Best Active Directory Tools

Microsoft Active Directory is one of the services network administrators use most widely, and for most of them it is one of the most important services at their disposal. Despite its wide utility, it can be quite inconvenient to use at times. The original user interface feels very slow and there is no automation. Fortunately, you can enhance the ability of this administration tool by relying on third-party software.

Here is our list of the best Active Directory tools:

  1. SolarWinds Permissions Analyzer for Active Directory (EDITOR’S CHOICE): A free interface that gives a better view of permissions than you can glean in Active Directory itself. Download free tool.
  2. ManageEngine ADManager Plus (FREE TRIAL): An interface to Active Directory that enables you to plan access rights more effectively. Start a 30-day free trial.
  3. ManageEngine ADAudit Plus (FREE TRIAL): Auditing features for Active Directory that help you demonstrate data protection standards compliance. Start a 30-day free trial.
  4. Specops Command: Interface to PowerShell and VBScripts to automate many Active Directory management tasks.
  5. Recovery Manager for Active Directory: This tool recovers Active Directory objects without you needing to restart the Domain Controller.
  6. ManageEngine Free Active Directory Tools: Free bundle of 12 tools to help you manage your Active Directory implementation.
  7. Netwrix Account Lockout Examiner: This tool supports investigations into why a user has suddenly lost access permissions.
  8. Bulk Password Control: Password manager for Active Directory that includes bulk action facilities.
  9. Netwrix Inactive User Tracker: Root out abandoned accounts in Active Directory with this tool.

The best Active Directory tools

Whether you’re looking for an automated alerts system, a more convenient user management interface, or reporting, there is a product available for you.

What should you look for in Active Directory tools?

We reviewed the market for AD management software and analyzed the options based on the following criteria:

  • A facility to analyze the permissions structure
  • A system to automate user account and group creation
  • An audit trail that logs all changes to AD entries
  • An assessment feature that helps to tighten security
  • An abandoned account identifier
  • A free trial period or a money-back guarantee to aid risk-free assessment
  • A value for money package that is worth paying for or a free tool that is worth installing

When assessing the Microsoft AD management tools that made our ‘best of’ list, our main considerations were how easy each tool is to get working and to use, its robustness and reliability, the amount of support and the regularity of updates it receives, and its overall relative value.

1. SolarWinds Permissions Analyzer for Active Directory (FREE TOOL)

First up on this list we have SolarWinds Permissions Analyzer for Active Directory. One of the most common complaints about the original Active Directory program is that it offers poor permissions management. SolarWinds Permissions Analyzer for Active Directory is an AD management tool that seeks to rectify this by allowing you to view which users in your network have permission to access which data.

Key Features

  • Free to use
  • Provides an overview
  • Shows permissions by group or user
  • Low processing power requirements
  • File permissions

This means that in a live networking environment you will be able to quickly identify which members of your team have access privileges to sensitive data. You can do this by viewing permissions by group or individual user. You can also see why a user has privileges to certain information.

Pros:

  • Highly visual and intuitive tool that is great for both small and large Active Directory environments
  • Top down view allows you to quickly spot permission issues based on shares, security groups, or individual users
  • Lightweight tools – won’t bog down important services running on AD
  • Great for auditing compliance
  • Completely free

Cons:

  • While the tool is easy to use, it features an advanced tab that contains a lot of options that can take time to fully explore

As an added bonus, SolarWinds Permissions Analyzer for Active Directory is available for free. This is great because you can start monitoring your network permissions without having to spend a fortune in order to be able to do so. SolarWinds Permissions Analyzer for Active Directory can be downloaded free.

EDITOR'S CHOICE

With SolarWinds Permissions Analyzer for Active Directory you get a powerful dashboard that will give you insights on the network shares, files and folders that users have access to. You can browse permissions at the group or even individual level. Lots of power for a free Active Directory tool.

Download Free Tool: solarwinds.com/free-tools/permissions-analyzer-for-active-directory

OS: Windows

2. ManageEngine ADManager Plus (FREE TRIAL)

ManageEngine ADManager Plus is an AD management tool that allows users to conduct Active Directory management and generate reports. In terms of management capabilities, you can manage AD objects, groups, and users from one location. This is beneficial because it allows you to sidestep the hassle of your Active Directory management and use the sleek ManageEngine GUI instead.

