The saying goes that a bad carpenter blames his tools. In the Directory Services world a bad system administrator, well, even with the best tools they are probably not going to become an all star. However, for the system admin who is willing to spend a little time learning them, these tools can make your life much easier and ease your stress as an Active Directory admin.
In my everyday work I spend a large amount of time working with Active Directory services. This article is written with the Active Directory admin in mind. This is by no means a definitive list of Active Directory tools, merely the ones I find myself using on an almost daily basis and recommending to others in solutions on this board. For the most part these tools are available for free download. If you feel that I missed an important tool, please feel free to add a post and let everyone know.
The DS series of tools
These tools for Active Directory are probably my favorites. This is a set of six command line executables that allow you to query, create, modify, move and delete Active Directory objects from the command line.
These tools come bundled with many others and are available free from Microsoft at the following locations, depending on your OS.
Windows XP, 2k3 - http://www.microsoft.com/downloads/en/details.aspx?FamilyId=86B71A4F-4122-44AF-BE79-3F101E533D95&displaylang=en
Windows Vista - http://www.microsoft.com/downloads/en/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en
Windows 7 - http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en
The DS tools consist of the following commands:
DSQUERY - searches for Active Directory objects matching criteria
DSGET - retrieves selected attributes from Active Directory objects
DSMOD - modifies attributes for one or more Active Directory objects
DSADD - creates Active Directory objects
DSMOVE - moves Active Directory objects
DSRM - removes/deletes Active Directory objects
My most used command out of this group has to be DSQUERY, but by itself it doesn't offer much other than returning the distinguished names of objects that meet your search criteria. In the command below dsquery is used to search for users whose account name starts with "user":
dsquery user -samid user*
If one or more matching accounts were found you would see a list of the distinguished name of each. These tools really begin to get powerful when you combine them by piping the results of one command into another. In the command below I do the same user search as above, but this time I use DSGET to return more useful information than just a distinguished name:
dsquery user -samid user* | dsget user -ln -fn -tel
This example searches for all user accounts that start with "user" and returns the last name, first name and telephone number for each. Searching and returning data from Active Directory is useful for reporting purposes, but sometimes your task will be to modify information in Active Directory. In a small organization you could do this by hand, but in a larger one you will want to automate it. The command below shows a simple example of dsquery piped to dsmod that does this:
dsquery user -samid user* | dsmod user -disabled yes
The command above will search for and disable every user account that starts with "user". I have shown three really quick and simple uses of the DS tools for demonstration purposes, but there is plenty more you can do with them. Since this is an article about many Active Directory tools and not just the DS tools, I will save that for a later article.
This tool, dsrevoke, is not included in the DS series of tools mentioned above; Microsoft provides it as a separate download.
It is used to view and remove permissions on Active Directory OUs. Although Microsoft provides a nice GUI for delegating permissions, the delegation wizard gives you no way of reviewing or removing those permissions afterwards. This is where the command line dsrevoke comes in. It lets you select a user or security group and enumerate every location in your Active Directory environment where that principal has been granted permissions. Once found, it optionally lets you remove those permissions.
These tools are written by Joe Richards over at joeware.net.
These two tools perform operations similar to the DS tools mentioned above but add many abilities that are not available in the DS tools. They are admittedly a little more advanced to use, because they require you to know more about distinguished names, Active Directory attribute names and LDAP filters to return the information you are looking for. Because these tools are built on LDAP and take more advanced input, they also produce more advanced output and can modify Active Directory attributes that the DS tools cannot.
As an example, the dsquery command mentioned above
dsquery user -samid user* | dsget user -ln -fn -tel
would equate to
adfind -f samaccountname=user* sn givenname telephonenumber
While these tools are very powerful, I find myself using them less because of their complexity and the arrival of much more user friendly tools. I still occasionally return to them when a very tricky or specific task cannot be achieved with the other tools mentioned in this article.
ADModify.net is a tool originally developed by Microsoft Professional Support and later released to the general public.
This tool provides a GUI method to add or modify Active Directory attributes in bulk. Using it, it is very easy to quickly make adjustments to hundreds or thousands of user or computer accounts without needing detailed scripting knowledge. Anyone familiar with the Active Directory Users and Computers interface will feel comfortable using this tool.
Some of the major highlights of this tool are its ability to use variables when modifying data fields, the ability to modify Terminal Services profile settings (which many other programs cannot), its ability to modify almost any Active Directory attribute, and its logging/undo functionality. This is one of the few tools that gives you a way to revert if one of your bulk changes causes unintended consequences. It also allows easy selection of OUs through its GUI and the ability to use LDAP filters to narrow the affected objects even further.
Quest Powershell CMDlets for Active Directory/ Microsoft Powershell AD CMDlets
With the introduction of Server 2008, Microsoft has begun using PowerShell as the new command line interface for managing the majority of its products. PowerShell offers many upgrades over the standard command prompt and is far more flexible and extensible in what can be accomplished. PowerShell modules for Exchange 2007, Exchange 2010, SharePoint 2010 and other applications are already bundled with those products.
The Quest cmdlets were released before the Microsoft AD cmdlets and have been adopted successfully by many administrators. The basic commands can perform all of the account functions of the DS series of tools, such as retrieving users, setting attribute values, getting group memberships, adding and deleting users, etc. However, since PowerShell is fully scriptable and can access and manipulate data on both local and remote systems, the options for what can be accomplished with it are almost endless.
The PowerShell cmdlets are surely going to become the preferred tool of choice for Active Directory administrators. Whether you choose the Quest PowerShell cmdlets or the Microsoft PowerShell AD module is a matter of personal preference, as both can do the job equally well.
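To tie the two sections together, here is an added example (not from the original article) that redoes the three dsquery pipelines from the DS tools section with the Microsoft AD module, with the Quest equivalents in comments. It assumes RSAT (or the Quest snap-in) is installed, you have rights to read and modify the accounts, and "user*" is the same sample prefix the article uses.

```powershell
# Added example: the article's three dsquery pipelines done in PowerShell.
# Assumes the Microsoft AD module (Server 2008 R2 / RSAT) is available.
Import-Module ActiveDirectory
# Add-PSSnapin Quest.ActiveRoles.ADManagement   # use this instead for the Quest cmdlets

$prefix = 'user*'   # sample account-name prefix, same as the article

# 1) dsquery user -samid user*          (distinguished names only)
#    Note: dsquery stops at 100 results unless you add "-limit 0";
#    Get-ADUser -Filter returns every match.
Get-ADUser -Filter "SamAccountName -like '$prefix'" |
    Select-Object -ExpandProperty DistinguishedName

# 2) dsquery user -samid user* | dsget user -ln -fn -tel
#    OfficePhone is not in Get-ADUser's default attribute set, so ask for it.
Get-ADUser -Filter "SamAccountName -like '$prefix'" -Properties Surname, GivenName, OfficePhone |
    Select-Object SamAccountName, Surname, GivenName, OfficePhone |
    Format-Table -AutoSize

# 3) dsquery user -samid user* | dsmod user -disabled yes
#    Preview with -WhatIf first: it lists every account the pipeline would
#    disable without changing anything, which the dsmod version cannot do.
$targets = Get-ADUser -Filter "SamAccountName -like '$prefix'" -Properties Enabled |
    Where-Object { $_.Enabled }          # skip accounts that are already disabled
$targets | Disable-ADAccount -WhatIf
# Only after reviewing that list, run it for real:
# $targets | Disable-ADAccount -Confirm:$false

# Quest equivalents of 2) and 3). Get-QADUser caps results at 1000 unless
# you pass -SizeLimit 0 (property names as documented by Quest).
# Get-QADUser -SamAccountName $prefix -SizeLimit 0 | Select-Object SamAccountName, LastName, FirstName, PhoneNumber
# Get-QADUser -SamAccountName $prefix -SizeLimit 0 | Disable-QADUser -WhatIf
```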
Another tool written by Joe Richards over at joeware.net.
Over time Active Directory can become cluttered with old or inactive computer and user accounts. This is especially true in large organizations with multiple administrators or loosely defined account deletion procedures. This tool allows an Active Directory administrator to query the environment for computer and user accounts older than a certain age and optionally move, disable or delete them. I find it works much better than the DS tools for querying inactive accounts, and it offers more criteria such as last logon timestamp, password reset and computer account password change. When it is time for AD cleanup this is the tool I go to.
ADSI Edit / AD Explorer
These tools are similar in appearance to Active Directory Users and Computers, but they function as lower level LDAP editors and expose more of the Active Directory environment than is visible in ADUC. Using them you can graphically edit fields in Active Directory that you cannot reach through the ADUC GUI. Because these tools expose more of AD, you must take extra care to know what you are changing, otherwise you could cause some serious issues.
A simple but very useful feature of these tools is determining the distinguished name of an object and copying and pasting it wherever a DN is required. AD Explorer also has the added ability to take a snapshot of the Active Directory database so you can view and compare your AD structure at different points in time.
This tool extends your Active Directory Users and Computers snap-in with some really handy right-click options. It lets you easily refresh Group Policy settings, shut down or reboot, initiate Windows Update, etc. There are two versions, a free one and a paid one; obviously the paid version has other nice features, but either version is good to have in your arsenal.
Account Lockout Tools
This is another offering from Microsoft, and it answers many administrators' wishes for a good way to deal with troublesome accounts that continually lock out. It is actually a set of two separate tools. The first, lockoutstatus.exe, lets you query a user account and see when, and on which domain controller, bad passwords were generated or the account was locked out. The second tool in the pack, EventCombMT.exe, lets you collect multiple event logs from many different servers. It is extremely useful for finding lockout and bad password attempt event IDs across multiple domain controllers. These tools have helped me many times when dealing with a continually locking account.
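As an added example that is not part of the article or the Microsoft tool pack, the PowerShell below does the same job the article describes for EventCombMT: it pulls lockout and bad-password events for one account from every domain controller's Security log. It assumes the AD module, Server 2008-style security event IDs, and rights to read each DC's Security log remotely; "jsmith" is a constructed sample account.

```powershell
# Added example: gather lockout / bad-password events for one user from all DCs.
# Assumes the Microsoft AD module and remote read access to the Security logs.
Import-Module ActiveDirectory

$user  = 'jsmith'                          # constructed sample account
$since = (Get-Date).AddHours(-24)          # how far back to look

# Server 2008+ Security log event IDs (Server 2003 DCs use 644 / 675 / 680 instead):
#   4740 = account locked out  (the PDC emulator records every lockout, so it always has this)
#   4771 = Kerberos pre-authentication failed (bad password)
#   4776 = NTLM credential validation attempt (the error code is in the message)
$ids = 4740, 4771, 4776

$dcs  = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$hits = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = $ids; StartTime = $since
        } |
        Where-Object { $_.Message -match "\b$([regex]::Escape($user))\b" } |
        Select-Object @{ n = 'DC'; e = { $dc } }, TimeCreated, Id, Message
    } catch {
        # Get-WinEvent throws when a log has no matching events; only report real failures
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

# Newest first. The caller computer / source workstation named in the Message
# body is what you need to find the stale credential causing the lockouts.
$hits | Sort-Object TimeCreated -Descending | Format-List DC, TimeCreated, Id, Message
```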
WMI Code Creator
WMI Code Creator is a graphical tool that exposes the WMI classes on a machine. It also lets you quickly query WMI for specific information on both local and remote computers, and it can generate simple WMI scripts in three different languages. I get the most use out of this tool when I am creating new WMI filters for Group Policy: it easily lets you inspect your reference machine's WMI classes to determine the values you want to use in your GPO WMI filter.
This is a very simple but effective tool written by gpoguy.com. It quickly shows you all of the WMI filters available in your Active Directory environment and then lets you remotely test them against any domain computer you choose. I always use this tool whenever I create a WMI-filtered GPO to make sure I will get the expected results once it is applied. When testing a WMI-filtered GPO with this tool, a value of TRUE means the GPO will be applied to the specified machine.
Group Policy Inventory
This tool is primarily used to return Group Policy RSoP data from machines either selected out of Active Directory or listed in a supplied text file. It can also query WMI on those same machines and return many pieces of information about that group of computers. A great feature of this program is that the data returned is fully customizable by editing a simple XML file. With a little WMI scripting knowledge you can easily turn gpinventory into a very powerful computer hardware/software inventory tool.
Occasionally a user, computer, OU or other Active Directory object is deleted when it shouldn't have been. When this happens you have the option of doing an offline recovery of your Active Directory database. You also have the option of using a tool like ADRestore (command line) or ADRestore.NET (GUI) to reanimate the deleted item. This essentially lets you recover the deleted item in some form. The restored object retains only some key attributes of the original; the rest are lost. However, the important attributes such as the SID and GUID are retained, meaning that all permissions and access remain on the restored object. This is not a tool for all situations, but in a pinch it can be used successfully to help you avoid an offline restoration.
Active Directory Topology Diagrammer
This isn't a tool you will use daily, but I figured I'd add it because it is a great asset for any administrator trying to get an idea of what's out there in the Active Directory environment. It is ideal when you are working on an unfamiliar AD installation, as it lets you quickly and easily create a customizable Visio drawing of AD. Mapping domain controllers, site links and Exchange servers is all available within this tool. It is a great knowledge gathering and preplanning tool.