One of the main Active Directory domain management tools is the MMC snap-in Active Directory Users and Computers (ADUC). The ADUC snap-in is used to perform typical domain administration tasks and manage users, groups, computers, and organizational units in the Active Directory domain. By default, the Active Directory Users and Computers (dsa.msc) console is installed on the server when it is promoted to the domain controller during the Active Directory Domain Services (AD DS) role is installed.
To use ADUC snap-in in Windows 10, you need first to install the Remote Server Administration Tools (RSAT). The RSAT includes various command line tools, PowerShell modules, and graphical snap-ins to remote manage Windows Servers, Active Directory, and other Windows roles and features, which are running on Windows servers.
How to Install Active Directory Users and Computers in Windows 10?
By default, RSAT is not installed in Windows 10 (and other Windows desktop operating systems). Remote Server Administration Tools (RSAT) allows IT administrators to remotely manage roles and components on Windows Server 2019, 2016, 2012 R2, 2012, 2008 R2 from user’s workstations running Windows 10, 8.1, 8 and Windows 7. The RSAT resembles Windows Server 2003 Administration Tools Pack (adminpak.msi) that was installed on clients running Windows 2003 or Windows XP and was used for remote server management. RSAT can’t be installed on computers with the Home editions of Windows. To install RSAT, you must have Professional or Enterprise edition of Windows 10.
Depending on the Windows 10 build, the ADUC console is installed differently.
Installing ADUC in Windows 10 Version 1803 and Below
- You can download the latest version of Remote Server Administration Tools for Windows 10 (Version: 1803 1.0, Date Published: 5/2/2018) using the following link.Tip. As you can see, the RSAT package is available for the latest version of Windows 10 1803. WindowsTH-RSAT_WS_1709 and WindowsTH-RSAT_WS_1803 are used to manage Windows Server 2016 1709 and 1803 respectively. If you are using a previous version of Windows Server 2016 or Windows Server 2012 R2/2012/2008 R2, you need to use the WindowsTH-RSAT_WS2016 package.
- Select Language of your Windows 10 version and click on the Download button. Depending on the bitness of your OS, select desired *.msu file:
For Windows 10 x86 – download WindowsTH-RSAT_WS2016-x86.msu (69.5 MB);
For Windows 10 x64 – download WindowsTH-RSAT_WS2016-x64.msu (92.3 MB);
- Install the downloaded file (Update for Windows KB2693643) by double-click on it.
- You can install RSAT from Command prompt in the silent mode:
wusa.exe c:\Install\WindowsTH-RSAT_WS2016-x64.msu /quiet /norestart
If the error message “This update does not qualify for your computer” appears when installing RSAT, most likely you are using Windows 10 Home or Single-Language edition (you need a Pro or Enterprise edition)
Installing ADUC in Windows 10 1809 and Above
In Windows 10 1809 and newer builds, the RSAT pack is added to the Features on Demand (FoD) capabilities and is installed differently.
- Press the Start menu > Settings > Apps;
- Select Manage Optional Features > Add features;
- In the list of optional features already installed on your Windows 10 desktop select RSAT: Active Directory Domain Services and Lightweight Directory Tools and press Install.
After RSAT installation is completed, you need to restart your computer.
How to Enable AD DS Tools in Windows 10?
It remains to activate the necessary RSAT function. To do this:
- Right click on Start button and select Control Panel;
- Select Programs and Features;
- In the left pane press on Turn Windows features on or off;
- Expand node Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools;
- Check item AD DS Tools and press OK.
However, you can install AD feature from the command prompt with the administrator privileges just with these three commands:
dism /online /enable-feature /featurename:RSATClient-Roles-AD dism /online /enable-feature /featurename:RSATClient-Roles-AD-DS dism /online /enable-feature /featurename:RSATClient-Roles-AD-DS-SnapIns
How to Run dsa.msc (Active Directory Users and Computers) Snap-in?
After AD Management snap-ins installed, go to the Control Panel and select section Administrative Tools. As you can see, a new link to the console %SystemRoot%\system32\dsa.msc (Active Directory Users and Computers) appeared.
