Have you been searching for an article that explains the Active Directory Users and Computers (ADUC) tool? You’ve just found it, as this is a deep dive into this topic!
Overview
SysAdmins use Active Directory Users and Computers to manage users, groups, organizational units, and all other Active Directory objects. If you open ADUC in a fresh installation of Active Directory, you’ll find the nodes shown in the screenshot below.
As you can see from the screenshot above, you can manage Builtin groups, Domain-joined computers, and Domain Controllers. In addition to those, you can also manage ForeignSecurityPrincipals, Managed Service Accounts, and Users.
That is not all. You can also use Active Directory Users and Computers to create AD users, Groups, and Organizational Units.
There is more to this versatile tool, and in the subsequent sections, you’ll have an in-depth view of ADUC. In addition to that, you’ll also learn all the admin tasks you can perform with it.
How Active Directory Users and Computers (ADUC) Works
Active Directory is a multi-master database that stores objects across multiple Domain Controllers in a Domain. By “multi-master,” I mean that an Active Directory object (like a user) is saved on multiple Domain Controllers.
So, where does ADUC come in?
While Active Directory stores and manages objects in its database, ADUC is your interface to add and/or edit these objects. So, when you create or modify an object in ADUC, you’re making the change in the Domain Controller you’re connected to.
Then, the Domain Controller replicates the changes to other Domain Controllers in Active Directory. Generally, due to its “multi-master” model, multiple SysAdmins can connect to different Domain Controllers and modify the same object.
When this happens, Active Directory manages the replication and conflict resolution to maintain the integrity of objects.
It is important to mention that even though AD is a multi-master database, some objects have to be modified using a single-master model.
“Single-master” means that, for such objects, only one Domain Controller MUST modify the single-master object; then replicate the changes to other Domain Controllers.
For the purpose of ADUC, all you need to understand is that when you make changes to Active Directory (AD) via Active Directory Users and Computers, AD manages the replications. In addition to that, it also manages conflict resolution as well.
Features of Active Directory Users and Computers (ADUC)
To help you make the best of ADUC, this section outlines and discusses its core features.
Delegate Control to Junior Admins via ADUC
One of the essential features of Active Directory Users and Computers is that you can use it to delegate control to other admins. Microsoft recommends the “lease access” model to reduce risk to your AD forest.
What this means is that you only grant the access people need to perform specific functions. So, if you need a team member to perform more tasks in AD, you can use the ADUC delegation tool to grant user-specific access.
To delete access in Active Directory Users and Computers:
- Open ADUC, then right-click your domain name and select Delegate Contol.
- When the Delegate Contol wizard opens, enter the user name of the person you want to delegate control to and click Next.
- Finally, select the tasks you want to delegate.
Active Directory Users and Computers has a Search Functionality
As I hinted earlier, you can access AD objects via the ADUC nodes. However, if you manage an Active Directory domain with thousands of objects, searching for objects may be more efficient.
Fortunately, ADUC has search functionality. To access this feature, right-click your AD Domain name and select Find.
Alternatively, click the Action menu and select Find.
Change Domain, Domain Controllers, or Change Domain Functional Level
If you open Active Directory Users and Computers, it automatically connects to a default domain. In addition to that, ADUC also connects to a default Domain Controller.
However, if you want to connect to another domain and/or Domain Controller, you can use ADUC to do so. To connect to another Domain or Domain Controller, right-click your current AD Domain, then select the option you require.
Apart from changing the Domain or Domain Controller, you can also use ADUC to raise the Domain Functional Level of your AD Domain.
To access this feature, click the Action menu. Then, click Raise domain functional level.
View Domain Controllers with the RID, PDC, and Infrastructure Masters Roles
ADUC also offers you the feature to view and change the Domain Controller that currently holds three out of the five Flexible Single Master Operations (FSMO) roles.
To view the current holders of these three roles, click the Action menu, then select Operations Masters.
Active Directory Users and Computers will then display a smaller window with three tabs – RID, PDC, and Infrastructure. If you wish to move an FSMO role to another DC, first log in to the DC.
Then, open the Operations Masters window from ADUC and select Change.
Create Users, Computers, Groups, and Other AD Objects with ADUC
The commonest task SysAdmins perform in Active Directory Users and Computers is to create objects. Point to the Actions menu to create common AD objects like Users, Groups, and Printers with ADUC.
Then, point to New and select the object you want to create.
Active Directory Users and Computers has an Advanced Feature
In the overview section of this guide, I showed you the view of ADUC for a new AD installation. Here it is…
In addition to the nodes shown in the default view, you can enable the Advanced View to give you access to nodes you can use to perform advanced ADUC tasks.
To enable the Advanced Features of Active Directory Users and Computers, click the View menu. Then, select Advanced Functions.
ADUC will now display additional nodes. In the screenshot below, I have labeled the nodes added when you enabled Advanced Features in Active Directory Users and Computers.
