Microsoft’s Active Directory is a very widely used access management system. It controls user accounts for Exchange Server, SharePoint Server, and just about every Microsoft product that requires user credentials. The service extends its competence out beyond the product catalog of Microsoft because it is used by many other software systems and guards access to network-connected devices.
Here is our list of the ten best Active Directory management tools:
- N-able Passportal (GET DEMO) An online IT documentation platform and password manager.
- IT Glue Cloud-based password manager and documentation management system.
- ManageEngine ADManager Plus On-premises Active Directory monitoring software that runs on Windows Server and Windows.
- SolarWinds Access Rights Manager (FREE TRIAL) An Active Directory management system that includes a reporting module.
- XIA Configuration An IT infrastructure documentation tool that includes an Active Directory monitoring module.
- José Active Directory Reporting A simple, free tool for recording AD controller statuses. Available as a command-line utility or with a GUI interface.
- Active Directory Excel Report Generator A PowerShell script that generates Excel output from AD controller queries.
- ADScribe Lightweight Active Directory reporting tool that runs from the command line or through a Wizard.
- Active Directory Report Builder An AD report query builder that displays results within the app and allows data to be exported.
- Microsoft Active Directory Topology Diagrammer Free tool that shows the permissions hierarchy in an AD implementation.
With so many uses of Active Directory, mastering control of the Active Directory system is very important for system administrators. The terminology of Active Directory can sometimes be a little confusing. Sometimes, busy people with lots of other responsibilities can get a little mixed up between domains, forests, and trees. Without having a clear idea of the divisions, the hierarchies, commonalities, and segregation of domain controllers and permission relationships, things can get messy.
Managing Active Directory
The only way to keep on top of the complicated relationships between users, devices, and the Active Directory implementation structure is to document it all.
Launching an Active Directory documentation project is a difficult task. A big decision to make is over the structure of the documentation. However, somebody who particularly needs to get the system documented to help foster better understanding and improve management probably won’t be able to think up a documentation structure.
Fortunately, there is guidance available on the correct format of an Active Directory documentation store.
See also: Best AD Management Software
Active Directory data security
Writing out how the domain controllers are organized and listing the permissions contained in them creates a second source of the Active Directory data. That information shouldn’t be proliferated and duplicating it outside of the secure environment of Active Directory increases risk.
The data contained in Active Directory needs to be kept confidential. Having that data lying around the office in printed documents or accessible as text documents somewhere on a company server creates a security weakness. So, the Active Directory information store needs to be secured with encryption and user credentials for access. For the sake of disaster recovery, the store of Active Directory documentation should be held away from the company’s primary site.
Active Directory auditing
As a centralized access rights manager, Active Directory is very important to data security standards compliance. In order to get certification for security protection standards such as PCI-DSS or HIPAA, a company needs to demonstrate that it has proper access rights management in place. Auditing for these standards and to supply proof in case of GDPR legal action requires Active Directory documentation.
The best Active Directory documentation tools
You probably don’t have time to research all of the options for Active Directory documentation and auditing. This report has done the hard work for you, creating a shortlist for those looking to improve Active Directory management.
What should you look for in Active Directory documentation tools?
We reviewed the market for Active Directory documentation software and analyzed the options based on the following criteria:
- Secure storage for AD documentation with credential needed for access
- A query tool for exploring entries in Active Directory
- Utilities that enable you to assess account structures
- A system that highlights abandoned accounts
- Measures to analyze user group effectiveness
- An assessment period, such as a free trial
- Good value that is provided by a complete set if tools marketed at a reasonable price
You can read more about these tools in the following sections.
The N-able Passportal package contains a password manager and documentation manager tools. This bundle gives you the opportunity to back up your Active Directory entries and also store the documentation that you wrote about your AD implementation.
The password management system can sync with Active Directory. This gives you the backup facility to recover the system in case of disaster. The interface of the password manager is much easier to deal with than the standard Active Directory interface. It makes such tasks as automatic email rotation to force regular password changes easier to implement. Changes made in Passportal get rolled out to the Active Directory implementation automatically.
If you need to document Active Directory in order to prove compliance to data protection standards, you can run the necessary audit reports off Passportal instead of from Active Directory. Any documentation you do make about Active Directory can be uploaded into the SolarWinds Document Manager for storage.
N-able Passportal is a cloud-based service that includes remote storage space. This keeps your Active Directory settings and all of your stored system documentation safe from on-site disasters or tampering. Access to Passportal is guarded by credentials and storage and transmission of data are all protected by encryption.
- Supports automatic Active Directory sync via LDAP
- Can run access audits to easily identify internal changes made during a period of time
- Supports compliance reporting to identify weak passwords and force changes base on policy
- Users generate their own encryption key, securing their cloud data from third parties, including Passportal
- Smaller networks may not benefit from the MSP/enterprise-specific tools Passportal offers
Passportal is paid for by subscription. It is marketed as a tool for managed service providers (MSPs) so that they can add password management as a service that they offer to their clients. However, it would also be suitable for multi-site businesses that have centralized IT management. You can register for a demo to see it in action.