Key Features

  • Offers a front end to AD
  • Unify the management of many instances
  • Compliance reporting
  • Easy to navigate

With regard to reports, ManageEngine ADManager Plus can be used to automate the report generation process. This means that you can generate reports without having to do everything manually. This not only makes Active Directory management more convenient but also reduces the time that would be wasted on navigating the Active Directory program.

It is also worth mentioning that ManageEngine ADManager Plus is a tool you should consider for regulatory compliance as well. If you need to complete a compliance audit for SOX or HIPAA, the ability to manage your Active Directory data and generate reports is invaluable.

Pros:

  • Detailed reporting, can generate compliance reports for all major standards (PCI, HIPAA, etc.)
  • Supports multiple domains
  • Supports delegation for NOC or helpdesk teams
  • Allows you to visually view share permissions and the details of security groups

Cons:

  • Has a steeper learning curve than similar tools

Price-wise, ManageEngine ADManager Plus is available for download on a 30-day free trial. We recommend this product to anyone wanting to make Active Directory management more convenient as well as those who want to benefit from a high-quality report function.

3. ManageEngine ADAudit Plus (FREE TRIAL)

ADAudit Plus from ManageEngine has a stronger focus on standards compliance requirements than the company’s ADManager Plus tool. This system auditing utility is a powerful AD tool that gives you live user activity reports and includes automated insider threat detection systems. You will be able to block people who are allowed access to your resources from using them inappropriately.

Key Features

  • Compliance enforcement
  • User activity tracking
  • Insider threat detection

One of the main reasons that you would be interested in ADAudit Plus is if you need to demonstrate compliance with data protection standards to win or keep service contracts. This tool has a great bundle of pre-formatted standards compliance reports, which follow the SOX, HIPAA, GLBA, PCI-DSS, and FISMA standards. So, you won’t need to customize the system or set up your own reports in order to demonstrate compliance.

Pros:

  • Focused heavily on compliance requirements, making it a good option for maintaining industry compliance
  • Pre-configured compliance reports allow you to see where you stand in just a few clicks
  • Features insider threat detection, can detect snooping staff members or blatant malicious actors who have infiltrated the LAN
  • Supports automation and scripting
  • Great user interface

Cons:

  • Upgrading can often break features and cause issues
  • Custom reporting has a steep learning curve

ManageEngine produces three editions of ADAudit Plus. These are Free, Standard, and Professional. A great offer to look into is the 30-day free trial of the Standard edition. You don’t have to enter any payment details to get this offer and you won’t be charged automatically when the trial period ends. If you choose not to buy, your installation automatically switches over to the Free edition.

4. Specops Command

Specops Command is another tool that offers you a formidable Active Directory management experience. With this program, you use scripts to manage your network. Specops Command enables the use of Windows PowerShell and VBScripts to manage users and devices throughout your network. You can even execute commands straight through to client systems.

Key Features

  • Supports PowerShell and VBScripts functions
  • Manages scripts
  • Generate AD reports

What makes the scripting feature interesting is that you can not only write your own scripts but import them straight from a file as well. In addition, you can schedule when a script will be executed. This gives you an additional measure of automation that allows you to take a step back.

Not wanting to be a one-trick pony, Specops Command also allows you to generate reports. These reports are web-based and designed around script feedback. The advantage here is you can take extra time to analyze the feedback from what you’ve done.

Pros:

  • Extremely lightweight, runs from PowerShell
  • Very flexible, allows for VBScript and PowerShell commands
  • Can generate reports
  • Designed for professionals that want a bare-bones option

Cons:

  • Much steeper learning curve than similar tools
  • No real graphical interface
  • Reporting is limited
  • No pre-configured actions or reports

Overall, Specops Command is a product that offers a complementary mix of additional features for Active Directory. This product is recommended based on its scripting ability alone, but its support for reports also makes it useful for regulatory compliance. Specops Command can be downloaded for free.

5. Recovery Manager for Active Directory

As the name suggests, Recovery Manager for Active Directory is a third-party tool for Active Directory that has been designed to help you recover data. Generally speaking, when an object is lost in Active Directory you have to restart the Domain Controller to recover it. Recovery Manager for Active Directory eliminates this inconvenience by allowing you to recover objects without restarting Active Directory.

Key Features

  • Fast recovery of AD objects
  • Also operates for Azure
  • Visualize hierarchies

With Recovery Manager for Active Directory you can restore objects such as users, computers, attributes, configurations, sites, subnets, group policy objects, and organizational units. In other words, if you lose something you can recover it.

