Active Directory Management Tools: Must-Have Features

Learn how to manage Active Directory with native and third-party tools

Like This Article?​

Subscribe to our LinkedIn Newsletter to receive more educational content

The landscape of technology infrastructure has changed since Active Directory emerged in the late nineties. Line-of-business applications, devices, servers, and users are no longer tied to corporate networks and firewalls. Authentication services have shifted from legacy protocols such as NTLM and Kerberos to modern authentication protocols such as OpenID Connect and OAuth. Yet, many organizations still retain Active Directory and use it as the source of authority for user objects and devices in cloud environments. It remains a crucial service for organizations, and ensuring its health and availability remains critical.

This article reviews the importance of Active Directory management and provides an overview of key concepts. We look at management with Active Directory and management of Active Directory—both critical aspects for the AD administrator.

The native tools with Active Directory, Windows Server, and Entra ID are limited and lack certain features. It is worthwhile to obtain a solution that reduces potential downtime, automates tasks, ensures proper compliance, and simplifies administration across Active Directory and Entra ID. It is a wise investment.

Essential Active Directory Management Tasks and Supporting Tools

When learning to manage Active Directory, starting with the critical management tools and concepts is helpful. These tools only offer base functionality and, in most environments, need not meet the standards of modern management at security. Most organizations will opt for a third-party solution with more robust management and security features.

We start with the essential features below and cover the advanced features later in this article.

Admin Task

Native Management Tools

Native Management Tools Description

User and group management

Active Directory Users and Computers (ADUC), Active Directory Administrative Center

Graphical console that allows an admin to perform object-level administrative tasks in Active Directory

Least privilege model of delegation

Active Directory Domains and Trusts, Active Directory Users and Computers

The Active Directory Domains and Trusts console allows an admin to manage various trusts with other domains and forests.

Governance

Event viewer logs, Group Policy Management Console, Active Directory PowerShell module, Active Directory Users and Computers, Resultant Set of Policy, and related command line tools,  Task Scheduler, Azure Runbooks

The Active Directory PowerShell module is a collection of cmdlets to manage Active Directory-related settings and objects.

Task Scheduler is a tool that allows processes and scripts to run in an unattended fashion based on defined triggers.

Azure Runbooks is a cloud-based service that can schedule unattended tasks without a management server.

Automation options

Azure Automation and Group Policy

Azure Automation is also used for the creation of automation processes from within the Azure portal.  Group Policy also for the automation of Windows domain settings and user configuration options to be applied automatically to domain-joined devices.

Redundancy and disaster recovery

Active Directory Sites and Services, Windows Server Backup, and related command line tools

The Active Directory Sites and Services console allows admins to view and manage the Active Directory replication-related settings and force replication.

Windows Server Backup allows admins to take a backup of the local or remote server and review the results of previous backup jobs.

Health and performance

Performance Monitor, event viewer, Active Directory PowerShell module, and Entra ID Connect Health

Performance Monitor allows admins to create and view various performance counters to track system performance and monitor for performance-related issues.

Entra ID Connect Health is a cloud-based service from Microsoft that can monitor Active Directory replication and performance. It can provide insights and recommended fixes as well.

NOTE: The tools mentioning the installation of optional Windows Features are part of a collection called RSAT (Remote Server Administration Tools). You can install the components mentioned above using these instructions.

The rest of the article elaborates on the above features in detail.

User and Group Management

The Active Directory Users and Computers console lets you view and manage directory objects, including users, computers, organizational units, and containers. You can access it by clicking the Start button on a Windows OS and typing “dsa.msc.”

Active Directory Users and Computers Console
Active Directory Users and Computers Console

Manage, Monitor & Recover AD, Azure AD, Office 365

Unified Console

Use a single tool to administer and secure AD, Azure AD, and Office 365

Track Threats

Monitor AD for unwanted changes – detect for security or critical functions

Instant Recovery

Recover global enterprise-wide Active Directory forests in minutes, not days 

A more recent administrative tool for Active Directory is the Active Directory Administrative Center. You can open this by clicking the Start button and typing “dsac.exe.” It has all the capabilities of Active Directory Users and Computers, plus additional capabilities like:

  • View and manage Fine-Grained Password Policies.
  • Restore deleted objects (if the Active Directory Recycle Bin is enabled).
  • Connect to and search multiple forests at one time.
  • Export PowerShell cmdlets to transform the tasks performed in the console so they can be more easily automated.
Active Directory Administrative Center

The native tools for user and group management come with challenges and limitations. Being able to manage multiple forests within one instance of the native tools is not possible. Additionally, separate tools from the vendor are needed for hybrid environments to manage the cloud resources and services. It can be difficult to delegate only the permissions an administrator needs to do their job. 

