NetTools contains over 90 different tests and functions that are grouped into 14 sections.  The high-level details of the individual tests and features are provided below.  See NetTools Basics for details on common operations used within NetTools. Details on how to run NetTools can be found here.

Access Control

AD Permissions Browser
The ACL Browser provides a fast and simple method to browse the directory structure and display the associated permissions assigned and inherited by the selected object.  SACL permissions are displayed when the SACL option is selected, and default schema permissions are displayed when browsing the schema partition and selecting the class object.  See AD Permissions Browser
AD Permissions Reporter 
A powerful feature for generating reports on who has access and rights in the AD; it includes over 30 predefined reports.  See AD Permissions Reporter
Assigned Trustees
Will scan the complete partition or from the selected location down, and will display the trustees that have been assigned permissions and how many times the trustee appears in the ACLs.
Compare AD Permissions 
The capability to compare the permissions of two different AD objects. See Comparing AD Permissions
Control Access Rights
Displays the Control Access Rights that have been defined in the selected directory.  Selecting a Right will display which attributes the right applies to and the Property Sets the attributes that are included in the Right.
Extended Rights
Displays the extended rights that are defined in the directory.
Property Set Search
Will search the property sets for the specified attribute and display all the property sets that include the attribute.
SDDL Viewer 
A simple option to allow an SDDL string to be displayed in the NetTools permissions dialog. See SDDL Viewer
This option is used to search for all user and group objects in the domain where the object's permissions are controlled by the SDProp process.  There is also an option to reset the user permissions to restore users that have been orphaned by the process and to allow the SDProp process to reset permissions for users that are still members of a protected group.  See SDProp

AD Replication

Attribute Replication
Is used to confirm that the specified attributes of the selected object have been replicated across all domain controllers.
DC Updates
Will display the number of updates that have been processed across all the domain controllers, in the forest or domain controllers hosting the selected domain context. See DC Update 
Utilizes the LDAP DIRSYNC server-side control to display the updates that have been made on the domain controller. See DirSync
Domain Changes 
Displays the objects that have been updated on the domain controller based on the USNChanged attribute. See Domain Changes
Will display all the DSA GUIDs and Invocation GUIDs registered against the selected server.
Object Metadata
Will display the directory services metadata for the selected object. See Object Metadata
Object Replication 
Used to confirm that objects and attributes are replicating across the selected domain controllers.  See Object Replication
Replication Cursors
Will display the directory replication cursors for the selected domain controllers.
Replication Latency
This option provides the ability to test the time taken to replicate a new object across all the domain controllers in the selected partition.  The test will create the selected object type and then delete the object once the test is complete.
Replication Queues
This option displays the directory replication queues on the specified domain controller.  Domain Admins or Replicating Directory Changes right is required to display the contents of the replication queues.

AD Sites

AD Sites
A simple test using DNS to find which domain controllers will be used based on a machine's IP address, or AD site name.  The returned domain controllers will be tested to confirm that they respond to ping and LDAP and GC ports.
AD Subnets
Will display which AD site the specified IP address is assigned to, or if you paste a list of IP addresses into the main pane, the AD site for the corresponding IP addresses will be displayed. See AD Subnets
DC Coverage
A simple DNS test to return what AD sites are serviced by the specified domain controller.
DCs in site
Another simple DNS test to return what domain controllers are registered against the specified AD site.  The Site Name can be selected from a dropdown list.
Will display which domain controller is performing the ISTG role for each site. See Site ISTG
Sites Browser
A combined view allowing you to view the AD Site details in a simple hierarchical browser.  The following details can be displayed, AD Sites, Subnets, Site Links, Domain Controllers, Query Policy, connections, Downstream Partners, Naming Contexts, Licensing, Site coverage, Link Costs, NTDS settings, and test domain controller connectivity. See Site Browser
Sites DC List
Displays the list of domain controllers in the specified forest; for each domain controller the site name, default domain context, roles, FQDN, and IP address are displayed. See Sites DC List
Overlapping Subnets
This will scan the IP addresses defined in the forest and display any IP address ranges that overlap another IP address range. See Overlapping Subnets


