You can't install RSAT on computers that are running Home or Standard editions of Windows. You can install RSAT only on Professional or Enterprise editions of the Windows client operating system. Unless the download page specifically states that RSAT applies to a beta, preview, or other prerelease version of Windows, you must be running a full (RTM) release of the Windows operating system to install and use RSAT. Some users have found ways of manually cracking or hacking the RSAT MSU to install RSAT on unsupported releases or editions of Windows. This behavior is a violation of the Windows end-user license agreement.
Installing RSAT is similar to installing Adminpak.msi in Windows 2000-based or Windows XP-based client computers. However, there's one major difference: in Windows 7, the tools aren't automatically available after you download and install RSAT. Enable the tools that you want to use by using Control Panel. To enable the tools, click Start, click Control Panel, click Programs and Features, and then click Turn Windows features on or off.
Active Directory Users and Computers (ADUC) is a Microsoft Management Console snap-in that you use to administer Active Directory (AD). You can manage objects (users, computers), Organizational Units (OU), and attributes of each.
A domain administrator may create containers (OUs) based on a physical or logical organization structure. Using a context menu, you can create new AD objects (users, groups, computers, OUs, contacts), rename, move, or delete objects. Depending on the selected object type, context menu options may vary.
Scan remote computers to find out who has local administrator rights. By default, this tool will query the local administrators group and display all its members (local and domain accounts). You can quickly sort or filter the groups to get a list of all users and groups that have local administrator rights.
The AD Pro Toolkit includes over 200 built-in reports for users, computers, groups, and security. Easily generate reports on all users, enabled or disabled users, bad password attempts, inventory computers by operating system, and much more.
The main benefit is that it simplifies Active Directory management. One of the most popular tasks of working with Active Directory is to create new user accounts. The built-in tools provide no options for bulk importing new accounts, so it becomes very time-consuming. With the AD Pro Toolkit you can easily bulk import, bulk update, and disable user accounts.
Active Directory Bridging (AD Bridging) is a mechanism that allows users to log on to non-Windows systems using Active Directory (AD) login credentials. Active Directory is a Windows directory service that lets IT administrators easily manage the users, applications, data, and other aspects of their IT network.
Before executing any Active Directory synchronization with Duo, understand the effect that synchronization can have on accounts with the same name. Suppose that you already have some Duo users, and one or more of these users have the same username on your Active Directory server. Performing a synchronization will cause the existing Duo users' information to be merged with, and in some cases overwritten by, the Active Directory information, such as email addresses in Duo changing to match the value stored in the synced directory.
If you have previously created an Active Directory sync for users or administrators you can either create another new connection or reuse an existing connection to that directory for this new sync. User syncs and admin syncs can share connections to the same source directory.
Download the Authentication Proxy authproxy.cfg file for your AD domain sync by clicking the download a pre-configured file link in step 2 of the Duo Authentication Proxy section of the directory properties page. This file contains the values needed to set up the connection. You could also copy the values directly from the Admin Panel to paste into your server's config file.
To configure an existing Authentication Proxy server for directory sync, append the [cloud] section of the config file downloaded from the Duo Admin Panel directory properties page to the current authproxy.cfg file located in the Duo Security Authentication Proxy conf folder. If you already have a [cloud] section present (and you are running proxy version 5.2.0 or later), increment the next section you're adding as [cloud2].
Once you see your intended group (or a list of groups), click to select the desired group to sync. Repeat this until you've added all the groups you want to import. You can select up to 400 groups to sync from the source directory. Members of the groups you choose here will be synced as users into Duo.
Nested groups are supported; Duo sync imports users from groups nested within your sync group, but creates only the top level group in Duo (the group explicitly selected for directory sync), with all nested group members as direct members of that Duo group.
Required. The source attribute for the Duo username. The attribute selected should match the primary authentication login name your users submit to Duo. This attribute cannot be customized after the first directory synchronization occurs.
Be sure to choose directory attributes that have unique values (email address, employee ID, etc.). If any of the username or username alias attribute values is the same for two or more users, those users will be skipped by the sync process.
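A pre-sync check for the two conditions described above, written as an added example (not Duo's code or tooling): attribute values shared by two or more users, which the sync skips, and directory usernames that match existing Duo users, whose information the sync merges or overwrites. The sample records, the `example.test` domain, the function names, and the case-insensitive comparison are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample data: a directory export with the attribute chosen as the
# Duo username source, plus any username alias attribute values.
DIRECTORY_USERS = [
    {"dn": "CN=Ann Lee,OU=Staff,DC=example,DC=test", "username": "alee", "aliases": ["alee@example.test"]},
    {"dn": "CN=Alan Lee,OU=Contractors,DC=example,DC=test", "username": "alee2", "aliases": ["ALEE@example.test"]},
    {"dn": "CN=Bo Chen,OU=Staff,DC=example,DC=test", "username": "bchen", "aliases": []},
    {"dn": "CN=Cy Diaz,OU=Staff,DC=example,DC=test", "username": "cdiaz", "aliases": ["cdiaz@example.test"]},
]
# Constructed sample: usernames that already exist in Duo before the first sync.
EXISTING_DUO_USERNAMES = {"bchen", "zoe"}


def normalize(value):
    # Assumption of this example: values are compared case-insensitively.
    return value.strip().lower()


def find_skipped(users):
    """Return {value: [dn, ...]} for username/alias values shared by 2+ users."""
    owners = defaultdict(set)
    for user in users:
        for value in [user["username"], *user["aliases"]]:
            if value:
                owners[normalize(value)].add(user["dn"])
    return {v: sorted(dns) for v, dns in owners.items() if len(dns) > 1}


def find_merges(users, existing):
    """Return directory usernames that match an existing Duo username."""
    existing_norm = {normalize(name) for name in existing}
    return sorted(normalize(u["username"]) for u in users
                  if normalize(u["username"]) in existing_norm)


def presync_report(users, existing):
    """Duplicates are reported first; merge candidates exclude skipped users."""
    skipped = find_skipped(users)
    skipped_dns = {dn for dns in skipped.values() for dn in dns}
    candidates = [u for u in users if u["dn"] not in skipped_dns]
    return {"skipped": skipped, "merges": find_merges(candidates, existing)}


if __name__ == "__main__":
    report = presync_report(DIRECTORY_USERS, EXISTING_DUO_USERNAMES)
    for value, dns in report["skipped"].items():
        print(f"SKIP  {value}: shared by {len(dns)} users -> {dns}")
    for name in report["merges"]:
        print(f"MERGE {name}: existing Duo user will take directory values")
```

Reviewing the merge list before the first sync matters because the username source attribute cannot be changed afterwards.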
Select the Enrollment Email option if you want imported users to automatically receive an enrollment link email when the sync process completes. Only users imported with active status, a valid email address, and who do not already have any enrolled authentication devices in Duo receive an emailed link. The email address is populated by AD sync.
The directory page shows the status as "Connected to Duo" and the "Sync status" indicates when the next scheduled sync will run now that all directory configuration steps have been completed successfully. If you wish, you can click the Sync Now button to perform the first import of users from your directory into Duo.
After adding new users to Duo through Active Directory synchronization, your next step is to have them activate their Duo access (if you chose not to send enrollment emails to synced users when creating your directory in Duo). Because a phone created by directory sync defaults to the "Generic Smartphone" platform, on the Users page you'll see a notification bar indicating that users have not yet activated the Duo Mobile smartphone app. This bar provides a link to click to send these users activation links.
If you did choose to send enrollment emails to synced users automatically, the Pending Enrollments table shows which users created by directory sync (or bulk enrollment) have not yet completed enrolling their 2FA devices in Duo, along with the user's email address and the expiration date for the enrollment link previously sent.
Click Delete to remove a pending enrollment. Deleting a pending enrollment immediately invalidates any unexpired enrollment link previously sent to that user. The next time directory sync runs, a new enrollment link will be emailed to that user, as long as they remain a member of a synced group and the sync configuration still has the "Enrollment Email" option enabled.
Perform a manual full sync of the users in your directory to Duo by clicking Sync Now in the "Sync Controls" section. This immediately imports all members of your selected AD groups into Duo, creating and updating users and groups as necessary.
When you just need to import information for a few users from Active Directory you can interactively sync selected users instead of syncing the entire directory. For example, you may have some new employee accounts in AD who need a corresponding Duo account, or you might have just disabled an AD user and need that status carried over to Duo. Syncing these individual user accounts updates Duo immediately.
Type up to 50 Active Directory user names as a comma-separated list into the Sync individual users text box found in the "Sync Controls" section on the directory's properties page. If you used a different source attribute than sAMAccountName for the Duo username, you must type each username exactly as it is shown (or will be shown) in Duo, i.e. if you opted to use mail as the username attribute, you must enter the values of the mail attribute as the usernames to sync.
Additionally, individually synced users must be members of a group specified in your directory sync's configuration. If you try to sync an individual user who is not a member of a selected group then no update of that user occurs.
In addition to syncing individual users by username from the directory's details page, you can also perform an individual sync on an existing Duo user by visiting that user's properties page in the Duo Admin Panel and clicking the Sync This User link at the top-right.
Should you want to put your directory sync on hold to prevent it from making changes to your imported users, you can do so without removing your Active Directory configured sync from Duo. Use the pause functionality to stop scheduled syncs from running until you want to resume them.
Deleting a directory sync from Duo doesn't delete or disable any of the previously imported objects. When you delete a synced directory from Duo, then the users, phones, and groups formerly managed by that sync remain available and get converted to unmanaged Duo objects that can be manually updated or deleted.
You do not enable import of Notes when you create your AD directory sync. The sync imports the username, email, and name from AD, but imports no notes information. You can edit the "Notes" field for synced Duo users, but you may not edit the "Username", "Full Name", or "Email" properties for synced users.