Cayosoft Administrator offers hybrid management of Active Directory and Entra ID from a single console. This also includes modern interface designs to enhance the admin user experience while ensuring they can access the only tools necessary for their specific tasks.

Group Policy Management

Group policy is an extremely powerful native Windows process. Any changes to the GPOs can be applied to any single part of the organization or the entirety of all objects within the directory. Group policy objects can be managed with the Group Policy Management Console, which can be accessed by entering “gpmc.msc.” Changes to these policies are replicated between domain controllers. The contents of these policies are stored in the SYSVOL folder, a unique network share that domain controllers host. These policies are used to control the end-user environment and to manage the configuration of operating system components on servers and devices.

Group Policy Management Console

The Resultant Set of Policy tool, launched by entering “rsop.msc,” allows administrators to model and view the results of existing or proposed policies. There are also command line tools for managing Group Policy objects, including the GroupPolicy PowerShell module.

Resultant Set of Policy Tool

Cayosoft Administrator also provides role-based least privilege delegation. It comes with built-in policies to delegate permissions in hybrid environments. These rule-based policies allow permissions to be delegated in Active Directory and Entra ID/Azure AD. The roles control users’ tasks and what is visible in the Cayosoft Administrator web portal.

Cayosoft Administrator web portal home page showing delegated tasks

Caysoft Guardian is another solution that can be leveraged when working with GPOs.  Guardian can be used to provide automated threat reviews, out-of-the-box alerts for GPO changes, and the ability to protect GPOs from change beyond the standard delegation model.

Least Privilege Model of Delegation

Permissions, roles, and rules all form delegation in Windows Active Directory. Windows has a built-in tool, Active Directory Users and Computers (ADUC), that helps manage delegation. You can right-click on any object and select Properties. There, you can view and modify the permissions. You can also use the Active Directory Administrative Center as an alternative method to perform these tasks.

Integrating Windows ADUC (on-premises) and Entra ID (cloud) for privileged account management enhances security. Administrators can request time-limited access to specific roles, automatically reducing risk once the task is complete. These predefined roles adhere to a least privilege model but often grant excessive permissions. For example, assigning help desk employees the ‘Account Operators’ role gives them password management and user creation abilities, as well as near-administrator access for object management – a significant security risk.

Cayosoft Administrator eliminates the reliance on over-permissive, pre-built roles, enabling a true least privilege model. Administrators can effortlessly create custom roles with granular permissions – like allowing a help desk technician to reset passwords, modify users, and manage groups. This role-based approach streamlines management without requiring complex Access Control Lists (ACLs). These roles can also be extended to Entra ID, so that a single role can cover both on-premises and cloud environments.

Manage, Monitor & Recover AD, Azure AD, M365, Teams

PlatformAdmin FeaturesSingle Console for Hybrid
(On-prem AD, Azure AD, M365, Teams)
Change Monitoring & AuditingUser Governance
(Roles, Rules, Automation)
Forest Recovery in Minutes
Microsoft AD Native Tools    
Microsoft AD + Cayosoft

Governance

Governance is about applying appropriate and documented processes to everything that provides access to any resource. Objects and principles that require governance include user and group creation, granted access, life cycles, resource ownership and certification, among many others. Windows ADUC and other native tools don’t really provide any method of applying effective governance for these items. It’s almost impossible to have an effective automation or reporting system that satisfies governance requirements. 

Nearly every organization of any size has some form of 3rd party solution. However, many of these are difficult to implement, maintain, and customize to flex with the every changing needs of an organization.

Cayosoft Administrator efficiently implements onboarding, lifecycle management, and offboarding with the appropriate level of reporting and change history to satisfy proof of process. The automation extends beyond just the capability to run scheduled runbooks of rules but also to the manual administrative tasks that take place daily by admin users.

For example, consider a scenario where an admin user manually creates, modifies, or deprovisions a user. Cayosoft Administrator, in the background, will automate tasks necessary as they relate to group memberships, attribute changes, account enablement and disablement, moving the object to a different OU, removing/modifying licenses and tracking the change history. And, it does this seamlessly for AD and Entra ID.

Cayosoft Administrator also enhances compliance by enabling resource owners to certify and attest to the accuracy of access permissions, ensuring that only the right people have access to sensitive data. For example, a finance manager can certify group memberships for accessing sensitive financial documents. All attestation history is tracked for streamlined reporting and auditing.

