Microsoft Active Directory is one of the most widely used services among network administrators, and for most of them it is one of the most important services at their disposal. However, in spite of its wide utility, Active Directory can be quite inconvenient to use at times. The original user interface feels very slow and there is no automation. Fortunately, you can enhance the tool's capabilities by relying on third-party software.
Here is our list of the best Microsoft AD tools for 2020:
- SolarWinds Permissions Analyzer for Active Directory (EDITOR’S CHOICE): A free interface that gives a better view of permissions than you can glean in Active Directory itself.
- ManageEngine ADManager Plus: An interface to Active Directory that enables you to plan access rights more effectively.
- ManageEngine ADAudit Plus: Auditing features for Active Directory that help you demonstrate data protection standards compliance.
- Specops Command: Interface to PowerShell and VBScripts to automate many Active Directory management tasks.
- Recovery Manager for Active Directory: This tool recovers Active Directory objects without needing to restart the Domain Controller.
- Microsoft Active Directory Topology Diagrammer: A great mapping tool to let you see your permissions hierarchy at a glance.
- ManageEngine Free Active Directory Tools: Free bundle of 12 tools to help you manage your Active Directory implementation.
- IT Environment Health Scanner: This tool looks at DNS records, network time servers, and site and subnet configurations to confirm the accuracy of your Active Directory records.
- BeyondTrust Privilege Explorer: A simple interface that clarifies the user permissions and device access rights held in Active Directory.
- Netwrix Account Lockout Examiner: This tool supports investigations into why a user has suddenly lost access permissions.
- Bulk Password Control: Password manager for Active Directory that includes bulk action facilities.
- Netwrix Inactive User Tracker: Root out abandoned accounts in Active Directory with this tool.
- Lepide Last Login Report: This tool gives activity reports that enable you to spot abandoned accounts.
The Best Active Directory Tools
Whether you’re looking for an automated alerts system, a more convenient user interface, or reporting, there is a product available for you.
When assessing the Microsoft AD management tools that made our ‘best of’ list, our main considerations were how easy each tool is to get working and to use, its robustness and reliability, the amount of support and regularity of updates it receives, and its overall relative value.
First up on this list we have SolarWinds Permissions Analyzer for Active Directory. One of the most common complaints made of the original Active Directory program is that it offers poor permissions management. SolarWinds Permissions Analyzer for Active Directory is an AD management tool that seeks to rectify this by allowing you to view which users in your network have permission to which data.
This means that in a live networking environment you will be able to quickly identify which members of your team have access privileges to sensitive data. You can do this by viewing permissions by group or individual user. You can also see why a user has privileges to certain information.
As an added bonus, SolarWinds Permissions Analyzer for Active Directory is available for free. This is great because you can start monitoring your network permissions without having to spend a fortune in order to be able to do so. SolarWinds Permissions Analyzer for Active Directory can be downloaded free.
With SolarWinds Permissions Analyzer for Active Directory you get a powerful dashboard that gives you insights into the network shares, files and folders that users have access to. You can browse permissions at the group or even individual level. That is a lot of power for a free Active Directory tool.
Download Free Tool: solarwinds.com/free-tools/permissions-analyzer-for-active-directory
ManageEngine ADManager Plus is an AD management tool that allows users to conduct Active Directory management and generate reports. In terms of management capabilities, you can manage AD objects, groups, and users from one location. This is beneficial because it allows you to sidestep the hassle of your Active Directory management and use the sleek ManageEngine GUI instead.
With regards to reports, ManageEngine ADManager Plus can be used to automate the report generation process. This means that you can generate reports without having to do everything manually. This not only makes Active Directory more convenient but also reduces the time that would be wasted on navigating the Active Directory program.
It is also worth mentioning that ManageEngine ADManager Plus is a tool you should consider for regulatory compliance as well. If you need to complete a compliance audit for SOX or HIPAA, the ability to manage your Active Directory data and generate reports is invaluable.
Price-wise, ManageEngine ADManager Plus is available for download on a 30-day free trial. We recommend this product to anyone wanting to make Active Directory management more convenient, as well as those who want to benefit from a high-quality report function.
ADAudit Plus from ManageEngine has a stronger focus on standards compliance than the company’s ADManager Plus tool. This system auditing utility is a powerful AD tool that gives you live user activity reports and includes automated insider threat detection systems. You will be able to block people who are allowed access to your resources from using them inappropriately.
One of the main reasons that you would be interested in ADAudit Plus is if you need to demonstrate compliance with data protection standards in order to win or keep service contracts. This tool has a great bundle of pre-formatted standards compliance reports, which follow the SOX, HIPAA, GLBA, PCI-DSS, and FISMA standards. So, you won’t need to customize the system or set up your own reports in order to demonstrate compliance.
ManageEngine produces three editions of ADAudit Plus. These are Free, Standard, and Professional. A great offer to look into is the 30-day free trial of the Standard edition. You don’t have to enter any payment details to get this offer and you won’t be charged automatically when the trial period ends. If you choose not to buy, your installation automatically switches over to the Free edition.
