Active Directory management with NetTools
Health Check
Active Directory administrators have a massive choice of tools, starting with the integrated administration tools on Windows Server and including a variety of free and commercial programs. This toolbox can be nicely rounded off with the free NetTools: in total, more than 90 utilities that simplify troubleshooting and administration.
NetTools [1] notches some initial brownie points directly after you download its single EXE file. You don't need to install a tool palette, and there are no dependencies on frameworks or DLLs. However, this doesn't translate to a hodgepodge of command-line tools; instead, everything is available in a central management interface without the need for context changes. The only add-on is an INI file that holds the current configuration and user-specific information. If nettools.ini does not exist, it is created at program launch time. Software can be that simple, and this makes installation on a domain controller less critical because it avoids any risk of trouble with components installed at the same time.
On the website you can look forward to some very good and, above all, up-to-date documentation – not necessarily a matter of course in the world of freeware. The FAQ section is helpful, especially for newcomers, and helps you find your way around. A list of all functions and a carefully maintained blog round off the information collection. The author offers readers tips and tricks for the utilities, accompanied by plenty of examples. NetTools starts exactly where the on-board tools leave off. Therefore, it is not intended to be an alternative to existing tools, but deliberately closes functional gaps.
Targeted Profiles
By default, you work with the toolbox in the context in which you have logged on. For more flexibility, you can create profiles that include connection data for a specific domain controller, or even a different domain, along with the user account. A profile can be specified in the course of a specific action, which means you do not need to be interactively logged in as a domain admin to act in the context of the domain admin's authorizations. All profile information is stored in the INI file – except for the passwords. The passwords are not stored anywhere but need to be retyped each time.
Even at first glance, the tools' graphical user interface (GUI) is neat and tidy and the buttons are self-explanatory. For newcomers, it is still advisable to consult the help on the website, which simplifies getting started with the GUI and includes instructions on how to handle the profiles.
Integrated GUI Functions
The NetTools feature set is not just the individual tools lined up ready for use on the left side of a GUI. Useful elements are also embedded directly in the GUI (e.g., in the context menus of the objects). Taking a user object as an example, you can easily search for it by typing the name or part of it, without wildcards, in the search bar at the top of the screen. The results appear in the main window, and from this list you can select an element by right-clicking. The treasure trove of information in the context menu is a revelation for any admin.
Last Logon, for example, shows detailed information about the respective object: When and how often did the user log in recently? Which domain controller processed the login? Was the password entered incorrectly? When was it last changed? The Use With menu has even more to offer: The Group Changes subitem gives you information on the history of group assignments in addition to group memberships. You can easily see when a user has been removed from or added to a group, for example. The various options in the context menu invite admins to browse and try them out.
Finding Differences
Comparing two objects is a fairly common scenario. Staying with the user object, I will look at an example related to permissions in Active Directory. A comparison in NetTools always involves two steps: First, select an element from the list of users (or other objects), again using the context menu, this time with the menu item Select left SD to compare (where SD stands for security descriptor, the place where permissions are stored for a user object).
After selecting the option, the GUI remembers the object. In this example, assume you have selected the Christa user account. Now you can display the second object with another search. If you open the context menu again, you will see the Compare to 'Christa' SD item. A new window then shows the differences between the two user objects in tabular form. This view contains a column header at the top. Worth noting is the column with the asterisk (*) header (Figure 1) that shows the results of comparisons between values in the columns as special symbols, allowing you to identify whether permissions are identical, partially identical, or not available for comparison for one of the two objects. The developer chose this symbolism to illustrate the several possibilities. Clicking on the * shows hints about the different symbols; what's more, you have the option to select a filtering character for the display, which means you can reduce the list to elements of the objects that are identical or, conversely, not identical.
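The same kind of security descriptor comparison can be scripted when you want to check many accounts for permission drift. The following is an added example, not NetTools code or output: the function names Get-AceMap and Compare-Sddl, the status labels, and both SDDL strings are constructed for illustration, and the status labels are not the symbols NetTools displays. It assumes PowerShell on Windows.

```powershell
# Added example: diff the DACLs of two security descriptors given as SDDL.
# Both SDDL strings are constructed sample values, not read from a real directory.
# ab721a53-... is the User-Change-Password extended right.
$leftSddl  = 'D:(A;;RPWPCR;;;BA)(A;;RP;;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)'
$rightSddl = 'D:(A;;RPWP;;;BA)(A;;RP;;;AU)(A;;RPWPSDRC;;;AO)'

function Get-AceMap([string]$Sddl) {
    # Parse the SDDL and index each DACL entry by type, trustee, object GUID and flags.
    $sd  = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $map = @{}
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Object ACEs carry a property or extended-right GUID; plain ACEs do not.
        $objType = ''
        if ($ace -is [System.Security.AccessControl.ObjectAce]) { $objType = $ace.ObjectAceType }
        $key = '{0}|{1}|{2}|{3}' -f $ace.AceType, $ace.SecurityIdentifier, $objType, $ace.AceFlags
        # Merge access masks if the same key appears more than once.
        $map[$key] = [int]$map[$key] -bor $ace.AccessMask
    }
    $map
}

function Compare-Sddl([string]$Left, [string]$Right) {
    $l = Get-AceMap $Left
    $r = Get-AceMap $Right
    $keys = @($l.Keys) + @($r.Keys) | Sort-Object -Unique
    foreach ($key in $keys) {
        if     (-not $r.ContainsKey($key)) { $status = 'LeftOnly' }
        elseif (-not $l.ContainsKey($key)) { $status = 'RightOnly' }
        elseif ($l[$key] -eq $r[$key])     { $status = 'Identical' }
        else                               { $status = 'MaskDiffers' }

        $leftMask  = '-'
        $rightMask = '-'
        if ($l.ContainsKey($key)) { $leftMask  = '0x{0:X8}' -f $l[$key] }
        if ($r.ContainsKey($key)) { $rightMask = '0x{0:X8}' -f $r[$key] }

        [pscustomobject]@{ Status = $status; Ace = $key; Left = $leftMask; Right = $rightMask }
    }
}

# Show only the entries that differ between the two descriptors.
Compare-Sddl $leftSddl $rightSddl |
    Where-Object Status -ne 'Identical' |
    Format-Table -AutoSize
```

For live objects, the SDDL input can come from (Get-Acl "AD:\<distinguishedName>").Sddl with the ActiveDirectory module loaded.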