Now you can run the ADUC snap-in and connect to any available AD domain controller. If your computer is joined to the Active Directory domain, then the nearest domain controller in your AD site will be selected automatically, basedon your Logon server. Also to start the ADUC console you can press the Win+R combination, type dsa.msc and then click on OK.
DSA.msc: Connecting to DC From Non-domain Computer
If you want to connect to AD using dsa.msc snapin from a non-domain computer, you must:
- Open Command prompt and run command:
runas /netonly /user:Domain_Name\Domain_USER mmc
- In the empty MMC Console select File > Add/Remove Snap-In.
- Add Active Directory Users and Computers Snap-In to the right pane and press OK.
- Connect to the domain by right click on ADUC > Connect to domain and enter the domain name.
As a result, in the ADUC snap-in appears the structure of your OU Active Directory domain.
You will see a standard set of AD folders and containers:
- Saved Queries — saved search criteria, allowing you to quickly replay the previous search in Active Directory;
- Builtin — built-in user accounts;
- Computers — the default container for computer accounts;
- Domain Controllers — the default container for domain controllers;
- ForeignSecurityPrincipals — contains information about objects from trusted external domains. Typically, these objects are created when an object from an external domain is added to the group of the current domain;
- Users — the default container for user accounts.
Choosing the OU you will see a list of objects that are in it. The ADUC console may display security groups, contacts, users, and computers.
Depending on the domain structure, the ADUC console may contain other containers. Some AD folders are not displayed by default. To display them, select View > Advanced Features in the top menu.
The following additional folders should appear:
- LostAndFound — directory objects that lost the owner;
- NTDS Quotas — data about the quoting of the directory service;
- Program Data — data stored in the directory service for Microsoft applications;
- System — the built-in system parameters.
You can add organizational units to the AD tree yourself.
In the ADUC console, you can perform the following actions:
- Create and manage user accounts, computers, and security groups;
- View AD object attributes.
- Change and reset user passwords ;
- Create organizational units and build a hierarchical system for AD objects. In the future, you can delegate administrative permission on this OUs to other domain users (without granting domain administrator privileges).
Dsa.msc: Missing Tabs in Windows 10
Users sometimes complain that some tabs are missing in the ADUC snap-in on Windows 10.
- At first, check if Advanced Features is selected in the AD view;
- Check if you are using the latest version of Windows 10;
- Before installing RSAT, make sure you have removed the old versions of RSAT and the RSAT editions for other languages. At the same time, only one version of Remote Server Administration can be installed on the computer;
- Currently, RSAT for Windows 10 is only available in English (United States) language. If you have a localized version of Windows 10 installed, make sure you have installed the English (United States) language pack before installing RSAT. Move English (United States) to the top of the list of preferred languages;
- In some cases, manual copying of the tsuserex.dll and tsuserex.dll.mui libraries from Windows Server 2012 R2 to the Windows 10 computers to the C:WindowsSystem32 directory helps. Do not forget to register the library with the command:
How to Add Custom Commands and Views to the ADUC console?
You can add your own tools and commands to the Active Directory Users and Computers console to launch external applications.
Create a new text file named ping.bat with the following text and save it to local disk:
Title ping [%1]
Ping.exe %1 –t -8
Create the custom view for the ADUC console:
- Run the command mmc.exe;
- Select File > Add/remove snap-in;
- In the list of available snap-ins, select Active Directory Users and Computers and press Add;
- Select a container with computers or servers, right-click on it and select New Taskpad View;
- Press Next;
- Select result pane style – Vertical list, List Size – Medium and press Next > Next;
- Specify the taskpad view name: Computer Tools;
- In the New Task Wizard window, specify that you want to create a Shell command;
- In the Command field, specify “C:PSping.bat”, in the Parameters field > $COL<0> (computername field);
- Input the Task Name and select icon;
- Press Next > Finish.
Now, if you select the Computer object in the ADUC console, the Ping button appears in the list of available actions. By clicking this button, you will check the computer’s availability via ICMP protocol (ping).
This way you can add various administration tools to the ADUC console.
Don’t forget to save your custom ADUC view with an additionals tool to a separate file custom_aduc_with_tools.msc (File > Save as). Use this file instead dsa.msc to run the ADUC console.