Specops Command is another tool that offers you a formidable Active Directory management experience. With this program, you use scripts to manage your network. Specops Command enables the use of Windows PowerShell and VBScripts to manage users and devices throughout your network. You can even execute commands straight through to client systems.
What makes the scripting feature interesting is that you can not only write your own scripts but import them straight from a file as well. In addition, you can schedule when a script will be executed. This gives you an additional measure of automation that allows you to take a step back.
Not wanting to be a one-trick pony, Specops Command also allows you to generate reports. These reports are web-based and designed around script feedback. The advantage here is that you can take extra time to analyze the feedback from what you’ve done.
Overall, Specops Command is a product that offers a complementary mix of additional features for Active Directory. This product is recommended based on its scripting ability alone, but its support for reports also makes it useful for regulatory compliance. Specops Command can be downloaded for free.
As the name suggests, Recovery Manager for Active Directory is a third-party tool for Active Directory that has been designed to help you recover data. Generally speaking, when an object is lost in Active Directory you have to restart the Domain Controller to recover it. Recovery Manager for Active Directory eliminates this inconvenience by allowing you to recover objects without restarting Active Directory.
With Recovery Manager for Active Directory you can restore objects such as users, computers, attributes, configurations, sites, subnets, group policy objects, and organizational units. In other words, if you lose something you can recover it.
The advantage of this is far beyond convenience. By allowing you to recover without restarting, your service stays online and any damage done to your service is minimized. Whether the system fails due to a security event or a fault you can get the recovery process started immediately. There is also a reporting process that highlights any changes that have taken place since the last backup. This helps you to see if any undesirable changes have taken place.
This isn’t all, however: Recovery Manager for Active Directory also offers Hybrid and Azure Active Directory Recovery. This means you have wide coverage of basic network infrastructure as well as off-premises services.
The only issue with Recovery Manager for Active Directory is that it carries a hefty price tag. The unit price is $12.97 (£10.15) per unit but the minimum quantity you can order is 100 which gives this product a price of $1,297 (£1,015). While it is worth the investment if you have the budget, it is unsuitable for smaller companies with limited budgets. Download a free trial.
Microsoft Active Directory Topology Diagrammer is a product that brings a level of visualization to the mix that complements Active Directory well. With this program you can automatically create a Microsoft Visio diagram of your Active Directory topology. Diagrams include features such as administrative groups, domains, sites, servers, and organizational units. This allows you to look at your network from another perspective.
When taking information from Active Directory you can also opt to limit your diagram to one domain or site. This allows you to take a more specific approach to see how particular devices link together in isolation before looking at everything. You can also take your diagrams and add additional objects to them in Microsoft Office Visio for further interaction.
Microsoft Active Directory Topology Diagrammer supports Windows 2000 Server, Windows 7, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP, Microsoft .NET Framework Version 2.0, and Microsoft Office Visio 2003 and higher. Microsoft Active Directory Topology Diagrammer can be downloaded for free.
ManageEngine Free Active Directory Tools is essentially a group of utilities that help to manage Active Directory. Some of the utilities available include AD Query Tool, CSV Generator, Last Logon Reporter, Terminal Session Manager, AD Replication Manager, SharePoint Manager, DMZ Port Analyzer, Domain and DC Roles Reporter, Local Users Manager, Password Policy Manager, and Exchange Health Monitor.
All of these utilities have the focus of making it easier to manage Active Directory. For example, there is a Free Password Expiry Notifier utility which reminds users to update their passwords via email or SMS. Similarly, the Duplicates Identifier allows you to see all duplicated objects in one click. The result is an Active Directory administrative experience that is more versatile than Active Directory alone.
Another interesting utility is the Terminal Session Manager. With the Terminal Session Manager the user can utilize a PowerShell cmdlet to find and manage a range of terminal sessions from a centralized location. This is particularly useful because it allows you to manage and disconnect multiple users from one location.
The ManageEngine Free Active Directory Tools bundle is well worth considering if you’re looking to add a range of new Active Directory functions to your bag of tricks. One of the best things about this is that you won’t have to pay for the privilege of these utilities either, because everything is free to download.
IT Environment Health Scanner is a product that aims to help you maintain the integrity of Active Directory. Active Directory needs to be maintained like any other service and IT Environment Health Scanner has been designed to allow users to do just that. You can use this tool to scan your Active Directory service to look for any problems or chinks in its armor.
You can use IT Environment Health Scanner to collect information on site and subnet configurations, DNS name resolution, health and configuration of the Network Time Protocol of domain controllers and configuration of network adapters of all domain controllers. This gives you the basics to ascertain if there are any problems with your Active Directory service.
In terms of size, IT Environment Health Scanner is suitable for small to midsize organizations. It comes recommended for up to 500 computers and 20 servers. As a result, this product is an excellent addition to your network tools if you want to make sure that your Active Directory service hasn’t been compromised. You can download IT Environment Health Scanner here.