IT Glue is a property of Kaseya and it is aimed at MSPs. However, it could also be used by the IT department of a multi-site company. This tool is very similar to Passportal because it includes password and document management.
Documenting Active Directory with IT Glue is really easy. The system includes a library of templates that act as add-ons to the functionality of the tool. One of these templates specifically relates to Active Directory implementations.
Part of the Active Directory template’s function is the ability to document the current status of the Active Directory controllers in your business and their contents. The Active Directory monitor in IT Glue includes links to documentation related to AD. This interface acts as an index to your AD documentation and also gives you a road map to what documents need to be created,
The Active Directory monitor is part of the password management module in IT Glue. The system is a cloud-based service and includes storage space. This makes an ideal package for documenting Active Directory because the document management module also includes an editor. This means that it is possible to create your documentation within the IT Glue environment and store it there.
Data transfers and document storage with IT Glue are all password protected and encrypted for security.
- Works well in MSP environments as well as in mid-size organizations
- Offers a robust library of templates to get started quickly
- Manages documentation as well as credentials
- Smaller networks may not benefit from the MSP/enterprise-specific tools the product offers
The IT Glue service is charged per user per month with a minimum subscription of five users. The system is offered in three editions: Basic, Select, and Enterprise. All versions include the password manager with Active Directory monitoring and the document management and storage system.
Related post: IT Documentation Software Solutions
If you prefer to host your AD monitoring software on-site rather than accessing it at a cloud service, then ManageEngine ADManager Plus is probably your best option. This package is a very comprehensive interface to Active Directory and crucially, includes a reporting engine that will help you document your Active Directory implementations.
The reports generated by ADManager Plus cover users, distribution lists, security groups, computers, and contacts. It covers cloud-based AD implementations as well as onsite Active Directory statuses. The tool is also able to cover Exchange Server, Skype, and other applications that utilize Active Directory for access rights.
- Detailed reporting, can generate compliance reports for all major standards (PCI, HIPAA, etc)
- Supports multiple domains
- Supports delegation for NOC or helpdesk teams
- Allows you to visually view share permissions and the details of security groups
- Has a steeper learning curve than similar tools
ADManager Plus is available in three versions: Free, Standard, and Professional. The Free edition is limited to managing one domain. The Standard version has a wider scope and the Professional edition includes Help Desk modules. The Free edition download file is exactly the same as the Professional edition file. ManageEngine offers the Professional on a 30-day free trial. Once that month expires, the program switches to the limited Free edition.
The SolarWinds Access Rights Manager covers Active Directory, Microsoft Exchange, Windows File Share, and Microsoft SharePoint. The tool shows visual representations of the current objects in your AD implementation. Factors that can be seen include user groups and permission inheritance.
As well as permissions management functions and a self-service portal for users, the tool includes analysis functions that support data security standards compliance and help you meet service level agreement conditions. The tool includes activity logging.
The AD analyzer includes data sorting and filtering functions. These enable you to assemble your own reports. The tool also includes a reporting module that has pre-written formats that comply with data protection standards auditing requirements.
- Provides a clear look into permission and file structures through automatic mapping and visualizations
- Preconfigured reports make it easy to demonstrate compliance
- Any compliance issues are outlined after the scan and paired with remediation actions
- Sysadmins can customize access rights and control in Windows and other applications
- SolarWinds Access Rights Manager is an in-depth platform designed for sysadmin which may take time to fully learn
The software installs on Windows Server and is available for a 30-day free trial. SolarWinds also produces a free alternative, called SolarWinds Permissions Analyzer for Active Directory. This free tool doesn’t have all of the data visualizations or management functions of the Access Rights Manager.
XIA Configuration from Centrel Solutions is an IT infrastructure documentation system. The tool will also record all equipment configurations and software versions and alert system administrators of unauthorized changes, offering the opportunity to rollback configurations.
The documentation system includes formats that are required for system security standards compliance. The Active Directory module of this documentation tool audits all of the statuses of your AD controllers. These reports can be edited and stored and they can also be branded. The XIA Configuration system can be multi-tenanted, allowing it to be used by MSPs for use supporting clients.
The XIA Configuration system is available as on-premises software or as a service hosted in the cloud. The cloud version does not have as many features as the on-premises software – it doesn’t allow advanced security options, branding, or report editing.
The system is available in three editions: Technician, Enterprise, and Unlimited Enterprise. The technician and Unlimited Enterprise editions will document all of the equipment in your system with one license. The Enterprise version is charged per device, so you would have to buy multiple licenses to document your whole system with that version.