Kerberos Tickets
Provides the ability to display the Kerberos tickets that are associated to the current user context, or a specified Session.  It is possible to purge individual or all tickets, or request a new ticket based on the specified SPN.  See Kerberos Tickets
A simple test using the LogonUser API that allows you to specify the API parameters to test different authentication methods and types, i.e. GPO User Rights configuration.  If the logon is successful, the corresponding groups and privileges will be displayed. See Logon
Password Checker
A crude password checker to check if the specified password is being used by a list of accounts.  The list is added by pasting the list of samaccountname into the pane.
RID Pool
Used to display the RID pool allocation, and the next RID, for all the domain controllers in the forest.  The current RID pool master and next RID pool allocation is also displayed. See RID Pool
A simple test using the CreateProcessWithLogonW API to execute a program using the defined set of credentials.  This was one of the first options added and could do with some love to update the form.
SCP Search
An option to allow you to search the directory for the specified SCP, with the ability to search based on the service name or the GUID of the service.
Will display the existing logon sessions that exist on the local machines and display the processes that are associated to the logon session. See Sessions
SID History
An option to display and manage the SID history against a single user or group object.
SID History (Bulk)
A bulk update option to allow the SID History to be set on a number of objects based on a semi-colon separated input file.  The option uses the DsAddSidHistory API, which has a number of prerequisites that are tested by the validation step before you can import and update the SID History of the specified objects. See SID History Bulk
An option to search the directory for the specified Service Principal Name; the search uses the sPNMappings settings to search for alternative service names against the host. See SPN
Token Size
This option will display the token sizes for all objects that match the specified search criteria.  Once the list is returned, it is possible to explore which direct and nested groups contribute to the overall token size. See Token Size
User Rights
This will display the groups and privileges that are assigned to the user context in which NetTools is running. See User Rights


Circular References
Used to find any circular references or infinite loops in group membership. See Circular References
Group Compare
Provides the ability to compare the group membership between two users.  There are a number of different name resolution and comparison options available. See Group Compare
Group Manager
An option to allow the membership of a group to be updated; changes can be specified as SamAccountName, SID, UPN, email, or DN input. The changes are pasted into the right-hand pane. See Group Manager
Group Members
An option to display the members of a group, including recursively across nested groups, displaying which group delivered the membership.
Local Groups (NetGroupEnum)
An option to display the members of the local groups associated to the specified server.  See Local Groups
Will display the local or global groups associated to the specified server using the NetQueryDisplayInfo API.

Group Policies

GPO Explorer
Provides similar functionality to GPMC to browse the GPOs defined in the specified forest, and also includes the test functionality of GPOTool.exe.  Provides the ability to view GPO allocations, settings, and permissions, and to view the contents of the registry.pol file. See GPO Explorer


Server Info
Based on the NetServerGetInfo API, this option provides the ability to display the configuration information of the selected server.
User Info
Based on the NetUserGetInfo API, this option provides the ability to display the details of the selected local user account.


Compare Objects
Provides the ability to compare the differences between two objects or the changes that have been made to a single object.  See Compare Objects
LDAP Browser
This option allows you to browse the contents of a directory in a three pane view. Including the ability to restore deleted AD objects. See LDAP Browser
LDAP Performance
This option performs a number of LDAP directory read operations and displays the time taken to perform these operations.  The number of times the tests are run can be configured, and Min, Max, and Avg are displayed. See LDAP Performance
This option uses raw WinSocket packet injection to simulate the CLDAP protocol and allows the NeutralizeNT options to be bypassed, but there isn't much call for this option now that NT4\Windows 2000 hybrid domains have pretty much disappeared! See LDAP Ping
LDAP Search
A powerful and feature rich LDAP client providing user selectable data type decodes, server side control, LDAP session options control, LDAP browser, display filters, save favorites, filter string substitution for common data types, table view, queries based on multiple inputs, LDAP filter wizard, batch multiple queries and feed result into subsequent queries, create write\update queries, and much more.  See LDAP Search
Manage Lists
A sub-function of the LDAP Search feature, which allows lists of data to be set up and then used by the display filters. See Display Filters
Object Count
An option to count the number of different types of objects that exist under the selected OU structure.  Selectable object types for Users, Groups, Computers, Active Users and all objects. See Object Count


Schema Class Browser
Displays the schema classes as defined in the selected LDAP directory.  Provides a list of the defined schema classes; when one is selected, it shows the attributes that are included in that class, as well as the source class of the attributes.  It also displays the hierarchy for the selected class.  See Schema Class Browser
Schema History
This option displays the updates that have been performed on the schema and the name of the corresponding update based on the internal database and user defined entries in the NetTools.ini, i.e. Windows 2008, 2012, 2019, Exchange CU update, and third party schema providers etc.  See Schema History
Schema Versions
This option displays the current version of various schema, features and functions, including Forest, Domain, and Domain Controller Functional Level, RODC, Schema Version, Exchange Schema, Forest, and Domain level, attribute and class counts against each Domain Controller in the forest.  Ideal for confirming that a schema update has been completed and replicated across the forest.  See Schema Version

Name Resolution

DC Resolution
This option provides the ability to check the consistency of the DNS, DSAPI, LDAP configuration for the domain controllers in the forest.  There is also the option to complete a port scan to confirm if the ports are available.  The list of servers and ports to be tested can be user defined.  The server list is defined by pasting the list of server IP addresses to be tested. See DC Resolution
This option provides the ability to call the DsGetDcName API directly with user-specified parameters.  DsGetDcName is part of the NetLogon service and is used to find domain controllers in the forest\domain.  See DsGetDcName
The option allows the legacy NetGetDcName API to be called with user-specified parameters. See NetGetDcName
Local Groups
The option uses the legacy Windows networking NetServerEnum API to display the groups on the local or remote servers in the domain.
WINS Lookup
A command-line style function that lets you query WINS servers. Supports user-defined record types in queries.


