Microsoft Active Directory is one of the most widely-used services by network administrators. For most administrators, Microsoft Active Directory is one of the most important services at their disposal. However, despite Microsoft Active Directory’s wide utility, it can be quite inconvenient to use at times. The original user interface feels very slow and there is no automation. Fortunately, you can enhance the ability of this administration tool by relying on third-party software.
Here is our list of the best Microsoft AD tools for 2021:
- SolarWinds Permissions Analyzer for Active Directory EDITOR’S CHOICE A free interface that gives a better view of permissions than you can glean in Active Directory itself. Download free tool.
- ManageEngine ADManager Plus An interface to Active Directory that enables you to plan access rights more effectively.
- ManageEngine ADAudit Plus Auditing features for Active Directory that help you demonstrate data protection standards compliance.
- Specops Command Interface to PowerShell and VBScripts to automate many Active Directory management tasks.
- Recovery Manager for Active Directory This tool recovers Active Directory objects without you needing to restart the Domain Controller.
- Microsoft Active Directory Topology Diagrammer A great mapping tool to let you see your permissions hierarchy at a glance.
- ManageEngine Free Active Directory Tools Free bundle of 12 tools to help you manage your Active Directory implementation.
- IT Environment Health Scanner This tool looks at DNS records, network time servers, and site and subnet configurations to confirm the accuracy of your Active Directory records.
- BeyondTrust Privilege Explorer A simple interface that clarifies the user permissions and device access rights held in Active Directory.
- Netwrix Account Lockout Examiner This tool supports the investigations into why a user has suddenly lost access permissions.
- Bulk Password Control Password manager for Active Directory that includes bulk action facilities.
- Netwrix Inactive User Tracker Root out abandoned accounts in Active Directory with this tool.
- Lepide Last Login Report This tool gives activity reports that enable you to spot abandoned accounts.
The Best Active Directory Tools
Whether you’re looking for an automated alerts system, a more convenient user management interface, or reporting, then there is a product available for you.
What should you look for in Active Directory tools?
We reviewed the market for AD management software and analyzed the options based on the following criteria:
- A facility to analyze the permissions structure
- A system to automate user account and group creation
- An audit trail that logs all changes to AD entries
- An assessment feature that helps to tighten security
- An abandoned account identifier
- A free trial period or a money-back guarantee to aid risk-free assessment
- A value for money package that is worth paying for or a free tool that is worth installing
When assessing the Microsoft AD management tools that made our ‘best of’ list, our main considerations were how easy each tool is to get working and to use, its robustness and reliability, the amount of support and the regularity of updates it receives, and its overall relative value.
First up on this list we have SolarWinds Permissions Analyzer for Active Directory. One of the most common complaints made of the original Active Directory program is that it offers poor permissions management. SolarWinds Permissions Analyzer for Active Directory is an AD management tool that seeks to rectify this by allowing you to view which users in your network have permission to which data.
This means that in a live networking environment you will be able to quickly identify which members of your team have access privileges to sensitive data. You can do this by viewing permissions by group or individual user. You can also see why a user has privileges to certain information.
- Highly visual and intuitive tool that is great for both small and large Active Directory environments
- Top down view allows you to quickly spot permission issues based on shares, security groups, or individual users
- Lightweight tools – won’t bog down important services running on AD
- Great for auditing compliance
- Completely free
- While the tool is easy to use, it features an advanced tab that contains a lot of options that can take time to fully explore
As an added bonus, SolarWinds Permissions Analyzer for Active Directory is available for free. This is great because you can start monitoring your network permissions without having to spend a fortune in order to be able to do so. SolarWinds Permissions Analyzer for Active Directory can be downloaded free.
With SolarWinds Permission Analyzer for Active Directory you get a powerful dashboard that will give you insights on network shares, files and folders that users have access to. You can browse permission at the group or even individual levels. Lots of power for a free Active Directory tool.
Download Free Tool: solarwinds.com/free-tools/permissions-analyzer-for-active-directory
ManageEngine ADManager Plus is an AD management tool that allows users to conduct Active Directory management and generate reports. In terms of management capabilities, you can manage AD objects, groups, and users from one location. This is beneficial because it allows you to sidestep the hassle of your Active Directory management and use the sleek ManageEngine GUI instead.
With regards to reports, ManageEngine ADManager Plus can be used to automate the report generation process. This means that you can generate reports without having to do everything manually. This not only makes Active Directory management more convenient but also reduces the time that would be wasted on navigating the Active Directory program.
It is also worth mentioning that ManageEngine ADManager Plus is a tool you should consider for regulatory compliance as well. If you need to complete a compliance audit for SOX or HIPAA, the ability to manage your Active Directory data and generate reports is invaluable.
- Detailed reporting, can generate compliance reports for all major standards (PCI, HIPAA, etc.)
- Supports multiple domains
- Supports delegation for NOC or helpdesk teams
- Allows you to visually view share permissions and the details of security groups
- Has a steeper learning curve than similar tools
Price-wise ManageEngine ADManager Plus is available for download on a 30-day free trial. We recommend this product to anyone wanting to make Active Directory Management more convenient as well as those who want to benefit from a high-quality report function.
See also: Access Rights Management Tools
ADAudit Plus from ManageEngine has a stronger focus on standards compliance requirements than the company’s ADManager Plus tool. This system auditing utility is a powerful AD tool that gives you live user activity reports and includes automated insider threat detection systems. You will be able to block people who are allowed access to your resources from using them inappropriately.
One of the main reasons that you would be interested in ADAudit Plus is if you need to demonstrate compliance with data protection standards to win or keep service contracts. This tool has a great bundle of pre-formatted standards compliance reports, which follow the SOX, HIPAA, GLBA, PCI-DSS, and FISMA standards. So, you won’t need to customize the system or set up your own reports in order to demonstrate compliance.
- Focused heavily on compliance requirements, making it a good option for maintaining industry compliance
- Preconfigured compliance reports allow you to see where you stand in just a few clicks
- Features insider threat detection, can detect snooping staff members or blatant malicious actors who have infiltrated the LAN
- Supports automation and scripting
- Great user interface
- Upgrading can often break features and cause issues
- Custom reporting has a steep learning curve
ManageEngine produces three editions of ADAudit Plus. These are Free, Standard, and Professional. A great offer to look into is the 30-day free trial of the Standard edition. You don’t have to enter any payment details to get this offer and you won’t be charged automatically when the trial period ends. If you choose not to buy, your installation automatically switches over to the Free edition.
Specops Command is another tool that offers you a formidable Active Directory management experience. With this program, you use scripts to manage your network. Specops Command enables the use of Windows PowerShell and VBScripts to manage users and devices throughout your network. You can even execute commands straight through to client systems.
What makes the scripting feature interesting is that you can not only write your own scripts but import them straight from a file as well. In addition, you can schedule when a script will be executed. This gives you an additional measure of automation that allows you to take a step back.
Not wanting to be a one-trick pony, Specops Command also allows you to generate reports. These reports are web-based and built around script feedback, which gives you the time to analyze the results of what you’ve done.
- Extremely lightweight, runs from PowerShell
- Very flexible, allows for VBScripts and PowerShell commands
- Can generate reports
- Designed for professionals that want a barebones option
- Much steeper learning curve than similar tools
- No real graphical interface
- Reporting is limited
- No preconfigured actions or reports
Overall, Specops Command offers a complementary mix of features that extend Active Directory. It is recommended for its scripting ability alone, but its support for reports also makes it useful for regulatory compliance. Specops Command can be downloaded for free.
As the name suggests, Recovery Manager for Active Directory is a third-party tool for Active Directory that has been designed to help you recover data. Generally speaking, when an object is lost in Active Directory you have to restart the Domain Controller to recover it. Recovery Manager for Active Directory eliminates this inconvenience by allowing you to recover objects without restarting Active Directory.
With Recovery Manager for Active Directory you can restore objects such as users, computers, attributes, configurations, sites, subnets, group policy objects, and organizational units. In other words, if you lose something you can recover it.
The advantage of this is far beyond convenience. By allowing you to recover without restarting, your service stays online and any damage done to your service is minimized. Whether the system fails due to a security event or a fault you can get the recovery process started immediately. There is also a reporting process that highlights any changes that have taken place since the last backup. This helps you to see if any undesirable changes have taken place.
However this isn’t all, as Recovery Manager for Active Directory also offers you Hybrid and Azure Active Directory Recovery as well. This means you have a wide coverage of basic network infrastructure as much as off-premises services.
- Adds helpful graphical elements to AD to enhance the management experience
- Helpful for recovering deleted objects from the graveyard
- Supports Azure AD as well as on premise versions
- Can help visualize permissions and inheritance
- Interface feels a bit outdated
- Some of the wizards aren’t as intuitive as others
The only issue with Recovery Manager for Active Directory is that it carries a hefty price tag. The unit price is $12.97 (£10.15), but the minimum quantity you can order is 100, which gives this product a starting price of $1,297 (£1,015). While it is worth the investment if you have the budget, it is unsuitable for smaller companies with limited budgets. Download a free trial.
Microsoft Active Directory Topology Diagrammer is a product that brings a level of visualization to the mix that complements Active Directory well. With this program you can automatically create a Microsoft Visio diagram of your Active Directory topology. Diagrams include features such as administrative groups, domains, sites, servers, and organizational units. This allows you to look at your network from another perspective.
When taking information from Active Directory you can also opt to limit your diagram to one domain or site. This allows you to take a more specific approach to see how particular devices link together in isolation before looking at everything. You can also take your diagrams and add additional objects to them in Microsoft Office Visio for further interaction.
- Can build Visio diagrams automatically based on AD topology, great for more complex environments
- Supports multiple domains and sites
- Offers a host of options for visualizing trust, sites, and services
- Interface is a bit challenging to learn, would like to see settings more organized into groups
- Offers a large number of customization options, which can be confusing at times
Microsoft Active Directory Topology Diagrammer supports Windows 2000 Server, Windows 7, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP, Microsoft .NET Framework Version 2.0, and Microsoft Office Visio 2003 and higher. Microsoft Active Directory Topology Diagrammer can be downloaded for free.
ManageEngine Free Active Directory Tools is essentially a group of utilities that help to manage Active Directory. Some of the utilities available include AD Query Tool, CSV Generator, Last Logon Reporter, Terminal Session Manager, AD Replication Manager, SharePoint Manager, DMZ Port Analyzer, Domain and DC Roles Reporter, Local Users Manager, Password Policy Manager, and Exchange Health Monitor.
All of these utilities have the focus of making it easier to manage Active Directory. For example, there is a Free Password Expiry Notifier utility that reminds users to update their passwords via email or SMS. Similarly, the Duplicates Identifier allows you to see all duplicated objects in one click. The result is an Active Directory administrative experience that is more versatile than Active Directory alone.
Another interesting utility is the Terminal Session Manager. With the Terminal Session Manager the user can utilize a PowerShell cmdlet to find and manage a range of terminal sessions from a centralized location. This is particularly useful because it allows you to manage and disconnect multiple users from one location.
- A complete tool set of over 14 different tools that add additional functionality into Active Directory
- Can be notified when an AD account password is locked out, or going to expire soon
- Offers a duplicate objects finder, great for cleaning up larger directories
- Can export lists of members based on permissions, group, or name
- Completely free
- Different functionality is found in different tools, it would be more convenient to have most features in a single tool
- Some tools come with little explanation of how to use them
The ManageEngine Free Active Directory Tools bundle is well worth considering if you’re looking to add a range of new Active Directory functions to your tricks bag. One of the best things about this is that you won’t have to pay for the privilege of these utilities either because everything is free to download.
IT Environment Health Scanner is a product that aims to help you maintain the integrity of Active Directory. Active Directory needs to be maintained like any other service and IT Environment Health Scanner has been designed to allow users to do just that. You can use this tool to scan your Active Directory service to look for any problems or chinks in its armor.
You can use IT Environment Health Scanner to collect information on site and subnet configurations, DNS name resolution, health and configuration of the Network Time Protocol of domain controllers and configuration of network adapters of all domain controllers. This gives you the basics to ascertain if there are any problems with your Active Directory service.
- Streamlines the scanning process by turning the scans into an easy to follow Wizard
- Is comprehensive, can detect everything from services running to DNS settings to help identify issues
- Is a great tool for junior administrators who may need guidance in troubleshooting
- Very easy to use
- Is a bulkier tool, not as lightweight as other options
- Not designed for enterprise networks (500+ users)
- Professionals may find the tool a bit limiting
In terms of size, IT Environment Health Scanner is suitable for small to midsize organizations. It comes recommended for up to 500 computers or laptops and 20 servers. As a result, this product is an excellent addition to your network tools if you want to make sure that your Active Directory service hasn’t been compromised. You can download IT Environment Health Scanner here.
BeyondTrust Privilege Explorer is another permissions utility that allows the user to see who has access to what. This utility is one of the better permissions management tools because it keeps things simple. The user interface has a simple classic design that allows you to see who had access to Active Directory when a certain network event was happening.
You also have the ability to be able to track user permissions over time. For example, you can view the permissions for a specific device and view the event logs within the PowerBroker Auditor to see if permissions have been changed. This allows you to look out for any unusual behavior and address it promptly.
In the event that you spot something amiss, you can generate a report to document the event in further detail. You can then use advanced filtering to narrow the target resources to specific groups, permissions, and dates. Whether you’re sending this on to a manager or documenting ahead of an audit, it provides you with the paper trail needed to show how permissions have changed.
- Interface works well, can support a large number of AD objects, making it viable in larger networks
- Highly detailed, can compare permissions based on groups or individual
- Supports permission tracking over time
- Features in depth reporting tools that are highly configurable
- Not the best tool for smaller Active Directory servers
- Steeper learning curve than similar tools
If you’re looking for a lightweight permissions manager that you can’t go wrong with, then look no further than BeyondTrust Privilege Explorer. This program leaves next to no room for error and allows you to track permission changes easily over time. The only problem is that you have to contact the company directly in order to view a quote. That being said you can download a free trial.
There are many occasions in Active Directory where a user is locked out of Active Directory at the most inconvenient time. Netwrix Account Lockout Examiner has been designed for the express purpose of getting to the bottom of Active Directory lockouts. This tool notifies administrators when an account has been locked out of Active Directory so that they can take a closer look at why this is the case.
You can use Netwrix Account Lockout Examiner to ascertain why the user has been locked out with relative ease. Whether it is caused by a disconnected desktop session or a background task that keeps retrying a stale password, you will be able to tell. This allows you to decide whether you need to take further action or whether it’s a temporary blip.
Once an administrator has seen that an account has been locked out they can unlock that account through the centralized console or a mobile device. This enables the administrator to get accounts unlocked ASAP. As a consequence, normal service can be resumed much quicker than it would be trying to go it alone with Active Directory.
- Provides a visual indication of when accounts are locked, great for detecting attempted attacks
- Can unlock accounts directly from the tool without reopening ADUC
- Can investigate Netlogon logs for more details from within the tool
- Completely free
- Interface is a bit cluttered, not viable for tracking a large number of users
- May have to refresh the program to see new lockouts
Netwrix Account Lockout Examiner is a tool that provides a solid account monitoring experience. In the event that a user gets locked out this tool is invaluable at getting the account unlocked so that they can get back to business quickly. This product can be downloaded for free.
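The lockout investigation described above can also be done by hand with the RSAT ActiveDirectory module, as this added example shows (it is not code from the article or from Netwrix). It lists accounts that are currently locked and pulls the matching lockout events (Windows Security event ID 4740) from the PDC emulator, which records every lockout in the domain; the function name and the 24-hour window are my own choices.

```powershell
# Added example: correlate currently locked-out accounts with the 4740 lockout
# events on the PDC emulator to see where the bad password attempts came from.
# Assumes the RSAT ActiveDirectory module and read access to the PDC's Security log.
Import-Module ActiveDirectory

function Get-LockoutReport {
    param(
        [int]$Hours = 24   # how far back to look for lockout events
    )
    # Every lockout is ultimately recorded on the PDC emulator.
    $pdc = (Get-ADDomain).PDCEmulator

    # Accounts that are locked out right now.
    $locked = Search-ADAccount -LockedOut | Select-Object -ExpandProperty SamAccountName

    # Event 4740 = "A user account was locked out". Its event data carries the
    # account name and the computer the failed logons were submitted from.
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Parse the XML payload by field name rather than relying on positional indexes.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time           = $e.TimeCreated
            Account        = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']   # 4740 stores the caller computer name here
            StillLocked    = $locked -contains $data['TargetUserName']
        }
    }
}

# Repeated lockouts of one account from one caller computer usually point at a
# stale credential (mapped drive, service, scheduled task) on that host.
# Many different accounts locked from a single caller is the pattern to escalate.
Get-LockoutReport -Hours 24 |
    Group-Object Account, CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Once the cause is fixed, unlock from the console instead of reopening ADUC:
# Unlock-ADAccount -Identity <samAccountName>
```

The caller computer name is what points you at the Netlogon log to read next; check that host's Netlogon.log (or its own Security log for 4625 failures) before unlocking, or the account will simply lock again.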
Bulk Password Control is a tool designed to help users with password management on Active Directory. As a password manager, Bulk Password Control is very fast. You can change passwords on multiple accounts at once. You can do this through the use of a password generator that creates passwords for each account. In the event that you want to make this simpler, you can set every account to the same password. In other words, you can manage passwords in bulk.
However, you aren’t limited to resetting passwords for user accounts either; you can also unlock, enable, or disable user accounts as well. This gives you a high degree of control over your Active Directory users and computers so that if you need to restructure or remove an unsuitable account you can do so with ease.
- Can help manage generic accounts easily
- Saves a ton of time when changing passwords in bulk
- Supports unlocking/locking accounts as well as disabling users
- Free to use
- Passwords are visible all in one place, could be a security issue if users are not prompted to reset upon login
The bulk password management ability of this product makes it ideal for larger enterprise environments with lots of different users and accounts. Bulk Password Control can be downloaded for free.
Netwrix Inactive User Tracker is a tool that is used to flag up Active Directory accounts that aren’t in use and helps to put them to rest. This tool scans for inactive user accounts and then provides you with information on how long the accounts have been dormant. In effect, the tool automatically keeps you updated on the state of your connected accounts so that you can take action if need be.
Once you can see that an account has been inactive for a substantial length of time you can deactivate it. Deactivating inactive accounts will reduce the risk of a malicious entity gaining access to your data. Likewise, it will also help if you are audited because it shows that you are taking a proactive approach towards cybersecurity and record management.
- Can easily see metrics like last login, account age, and username from a single space
- Good for pruning inactive accounts and identifying potential security flaws
- Can quickly identify modified/new accounts that could be malicious
- Could use a better reporting option
Netwrix Inactive User Tracker is a tool that is worth its weight in gold for those moments where you need to clean up your Active Directory accounts. Doing this regularly will not only get rid of records you don’t need but will also eliminate vulnerable accounts that can be accessed for malicious purposes. Netwrix Inactive User Tracker can be downloaded for free.
Finally, we have Lepide Last Login Report. Lepide Last Login Report is a tool that allows you to view information on when users last logged into Active Directory. You can view login times in bulk alongside usernames and common names. There is also a search function which allows you to search through the records listed in the table until you find what you’re looking for.
Once you’ve finished searching for the last login times you can then generate reports in CSV and HTML for further analysis. All you need to do to generate a report is to enter the Domain Name/IP of the Domain Controller and the user’s login name and password. You can simply click report to start generating the document.
- Simple way to see last login, name and CN path of multiple accounts at once
- Can quickly create CSVs or HTML format reports
- Completely free
- Fairly limited, similar tools allow for more functionality like bulk password changes and unlocks
Lepide Last Login Report is a tool you should definitely consider if you require a tool to monitor access to Active Directory. Lepide Last Login Report is completely free as well so you don’t have to spend a fortune to be able to enjoy this useful product. You can download this tool for free.
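The last-login sweep that both Netwrix Inactive User Tracker and Lepide Last Login Report perform can be reproduced with the RSAT ActiveDirectory module, as in this added example (not code from the article or from either vendor). It reports enabled users that have not logged on within a threshold, exports the result as CSV, and shows the disable step separately; the function name, 90-day threshold and output path are my own placeholders.

```powershell
# Added example: find dormant AD user accounts by last logon date, export them,
# and disable them in a reviewable second step. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-InactiveUserReport {
    param(
        [int]$Days = 90,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [switch]$IncludeNeverLoggedOn
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    # LastLogonDate is the replicated lastLogonTimestamp attribute, accurate only
    # to about 14 days, which is fine for a "dormant for months" sweep. The raw
    # lastLogon attribute is per-DC and never replicated, so it would require
    # querying every domain controller. (Search-ADAccount -AccountInactive is
    # the built-in shortcut, but it cannot show *how* long an account has been idle.)
    Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
               -Properties LastLogonDate, whenCreated, PasswordLastSet, CanonicalName |
        Where-Object {
            ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
            ($IncludeNeverLoggedOn -and -not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
        } |
        Select-Object SamAccountName, Name, CanonicalName, LastLogonDate, PasswordLastSet,
                      @{ n = 'DaysInactive'; e = {
                          # Fall back to the creation date for accounts that never logged on.
                          $ref = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
                          [int]((Get-Date) - $ref).TotalDays } } |
        Sort-Object DaysInactive -Descending
}

# Review first: accounts not seen for 90 days, including ones never used at all.
$stale = Get-InactiveUserReport -Days 90 -IncludeNeverLoggedOn
$stale | Export-Csv -Path 'C:\Reports\inactive-users.csv' -NoTypeInformation   # placeholder path
$stale | Format-Table SamAccountName, DaysInactive, CanonicalName -AutoSize

# Disable rather than delete, so the account (and its SID) can be restored if a
# legitimate owner turns up, and stamp the reason into the description for the audit trail.
# Run this only after the list has been reviewed:
# $stale | ForEach-Object {
#     Set-ADUser -Identity $_.SamAccountName `
#         -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive $($_.DaysInactive) days"
#     Disable-ADAccount -Identity $_.SamAccountName
# }
```

Service accounts and shared mailboxes often show no interactive logon at all, so exclude the OUs that hold them (via -SearchBase) or review them by hand before disabling anything.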
Choosing an AD management tool
Active Directory may be a popular service but it’s not without significant flaws in terms of management and convenience. By incorporating third-party tools into your administrative toolkit you can greatly improve your experience of Active Directory and start to manage your data more effectively. Whether you’re implementing permissions management or a health checker, you will be able to exercise much more control over your system.
Stand out tools from this list include SolarWinds Permissions Analyzer for Active Directory, Recovery Manager for Active Directory, and Bulk Password Control. SolarWinds Permissions Analyzer for Active Directory allows you to provide a little more scrutiny over who has access to what data. On the health maintenance side of things, Recovery Manager for Active Directory acts as a backup plan if something goes wrong.
It goes without saying that Bulk Password Control allows you to allocate and manage user passwords on an automated basis. Combining these or similar tools provides you with a strong cross-section of tools to redefine your Active Directory experience.
See also: PowerShell Cheat Sheet
Active Directory & AD Management FAQs
How does Active Directory management work in Access Rights Manager?
SolarWinds Access Rights Manager provides an interface to Active Directory. Your user accounts and resource permissions data flows through to Active Directory. However, ARM is able to coordinate data between several instances of AD and record all of the information necessary to quickly compile compliance reports.
Is Active Directory free?
Active Directory is built into Windows Server, so if you have that operating system, you don’t have to pay for AD. Microsoft also makes Active Directory available as an Azure service. The price for AD is free for users of Azure services or Office 365.
How do I create a desktop shortcut for Active Directory?
To create an AD shortcut on your desktop:
- Right-click anywhere over the desktop to get the context menu.
- Hover over New to get the sub-menu. Click on Shortcut.
- Enter dsa.msc as the location of the destination for the shortcut and click Next.
- Enter a name for the shortcut.
- Click on Finish.
How do I perform Active Directory cleanup?
To perform an Active Directory Domain Services metadata cleanup:
- Open Active Directory Users and Computers.
- Click the name of the domain controller that you want to clean up. Click OK.
- Expand the domain of the domain controller that was forcibly removed. Click on Domain Controllers.
- In the details pane, right-click the computer object to clean up. Click on Delete.
- In the Active Directory Domain Services popup, check the domain controller name. Click on Yes.
- In the Deleting Domain Controller popup, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO). Click on Delete.
- For a global catalog server, a confirmation popup will appear. Click Yes to continue with the deletion.
- A domain controller that holds an operations master role will provoke an action popup. Click OK to move the role or roles to the domain controller that is shown.
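After running through the metadata cleanup above, it is worth confirming that nothing still points at the removed domain controller. This added example (not from the article) does that check with the RSAT ActiveDirectory module; the function name and the DC name 'OLD-DC01' are my placeholders.

```powershell
# Added example: verify that a metadata cleanup left no stale references to a
# removed domain controller and that every operations master role is on a live DC.
# Assumes the RSAT ActiveDirectory module and a domain-joined admin session.
Import-Module ActiveDirectory

function Test-DcMetadataCleanup {
    param([Parameter(Mandatory)][string]$RemovedDcName)

    $rootDse  = Get-ADRootDSE
    $domain   = Get-ADDomain
    $forest   = Get-ADForest
    $findings = @()

    # 1. The computer object in the Domain Controllers OU should be gone.
    $dcOu = "OU=Domain Controllers,$($domain.DistinguishedName)"
    if (Get-ADComputer -Filter "Name -eq '$RemovedDcName'" -SearchBase $dcOu) {
        $findings += "Computer object for $RemovedDcName still exists in $dcOu"
    }

    # 2. The server object (and its NTDS Settings child) under Sites should be gone.
    $sitesDn = "CN=Sites,$($rootDse.configurationNamingContext)"
    $server  = Get-ADObject -Filter "objectClass -eq 'server' -and Name -eq '$RemovedDcName'" -SearchBase $sitesDn
    if ($server) { $findings += "Server object still present: $($server.DistinguishedName)" }

    # 3. No operations master role may still name the removed DC.
    $roles = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($r in $roles.GetEnumerator()) {
        if ($r.Value -eq $RemovedDcName -or $r.Value -like "$RemovedDcName.*") {
            $findings += "$($r.Key) is still held by $($r.Value)"
        }
    }

    # 4. The DC should no longer be enumerated at all.
    if (Get-ADDomainController -Filter "Name -eq '$RemovedDcName'") {
        $findings += "$RemovedDcName is still returned by Get-ADDomainController"
    }

    if ($findings.Count -eq 0) { "Cleanup verified: no references to $RemovedDcName remain." }
    else { $findings }
}

Test-DcMetadataCleanup -RemovedDcName 'OLD-DC01'   # placeholder name of the removed DC
```

DNS is not covered here: also remove the old DC's A record and any SRV records in _msdcs that still carry its name, otherwise clients keep being referred to a server that no longer exists.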