AD Pro Toolkit User Guide

Release Notes:

Click here to view the latest release notes.

Support:

For support or questions about the AD Pro Toolkit contact support@activedirectorypro.com.

Feature Requests:

To submit a feature request or improvement to the product email support@activedirectorypro.com.

Getting Started

Here are the basics on getting started with the AD Pro Toolkit.

Installation Steps

  • The AD Pro Toolkit can be installed on a Windows Server, Domain Controller, or Client OS (Windows 10 or 11).
  • The software can be installed on a domain-joined or non-domain-joined computer.

1. Right-click the ADProToolkit.zip file and select “Extract All”.

2. Select a destination to extract the files. You can keep the default or change it to another folder.

3. From the extracted folder double click the ADProToolkit.msi to start the installation.

4. Click “Next” on the welcome screen.

5. Accept the end user license agreement and click “Next”.

6. Select the installation folder and click “Next”.

7. Click “Install” on the ready to install page.

You might get prompted by Windows User Account Control. Click Yes on this popup.

When the installation is complete, click Finish.

That completes the installation process.

An icon will be added to the desktop for quick access.

License and Activation

Below are the steps to apply the license file and activate the AD Pro Toolkit.

  • The toolkit requires a license to activate and fully unlock the software.
  • If you do not have a license file you can purchase one from our pricing page.
  • If no license is installed or the license has expired the toolkit will run in trial mode.
  • The license key must be installed manually. It cannot be pushed out with software deployment tools.

1. After the purchase is completed you will receive an email with a license.zip attachment file.

2. Download the license.zip file.

3. Extract the zip file.

4. Open the toolkit and click on the License

5. Click on the Browse button and select the license.lic file.

6. Next, click the Activate button.

The software will now be activated and the license details will be updated.

That completes the steps to activate the software.

You will receive an email 30 days before the license expires.

Authentication

The AD Pro Toolkit works on domain-joined and non-domain-joined computers.

Note: You only need to authenticate to one domain controller in your domain.

By default, the AD Pro Toolkit uses pass-through authentication. If your computer is domain-joined and you log in with a domain account, the toolkit will use those credentials to connect to your domain automatically.

You can check the connection status by clicking on Settings.

If you want the toolkit to connect with a different account then click the pencil icon.

In this example, I’m logged into the computer as a regular user “robert.allen”. I want to change the toolkit to use my admin account “robert.allen.da”.

Check the box Specify username then enter your username and password. If it is a domain-joined computer it should auto-detect your domain and domain controller.

If the domain and domain controller are not detected you will need to provide those details. The domain controller must be entered as an FQDN.

Click OK to connect with the provided credentials.

The domain settings screen should update with the username and display connected.

Software Updates

Follow the steps below to upgrade the AD Pro Toolkit.

Automatic Updates

Note: Starting with version 1.4.22 the software will auto-check for updates on startup. You can choose to upgrade from within the software or skip the update.

Manual Updates

1. Download the latest version from the download page. You do not need to log in to download the latest version.

2. Extract the zip file and launch the installer.

3. Follow the prompts to complete the installation.

When the upgrade is complete click the help menu and verify the version number.

Log Files

The AD Pro Toolkit will save error and debug events to a log file.

To view the log files click on help and then click Open toolkit logs.


Scheduled Tasks

The scheduler is used to run tasks and reports on an automated schedule. The following tools can be automated.

  • Import Users
  • Bulk User Modification
  • AD Health Monitor
  • Local Admins Report
  • Reports

Reports can be emailed or saved to disk.

Requirements

  • If you want to email reports you first need to configure the email settings.

Steps to create a scheduled task.

Note: The scheduler UI has been updated since this video was released. A new video will be posted soon.

Log Files

If you want to see the results of a task, view the adtoolkitservice.log file in C:\ProgramData\ActiveDirectoryPro\AD Pro Toolkit\Logs


Windows Firewall Settings

The following tools from the AD Pro Toolkit require WMI to be allowed inbound.

  • Computer Uptime
  • Local Admins Report
  • Local Certificates Report
  • Service Account Management Tool

Firewall GPO Settings

You can use group policy to push these settings out to all computers.

Here are screenshots of the firewall settings.

Click Finish.


Audit Log Settings for the AD Pro Toolkit

The lockout troubleshooter tool requires the audit policies to be configured.

This will enable the tool to collect events 4771 and 4740 from your domain controllers.

How to enable Auditing log settings

In your Default Domain Controllers Policy navigate to the following GPO settings:

Computer Configuration -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Management

Enable Success and Failure for the “Audit User Account Management” policy.

Next, enable the following:

Computer Configuration -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Logon

Enable Success and Failure for “Audit Kerberos Authentication Service”.

The required auditing is now turned on and event IDs 4740 and 4771 will be logged in the security event logs when an account is locked out. The user unlock tool will query the domain controller event logs for these event IDs to display additional lockout details.
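As an added check (not part of the AD Pro Toolkit or this guide), the following PowerShell verifies on a domain controller that the two subcategories above are in effect and that nothing is masking them. It assumes an elevated session on a DC after Group Policy has refreshed; the registry value name is the one behind the "Force audit policy subcategory settings" security option.

```powershell
# Added example (not from the AD Pro Toolkit or this guide): check on a domain controller
# that the two audit subcategories configured above are in effect. Assumes an elevated
# PowerShell session on a DC after Group Policy has refreshed (run gpupdate /force first).

# auditpol subcategory names for the two GPO settings in the steps above
$required = 'User Account Management', 'Kerberos Authentication Service'

function Get-AuditSubcategoryState {
    param([Parameter(Mandatory)][string]$Subcategory)
    # auditpol /r prints CSV (Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting); blank lines are dropped before parsing.
    # Inclusion Setting is one of: No Auditing, Success, Failure, Success and Failure
    $row = auditpol /get /subcategory:"$Subcategory" /r |
        Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    [pscustomobject]@{
        Subcategory = $Subcategory
        Setting     = $row.'Inclusion Setting'
        Ok          = ($row.'Inclusion Setting' -eq 'Success and Failure')
    }
}

function Test-LegacyAuditPolicyMasking {
    # Advanced Audit Policy settings are ignored when the security option
    # "Audit: Force audit policy subcategory settings ... to override audit policy category
    # settings" has been explicitly disabled (value 0). Absent value = default behaviour.
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.SCENoApplyLegacyAuditPolicy -eq 0)
}

$state = $required | ForEach-Object { Get-AuditSubcategoryState -Subcategory $_ }
$state | Format-Table -AutoSize

if ($state.Ok -contains $false) {
    Write-Warning 'A required subcategory is not set to Success and Failure. Correct it in the Default Domain Controllers Policy; a local "auditpol /set" is overwritten at the next Group Policy refresh.'
}
if (Test-LegacyAuditPolicyMasking) {
    Write-Warning 'Legacy audit categories are allowed to override the advanced settings (SCENoApplyLegacyAuditPolicy = 0); 4740/4771 may not be logged even though the GPO looks correct.'
}
```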


Import Users Into Active Directory

In this tutorial, you will learn how to import users into Active Directory using the Active Directory User Creation Tool that is included with the AD Pro Toolkit.

Read First

  1. It is recommended to first run a small import to ensure the accounts are being created as expected.
  2. The CSV template includes 33 user attributes. This covers the most common attributes for creating new accounts. Additional attributes can be added to the template.
  3. You DO NOT need to add the name attribute to the CSV. This gets automatically created based on the first and last name.
  4. CSV Template – Refer to the provided CSV template for an example of how to setup the CSV file.
  5. CSV Template CheatSheet – If you are not familiar with Active Directory attributes then refer to the CSV Template Cheatsheet section for an overview.

Step 1: Download & Modify the CSV Template

1. Click on Import Users

2. Click on the CSV Template button

You will be prompted to save the CSV file. You can save it anywhere you want.

3. Modify the CSV Template

The provided template includes an example user as a reference on how to fill out the CSV template.

At a minimum, I recommend setting the following fields for all users.

  • SamAccountName (required) = This will be the user’s logon name.
  • password (required) = The user’s password. Make sure it meets your password requirements.
  • OU = The organizational unit to import users into. This is the distinguished name of the OU. If you leave it blank it will import into the default users container.
  • givenName (required) = First name
  • sn (required) = Last name
  • displayName = Display Name
  • Groups = Groups to add the users to. Separate each group with a comma.

You can download my CSV template here.

When you have your CSV template configured save it and move to the next step.
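Because the guide recommends a small test import first, a pre-flight check of the CSV catches the common mistakes before any account is created. This PowerShell is an added example, not code from the AD Pro Toolkit; the CSV rows are constructed sample data using the minimum columns listed above, and the 8-character minimum password length is an assumed value to be replaced with your domain's policy.

```powershell
# Added example, not from the AD Pro Toolkit or this guide: pre-flight validation of an
# Import Users CSV. The rows below are constructed sample data; the minimum password
# length is an assumption, substitute your domain's password policy.

$csvText = @'
SamAccountName,password,OU,givenName,sn,displayName,Groups
jane.doe,Sample-Pass-2024!,"OU=Staff,DC=corp,DC=example",Jane,Doe,Jane Doe,"Sales,VPN Users"
john.smith,short,"OU=Staff,DC=corp,DC=example",John,Smith,John Smith,
jane.doe,Another-Pass-2024!,Staff,,Doe,,Sales
a.very.long.samaccountname.here,Sample-Pass-2024!,,Al,Long,Al Long,"Sales,,VPN Users"
'@

function Test-ImportUserCsv {
    param(
        [Parameter(Mandatory)][string]$Csv,
        [int]$MinPasswordLength = 8     # assumed; match your domain policy
    )
    $rows     = $Csv | ConvertFrom-Csv
    $required = 'SamAccountName', 'password', 'givenName', 'sn'
    $findings = New-Object System.Collections.Generic.List[object]

    # The tool maps columns by LDAP attribute name, so the required headers must exist
    $headers = ($rows | Select-Object -First 1).PSObject.Properties.Name
    foreach ($col in $required) {
        if ($headers -notcontains $col) {
            $findings.Add([pscustomobject]@{ Row = 1; Field = $col; Problem = 'required column missing' })
        }
    }

    $seen   = @{}
    $rowNum = 1                          # row 1 is the header, as a spreadsheet shows it
    foreach ($r in $rows) {
        $rowNum++
        foreach ($col in $required) {
            if ([string]::IsNullOrWhiteSpace($r.$col)) {
                $findings.Add([pscustomobject]@{ Row = $rowNum; Field = $col; Problem = 'required value is blank' })
            }
        }
        $sam = $r.SamAccountName
        if ($sam) {
            # Pre-Windows 2000 logon name: at most 20 characters, none of " / \ [ ] : ; | = , + * ? < >
            if ($sam.Length -gt 20) {
                $findings.Add([pscustomobject]@{ Row = $rowNum; Field = 'SamAccountName'; Problem = 'longer than 20 characters' })
            }
            if ($sam -match '["/\\\[\]:;|=,+*?<>]') {
                $findings.Add([pscustomobject]@{ Row = $rowNum; Field = 'SamAccountName'; Problem = 'contains a character not allowed in a logon name' })
            }
            if ($seen.ContainsKey($sam.ToLower())) {
                $findings.Add([pscustomobject]@{ Row = $rowNum; Field = 'SamAccountName'; Problem = "duplicate of row $($seen[$sam.ToLower()])" })
            } else {
                $seen[$sam.ToLower()] = $rowNum
            }
        }
        if ($r.password -and $r.password.Length -lt $MinPasswordLength) {
            $findings.Add([pscustomobject]@{ Row = $rowNum; Field = 'password'; Problem = "shorter than $MinPasswordLength characters" })
        }
        # OU may be blank (default Users container) but must be a distinguished name when set
        if ($r.OU -and $r.OU -notmatch '^(OU|CN)=.+,DC=') {
            $findings.Add([pscustomobject]@{ Row = $rowNum; Field = 'OU'; Problem = 'not a distinguished name (expected OU=...,DC=...)' })
        }
        # Groups are comma separated; a stray comma produces an empty group name
        if ($r.Groups) {
            $groups = $r.Groups -split ',' | ForEach-Object { $_.Trim() }
            if ($groups -contains '') {
                $findings.Add([pscustomobject]@{ Row = $rowNum; Field = 'Groups'; Problem = 'empty group name in comma-separated list' })
            }
        }
    }
    return $findings
}

$results = Test-ImportUserCsv -Csv $csvText
if ($results.Count -eq 0) { 'CSV passed pre-flight checks' } else { $results | Format-Table -AutoSize }
```

To check your own template, replace `$csvText` with `Get-Content -Raw .\users.csv` (path is an example).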

Step 2. Select Import Options

Select your import options in box 2.

  • Enable users = The imported accounts will be set to enabled
  • Force Password Change = The import accounts will be required to change their password at next logon.
  • Name: LastName, FirstName – By default the name format is FirstName, LastName, if you want to reverse this select this box.

Step 3. Select your CSV file and click run

Next, click the “Select CSV File” button and select your CSV template. Then click run to start the import.

When the import process is completed, review the logs for any errors. Errors will be in red and will tell you why the error occurred.

As a reference, it took 45 seconds to create 100 accounts on a virtual machine with 2 GB memory.

You should now see the accounts in Active Directory; they should be configured with the settings you specified in the CSV.

Verify the Import (Optional)

A quick way to verify the accounts imported correctly is to use the export users tool.

You are not actually going to export anything but you can quickly preview accounts and their settings.

Click on Export Users and click Run (if you want to check users in a specific OU select the OU).

Now you can scroll through the list and verify all of the user fields are set correctly.

CSV Template Cheatsheet

The provided CSV template includes 33 user attributes you can use. You can add or remove attributes as needed. Active Directory uses LDAP attribute names to store most account information. This means the user fields you see in Active Directory Users and Computers do not always match with the LDAP attribute name. To create accounts the LDAP field names must be used.

Below is a reference table that shows the LDAP name (CSV Template column) and what it maps to in Active Directory.

For example, the first name in Active Directory = givenName. The office field in Active Directory = physicalDeliveryOfficeName.

If you look at the provided CSV template, the example has Test for the givenName (First name) and Nixa Office as the physicalDeliveryOfficeName (Office).

Here is a visual to help illustrate this.


Bulk User Modification

In this guide, I’ll demonstrate using the Active Directory User Updater Tool to bulk update user account properties.

Read First:

  • Run a small test first – Run a small test to ensure the accounts are being updated as expected. This is a powerful tool and you can mess up a lot of accounts if you don’t test first.
  • ID Column – This field is used to identify the account that you want to update. Do not remove this column from the CSV. You can use the following attributes to identify accounts:
    • sAMAccountName (default)
    • userPrincipalName
    • mail
    • employeeID
    • employeeNumber
  • DO NOT modify the CSV headers – The tool may not process correctly if you remove or move around the CSV headers.
  • CSV Template – The CSV template includes 32 attributes. You can add additional attributes to the CSV. If you add additional attributes and it doesn’t work, please let me know.
  • Existing values – If an attribute already has a value, the tool will replace the value. If the attribute is blank the tool will add that value.
  • Remove option – Use the remove option to remove any attribute value. You can update and remove attributes at the same time.

Step 1. Download and modify the CSV Template

1. Click on Bulk User Modification

2. Click the “Download CSV Template” button.

You will be prompted to save the CSV file. You can save it anywhere you want.

3. Modify the CSV Template

The provided template includes an example user as a reference on how to fill out the CSV template.

The ID column is used to identify the account in Active Directory. The ID column can be one of the following.

  • sAMAccountName (default)
  • userPrincipalName
  • mail
  • employeeID
  • employeeNumber

Now fill in the CSV with the user accounts and details you want to update. Just fill out the columns that you want to update, the rest can be left blank. You do not need to remove columns that are not used.

For this example, I’m going to update the following attributes.

  • description
  • physicalDeliveryOfficeName
  • streetAddress
  • postOfficeBox
  • title
  • department
  • employeeID
  • manager

Here is what my CSV template looks like.

When you have your CSV template configured save it and move to the next step.

Step 2. Update Options

Click the Update Options button and change any options that you need. You may not need to change any of the default settings.

If you are not using the sAMAccountName attribute to identify the accounts then use the drop-down to change the attribute.

Note: Changes to user proxyAddresses will only occur if you add a value to the proxyaddresses column in the CSV. I cover updating proxyaddresses in a separate how-to guide.

Step 3. Select your CSV file and click run

Next, click the “Select CSV File” button and select your CSV template.

Then click run to start the update.

When the update process is completed, review the logs for any errors. Errors will be in red and will tell you why the error occurred.

All done. Now go check one of the accounts in Active Directory.

Remove User Account Properties

If you want to bulk remove user account properties then just put remove in the CSV column. In this example, I will remove the department information. Here is a screenshot of the CSV.

If any of these users had anything in the department field in Active Directory this tool will remove it.

Now check the logs and Active Directory to verify.

CSV Template CheatSheet

The provided CSV template includes 33 user attributes you can use. You can add additional attributes if needed. Active Directory uses LDAP attribute names to store most account information. This means the user fields you see in Active Directory Users and Computers do not always match with the LDAP attribute name. To update user accounts you must use the LDAP names.

Below is a reference table that shows the LDAP name (CSV Template column) and what it maps to in Active Directory.

For example, the first name in Active Directory = givenName. The office field in Active Directory = physicalDeliveryOfficeName.

If you look at the provided CSV template, the example has Test for the givenName (First name) and Nixa Office as the physicalDeliveryOfficeName (Office).

Here is a visual to help illustrate this.

If you need more visual reference refer to the LDAP Field Mappings guide.

Add Additional User fields to the CSV

You can add additional user attributes to the CSV file, you just need to know the LDAP name. You can find the LDAP name by opening the attribute editor in Active Directory Users and Computers. You could also use PowerShell to list all user account properties.

To see the attribute editor you first need to enable the advanced features in Active Directory Users and Computers.

Click view from the top menu then select advanced features.

Now when you open an account you will see the attribute editor tab.

The attribute editor screen will show you all the user LDAP properties.

Now just find the attribute name and add it to the CSV. For example, I want to add information to the other Home telephone section for users.

In the attribute editor, I see the name is “otherHomePhone”. I will add this to the CSV.

All done. That is how you add additional attributes to the CSV file to import with new accounts.

Task Scheduler

You can run the User Bulk Updater tool on an automated schedule.

Please refer to the Task Scheduler Guide for the steps.


Delete Users

In this guide, you will learn how to use the delete users tool to remove Active Directory user accounts in bulk.

Requirements

  • You need permission to delete user accounts in Active Directory.

Option 1. Search or browse for user accounts.

This tool is located on the management tools page under user management.

Step 1. Click Run to list all accounts in the domain. You can also click browse to display users from a specific OU or group.

When you click run it will display the accounts based on what you selected. In this example, it displays all user accounts from the disabled OU.

Step 2. Select one or multiple accounts that you want to delete and click the delete button.

You will get a popup to confirm the deletion. Click Ok.

Option 2. Bulk Delete users from CSV file

Step 1. Download the included CSV template.

Step 2. Add each user’s logon name (sAMAccountName) to the CSV template.

Here is an example CSV file with 3 user accounts.

Step 3. From the tool select your CSV file and click run.

You will get a popup to confirm the deletion.

The tool will log the accounts it deleted and any errors.

Option 3. Delete Users with specific attribute

You can search, filter the columns, or use the filter editor to find accounts with a specific value.

For example, I right-clicked on the description column and filtered for all accounts that have “disabled” in the description.

Select one or multiple accounts from the filtered list and click the delete button.


Export Users

In this guide, you will learn how to use the export users tool to export Active Directory users to CSV, XLSX, or PDF.

Requirements

  • No special permissions are required.

1. Click on Export Users from the management tools page.

2. Click run to get all domain users

  • By default, the tool will get all domain users
  • To get users from an OU or group click the browse or search button.

Default user attributes

  • sAMAccountname
  • ou
  • memberOf
  • userPrincipalName
  • givenName
  • initials
  • sn
  • displayName
  • description
  • physicalDeliveryOfficeName
  • telephoneNumber
  • mail
  • wwwHomePage
  • streetAddress
  • postOfficeBox
  • l
  • st
  • postalCode
  • c
  • co
  • countryCode
  • profilePath
  • homeDirectory
  • homePhone
  • mobile
  • ipPhone
  • title
  • department
  • company
  • employeeID
  • employeeNumber
  • manager
  • proxyAddresses

To add or remove user properties (attributes) click the column button.

To export the list of users click the export button and select your format.

Filter and Export Specific Users

The grid has built-in filtering options so you can search or filter the results.

For example, to list all users in a specific department I can click on the department column and select only the departments I want to export.

You can create advanced filters by clicking on the filter editor. You can create multiple conditions such as the department begins with “enter value” and the company equals “enter value”.


Move Users

In this guide, you will learn how to use the move users tool to move users from one OU to another OU.

Requirements:

  • You will need permission to move user objects in Active Directory

1. Click on Move users from the management tools page.

2. First you need to display the accounts in the results grid. You can click run to display all domain accounts or click browse to select a specific OU or group.

3. When the accounts are displayed you can select accounts and click move

4. When you click the move button you will then select which OU to move them to.

In this example, I’m moving the selected accounts to my Disabled OU.

Click OK and you will be asked to confirm the move.

Click OK and you will get a pop-up that the action completed.

Move Disabled Users

To move disabled users click run to display all domain users and then filter the status column for disabled accounts.

Now you will have a list of all disabled user accounts. Select the ones you want to move and click the move button.

Move Inactive Users

You can use the lastLogonTimestamp column to find inactive accounts and move them.

Click the filter icon and select the time period.

In this example I selected last year, now it will only display accounts that have a lastLogonTimestamp from last year.

Select the accounts and click the move button.


Lockout Troubleshooter

Description: The lockout troubleshooter tool is used to help you find the source of user account lockouts in Active Directory.

  • Gets events 4771 and 4740 from all domain controllers
  • Displays events in an easy-to-read format

Requirements:

  • You will need permission to read the event logs from all domain controllers
  • Audit Log policy needs to be configured. See Audit Log Settings for step-by-step instructions.

1. Click on Lockout Troubleshooter from the management tools page.

2. Select the date range and click run. If you have a lot of users and multiple domain controllers you might want to limit the date range as it can pull in a lot of events.

The tool will collect the events (4771 and 4740) from all your domain controllers and display them in the results column.

For example, I can see Alonso Hall had an account lockout event (4740) and the source computer was PC1.

There will be times when an account is locked out but the source in event 4740 will be blank. This can happen for a number of reasons, such as the authentication failure coming from a non-domain-joined computer. When this occurs you can use event 4771 to help troubleshoot the lockout.

In the above screenshot, there are multiple authentication failures coming from IPs 192.168.100.11 and .20 for Alonso Hall’s account.
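The same correlation the tool performs, written out as an added PowerShell example (not the toolkit's own code): it pulls 4740 and 4771 from every domain controller, reads the caller computer name from 4740 and the client IP from 4771 by field name, and summarises them per account so a blank 4740 source can be backed up by the 4771 addresses. It assumes the RSAT ActiveDirectory module is installed and the account running it can read the DCs' Security logs.

```powershell
# Added example, not from the AD Pro Toolkit or this guide: collect lockout (4740) and
# Kerberos pre-authentication failure (4771) events from all domain controllers and
# summarise them per account. Assumes the RSAT ActiveDirectory module and read access
# to each DC's Security log.

Import-Module ActiveDirectory

function Get-EventDataValue {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # Look the field up by name in the event XML rather than by Properties[] position
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-LockoutEvents {
    param([int]$Hours = 24, [string]$User)
    $filter = @{ LogName = 'Security'; Id = 4740, 4771; StartTime = (Get-Date).AddHours(-$Hours) }
    $dcs = (Get-ADDomainController -Filter *).HostName
    foreach ($dc in $dcs) {
        # A DC with no matching events returns nothing; SilentlyContinue suppresses that error
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $account = Get-EventDataValue $e 'TargetUserName'
            if ($User -and $account -ne $User) { continue }
            if ($e.Id -eq 4740) {
                # 4740: TargetDomainName carries the "Caller Computer Name"; it is blank when
                # the bad attempts came from a device the DC could not identify
                $source = Get-EventDataValue $e 'TargetDomainName'
                $detail = 'account locked out'
            } else {
                # 4771: IpAddress is the client that sent the failed pre-auth (IPv4 arrives as
                # ::ffff:a.b.c.d); Status 0x18 means the password was wrong
                $source = (Get-EventDataValue $e 'IpAddress') -replace '^::ffff:', ''
                $detail = 'pre-auth failed, status ' + (Get-EventDataValue $e 'Status')
            }
            [pscustomobject]@{
                Time = $e.TimeCreated; DC = $dc; EventId = $e.Id
                Account = $account; Source = $source; Detail = $detail
            }
        }
    }
}

# Raw timeline, then one row per account: lockouts, caller computers, and 4771 client IPs.
# Add -User <logon name> to narrow the search to a single account.
$all = Get-LockoutEvents -Hours 24
$all | Sort-Object Time | Format-Table Time, DC, EventId, Account, Source, Detail -AutoSize

$all | Group-Object Account | ForEach-Object {
    $lockouts = $_.Group | Where-Object EventId -eq 4740
    $failures = $_.Group | Where-Object EventId -eq 4771
    [pscustomobject]@{
        Account    = $_.Name
        Lockouts   = @($lockouts).Count
        CallerPCs  = (@($lockouts.Source) | Where-Object { $_ } | Sort-Object -Unique) -join ', '
        FailureIPs = (@($failures.Source) | Where-Object { $_ } | Sort-Object -Unique) -join ', '
    }
} | Format-Table -AutoSize
```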


Password Reset & Unlock

In this guide, you will learn how to use the Active Directory Password Reset Tool to reset user account passwords and unlock accounts.

  • Quickly reset user accounts.
  • Easily find all locked users and unlock them.

Requirements:

  • You will need permission to unlock user account objects in Active Directory

How to use the Password Reset Tool

1. Click on Password Reset from the management tools page.

2. To reset a user account click browse to browse for the account or click search.

In this example, I’ll reset the user Alonso.Hall.

3. Select the reset options and click the reset account button.

In this example, I’m going to reset the password and set the account to change password at next logon.

When you click the “reset account” button you will get a popup.

Find Locked Users

To find all locked users click the “Check for Locked Users” button.

To unlock an account right click and select “unlock”.


AD Cleanup

This guide describes how to use the AD Cleanup Tool to find inactive user and computer accounts in Active Directory.

Details:

  • The toolkit uses the computer’s lastLogonTimestamp to find inactive computer accounts.
  • You can enter any number of days to search for inactive computers.
  • Note: The lastLogonTimestamp does not provide real-time logon details. Therefore it is recommended to search for at least 30 days of computer activity.

Find Inactive User Accounts

1. Click on AD Cleanup from the management tools page.

2. Select the time range and click run. By default, the tool searches inactive users for 90 days.

If you want to search an OU or group click browse or search to select the objects.

3. If you want to disable any account select them from the list and click the disable button.

4. To move accounts select them and click the move button.

Find Disabled Users

To find all disabled users click the “disabled users” box and click run.

Users with No Logons

Users with no logons are accounts that have no date in the lastLogonTimestamp attribute.

Click on “users with no logons” and click run.

Expired Users

Expired accounts are accounts that have a date set under the account expires settings.

To find all expired users click the “expired users” box and click run.

Find Inactive Computers

To find inactive computers click the “Inactive Computers” box, select the time range, and click run.

Find Empty Groups

Empty groups are groups that have no members.

To find all empty groups click the “empty groups” box and click run.


AD Health Monitor

The AD Health Monitor Tool is used to check the health of your domain controllers.

  • By default runs 20 diagnostic tests.
  • Comprehensive will run 27 tests (but will take longer for each DC).
  • Can be run on a schedule with email reports
  • Optionally get critical event logs from the domain controllers.

Requirements:

  • Requires domain administrator rights.
  • If running on a non-domain controller the RSAT tools will need to be installed.

1. Click on AD Health Monitor from the Management Tools page (Listed under Other Tools).

2. Click the “Select Domain Controller” button and select the DCs you want to test.

3. Click “Test Options” and change the default options if needed.

4. Click run to start the tests.

If you have any failed tests you can click the log file to view the details.

If you select to include the event logs click the event logs tab.

To run this tool on an automated schedule click “Scheduler”. Choose “AD Health Monitor” from the task type.


Import OUs

The import OUs tool will bulk create new OUs from a CSV file.

Requirements:

  • You will need permission to create objects in Active Directory

1. Click on Import OUs from the management tools page.

2. Download and modify the CSV template

The template contains two columns.

  • Name = name of the OU
  • distinguishedName = This will be the path where the OU is created.

The included template provides an example of how to fill out the CSV.

When your template is filled out move to step 3.

3. Select CSV file and click run.


Create Groups

The Create Groups tool will bulk import new Active Directory security groups from a CSV file.

Requirements:

  • Permissions to create objects in Active Directory

1. Click on Create Groups from the management tools page.

2. Download the included CSV template

3. Modify the template

The template includes the following group attributes:

  • Name
  • distinguishedName = This is the location where the new groups will be created.
  • groupCategory
  • groupScope
  • description
  • mail

Example CSV template for importing new groups.

4. Select the template and click run

When you have your template filled out click on Select Template and then click Run to start the import.

Review the logs for any import issues.

Now check Active Directory to verify the groups imported.


Copy User Groups

Description: The Copy User Groups tool will copy one user’s group membership to another user. This makes it easy if you want two users to have the same permissions.

Requirements:

  • You will need permission to modify Active Directory user accounts and groups.

1. Click on Copy User Groups from the management tools page.

2. Select the source account

The source account is the user whose group membership you want to copy to another user.

Click browse to select the account (You will get a search box).

3. Select the destination account

Now select the account that you want to copy the source account’s groups to.

4. Click run

Now if I look at the two users’ Member Of tabs, both users are members of the same groups.


Group Membership Report

Description: The group membership report tool will generate a list of all users and Active Directory groups they are a member of.

  • Get all users group membership
  • Get nested group membership
  • Sort and filter the results

Requirements:

  • No special permissions are required.

1. Click on Group Membership Report from the management tools page.

2. Select path and options.

  • Search the entire domain is the default search option
  • Click browse to select an OU or group
  • Click search to find a specific group
  • Nested groups are included by default; uncheck the box if you do not need nested groups.
  • To include contacts in the report check the include contacts box.

3. Click run to generate the report

In this example, I’m going to search the entire domain.

If you have many users this could take a few minutes to run. I have 10,000 users in my lab and this took about 2 minutes to complete.

4. If you want to add or remove user fields click the columns button. You may need to re-run the report if you add additional fields.

5. To export the report click the export button

Search, Filter, and Sort

The results box has built-in sorting features. Below are a few examples of what you can do.

To group the report by the memberOf column, right-click the column and select “Group by this column”.

This creates a report like below.

To search the results click the search icon, it will search on all columns in the result grid.

To create an advanced filter with multiple conditions, right-click any column and select “Filter Editor”.


Update Group Membership

Description: The Update Group Membership tool is used to bulk add users to, or remove users from, Active Directory groups.

  • Add users to groups
  • Remove users from groups
  • Remove groups from groups
  • Add groups to groups

Requirements:

  • You will need permission to modify group memberships in Active Directory

1. Click on Update Group Membership from the management tools page.

2. Download and modify the CSV template.

The CSV contains two columns:

  • sAMAccountName = This is the account or group that you want to update.
  • memberof = This is the target group(s) that you want to add to or remove from. To modify multiple groups, separate them with a comma (see example below).

Here is an example CSV.

In the above example, test.user1 will be added to group1 and group2.

test.user2 will be added to group1, group2 and group3.

When you have the CSV template ready move to step 3.

3. Select options (default is Add Users to Groups).

4. Select your CSV file and click run.

Review the log output for any errors.

Add or Remove Groups from Groups

Select “Remove Groups from Groups” or “Add Groups to Groups”

CSV example.

In the above example, this will add group1 to group2 and group3.


Windows Uptime

Description: In this guide, you will learn how to use the Windows Uptime tool to report on servers and client computer uptime.

Requirements:

  • WMI needs to be allowed inbound. If you have the Windows firewall enabled see firewall documentation for the GPO firewall settings to enable WMI.

1. Click on Windows Uptime from the management tools page.

2. Click run to scan all computers. Click browse to select an OU or group.

Computers that are offline or blocked will display “Unable to Connect”.


Local Admin Report

Description: The Local Admin Report tool is used to get the members of the local administrator group on remote computers. In addition, it can display members of all local groups and nested groups.

Requirements:

  • WMI needs to be allowed inbound. If you have the Windows firewall enabled see Firewall docs for the GPO firewall settings to enable WMI.
  • You will need administrator rights on the remote computers.

Scan all Domain Computers

1. Click on “Local Admin Report” from the management tools page.

2. Click Run

The default search option is the entire domain, click Run to start the scan.

The report has the following columns.

  • Computer = The remote computer hostname
  • Group Name = The name of the local group
  • Member Name = The name of the user or group that is a member of the group
  • Object Class = The member’s object class
  • Principal Source = This indicates if the member is a domain object or local object
  • Status = Computer status

Report Example.

In the above example, the server SRV09 has the following accounts as a member of the local administrators group.

  • Administrator (local user object)
  • Domain Admins (domain group)
  • it_wrk_admins (domain group)

Scan Computers in a Specific OU or Group

To scan computers in a specific OU or group click the browse button.

Now when you run the tool it will only scan the computers from the selected OUs or groups.

Scan Computers from a CSV List

To scan a list of specific computers you can use a CSV list.

1. Download the csv template.

2. Enter each computer name in the csv file.

3. Select “CSV file” and choose the template you filled in.

Scan All Local Groups

By default, the tool will only get members from the local administrator group.

To get all groups click the “Show All groups” box.

When you run the tool it will now include all local groups.

Include Nested Group Membership

By default, the tool will get direct members only. To also show the members of groups that are themselves members, click “Include nested groups”.

Here is a before screenshot (no nested groups), and a screenshot after enabling “Include nested groups”.

The report now includes all the members of the “it_wrk_admins” group.
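The same report can be produced from PowerShell. The script below is an added example and is not AD Pro Toolkit code: it builds the same columns as the Local Admin Report and expands nested domain groups when asked. It assumes PowerShell Remoting is enabled on the targets (the toolkit itself uses WMI) and, for -IncludeNested, the RSAT ActiveDirectory module on the scanning computer. The hostnames are constructed sample values.

```powershell
# Added example, not AD Pro Toolkit code: Local Admin Report style output with PowerShell.
# Assumes PowerShell Remoting on the targets and, for -IncludeNested, the RSAT
# ActiveDirectory module locally. Hostnames below are constructed sample values.
param(
    [string[]]$ComputerName = @('SRV09', 'PC2'),
    [string]$Group = 'Administrators',
    [switch]$IncludeNested
)

function Expand-NestedMembers {
    # Recursively list the members of a domain group ("Include nested groups")
    param([string]$GroupName, [string]$Computer, [string]$ParentGroup)
    Get-ADGroupMember -Identity $GroupName -Recursive | ForEach-Object {
        [pscustomobject]@{
            Computer        = $Computer
            GroupName       = "$ParentGroup > $GroupName"
            MemberName      = $_.SamAccountName
            ObjectClass     = $_.objectClass
            PrincipalSource = 'ActiveDirectory'
            Status          = 'OK (nested)'
        }
    }
}

$report = foreach ($computer in $ComputerName) {
    try {
        $members = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            param($g)
            Get-LocalGroupMember -Group $g | Select-Object Name, ObjectClass, PrincipalSource
        } -ArgumentList $Group
    } catch {
        # Offline, blocked by the firewall, or no admin rights: report it instead of failing
        [pscustomobject]@{ Computer = $computer; GroupName = $Group; MemberName = $null
                           ObjectClass = $null; PrincipalSource = $null
                           Status = "Unable to Connect: $($_.Exception.Message)" }
        continue
    }
    foreach ($m in $members) {
        # Direct members, one row each (the default behaviour of the tool)
        [pscustomobject]@{ Computer = $computer; GroupName = $Group; MemberName = $m.Name
                           ObjectClass = $m.ObjectClass; PrincipalSource = "$($m.PrincipalSource)"
                           Status = 'OK' }
        # Expand domain groups such as it_wrk_admins only when asked
        if ($IncludeNested -and $m.ObjectClass -eq 'Group' -and "$($m.PrincipalSource)" -eq 'ActiveDirectory') {
            Expand-NestedMembers -GroupName ($m.Name -split '\\')[-1] -Computer $computer -ParentGroup $Group
        }
    }
}

$report | Format-Table -AutoSize
```

Save the script and run it as `.\Get-LocalAdmins.ps1 -ComputerName SRV09 -IncludeNested` (file name assumed). Rows whose Status starts with “Unable to Connect” correspond to the computers the tool lists with that status, and the Troubleshooting section at the end of this guide applies to them.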

Schedule Scans (Automated Reports)

The local admin report tool can be run on an automated schedule with email reports.

1. Click on Scheduler

Note: If you want automated email reports you will first need to configure the email settings.

2. Click on Add and select “Local Admins Report”.

Click Next and complete the steps to create a task.


Local Certificates Report

Description: In this guide, you will learn how to use the Local Certificates Report Tool to report on servers' locally installed certificates. The tool will report on certificates from the following stores:

  • Personal
  • Trusted Root Certification Authorities
  • Trusted Publishers

Requirements:

  • The Remote Registry Windows service needs to be started on the target computers.
    • On Windows servers this service is set to automatic by default.
    • On Windows client computers (10/11) the service is disabled by default.

1. Click on Local Certificates Report from the management tools page.

2. Click Run to scan all domain computers. Click browse to select an OU or group.

The report includes the following columns:

  • Computer
  • Store Name
  • Issued To
  • Issued By
  • Expiration Date
  • Friendly Name
  • Status
  • Thumbprint
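To see where the data in these columns comes from, here is an added example (not part of the AD Pro Toolkit) that reads the same three stores from remote computers with PowerShell. Opening an X509Store as “\\computer\store” goes through the Remote Registry service, which is why the requirement above matters. The hostnames are constructed samples and the 30-day warning threshold for the Status column is an assumption of the example.

```powershell
# Added example, not AD Pro Toolkit code: report certificates in the Personal, Trusted Root
# and Trusted Publishers stores of remote computers via the Remote Registry service.
# Hostnames are constructed samples; $warnDays is an assumed threshold.
$computers = @('SRV09', 'PC2')
$warnDays  = 30
$stores = [ordered]@{
    'Personal'                               = 'My'
    'Trusted Root Certification Authorities' = 'Root'
    'Trusted Publishers'                     = 'TrustedPublisher'
}

function New-CertRow {
    param($Computer, $StoreName, $Cert, $Status)
    [pscustomobject]@{
        Computer       = $Computer
        StoreName      = $StoreName
        IssuedTo       = if ($Cert) { $Cert.GetNameInfo('SimpleName', $false) }
        IssuedBy       = if ($Cert) { $Cert.GetNameInfo('SimpleName', $true) }
        ExpirationDate = if ($Cert) { $Cert.NotAfter }
        FriendlyName   = if ($Cert) { $Cert.FriendlyName }
        Status         = $Status
        Thumbprint     = if ($Cert) { $Cert.Thumbprint }
    }
}

$report = foreach ($computer in $computers) {
    foreach ($entry in $stores.GetEnumerator()) {
        # "\\computer\store" opens the remote machine store through Remote Registry
        $store = [System.Security.Cryptography.X509Certificates.X509Store]::new(
            "\\$computer\$($entry.Value)", 'LocalMachine')
        try {
            # Fails when Remote Registry is stopped (the client OS default) or blocked
            $store.Open('ReadOnly, OpenExistingOnly')
        } catch {
            New-CertRow -Computer $computer -StoreName $entry.Key -Cert $null `
                        -Status "Unable to Connect: $($_.Exception.Message)"
            continue
        }
        foreach ($cert in $store.Certificates) {
            $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
            $status = if ($daysLeft -lt 0) { 'Expired' }
                      elseif ($daysLeft -le $warnDays) { "Expires in $daysLeft days" }
                      else { 'Valid' }
            New-CertRow -Computer $computer -StoreName $entry.Key -Cert $cert -Status $status
        }
        $store.Close()
    }
}

# Soonest expiry first, so certificates about to lapse are at the top
$report | Sort-Object ExpirationDate | Format-Table -AutoSize
```

Sorting by ExpirationDate puts expired and soon-to-expire certificates at the top, which is usually the reason for running this report; the Thumbprint column lets you match a row to the exact certificate on the server.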

NTFS Permissions

Description: In this guide, you will learn how to use the NTFS Permissions Report Tool to get NTFS permissions on UNC or local folders.

Requirements:

  • Permission to access the target folder and subfolders

1. Click on NTFS Permissions from the management tools page.

2. Enter the local or UNC path or click browse.

By default (folder depth 0), the tool scans all sub-folders. To limit how many levels deep the scan goes, enter a folder depth.

3. Click Run.

The report contains the following columns.

  • DirectoryName
  • Account
  • DirectoryOwner
  • DirectoryRights
  • Type (Allow or Deny)
  • AppliesTo
  • IsInherited

Search NTFS Permissions

Use the search box to search for users, groups, specific permissions, or anything from the results grid.

For example, I’ll search for folders that have the everyone group applied to the permissions.
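For comparison, the following is an added PowerShell example, not AD Pro Toolkit code, that produces a report with the same columns for a folder tree and then runs the same “everyone” search over it. The share path is a constructed sample, and the folder depth uses the tool's convention where 0 means all sub-folders.

```powershell
# Added example, not AD Pro Toolkit code: NTFS permission report with the tool's columns,
# followed by the "everyone" search. The UNC path is a constructed sample.
function Get-AppliesTo {
    # Translate inheritance/propagation flags into the wording Explorer shows
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    $ci = [bool]($Ace.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
    $oi = [bool]($Ace.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
    $io = [bool]($Ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)
    $scope = switch ("$ci,$oi") {
        'True,True'  { 'subfolders and files' }
        'True,False' { 'subfolders' }
        'False,True' { 'files' }
        default      { $null }
    }
    if (-not $scope) { return 'This folder only' }
    if ($io) { return $scope.Substring(0, 1).ToUpper() + $scope.Substring(1) + ' only' }
    return "This folder, $scope"
}

function Get-NtfsPermissionReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Depth = 0      # 0 = all sub-folders, matching the tool's default
    )
    $folders = @(Get-Item -LiteralPath $Path)
    $gci = @{ LiteralPath = $Path; Directory = $true; Recurse = $true; ErrorAction = 'SilentlyContinue' }
    if ($Depth -gt 0) { $gci.Depth = $Depth - 1 }   # Get-ChildItem -Depth 0 is one level down
    $folders += @(Get-ChildItem @gci)
    foreach ($folder in $folders) {
        try { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { Write-Warning "No access to $($folder.FullName)"; continue }
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                DirectoryName   = $folder.FullName
                Account         = $ace.IdentityReference.Value
                DirectoryOwner  = $acl.Owner
                DirectoryRights = $ace.FileSystemRights
                Type            = $ace.AccessControlType
                AppliesTo       = Get-AppliesTo -Ace $ace
                IsInherited     = $ace.IsInherited
            }
        }
    }
}

$report = Get-NtfsPermissionReport -Path '\\FS01\Share\Projects' -Depth 0
$report | Format-Table -AutoSize

# Same as typing "everyone" in the search box: folders where the Everyone group has an ACE
$report | Where-Object { $_.Account -eq 'Everyone' } |
    Format-Table DirectoryName, DirectoryRights, Type, AppliesTo, IsInherited -AutoSize
```

The last pipeline is the search from the text above; changing the filter to `$_.Type -eq 'Deny'` or `$_.IsInherited -eq $false` gives the other common checks (explicit deny entries and folders where inheritance was broken).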


Firewall Status

Description: The Firewall Status tool will get the firewall status and rules from remote Windows computers.

Requirements:

  • This tool uses the Invoke-Command cmdlet, which requires PowerShell Remoting to be enabled on the remote computers.

1. Click on Firewall Status from the management tools page.

2. You can run this tool on all domain computers or click browse to select an OU or group.

Select from the following options.

  • Get Firewall Status – This will show each firewall profile and report if it is on or off.
  • Get Firewall Rules – Displays the firewall rules on the remote computer.
  • Ping First – Checks if the computer is online before attempting to scan the Firewall Rules.

Firewall Status Example.

Firewall Rules Example.
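The following added example (PowerShell, not AD Pro Toolkit code) shows the three options above implemented with Invoke-Command, which is why PowerShell Remoting has to be enabled on the targets. The hostnames are constructed samples.

```powershell
# Added example, not AD Pro Toolkit code: firewall profile status and enabled inbound
# rules from remote computers with Invoke-Command (PowerShell Remoting required).
# Hostnames are constructed samples.
$computers = @('SRV09', 'PC2')
$getRules  = $true    # "Get Firewall Rules" option
$pingFirst = $true    # "Ping First" option

function New-FwRow {
    param($Computer, $Kind, $Name, $Enabled, $Action, $Detail)
    [pscustomobject]@{ Computer = $Computer; Kind = $Kind; Name = $Name
                       Enabled = $Enabled; Action = $Action; Detail = $Detail }
}

$remote = {
    param($withRules)
    # "Get Firewall Status": one row per profile, with its default inbound action
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Kind = 'Profile'; Name = $_.Name
                           Enabled = ("$($_.Enabled)" -eq 'True')
                           Action = "DefaultInbound=$($_.DefaultInboundAction)"; Detail = $null }
    }
    if ($withRules) {
        # "Get Firewall Rules": enabled inbound rules with their port and remote address scope
        Get-NetFirewallRule -Enabled True -Direction Inbound | ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Kind = 'Rule'; Name = $_.DisplayName
                               Enabled = $true; Action = "$($_.Action)"
                               Detail = "$($port.Protocol)/$($port.LocalPort) from $($addr.RemoteAddress)" }
        }
    }
}

$results = foreach ($computer in $computers) {
    # "Ping First": skip hosts that do not answer instead of waiting for a remoting timeout
    if ($pingFirst -and -not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        New-FwRow $computer 'Status' 'Offline (no ping reply)' $null $null $null
        continue
    }
    try {
        Invoke-Command -ComputerName $computer -ScriptBlock $remote -ArgumentList $getRules -ErrorAction Stop |
            Select-Object Computer, Kind, Name, Enabled, Action, Detail
    } catch {
        New-FwRow $computer 'Status' "Unable to Connect: $($_.Exception.Message)" $null $null $null
    }
}

# Firewall Status: a profile with Enabled = False stands out immediately
$results | Where-Object Kind -ne 'Rule' | Format-Table -AutoSize

# Firewall Rules: enabled inbound allow rules open to any remote address are worth reviewing first
$results | Where-Object { $_.Kind -eq 'Rule' -and $_.Action -eq 'Allow' -and $_.Detail -like '* from Any' } |
    Format-Table Computer, Name, Detail -AutoSize
```

Ping First only saves time; a computer can block ICMP and still accept remoting, so set $pingFirst to $false if your network drops ping.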


Service Account Management

Description: In this guide, you will learn how to use the service account management tool to scan your network to find service accounts in use.

  • Scans remote computers and gets details on scheduled tasks and Windows Services.
  • Find accounts that are being used as service accounts (running scheduled tasks and Windows services).

Requirements:

  • WMI needs to be allowed inbound. If you have the Windows firewall enabled see Firewall docs for the GPO firewall settings to enable WMI.
  • You will need administrator rights on the remote computers.

1. Click on Service Account Management from the management tools page.

2. By default, the tool will scan all domain computers. Click browse to select an OU or group. You can also click search to find a specific computer.

3. Click Run.

This will give you an inventory of all running services and tasks on remote computers.

You can search or filter the results. For example, I’ll click the filter icon and I’ll see a list of accounts that are in use.

You can also use the search box to find specific accounts in use.

If you want to search the domain for a specific account click the find box and enter a keyword.
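As an added example (not AD Pro Toolkit code), the script below collects the same inventory with PowerShell: Windows services and scheduled tasks on remote computers, read over a DCOM (WMI) CIM session so the inbound WMI firewall rules and administrator rights listed above are the requirements, followed by the list of accounts in use. The hostnames are constructed samples, and the list of built-in identities to ignore is an assumption of the example.

```powershell
# Added example, not AD Pro Toolkit code: inventory services and scheduled tasks over a
# DCOM (WMI) CIM session and report the accounts that run them. Hostnames are constructed
# samples; the built-in identity pattern is an assumption.
$computers = @('SRV09', 'PC2')
# Identities that are never "service accounts" in the sense of this tool
$builtIn = '^(LocalSystem|NT AUTHORITY\\.+|NT SERVICE\\.+|LOCAL SERVICE|NETWORK SERVICE|SYSTEM|S-1-5-\d+)$'
$dcom = New-CimSessionOption -Protocol Dcom

$inventory = foreach ($computer in $computers) {
    try {
        $session = New-CimSession -ComputerName $computer -SessionOption $dcom -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Computer = $computer; Type = 'n/a'; Name = $null; Account = $null
                           State = "Unable to Connect: $($_.Exception.Message)" }
        continue
    }
    # Win32_Service.StartName is the logon account of each service
    Get-CimInstance -CimSession $session -ClassName Win32_Service | ForEach-Object {
        [pscustomobject]@{ Computer = $computer; Type = 'Service'; Name = $_.Name
                           Account = $_.StartName; State = $_.State }
    }
    # Scheduled tasks expose their run-as identity through Principal.UserId
    Get-ScheduledTask -CimSession $session | ForEach-Object {
        [pscustomobject]@{ Computer = $computer; Type = 'Scheduled Task'; Name = $_.TaskName
                           Account = $_.Principal.UserId; State = "$($_.State)" }
    }
    Remove-CimSession $session
}

# Full inventory, the equivalent of the results grid
$inventory | Format-Table -AutoSize

# Accounts in use, the equivalent of the filter icon / search box
$inventory |
    Where-Object { $_.Account -and $_.Account -notmatch $builtIn } |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, Count,
                  @{ n = 'UsedOn'; e = { ($_.Group.Computer | Sort-Object -Unique) -join ', ' } }
```

The UsedOn column is the useful part for clean-up work: an account that runs services on many computers is one whose password change or removal needs coordinating, and one that appears on a single machine under a user's own name is the typical candidate for moving to a dedicated service account.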

Troubleshooting

Issue #1. Unable to Connect – The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)

Resolution:

This is typically a firewall issue. Verify the following firewall rules are enabled inbound on the target computer.

Issue #2. Unable to Connect – The RPC server is unavailable.

Resolution:

The computer is offline or unreachable. Verify the computer is online and can be reached by your computer.

Issue #3. Unable to Connect – Access is denied.

Resolution:

The computer has lost its trust relationship with Active Directory or you do not have administrator rights.

Verify WMI Connectivity with PowerShell

Use the following command to test the WMI connection from your local computer (that has the AD Pro Toolkit installed) to the remote computer. Replace PC2 with the remote computer hostname.

Get-WmiObject -query "SELECT * FROM Win32_OperatingSystem" -ComputerName PC2

If the connection is successful you will get a message like below.

If WMI is being blocked you will get a message like below.
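To check several computers at once, here is an added PowerShell example (not AD Pro Toolkit code) that runs the same Win32_OperatingSystem query against a list of hosts, sorts failures into the three issues above by combining the error with a ping result, and, because the query returns LastBootUpTime, also computes the uptime that the Windows Uptime tool reports. It assumes Windows PowerShell 5.1, where Get-WmiObject is available; the hostnames are constructed samples.

```powershell
# Added example, not AD Pro Toolkit code: WMI connectivity test with troubleshooting
# classification and uptime. Assumes Windows PowerShell 5.1 (Get-WmiObject);
# hostnames are constructed samples.
function Test-WmiConnectivity {
    param([string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        # Ping result separates "firewall blocks RPC" from "host is down"
        $online = Test-Connection -ComputerName $computer -Count 1 -Quiet
        try {
            $os = Get-WmiObject -Query 'SELECT * FROM Win32_OperatingSystem' `
                                -ComputerName $computer -ErrorAction Stop
            $boot = $os.ConvertToDateTime($os.LastBootUpTime)
            [pscustomobject]@{ Computer = $computer; Ping = $online; Wmi = 'OK'
                               LastBoot = $boot; Uptime = (Get-Date) - $boot
                               Diagnosis = 'WMI reachable' }
        } catch {
            $ex = $_.Exception
            # 0x800706BA (RPC server unavailable) as a signed Int32 is -2147023174
            $rpcUnavailable = ($ex.HResult -eq -2147023174) -or ($ex.Message -match 'RPC server is unavailable')
            $diagnosis = if (-not $online) {
                'Issue #2: computer offline or unreachable'
            } elseif ($rpcUnavailable) {
                'Issue #1: host answers ping but RPC/WMI is blocked - check inbound WMI firewall rules'
            } elseif ($ex -is [System.UnauthorizedAccessException] -or $ex.Message -match 'Access is denied') {
                'Issue #3: access denied - check administrator rights or the trust relationship'
            } else {
                "Other error: $($ex.Message)"
            }
            [pscustomobject]@{ Computer = $computer; Ping = $online; Wmi = 'Unable to Connect'
                               LastBoot = $null; Uptime = $null; Diagnosis = $diagnosis }
        }
    }
}

Test-WmiConnectivity -ComputerName 'PC2', 'SRV09' | Format-Table -AutoSize
```

Run it from the computer that has the AD Pro Toolkit installed, with the same account you use for the toolkit, so the result reflects exactly the path and credentials the tool will use.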