19 Feb

Active Directory Management Tools

I always enjoy seeing the different tools used across different IT shops. In fact, one of the most common questions clients ask is what other companies are using to perform various functions in AD. So, today I figured I’d continue on with the Active Directory theme (started by Christian’s post regarding AD Admin accounts on Monday) and do a quick roundup of AD management tools I’ve encountered.

Let’s start with the nice face-lift given to AD management in Server 2012.

Revamped Active Directory Management in Windows Server 2012

As of Windows Server 2012, most of the built-in AD tools have been overhauled, with most being completely rebuilt to run on PowerShell. PowerShell is Microsoft’s task automation and configuration management framework. Its building blocks are Cmdlets: commands that act as little scripts you can feed parameters and variables into.

Microsoft went a step further and now even allows for the administrator to easily see which Cmdlets are being called in AD Administrative Center to perform tasks. For example, when you add a user in Windows Server 2012 (and 2012 R2), you can actually see the PowerShell used to implement the commands, copy and paste it, modify it, then save it as a .PS1 file to automate, batch or schedule the processes in the future!
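As an added example (not taken from the original post or from Microsoft), here is what a single copied `New-ADUser` call can look like once it is turned into a batch .PS1 script. The OU, UPN suffix and user rows are constructed placeholders, and the script assumes the ActiveDirectory module is available on the machine running it.

```powershell
# Added example: batch version of a single New-ADUser call.
# $TargetOU, $UpnSuffix and the sample rows below are constructed placeholders.
Import-Module ActiveDirectory

$TargetOU  = 'OU=Staff,DC=example,DC=com'
$UpnSuffix = 'example.com'

# Constructed sample input; in practice use Import-Csv on a reviewed file
$newHires = @'
GivenName,Surname,SamAccountName
Ana,Lopez,alopez
Ben,Okoro,bokoro
'@ | ConvertFrom-Csv

foreach ($u in $newHires) {
    # Skip rows whose logon name is already taken so reruns are safe
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.SamAccountName)'") {
        Write-Warning "Skipping $($u.SamAccountName): account already exists"
        continue
    }

    $params = @{
        Name              = "$($u.GivenName) $($u.Surname)"
        GivenName         = $u.GivenName
        Surname           = $u.Surname
        SamAccountName    = $u.SamAccountName
        UserPrincipalName = "$($u.SamAccountName)@$UpnSuffix"
        Path              = $TargetOU
        # Created disabled and without a password: no credential ever sits in
        # the script or the CSV, and enabling the account stays a separate step
        Enabled           = $false
    }

    # -WhatIf only prints what would be created; remove it after review
    New-ADUser @params -WhatIf
}
```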

PowerShell on display in Server 2012

Still, for many organizations Windows Server 2012 and beyond is a ways off, and there are other gaps that solid third-party tools help with.

Third Party Tool Round Up

Dell PowerGUI/Quest ActiveRoles Server: These two tools, distributed by Dell and used in conjunction with one another, do the best job of simplifying AD management and adoption of PowerShell.

  • Utilizes PowerShell to perform tasks, which is the wave of the future in Windows Server
  • PowerGUI can generate reports from AD quickly and easily.
  • ActiveRoles provides an outstanding PowerShell debugger and IDE.
  • ActiveRoles makes automating workflows easy, and they can be implemented as PowerShell scripts.
  • PowerGUI is free!

Softerra LDAP Browser: This tool is handy if you are required to work with multiple directory services (e.g. OpenLDAP, AD, Oracle Internet Directory).

  • Adds a lot of little features you wish Microsoft’s out-of-the-box utilities had, like copying entries directly out of the app and pasting them into a spreadsheet, easy filtering and sorting, and quick and easy searching.
  • Simplified Import and Export tools with GUI support
  • Supports templates for object creation (as opposed to empty accounts that get endlessly copied and pasted).

ADSI Edit: Microsoft’s LDAP editing tool included in Windows Server 2008 R2 and above. This tool tends to be overlooked by a lot of systems engineers in my experience.

  • Much quicker access to object attributes than with the other built-in Active Directory tools.
  • Built in! No need to get permission to install or set anything up.

Bulk AD Users: A nice freeware tool that allows for simplified manipulation of AD data and features a familiar, simple interface.

  • Mass update AD data via CSV imports or even editing directly in Excel!
  • Features a rollback feature so that updates can easily be undone.
  • Requires no use of scripting language or command line tools.

LazyWinAdmin: A brilliant systems admin who has automated almost every annoying task a sys admin might ever have to deal with. I like using many of his scripts and resources to help my auditees along with my requests/process improvements.

My favorite solution is his solution for monitoring and reporting changes in group membership.
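The idea behind that kind of monitoring, sketched as an added example (this is not LazyWinAdmin’s script): snapshot the members of sensitive groups on each run and report the difference from the previous snapshot. The group list and the `C:\ADGroupBaseline` path are assumptions, and the ActiveDirectory module is required.

```powershell
# Added example, not LazyWinAdmin's script. Group list and paths are assumptions.
Import-Module ActiveDirectory

$Groups      = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$BaselineDir = 'C:\ADGroupBaseline'                      # hypothetical path
$ReportFile  = Join-Path $BaselineDir 'changes.csv'
New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null

$changes = foreach ($group in $Groups) {
    $file = Join-Path $BaselineDir (($group -replace '[^\w-]', '_') + '.txt')

    # -Recursive expands nested groups, so indirect members are included.
    # -ErrorAction Stop aborts the run on a failed query instead of treating
    # it as "everyone was removed" and overwriting the baseline.
    $current = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
        Select-Object -ExpandProperty distinguishedName | Sort-Object -Unique)

    if (Test-Path $file) {
        $previous = @(Get-Content -Path $file)
        # Where-Object instead of Compare-Object: an empty group is a valid
        # state, and Compare-Object rejects empty collections
        $added   = @($current  | Where-Object { $previous -notcontains $_ })
        $removed = @($previous | Where-Object { $current  -notcontains $_ })
        foreach ($dn in $added) {
            [pscustomobject]@{ Time = (Get-Date -Format s); Group = $group; Change = 'Added'; Member = $dn }
        }
        foreach ($dn in $removed) {
            [pscustomobject]@{ Time = (Get-Date -Format s); Group = $group; Change = 'Removed'; Member = $dn }
        }
    }

    # On the first run there is no baseline yet, so only the snapshot is written
    Set-Content -Path $file -Value $current
}

if ($changes) {
    $changes | Export-Csv -Path $ReportFile -Append -NoTypeInformation
    $changes | ForEach-Object { Write-Warning "$($_.Group): $($_.Change) $($_.Member)" }
}
```

A snapshot diff only shows the net change between two runs, so a member added and removed again in between goes unnoticed. Keep the baseline folder writable only by the account that runs the script, since anyone who can edit the baseline can hide a change.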

A special thanks to Josh Kaldor for his input on this post!

Know of some other great resources? Share!

5 thoughts on “Active Directory Management Tools”

  1. I love the Softerra browser! The free edition is all an auditor needs (or should have, as the paid version allows updating AD if you have the proper access).

    I played with ADSI Edit and don’t remember why I didn’t like it.

    Skyyler’s favorite is a command-line tool called adfind from http://www.joewware.net . He will be discussing this tool in an upcoming post, if I can get him to finish it. Joeware has a lot of great, FREE tools. Don’t let the photo on the front page of the site throw you off….

  2. One other thing….you guys are really pumping out the posts.
    Tell me you had a bunch of these in the hopper already and aren’t writing this up as you go along. Either way, impressive.

    Keep em coming!

    • @ITauditSecurity –

      We each write one post and review one post a week (write our own and review each other’s). Depending on the subject matter and the amount of research a post may take a couple of days or weeks to write – so we have posts in progress almost all the time.

      It helps that we are actively doing this stuff, so we write up things as they come up too.

  3. No, there aren’t any in the hopper.

    I usually just collect notes and ideas during the week as I have conversations with different people or get asked different questions. Then I round the posts out early Sunday morning before my kids wake up.

    Sometimes blogging starts to feel like a second job that doesn’t pay. But it keeps me current and hopefully will lead to more work later down the road… 🙂