The advantage of this goes far beyond convenience. By allowing you to recover without restarting, your service stays online and any damage done to your service is minimized. Whether the system fails due to a security event or a fault, you can get the recovery process started immediately. There is also a reporting process that highlights any changes that have taken place since the last backup. This helps you to see if any undesirable changes have taken place.

This isn’t all, however: Recovery Manager for Active Directory also offers Hybrid and Azure Active Directory recovery. This means its coverage extends from basic on-premises network infrastructure to off-premises services.

Pros:

  • Adds helpful graphical elements to AD to enhance the management experience
  • Helpful for recovering deleted objects from the graveyard
  • Supports Azure AD as well as on premise versions
  • Can help visualize permissions and inheritance

Cons:

  • Interface feels a bit outdated
  • Some of the Wizards aren’t as intuitive as others

The only issue with the Recovery Manager for Active Directory is that its pricing is not transparent. You have to contact the Quest Sales Department to get a quote. To examine the system, you can download a 30-day free trial – the software installs on Windows Server.

6. ManageEngine Free Active Directory Tools

ManageEngine Free Active Directory Tools is essentially a group of utilities that help to manage Active Directory. Some of the utilities available include AD Query Tool, CSV Generator, Last Logon Reporter, Terminal Session Manager, AD Replication Manager, SharePoint Manager, DMZ Port Analyzer, Domain and DC Roles Reporter, Local Users Manager, Password Policy Manager, and Exchange Health Monitor.

Key Features

  • A bundle of 14 tools
  • Password renewal reminder
  • See who is connected

All of these utilities have the focus of making it easier to manage Active Directory. For example, there is a Free Password Expiry Notifier utility that reminds users to update their passwords via email or SMS. Similarly, the Duplicates Identifier allows you to see all duplicated objects in one click. The result is an Active Directory administrative experience that is more versatile than Active Directory alone.

Another interesting utility is the Terminal Session Manager. With the Terminal Session Manager the user can utilize a PowerShell cmdlet to find and manage a range of terminal sessions from a centralized location. This is particularly useful because it allows you to manage and disconnect multiple users from one location.

Pros:

  • A complete tool set of over 14 different tools that add additional functionality into Active Directory
  • Can be notified when an AD account password is locked out, or going to expire soon
  • Offers a duplicate objects finder, great for cleaning up larger directories
  • Can export lists of members based on permissions, group, or name
  • Completely free

Cons:

  • Different functionality is found in different tools, it would be more convenient to have most features in a single tool
  • Some tools come with little explanation of how to use them

The ManageEngine Free Active Directory Tools bundle is well worth considering if you’re looking to add a range of new Active Directory functions to your tricks bag. One of the best things about this is that you won’t have to pay for the privilege of these utilities either because everything is free to download.

7. Netwrix Account Lockout Examiner

There are many occasions where a user is locked out of Active Directory at the most inconvenient time. Netwrix Account Lockout Examiner has been designed for the express purpose of getting to the bottom of Active Directory lockouts. This tool notifies administrators when an account has been locked out of Active Directory so that they can take a closer look at why this is the case.

Key Features

  • Fast identification of locked accounts
  • Unlock button
  • Investigation option

You can use Netwrix Account Lockout Examiner to ascertain why the user has been locked out with relative ease. Whether it’s on account of a disconnected desktop or a task obscuring the service you will be able to tell. This allows you to tell if you need to take further action or if it’s a temporary blip.

Once an administrator has seen that an account has been locked out they can unlock that account through the centralized console or a mobile device. This enables the user to get user accounts unlocked ASAP. As a consequence, normal service can be resumed much quicker than it would be trying to go it alone with Active Directory.

Pros:

  • Provides a visual indication of when accounts are locked, great for detecting attempted attacks
  • Can unlock accounts directly from the tool without reopening ADUC
  • Can investigate netlogon for more details from within the tool
  • Completely free

Cons:

  • Interface is a bit cluttered, not viable for tracking a large number of users
  • May have to refresh the program to see new lockouts

Netwrix Account Lockout Examiner is a tool that provides a solid account monitoring experience. In the event that a user gets locked out this tool is invaluable at getting the account unlocked so that they can get back to business quickly. This product can be downloaded for free.

8. Bulk Password Control

Bulk Password Control is a tool designed to help users with password management on Active Directory. As a password manager, Bulk Password Control is very fast paced. You can change passwords on multiple accounts at once. You can do this through the use of a password generator that creates passwords for each account. In the event that you want to make this more simple, you can set every account password to the same code. In other words, you can manage passwords in bulk.