Certificate Checker 
A feature to allow you to verify the certificates that are used to protect websites, and show the results of the revocation checks.  See Certificate Checker
HTTP Headers
An option to display the HTTP headers that are returned by the website, with the option to follow or not follow redirections. See HTTP Headers
IP Geo Location
An option to query the ip-api.com API service to query the GEO location of a specific IP address or name. See IP GEO Location
A multi-threaded ping function that allows you to ping multiple IP addresses at once. The devices that are to be pinged are pasted into the pane; the list can be IP addresses, FQDNs, or short names. See Ping
Trace Route
A multi-threaded trace route function that checks all hops simultaneously to provide the fastest possible results. See Trace Route
An option to query the WHOIS database for the details of the specified domain name, with an option to follow referrals to sub WHOIS database authorities. See WhoIs
UNC Check
This option will test the specified UNC path and confirm each component of the path is correct, including name resolution, ping, share existence, permissions, and that the directory is searchable. See UNC Check
URL Check
Combines the HTTP header, IP GEO Location, Trace Route, WhoIs, Ping and DNS resolution tests against the specified domain name; the referrals and redirects are defined by the individual tests. See URL Check


Domain Tree
This option will display the list of the domains and domain controllers in the specified forest.
This option will display the trusts that are returned by the DsTrust API against the specified server.
This option will display the trusts that are returned by the LsaOpenPolicy and LsaEnumerateTrustedDomains APIs against the specified server.  Administrator rights are required for this API.


Group Changes
An audit function to display the group membership changes that have been performed on the selected user.  This will display which groups the user has been added to and removed from. See Group Changes
Last Logon
This option will display the last logon details for the specified user against all the domain controllers in the domain containing the user, including last logon time per DC, last password change, lock time, and bad password time. There is a single-click button to unlock the account.  There is also an option to trace back through the event logs on the domain controllers and the member servers in the authentication request to find the details of why an account has been locked out.  This functionality requires Security Log read rights and is dependent on the event log details not being lost by event wrapping. See Troubleshooting account lockouts
Last Logon Time
The option will query all the domain controllers in the domain to get the LastLogon attribute and display the latest time.  The option supports querying multiple users; the list of users is pasted into the pane. See Last Logon Time
Locked Accounts
The option will display all accounts that are currently locked in the specified domain and provides the option to bulk unlock selected accounts. See Locked Accounts
This option will allow the browsing of the local groups on member servers and the users assigned to the groups.
Org Structure
An option to browse the organisational structure of the specified user based on the user's manager and direct report attributes. For the selected user a common set of attributes is displayed; if defined, the associated thumbnail picture is also displayed.
This option uses ANR based searches to search for the specified user, or other objects in the domain or forest.  From the search results it is possible to link the selected user or object to other options using the context menu. See User Search
Top Quota Usage
The top quota assignments are displayed against the selected domain context or all contexts in the domain.  It's also possible to search for the quotas of a specific user.
User's Groups
This option will display the user's group membership as returned by the TokenGroup attributes associated to the user.
User's Membership
This option will display the nested group membership of a user, and which nested groups contributed to the user's group membership.  See User's Membership


ASN.1 Viewer
This option is used to display ASN.1 data structures, with support for DER, PEM, PKCS#7, and PKCS#12 file formats, and manual input in hex and base64 formats.  Includes support for common X.509 field types. See ASN.1 Viewer
An option to convert text, GUID, or Hex to Base64 and back.  There is also an option to create a new GUID if required from the context menu. See Base64
Clipboard Formats
This is a simple option to display the details of the data that is currently held in the clipboard buffer.
Error Messages
An option to display the error messages associated to an error number based on the DisplayMessage API.  There is also an option to display LSA and LDAP based errors.
GUID Search
Provides the ability to search for a GUID against a number of GUIDs stored in the directory. See GUID Search
Mail Conflicts
A rather specific option to test for potential mail address conflicts that may occur during a domain migration.
Mail Unique
A rather specific option to test for potential mail address conflicts that may occur during a domain migration.
Relative Identifiers
This option searches the selected domain for the specified RID.
SID Converter
An option to resolve a name to the corresponding SID and vice versa; a number of different formats are displayed. See SID Converter
Time Converter
An option to convert time and date into a number of different formats. Supported formats include Generalized Time, Int64, Azure format and returned across local and UTC time zones. See Time Converter