Active Directory: Essential Tools
During my many years of working with active directory I’ve used several tools. Here are some of the best that I’ve used which are not baked into windows. Good thing about this list is that most of these tools are fee! Another bonus is that most of the information gathering tools don’t require elevated rights as, by default, domain users have read-only access to active directory.
AD Info/AD Tidy
AD Info
This is a top notch information gathering tool that provides exportable reports for all kinds of AD related information. It actually checks every domain controller in your domain to ensure accuracy as well. This tool can provide an enormous amount of information about your forest which you might have to script out otherwise.
AD Tidy
From the same author as AD Info comes AD Tidy. Rather than re-hash the capabilities of this handy tool here is a list of features directly from the author’s site.
Features
- Search for user or computer accounts
- Search entire domain or select a specific OU
- Specify alternate credentials to connect to domain with
- Get account last logon information from all DCs or select specific DCs
- Optionally only find accounts that have not logged on for a specified number of days
- Can ping any computer accounts found, to help confirm if they are still active
- Exclude or include disabled accounts, or only find disabled accounts
- Exclude specific account names from the search results
- Save search settings to file so that you can reload them whenever you want
- Works with domains that you are not a member of (assuming you provide valid credentials)
- Help buttons within the application explain what each setting is for
For any accounts that are found in the search, you can perform one of the following actions:
- Disable
- Enable
- Delete
- Move To Another OU
- Set Description
- Set Expiration Date
- Add To Group
- Remove From Group
- Remove From All Groups
- Hide From Exchange Address Lists (not tested with Exchange 2010 yet)
- Delete home drive
- Export Details To CSV
This author has a few other handy tools you may want to check out as well (AD Photo Edit, Group Manager, Get Group Membership)
AD Explorer
Sysinternals made this little gem of a free utility. It is basically active directory users and computers on steroids. You can use AD explorer to save favorite locations, take snapshots, and dig into the innards of AD in a way that is similar to adsiedit. The snapshots can be compared and browsed offline.
Oldcmp.exe
Joeware makes a bunch of really nice free command-line driven tools for AD but oldcmp.exe is one of my favorites. You use oldcmp.exe to generate, and optionally take actions against, old computers and users.
Here is a good sample script you can use and modify to suit your needs. It assumes that you are generating reports in a “Reports” directory residing with the oldcmp.exe executable. Pay special attention to the fact that we are excluding cluster names from the results (-excldn cluster01;cluster02). Cluster names are virtual and don’t ever really get logged on to. You will also have to change the ldap paths to match your organizational needs.
If you wanted to email the reports to some versioned email enabled sharepoint document libarary you can use blat.exe in a batch file that looks like this:
Microsoft Active Directory Topology Diagrammer
This is a handy tool to have if you are becoming familiar with a new forest. It will connect with a global catalog server or domain controller and collect information about the forest and visually map it out in a visio diagram. The diagrams are often a total mess initially but nothing that a bit of manual tweaking cannot resolve. As an added bonus it can also do some exchange mapping if you like (not really valid in Exchange 2010 though).
Quest AD-PKI Powershell Cmdlts
Although the included Microsoft AD cmdlts are fairly decent they never quite got to the level of usefulness as the Quest AD powershell cmdlts. If you have ever had to do mass updates or data retrieval from AD you know that the baked in command line programs Microsoft provides are available; ldifde.exe or csvde.exe. But these require the use of ldap filters to get any filtered information. Besides the fact that ldap filters are going the path of the do-do bird (well maybe not but it sure feels that way with exchange 2010 moving to opath filters) I find them to be needlessly complex. That and I’ve become quite enamored with powershell from using it so much for Exchange 2010 related tasks.
Here is a list of powershell (both quest and non-quest specific) and command line snippets which you might find handy to have:
Get a list of all users and list their permission inheritance setting
Get a list of all users and list those without permission inheritance setting set
Set Permission Inheritence on all Users
Get Computers in OU with Descriptions (use –Service to reference specific forests)
Get Computers in OU, Parse Descriptions for User Names, and Try to Enumerate Logon ids.
(Note: the -Service is used to get past a limitation of the qwest AD powershell commandlets. This is also rather slow)
Set 2008 R2 AD forest mode
Enable Recycle Bin in 2008 R2
Restore Deleted AD Object
Get All Group Memberships For A User
Assign a CSV of User Properties to Users Skipping Empty Fields
Get Quest AD-PKI Cmdlets here.
PowerGui
If you have already installed the Quest AD-PKI Cmdlets then you may as well install PowerGui as well as it can use them for pulling up all kinds of info in your environment and automatically generate scripts for you as well! Just make sure to select the AD powerpack option when installing PowerGUI.