Group Policy Management – limitations with standard tools

Most companies running Microsoft Active Directory use group policies. But administering these group policies with the standard tools may not give you all the functionality you would like to have for daily business:

  • No rights delegation
  • No versioning
  • No rollback possibility
  • No possibility to compare group policies
  • No offline editing possibilities

Microsoft’s AGPM for extended administration

Microsoft provides the tool “Advanced Group Policy Management” (AGPM) for “Software Assurance” customers. The tool is part of the Microsoft Desktop Optimization Pack (MDOP). With it, most of the wishes for daily business with group policies are fulfilled.

Below, I have collected some links to this tool that give an overview of what AGPM can do.

Links, Manuals and Tutorials

Technical overview:

Planning manual:

Operation manual:

Demonstration of AGPM:

Step-by-step tutorials:


Active Directory Reporting with free ADInspector

I would like to introduce a nice freeware tool for AD reporting to you.

It is easy to use and does not need to be installed. Check your Active Directory for:

Locked user accounts, empty groups and much more… and export the result to .csv

Active Directory Reports

Firstware-ADInspector gives IT admins a free and fast way to analyze Active Directory. The tool is developed by FirstAttribute.

You can download it for free here:

The software comes as a fat client and doesn’t need to be installed. You can just download it, unzip it and run it. The only thing necessary is a connection to Active Directory. ADInspector won’t give you every report you can think of, but the 17 standard reports are quite nice.

I really like that it runs fast and answers your little questions without a lot of effort.
To give you an example:
I needed to know how many users were created in the last 10 days.
I just set the time parameter in the configuration and ran the tool, exported the result as .csv and later used the list in a weekly report.

What kind of reports are available? Here is the list:

  • Users with never expiring passwords
  • Group nesting info (Nesting-Level + Membership)
  • Empty groups
  • Users with missing required attributes
  • Contacts with missing required attributes
  • Users with all required attributes filled
  • Contacts with all required attributes filled
  • Users created within the last x days
  • Users not logged on within the last x days
  • Computers not logged on within the last x days
  • Locked user accounts
  • Disabled user accounts
  • Disabled computer accounts
  • Accounts with password not set within the last x days
  • Duplicate user logon names (SamAccountNames) in forest
  • Duplicate Kerberos logon names (userPrincipalName) in forest
  • User group memberships

The website shows you more detailed information about the Active Directory Analysis possible with the tool.

Active Directory Reporting – Example: Empty groups

Just to give you a short example, I want to find out how many empty groups there are in a certain folder.

  1. Check the report you want to run and click the yellow folder button (top left) to choose a root folder.
    Alternatively, just hit the play button and you will also see the “select folder” dialog.
  2. The “Select” dialog pops up and you can define a search root here.
    Click the green “Check” button to accept your choice.
  3. Run the report by clicking the green “play” button.
    You will see how many empty groups there are in the selected folder; here there were 13.
  4. Now you have 2 options.
    If you press the “i” info button, you will get information on what empty groups are and in which situations they should be removed.
    Hitting the “magnifying glass” button shows you all the empty groups in a report window.
  5. If you need to process the data, for example to use it in a management report, you can save the data to .csv by clicking the blue “disk” button.
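As an added example (not ADInspector’s code and not from FirstAttribute), the following PowerShell script reproduces five of the standard reports listed above, including the empty-groups check from the walkthrough, with the RSAT ActiveDirectory module. It is parameterised by search root and “last x days” like the tool’s configuration and saves each result as .csv; $SearchBase, $Days and $OutDir are assumed parameters with placeholder values.

```powershell
param(
    [string]$SearchBase = 'OU=Test,DC=example,DC=local',  # placeholder search root, like the folder button
    [int]$Days = 10,                                      # the "last x days" parameter
    [string]$OutDir = '.'                                 # where the .csv files go
)
Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-$Days)

# Users created within the last x days (the weekly-report case from the text)
$created = @(Get-ADUser -Filter { whenCreated -ge $cutoff } -SearchBase $SearchBase -Properties whenCreated |
    Select-Object SamAccountName, whenCreated)

# Empty groups. Caveat: 'member' does not list accounts whose primaryGroupID points at the
# group (e.g. Domain Users), so such a group looks empty here although it has members.
$emptyGroups = @(Get-ADGroup -Filter * -SearchBase $SearchBase -Properties member |
    Where-Object { $_.member.Count -eq 0 } |
    Select-Object Name, GroupScope, DistinguishedName)

# Enabled users whose password never expires (worth reviewing for service accounts)
$neverExpire = @(Search-ADAccount -PasswordNeverExpires -UsersOnly -SearchBase $SearchBase |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, DistinguishedName)

# Users not logged on within the last x days. lastLogonTimestamp replicates lazily
# (up to 14 days behind), so $Days below about 14 gives only an approximation.
$inactive = @(Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($Days)) -UsersOnly -SearchBase $SearchBase |
    Select-Object SamAccountName, LastLogonDate)

# Duplicate Kerberos logon names (userPrincipalName) across the forest, queried on a
# global catalog (port 3268) because the duplicates may live in different domains.
$gc = ((Get-ADForest).GlobalCatalogs | Select-Object -First 1) + ':3268'
$dupUpn = @(Get-ADUser -Filter { userPrincipalName -like '*' } -Server $gc -Properties userPrincipalName |
    Group-Object userPrincipalName | Where-Object Count -gt 1 |
    ForEach-Object { [pscustomobject]@{ UserPrincipalName = $_.Name; Count = $_.Count } })

# Export every report to .csv, the equivalent of the tool's blue "disk" button
$reports = [ordered]@{
    UsersCreatedLastDays  = $created
    EmptyGroups           = $emptyGroups
    PasswordNeverExpires  = $neverExpire
    UsersInactiveLastDays = $inactive
    DuplicateUPNs         = $dupUpn
}
foreach ($name in $reports.Keys) {
    $rows = $reports[$name]
    $path = Join-Path $OutDir "$name.csv"
    if ($rows.Count -gt 0) { $rows | Export-Csv -Path $path -NoTypeInformation -Encoding UTF8 }
    '{0,-22} {1,5} rows -> {2}' -f $name, $rows.Count, $path
}
```

Run it from a machine with RSAT installed and a connection to the domain; reports with zero rows print their count but write no file.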


Firstware-ADInspector is a handy little tool for standard Active Directory reporting. If you just want to know how many users didn’t log in during the last X days, give it a try. No installation is needed and you can save your results in a .csv file. What it does not do is a deeply customizable report with lots of additional parameters. But the offered reports can be set up with some parameters in the configuration (mainly the duration of the search period or the search root). For very special reports you still have to do some work on your own. But I didn’t expect that anyway, so to me it doesn’t matter, as the tool really does well with the offered reports. Great for a fast overview of what is going on in your Active Directory.

You can find more detailed information on the product website:


The post above is information copied from:

For more information, check the source website:


Active Directory Schema Synchronization

I wanted to create an Active Directory test domain. It was supposed to have exactly the same content as an existing one.

That quickly confronts you with the following problem:
How can I ensure that the test directory has the same LDAP schema as the reference domain?

With built-in tools you can synchronize, or export and import, the AD schema. One tool in particular, part of the server role AD LDS (formerly ADAM), has proven very helpful for that. When the role is installed, you can find a program named ADSchemaAnalyzer.exe in the folder C:\Windows\ADAM.

Installing the AD schema as a copy of the production domain

With the tool ADSchemaAnalyzer you can determine the schema difference between two LDAP directories (AD DS / AD LDS) and export it into an LDIF file. This file then has to be imported into the target directory with the tool ldifde.exe. ldifde.exe is a command line tool that exists on every domain controller.

Introduction ADSchemaAnalyzer

Because some of the terms used could be misleading, I want to explain them first.

Target Schema
The target schema is the source, reference or original schema. In this context, “target” means that the base schema has to end up looking the same as the target.
Base Schema
The base schema is the schema to be edited, meaning the copy or the test AD domain. It should be expanded so that it has the same contents as the target.

Tutorial: Synchronize and install LDAP schema

  1. Start ADSchemaAnalyzer.

  2. Load the schema of the target directory: File > Load target schema…
    Enter user name, password and domain.
    Confirm with OK.

    The result could look like this:

  3. Load the schema of the test directory: File > Load base schema…
    After the connection data for the test directory has been entered successfully, the schema difference is determined.

    The tool now shows all classes and attributes with their status.

    With the option Schema > Hide present elements you can hide entries that already exist.
    After that, you can manually select the desired classes and attributes.
    With Schema > Mark all non present elements as included you can add all missing ones at once.

  4. Then create the LDIF import file via File > Create LDIF file. Example file (short):

# ==================================================================
# This file should be imported with the following command:
# ldifde -i -u -f Fa-Schema.ldf -s Server-Name -j . -c "cn=Configuration,dc=X" #configurationNamingContext
# LDIFDE.EXE from AD/AM V1.0 or above must be used.
# This LDIF file should be imported into AD or AD/AM. It may not work for other directories.
# ==================================================================
# ==================================================================
# Attributes
# ==================================================================

# Attribute: faAdresse2
dn: cn=FaAdresse2,cn=Schema,cn=Configuration,dc=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: faAdresse2
adminDisplayName: FaAdresse2
# schemaIDGUID: 21d94f36-80d8-408e-a8e9-b272a0e1e8c0
schemaIDGUID:: Nk/ZIdiAjkCo6bJyoOHowA==
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE

In its header, this file already contains the command line for ldifde:

ldifde -i -u -f Fa-Schema.ldf -s Server-Name -j . -c "cn=Configuration,dc=X" #configurationNamingContext

The -c option replaces the placeholder DN cn=Configuration,dc=X from the exported file with the real configuration naming context of the directory you import into. It is important that this target server holds the Schema Master FSMO role and that the executing user is a schema administrator (member of the group Schema Admins).
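As an added example, not ADSchemaAnalyzer’s own code, the following PowerShell script does the same comparison in script form (attributes and classes defined in the target schema but missing from the base schema, plus same-name entries whose schemaIDGUID differs) and then performs the ldifde import on the base forest’s schema master after checking the two preconditions above. The server names, the file name Fa-Schema.ldf and the RSAT ActiveDirectory module are assumptions.

```powershell
param(
    [string]$TargetServer = 'dc1.reference.example',  # placeholder: DC of the reference (target) domain
    [string]$BaseServer   = 'dc1.test.example',       # placeholder: DC of the test (base) domain
    [string]$LdifFile     = 'Fa-Schema.ldf'           # LDIF file exported by ADSchemaAnalyzer
)
Import-Module ActiveDirectory

# Read all attribute and class definitions from one directory's schema partition.
function Get-SchemaElements([string]$Server) {
    $schemaNC = (Get-ADRootDSE -Server $Server).schemaNamingContext
    Get-ADObject -Server $Server -SearchBase $schemaNC -Properties lDAPDisplayName, schemaIDGUID `
        -LDAPFilter '(|(objectClass=attributeSchema)(objectClass=classSchema))' |
      ForEach-Object {
        [pscustomobject]@{
            Name = $_.lDAPDisplayName
            Kind = $_.ObjectClass
            # schemaIDGUID is stored as 16 raw bytes; [guid] renders them like the LDIF comment line
            Guid = [guid]::new([byte[]]$_.schemaIDGUID)
        }
      }
}

$target = Get-SchemaElements $TargetServer
$base   = Get-SchemaElements $BaseServer
$baseGuids = @{}
foreach ($e in $base) { $baseGuids[$e.Name] = $e.Guid }

# "Non present" elements: defined in the target schema but absent from the base schema.
$missing = $target | Where-Object { -not $baseGuids.ContainsKey($_.Name) }
$missing | Sort-Object Kind, Name | Format-Table Kind, Name, Guid -AutoSize

# Same name, different schemaIDGUID: not a plain "add", review these by hand before importing.
$target | Where-Object { $baseGuids.ContainsKey($_.Name) -and $baseGuids[$_.Name] -ne $_.Guid } |
    Format-Table Name, Guid -AutoSize

# Preconditions from the text: import on the schema master, as a member of Schema Admins
# (Schema Admins lives in the forest root domain; a fresh logon is needed after being added).
$forest       = Get-ADForest -Server $BaseServer
$schemaMaster = $forest.SchemaMaster
$configNC     = (Get-ADRootDSE -Server $schemaMaster).configurationNamingContext
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive
if (-not ($schemaAdmins.SamAccountName -contains $env:USERNAME)) {
    throw "Current user is not in Schema Admins of $($forest.RootDomain); aborting."
}

# -c rewrites the placeholder DN from the exported file into the real configuration NC;
# -j . writes ldifde.log / ldif.err to the current directory so a failed import can be inspected.
& ldifde.exe -i -u -f $LdifFile -s $schemaMaster -j . -c 'cn=Configuration,dc=X' $configNC
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE; see ldif.err" }
```

Review the two tables before letting the script reach the import step; the schema change itself is permanent.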


Changes to the AD schema cannot be reversed! Check all actions thoroughly!
The author does not assume liability for data loss, undesired side effects or any other guarantees. The risk lies with the user.
