NetTools contains over 80 different tests and functions, that are grouped into 14 sessions. The high level details of the individual tests and features is provided below. See NetTools Basics for details on common operations used within NetTools. Details on how to run NetTools can be found here.
The ACL Browser provides a simple hierarchical method to browse the directory structure and display the associated permissions assigned and inherited by the selected object. SACL permissions are displayed when the SACL option is selected, and default schema permissions are displayed when browsing the schema partition and selecting the class object. See ACL Browser
Will scan the complete partition or from the selected location down, and will display the trustees that have been assigned permissions and how many times the trustee appears in the ACLs.
Control Access Rights
Displays the Control Access Rights that have been defined in the select directory. Selecting a Right will display which attributes the right applies to and the Property Sets the attributes that are included in the Right.
Display the extended rights that are defined in the directory.
Find Trustee Assignments
Will search the select directory or location for the specified trustee and display the location that the trustee has been assigned permissions. Can also search the Mailbox permissions for matches.
Property Set Search
Will search the property sets for the specified attribute and display all the property sets that include the attribute.
Is used to confirm that the specified attributes of the selected object have been replicated across all domain controllers.
Will display the number of updates that have been processed across all the domain controllers, in the forest or domain controllers hosting the selected domain context. See DC Update
Will display all the DSA GUIDs and Invocation GUIDs registered against the selected server.
Will display the directory services meta data for the selected object. See Object Metadata
Will display the directory replication cursors for the selected domain controllers.
This option provides the ability test the time taken to replicate a new object across all the domain controllers in the select partition. The test will create the select object type and then delete the object once the test is complete
This option displays the directory replication queues on the specified domain controller. Domain Admins or Replicating Directory Changes right is required to display the contents of the replication queues.
A simple test using DNS to find which domain controllers will be used based on a machine's IP address, or AD site name. The returned domain controllers will be tested to confirm that they respond to ping and LDAP and GC ports.
Will display which AD site the specified IP address to assigned to, or if you paste a list of IP addresses into the main pane, the AD site for the corresponding IP addresses will be displayed. See AD Subnets
A simple DNS test to return what AD sites are serviced by the specified domain controller.
DCs in site
another simple DNS test to return what domain controllers are registered against the specified AD site. The Site Name can be selected from a dropdown list.
Will display which domain controllers is performing the ISTG role for each site. see Site ISTG
A combined view allowing you to view the AD Site details in a simple hierarchical browser. The following details can be displayed, AD Sites, Subnets, Site Links, Domain Controllers, Query Policy, connections, Downstream Partners, Naming Contexts, Licensing, Site coverage, Link Costs, NTDS settings, and test domain controller connectivity. See Site Browser
Sites DC List
Displays the list of domain controllers in the specified forest, for each domain controller the site name, default domain context, roles, FQDN, and IP address is displayed. See Sites DC List
This will scan the IP addresses defined in the forest and display any IP address ranges that overlap another IP address range. See Overlapping Subnets
Provides the ability to display the Kerberos tickets that are associated to the current user context, or a specified Session. It possible to purge individual or all tickets, request a new ticket based on the specified SPN. See Kerberos Tickets
A simple test using the LogonUser API and allows you to specify the API parameters to test different authentication method and type. i.e. GPO User Rights configuration. If the logon is successful, the corresponding groups and privileges will be displayed. See Logon
A crude password checker to check if the specified password is being used by a list of accounts. The list is added by pasting the list of samaccountname into the pane.
Used to display the RID pool allocation, and the next RID, for all the domain controllers in the forest. The current RID pool master and next RID pool allocation is also displayed. See RID Pool
A simple test using the CreateProcessWithLogonW API to execute a program using the defined set of credentials. This was one of the first options added and could do with some love to update the form.
An option to allow you to search the directory the specified SCP. with the ability to search based on the service name or the GUID of the service.
Will display the existing logon sessions that exist on the local machines and display the processes that are associated to the logon session. See Sessions
A option to display and manage the SID history against a single user or group object.