Benefits (Pros) of Active Directory Users and Computers (ADUC)
From the previous sections of this article, you would have deduced the various advantages of using ADUC. However, in this section, I have highlighted some of the core benefits of this tool.
ADUC is Easy to Use
This AD tool has a simple interface that gives you quick access to all its nodes and the ability to manage Active Directory.
You can Install ADUC on Windows 10 or Windows 11
Even though you can access ADUC by logging in directly to a Domain Controller, this is not the best practice.
Microsoft’s best practice is to install ADUC on your Windows 10 or 11 computer. The great news is that you can install this tool by enabling RSAT for AD on your Windows 10 or Windows 11 computer.
Active Directory Users and Computers Have Filter Options
You can use Active Directory Users and Computers with its default view.
However, if you work with specific nodes, you can use the Filter Options to select the nodes you want to display.
To open the Filter Options, click the View menu. Then, select Filter Options.
Active Directory Users and Computers has a Shortcut Menu
ADUC has a short-cut menu that grants you quick access to perform tasks.
In the screenshot below, I have highlighted ADUC’s shortcut menu. The shortcuts available in the menu change depending on the object you selected in the left pane of ADUC.
Limitations (Cons) Of Active Directory Users And Computers (ADUC)
Believe it or not, ADUC has some limitations. The purpose of this section is to highlight these limitations.
In addition, I will point you to the alternative tools you can use to perform the tasks you cannot perform with ADUC.
You Cannot Create Dynamic Access Contol with ADUC
One of the limitations of ADUC is that it does not include the option to create some advanced policies and access controls.
To create these advanced tools like Dynamic Access Contol and Authentication policies, use Active Directory Administrative Center.
You can open Active Directory Administrative Center in a Domain Controller from the Tools menu of Server Manager.
ADUC Does not Offer the Option to Enable Active Directory Recycle Bin
If you need to enable AD Recycle Bin, do it via the Active Directory Administrative Center.
To enable Recycle Bin via Active Directory Administrative Center, right-click your domain name. Then, select Enable Recycle Bin.
You Cannot Raise Forest Functional Level with ADUC
Active Directory Users and Computers have the option to raise the Domain functional level.
However, if you want to raise the functional level, you must perform the task from either Active Directory Administrative Center or Active Directory Domains and Trusts.
ADUC Does not Have the Option to Manage AD Trusts or Sites
Apart from all the objects you can manage via ADUC, AD has other features that you need to manage.
For example, you need to manage AD Sites and inter-domain trusts. To manage AD Trusts, use Active Directory Domains and Trusts.
On the other hand, if you need to manage AD Sites, you need to use Active Directory Sites and Services.
How to Install Active Directory Users and Computers (ADUC) on Windows 10 or Windows 11
We have the guides to install ADUC in Windows 10 or Windows 11. To install ADUC in Windows 10, follow the steps in this guide – How to Enable RSAT for AD in Windows 10.
Alternatively, if you use a Windows 11 PC, follow the steps in How To Enable RSAT For Active Directory In Windows 11.
Frequently Asked Questions
Active Directory Users and Computers is a tool. SysAdmins use to manage users, groups, organizational units, and all other Active Directory objects.
In a Domain Controller, you can access Active Directory Users and Computers from the Tools menu of Server Manager.
Alternatively, you can use the search tool on Windows Server to search for the tool.
On the other hand, if you enabled RSAT for Active Directory in Windows 10 or Windows 11, you can use the search tool in Windows 10/11 to open ADUC.
The fastest way to get to Active Directory users and Computers in Windows 10 is to search for it.
RSAT (Remote Server Administration Tool) – as the name implies – is a set of tools you can install on a Windows 10 or Windows 11 computer to manage specific Windows Server roles from your Windows 10 or Windows 11 computer.
To read more about RSAT in Windows 10, read RSAT Tools in Windows 10 Explained Plus How to install Each Tool.
We also have a guide that explains RSAT Tools In Windows 11 Explained: Plus How To Install RSAT.
To see a full list of Active Directory users in your domain, open Active Directory Users and Computers. Then, click the Users node.
Note that depending on the structure of your domain, some users may have been moved to Organisational Units (OU). So, to view these users, click on the OU.
Conclusion
If you’re a Windows SysAdmin, you’ll work with Active Directory Users and Computers (ADUC). ADUC gives you the GUI interface to create and manage AD users, groups, and other objects.
ADUC has some great benefits, like delegating control, search functionality, and Advanced Features. However, like all tools, Active Directory Users and Computers also have some limitations.
I hope this article gives you a better understanding of ADUC, how it works, and its features! If this article improved your knowledge of ADUC, click on “Yes” beside the “Was this page helpful” question below.
You may also express your thoughts and opinions by using the “Leave a Comment” form at the bottom of this page.
Finally, visit our Windows Server Explained page to read more Windows Server tech explained guides.