Key Features

  • Mass password setting
  • Password generator
  • Enable, disable, and unlock accounts

You aren’t limited to resetting passwords for user accounts, however; you can also unlock, enable or disable user accounts. This gives you a high degree of control over your Active Directory users and computers so that if you need to restructure or remove an unsuitable account you can do so with ease.

Pros:

  • Can help manage generic accounts easily
  • Saves a ton of time when changing passwords in bulk
  • Supports unlocking/locking accounts as well as disabling users
  • Free to use

Cons:

  • Passwords are visible all in one place, could be a security issue if users are not prompted to reset upon login

The bulk password management ability of this product makes it ideal for larger enterprise environments with lots of different users and accounts. Bulk Password Control can be downloaded for free.

9. Netwrix Inactive User Tracker

Netwrix Inactive User Tracker is a tool that flags Active Directory accounts that aren’t in use and helps to put them to rest. This tool scans for inactive user accounts and then provides you with information on how long the accounts have been dormant. In effect, the tool automatically keeps you updated on the state of your connected accounts so that you can take action if need be.

Key Features

  • Discovers inactive accounts
  • Account activity details
  • Auditing features

Once you can see that an account has been inactive for a substantial length of time you can deactivate it. Deactivating inactive accounts will reduce the risk of a malicious entity gaining access to your data. Likewise, it will also help if you are audited because it shows that you are taking a proactive approach towards cybersecurity and record management.

Pros:

  • Can easily see metrics like last login, account age, and username from a single space
  • Good for pruning inactive accounts and identifying potential security flaws
  • Can quickly identify modified/new accounts that could be malicious

Cons:

  • Could use a better reporting option

Netwrix Inactive User Tracker is a tool that is worth its weight in gold for those moments where you need to clean up your Active Directory accounts. Doing this regularly will not only get rid of records you don’t need but will also eliminate vulnerable accounts that can be accessed for malicious purposes. Netwrix Inactive User Tracker can be downloaded for free.

Choosing an AD management tool

Active Directory may be a popular service but it’s not without significant flaws in terms of management and convenience. By incorporating third-party tools into your administrative toolkit you can greatly improve your experience of Active Directory and start to manage your data more effectively. Whether you’re implementing permissions management or a health checker, you will be able to exercise much more control over your system.

Stand out tools from this list include SolarWinds Permissions Analyzer for Active Directory, Recovery Manager for Active Directory, and Bulk Password Control. SolarWinds Permissions Analyzer for Active Directory allows you to provide a little more scrutiny over who has access to what data. On the health maintenance side of things, Recovery Manager for Active Directory acts as a backup plan if something goes wrong.

It goes without saying that Bulk Password Control allows you to allocate and manage user passwords on an automated basis. Combining these tools, or similar ones, provides you with a strong cross-section of tools to redefine your Active Directory experience.

Active Directory & AD Management FAQs

How does Active Directory management work in Access Rights Manager?

SolarWinds Access Rights Manager provides an interface to Active Directory. Your user accounts and resource permissions data flow through to Active Directory. However, ARM is able to coordinate data between several instances of AD and record all of the information necessary to quickly compile compliance reports.

Is Active Directory free?

Active Directory is built into Windows Server, so if you have that operating system, you don’t have to pay for AD. Microsoft also makes Active Directory available as an Azure service. The price for AD is free for users of Azure services or Office 365.

How do I create a desktop shortcut for Active Directory?

To create an AD shortcut on your desktop:

  1. Right-click anywhere over the desktop to get the context menu.
  2. Hover over New to get the sub-menu. Click on Shortcut.
  3. Enter dsa.msc as the location of the destination for the shortcut and click Next.
  4. Enter a name for the shortcut.
  5. Click on Finish.

How to perform Active Directory cleanup?

To perform an Active Directory Domain Services metadata cleanup:

  1. Open Active Directory Users and Computers.
  2. Click the name of the domain controller that you want to clean up. Click OK.
  3. Expand the domain of the domain controller that was forcibly removed. Click on Domain Controllers.
  4. In the details pane, right-click the computer object to clean up. Click on Delete.
  5. In the Active Directory Domain Services popup, check the domain controller name. Click on Yes.
  6. In the Deleting Domain Controller popup, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO). Click on Delete.
  7. For a global catalog server, a confirmation popup will appear. Click Yes to continue with the deletion.
  8. A domain controller that has operations master role will provoke an action popup. Click OK to move the role or roles to the domain controller that is shown.