Active Directory Management Tools: Must-Have Features

Learn how to manage Active Directory with native and third-party tools

The landscape of technology infrastructure has changed since Active Directory emerged in the late nineties. Line-of-business applications, devices, servers, and users are no longer tied to corporate networks and firewalls. Authentication services have shifted from legacy protocols, such as NTLM and Kerberos, to modern authentication protocols, such as OpenID Connect and OAuth. Yet, many organizations still retain Active Directory and use it as the source of authority for user objects and devices in cloud environments. It remains a crucial service for organizations, and ensuring its health and availability remains critical.

This article reviews the importance of Active Directory management and provides an overview of key concepts. We look at management with Active Directory, as well as management of Active Directory—both critical aspects for the AD administrator.

The native tools that ship with Active Directory, Windows Server, and Entra ID are limited and lack certain features. It is worthwhile to obtain a tool that reduces potential downtime, automates tasks, ensures proper compliance, and simplifies administration across Active Directory and Entra ID; it is a wise investment.

Summary of Essential Active Directory Management Tool Features

When learning to manage Active Directory, starting with the critical management tools and concepts is helpful. Afterward, more advanced concepts should be considered, especially for large enterprise production environments.

The table below begins with the essential features. The rest of the article elaborates on these features in detail and covers advanced features later on.

Essential Feature: User and Group Management
Native Management Tools: Active Directory Users and Computers (ADUC), Active Directory Administrative Center
Description: Active Directory Users and Computers is a graphical console that allows an admin to perform object-level administrative tasks in Active Directory.

Essential Feature: Permissions Management
Native Management Tools: Active Directory Domains and Trusts, Active Directory Users and Computers
Description: The Active Directory Domains and Trusts console allows an admin to manage various trusts with other domains and forests.

Essential Feature: Governance
Native Management Tools: Event Viewer logs, Group Policy Management Console, Active Directory PowerShell module, Active Directory Users and Computers, Resultant Set of Policy (RSoP), Task Scheduler, Azure Runbooks, and related command line tools
Description: The Active Directory PowerShell module is a collection of cmdlets to manage Active Directory-related settings and objects. Task Scheduler is a tool that allows processes and scripts to run in an unattended fashion based on defined triggers. Azure Runbooks is a cloud-based service that can schedule unattended tasks without a management server.

Essential Feature: Redundancy and Disaster Recovery
Native Management Tools: Active Directory Sites and Services, Windows Server Backup, and related command line tools
Description: The Active Directory Sites and Services console allows admins to view and manage the Active Directory replication-related settings and force replication. Windows Server Backup allows admins to take a backup of the local or remote server and review the results of previous backup jobs.

Essential Feature: Health and Performance
Native Management Tools: Performance Monitor, Event Viewer, Active Directory PowerShell module, and Entra ID Connect Health
Description: Performance Monitor allows admins to create and view various performance counters to track system performance and monitor for performance-related issues. Entra ID Connect Health is a cloud-based service from Microsoft that can monitor Active Directory replication and performance. It can provide insights and recommended fixes as well.

NOTE: The consoles listed above that require installing an optional Windows feature are part of a collection called Remote Server Administration Tools (RSAT). You can install the components mentioned above using these instructions.

Security and Auditing

Cayosoft Administrator simplifies the management of Active Directory objects across multiple Active Directory forests in a unified solution, including hybrid scenarios where Microsoft 365 services are enabled in the environment. It provides user lifecycle management, including provisioning, deprovisioning, and license management. It also allows the management of Microsoft 365 features at the object level, as pictured below.

Cayosoft Administrator Web Portal

User and Group Management

The Active Directory Users and Computers console lets you view and manage directory objects, including users, computers, organizational units, and containers. To access this, click the Start button on a Windows OS and type in “dsa.msc.”

Active Directory Users and Computers Console

A more recent administrative tool for Active Directory is the Active Directory Administrative Center. To open this, click the Start button and type in “dsac.exe.” It has all the capabilities of Active Directory Users and Computers, plus additional capabilities like:

  • View and manage fine-grained password policies
  • Restore deleted objects (if the Active Directory Recycle Bin is enabled)
  • Connect to and search multiple forests at one time
  • Export PowerShell cmdlets to transform the tasks performed in the console, so they can be more easily automated

Active Directory Administrative Center

The native tools for user and group management come with challenges and limitations. Being able to manage multiple forests within one instance of the native tools is not possible. Additionally, separate tools are needed for hybrid environments to manage the cloud resources and services. Cayosoft Administrator offers hybrid management of Active Directory and Entra ID from a single console.

Permissions Management

For permissions management, an essential tool is Active Directory Users and Computers. You can right-click on any object and select properties. There, you can view and modify the permissions. You can also use the Active Directory Administrative Center as an alternative method to perform these tasks.

Tasks related to viewing and managing trusts are performed with the Active Directory Domains and Trusts console. Launch this tool by entering “domain.msc” at the Start menu, as outlined above. Here, you can establish trusts with forests or domains within the organization or in other organizations, provided the network connectivity requirements are met. It is important to note that, from an Active Directory standpoint, a forest acts as the security boundary: there are no inherited trusts or permissions between forests.

Active Directory Domains and Trusts Console

Roles

Privileged accounts are typically assigned permissions by being placed in a role group. Native roles do not extend from Active Directory to the cloud, including Entra ID. It is worth noting that these tools require some development to automate tasks.

Administrative changes are audited with various logs stored on domain controllers, visible with Event Viewer. You can control the security policies and Windows OS settings with centralized policies managed with the Group Policy Management Console. Active Directory Users and Computers can manipulate objects, including disabling and deleting stale objects. However, auditing these changes across the domain and forest, and even across domain controllers, is extremely challenging without a centralized log management system, custom-developed scripts, or processes. Correlating events between Active Directory and Entra ID is even more challenging.

To secure your Active Directory and reduce risk, it is recommended to implement measures that protect privileged access. One example is the principle of least privilege (PoLP), which ensures users have only the minimal permissions required to perform the tasks related to their roles and responsibilities. Allowing administrators to request a role for a limited period, after which the role is removed, adds another layer of security. Native tools do not provide an out-of-the-box method to perform this action, also known as just-in-time (JIT) administration.

Rules

Typically, access to resources or roles is controlled by rules or policies defined by administrators and the business (or resource owners). One type of rule controls what actions users can take on their devices and the configuration of the user’s session or device. An excellent example of these types of rules is Group Policy. Another example is Access Packages, part of the Entra ID identity governance service.

Group Policy is very effective for managing Windows devices and environments. However, reporting on deployment status is very challenging, and it cannot be automated. Access Packages are a relatively new concept in Entra ID and are equally challenging to report on and maintain in large, growing environments. Cayosoft offers granular rule capabilities and can automate responses, even to expected environmental changes, so that policy governance is in place for the environment immediately.

Governance

In identity and access management, governance focuses on the lifecycle of objects, including user and computer objects. Ensuring stale objects are either disabled or removed is critical to reduce risk. Another aspect of governance is auditing administrative changes and ensuring the configuration settings comply with organizational policies and standards. Automating the provisioning and deprovisioning of user objects in Active Directory reduces risk and ensures compliance regulations are met more efficiently.
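
The stale-object cleanup described above, as an added PowerShell example that is not code from the article or from Cayosoft. It uses the RSAT ActiveDirectory module; the 90-day cutoff, the exclusion of Domain Admins members and the function names are choices made for this example.

```powershell
# Added example, not from the article: report stale user and computer accounts,
# then disable them under -WhatIf control. Requires the RSAT ActiveDirectory
# module and rights to modify the objects; the 90-day cutoff is a constructed value.
Import-Module ActiveDirectory

function Get-StaleAdAccounts {
    param(
        [int]$InactiveDays = 90,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    # lastLogonTimestamp replicates between DCs (lastLogon does not), so one query
    # is enough, but it can lag up to 14 days: keep the cutoff well above that.
    # Accounts that never logged on have no value at all, hence the -notlike "*" clause.
    $filter = { Enabled -eq $true -and whenCreated -lt $cutoff -and (LastLogonTimeStamp -lt $cutoff -or LastLogonTimeStamp -notlike "*") }
    $props  = 'LastLogonTimeStamp', 'whenCreated'
    $found  = @(Get-ADUser -Filter $filter -SearchBase $SearchBase -Properties $props) +
              @(Get-ADComputer -Filter $filter -SearchBase $SearchBase -Properties $props)
    foreach ($obj in $found) {
        [pscustomobject]@{
            Name      = $obj.SamAccountName
            Class     = $obj.ObjectClass
            LastLogon = if ($obj.LastLogonTimeStamp) { [datetime]::FromFileTime($obj.LastLogonTimeStamp) } else { $null }
            Created   = $obj.whenCreated
            DN        = $obj.DistinguishedName
        }
    }
}

function Disable-StaleAdAccounts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$InactiveDays = 90)
    # Privileged principals are reviewed by hand, never disabled by a scheduled job.
    $protected = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).DistinguishedName
    foreach ($acct in Get-StaleAdAccounts -InactiveDays $InactiveDays) {
        if ($protected -contains $acct.DN) { continue }
        if ($PSCmdlet.ShouldProcess($acct.DN, "Disable stale $($acct.Class)")) {
            Disable-ADAccount -Identity $acct.DN
            # Leave an audit trail on the object itself for whoever reviews it later.
            Set-ADObject -Identity $acct.DN -Description "Disabled $(Get-Date -Format s): inactive > $InactiveDays days"
        }
    }
}

# Report first; then preview the change with -WhatIf before running it for real.
Get-StaleAdAccounts -InactiveDays 90 | Sort-Object LastLogon | Format-Table -AutoSize
Disable-StaleAdAccounts -InactiveDays 90 -WhatIf
```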

Cayosoft Administrator also provides rule-based functionality to automate the lifecycle of user objects in on-prem Active Directory and hybrid environments. In addition to automation using rules and policy to ensure proper and least privileged access is granted, Cayosoft offers governance certification and attestation that can be extended easily through the portal for the actual owners of the resources. For example, a finance manager certifies and attests to group membership, allowing sensitive documentation access.

Cayosoft Administrator Account Provisioning Rules

Automation

Many organizations have requirements that generate the need for custom development. For example, if you want to detect indicators of compromise—such as unusual user actions, like performing administrative tasks in Active Directory that indicate an elevation of privileges—you need custom task flows. Automation allows the execution of routine flows to be more secure and controlled as the tasks typically run from management servers. It also reduces the chance of human error.

You can automate tasks like searching and downloading logs from Event Viewer, managing Group Policy settings, and managing Active Directory objects from PowerShell. PowerShell cmdlets are packaged in units called modules. There are modules for components built into Windows Server and for various Windows Server roles, including Active Directory. The cmdlets within these modules allow administrators or developers to automate multiple tasks by writing PowerShell scripts, custom functions, and modules. PowerShell scripts can be scheduled to run regularly based on organizational requirements. These tasks can be executed from on-premises Windows Servers or Windows Servers running in the cloud.
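
The cross-domain-controller audit problem raised under Roles, and the detection of privilege-elevating administrative actions mentioned above, as an added PowerShell example that is not code from the article or from Cayosoft. It assumes the RSAT ActiveDirectory module, the "Audit Security Group Management" subcategory enabled via Group Policy, and read access to the Security log on each domain controller; the watched group list and function name are choices made for this example.

```powershell
# Added example, not from the article: collect privileged-group membership changes
# from the Security log of every domain controller. Each DC records only the
# changes it processed itself, so a single DC's log is never the full picture.
Import-Module ActiveDirectory

function Get-PrivilegedGroupChanges {
    param(
        [int]$Hours = 24,
        [string[]]$WatchGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )
    # 4728/4732/4756: member added to a global/domain-local/universal security group;
    # 4729/4733/4757: member removed. These are documented Windows Security event IDs.
    $ids   = 4728, 4729, 4732, 4733, 4756, 4757
    $since = (Get-Date).AddHours(-$Hours)
    $dcs   = (Get-ADDomainController -Filter *).HostName

    foreach ($dc in $dcs) {
        try {
            $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
                LogName = 'Security'; Id = $ids; StartTime = $since }
        } catch {
            # "No events were found" is a normal outcome; anything else needs attention.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "$dc : $($_.Exception.Message)"
            }
            continue
        }
        foreach ($e in $events) {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$e.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($WatchGroups -notcontains $d['TargetUserName']) { continue }
            [pscustomobject]@{
                Time      = $e.TimeCreated
                DC        = $dc
                EventId   = $e.Id
                Action    = if ($e.Id -in (4728, 4732, 4756)) { 'Added' } else { 'Removed' }
                Group     = $d['TargetUserName']
                Member    = $d['MemberName']      # distinguished name of the principal
                ChangedBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            }
        }
    }
}

# Scheduled daily: every row returned should match an approved change request.
Get-PrivilegedGroupChanges -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```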

Automation with Azure

An alternate approach would be to trigger the scripts from a cloud service like Azure Automation within a runbook. You can configure the services in the Azure portal by searching for the term ‘Azure Automation account.’ Azure Automation is a serverless service, as administrative tasks usually associated with a server are no longer required. The Azure runbook can reach on-premises servers via the Hybrid Worker extension.

Microsoft Azure Portal

Below is a sample script, written to run as an Azure Automation runbook, that sets the ‘user must change password at next logon’ flag on an Entra ID user by applying a password profile object ($AADPasswordProfile) to the account.

###Script to set 'user must change password flag' in Azure AD (Entra ID)
# Runs as an Azure Automation runbook. Note that the AzureADPreview module used
# here has since been deprecated by Microsoft in favour of Microsoft Graph PowerShell.
#Set Parameters
param (
    [Parameter(Mandatory = $true)]
    [string]$UserObjectId
)

#Import Modules
Import-Module AzureADPreview

#Set Variables
$ErrorActionPreference = "Stop"
# Credential asset stored in the Automation account
$Creds = Get-AutomationPSCredential -Name 'SVC-MSFlow'
$AADPasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
# The property is a boolean, so assign a boolean rather than the string "True"
$AADPasswordProfile.ForceChangePasswordNextLogin = $true

#Connect to Azure AD PS Module
Connect-AzureAD -Credential $Creds | Out-Null

#Output Result Function
Function OutputResult($Result, $UserPrincipalName, $UserObjectId, $Exception) {
    If ($Result -eq "Error") {
        Write-Output "$Result : The change password flag could not be set on the user with an object ID of $UserObjectId due to the following error:`r`n`r`n$Exception"
    }
    Else {
        Write-Output "$Result : The change password flag was successfully set on user $UserPrincipalName."
    }
}

#Set Force Change Password at Next Login Flag Function
Function SetFlag ($UserObjectId, $AADPasswordProfile) {
    Try {
        $UserPrincipalName = (Get-AzureADUser -ObjectId $UserObjectId).UserPrincipalName
        Set-AzureADUser -ObjectId $UserObjectId -PasswordProfile $AADPasswordProfile
        OutputResult -Result "Success" -UserPrincipalName $UserPrincipalName -UserObjectId $UserObjectId
    }
    Catch {
        # $_ holds the terminating error that sent us here
        $ErrorMessage = $_.Exception.Message
        OutputResult -Result "Error" -UserPrincipalName $UserPrincipalName -UserObjectId $UserObjectId -Exception $ErrorMessage
    }
    Finally {
        # Always drop the session, whether the update succeeded or failed
        Disconnect-AzureAD
    }
}

SetFlag -UserObjectId $UserObjectId -AADPasswordProfile $AADPasswordProfile

Automation with Cayosoft Administrator

In comparison, Cayosoft Administrator provides the rules feature to easily automate many tasks, including tasks for hybrid users. Administrators can define rules to automate tasks like identifying stale accounts and disabling them or assigning specific features of Microsoft 365 during the account provisioning process. For example, a rule allows admins to quickly inform users of their password expiring while advising them to change their password.

One of Cayosoft Administrator’s core use cases for automation is preventing unwanted environmental changes. A complementary offering is a complete monitoring and auditing solution called Cayosoft Guardian, which enables comprehensive Active Directory and Entra ID auditing out of the box, from a single console. Many useful alerts are already built in for the most critical change types. Guardian allows for automated remediation and rollback of object- and attribute-level changes. Another critical feature of Guardian is the ability to recover deleted items in Entra ID, even if they have been hard deleted and the 30-day retention period has elapsed.

Cayosoft Administrator rule templates

Group Policy Management

Group Policy objects can be managed with the Group Policy Management Console, which is opened by entering “gpmc.msc” at the Start menu. Changes to these policies replicate between domain controllers. The contents of the policies are stored in the SYSVOL folder, a special network share hosted by every domain controller. These policies control the end-user environment and manage the configuration of operating system components on servers and devices.

Group Policy Management Console

The Resultant Set of Policy tool, launched by entering “rsop.msc” in the Start menu, allows administrators to model and view the results of existing or proposed policies. There are also command line tools for managing Group Policy objects, including the GroupPolicy PowerShell module.

Resultant Set of Policy Tool

Cayosoft Administrator also provides role-based delegation. It comes with built-in policies to delegate permissions in hybrid environments. These rule-based policies allow permissions to be delegated in Active Directory and Entra ID/Azure AD. The roles control users’ tasks and what is visible in the Cayosoft Administrator web portal.

Cayosoft Administrator web portal home page showing delegated tasks

Redundancy

Replication of the Active Directory database ensures the service is highly available even when it serves users, computers, and applications in different regions and data centers. Similarly, ensuring a backup of the Active Directory database is vital for business continuity. A disaster recovery plan is essential if there is data corruption or the Active Directory service is compromised by a security incident.

Replication settings can be managed with Active Directory Sites and Services. You can optimize your Active Directory topology based on the organization’s network infrastructure and data center design. You can manually trigger replication to force essential changes to other domain controllers on the same or different sites. There are also various command line tools like repadmin to initiate replication on demand and troubleshoot issues with replication.

Active Directory Sites and Services Console

Disaster Recovery

The traditional way to back up Active Directory is with the Windows Server Backup component built into the Windows Server operating system, launched with “wbadmin.msc” at the Start menu. These jobs can run daily or on another schedule, and the backups can be full or incremental, based on business requirements.

Windows Server Backup Module

Another way to back up Active Directory is with command line tools, like wbadmin or the PowerShell cmdlets in the WindowsServerBackup module.

Yet another way to back up Active Directory itself is with dsdbutil. This tool allows point-in-time snapshots to be taken. These snapshots can then be mounted offline, without requiring a restore on a domain controller, and the data can be viewed to see the state of the Active Directory objects at that point in time.
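
The Windows Server Backup route described in the preceding paragraphs, as an added PowerShell example that is not code from the article or from Cayosoft. It uses the WindowsServerBackup module's cmdlets; it assumes the Windows Server Backup feature is installed on the domain controller, and the E: target volume, the 24-hour freshness threshold and the function names are choices made for this example.

```powershell
# Added example, not from the article: system-state backup of a domain controller
# with the WindowsServerBackup cmdlets, plus a freshness check suitable for monitoring.
# E: is a constructed value standing in for a dedicated backup volume.
Import-Module WindowsServerBackup

function Start-DcSystemStateBackup {
    param([string]$TargetVolume = 'E:')
    $policy = New-WBPolicy
    # System state covers the AD database (ntds.dit and its logs), SYSVOL, the
    # registry and boot files: everything a domain controller restore needs.
    Add-WBSystemState -Policy $policy
    $target = New-WBBackupTarget -VolumePath $TargetVolume
    Add-WBBackupTarget -Policy $policy -Target $target
    # A VSS copy backup leaves any other backup product's incremental chain untouched.
    Set-WBVssBackupOptions -Policy $policy -VssCopyBackup
    Start-WBBackup -Policy $policy
}

function Test-DcBackupFreshness {
    param([int]$MaxAgeHours = 24)
    $summary  = Get-WBSummary
    $ageHours = ((Get-Date) - $summary.LastSuccessfulBackupTime).TotalHours
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        LastSuccessful = $summary.LastSuccessfulBackupTime
        LastResultHR   = $summary.LastBackupResultHR   # 0 means the last job succeeded
        AgeHours       = [math]::Round($ageHours, 1)
        Healthy        = ($summary.LastBackupResultHR -eq 0) -and ($ageHours -le $MaxAgeHours)
    }
}

Start-DcSystemStateBackup -TargetVolume 'E:'
Test-DcBackupFreshness -MaxAgeHours 24 | Format-List
```

A backup older than the forest's tombstone lifetime cannot be restored safely, so the freshness threshold should be kept far below that value.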

Native tools provide the capabilities to achieve data recovery but require manual intervention, which can be time-consuming. Recovering objects and rolling back to previously configured settings is challenging in hybrid environments, as different tools are required when working in Active Directory and Entra ID/Azure AD. Cayosoft Guardian allows for instant recovery of objects and attribute values across both environments. In addition, it provides a way to restore many types of objects in Entra ID that are typically not recoverable, such as policy objects and administrative units.

Cayosoft Guardian Recovery Plan Interface

To reduce downtime and accelerate the time it takes to get a disaster recovery plan in place for Active Directory, a tool like Cayosoft Guardian can be a wise investment. Cayosoft offers the fastest available recovery on the market! You can use a wizard-based guide that is ready to execute, which will recover domain controllers, domains, and forests in an environment in an automated way. In addition, recovery can be tested on a standby site. Cayosoft Guardian Forest Recovery eliminates the tedious task of orchestrating Active Directory forest recovery using native tools, while ensuring the sequence of tasks is appropriately executed under the proper conditions. Cayosoft also offers a patent-pending technology and methodology that allows for instant recovery of the AD forest if the entire forest has been compromised.

Health and Performance

Health and performance monitoring insights and telemetry are critical to detect and remediate issues promptly. Having tools that monitor and detect issues, while providing automated methods to remediate them, reduces recovery time and business interruption risk.

Cayosoft Guardian also provides continuous change monitoring and real-time alerting across both environments, allowing administrators to take action to prevent outages and security incidents before they occur. The screen capture below shows the event-level changes being monitored in the Change History node in the Active Directory forest.

Cayosoft Guardian Change History interface

One of the newer tools available is the Entra Connect Health service. It is a cloud-based service that can provide insights into system performance and replication health and create alerts when issues arise. You can access the admin portal at https://entra.microsoft.com. There, you can search for Entra Connect Health in the search bar. It is easy to set up. One of the requirements is to install an agent on each domain controller in the forest. No outbound firewall rule changes are required. Only specific endpoints are needed for outbound access for the agents to communicate with the Entra ID Connect Health service.

Microsoft’s Entra Connect Admin console

A classic tool for performance monitoring of Windows Server and Active Directory is Performance Monitor, also known as perfmon (launch it by entering “perfmon.msc” at the Start menu). It is a console that displays many different counters. These can be saved into custom views to track performance over time and to troubleshoot performance issues.

Performance Monitor console

Event Viewer can be used to review Windows Server operating system and Active Directory-related issues, including replication and database health. Outside of the Entra ID Connect Health service, creating dashboards and reports is a manual task requiring development effort; these tasks can be achieved with PowerShell. Issue detection and automated remediation would also require development effort when using out-of-the-box tools.

Conclusion

Organizations with a cloud presence, such as an instance of M365 or Entra ID (Azure AD or related services), usually need to use separate Active Directory management tools, which can become challenging for administrators.

When selecting management tools for Active Directory, there is a list of core capabilities and considerations to evaluate. The essential items are:

  • Scalability and performance
  • Integration and compatibility
  • Security and compliance
  • User interface and usability
  • Vendor support and documentation

Cayosoft is a vendor that has solutions that address these core capabilities. The Cayosoft Management and Protection Suite, including Cayosoft Administrator and Cayosoft Guardian, solves many challenges associated with Active Directory management concepts.