SID History (Bulk)
A bulk update option to allow the SID History to be set on a number of objects based on a semi-colon separated input file. The option uses the DsAddSidHistory API which has a number of prerequisites which are tested by the validation step before you can import and update the SID History of the specified objects. See SID History Bulk
An option to search the directory for the specified Service Principal Name, the search uses the sPNMappings settings to search for alternative service names against the host. See SPN
This option will display the token sizes for all objects that match the specified search criteria. Once the list is returned it's is possible to explore which direct and nested groups contribute to the overall token size. See Token Size
This will display the groups and privileges that are assigned to the user context in which NetTools is running. See User Rights
Used to find any circular references or infinite loops in group membership See Circular References
Provides the ability to compare the groups membership between two users. There are a number of different name resolution and comparison options available. See Group Compare
An option to allow the membership of a group to be updated, allows changes to be specified as SamAccountName, SID, UPN, email, or DN input. The changes are pasted in to the right hand pane. See Group Manager
An option to display the members of a groups, including recursive across nested groups, displaying which group delivered the membership.
An option to display the members of the local groups associated to the specified server. See NetGroupEnum
Will display the local or global groups associated to the specified server using the NetQueryDisplayInfo API.
Provides similar functionality to GPMC to browser the GPO defined in the specified forest. Provides the ability to view GPO allocations, settings, permissions, view the contents of the registry.pol file. See GPO Explorer
Based on the NetServerGetInfo API, this option provides the ability to display the configuration information of the selected server
Based on the NetUserGetInfo API, this option provides the ability to display the details of the selected local user account.
Provides the ability to compare two different between two objects or the changes that have been made to a single object. See Compare Objects
This option allows you to browse the contents of a directory in a three pane view. See LDAP Browser
This option performs a number of LDAP directory read operations and displays the time taken to perform these operations. The number of time the tests are run can be configured and Min, Max, and Avg is displayed. See LDAP Performance
This option uses raw WinSocket packet injection to simulate the CLDAP protocol and allows the NeutralizeNT options to be bypassed, but there isn't much call for this option now that NT4\Windows 2000 hybrid domains have pretty much disappeared! See LDAP Ping
A powerful and feature rich LDAP client providing user selectable data type decodes, server side control, LDAP session options control, LDAP browser, display filters, save favorites, filter string substitution for common data types, table view, queries based on multiple inputs, LDAP filter wizard, batch multiple queries and feed result into subsequent queries, create write\update queries, and much more. See LDAP Search
A sub function of the LDAP Search feature, which allows list of data to be setup and then used by the display filters. See Display Filters
Schema Class Browser
Displays the schema claases as defined in the selected LDAP directory. Provide a list of the defined schema classes, when selected it shows the attributes that are included in that class, as well the source class of the attributes. It also displays the hierarchy for the selected class. See Schema Class Browser
This option displays the updates that have been performed on the schema and the name of the corresponding update based on the internal database and user defined entries in the NetTools.ini, i.e. Windows 2008, 2012, 2019, Exchange CU update, and third party schema providers etc. See Schema History
This option displays the current version of various schema, feature and functions, included, Forest, Domain, and Domain Controller Functional Level, RODC, Schema Version, Exchange Schema, Forest, and Domain level, attribute and class counts against each Domain Controller in the forest. Ideal for confirming that a schema update has been completed and replicated across the forest. See Schema Version
This option provides the ability to check the consistency of the DNS, DSAPI, LDAP configuration for the domain controllers in the forest. There is also the option to complete a port scan to confirm if the ports are available. The list of servers and ports to be testes can be user defined. The server list is defined by pasting the list of servers IP addresses to be tested. See DC Resolution
This option provide the ability to call the DsGetDcName API directly with user specified parameters. The DsGetDcName is part of the NetLogon service and used is find domain controllers in the forest\domain. See DsGetDcName
The option allows the legacy NetGetDcName API to be called with user specified parameters. See NetGetDcName
The option uses the legacy Windows networking NetServerEnum API to display the groups on the local or remote servers in the domain.
