Zachary Loeber

The personal website of Zachary Loeber.

Active Directory: Essential Tools

During my many years of working with Active Directory I’ve used several tools. Here are some of the best that I’ve used which are not baked into Windows. The good thing about this list is that most of these tools are free! Another bonus is that most of the information-gathering tools don’t require elevated rights since, by default, domain users have read-only access to Active Directory.

AD Info/AD Tidy


AD Info

This is a top-notch information-gathering tool that provides exportable reports for all kinds of AD-related information. It actually checks every domain controller in your domain to ensure accuracy as well. This tool can provide an enormous amount of information about your forest which you might otherwise have to script out yourself.


Get AD Info here.

AD Tidy

From the same author as AD Info comes AD Tidy. Rather than re-hash the capabilities of this handy tool here is a list of features directly from the author’s site.


  • Search for user or computer accounts
  • Search entire domain or select a specific OU
  • Specify alternate credentials to connect to domain with
  • Get account last logon information from all DCs or select specific DCs
  • Optionally only find accounts that have not logged on for a specified number of days
  • Can ping any computer accounts found, to help confirm if they are still active
  • Exclude or include disabled accounts, or only find disabled accounts
  • Exclude specific account names from the search results
  • Save search settings to file so that you can reload them whenever you want
  • Works with domains that you are not a member of (assuming you provide valid credentials)
  • Help buttons within the application explain what each setting is for

For any accounts that are found in the search, you can perform one of the following actions:

  • Disable
  • Enable
  • Delete
  • Move To Another OU
  • Set Description
  • Set Expiration Date
  • Add To Group
  • Remove From Group
  • Remove From All Groups
  • Hide From Exchange Address Lists (not tested with Exchange 2010 yet)
  • Delete home drive
  • Export Details To CSV

Get AD Tidy here.


This author has a few other handy tools you may want to check out as well (AD Photo Edit, Group Manager, Get Group Membership).


AD Explorer

Sysinternals made this little gem of a free utility. It is basically Active Directory Users and Computers on steroids. You can use AD Explorer to save favorite locations, take snapshots, and dig into the innards of AD in a way that is similar to ADSI Edit. The snapshots can be compared and browsed offline.

Get AD Explorer here.


Joeware oldcmp.exe

Joeware makes a bunch of really nice free command-line driven tools for AD, but oldcmp.exe is one of my favorites. You use oldcmp.exe to generate reports on, and optionally take action against, old computer and user accounts.

Here is a good sample script you can use and modify to suit your needs. It assumes that you are generating reports in a “Reports” directory alongside the oldcmp.exe executable. Pay special attention to the fact that we are excluding cluster names from the results (-excldn cluster01;cluster02). Cluster names are virtual and don’t ever really get logged on to. You will also have to change the LDAP paths to match your organizational needs.

REM --- This script can report on and move old servers within AD
REM --- MOVE OLD Servers (password older than 90 days) ---
REM - Find computer accounts with passwords older than 90 days
REM - Cluster name objects are excluded with -excldn since they never log on
REM - If you just want a report of old servers, run this
oldcmp -report -nohtmlheader -file ".\Reports\old_servers.html" -llts -sort lltsAge -excldn cluster01;cluster02 -b "ou=Servers,ou=Computers,ou=North America,dc=corp,dc=contoso,dc=local"
REM - Remove the leading REM on the next line to MOVE old servers to another OU and generate a report
REM - (-nodc skips domain controllers; -forreal is what makes the move actually happen)
REM oldcmp -nohtmlheader -file ".\Reports\old_servers.html" -rsort LLTS -excldn cluster01;cluster02 -b "ou=Servers,ou=Computers,ou=North America,dc=corp,dc=contoso,dc=local" -move -newparent "ou=Computers,ou=Inactive Accounts,ou=North America,dc=corp,dc=contoso,dc=local" -nodc -norefer -unsafe -forreal

If you wanted to email the reports to some versioned, email-enabled SharePoint document library you can use blat.exe in a batch file that looks like this:

@echo off
blat - -body " " -to "[email protected]" -f "[email protected]" -s "Old Servers" -log blat.log -timestamp -attacht .\Reports\old_servers.html
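The same stale-server sweep as the oldcmp script above, written as an added example with the Microsoft ActiveDirectory module rather than Joeware's tool (this is not code from the post or from Joeware). It reports computer accounts whose machine password is older than the cutoff, skips the cluster name objects and domain controllers (oldcmp's -excldn and -nodc), and only moves anything when -ForReal is given (oldcmp's -forreal). The OU paths and cluster names are the placeholders used in the post.

```powershell
# Added example, not Joeware's code: stale-server report and optional move
# using the Microsoft ActiveDirectory module. OU paths and cluster names are
# the post's placeholders; -ForReal mirrors oldcmp's -forreal switch.
[CmdletBinding()]
param(
    [string]$SearchBase = 'OU=Servers,OU=Computers,OU=North America,DC=corp,DC=contoso,DC=local',
    [string]$InactiveOU = 'OU=Computers,OU=Inactive Accounts,OU=North America,DC=corp,DC=contoso,DC=local',
    [string[]]$Exclude  = @('cluster01', 'cluster02'),
    [int]$Days          = 90,
    [string]$ReportPath = '.\Reports\old_servers.csv',
    [switch]$ForReal
)

Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-$Days)

# pwdLastSet is what oldcmp keys on by default; lastLogonTimestamp is included
# in the report for comparison (it replicates only every ~14 days by design).
$old = Get-ADComputer -SearchBase $SearchBase -Filter { PasswordLastSet -lt $cutoff } `
           -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
       Where-Object { $Exclude -notcontains $_.Name }

# Never touch domain controllers, whatever OU they happen to sit in.
$dcDNs = (Get-ADDomainController -Filter *).ComputerObjectDN
$old   = @($old | Where-Object { $dcDNs -notcontains $_.DistinguishedName })

$old | Select-Object Name, OperatingSystem, Enabled, PasswordLastSet, LastLogonDate, DistinguishedName |
    Sort-Object PasswordLastSet |
    Export-Csv -NoTypeInformation -Path $ReportPath

foreach ($computer in $old) {
    if ($ForReal) {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $InactiveOU
    } else {
        Write-Host ("Would move {0} (password set {1}) to {2}" -f $computer.Name, $computer.PasswordLastSet, $InactiveOU)
    }
}
```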


Get oldcmp.exe here.


Microsoft Active Directory Topology Diagrammer

This is a handy tool to have if you are becoming familiar with a new forest. It will connect to a global catalog server or domain controller, collect information about the forest, and visually map it out in a Visio diagram. The diagrams are often a total mess initially, but nothing that a bit of manual tweaking cannot resolve. As an added bonus it can also do some Exchange mapping if you like (not really valid in Exchange 2010 though).

Get ADTD here.

Quest AD-PKI PowerShell Cmdlets

Although the included Microsoft AD cmdlets are fairly decent, they never quite got to the level of usefulness of the Quest AD PowerShell cmdlets. If you have ever had to do mass updates or data retrieval from AD you know that the baked-in command-line programs Microsoft provides are ldifde.exe and csvde.exe. But these require the use of LDAP filters to get any filtered information. Besides the fact that LDAP filters are going the way of the dodo bird (well, maybe not, but it sure feels that way with Exchange 2010 moving to OPATH filters), I find them to be needlessly complex. That, and I’ve become quite enamored with PowerShell from using it so much for Exchange 2010 related tasks.

Here is a list of PowerShell (both Quest-specific and non-Quest) and command-line snippets which you might find handy to have:

Get a list of all users and list their permission inheritance setting

Get-QADUser -SizeLimit 0 | Select-Object Name,@{n='IncludeInheritablePermissions';e={!$_.DirectoryEntry.PSBase.ObjectSecurity.AreAccessRulesProtected}}

Get a list of all users and list those without permission inheritance setting set

Get-QADUser -SizeLimit 0 | Select-Object Name,@{n='IncludeInheritablePermissions';e={!$_.DirectoryEntry.PSBase.ObjectSecurity.AreAccessRulesProtected}} | Where {!$_.IncludeInheritablePermissions}

Set Permission Inheritance on all Users

Get-QADUser -SizeLimit 0 | Set-QADObjectSecurity -LockInheritance
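The inheritance audit from the three Quest one-liners above, as an added example (not from the post) using only the Microsoft ActiveDirectory module, with the two columns worth checking before any bulk change to inheritance. Accounts with adminCount=1 are, or once were, protected by AdminSDHolder: SDProp re-blocks their inheritance roughly every hour, so toggling them in bulk is futile, and an adminCount=1 account that is no longer in a protected group is a leftover that deserves a look. The list of protected groups is a common-case assumption for the example.

```powershell
# Added example, not from the post: inheritance audit with the ActiveDirectory
# module plus AdminSDHolder context. The protected-group list is an assumption.
Import-Module ActiveDirectory

$protected = @{}
$protectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                   'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
foreach ($group in $protectedGroups) {
    # Enterprise/Schema Admins only exist in the forest root; errors are ignored elsewhere
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $protected[$_.distinguishedName] = $true }
}

$report = Get-ADUser -Filter * -Properties adminCount, nTSecurityDescriptor | ForEach-Object {
    $adminCount = if ($_.adminCount) { [int]$_.adminCount } else { 0 }
    $inGroup    = [bool]$protected[$_.DistinguishedName]
    [pscustomobject]@{
        Name                          = $_.Name
        # same flag the Quest one-liners compute from AreAccessRulesProtected
        IncludeInheritablePermissions = -not $_.nTSecurityDescriptor.AreAccessRulesProtected
        AdminCount                    = $adminCount
        InProtectedGroup              = $inGroup
        # adminCount still set but no longer in a protected group
        OrphanedAdminCount            = ($adminCount -eq 1 -and -not $inGroup)
    }
}

# Same result as the second Quest one-liner: users with inheritance blocked
$report | Where-Object { -not $_.IncludeInheritablePermissions } | Format-Table -AutoSize

# Candidates for a safe unlock: inheritance blocked and never AdminSDHolder-protected
$report | Where-Object { -not $_.IncludeInheritablePermissions -and $_.AdminCount -ne 1 }

# Leftovers from AdminSDHolder that need a human decision rather than a bulk change
$report | Where-Object { $_.OrphanedAdminCount }
```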

Get Computers in OU with Descriptions (use -Service to reference specific forests)

Get-QADComputer -Service corp.contoso.local -SearchRoot "Ou=SomeOtherOU,OU=SomeOU,DC=corp,DC=contoso,DC=local" -Description "*" | Select-Object Name, Description | Export-Csv -NoTypeInformation C:\Temp\emea5_systems.csv

Get Computers in OU, Parse Descriptions for User Names, and Try to Enumerate Logon IDs

(Note: -Service is used to get past a limitation of the Quest AD PowerShell cmdlets. This is also rather slow.)

Get-QADComputer -Service corp.contoso.local -SearchRoot "Ou=SomeOtherOU,OU=SomeOU,DC=corp,DC=contoso,DC=local"  | Where {$_.Description} | Select-Object Name,Description,@{name="SAMname";expression={(get-qaduser -Service  corp.contoso.local -Name $_.Description).SAMAccountName}},@{name="NewName";expression={(get-qaduser -Service  corp.contoso.local -Name $_.Description).PrimarySMTPAddressPrefix}} | Export-Csv "c:\Temp\computer-logons.csv" -NoTypeInformation

Set 2008 R2 AD forest mode

Import-Module ActiveDirectory
Set-ADForestMode -Identity domain.tld -ForestMode Windows2008R2Forest


Enable Recycle Bin in 2008 R2

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=local' -Scope ForestOrConfigurationSet -Target 'corp.contoso.local'


Restore Deleted AD Object

Get-ADObject -Filter {displayName -eq "Some user"} -IncludeDeletedObjects | Restore-ADObject


Get All Group Memberships For A User

$sUser= Get-QADUser -Service "corp.contoso.local" test.user; foreach ($grp in $sUser.memberof) {Get-QADGroup $grp | select GroupName,Domain,GroupScope,GroupType};

Assign a CSV of User Properties to Users Skipping Empty Fields

foreach ($record in (Import-Csv c:\update.csv)) {
  $command = "Set-QADUser $($record.samAccountName)"
  foreach ($attr in (Get-Member -InputObject $record -MemberType NoteProperty)) {
    $value = $record.($attr.Name)
    # skip the key column and any empty cell
    if ($value -and ($attr.Name -ne 'samAccountName')) {
      # single-quote the value so cells containing spaces survive Invoke-Expression
      $command += " -$($attr.Name) '$($value -replace "'", "''")'"
    }
  }
  Invoke-Expression $command
}
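The same CSV-driven update as the script above, as an added example (not the post's script) using parameter splatting instead of a command string fed to Invoke-Expression. Building a string breaks on values containing spaces or quotes and lets any CSV cell be parsed as PowerShell; a hashtable hands each cell over as a plain argument value. As in the post, CSV column names must match Set-QADUser parameter names; the CSV path and the -Preview switch are assumptions for the example.

```powershell
# Added example, not the post's script: CSV-driven Set-QADUser via splatting.
# The CSV path and the -Preview switch are assumptions for this example.
param(
    [string]$CsvPath = 'c:\update.csv',
    [switch]$Preview
)

# Reject columns that are not Set-QADUser parameters instead of guessing
$validParams = (Get-Command Set-QADUser).Parameters.Keys

foreach ($record in (Import-Csv -Path $CsvPath)) {
    if ([string]::IsNullOrWhiteSpace($record.samAccountName)) {
        Write-Warning 'Row without a samAccountName skipped'
        continue
    }

    $params = @{ Identity = $record.samAccountName }
    foreach ($attr in ($record | Get-Member -MemberType NoteProperty)) {
        $value = $record.($attr.Name)
        # Skip the key column and empty cells, exactly as the original script intends
        if ($attr.Name -eq 'samAccountName' -or [string]::IsNullOrWhiteSpace($value)) { continue }
        if ($validParams -notcontains $attr.Name) {
            Write-Warning "Column '$($attr.Name)' is not a Set-QADUser parameter; skipped for $($record.samAccountName)"
            continue
        }
        $params[$attr.Name] = $value
    }

    if ($params.Count -eq 1) { continue }   # only the identity: nothing to change for this row

    $changes = ($params.Keys | Where-Object { $_ -ne 'Identity' }) -join ', '
    if ($Preview) {
        Write-Host "Would set $changes on $($record.samAccountName)"
    } else {
        Set-QADUser @params
    }
}
```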


Get Quest AD-PKI Cmdlets here.



If you have already installed the Quest AD-PKI Cmdlets then you may as well install PowerGUI as well, as it can use them for pulling up all kinds of info in your environment and can automatically generate scripts for you too! Just make sure to select the AD PowerPack option when installing PowerGUI.

Download PowerGUI here.