Windows domain users and computers

The Active Directory Users and Computers (ADUC) snap-in is one of the most frequently used consoles for managing objects in an Active Directory domain. You can install the ADUC MMC snap-in on Windows Server as well as on desktop Windows 10 and 11. The ADUC console is part of the Microsoft Remote Server Administration Tools (RSAT) set of administration components. In this article, we will show how to install and use the Active Directory Users and Computers management console in Windows.

Contents:

  • Installing the RSAT Active Directory snap-in on Windows 10 and 11
  • How to use the Active Directory console?
  • Connecting the ADUC console to a domain from a workgroup

Installing the RSAT Active Directory snap-in on Windows 10 and 11

In modern versions of Windows 10 (starting with build 1809) and in Windows 11, the RSAT administration tools are installed online as Features on Demand. To install the RSAT Active Directory administration tools on Windows 10/11, go to Settings -> Apps -> Optional Features -> Add an optional feature (View features).

Type Active Directory in the search box and select the RSAT: Active Directory Domain Services and Lightweight Directory Services Tool component for installation.

Click Next -> Install to start the installation.

Windows will connect to Microsoft servers, then download and install the set of tools for managing Active Directory (it includes the Active Directory graphical consoles, command-line utilities and the Active Directory PowerShell module).

Alternatively, you can install the AD administration components with PowerShell:

Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

In isolated networks with no Internet access, you can install the RSAT Active Directory tools from the Windows 10 Features on Demand ISO image (the FoD image can be downloaded from the Microsoft licensing portal).

To install the Active Directory tools from a network folder that holds the contents of the FoD image, run the command:

Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -LimitAccess -Source \\fs01\Distr\Windows10-FOD\

In earlier builds of Windows 10, as well as in Windows 8.1, RSAT can be installed using an MSU update. You can download RSAT here:

  • RSAT for Windows 10 1803/1709 — https://www.microsoft.com/en-us/download/details.aspx?id=45520
  • RSAT for Windows 8.1 — https://www.microsoft.com/en-us/download/details.aspx?id=39296

Download the version of the RSAT file that matches the bitness of your operating system and install it. Double-click the file to start the installation:

WindowsTH-RSAT_TP5_Update-x64.msu

Or install the RSAT MSU file from the command line in quiet mode:

wusa.exe c:\Install\WindowsTH-RSAT_TP5_Update-x64.msu  /quiet /norestart

After the RSAT installation completes, you need to restart the computer.

What remains is to enable the required RSAT functionality. To do this:

  1. Right-click the Start button and select Control Panel
  2. Select Programs and Features
  3. In the left pane, click Turn Windows features on or off
  4. In the feature tree, expand Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools
  5. Check the AD DS Tools item and click OK.

The ADUC snap-in can also be installed from the command line. Run the following 3 commands in sequence:

dism /online /enable-feature /featurename:RSATClient-Roles-AD
dism /online /enable-feature /featurename:RSATClient-Roles-AD-DS
dism /online /enable-feature /featurename:RSATClient-Roles-AD-DS-SnapIns

After the management snap-ins are installed, a link to the Active Directory Users and Computers console will appear in the Administrative Tools section of Control Panel (Control Panel\System and Security\Windows Tools).

How to use the Active Directory console?

To start the ADUC console, click its shortcut in Control Panel or run the command:

dsa.msc

All authenticated domain users can use the ADUC console to view Active Directory objects.

If your computer is joined to an Active Directory domain, the ADUC console connects to a domain controller based on the current logon server. The name of the domain controller you are getting information from is shown at the top.

You can connect to a different AD domain controller or a different domain by clicking the console root and selecting the item in the context menu.

The Active Directory console displays the tree structure of the organizational units (Organizational Unit, OU) of your domain (and a separate section with AD Saved Queries).

A domain administrator can create containers (OUs) according to the physical or logical structure of the enterprise. Using the context menu, you can create new objects in AD (users, groups, computers, OUs, contacts), and rename, move or delete objects. The context menu items may differ depending on the type of object you selected.

For example, a user has options to reset the password in AD or to lock/unlock the account.

You can use the Search context menu to find objects in AD.

An administrator can delegate rights to create/edit/delete objects in Active Directory to other users or groups.

Using the View -> Add/Remove columns menu, you can add the object attributes that you want to display in the ADUC console.

In the ADUC console you can view or change the properties of domain objects. For example, you can open a user's properties and change their settings. Some user properties are on the corresponding tabs, and the full list of user attributes is available on the AD Attribute Editor tab.

You can add a separate tab with the AD user's photo.

To show system containers and object properties in the AD snap-in (hidden by default), enable the View -> Advanced features option.

After that, a number of system tabs will appear for all objects. For example, on the Object tab you can get the canonical name of the object, the account creation date, and enable the deletion protection option (protect object from accidental deletion).
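
The deletion-protection flag shown on the Object tab can also be reviewed for every OU at once with the Active Directory PowerShell module that RSAT installs. This is an added example, not code from the original article; it reports the same three values the Object tab shows, and Get-UnprotectedOU is a hypothetical helper name.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module from RSAT and read access to the domain.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-UnprotectedOU {
    [CmdletBinding()]
    param(
        [string]$Server,      # optional: query a specific domain controller
        [string]$SearchBase   # optional: limit the search to one OU subtree (DN)
    )

    $query = @{
        Filter     = '*'
        Properties = 'CanonicalName', 'whenCreated', 'ProtectedFromAccidentalDeletion'
    }
    if ($Server)     { $query.Server     = $Server }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    # Keep only OUs where "protect object from accidental deletion" is off.
    Get-ADOrganizationalUnit @query |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Sort-Object CanonicalName |
        Select-Object CanonicalName, whenCreated, DistinguishedName
}

# 1. Report the OUs that can currently be deleted by mistake.
Get-UnprotectedOU | Format-Table -AutoSize

# 2. Preview the fix. Remove -WhatIf to actually set the flag
#    (this needs write permission on the OUs).
Get-UnprotectedOU | ForEach-Object {
    Set-ADOrganizationalUnit -Identity $_.DistinguishedName `
        -ProtectedFromAccidentalDeletion $true -WhatIf
}
```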

Connecting the ADUC console to a domain from a workgroup

If you want to connect the ADUC console to a domain controller from a computer that is not joined to the domain (is in a workgroup), use the following method:

  1. Open a command prompt and run the command that starts the snap-in as a different user:
    runas /netonly /user:winitpro\aaivanov mmc
  2. In the empty MMC console, select File -> Add/Remove Snap-In
  3. Move the Active Directory Users and Computers snap-in to the right pane and click Add;
  4. To connect to the domain, click the console root and select Change domain. Specify the domain name.

As a result, the ADUC console will connect to the domain controller, then retrieve and display the container (OU) structure of that Active Directory domain.

Click Start, point to Administrative Tools, and then click Active Directory Users and Computers to start the Active Directory Users and Computers console. Click the domain name that you created, and then expand the contents.

Contents

  • 1 How do I access Active Directory Users and Computers?
  • 2 How do I access Active Directory?
  • 3 How do I open Active Directory Users and Computers in Windows Server 2012?
  • 4 How do I open Active Directory Users and Computers Server 2008?
  • 5 How do I open Active Directory Users and Computers on Windows Server 2019?
  • 6 How do I open Active Directory Users and Computers in Windows Server 2016?
  • 7 How do I turn on Active Directory Administrative Center?
  • 8 What is domain controller and Active Directory?
  • 9 How do I use Microsoft Active Directory?
  • 10 How do I find Active Directory users in Windows 10?
  • 11 What is DSA MSC?
  • 12 How do you create a group by using Active Directory Users and Computers snap in?
  • 13 What are the 5 roles of Active Directory?
  • 14 Is Active Directory only for Windows Server?
  • 15 What is the difference between server and Active Directory?

Use these steps to install it.

  1. Right-click the Start button and choose “Settings” > “Apps” > “Manage optional features” > “Add feature”.
  2. Select “RSAT: Active Directory Domain Services and Lightweight Directory Tools”.
  3. Select “Install”, then wait while Windows installs the feature.

How do I access Active Directory?

Select Start > Administrative Tools > Active Directory Users and Computers. In the Active Directory Users and Computers tree, find and select your domain name. Expand the tree to find the path through your Active Directory hierarchy.

How do I open Active Directory Users and Computers in Windows Server 2012?

Here’s how to install Active Directory Users and Computers in Windows Server 2012 R2:

  1. Click the Windows icon at the bottom right corner of your screen, and click “Server Manager” when the menu opens.
  2. When the Server Manager Dashboard displays, click the “Add Roles and Features” link to open the Wizard.

How do I open Active Directory Users and Computers Server 2008?

Access the Active Directory in Windows Server 2008 by opening the Active Directory Administrative Center.

  1. Click Start to open the Start Menu from the desktop.
  2. Left-click on the Administrative Tools option from the Start Menu and select the Active Directory Administration Center.

How do I open Active Directory Users and Computers on Windows Server 2019?

From the Start menu, select Settings > Apps. Click the hyperlink on the right side labeled Manage Optional Features and then click the button to Add feature. Select RSAT: Active Directory Domain Services and Lightweight Directory Tools. Click Install.

How do I open Active Directory Users and Computers in Windows Server 2016?

Navigate into Server Manager.

  1. Click Manage -> Add roles and features.
  2. Pick Role based or feature based installation -> Click Next.
  3. Pick the Server from the Server pool -> click Next.
  4. Check Active Directory Domain Services -> Click Next.
  5. Follow the screenshot and click Next.
  6. Proceed by clicking Next.

How do I turn on Active Directory Administrative Center?

To enable Active Directory Recycle Bin in ADAC on the target domain

  1. Right click the Windows PowerShell icon, click Run as Administrator and type dsac.exe to open ADAC.
  2. Click Manage, click Add Navigation Nodes and select the appropriate target domain in the Add Navigation Nodes dialog box and then click OK.

What is domain controller and Active Directory?

Active Directory is a directory service that stores information of users, network resources, files and other network objects. On the other hand, a domain controller is a server that responds to security authentication requests within a Windows Server domain.

How do I use Microsoft Active Directory?

Right-click on the Start button and go to Settings > Apps > Manage optional features > Add feature. Now select RSAT: Active Directory Domain Services and Lightweight Directory Tools. Finally, select Install then go to Start > Windows Administrative Tools to access Active Directory once the installation is complete.

How do I find Active Directory users in Windows 10?

Open File Explorer, select Network, and you should see a button in the toolbar labeled “Search Active Directory”. Depending on your permissions, it will let you search users and groups by name, and view the membership of those.

What is DSA MSC?

By default, the Active Directory Users and Computers (dsa.msc) console is installed on a Windows Server host when it’s promoted to a domain controller during the Active Directory Domain Services (AD DS) role installation.

How do you create a group by using Active Directory Users and Computers snap in?

To add a new membership group in Active Directory

  1. Open the Active Directory Users and Computers console.
  2. In the navigation pane, select the container in which you want to store your group.
  3. Click Action, click New, and then click Group.
  4. In the Group name text box, type the name for your new group.

What are the 5 roles of Active Directory?

Currently in Windows there are five FSMO roles:

  • Schema master.
  • Domain naming master.
  • RID master.
  • PDC emulator.
  • Infrastructure master.

Is Active Directory only for Windows Server?

The main Active Directory service is Active Directory Domain Services (AD DS), which is part of the Windows Server operating system. It’s important to understand that Active Directory is only for on-premises Microsoft environments.

What is the difference between server and Active Directory?

Definition. A directory service produced by Microsoft for Windows domain networks is known as Active Directory, whereas a server that responds to the authentication security requests such as checking permissions, logging in, etc.

Any Windows Server administrator must have used the Active Directory Users and Computers (ADUC) Microsoft Management Console on a Domain Controller (DC). Using this console, you can control and manage users, user groups, computers, and the Organizational Units (OUs) in the domain.

The ADUC console is no longer limited to servers. You can install the Active Directory Users and Computers snap-in on a Windows 11 or Windows 10 computer as well, where it performs the same functions as the original Server console. This snap-in is part of the Remote Server Administration Tools (RSAT) for Windows operating systems.

We have written separate posts for installing any RSAT tools on Windows 11 and Windows 10. This article focuses specifically on installing the Active Directory Users and Computers snap-in on a Windows PC and then using it to manage your domain.

Table of contents

  • How to Install Active Directory Users and Computers (ADUC) on Windows
    • Install Active Directory Users and Computers from Settings App
    • Install Active Directory Users and Computers from Command Prompt
    • Install Active Directory Users and Computers from PowerShell
  • How to Use Active Directory Users and Computers
    • How to Open Active Directory Users and Computers Snap-In
    • Connect ADUC to Domain Controller
    • Manage Users, Computers, Organizational Unit using ADUC
  • What is Active Directory Users and Computers Used For

How to Install Active Directory Users and Computers (ADUC) on Windows

All RSAT tools, including the Active Directory Users and Computers snap-in, allow you to manage the different Active Directory components as if you were on the server itself. This way, you do not always have to access the server, either physically or remotely, to perform an action.

You can download and install the Active Directory Users and Computers snap-in using the Settings app, from the Command Prompt, and Windows PowerShell.

Note: On Windows 10 v1803 and older, you must download and install all RSAT tools using the MSI files. You can find the MSI files for your version of Windows here.

Install Active Directory Users and Computers from Settings App

The easiest way to install the ADUC snap-in on a Windows PC is from the settings app. It does involve more steps than the other methods shared below, but this is the only method using the Windows GUI.

Use these steps to install the ADUC snap-in from the Settings app:

  1. Navigate to the following:

    Settings app >> Apps >> Optional Features
  2. Click “View features.”

    Add an optional feature
  3. Search for “Active Directory,” select “RSAT: Active Directory Domain Services and Lightweight Directory Services Tools,” and click Next.

    Select Active Directory Users and Computers
  4. Click “Install.”

    Install Active Directory Users and Computers from the Settings app
  5. Once installed, restart the computer.

The Active Directory Users and Computers snap-in will now be installed. If you prefer installing it using the command line, refer to the sections below. To learn how to use the snap-in, continue reading below.

Install Active Directory Users and Computers from Command Prompt

Below are the simple steps to install Active Directory Users and Computers snap-in using the Command Prompt:

  1. Open an elevated Command Prompt instance.

  2. Run the following command:

    DISM /Online /Add-Capability /CapabilityName:Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

    Install Active Directory Users and Computers snap-in using Command Prompt

The ADUC snap-in should now be installed. Run the following command in Command Prompt to confirm that the Active Directory Users and Computers snap-in has been installed:

DISM.exe /Online /Get-CapabilityInfo /CapabilityName:Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

Confirm ADUC installation from Command Prompt

You should see “Installed” in front of Status.

Install Active Directory Users and Computers from PowerShell

Use the following steps to install the Active Directory Users and Computers snap-in using PowerShell:

  1. Launch an elevated PowerShell instance.

  2. Run the following command to install ADUC:

    Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

    Install Active Directory Users and Computers snap-in using PowerShell

The ADUC snap-in should now be installed. To confirm its status, run the following command in PowerShell:

Get-WindowsCapability -Online | Where-Object {$_.Name -like "RSAT.ActiveDirectory*"}

Confirm ADUC installation from PowerShell

You should see “Installed” in front of State.
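
The install and status-check commands from this section, combined with the offline -LimitAccess/-Source variant shown earlier on this page, can be wrapped into one repeatable PowerShell function. This is an added example, not code from the original articles; the function name Install-RsatAdTools and its parameters are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original articles): install the RSAT AD DS/LDS
# tools only when they are missing, optionally from an offline Features on
# Demand (FoD) share, then verify the result.
# Install-RsatAdTools is a hypothetical helper name.

function Install-RsatAdTools {
    [CmdletBinding()]
    param(
        # Capability name exactly as used in the commands on this page.
        [string]$CapabilityName = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0',

        # Optional folder or UNC share that holds the FoD image contents,
        # for example \\fs01\Distr\Windows10-FOD\ as shown on this page.
        [string]$FodSource
    )

    $restartNeeded = $false
    $before = Get-WindowsCapability -Online -Name $CapabilityName -ErrorAction Stop

    if ($before.State -ne 'Installed') {
        $installArgs = @{ Online = $true; Name = $CapabilityName; ErrorAction = 'Stop' }
        if ($FodSource) {
            if (-not (Test-Path -LiteralPath $FodSource)) {
                throw "FoD source '$FodSource' is not reachable."
            }
            # -LimitAccess stops DISM from contacting Windows Update or WSUS,
            # so the payload can only come from the share you control.
            $installArgs.Source      = $FodSource
            $installArgs.LimitAccess = $true
        }
        $result = Add-WindowsCapability @installArgs
        $restartNeeded = [bool]$result.RestartNeeded
    }
    else {
        Write-Verbose "$CapabilityName is already installed; nothing to do."
    }

    # Re-query instead of trusting the install call.
    $after = Get-WindowsCapability -Online -Name $CapabilityName -ErrorAction Stop
    if ([string]$after.State -notin 'Installed', 'InstallPending') {
        throw "Capability state is '$($after.State)' after installation."
    }
    if ($restartNeeded) {
        Write-Warning 'A restart is required to finish installing the capability.'
    }

    # The capability delivers both the console and the PowerShell module;
    # report whether each is actually present.
    [pscustomobject]@{
        Name            = $CapabilityName
        State           = [string]$after.State
        RestartNeeded   = $restartNeeded
        ConsolePresent  = Test-Path -LiteralPath (Join-Path $env:SystemRoot 'System32\dsa.msc')
        AdModulePresent = [bool](Get-Module -ListAvailable -Name ActiveDirectory)
    }
}

# Online install:            Install-RsatAdTools -Verbose
# Isolated network install:  Install-RsatAdTools -FodSource '\\fs01\Distr\Windows10-FOD\'
```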

These are all the methods to install the Active Directory Users and Computers snap-in on a Windows 11/10 PC. Let us now continue to see how to use this tool.

How to Use Active Directory Users and Computers

How to Open Active Directory Users and Computers Snap-In

Now that Active Directory Users and Computers is installed, you can open it by searching for it in the Start menu, or running the following in the Run Command box:

dsa.msc

Open Active Directory Users and Computers snap-in from the Run Command box

Alternatively, you can also open the ADUC snap-in through the Control Panel at the following location:

Control Panel >> System and Security >> Windows Tools

Open ADUC snap-in from Control Panel

If your computer is connected to a domain and you are logged in from an authorized domain account, then the ADUC snap-in will automatically connect to the server. However, if one is not connected, then you must connect to the Domain Controller.

Connect ADUC to Domain Controller

Use these steps to connect to a Domain Controller. You can also use these to change your domain/Domain Controller.

  1. From the ADUC console, click “Action,” and then click “Change Domain Controller.”

    Change or connect to Domain Controller

    The Change Directory Server window will now open.

  2. Select the “This Domain Controller or AD LDS instance” radio button, then select the Domain Controller from the given list and click OK.

    Select and connect to Domain Controller

The ADUC will now connect to the Domain Controller and populate the fields.

Active Directory Users and Computers snap-in successfully connected to Domain Controller

Now that you are connected to the Domain Controller, you can begin making changes and managing the different components of the domain.

Manage Users, Computers, Organizational Unit using ADUC

Add new computers, users, OUs using ADUC snap-in

You can now begin adding new users, computers, printers, and Organizational Units to the domain. Simply right-click on the OU that you want to add the new device/user to, expand “New”, and select the element that you want to add.

Once you have selected the element to add, the respective window will open, where you can then configure the component to add.

You can now also use other operators to manage the users, devices, and other elements configured inside the domain directly from your Windows PC.

Additionally, you can also manage what you see inside the snap-in. Click “View” from the top menu and select the things that you want to see. You can then also click “Filter options” to open the advanced viewing options.

Change view options

The list does not end here. There are a bunch of other management options you can perform directly from the ADUC snap-in on a Windows PC. We suggest that you play around to discover all the options. However, we advise caution and only use the console if you know what you are doing.

What is Active Directory Users and Computers Used For

By now, we have a pretty good understanding of what the ADUC snap-in can be used for. However, there is more to it than meets the eye. The Active Directory Users and Computers RSAT tool can be used to perform the following actions:

  • Create and manage user accounts, computers, and Active Directory groups.
  • View and edit AD object attributes with ADSI Edit.
  • Search for AD objects.
  • Change or reset user password in Active Directory.
  • Create organizational units and build hierarchical structures for AD objects. You can also delegate administrative permission on these OUs to other domain users.
  • Delegate administrative permissions.
  • Raise domain functional level, and transfer FSMO roles with PowerShell to another domain controller.

From this, it is understood how useful the ADUC snap-in is for administrators that use Windows client PCs.

If you’ve ever managed an Active Directory domain controller, you’re probably familiar with this long-standing, easy-to-use «Active Directory Users and Computers» console.
Here is a full presentation of it.

  1. Available folders
    1. Builtin folder
    2. Computers folder
    3. Domain Controllers folder
    4. ForeignSecurityPrincipals folder
    5. Managed Service Accounts folder
    6. Users folder
  2. Create new objects in your Active Directory domain
    1. Create a new user
    2. Create a new group
    3. Create an organizational unit
    4. Reference a shared folder
    5. Reference a shared printer
    6. Add a printer on a client PC from the Active Directory
  3. Advanced features
  4. Filter options
  5. Actions
    1. Delegate Control
    2. Find
    3. Change Domain
    4. Change Domain Controller
    5. Raise domain functional level
    6. Operations Master
    7. Properties
    8. Resultant Set of Policy (Planning)

1. Available folders

By default, only the main folders are displayed:

  • Builtin
  • Computers
  • Domain Controllers
  • ForeignSecurityPrincipals
  • Managed Service Accounts
  • Users

1.1. Builtin folder

In the «Builtin» folder, you will find the groups created by default by Windows Server and Active Directory.

1.2. Computers folder

In the «Computers» folder, you will find the «computer» type objects corresponding to the client computers that you have joined to your Active Directory domain.

If you display the properties of a computer type object, you will find, for example:

  • the NETBIOS name of the affected computer
  • its full DNS name
  • the type of computer or domain controller. In this case, it indicates that it’s a workstation. In other words, a client computer with a client version of Windows (e.g. Win 10).

In the «Operating System» tab, you will find information about the operating system installed on it:

  • the name of the operating system: in our case, Windows 10 Professional
  • its version: 10.0 (19041)
  • the service pack installed (if applicable)
  • the service pack installed (if applicable)

In the «Member of» tab, you can choose in which group you want to add this computer.
By default, computer objects are members of the «Domain Computers» group.

In the «Delegation» tab, you can choose whether or not to approve this computer for Kerberos or for specific services.

This tab is particularly useful when you implement dynamic migration with several Hyper-V servers.
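
The choices made on the «Delegation» tab are stored as attributes of the computer object, so they can be reviewed for the whole domain at once rather than one properties window at a time. This is an added example, not code from the original article; Get-ComputerDelegationReport is a hypothetical helper name and the mode labels are paraphrased.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module from RSAT and read access to the domain.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-ComputerDelegationReport {
    [CmdletBinding()]
    param([string]$Server)   # optional: query a specific domain controller

    # userAccountControl bits, matched with the LDAP bitwise-AND rule
    # (OID 1.2.840.113556.1.4.803):
    #   524288   (0x80000)   TRUSTED_FOR_DELEGATION         -> delegation to any service
    #   16777216 (0x1000000) TRUSTED_TO_AUTH_FOR_DELEGATION -> specified services,
    #                                                          any authentication protocol
    # msDS-AllowedToDelegateTo holds the list of specified services.
    $query = @{
        LDAPFilter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
                     '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
                     '(msDS-AllowedToDelegateTo=*))'
        Properties = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
                     'msDS-AllowedToDelegateTo', 'primaryGroupID', 'OperatingSystem'
    }
    if ($Server) { $query.Server = $Server }

    Get-ADComputer @query | ForEach-Object {
        $mode = if ($_.TrustedForDelegation) {
            'Any service (Kerberos only)'
        } elseif ($_.TrustedToAuthForDelegation) {
            'Specified services, any authentication protocol'
        } else {
            'Specified services, Kerberos only'
        }

        [pscustomobject]@{
            Name               = $_.Name
            # 516 = Domain Controllers, 521 = Read-only Domain Controllers.
            # Writable domain controllers carry the any-service setting by
            # default, so they are flagged to separate them from member computers.
            IsDomainController = $_.primaryGroupID -in 516, 521
            DelegationMode     = $mode
            Services           = @($_.'msDS-AllowedToDelegateTo') -join '; '
            OperatingSystem    = $_.OperatingSystem
        }
    } | Sort-Object IsDomainController, DelegationMode, Name
}

# Member computers with any delegation option enabled:
Get-ComputerDelegationReport |
    Where-Object { -not $_.IsDomainController } |
    Format-Table -AutoSize -Wrap
```

Each row for a member computer should correspond to a service that is known to need delegation, such as the Hyper-V hosts mentioned above.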

In the «Location» tab, you can choose its location.

You can delegate management of a computer to a user in your Active Directory domain.
However, this «Managed By» tab is mostly useful for domain controllers.

Finally, in the «Dial-In» tab, you can:

  • choose whether this computer can access the network or not, or if this setting is managed by the «NPS Network policy»
  • assign static IP addresses to this computer
  • apply static routes if necessary

1.3. Domain Controllers folder

In the «Domain Controllers» folder, you will find the list of domain controllers joined to this Active Directory domain.

If you display the properties of the computer object of a domain controller, you can find:

  • its NETBIOS name
  • its DNS name
  • what type of domain controller it is: global catalog, …
  • in which Active Directory site it’s located

In the case of a domain controller, a «NTDS Settings» button is present in the properties of the computer object.
In these NTDS Settings, you can choose whether or not this domain controller should act as a «Global Catalog».

In the «Connections» tab, you will find the list of domain controllers from or to which the data of your Active Directory domain are replicated.
For example, assuming that we add a new domain controller to our Active Directory domain, and that we choose our domain controller «DC» as the source, we would see a «DC2-RODC — Default-First-Site-Name» appear in the «Replicate To» list.

The «Managed By» tab is blank by default for writable domain controllers.

In the case of read-only domain controllers (RODCs), an additional «Password Replication Policy» tab will be displayed.

Still in the case of a read-only domain controller (RODC), you will be able to find the name of its delegated administrator if you defined one when you deployed this read-only domain controller (RODC).

1.4. ForeignSecurityPrincipals folder

This «ForeignSecurityPrincipals» folder looks empty by default, but actually contains several special security-related identities.
To learn all about this somewhat special folder, refer to the Microsoft site: Active Directory: Foreign Security Principals and Special Identities

To display the contents of this «ForeignSecurityPrincipals» folder, you must go to the «View» menu and click «Advanced Features».

Now, as you can see, several security identities appear, including one which is, for example, linked to the «NT AUTHORITY\Authenticated Users» group.

1.5. Managed Service Accounts folder

Managed Service Accounts are domain accounts whose password is automatically managed by the domain controller.
These managed service accounts are used to run specific services (the services that you find on Windows), scheduled tasks or for application pools on Microsoft IIS web servers.

Sources: Running Assessments with Managed Service Accounts

1.6. Users folder

In the «Users» folder, you will find by default, a list of users and groups created during the installation of Windows Server or created later during the installation of specific roles (including AD DS).
Among these users and groups, you will obviously find:

  • the «Administrator» account of the server which also becomes the administrator of the domain when you promote your server as a domain controller
  • the «Domain Admins» group
  • and more

What is Active Directory Users and Computers (ADUC)?

ADUC is a Microsoft Management Console (MMC) snap-in that enables administrators to manage Active Directory objects and their attributes. For example, they can:

  • Change passwords.
  • Reset user accounts.
  • Add users to security groups.
  • Create and delete organizational units (OUs)
  • Assign FSMO roles like RID Master, PDC Emulator and Infrastructure Master to domain controllers.
  • Create and manage computers, groups and users and their attributes
  • Delegate control of objects.
  • Define advanced security and auditing in AD.

You can find more information about Active Directory in our AD tutorial for beginners.

AD Users and Computers advanced features

If you enable the Advanced Features setting in ADUC (as described later in this document), you can also manage:

  • The LostAndFound container
  • NTDS quotas
  • Program data
  • System information

Enabling Advanced Features adds many tabs to the properties page of an object, including Published Certificates, Attribute Editor and Password Replication.

How to enable AD Users and Computers

Your Active Directory domain controllers (DCs) will have ADUC installed by default.

Remote Server Administration Tools (RSAT)

To manage servers and other computers remotely, you should install Remote Server Administration Tools (RSAT) for Windows, which includes ADUC. Note that RSAT can be installed only on computers that are running the Professional or Enterprise versions of Windows.

RSAT enables administrators to run snap-ins and tools to control features, roles and role services on a remote server or other computer. RSAT comes bundled with the operating system starting with Windows Server 2008 R2. For earlier versions of Windows Server, as well as Windows 7 and Windows 8, RSAT is available as a package for download with installation instructions.

The remote administration tools included in the RSAT package include the following:

  • Active Directory Users and Computers (ADUC) — Widely used by system administrators to create and manage Active Directory objects
  • Active Directory Administrative Center — Used to manage the AD trash can and password policies and to display your PowerShell history
  • Active Directory Module for Windows PowerShell — Provides PowerShell cmdlets for administering AD
  • Active Directory Domains and Trusts — Allows you to manage functional level, forest functional level and user principal names (UPNs), as well as trusts between forests and domains
  • Active Directory Sites and Services — Lets you view and manage your sites and services
  • ADSI Edit — Provides some functionality for managing AD objects, though most experts recommend using ADUC

How to install ADUC on a Windows member server

To install ADUC, use the wizard in Server Manager, a management tool included with Windows Server, as follows:

  1. Launch Server Manager in one of the following ways:
    • Click the Server Manager icon on the taskbar, as shown below:
    • Click the Windows Start button and type Server Manager in the search box. Then click the Server Manager icon.
  2. To open the wizard, click Add roles and features.
  3. The first page describes what you can do with the wizard and the prerequisites for using it. Click Next to proceed.
  4. On the next page, select Role-based or feature-based installation and click Next.
  5. Select either a server from the server pool or a virtual hard disk. Click Next.
  6. The next page lists the roles you could install. We will skip this and simply click Next.
  7. On the next page, select Remote Server Administration Tools and AD DS and AD LDS Tools, which will automatically select the other Active Directory management tools. Click Next.
  8. The next page displays a summary of the tools being installed. Select the Restart the destination server automatically if required checkbox because some of the roles and features require a server restart. Click Install to start the installation.
  9. On the next page, you can view the installation progress. Click Close at any time to close the wizard; the installation will continue as a running task.
  10. After the installation succeeds, open Server Manager and click the Tools menu to see the installed tools, which include Active Directory Users and Computers along with other management tools.

How to install ADUC on Windows clients

How you install Active Directory Users and Computers on a Windows workstation depends on which version of Windows you’re running: either Windows 11 or a version of Windows 10 later than version 1809.

How to determine your Windows version

You can determine the Windows version by following any of the steps below.

Install ADUC on Windows 10 version 1809 and above

  1. Click the Start menu and then click Settings > Apps.
  2. Click Optional Features, and then click Add a feature.
  3. Click RSAT: Active Directory Domain Services and Lightweight Directory Services Tools.
  4. Click Install.

When the installation completes, you will see a new item in the Start menu under Windows Administrative Tools.

Install ADUC using the command line

Alternatively, if you’re using Windows 10 version 1809 or later, you can install ADUC from the command line as follows:

  1. Click Start (or press Win+R). Type cmd and press Enter.
  2. Run the following commands:
     dism /online /enable-feature /featurename:RSATClient-Roles-AD
     dism /online /enable-feature /featurename:RSATClient-Roles-AD-DS
     dism /online /enable-feature /featurename:RSATClient-Roles-AD-DS-SnapIn

Install ADUC on Windows 8 or Windows 10 version 1803 and below

  1. Download Remote Server Administration Tools for Windows 10 version 1803 and below from the Microsoft Download Center and install it.
  2. Click the Windows Start button and then click Control Panel > Programs. Under Programs and Features, click Turn Windows features on or off.
  3. Scroll down in the list of features and expand Role Administration Tools -> AD DS and AD LDS Tools. Check AD DS Tools. Then click OK.
  4. Once the system has installed the tools, click Restart now.

When the installation completes, the folder Windows Administrative Tools will appear in the Start menu, and ADUC will be in this folder.

Install ADUC on older versions of Windows

If you have an older version of Windows, you can download the appropriate RSAT package and then use Add Windows features in the Control Panel to add the necessary MMC snap-ins.

Note that if you install RSAT on a computer running Windows 7, you must enable the tools manually after RSAT installation. Go to Start > Control Panel > Programs and Features and use Turn Windows features on or off.

How to fix RSAT errors in Windows 10

RSAT can crash for various reasons, including a failed update, a corrupt installation file or operating system incompatibility. In addition, issues can occur if a server administrator attempts to modify any of its administration tools, especially the Active Directory Administrative Center (ADAC) component of RSAT. Here are some troubleshooting tips:

First, make sure you have the right RSAT version for your operating system. If not, uninstall RSAT and install the correct version.

If you get RSAT installation error 0x800f0954:

  1. Right-click the Start button > Choose Run > Type gpedit.msc > Click OK.
  2. In the local group policy editor, navigate to Computer Configuration > Administrative Templates > System.
  3. Right-click the Specify settings for optional component installation and component repair policy > Set it to Enabled and check the box Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS).
  4. Click Apply > Click OK.
  5. Right-click the Start button > Choose Run > Type gpupdate > Click OK.

RSAT installation error 0x80070003 is usually related to installation from an uncommon location. Copy the installation files to the target machine’s local drive and proceed.

ADUC console components

The Active Directory Users and Computers console has some key components that make it easy for system administrators to manage objects:

  • Menu bar: Contains the File, Actions, View and Help menus
  • Toolbar: Contains buttons to perform quick actions, such as creating a new user or group and showing or hiding the Directory and Action panes
  • Directory (Console Tree) pane: Shows the hierarchy of the domain you are connected with, as well as a list of the available containers and OUs
  • Objects Pane: Shows the objects and their attributes; you can edit the columns using the View menu
  • Actions Pane: Shows the details of the selected object and offers a More Actions option

ADUC advanced settings

By default, ADUC shows some OUs and other containers. To work on other containers, click on the View menu and click Advanced Features.

Then you will see additional properties: an object's properties dialog shows more tabs in the advanced view than in the normal view.

How to perform common administrative tasks using ADUC

Create an organizational unit (OU)

Follow these steps to create an organizational unit:

  1. Right-click the domain or the OU under which you want to create the desired OU; then click New > Organizational Unit.
  2. Type a name for the new OU in the Name field, and specify whether to protect the OU from accidental deletion. Click OK to create the organizational unit.

Add a user account

  1. Select the domain where you want to add the user, and then expand its contents.
  2. Right-click the container you want to add a user to (usually Users), select New and then click User.
  3. Type the new user’s first name, last name and logon name. Then click Next.
  4. Type and confirm a new password for the user. Make sure you enable one of the following options to control how the user must manage their password:
    • User must change password at next logon
    • User cannot change password
    • Password never expires
    • Account is disabled
      Click Next.
  5. Make sure everything you entered is correct and then click Finish.

Enable and disable user accounts

You can easily disable or enable a user account using the context menu in ADUC.

To enable a user account:

  • Right-click a disabled user and click Enable Account.

To disable a user account:

  • Right-click the user object you want to disable and click Disable Account.

Create a group object

Follow these steps to create a group using ADUC:

  1. Right-click the domain or the OU under which you want to create the new group.
  2. Specify the following:
    • A name and a pre-Windows 2000 name for the group
    • The group type: distribution or security
    • The group scope: domain local, global or universal
  3. Click OK to create the group.

Add a user to a group

  1. Right-click the domain in which you want to add a user to a group and then select Find.
  2. Select Users, Contacts, and Groups in the Find dropdown list.
  3. Enter the name of the group you want to add the user to, click Find Now, select the desired group in the search results and click OK.
  4. Go to Action > Properties and click the Members tab. Click Add.
  5. Type the name of the user you want to add and click Check Names. (Alternatively, you can use the Advanced button to search for the users one by one. If you specify multiple users, separate their names using semicolons.) Then click OK to confirm the addition.

Remove a user from a group

  1. Right-click the domain from which you want to remove the user and select Find.
  2. Select Users, Contacts, and Groups in the Find dropdown list.
  3. Enter the name of the group you want to remove the user from and click Find Now.
  4. Right-click the desired group and select Properties.
  5. Go to the Members tab, highlight the user and click Remove.

Reset a user’s password

  1. Navigate to the Users folder of the user’s domain.
  2. Right-click the user’s name, choose All Tasks and select Reset Password.
  3. Type a new password, type it again in the Confirm password box, and then click OK.

Move a user to another OU

  1. Right-click Active Directory Users and Computers and select Connect to Domain.
  2. Enter the name of the user’s domain and click OK.
  3. Right-click the user and select Move.
  4. Choose the container you want to move the user to and then click OK.
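
The disable, group removal, password reset and move tasks described above are often carried out together when someone leaves the organization. The following PowerShell is an added example, not part of the original article; the function name Disable-DepartedUser, the account name and the target OU are assumptions.

```powershell
# Added example: disable, reset password, remove from groups and move,
# done in one step with the Active Directory module (part of RSAT).
Import-Module ActiveDirectory

function Disable-DepartedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Distinguished name of the OU that holds disabled accounts (assumed).
        [Parameter(Mandatory)][string]$TargetOu
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable and move')) { return }

    # 1. Disable the account (ADUC: Disable Account).
    Disable-ADAccount -Identity $user

    # 2. Reset the password to a random value nobody knows (ADUC: Reset Password).
    $bytes = New-Object byte[] 24
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    # Base64 text plus a fixed suffix so that upper case, lower case, digit
    # and symbol are all present for the domain's complexity policy.
    $plain = [Convert]::ToBase64String($bytes) + 'aZ9!'
    Set-ADAccountPassword -Identity $user -Reset `
        -NewPassword (ConvertTo-SecureString $plain -AsPlainText -Force)

    # 3. Remove every group membership listed in memberOf (the primary group
    #    is not listed there). Keep the list so the change can be reviewed.
    $removed = @($user.MemberOf)
    foreach ($groupDn in $removed) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # 4. Move the object last, because its distinguished name changes (ADUC: Move).
    Move-ADObject -Identity $user -TargetPath $TargetOu

    [pscustomobject]@{
        User          = $user.SamAccountName
        RemovedGroups = $removed
        MovedTo       = $TargetOu
    }
}

# Constructed names; -WhatIf shows what would happen without changing anything.
Disable-DepartedUser -SamAccountName 'jdoe' `
    -TargetOu 'OU=Disabled Users,DC=example,DC=com' -WhatIf
```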

Change a user’s data

  1. Right-click Active Directory Users and Computers and select Connect to Domain.
  2. Enter the name of the user’s domain and click OK.
  3. Right-click the user and select Properties.
  4. Navigate to the tab containing the data you want to change, make your edits, and click OK.

Change a group’s type and scope

To change a group’s type or scope, take these steps:

  1. Right-click the desired group and select Properties.
  2. On the General tab, specify the new group type and/or scope. Then click OK.

Find objects in the directory

ADUC provides a powerful search for finding objects in the entire directory. You can find users, contacts, groups and OUs using the Find dialog box:

  1. Right-click either the domain or an OU and click Find.
  2. In the Find dialog box, specify the following:
    • In the Find drop-down, select Users, Contacts, and Groups.
    • Using the In drop-down, select where to search: either a domain or the entire directory.
    • To narrow your search, use the Browse button to select a particular OU.
    • In the Name field, type the first or full name of the user or the name of the group you want to find.
      Click Find Now.
  3. Review the search results. You can double-click an object to view its properties.

Delegate control to users

Using the Active Directory Delegation wizard, you can enable a user or group to perform specific tasks, such as creating user objects or managing specific domain controllers.

Take the following steps to delegate permissions to a specific user:

  1. Right-click the domain or the OU where you want to assign permissions to an object. Click Delegate Control to launch the Delegation of Control wizard.
  2. The Welcome page describes what you can do with this wizard. Click Next.
  3. On the next page, click Add to search for the user or group object you want to apply permissions on.
  4. Type the name of the user or group you want to delegate to, and click Check Names. From the list of matching objects, select the desired user and click OK.
  5. You will now see the object in the Selected users and groups field. Click Next.
  6. On the next page, select the Delegate the following common tasks radio button and click one or more of the checkboxes underneath it. Click Next.
  7. Select the scope of the delegation:
    • Choosing This folder, existing objects in this folder, and creation of new objects in this folder will grant all the permissions to the object on the selected folder or OU.
    • Selecting Only the following objects in the folder enables you to delegate permissions to only the objects in the folder that you specify.
      Click Next.
  8. Select the permissions you want to delegate and click Next.
  9. Review your changes and click Finish.
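
After delegating, it is worth checking what has actually been written to the OU's access control list. The following PowerShell is an added example, not part of the original article; the function name Get-OuDelegation, the HighRisk column and the OU distinguished name are assumptions.

```powershell
# Added example: list the explicit (non-inherited) Allow entries on an OU,
# which is where delegated permissions are stored.
# Requires the Active Directory module (part of RSAT), which also provides
# the AD: drive used by Get-Acl below.
Import-Module ActiveDirectory

function Get-OuDelegation {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$OuDn)

    # Map schema and extended-right GUIDs to readable names, so an entry
    # limited to one attribute, right or object class can be read directly.
    $root  = Get-ADRootDSE
    $names = @{}
    $names[[guid]::Empty] = 'All'
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $names[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
                 -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid |
        ForEach-Object { $names[[guid]$_.rightsGuid] = $_.Name }

    # ActiveDirectoryRights bits: WriteDacl = 0x40000, WriteOwner = 0x80000.
    # Either one lets the delegate change permissions or ownership.
    # GenericAll (full control) contains both bits, so the mask catches it too.
    $takeover = 0x40000 -bor 0x80000

    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                Scope     = $names[$_.ObjectType]           # attribute, right or child class
                AppliesTo = $names[$_.InheritedObjectType]  # object class the entry targets
                Inherit   = $_.InheritanceType
                HighRisk  = (([int]$_.ActiveDirectoryRights -band $takeover) -ne 0)
            }
        }
}

# Constructed OU name; entries that grant takeover rights are listed first.
Get-OuDelegation -OuDn 'OU=Staff,DC=example,DC=com' |
    Sort-Object HighRisk -Descending |
    Format-Table -AutoSize
```

Built-in entries such as Domain Admins and SYSTEM appear in the output as well; the rows to review are those for helpdesk or service groups, especially any marked HighRisk.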

Create and save queries

You can build complex LDAP queries using the Saved Queries feature in the ADUC console. You can save these queries and use them to:

  • Quickly find AD objects.
  • Swiftly complete routine AD object management activities, like selecting all employees of a company with mailboxes on a specific Exchange server or displaying a list of all disabled accounts in a domain.
  • Perform activities with objects from different Active Directory OUs.
  • Perform bulk lock/unlock, enable/disable, move, remove and rename activities.
  • Bypass Active Directory’s OU hierarchy and gather all the required objects in a flat table view.

Take the following steps to create a query for an operation:

  1. Right-click the domain or OU where you want to perform the search operation and select New -> Query.
  2. Provide a name and description for the query. (If you want to select a different OU, click Browse.) Then open another dialog box for defining the query by clicking Define Query.
  3. Use the Find drop-down to select a common query, such as:
    • Users, Contacts, and Groups
    • Computers
    • Printers
    • Shared Folders
    • Organizational Units
    • Custom Search
    • Common Queries
  4. Use the Users, Computers or Groups tab to define your query. Under the Users tab, for instance, you get options for limiting your query by:
    • Disabled accounts
    • Non-expiring passwords
    • Days since the user last logged on to the domain
      Click OK to create your query.
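
The Users tab options listed above (disabled accounts, non-expiring passwords, days since last logon) correspond to LDAP filters that can also be run from the Active Directory module. The following PowerShell is an added example, not part of the original article; the function name Get-AccountHygieneReport, the 90-day threshold and the report layout are assumptions.

```powershell
# Added example: LDAP filters equivalent to the common saved queries
# (disabled accounts, non-expiring passwords, days since last logon).
# Requires the Active Directory module for Windows PowerShell (part of RSAT).
Import-Module ActiveDirectory

function Get-AccountHygieneReport {
    [CmdletBinding()]
    param(
        # Where to search; defaults to the whole current domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # Assumed threshold for treating an account as stale.
        [int]$StaleDays = 90
    )

    # userAccountControl bit flags and the bitwise-AND matching rule OID.
    $disabled = 0x2        # ACCOUNTDISABLE
    $noExpire = 0x10000    # DONT_EXPIRE_PASSWD
    $bitAnd   = '1.2.840.113556.1.4.803'
    $users    = '(objectCategory=person)(objectClass=user)'
    $enabled  = "(!(userAccountControl:${bitAnd}:=$disabled))"

    # lastLogonTimestamp is a FILETIME (100 ns intervals since 1601-01-01 UTC).
    # It can lag real logons by up to about two weeks, so results are
    # approximate. Accounts that never logged on have no value at all and
    # are matched by the (!(lastLogonTimestamp=*)) branch.
    $cutoff = (Get-Date).AddDays(-$StaleDays).ToFileTimeUtc()
    $stale  = "(|(lastLogonTimestamp<=$cutoff)(!(lastLogonTimestamp=*)))"

    $filters = [ordered]@{
        'Disabled accounts'                             = "(&${users}(userAccountControl:${bitAnd}:=$disabled))"
        'Enabled, password never expires'               = "(&${users}${enabled}(userAccountControl:${bitAnd}:=$noExpire))"
        "Enabled, no logon in $StaleDays days or never" = "(&${users}${enabled}${stale})"
    }

    foreach ($name in $filters.Keys) {
        # -Verbose prints each filter so it can be reused in a custom search.
        Write-Verbose "$name -> $($filters[$name])"
        Get-ADUser -LDAPFilter $filters[$name] -SearchBase $SearchBase `
                   -Properties LastLogonDate, PasswordLastSet |
            Select-Object @{ n = 'Query'; e = { $name } },
                          SamAccountName, Enabled, LastLogonDate,
                          PasswordLastSet, DistinguishedName
    }
}

# Number of accounts matched by each query in the current domain.
Get-AccountHygieneReport | Group-Object Query | Select-Object Name, Count
```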

Other options on the context menu

The context menu in ADUC appears when you click an object or click in the middle pane in an empty space. This menu displays common commands and options for the type of object you selected. The context menu differs for each of the following types of objects:

  • Domain
  • OU
  • User
  • Group
  • Computer
  • Contact

How Netwrix can help

While ADUC can be a valuable tool for admins, it can be difficult for helpdesk technicians and business users to access, let alone use. Netwrix GroupID enables you to easily create web-based portals that make it easy to perform tasks like creating and editing groups and users, without any assistance from an administrator.

You can control what each user can view and change based on their role. To ensure data integrity, you can define workflows to verify supplied information before changes are applied.

FAQ

What is Active Directory Users and Computers (ADUC)?

ADUC is a Microsoft Management Console (MMC) snap-in that enables administrators to manage Active Directory objects and their attributes. For example, they can:

  • Change passwords.
  • Reset user accounts.
  • Add users to security groups.
  • Create and delete organizational units (OUs).
  • Handle FSMO roles like RID master, PDC Emulator and infrastructure master.
  • Create and manage computers, groups and users and their attributes.
  • Delegate control of objects.
  • Define advanced security and auditing in AD.

You can find more information about Active Directory basics in our AD tutorial for beginners.

How do I get Active Directory Users and Computers on Windows 10?

In Windows 10 version 1809 or higher, you can enable ADUC by going to Settings > Apps and Features > Optional features > Add a feature. In older versions of Windows, to get ADUC, you need to download and install the Remote Server Administration Tools (RSAT) package manually.

What is Remote Server Administration Tools?

Remote Server Administration Tools (RSAT) enables you to remotely manage Windows Server services and features from a Windows computer. It bundles many tools, including ADUC, the Active Directory Module for Windows PowerShell and Active Directory Administrative Center (ADAC).

How do I install RSAT on Windows 10?

Starting with the October 2018 update to Windows 10, RSAT is included as a set of “Features on Demand,” so you don’t need to install it. You simply need to enable the specific RSAT tools you require by going to Settings > Apps and Features > Optional features > Add a feature.

If you’re using an earlier version of Windows, you need to manually download and install RSAT.

How do I open the Active Directory Users and Computers console?

To start the ADUC console, do one of the following:

  • Go to Start > Click Run > Type dsa.msc > Hit Enter.
  • Click Start > Navigate to Administrative Tools > Click Active Directory Users and Computers.

Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put Netwrix GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.