A command line style function that let you query WINS servers. Supports user defined record types in queries.
An option to display the HTTP headers that are returned by the website, with the option to follow or not follow directions See HTTP Headers
IP Geo Location
An option to query the ip-api.com API service to query the GEO location of a specific IP address or name. See IP GEO Location
A multiple threaded ping function that allows you to ping multiple IP addresses at once. The devices that are to be ping are pasted into the pane, the list can be IP addresses, FQDN, or shortnames. See Ping
A multiple threaded trace route function that check all hops simultaneously to provide the fastest possible results. See Trace Route
An option to query the WHOIS database for the details of the specified domain name, with an option to follow referral to sub WHOIS database authority. See WhoIs
This option will test the specified UNC path and confirm each component of the path is correct including, name resolution, ping, share existance, permissions and directory is searchable. See UNC Check
Combines the HTTP header, IP GEO Location, Trace Route, WhoIs, Ping and DNS resolution tests against the specified domain name, the referral and redirects are defined by the individual tests. See URL Check
This option will display the list of the domains and domain controllers in the specified forest.
This option will display the trusts that are returned by the DsTrust API against the specified server.
This option will display the trusts that are returned by the LsaOpenPolicy and LsaEnumerateTrustedDomains APIs against the specified server. Administrator rights are required for this API.
An audit function to display the group membership changes that have been preformed on the selected user. This will display which groups the user has been added and removed from. See Group Changes
This option will display the last logon details for the specified user against all the domain controllers in the domain containing the user, including last logon time per DC, last password change, lock time, bad password time. There is a single click button to unlock the account. There is also an option to trace back through the event logs on the domain controllers and the member servers in the authentication request to find the details why an account has been locked out. This functionality requires Security Log read rights and is dependent on the event log details not be lost by event wrapping. See Troubleshooting account lockouts
Last Logon Time
The option will query all the domain controllers in the domain to get the LastLogon attribute and display the latest time. The option support querying multiple users, the list of users is pasted into the pane.
The option will display all accounts that are currently locked in the specified domain and provides the option to bulk unlock selected accounts. See Locked Accounts
This option will allow the browsing of the local groups on member servers and the users assigned to the groups.
An option to browse the organisational structure of the specified user based on the user's manager and direct report attributes, for the selected user a common set of attributes are displayed, if defined the associated thumbnail picture is also displayed.
This option uses ANR based searches to search for the specified user, or other objects in the domain or forest. From the search results it possible to link the select user or object to other options using the context menu. See User Search
Top Quota Usage
The top quota assignments are displayed against the selected domain context or all context in the domain. It's also possible to search for the quotas of a specifying a user.
This option will display the users group membership as returned by the TokenGroup attributes associated to the user.
An option to convert text, GUID, or Hex to Base64 and back. There is also an option to create a new GUID if required from the context menu. See Base64
This is a simple option to display the details of the data that is currently held in the clipboard buffer.
An option to display the error messages associated to an error number based on the DisplayMessage API. There is also option to display LSA and LDAP based errors.
Provides the ability to search for a GUID against a number of GUID stored in the directory.
A rather specific option to test for potential mail address conflicts that may occur during a domain migration.
A rather specific option to test for potential mail address conflicts that may occur during a domain migration.
This option search against the select domain for the specified RID.
This option is used to search for all user and group objects in the domain where the objects permissions are control by the SDProp process. There is also an option to reset the user permissions to restore users that have been orphaned by the process to allow the SDProp process to the set permissions for users that are still members of a protected group. See SDProp
A option to resolve a name to the corresponding SID and via versa, the number of different formats are displayed. See SID Converter
An option to convert time and date into a number of different formats. Supported formats include Generalized Time, Int64, Azure format and returned across local and UTC time zones.