Cayosoft Administrator Account Provisioning Rules
Cayosoft Administrator Account Provisioning Rules

Automation Options

Many organizations have requirements that generate the need for custom development. For example, as users move into different roles within organizations, their assigned security roles change as well. It is recommended that you handle this ideally through a process with no human intervention to prevent any mistakes. Automation allows the execution of routine flows to be more secure and controlled as the tasks typically run from management servers. It also reduces the chance of human errors.

Onboarding and offboarding are functions of every single company that has a turnover. Disabling users, removing licenses, and removing the user from all security groups are all functions required to offboard an employee. This is often a very lengthy process in the absence of automation.

Automation with Azure

An alternate approach would be to trigger the scripts from a cloud service like Azure Automation within a runbook. You can configure the services in the Azure portal by searching for the term ‘Azure Automation account.’ Azure Automation is a serverless service, as administrative tasks usually associated with a server are no longer required. The Azure runbook can reach on-premises servers via the Hybrid Worker extension.

Microsoft Azure Portal
Microsoft Azure Portal

Below is a sample script that sets the ‘ user must change the password on next log-on’ flag in Entra ID using Azure Runbooks automation:

				
					###Script to set ’user must change password flag’ in Azure AD
 #Set Parameters
 param (
 	[parameter(Mandatory = $true)]
 	[string]$UserObjectId
 )
 #Import Modules
 Import-Module AzureADPreview

 #Set Variables
 $ErrorActionPreference = "Stop"
 $Creds = Get-AutomationPSCredential -Name ’SVC-MSFlow’
 $AADPasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
 $AADPasswordProfile.ForceChangePasswordNextLogin = "True"

 #Connect to Azure AD PS Module
 Connect-AzureAD -Credential $Creds | Out-Null

 #Output Result Function

 
Function OutputResult($result,$UserPrincipalName,$UserObjectId,$Exception){
 	If ($result -eq "Error") {
     	Write-Output "$result : The change password flag could not be set on the user with an object ID of $UserObjectId due to the following error:`r`n`r`n$Exception"
 	}
 	Else {
     	Write-Output "$result : The change password flag was successfully set on user $UserPrincipalName."
 	}
 }

 #Set Force Change Password at Next Login Flag Function
 Function SetFlag ($UserObjectId,$AADPasswordProfile) {
 	Try {
     	$UserPrincipalName = (Get-AzureADUser -ObjectId $UserObjectId).UserPrincipalName
     	Set-AzureADUser -ObjectId $UserObjectId -PasswordProfile $AADPasswordProfile
     	}
 	Catch {
     	$ErrorMessage = Write-Output $Error[0].Exception.Message
     	return OutputResult -Result "Error" -UserPrincipalName $UserPrincipalName -UserObjectId $UserObjectId -Exception $ErrorMessage
 	}
 	If ($Result -ne "Error") {
     	return OutputResult -Result "Success" -UserPrincipalName $UserPrincipalName -UserObjectId $UserObjectId
 	}
 	Disconnect-AzureAD
 }


				
			
				
					SetFlag -UserObjectId $UserObjectId -AADPasswordProfile $AADPasswordProfile
				
			

In comparison, Cayosoft Administrator provides the rules feature to easily automate many tasks, including tasks for hybrid users. Administrators can define rules to automate tasks like identifying stale accounts and disabling them or assigning specific features of Microsoft 365 during the account provisioning process. For example, a rule allows admins to quickly inform users of their password expiring while advising them to change their password.  

One of Cayosoft Administrator’s core use cases for automation is preventing unwanted environmental changes. It also offers a complete monitoring and auditing solution called Cayosoft Guardian that enables comprehensive Active Directory and Entra ID auditing out of the box from a single console. Many useful alerts are already built-in for the most critical change types. Guardian allows for automated remediation and rollback of object and attribute level changes. Another core feature of Guardian is enabling the recovery of deleted items in Entra ID even if they have been hard deleted and the 30-day retention period has elapsed.  

Cayosoft Administrator rule templates
Cayosoft Administrator Rule Templates

Redundancy and Disaster Recovery

Replication of the Active Directory database ensures the service is highly available even when it serves users, computers, and applications in different regions and data centers. Similarly, ensuring a backup of the Active Directory database is vital for business continuity. A disaster recovery plan is essential if there is data corruption or the Active Directory service is compromised by a security incident.

Replication settings can be managed with Active Directory Sites and Services. You can optimize your Active Directory topology based on the organization’s network infrastructure and data center design. You can manually trigger replication to force essential changes to other domain controllers on the same or different sites. There are also various command line tools like repadmin to initiate replication on demand and troubleshoot issues with replication.