BeyondTrust Privilege Explorer is another permissions utility that allows the user to see who has access to what. This utility is one of the better permissions management tools because it keeps things simple. The user interface has a simple classic design that allows you to see who had access to Active Directory when a certain network event was happening.
You can also track user permissions over time. For example, you can view the permissions for a specific device and view the logs within the PowerBroker Auditor to see if permissions have been changed. This allows you to look out for any unusual behavior and address it promptly.
In the event that you spot something amiss, you can generate a report to document the event in further detail. You can then use advanced filtering to target resources by specific groups, permissions, and dates. Whether you’re sending this on to a manager or documenting ahead of an audit, it provides you with the paper trail needed to show how permissions have changed.
If you’re looking for a lightweight permissions manager that you can’t go wrong with, then look no further than BeyondTrust Privilege Explorer. This program leaves next to no room for error and allows you to track permission changes easily over time. The only problem is that you have to contact the company directly in order to view a quote. That being said you can download a free trial.
There are many occasions where a user is locked out of Active Directory at the most inconvenient time. Netwrix Account Lockout Examiner has been designed for the express purpose of getting to the bottom of Active Directory lockouts. This tool notifies administrators when an account has been locked out of Active Directory so that they can take a closer look at why this is the case.
You can use Netwrix Account Lockout Examiner to ascertain why the user has been locked out with relative ease. Whether it’s on account of a disconnected desktop or a task obscuring the service, you will be able to tell. This allows you to tell if you need to take further action or if it’s a temporary blip.
Once an administrator has seen that an account has been locked out they can unlock that account through the centralized console or a mobile device. This enables the user to get user accounts unlocked ASAP. As a consequence, normal service can be resumed much quicker than it would be trying to go it alone with Active Directory.
Netwrix Account Lockout Examiner is a tool that provides a solid account monitoring experience. In the event that a user gets locked out this tool is invaluable at getting the account unlocked so that they can get back to business quickly. This product can be downloaded for free.
Bulk Password Control is a tool designed to help users with password management on Active Directory. As a password manager, Bulk Password Control is very fast paced. You can change passwords on multiple accounts at once. You can do this through the use of a password generator which creates passwords for each account. In the event that you want to make this simpler, you can set every account password to the same code. In other words, you can manage passwords in bulk.
You aren’t limited to resetting passwords for user accounts, however; you can also unlock, enable or disable user accounts. This gives you a high degree of control over your Active Directory users so that if you need to restructure or remove an unsuitable account you can do so with ease.
The bulk password management ability of this product makes it ideal for larger enterprise environments with lots of different users and accounts. Bulk Password Control can be downloaded for free.
Netwrix Inactive User Tracker is a tool that flags Active Directory accounts that aren’t in use and helps to put them to rest. This tool scans for inactive user accounts and then provides you with information on how long the accounts have been dormant. In effect, the tool automatically keeps you updated on the state of your connected accounts so that you can take action if need be.
Once you can see that an account has been inactive for a substantial length of time you can deactivate it. Deactivating inactive accounts will reduce the risk of a malicious entity gaining access to your data. Likewise, it will also help if you are audited because it shows that you are taking a proactive approach towards cybersecurity and record management.
Netwrix Inactive User Tracker is a tool that is worth its weight in gold for those moments where you need to clean up your Active Directory accounts. Doing this regularly will not only get rid of records you don’t need but will also eliminate vulnerable accounts that can be accessed for malicious purposes. Netwrix Inactive User Tracker can be downloaded for free.
Finally, we have Lepide Last Login Report. Lepide Last Login Report is a tool that allows you to view information on when users last logged into Active Directory. You can view login times in bulk alongside usernames and common names. There is also a search function which allows you to search through the records listed in the table until you find what you’re looking for.
Once you’ve finished searching for the last login times you can then generate reports in CSV and HTML for further analysis. All you need to do to generate a report is to enter the Domain Name/IP of the Domain Controller and the user’s login name and password. You can simply click report to start generating the document.
Lepide Last Login Report is a tool you should definitely consider if you require a tool to monitor access to Active Directory. Lepide Last Login Report is completely free as well so you don’t have to spend a fortune to be able to enjoy this useful product. You can download this tool for free.
Choosing an AD management tool
Active Directory may be a popular service but it’s not without significant flaws in terms of management and convenience. By incorporating third-party tools into your administrative toolkit you can greatly improve your experience of Active Directory and start to manage your data more effectively. Whether you’re implementing permissions management or a health checker, you will be able to exercise much more control over your system.
Standout tools from this list include SolarWinds Permissions Analyzer for Active Directory, Recovery Manager for Active Directory, and Bulk Password Control. SolarWinds Permissions Analyzer for Active Directory allows you to apply a little more scrutiny to who has access to what data. On the health maintenance side of things, Recovery Manager for Active Directory acts as a backup plan in the event that something goes wrong.
It goes without saying that Bulk Password Control allows you to allocate and manage user passwords on an automated basis. Combining these tools, or similar ones, provides you with a strong cross-section of capabilities to redefine your Active Directory experience.