One of the main Active Directory domain management tools is the Active Directory Users and Computers snap-in (ADUC). The ADUC snap-in is used to perform typical domain administration tasks and manage users, groups, computers, and Organizational Units in the Active Directory domain. By default, the Active Directory Users and Computers (dsa.msc) console is installed on a Windows Server host, when it’s promoted to the domain controller during the Active Directory Domain Services (AD DS) role installation.
In order to use the ADUC snap-in in Windows 10/11, you need to install the Remote Server Administration Tools (RSAT). The RSAT includes various command-line tools, PowerShell modules, and graphical snap-ins to remote manage Windows Servers, Active Directory, and other Windows roles and features, which are running on Windows Server.
How to Install ADUC (dsa.msc) on Windows 10?
By default, RSAT is not installed in Windows 10 (and other Windows desktop operating system versions). Remote Server Administration Tools (RSAT) allows administrators to remotely manage roles and components on Windows Server 2022, 2019, 2016, 2012 R2, 2012, 2008 R2 from user’s workstations running Windows 11, 10, 8.1, 8, and Windows 7. RSAT can’t be installed on computers with the Home editions of Windows, you must have a Professional, Enterprise, or Education version.
You can install ADUC on Windows 10 via the Settings app or with PowerShell.
Enable RSAT:ADUC on Windows 10 via GUI
On modern Windows 10 builds (1809 and newer), the RSAT pack is added to the Features on Demand (FoD). In order to install ADUC, you can add an optional feature from FoD.
- Press the Start menu > Settings > Apps;
- Select Manage Optional Features > Add features;
- In the list of optional features already installed on your Windows 10 desktop, select RSAT: Active Directory Domain Services and Lightweight Directory Tools, and press Install.
After the RSAT installation completes, you need to restart your computer.
Install the Active Directory Users and Computers Snap-in Using the Command Line
You can install the Active Directory console on Windows 10 via the Сommand prompt (DISM tool) or with PowerShell. To verify if the RSAT ActiveDirectory feature is installed, open a command prompt as an administrator, and run the command:
DISM.exe /Online /Get-CapabilityInfo /CapabilityName:Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
Capability Identity : Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
Name : Rsat.ActiveDirectory.DS-LDS.Tools
State : Not Present
Display Name : RSAT: Active Directory Domain Services and Lightweight Directory Services Tools
Description : Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) Tools include snap-ins and command-line tools for remotely managing AD DS and AD LDS on Windows Server.
Download Size : 5.23 MB
Install Size : 17.35 MB
The screenshot above shows the RSAT Active Directory feature is not installed. To install, you need to run the command:
DISM /Online /Add-Capability /CapabilityName:Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
Now check the status of AD RSAT. It should be changed to State: Installed.
You can also use PowerShell cmdlets to install the Active Directory snap-in on Windows 10.
Get RSAT Active Directory component status:
Get-WindowsCapability -Online | Where-Object {$_.Name -like "RSAT.ActiveDirectory*"}
Install it:
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
RSAT components are downloaded over the Internet from Windows Update servers. If you want to install RSAT in a disconnected environment (without Internet access), you need to download the Feature on Demand (FoD) ISO image for your Windows 10 release. FoD DVD media is available for download from your Volume License Servicing Center (VLSC) or on my.visualstudio.com.
To install the ADUC offline, you need to mount the FoD iso image to a virtual drive (for example, to drive F:) and run the installation from local media:
Dism.exe /online /add-capability /source:F: /Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
Install AD Users and Computers MMC Snap-in on Windows 11
You can also install RSAT Active Directory on Windows 11. You can’t install RSAT on devices running Windows 11 Home edition. RSAT is only available for Windows 11 Pro and Enterprise. There are several ways to install the Active Directory snap-in on Windows 11.
On a Windows 11 workstation, you can install RSAT via Optional Features (FoD) in the Settings app.
- Click Start menu and go to Settings > Apps > Optional features;
- Click on View Features and in the Add an optional feature window select to install RSAT: Active Directory Domain Services and Lightweight Directory Services Tools;
- Click Next > Install.
- Windows 11 will download the RSAT binaries from the internet.
Hint. If you use WSUS or SCCM on your network to install Windows Updates on client devices, you need to enable the special GPO option. Open the local Group Policy Editor (gpedit.msc) and go to Computer Configuration > Administrative Templates > System. Enable the GPO option Specify settings for optional component installation and component repair and tick the Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS) checkbox. Update local Group Policy settings on the client with the gpupdate command: gpupdate /force. Without this option, Windows 11 will try to get RSAT from your local Windows update server (errors 0x8024402c and 0x800f081f).
