Active Directory management with NetTools
Health Check
Checking Groups for Changes
Previously you looked at the group membership history starting with a user object. This view also works in the other direction – that is, starting with a group. To find out what changes have been made, for example, in the Domain Admins group, you need to view the group in one of the NetTools views. The easiest way to do this is to use the search box at the top of the toolbar. Uncheck Return Users Only; otherwise, the search will fail. You also need to pay attention to the spelling of the group names. In this case, one AD domain controller was a German server; accordingly, the group name was Domänen-Admins (Figure 4), but this is just a side note.
To find out what activities have taken place in this group, navigate to the context menu by right-clicking and then selecting AD Properties. In the Properties, focus on the Members tab to view the current members of the group. Unlike in the Users and Computers console, the Removals field here already displays the latest accounts to have been removed from the group. You can go into even more detail by pressing the Changes button. Another window provides data on when accounts were added and removed.
In this context, I need to mention once again the LDAP catalog, with its diverse query options. It also includes queries relating to group administration, especially for administrative groups. Note also that the group names in the queries might need to be adjusted to match the language of the domain controller. The LDAP queries are all based on the built-in group names in English.
Schema – Under the Hood
Administrators are pretty sure to be familiar with the history and updates of their schemas; after all, this is "their" Active Directory and the info is essential. What happens, though, if you need to investigate the schema, versions, and update history of someone else's AD? The functions in the Schema category can be helpful. The Schema Versions item helps you find out what changes have been made to the schema, for both the Active Directory and Exchange schemas. Schema History takes this one step further and shows you the schema history (i.e., when which update was made to the schema).
In addition to the quite extensive NetTools functions, a number of minor functions can brighten up your everyday life as an administrator. For example, the unique security identifier (SID) of an Active Directory object or the name of a SID is displayed by the SID converter. You have probably viewed the event log of a domain controller that revealed a problem with a user that had a SID of 123 et cetera, but who is this user? Of course, you have PowerShell cmdlets or the wmic useraccount command with the get sid or get name parameters, but it's good to know that NetTools has a converter, especially if you are working in the NetTools GUI and with identities anyway.
Speaking of converters: The Time Converter lets you convert a time to some other format, including 64-bit. This function certainly is not used on a daily basis, but if you ever need it, it is reassuring to know it can be found in the toolbox.
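The SID and time conversions described above can also be done at a PowerShell prompt on Windows. The following is an added example, not code from the article or from NetTools: the function names are hypothetical, and the domain SID and timestamp are constructed sample values. It goes one step beyond the text by deriving the Domain Admins SID from the domain SID, which avoids depending on a localized group name such as Domänen-Admins.

```powershell
# Added example: function names are hypothetical, sample values are constructed.
function ConvertFrom-AdTimestamp {
    # 64-bit AD time: 100 ns intervals since 1601-01-01 UTC (pwdLastSet, accountExpires, ...)
    param([Parameter(Mandatory)][long]$Value)
    # 0 and Int64.MaxValue mean "not set / never"; FromFileTimeUtc rejects the latter
    if ($Value -le 0 -or $Value -eq [long]::MaxValue) { return $null }
    [DateTime]::FromFileTimeUtc($Value)
}

function ConvertTo-AdTimestamp {
    # Local times are converted to UTC; an unspecified Kind is taken as UTC
    param([Parameter(Mandatory)][DateTime]$Time)
    $Time.ToFileTimeUtc()
}

function Get-DomainGroupSid {
    # Build a well-known domain group SID (default: Domain Admins) from the domain SID,
    # so the lookup does not depend on the language of the domain controller
    param(
        [Parameter(Mandatory)][string]$DomainSid,
        [System.Security.Principal.WellKnownSidType]$Type = 'AccountDomainAdminsSid'
    )
    $domain = [System.Security.Principal.SecurityIdentifier]::new($DomainSid)
    [System.Security.Principal.SecurityIdentifier]::new($Type, $domain)
}

function Resolve-SidName {
    # SID -> account name; returns a marker string instead of throwing
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $id = [System.Security.Principal.SecurityIdentifier]::new($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Unknown SID, deleted account, or no domain controller reachable
        "<unresolved: $Sid>"
    }
}

# Constructed sample values, not taken from a real domain
$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$groupSid  = Get-DomainGroupSid -DomainSid $domainSid
$groupSid.Value                                     # domain SID plus the Domain Admins RID
Resolve-SidName -Sid $groupSid.Value                # needs the matching domain to resolve
Resolve-SidName -Sid 'S-1-5-32-544'                 # built-in Administrators, resolved locally
ConvertFrom-AdTimestamp -Value 132223104000000000   # constructed 64-bit timestamp
ConvertFrom-AdTimestamp -Value ([long]::MaxValue)   # "never": no output
ConvertTo-AdTimestamp -Time ([DateTime]::UtcNow)
```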
Conclusions
When you work with NetTools, it becomes clear what a wealth of information Active Directory offers. Experienced administrators who have managed without NetTools so far will have loads of fun with it. You will be surprised to see the bouquet of utilities that squeeze the last snippet of information out of Active Directory.
Great attention has been paid to detail in the functions themselves, which definitely helps in daily operations. Despite all the praise, people are bound to look for things that could be improved, and for the many admins who like to avoid mouse pushing, a call for a command-line interface might be justified, considering NetTools sees itself as a purely GUI-based tool.
Infos
- NetTools: https://nettools.net