of LDAP directory read operations and displays the time taken to perform these operations. The number of time the tests are run can be configured and Min, Max, and Avg is displayed. See LDAP Performance
This option uses raw WinSocket packet injection to simulate the CLDAP protocol and allows the NeutralizeNT options to be bypassed. Still, there isn't much call for this option now that NT4\Windows 2000 hybrid domains have pretty much disappeared! See LDAP Ping
A powerful and feature-rich LDAP client providing user-selectable data type decodes, server-side control, LDAP session options control, LDAP browser, display filters, save favourites, filter string substitution for common data types, table view, queries based on multiple inputs, LDAP filter wizard, batch multiple queries and feed the result into subsequent queries, create write\update queries, and much more. See LDAP Search
A sub-function of the LDAP Search feature, which allows lists of data to be set up and then used by the display filters. See Display Filters
An option to count the number of different types of objects that exist under the selected OU structure. Selectable object types for Users, Groups, Computers, Active Users and all objects. See Object Count
Schema Class Browser
Displays the schema classes as defined in the selected LDAP directory. Provide a list of the defined schema classes, when selected it shows the attributes that are included in that class, as well the source class of the attributes. It also displays the hierarchy for the selected class. See Schema Class Browser
This option displays the updates that have been performed on the schema and the name of the corresponding update based on the internal database and user-defined entries in the NetTools.ini, i.e. Windows 2008, 2012, 2019, Exchange CU update, and third-party schema providers etc. See Schema History
This option displays the current version of various schema, features and functions, included, Forest, Domain, and Domain Controller Functional Level, RODC, Schema Version, Exchange Schema, Forest, and Domain level, attribute and class counts against each Domain Controller in the forest. Ideal for confirming that a schema update has been completed and replicated across the forest. See Schema Version
This option provides the ability to check the consistency of the DNS, DSAPI, LDAP configuration for the domain controllers in the forest. There is also the option to complete a port scan to confirm if the ports are available. The list of servers and ports to be tested can be user defined. The server list is defined by pasting the list of server IP addresses to be tested. See DC Resolution
This option provides the ability to call the DsGetDcName API directly with user-specified parameters. The DsGetDcName is part of the NetLogon service and used is to find domain controllers in the forest\domain. See DsGetDcName
The option allows the legacy NetGetDcName API to be called with user-specified parameters. See NetGetDcName
The option uses the legacy Windows networking NetServerEnum API to display the groups on the local or remote servers in the domain.
A command line style function that let you query WINS servers. Supports user-defined record types in queries.
This feature allows you to verify the certificates that are used to protect websites and show the results of the revocation checks. See Certificate Checker
An option to display the HTTP headers that are returned by the website, with the option to follow or not follow directions See HTTP Headers
IP Geo Location
An option to query the ip-api.com API service to query the GEO location of a specific IP address or name. See IP GEO Location
A multiple-threaded ping function that allows you to ping multiple IP addresses at once. The devices that are to be ping are pasted into the pane, the list can be IP addresses, FQDN, or shortnames. See Ping
A multiple-threaded trace route function that checks all hops simultaneously to provide the fastest possible results. See Trace Route
An option to query the WHOIS database for the details of the specified domain name, with an option to follow referral to sub WHOIS database authority. See WhoIs
This option will test the specified UNC path and confirm each component of the path is correct including, name resolution, ping, share existence, permissions and directory is searchable. See UNC Check
Combines the HTTP header, IP GEO Location, Trace Route, WhoIs, Ping and DNS resolution tests against the specified domain name, the referral and redirects are defined by the individual tests. See URL Check
This option will display the list of the domains and domain controllers in the specified forest.
This option will display the trusts that are returned by the DsTrust API against the specified server.
This option will display the trusts that are returned by the LsaOpenPolicy and LsaEnumerateTrustedDomains APIs against the specified server. Administrator rights are required for this API.
An audit function to display the group membership changes that have been performed on the selected user. This will display which groups the user has been added and removed from. See Group Changes
This option will display the last logon details for the specified user against all the domain controllers containing the user, including the last logon time per DC, last password change, lock time, and bad password time. There is a single-click button to unlock the account. There is also an option to trace back through the event logs on the domain controllers and the member servers in the authentication request to find the details of why an account has been locked out. This functionality requires Security Log read rights and is dependent on the event log details not being lost by event wrapping. See Troubleshooting account lockouts
Last Logon Time
The option will query all the domain controllers in the domain to get the LastLogon attribute and display the latest time. The option support querying multiple users, the list of users is pasted into the pane. See Last Logon Time
The option will display all accounts that are currently locked in the specified domain and provides the option to bulk unlock selected accounts. See Locked Accounts
This option will allow the browsing of the local groups on member servers and the users assigned to the groups.
An option to browse the organisational structure of the specified user based on the user's manager and direct report attributes, for the selected user a common set of attributes is displayed, and if defined the associated thumbnail picture is also displayed.
This option will show all the direct and indirect reports for the selected user. See Reports
This option uses ANR based searches to search for the specified user or other objects in the domain or forest. From the search results it is possible to link the select user or object to other options using the context menu. See User Search
Top Quota Usage
The top quota assignments are displayed against the selected domain context or all contexts in the domain. It's also possible to search for the quotas of a specifying user.
This option will display the user's group membership as returned by the TokenGroup attributes associated with the user.
This option will display the nested group membership of users, and which nested groups contributed to the user's group membership. See User's Membership
This option is used to display ASN.1 data structures, support for DER, PEM, PKCS#7, and PKCS#12 file formats, and manual input in hex and base64 formats. Includes support for common x.509 field types. See ASN.1 Viewer
An option to convert text, GUID, or Hex to Base64 and back. There is also an option to create a new GUID if required from the context menu. See Base64
This is a simple option to display the details of the data that is currently held in the clipboard buffer.
An option to display the error messages associated with an error number based on the DisplayMessage API. There is also an option to display LSA and LDAP based errors.
Provides the ability to search for a GUID against a number of GUID stored in the directory. See GUID Search.
A rather specific option to test for potential mail address conflicts that may occur during a domain migration.
A rather specific option to test for potential mail address conflicts that may occur during a domain migration.
This option search against the selected domain for the specified RID.
An option to resolve a name to the corresponding SID and visa versa, the number of different formats are displayed. See SID Converter
An option to convert time and date into a number of different formats. Supported formats include Generalized Time, Int64, Azure format and returned across local and UTC time zones. See Time Converter