Also, you can install the Active Directory tools on Windows 11 using PowerShell. List the installed RSAT components by running the command:
Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property DisplayName, State
In our case, the RSAT: Active Directory Domain Services and Lightweight Directory Services Tools feature is not installed (State > NotPresent).
Install the Windows feature with the command:
Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 –Online
The PowerShell Active Directory module is also installed with the ADUC console.
How to Open Active Directory Users and Computers (dsa.msc) Snap-in on Windows?
In order to run Active Directory snap-in on Windows 11 go to the Start Menu > All apps > Windows tools.
As you can see, a new link to the console %SystemRoot%\system32\dsa.msc (Active Directory Users and Computers) appeared.
On Windows 10 (and previous versions) the AD Management snap-ins are available in the Administrative Tools section of the Control Panel.
Start the Active Directory Users and Computers snap-in.
Now you can run the ADUC snap-in and connect to any available AD domain controller. If your computer is joined to the Active Directory domain, then the nearest domain controller in your Active Directory site will be selected automatically, based on your Logon server. In addition, to start the ADUC console, you can press the Win+R combination, type dsa.msc, and then click OK.
At startup, the ADUC console automatically connects to the closest DC. If the console doesn’t find the domain controller, get the name of your LogonServer using the PowerShell command:
$env:LOGONSERVER
Right-click on the root in the ADUC console and select Change Domain Controller. Select the name of your logon DC from the list.
Always try to connect to the closest domain controller. When working with a domain controller at a remote site, the RSAT console may become slow.
If you want to connect to AD using dsa.msc snap-in from a non-domain computer, you must:
- Open the Command prompt and run the command:
runas /netonly /user:Domain_Name\Domain_USER mmc
- In the empty MMC Console select File > Add/Remove Snap-In;
- Add Active Directory Users and Computers Snap-In to the right pane and press OK;
- Connect to the domain with right-click on ADUC > Connect to the domain and enter the domain name.
As a result, the structure of your OU Active Directory domain appears in the ADUC snap-in.
You will see a standard set of Active Directory OUs and containers:
- Saved Queries — saved search criteria, allows quickly replay of the previous search in Active Directory (LDAP query supported);
- Builtin — built-in user accounts;
- Computers — default container for computer accounts;
- Domain Controllers — default container for domain controllers;
- ForeignSecurityPrincipals — contains information about objects from trusted external domains. Typically, these objects are created when an object from an external domain is added to the group of the current domain;
- Users — default container for user accounts.
When choosing the OU, you will see a list of objects that are in it. The ADUC console may display security groups, contacts, users, and computers.
Depending on the domain structure, the ADUC console may contain other containers. Some AD folders are not displayed by default. To display them, select View > Advanced Features in the top menu.
The following additional folders should appear:
- LostAndFound — directory objects, that lost the owner;
- NTDS Quotas — data about the quoting of the directory service;
- Program Data — data stored in the directory service for Microsoft applications;
- System — the built-in system parameters.
You can add organizational units to the AD tree by yourself.
In the ADUC console, you can perform the following actions:
- Create and manage user accounts, computers, and Active Directory groups;
- View and edit AD object attributes with ADSI Edit;
- Search for AD objects;
- Change user password in Active Directory or reset it;
- Create organizational units and build hierarchical structures for AD objects. In the future, you can delegate administrative permission on these OUs to other domain users (without granting domain administrator privileges);
- Delegate administrative permissions;
- Raise domain functional level, and transfer FSMO roles with PowerShell to another domain controller.
7 comments
Thanks
You are welcome, Marco!
Found your well-written article on AD at/near the top of my Google search after repeatedly failing to see the traditional path in W10’s “Turn Settings On/Off”. Thanks for sharing your knowledge.
Thank you very much!
Do you know how I can create a console with the multiple ADUC snapins but each configured to separate domain? I’ve done this and saved the console but each time I launch the saved mmc it sets each ADUC snapin to the domain of the current logged in user. I can then obviously change domain and checking the saved mmc I can see the correct reference to the domain but each launch it seems to reset.
Very nice article.. much appreciated, Mr.Cyril..
The feature RSAT isn’t there. Only about 30 items are there; mostly languages and a few tools like xps viewer and wireless display, etc.