Microsoft uses Active Directory (AD) extensively, both in its operating system and in its applications. If you are a systems administrator, you are probably already well-versed in the tool. If you are new to using Active Directory for your user permissions system, there are lots of tips and tricks for you to pick up.
Not many people realize that they don’t have to rely on the native management consoles that ship with Windows Server, such as Active Directory Users and Computers. There are a lot of useful assistants that you can install to improve your AD management.
The built-in consoles offer little in the way of workflow automation, change tracking, or reporting beyond what you script yourself with the ActiveDirectory PowerShell module. Those facilities are available from third-party software houses, and many of them are free.
Here is our list of the best Active Directory tools:
- SolarWinds Access Rights Manager (FREE TRIAL)
- SolarWinds Admin Bundle for Active Directory (FREE TOOL)
- Paessler Active Directory Monitoring with PRTG (FREE TRIAL)
- ManageEngine ADManager Plus
- ManageEngine ADAudit Plus
- AD Tidy
- AD Permissions Reporter
- Specops Password Auditor
- Recovery Manager for Active Directory
- PowerBroker Auditor
- Privilege Explorer
- Microsoft Active Directory Topology Diagrammer
- Microsoft ADRestore.NET
- Microsoft Active Directory Explorer
- Active Directory Replication Status
- Netwrix Auditor
- Netwrix Inactive User Tracker (FREE TOOL)
You can read about these tools in the following sections.
The Access Rights Manager is part of the large SolarWinds stable of IT infrastructure management tools. SolarWinds is very competent at producing network and server monitoring systems and the Access Rights Manager meets that high standard. The tool installs on Windows Server.
The tool has some great visualizations of user groups and inherited permissions. Permission inheritance is a factor that is often difficult to keep track of, so the attractive layout of the Access Rights Manager dashboard is a great help. The tool will help you to manage:
- Active Directory
- Microsoft Exchange
- Windows File Share
You will be able to automate user account creation steps through forms and workflows and also keep track of the group profiles that you operate on your system. The provisioning utilities of the tool include a self-service portal to enable users to manage their own passwords and request different access levels.
Analysis functions help you confirm data security standards compliance and meet service level agreements. The tool includes logging features that enable you to track user activity and audit how well your permissions structure matches what users actually need.
SolarWinds offers a 30-day free trial of the Access Rights Manager. However, if you want to get an access manager without ever paying for it, you should check out the SolarWinds Permissions Analyzer for Active Directory. This is a “lite” version of the Access Rights Manager that is free to use.
The straightforward layout of the interface helps you keep track of user groups and permission inheritance. These concepts are relatively simple to understand, but can quickly become unmanageable if you don’t have a tool that can properly express the relationship between users, groups, and parent groups.
As the name of the tool suggests, there are also analytical facilities in the utility. You can get filtered data out of the tool to see which permissions have been allocated to which groups. You don’t get the comprehensive standards auditing, snazzy graphics, or security features of the Access Rights Manager with the Permissions Analyzer, but you do get a useful, easy-to-use AD management utility.
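The relationship between users, groups, and parent groups that the Permissions Analyzer visualizes can also be walked with the Microsoft ActiveDirectory PowerShell module. The script below is an added example, not SolarWinds code: it expands the membership of the built-in privileged groups recursively, records the chain of groups through which each indirect member inherits its rights, and guards against nested groups that contain each other. The group names are the Windows built-ins; the output file name is an assumption.

```powershell
# Added example (not SolarWinds code): list direct and indirect members of
# privileged groups, with the nesting path by which each one inherits rights.
Import-Module ActiveDirectory

function Get-NestedMembers {
    param(
        [string]$Group,
        [string]$Path = $Group,
        [hashtable]$Seen = @{}
    )
    # Cycle guard: nested groups can (accidentally) contain each other.
    if ($Seen.ContainsKey($Group)) { return }
    $Seen[$Group] = $true

    foreach ($m in Get-ADGroupMember -Identity $Group) {
        if ($m.objectClass -eq 'group') {
            # Recurse, extending the human-readable inheritance path.
            Get-NestedMembers -Group $m.distinguishedName -Path "$Path -> $($m.name)" -Seen $Seen
        } else {
            [pscustomobject]@{
                Member = $m.SamAccountName
                Class  = $m.objectClass
                Via    = $Path
                Direct = ($Path -notmatch '->')
            }
        }
    }
}

$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators',
              'Account Operators', 'Backup Operators'
$members = foreach ($g in $privileged) { Get-NestedMembers -Group $g }

# Indirect members are the ones the native console hides behind a group name.
$members | Where-Object { -not $_.Direct } | Sort-Object Member | Format-Table -AutoSize
$members | Export-Csv -Path .\privileged-members.csv -NoTypeInformation   # assumed output path
```

`Get-ADGroupMember -Recursive` would flatten the same membership, but it discards the path, which is what you need when deciding which nesting to remove. Note that `Get-ADGroupMember` fails on groups containing foreign security principals from another forest; such groups have to be expanded via their `member` attribute instead.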
SolarWinds gives you another free option for monitoring AD with the Admin Bundle for Active Directory. This tool runs on all versions of Windows Server. The pack includes three tools:
- Inactive User Account Removal
- Inactive Computer Account Removal Tool
- User Import Tool
With these three utilities, you can create user accounts in bulk by importing them into Active Directory from a CSV file. The two removal tools show you which user accounts have had no logon activity and which computer accounts have not been used for a while, and let you disable or delete them. This will enable you to identify accounts that should have been deleted and machines that have probably been retired.
These three tools are not as impressive as the Access Rights Manager. However, the bundle is free and it will help you eliminate dead accounts and defunct records in your AD implementation.
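Bulk provisioning from a CSV file is also straightforward with the ActiveDirectory module, and doing it in a script lets you add the checks an import tool should perform. The following is an added example, not the SolarWinds tool's code: it validates each `SamAccountName` before using it in an AD filter (CSV content is untrusted input), refuses to overwrite existing accounts, sets a random one-time password that must be changed at first logon, and runs with `-WhatIf` until you remove it. The CSV columns, OU paths, and domain name are assumptions.

```powershell
# Added example (not SolarWinds code): bulk user creation from CSV with
# input validation, idempotency and a random initial password.
Import-Module ActiveDirectory

# Constructed sample input; in practice use Import-Csv -Path <file>.
$csvText = @'
SamAccountName,GivenName,Surname,Department,OU
jsmith,Jane,Smith,Finance,"OU=Finance,OU=Staff,DC=example,DC=com"
bwong,Ben,Wong,IT,"OU=IT,OU=Staff,DC=example,DC=com"
bad name;,Eve,Mallory,IT,"OU=IT,OU=Staff,DC=example,DC=com"
'@
$users = $csvText | ConvertFrom-Csv
$upnSuffix = 'example.com'   # assumption

foreach ($u in $users) {
    # The value is interpolated into an AD filter, so constrain it first.
    if ($u.SamAccountName -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        Write-Warning "Rejecting malformed SamAccountName '$($u.SamAccountName)'"
        continue
    }
    # Never clobber an existing account; re-running the import must be safe.
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.SamAccountName)'") {
        Write-Warning "Skipping $($u.SamAccountName): already exists"
        continue
    }

    # 24 random bytes -> 32-character base64 string as a one-time password.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -SamAccountName $u.SamAccountName `
               -UserPrincipalName "$($u.SamAccountName)@$upnSuffix" `
               -Name "$($u.GivenName) $($u.Surname)" `
               -GivenName $u.GivenName -Surname $u.Surname `
               -Department $u.Department -Path $u.OU `
               -AccountPassword $initial `
               -ChangePasswordAtLogon $true `
               -Enabled $true `
               -WhatIf   # remove -WhatIf after a dry run looks right
}
```

Hand the initial password to the user out of band; with `-ChangePasswordAtLogon` it is only good for one logon.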
Paessler’s PRTG is a network, server, and application monitoring tool. The system is composed of ‘sensors’. Each sensor is a monitoring utility and PRTG includes sensors that work with Active Directory.
The Active Directory coordination and monitoring capabilities of PRTG extend to a scrutiny of the replication and distribution functions of complex AD implementations for large organizations. If you deploy a series of AD domain controllers and if you have a forest of domains, the tool can check that replication between servers does not produce errors. It can help you ensure coordination where needed and separation where required.
PRTG notes which users are connected to the system and which are not, and it can report on group membership and the inheritance of permissions between groups. It is a monitoring system rather than an editor, so any changes are still made through AD’s own tools.
The Active Directory monitoring functions of PRTG require the activation of four sensors, two of which need to be customized. Paessler gives all customers the full version of the package. The price bands for the tool are dictated by the number of sensors that get activated. You can use PRTG for free if you only activate up to 100 sensors. You can get a 30-day free trial of PRTG with unlimited sensors. The software installs on Windows Server.
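The replication checks described above can be reproduced natively, which is also how you would feed a custom PRTG EXE/Script sensor. The script below is an added example, not Paessler’s sensor code: it reads every inbound replication link in the forest, flags partners with consecutive failures or a last success older than a threshold, pulls the recorded failure codes, and exits non-zero when anything is wrong so a scheduler or monitoring sensor can alert. The 60-minute threshold is an assumption.

```powershell
# Added example (not Paessler code): forest-wide AD replication health check.
Import-Module ActiveDirectory

$maxLag = New-TimeSpan -Minutes 60      # assumption: tune to your site link schedule
$forest = (Get-ADForest).Name

# One record per inbound partner per partition for every DC in the forest.
$links = Get-ADReplicationPartnerMetadata -Target $forest -Scope Forest -ErrorAction Stop

$problems = foreach ($l in $links) {
    $lag = (Get-Date) - $l.LastReplicationSuccess
    if ($l.ConsecutiveReplicationFailures -gt 0 -or $lag -gt $maxLag) {
        [pscustomobject]@{
            Server    = $l.Server
            Partner   = $l.Partner
            Partition = $l.Partition
            LastOK    = $l.LastReplicationSuccess
            LagMin    = [int]$lag.TotalMinutes
            Failures  = $l.ConsecutiveReplicationFailures
            LastError = $l.LastReplicationResult   # 0 = success; otherwise a Win32 error code
        }
    }
}

# Failures recorded by the DCs themselves (e.g. 8453 access denied, 1722 RPC unavailable).
$failures = Get-ADReplicationFailure -Target $forest -Scope Forest |
            Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError

if ($problems -or $failures) {
    $problems | Format-Table -AutoSize
    $failures | Format-Table -AutoSize
    exit 1     # non-zero exit lets a scheduled task or PRTG EXE/Script sensor raise an alert
}
'Replication healthy'
exit 0
```

`repadmin /replsummary` gives the same picture interactively; the advantage of the cmdlets is structured output you can threshold on.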
ManageEngine ADManager Plus gives you a front-end to all of your AD domain controllers. The interface acts as a central control console and unifies all of your domain and global administration tasks. This interface is a lot more user-friendly than the standard AD front-end and it has more features and controls. You can manage Office 365, Exchange, G Suite, and Skype for Business through the same interface.
This tool is web-based, so you can access it from anywhere. ManageEngine even provides an app that allows you to access the console from your mobile device.
A number of standard Active Directory user, group, and object management tasks can be automated through ADManager Plus and it also enables you to create, adapt, or remove objects in bulk. Facilities in the tool enable you to identify defunct object records and inactive user accounts.
The reporting module of ADManager Plus includes pre-written formats that include compliance reporting standards for SOX and HIPAA among others. Reports can be scheduled to run automatically. The interface can be adapted to Help Desk teams and limited control versions of the dashboard allow you to grant access to the console to support team members safely.
There are three editions of ADManager Plus: Free, Standard, and Professional. The Free edition only allows you to manage one domain. The standard version has a wider scope and the Professional edition includes the Help Desk modules. The download for the Free and Professional version is the same. You get a 30-day free trial of the full version and if you choose not to buy at the end of the trial, the package switches to the Free version.
ManageEngine produces a number of Active Directory-related tools. The ADAudit Plus utility complements ADManager Plus, giving deeper reporting and system checking facilities. The tool is web-based, so it can be accessed from any computer and also from mobile devices.
One of the main duties of ADAudit Plus is to track user connections and log them. Two intruder activities that this service could highlight include the signs of a compromised account, such as logins from far-apart locations, and repeated failed login attempts.
The auditing and reporting feature of the tool is designed in accordance with a range of industry data security standards including SOX, PCI-DSS, FISMA, HIPAA, and GLBA. You get extensive Active Directory auditing functions with the Standard edition of ADAudit Plus.
The Professional edition also includes auditing of Active Directory records. There is also a Free edition, which is restricted to monitoring 25 workstations. You can get a 30-day free trial of the Professional edition. When the trial period expires, the system will switch to the Free edition if you don’t want to pay for the Standard or the Professional Edition.
ManageEngine also produces a number of free Active Directory utilities. These include the Active Directory Query Tool, AD Replication Manager, the CSV Generator, which extracts AD records, and the Last Login Reporter.
Cjwdev produces a few Active Directory tools that any systems administrator would find useful. The developer is a former sysadmin who started developing tools for himself and then decided to share them with the world.
AD Tidy enables you to check on the status of user accounts and objects listed in your domain controller. Accounts that show no activity can be removed. The tool’s interface has the ability to disable, move, and remove members from groups. It is also possible to reset the passwords of accounts to strings of random characters.
This small utility offers a better interface to your domain controllers than the native Active Directory front-end. Search results from the tool can be exported to XLS or CSV files. Searches can be saved in order to be re-executed with ease.
You can switch between domains and even hop between organizational units, as well as display the records from the domain controllers to search timestamps in order to identify inactivity. Two utilities built into the tool give you extra checks on the continued existence of an object. These are a DNS lookup and a Ping test.
The tool is available in free and paid versions. The free version has all of the features of the paid edition except for the ability to reverse actions and the availability of automation rules, which create automatic clean-up actions. Both editions run on Windows versions newer than XP.
Cjwdev has a modular approach to Active Directory management. There are actually several tools for AD available from this developer. Others include AD Info, which is a query tool for Active Directory domain controllers. There is also a utility, called AD Photo Edit, which inserts images into AD records, so you can associate a picture of a user with each account. The Group Manager helps you manage the allocation of members to groups in Active Directory. AD Account Reset Tool enables users or administrators to reset passwords.
The AD Permissions Reporter is a great little tool for querying the permissions set on objects in your Active Directory domain. Specifically, this reporter lists the access control entries on directory objects such as OUs, users, and groups, including inherited entries, rather than permissions on files.
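The stale-account clean-up that AD Tidy and the SolarWinds Admin Bundle perform can be scripted with the ActiveDirectory module. The following is an added example, not code from either vendor: it finds user and computer accounts with no logon inside a window, cross-checks stale computers with a DNS lookup and a ping as AD Tidy does, reports everything to CSV first, and then disables and moves only the accounts that fail every check. The 90-day window and the quarantine OU are assumptions; the actions run with `-WhatIf` until you remove it.

```powershell
# Added example (not Cjwdev or SolarWinds code): stale account triage.
Import-Module ActiveDirectory

$threshold  = New-TimeSpan -Days 90                      # assumption
$quarantine = 'OU=Quarantine,DC=example,DC=com'          # assumed to exist

# lastLogonTimestamp (what Search-ADAccount reads) is replicated lazily and can
# lag a real logon by up to 14 days, so keep the threshold well above that.
$staleUsers = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan $threshold |
              Where-Object { $_.Enabled }

$staleComputers = Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan $threshold |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        $c    = Get-ADComputer $_.DistinguishedName -Properties DNSHostName, LastLogonDate
        $fqdn = $c.DNSHostName
        [pscustomobject]@{
            Name          = $c.Name
            DN            = $c.DistinguishedName
            LastLogonDate = $c.LastLogonDate
            # Liveness checks, as AD Tidy offers: still in DNS? still answering?
            InDns    = if ($fqdn) { [bool](Resolve-DnsName $fqdn -ErrorAction SilentlyContinue) } else { $false }
            Pingable = if ($fqdn) { Test-Connection $fqdn -Count 1 -Quiet } else { $false }
        }
    }

# Report before acting; the CSVs double as evidence for a compliance file.
$staleUsers | Select-Object Name, SamAccountName, LastLogonDate |
    Export-Csv -Path .\stale-users.csv -NoTypeInformation
$staleComputers | Export-Csv -Path .\stale-computers.csv -NoTypeInformation

$stamp = Get-Date -Format s
foreach ($u in $staleUsers) {
    Set-ADUser $u.DistinguishedName -Description "Disabled as stale $stamp" -WhatIf
    Disable-ADAccount $u.DistinguishedName -WhatIf
    Move-ADObject $u.DistinguishedName -TargetPath $quarantine -WhatIf
}
foreach ($c in ($staleComputers | Where-Object { -not $_.InDns -and -not $_.Pingable })) {
    Disable-ADAccount $c.DN -WhatIf
    Move-ADObject $c.DN -TargetPath $quarantine -WhatIf
}
```

Disabling and quarantining rather than deleting keeps the SID and group memberships intact for a grace period, which is the manual equivalent of the paid edition’s ability to reverse an action.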
The tool is available in free and paid versions. You can export search results to CSV and HTML format in the free version and ADPR and XLS formats are also available in the paid version. The paid version is available in a command line version to enable searches of the object permissions to be integrated into scripts.
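The object-permission report that AD Permissions Reporter produces can be approximated with the `AD:` PowerShell drive that the ActiveDirectory module provides. The script below is an added example, not Cjwdev’s code: it dumps the ACL of one directory object, marks which entries are inherited, and flags non-default principals holding rights that amount to control of the object (GenericAll, WriteDacl, WriteOwner, write access to `member`, or the reset-password extended right). The target OU, the domain NetBIOS name, and the list of expected principals are assumptions.

```powershell
# Added example (not Cjwdev code): ACL report for one AD object, flagging
# control-equivalent rights held by unexpected principals.
Import-Module ActiveDirectory

$target   = 'OU=Staff,DC=example,DC=com'                       # assumption
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',  # assumption: adjust to your tiering
              'EXAMPLE\Domain Admins', 'EXAMPLE\Enterprise Admins')

# Well-known schema GUIDs (from the AD schema, not invented):
$memberAttr    = 'bf9679c0-0de6-11d0-a285-00aa003049e2'  # attribute: member
$forceChangePw = '00299570-246d-11d0-a768-00aa006e0529'  # extended right: User-Force-Change-Password

$acl = Get-Acl -Path "AD:\$target"

$rows = foreach ($ace in $acl.Access) {
    $rights = $ace.ActiveDirectoryRights.ToString()
    $obj    = $ace.ObjectType.ToString()
    $control = ($rights -match 'GenericAll|WriteDacl|WriteOwner') -or
               ($rights -match 'WriteProperty' -and $obj -eq $memberAttr) -or
               ($rights -match 'ExtendedRight' -and ($obj -eq $forceChangePw -or $obj -eq [guid]::Empty.ToString()))
    [pscustomobject]@{
        Principal  = $ace.IdentityReference.Value
        Type       = $ace.AccessControlType
        Rights     = $rights
        ObjectType = $obj                     # all-zero GUID means the right applies to everything
        Inherited  = $ace.IsInherited
        AppliesTo  = $ace.InheritanceType
        Suspicious = $control -and $ace.AccessControlType -eq 'Allow' -and
                     $ace.IdentityReference.Value -notin $expected
    }
}

"Owner: $($acl.Owner)"
$rows | Sort-Object Suspicious, Inherited -Descending | Format-Table -AutoSize
$rows | Where-Object Suspicious | Export-Csv -Path .\suspicious-aces.csv -NoTypeInformation
```

Run it against the domain head, the AdminSDHolder container, and the OUs that hold privileged accounts; a rogue ACE on a parent OU is inherited by everything beneath it, which is exactly why the `Inherited` column matters.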
Specops specializes in password verification and fortification tools. The company’s Password Auditor is a free tool that runs on Windows Server 2008 and higher.
This utility strengthens security by helping you to design a password policy, which includes requirements to renew passwords and the enforcement of password compositions that are harder to guess or crack. The utility operates on Active Directory entries.
The tool will scan your domain controllers, identifying accounts whose passwords are weak: passwords that match known breached-password lists, blank passwords, passwords that never expire, and passwords that have not been changed for a long time. The tool will also identify inactive user accounts. The results of this scan are a series of reports, which will identify accounts that represent security weaknesses and compare your password policies against the NIST, PCI, Microsoft, and SANS recommendations, which helps you demonstrate standards compliance.
Specops Password Auditor doesn’t include remediation scripts, so you will have to address stale accounts and weak password issues with some other tool, or manually. However, this tool is quick and easy to follow so it will prove an essential utility for your system security.
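Part of what the Password Auditor reports can be checked directly from the directory. The script below is an added example, not Specops code, and it does not compare hashes against breached-password lists as Specops does; it reads the default domain password policy and any fine-grained policies, sanity-checks the policy against thresholds, and lists enabled accounts with attributes that bypass or weaken the policy (password never expires, password not required, reversible encryption, Kerberos pre-authentication disabled, or a password older than a year). The thresholds and the output file are assumptions.

```powershell
# Added example (not Specops code): password policy and risky-account audit.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy
$fgpp   = Get-ADFineGrainedPasswordPolicy -Filter *    # PSOs override the default for their subjects

# Policy sanity checks (thresholds are assumptions; align them with your standard).
$findings = @()
if ($policy.MinPasswordLength -lt 14)    { $findings += "MinPasswordLength is $($policy.MinPasswordLength) (< 14)" }
if (-not $policy.ComplexityEnabled)      { $findings += 'Complexity is disabled' }
if ($policy.ReversibleEncryptionEnabled) { $findings += 'Reversible encryption enabled domain-wide' }
if ($policy.LockoutThreshold -eq 0)      { $findings += 'No lockout threshold: unlimited online guessing' }
if ($policy.PasswordHistoryCount -lt 24) { $findings += "Password history is $($policy.PasswordHistoryCount) (< 24)" }
foreach ($p in $fgpp) {
    if ($p.MinPasswordLength -lt 14) { $findings += "PSO $($p.Name): MinPasswordLength $($p.MinPasswordLength)" }
}

# Per-account flags. These are real extended properties exposed by Get-ADUser.
$props = 'PasswordNeverExpires', 'PasswordNotRequired', 'AllowReversiblePasswordEncryption',
         'DoesNotRequirePreAuth', 'PasswordLastSet', 'LastLogonDate', 'AdminCount'
$oneYearAgo = (Get-Date).AddYears(-1)

$risky = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props | ForEach-Object {
    $issues = @()
    if ($_.PasswordNeverExpires)              { $issues += 'NeverExpires' }
    if ($_.PasswordNotRequired)               { $issues += 'NotRequired' }
    if ($_.AllowReversiblePasswordEncryption) { $issues += 'ReversibleEnc' }
    if ($_.DoesNotRequirePreAuth)             { $issues += 'NoPreauth(AS-REP roastable)' }
    # A null PasswordLastSet (never set) compares as older and is flagged too.
    if ($_.PasswordLastSet -lt $oneYearAgo)   { $issues += 'PwdOlderThan1y' }
    if ($issues) {
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Privileged      = ($_.AdminCount -eq 1)   # protected by AdminSDHolder: fix these first
            Issues          = ($issues -join ',')
            PasswordLastSet = $_.PasswordLastSet
            LastLogonDate   = $_.LastLogonDate
        }
    }
}

$findings
$risky | Sort-Object Privileged -Descending | Export-Csv -Path .\password-audit.csv -NoTypeInformation
```

This covers the policy and flag side of the audit; actual password strength (reuse of breached passwords) still needs a tool that can read the NTDS hashes, which is the gap Specops fills.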
Recovery Manager for Active Directory is a comprehensive backup system to protect your authentication system. This tool will run on Windows Server versions from 2008 and on Windows Vista and later. There is also an app so that you can reach the manager’s console from a mobile device.
The recovery manager will back up your Active Directory databases and restore them. The location of the backup can be anywhere that is contactable over the network, including on the Cloud. You can also backup Azure Active Directory. So, you can have either or both your AD server and your backup server on premises or in the Cloud. Backup transfers can be scheduled for quiet hours.
This is a paid tool, but you can get a 30-day free trial. There is also a version of Recovery Manager for Active Directory that specializes in global implementations. Quest, the software house that produces the Recovery Manager for Active Directory, has a large range of AD-related products. These include Enterprise Reporter for Active Directory, Change Auditor for Active Directory, Active Roles, Active Administrator for Active Directory Health, and GPOADmin.
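The native building blocks that a recovery product wraps are a system-state backup of a domain controller and the AD Recycle Bin for object-level restores. The script below is an added example, not Quest’s code: it enables the Recycle Bin if it is off, takes a system-state backup with Windows Server Backup, and restores a deleted OU followed by the objects that lived in it. The OU name, the backup target drive, and the forest name come from assumptions; the restores run with `-WhatIf` until you remove it.

```powershell
# Added example (not Quest code): DC system-state backup and Recycle Bin restore.
# Run on a domain controller as a Domain Admin with the Windows Server Backup feature installed.
Import-Module ActiveDirectory

# 1. Recycle Bin: enabling is forest-wide and cannot be undone; needs forest level 2008 R2 or later.
$forest = Get-ADForest
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature $rb -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# 2. System-state backup (includes NTDS.dit, SYSVOL, registry). Copy it off the DC:
#    a backup that lives only on the DC dies with the DC.
wbadmin start systemstatebackup -backupTarget:E: -quiet       # E: is an assumption

# 3. Object-level recovery: an OU named "Finance" was deleted by mistake. LDAP filters
#    are used because msDS-LastKnownRDN has a hyphen in its name.
$deletedOu = Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=Finance))' `
                          -IncludeDeletedObjects -Properties lastKnownParent
if (-not $deletedOu) { throw 'No deleted OU named Finance in the Recycle Bin' }
Restore-ADObject $deletedOu -WhatIf                            # parent first...

# ...then its former children. lastKnownParent is a DN-valued attribute, so once the
# OU is live again it resolves to the OU's restored DN.
$restoredDn = "OU=Finance,$($deletedOu.lastKnownParent)"
Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(lastKnownParent=$restoredDn))" -IncludeDeletedObjects |
    Restore-ADObject -WhatIf
```

Objects stay restorable only until the deleted-object lifetime (180 days by default) expires; after that the Recycle Bin cannot help and you are back to an authoritative restore from the system-state backup.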
BeyondTrust produces a large number of system security monitoring tools including several for managing Active Directory and others for monitoring system access through reading and manipulating Active Directory. Of these tools, you should particularly look at PowerBroker Auditor if you are following data security standards and need to demonstrate compliance.
The PowerBroker Auditor for Active Directory meets a number of data security standards, including PCI, SOX, and HIPAA. The tool keeps an eye on your AD domain controllers and raises an alert when any changes are made. This is a real-time monitoring system, but it also logs every change, so administrators can still get information of unauthorized AD changes if they happen to be out of the office.
Each alert and log message records the user account that the change was made from and the user’s location. The before and after values of each changed attribute are also recorded. This information enables you to roll back unexpected changes in your AD databases. The controllers can be anywhere, just as long as they are reachable over a network or the internet. The PowerBroker Recovery for Active Directory tool integrates with the PowerBroker Auditor to automate rollback of unauthorized changes to your Active Directory databases. You can get a free trial of the PowerBroker Auditor and a free trial of PowerBroker Recovery is also available through the same link.
The PowerBroker Privilege Explorer is another Active Directory tool from BeyondTrust. This tool is an alternative interface to the AD database that substitutes for the Active Directory native front-end. The permissions displayed by the tool include access rights for users and permissions on files held on the network.
The Privilege Explorer is also a logging tool. It records: all access by all users and all the times that each file is opened or changed, and which user performed that action. This logging system is a great benefit if you are implementing data security standards because the records created by Privilege Explorer and the reports that the tool generates are compliant with SOX, HIPAA, and PCI.
The PowerBroker Privilege Explorer integrates with the PowerBroker Auditor to improve record keeping and reporting and enables you to get a comprehensive overview of the permissions structure that has been implemented at your company.
This security utility tracks changes in Active Directory to see whether unauthorized access has occurred and to roll back unexpected changes in the authentication hierarchy. This is a great defense against intruders, who frequently add a compromised account to a privileged group or grant it extra rights on an object in order to escalate their access.
PowerBroker Privilege Explorer is a paid product, but you can get a free trial to run it through its paces.
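The change alerts that PowerBroker Auditor and Privilege Explorer raise come from the same source a script can read: the Security log on a domain controller, provided the Audit Security Group Management and Audit Directory Service Changes subcategories are enabled and the objects carry a SACL. The script below is an added example, not BeyondTrust code: it collects group membership additions (events 4728, 4732, 4756), object permission changes (4670) and directory object modifications (5136) from the last 24 hours, parses each event’s XML into who changed what, and prints the tier-0 group changes that deserve an immediate page. The DC name and the time window are assumptions.

```powershell
# Added example (not BeyondTrust code): who-changed-what report from DC security events.
$dc    = 'dc1.example.com'                 # assumption; needs remote event log rights and firewall access
$since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756, 4670, 5136
    StartTime = $since
} -ErrorAction SilentlyContinue           # no matching events raises an error rather than returning nothing

$report = foreach ($e in $events) {
    # EventData is a list of <Data Name="...">value</Data>; flatten it to a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    switch ($e.Id) {
        { $_ -in 4728, 4732, 4756 } {            # member added to global/local/universal security group
            $target = $d.TargetUserName          # the group
            $detail = "added $($d.MemberName)"   # the member's DN
        }
        4670 {                                   # permissions on an object changed
            $target = $d.ObjectName
            $detail = "SD changed to $($d.NewSd)"
        }
        5136 {                                   # directory object modified (needs a SACL on the object)
            $target = $d.ObjectDN
            # OperationType %%14674 = value added, %%14675 = value deleted
            $detail = "$($d.AttributeLDAPDisplayName) = $($d.AttributeValue) (op $($d.OperationType))"
        }
    }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Actor  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Target = $target
        Detail = $detail
    }
}

# Membership changes in tier-0 groups are the ones worth paging someone for.
$tier0 = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$report | Where-Object { $_.Id -in 4728, 4732, 4756 -and $_.Target -in $tier0 } |
    Format-Table Time, Actor, Target, Detail -AutoSize
$report | Export-Csv -Path .\ad-changes.csv -NoTypeInformation
```

Run this against every writable DC, not just one: a change lands in the Security log of the DC that processed it, and an attacker can choose which DC that is. Forwarding the logs to a collector is what the commercial tools do for you.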
Microsoft produces its own tools that augment the functionality of Active Directory. Of those, the Topology Diagrammer is probably the most impressive. This tool produces Visio diagrams of your Active Directory topology: domains and trusts, sites and site links, domain controllers, organizational units, and groups.
The tool gives you a choice over exactly which category of AD data gets mapped. You can view data from the perspective of a domain, an organizational unit, a server, or a group.
You need to have Microsoft Visio installed in order to use the Topology Diagrammer. The software installs on Windows Server from version 2000 and up, or on Windows Vista, XP, or Windows 7.
The tool is free to use and you can download it from the Microsoft website.
Netwrix Auditor is not specifically tailored to Active Directory. However, it does include functions that audit changes to Active Directory objects. The tool is a system-wide auditing utility that will help you protect your network and servers from intrusion and accidental damage.
The organization of Netwrix Auditor is designed to serve the needs of administrators who are adhering to HIPAA, GDPR, SOX, PCI DSS, NIST, FERPA, GLBA, FISMA, CJIS, NERC CIP, and ISO/IEC 27001 data protection standards.
The tool will monitor your Active Directory implementations, including Azure AD, Microsoft Exchange Server, Office 365, and Windows File Server. It logs user activity recorded against the AD accounts in your domain controllers and it also logs all access to the authentication database. The tool keeps point-in-time snapshots of Active Directory data, so you can review every change that occurs and restore objects individually or en masse if your AD system gets damaged or compromised by intruders.
This is a paid tool, but you can check it out on a 20-day free trial. The software installs on Windows Server and it is also available as a virtual appliance to run on Hyper-V and VMware.
Active Directory Explorer (AdExplorer) is a Sysinternals front-end to Active Directory domain controllers that has the look and feel of the standard Windows File Explorer utility. This is a free tool that can be downloaded directly from the Microsoft website.
The left panel in the tool shows a tree view of the directory. The right panel shows the attributes of the item selected in the left panel. The interface enables you to search for a specific entry, then delete it or edit it, and to view an object’s security descriptor. It can also save a snapshot of the directory and compare two snapshots, which is a cheap way to see what changed between two points in time. The Explorer is a quick tool that gives you all of the basic functions that you need in order to manage Active Directory. However, it doesn’t have many features. For example, there is no automation in the tool either for account provisioning or for security tracking.
Netwrix produces a number of free system security tools and the Inactive User Tracker is a handy utility for tidying up Active Directory.
This quick tool searches through your domain controllers and checks on the last login dates for each listed account. This catches stale accounts. Inactive accounts are attractive to attackers because nobody notices when they start being used, so they represent a security weakness.
The report that comes out of a run of this tool lists inactive accounts with their last active dates. Those reports also form useful documentation for your security standards compliance file.
This tool is a cut-down version of the Netwrix Auditor. It doesn’t have the automation features of the paid tool. However, if you are prepared to put in the work to remove accounts manually, you will save a lot of money by going for this free option.
Active Directory Management
This guide has given you a lot of options for monitoring and managing your Active Directory implementations. The range of tools listed here includes very simple interfaces, such as the Microsoft Active Directory Explorer through to very sophisticated tools such as the SolarWinds Access Rights Manager.
Your favorite from this list will probably depend on the size of your network, the size of your administration team, and the amount of money that you have available for new tools. The presence of free tools on this list should help you if you have no budget at all for tools. However, keep in mind that the paid tools still attract plenty of customers, so they represent value for money that appeals to systems administrators all over the world. If you are curious about what exactly makes these tools worth paying for, you can at least check them out by accessing the free trials that their creators offer.
Do you use any Active Directory management tools? Have you tried any of the tools on this list? Leave a message in the Comments section below and share your experience with the community.