- Monitors configuration changes and can be configured to alert contacts to new changes
- Multi-tenant features make it a good choice for MSPs
- Integrates easily into Active Directory
- The cloud version lacks some features found on the on-premise version such as reporting or custom branding
- Enterprise pricing is based on device, rather than number of technicians
XIA Configuration is a very interesting system documentation and configuration protection tool. Centrel Solutions offers the software on a 30-day free trial.
José Active Directory Reporting is a small, free piece of software that produces nice, presentable screens of information about an Active Directory controller. Reports are produced in HTML, but they could be printed to PDF or cut and pasted into a Word document.
The tool has a GUI interface, which allows the user to select which information should be extracted from the AD controller. There is also a command-line version that enables reports to be launched through scripts.
The tool was originally written with German-language text but is now also available in English. It installs on Windows and Windows Server. This is a great tool for small companies that just want to record the current status of their AD controllers. The zip file that contains the program also includes a command-line script that will run all of the standard AD status reports that a typical systems administrator wants. For status monitoring, it would be possible to run this batch file periodically on a schedule.
- Completely free
- A lightweight tool – runs well even on older systems
- Supports a CLI version
- Better suited for smaller companies
- Automation and scheduling is clunky, involving batch files and Task Scheduler
- The interface doesn’t offer much customization or visual options
- Not suited for larger networks
The Active Directory Excel Report Generator is a PowerShell script that creates an AD status report that can be opened in Microsoft Excel. The program is available for free and it runs on Windows environments.
The information included in the report includes account statuses and highlighting inactive accounts. It also shows which accounts are locked and which have expired passwords.
- Very simple PowerShell utility that provides simple visual insights
- Completely free
- Can be customized in dozens of ways through PowerShell
- Depends on Microsoft Excel
- Steeper learning curve for non-technical users
ADScribe from Leadum Software is a simple Active Directory reporting tool that runs on Windows and Windows Server. Output can be stored as HTML, the CHM help format, or Microsoft Word. This is a lightweight tool that runs quickly. It can be launched through a Wizard or at the command line. The reports generated by the tool list the objects in the AD controlled with the details for each.
- Can be controlled through the CLI tool
- Very lightweight
- Automatically generates common reports on users, objects, and OU structure
- Antiquated interface
- Very little data visualization offered
- Steeper learning curve than similar tools
The Sysmalogic Active Directory Report Builder can produce reports for all the domains in your Active Directory implementation. The tool’s output is in either CSV or Excel-ready format.
The GUI interface for the tool is a query builder that allows the user to specify which Active Directory details will appear in the report. The results of the report query execution are displayed in the Report Builder screen and can then be saved for access by other applications. It is also possible to copy and paste data into other editors.
- Supports flexible reporting output formats
- Highly customizable query builder allows users to build their own reports
- Reports can be saved and ran again
- Available for free and as a paid option
- Can be difficult to use for users who have never used query builders before
- The interface uses a lot of nested menus, which can make finding things difficult
The tool is available in both free and paid versions. The full version is available on a 30-day free trial. If you decide not to pay at the end of the trial period, the software switches over to the free version.
Get a visual representation of your Active Directory permissions structure with this free tool from Microsoft. The user can specify which category of Active Directory data should be used to compile the map. Reports can show AD content from the perspective of a domain, an organizational unit, a server, or a group.
The output is generated in Microsoft Visio format, so you need to have that tool in order to use the diagrammer. The software installs on Windows Server from version 2000 and up or on Windows Vista, XP, or Windows 7.
- Completely free tool
- Features a lot of different icons and graphics options
- Great for presentations or breaking down complicated AD environments
- Strictly for visual representation doesn’t actually map to any live devices
- Only exports in Visio format
The tool is free to use and is available for download from the Microsoft website.
Choosing an AD documentation tool
You might just need a tool that enables you to get a clearer view of your Active Directory objects and their relationships or you might need a full data protection standards auditing tool. This list contains a wide range of Active Directory documentation tools and hopefully, one of them will match your needs.
Some of the tools on this list are free to use, while most of the others offer free trial periods. Try out a few of the tools for free to help you decide which is best for you.
Do you already have a preferred Active Directory documentation tool? Do you use any of the tools on this list? Leave a message in the Comments section below and share your experience with the community.
Active Directory documentation FAQs
Is Active Directory data encrypted?
Active Directory uses Kerberos authentication. This allows encryption options. The default encryption cipher used in Active Directory through Kerberos at present is AES with a 256-bit key.
What is Active Directory hardening?
Active directory hardening refers to measures that improve the security of Active Directory implementations – particularly the domain controllers. Top tips for this process include regular checks on the validity of objects such as user accounts, groups, and devices. Remove accounts or groups that are no longer used and delete references to devices that no longer exist. You should also limit access to AD domain controllers and reduce the number of user accounts that have elevated privileges.