Active Directory Users and Computers (ADUC) is a Microsoft Management Console snap-in that you use to administer Active Directory (AD). You can manage objects (users, computers), Organizational Units (OU), and attributes of each.
ADUC is one of the many tools that you can use to administer AD, and because it has been around since Windows 2000, it is one of the most popular. Read on to see how to run and use ADUC to manage AD.
How Do I Add Active Directory Users and Computers?
Some of you might have already looked for ADUC on your laptop to discover that it’s not there. It’s not part of the default installation, and how you get it installed depends on your version of Windows.
In current versions of Windows, ADUC is part of an administrative suite of tools called Remote Server Administration Tools (RSAT).
Remote Server Administration Tools (RSAT)
In an October 2018 update, Microsoft moved all of the Active Directory administration tools to a ‘feature on demand’ called RSAT. Attackers use whatever they can for privilege escalations and exfiltration. They don’t need RSAT to do major damage to your network, but it sure makes it easier! If an attacker got hold of a computer with ADUC installed, they could just change passwords and access rights at will. That would be very bad.
Anyway, if you want to access ADUC on your computer, you need to install RSAT. ADUC is not part of the default installation for any Windows version. Follow the instructions below to install:
Installing ADUC for Windows 10 Version 1809 and Above
- From the Start menu, select Settings > Apps.
- Click the hyperlink on the right side labeled Manage Optional Features and then click the button to Add feature.
- Select RSAT: Active Directory Domain Services and Lightweight Directory Tools.
- Click Install.
- When the installation completes, you will have a new menu item in the start menu called Windows Administrative Tools.
Installing ADUC for Windows 8 and Windows 10 Version 1803 and Below
- Download and install Remote Server Administration Tools for your version of Windows. The link is for Windows 10; other versions are available in the Microsoft Download Center.
- Click the Start button and select Control Panel > Programs > Programs and Features > Turn Windows features on or off.
- Scroll down the list and expand Remote Server Administration Tools.
- Expand Role Administration Tools.
- Expand AD DS and AD LDS Tools.
- Check AD DS Tools, then select “OK.”
- When the install completes you will have a folder for Administrative Tools on the Start menu. ADUC should be in this list.
Troubleshooting RSAT Installation
There are two common installation issues to check if something goes sideways and you can’t get RSAT installed. First, check that you have enabled Windows Firewall. RSAT uses the Windows Update backend and thus needs Windows Firewall enabled.
Second, sometimes after the install you might be missing tabs and such. Uninstall and reinstall. You might have had an older version and the update didn’t work 100%. You can also right-click ADUC in the Start menu and verify the shortcut is pointing to %SystemRoot%\system32\dsa.msc. If it doesn’t point there, then you need to uninstall and reinstall for sure.
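The Windows 10 1809+ install and the dsa.msc check above can also be done from an elevated PowerShell prompt. This is an added example, not part of the original article; it uses the built-in DISM cmdlets and the feature-on-demand name for the AD DS and LDS tools, and finishes by listing every RSAT capability on the machine so you know which admin tools it exposes.

```powershell
# Added example: check for, install, and verify the RSAT AD DS tools (Windows 10 1809+).
# Run from an elevated PowerShell prompt.
$capabilityName = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'

$cap = Get-WindowsCapability -Online -Name $capabilityName
Write-Host "State before: $($cap.State)"

if ($cap.State -ne 'Installed') {
    # Pulls the feature on demand through the Windows Update backend
    Add-WindowsCapability -Online -Name $capabilityName | Out-Null
    $cap = Get-WindowsCapability -Online -Name $capabilityName
}

# The ADUC snap-in itself: the Start menu shortcut should resolve to this file
$snapIn = Join-Path $env:SystemRoot 'system32\dsa.msc'

[pscustomobject]@{
    Capability   = $cap.Name
    State        = $cap.State
    SnapInPath   = $snapIn
    SnapInExists = Test-Path -LiteralPath $snapIn
}

# Inventory: every RSAT capability currently installed on this machine
Get-WindowsCapability -Online -Name 'Rsat.*' |
    Where-Object State -eq 'Installed' |
    Select-Object Name, State
```

If `SnapInExists` is false while the state reads `Installed`, remove the capability with `Remove-WindowsCapability` and add it again, which is the scripted form of the uninstall and reinstall advice above.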
What is Active Directory Users and Computers Used For?
ADUC can cover most of your AD admin responsibilities. The most important missing task is probably managing GPOs, but you can do most everything else in ADUC.
With ADUC, you can manage the FSMO server roles, reset passwords, unlock users, change group memberships, and too many more to list. There are other tools in RSAT you can also use to manage AD.
- Active Directory Administrative Center: Allows management for the AD Trash Can (accidental deletes), password policies, and displays the PowerShell history.
- Active Directory Domains and Trusts: Lets you administer multiple domains to manage functional level, manage forest functional level, manage User Principal Names (UPN), and manage trusts between domains and forests.
- Active Directory Module for Windows PowerShell: Enables the PowerShell cmdlets to administer AD.
- Active Directory Sites and Services: Allows you to view and manage Sites and Services. You can define the topology of AD and schedule replication.
- ADSI Edit: ADSI Edit is a low-end tool to manage AD objects. AD experts don’t recommend that you use ADSI Edit; use ADUC instead.
Now let’s look at a few different use cases for ADUC.
ADUC for Delegating Control
Scenario: You are looking to limit the sysadmin team’s responsibility to manage specific domains in your network. You would like to assign two sysadmins per domain, a primary and a backup. Here is how you would do this:
- Open ADUC as Admin.
- Right click the domain and select Delegate Control.
- Click through the Wizard until you reach the screen where you select users or groups. Add the user(s) you want to delegate administrative responsibilities to here.
- Select the user and click Next.
- Select the tasks you are delegating to this user in the next screen.
- On the next screen you get a recap, click Finish if it looks correct.
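The wizard writes access control entries onto the domain object, and ADUC has no single view that shows them afterwards. The following added example (not from the original article) reads those entries back for the two delegates so you can confirm they received only the tasks you selected. The account names `CORP\primary.admin` and `CORP\backup.admin` are hypothetical, and the script assumes the Active Directory module from RSAT is installed.

```powershell
# Added example: review what the Delegation of Control wizard actually granted.
Import-Module ActiveDirectory

# Hypothetical delegates from the scenario: a primary and a backup sysadmin
$delegates = @('CORP\primary.admin', 'CORP\backup.admin')
$targetDn  = (Get-ADDomain).DistinguishedName   # domain root, where the wizard was run

# Build a GUID -> name lookup so ObjectType GUIDs in each ACE become readable
$rootDse = Get-ADRootDSE
$guidMap = @{}
$guidMap[[guid]::Empty] = 'All'
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

# Explicit (non-inherited) ACEs on the target that name one of the delegates
(Get-Acl -Path "AD:\$targetDn").Access |
    Where-Object { -not $_.IsInherited -and
                   $delegates -contains $_.IdentityReference.Value } |
    Select-Object @{n = 'Principal';   e = { $_.IdentityReference.Value } },
                  AccessControlType,
                  ActiveDirectoryRights,
                  @{n = 'AppliesTo';   e = { $guidMap[$_.ObjectType] } },
                  @{n = 'InheritedBy'; e = { $guidMap[$_.InheritedObjectType] } },
                  # Flag rights that amount to full control of the object
                  @{n = 'Broad';       e = { "$($_.ActiveDirectoryRights)" -match
                                             'GenericAll|WriteDacl|WriteOwner' } } |
    Format-Table -AutoSize
```

Any row with `Broad` set to True gives the delegate the ability to rewrite permissions or take ownership, which is more than a task-scoped delegation should produce. Pass an OU distinguished name in `$targetDn` to review a delegation made lower in the tree.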
ADUC for Adding New Users to Domain
Next we will look at how to add a new user to the domain.
- Expand the tree for the domain where you want the new user, right click the User container and select New -> User.
- Fill in the blanks and click Next.
- Set a password and check the correct boxes and click Next.
- Verify the user is set up correctly in the next screen and click Finish.
ADUC for Adding a New Group
And to create a new group, follow these steps:
- Just as before, expand the domain and right click the container where you want the new Group to live, and select New -> Group.
- Fill in the blanks of the wizard, making sure to select the correct button for “Security” or “Distribution.”
- Click OK, and then find your new group and open it up, select the Members tab, and add the correct users to this group.
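The new user and new group procedures above, scripted with the Active Directory Module for Windows PowerShell mentioned earlier. This is an added example, not code from the original article; the user `jdoe`, the group `Helpdesk-Tier1`, and the use of the Users container are hypothetical choices. The wizard's checkboxes map to explicit parameters here, which makes the account's password settings visible in review.

```powershell
# Added example: create a user and a security group, then verify the result.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$container = "CN=Users,$($domain.DistinguishedName)"   # hypothetical target container
$sam       = 'jdoe'                                     # hypothetical account name
$group     = 'Helpdesk-Tier1'                           # hypothetical group name

# Prompt for the initial password so it never appears in the script or history
$password = Read-Host -Prompt "Initial password for $sam" -AsSecureString

# Equivalent of New -> User; the switches mirror the wizard's checkboxes
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName $sam `
    -UserPrincipalName "$sam@$($domain.DNSRoot)" `
    -Path $container `
    -AccountPassword $password `
    -ChangePasswordAtLogon $true `
    -PasswordNeverExpires $false `
    -Enabled $true

# Equivalent of New -> Group with the "Security" button selected
New-ADGroup -Name $group -SamAccountName $group `
    -GroupCategory Security -GroupScope Global -Path $container

# Equivalent of the Members tab
Add-ADGroupMember -Identity $group -Members $sam

# Verify both objects the way you would on the wizard's recap screen
Get-ADUser -Identity $sam -Properties whenCreated, MemberOf, PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, whenCreated, MemberOf
Get-ADGroupMember -Identity $group |
    Select-Object Name, SamAccountName, objectClass
```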
The more you know about the intricacies of AD the better prepared you are to defend it.
Varonis monitors and automates the tasks users perform with ADUC. Varonis provides a full audit log of any AD events (users added, logged in, group changes, GPO changes, etc.) and compares the current activity to a baseline of normalized behavior over time. Any new activity that looks like a cyberattack (brute force, ticket harvesting, privilege escalations, and more) triggers alerts that help protect your network from compromise and data breach.
Additionally, Varonis enables your data owners with the power to control who has access to their data. Varonis automates the process to request, approve, and audit data access. It’s a simple but elegant solution to a huge and increasingly important problem.
Want to see all the ways Varonis can help you manage and secure AD? Check out this on-demand webinar: 25 Key Risk Indicators to Help You Secure Active Directory.