Watch a 12-minute product demo video of Cayosoft’s hybrid user provisioning

Active Directory Sites and Services Console
Active Directory Sites and Services Console

Disaster Recovery

The traditional way to back up Active Directory is with the Windows Server Backup component, launched with “wbadmdin.msc,” built into the Windows Server operating system. These jobs can run daily or on some other schedule. The backups can be full backups or incremental based on business requirements.

Windows Server Backup Module
Windows Server Backup Module

Another way to back up Active Directory is with command line tools like wbadmin or the PowerShell cmdlets in the WindowsServerBackup module.

Backing up Active Directory is also possible through DsDButil. This tool allows point-in-time snapshots to be taken. These snapshots can then be mounted offline without requiring a restore on a domain controller, and the data can be viewed to see the state of the Active directory objects at that point in time.

Native tools provide the capabilities to achieve data recovery but require manual intervention, which can be time-consuming. Recovering objects and rolling back to previously configured settings is challenging in hybrid environments, as different tools are needed when working in Active Directory and Entra ID/Azure AD. Cayosoft Guardian allows for single click, instant recovery of objects and attribute values across both environments. Cayosoft Guardian Forest Recovery also offers a patent-pending technology and methodology that allows for instant recovery of the AD forest if the entire forest has been compromised.

Cayosoft Guardian Recovery Plan Interface
Cayosoft Guardian Recovery Plan Interface

To reduce downtime and accelerate the time it takes to get a Disaster Recovery plan in place for Active Directory, a tool like Cayosoft Guardian can be a wise investment. Cayosoft offers the fastest available recovery on the market! You can use a wizard-based guide that is ready to execute, and will recover domain controllers, domains, and forests in an environment in an automated way. In addition, recovery can be tested on a standby site. This product eliminates the tedious task of orchestrating Active Directory forest recovery using native tools.

Health and Performance

Health and performance monitoring insights and telemetry are critical to detect and remediate issues promptly. Having tools that monitor and detect issues while providing automated methods to remediate them reduces recovery time and business interruption risk.

Cayosoft Guardian also provides continuous change monitoring and real-time alerting across both environments, allowing administrators to take action to prevent outages and security incidents before they occur. The screen capture below shows the event-level changes being monitored in the Change History node in the Active Directory Forest. Guardian also has out-of-the-box threat monitoring specific to Entra ID and AD that scans for threats and gaps and provides remediation options.

Cayosoft Guardian Change History interface
Cayosoft Guardian Change History Interface

One of the newer tools available is the Entra Connect Health service. It is a cloud-based service that can provide insights into system performance and replication health and create alerts when issues arise. You can access the admin portal at https://entra.microsoft.com. There, you can search for Entra Connect Health in the search bar. It is easy to set up. One of the requirements is to install an agent on each Domain Controller in the forest. No outbound firewall rule changes are required. Only specific endpoints are needed for outbound access so that the agents can communicate with the Entra ID Connect Health service.

Microsoft’s Entra Connect Admin console
Microsoft’s Entra Connect Admin Console

A classic tool for performance monitoring of Windows Server and Active Directory is Performance Monitor, also known as perfmon (use “perfmon.msc” to launch). It is a console that displays many different counters. These can be saved into custom views to track performance over time and to troubleshoot performance issues.

Performance Monitor console
Performance Monitor Console

Event Viewer can view Windows Server operating system and Active Directory-related issues, including replication, database health, etc. Outside of the Entra ID Connect Health service, creating dashboards and reports would be a manual task requiring development effort. These tasks can be achieved with PowerShell. Issues detection and automation remediation would also require development effort when using out-of-the-box tools.

Learn why U.S. State’s Department of Information Technology (DOIT) chose Cayosoft

Conclusion

Organizations with a cloud presence, such as an instance of M365 or Entra ID (Azure AD or related services), usually need to use separate Active Directory management tools, which can become challenging for administrators.

When selecting management tools for Active Directory, there is a list of core capabilities and considerations to evaluate. The essential items are:

  •  Scalability and performance
  •  Integration and compatibility
  •  Security and Compliance
  •  User interface and usability
  •  Vendor support and documentation

Cayosoft is a vendor that has solutions that address these core capabilities. The Cayosoft Management and Protection Suite, including Cayosoft Administrator and Cayosoft Guardian, solves many challenges associated with Active Directory management concepts.

Like This Article?​

Subscribe to our LinkedIn Newsletter to receive more educational content

Explore More Chapters