I always enjoy seeing the different tools used across different IT shops. In fact, one of the most common questions clients ask is what other companies are using to perform various functions in AD. So, today I figured I’d continue on with the Active Directory theme (started by Christian’s post regarding AD Admin accounts on Monday) and do a quick roundup of AD management tools I’ve encountered.

Let’s start with the nice face-lift given to AD management in Server 2012.

Revamped Active Directory Management in Windows Server 2012

As of Windows Server 2012, most of the built-in AD tools have been overhauled, with most being completely rebuilt to run on PowerShell. PowerShell is Microsoft’s task automation and configuration management framework. It is built around Cmdlets: commands that act as little scripts you can feed parameters and variables into.

Microsoft went a step further and now even allows for the administrator to easily see which Cmdlets are being called in AD Administrative Center to perform tasks. For example, when you add a user in Windows Server 2012 (and 2012 R2), you can actually see the PowerShell used to implement the commands, copy and paste it, modify it, then save it as a .PS1 file to automate, batch or schedule the processes in the future!

PowerShell on display in Server 2012

For many organizations, though, Windows Server 2012 and beyond is still a ways off, and there are other gaps that solid third-party tools help fill.

Third Party Tool Round Up

Dell PowerGUI/Quest ActiveRoles Server: These two tools, distributed by Dell and used in conjunction with one another, do the best job of simplifying AD management and adoption of PowerShell.

  • Utilizes PowerShell to perform tasks, which is the wave of the future in Windows Server
  • PowerGUI can generate reports from AD quickly and easily.
  • ActiveRoles provides an outstanding PowerShell debugger and IDE.
  • ActiveRoles makes automating workflows easy, and they can be implemented as PowerShell scripts.
  • PowerGUI is free!

Softerra LDAP Browser: This tool is handy if you are required to work with multiple directory services (e.g. OpenLDAP, AD, Oracle Internet Directory).

  • Adds a lot of little features you wish Microsoft’s out-of-the-box utilities had, like copying entries directly out of the app and pasting them into a spreadsheet, easy filtering and sorting, and quick and easy searching.
  • Simplified Import and Export tools with GUI support
  • Supports templates for object creation (as opposed to empty accounts that get endlessly copied and pasted).

ADSI Edit: Microsoft’s LDAP editing tool included in Windows Server 2008 R2 and above. This tool tends to be overlooked by a lot of systems engineers in my experience.

  • Much quicker access to object attributes than using other built-in Active Directory tools.
  • Built in! No need to get permission to install or set anything up.

Bulk AD Users: A nice freeware tool that allows for simplified manipulation of AD data and features a familiar, simple interface.

  • Mass update AD data via CSV imports or even editing directly in Excel!
  • Features a rollback feature so that updates can easily be undone.
  • Requires no use of scripting language or command line tools.

LazyWinAdmin: A brilliant systems admin who has automated almost every annoying task a sys admin might ever have to deal with. I like using many of his scripts and resources to help my auditees along with my requests/process improvements.

My favorite solution is his solution for monitoring and reporting changes in group membership.
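One way to monitor and report group membership changes with the ActiveDirectory module, added here as an example; it is not LazyWinAdmin's script. The group list and the snapshot directory are assumptions to adjust for your domain.

```powershell
#Requires -Modules ActiveDirectory
# Added example: report membership changes in sensitive AD groups between runs.
# Assumptions: the group list and snapshot directory are placeholders to adjust.
param(
    [string[]]$Groups      = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'),
    [string]  $SnapshotDir = 'C:\ADGroupSnapshots'   # hypothetical path
)

if (-not (Test-Path -Path $SnapshotDir)) {
    New-Item -ItemType Directory -Path $SnapshotDir | Out-Null
}

$changes = foreach ($group in $Groups) {
    $file = Join-Path $SnapshotDir (($group -replace '[^\w\-]', '_') + '.txt')

    # Current members by DN; -Recursive also returns members of nested groups.
    # -ErrorAction Stop aborts on a failed lookup so the baseline below is
    # never overwritten with incomplete data.
    $current = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
        ForEach-Object { $_.distinguishedName } | Sort-Object -Unique)

    if (Test-Path -Path $file) {
        $previous = @(Get-Content -Path $file)
        # Plain set difference, which also works when either side is empty.
        $added   = @($current  | Where-Object { $_ -notin $previous })
        $removed = @($previous | Where-Object { $_ -notin $current })
        foreach ($dn in $added) {
            [pscustomobject]@{ Time = (Get-Date); Group = $group; Change = 'Added'; Member = $dn }
        }
        foreach ($dn in $removed) {
            [pscustomobject]@{ Time = (Get-Date); Group = $group; Change = 'Removed'; Member = $dn }
        }
    }
    # The first run for a group only records the baseline.
    Set-Content -Path $file -Value $current
}

if ($changes) {
    # Keep a running history and show this run's changes on the console.
    $changes | Export-Csv -Path (Join-Path $SnapshotDir 'changes.csv') -NoTypeInformation -Append
    $changes | Format-Table -AutoSize
} else {
    Write-Output 'No group membership changes since the last snapshot.'
}
```

Run it from a scheduled task, and restrict write access on the snapshot directory to the account that runs the task, since anyone who can edit the baseline files can hide a change from the report.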

A special thanks to Josh Kaldor for his input on this post!

Know of some other great resources? Share!