Active Directory Lookup
As an IT Systems Engineer, I am often asked who the members of particular Active Directory groups are. There are multiple ways to retrieve that information, including:
- LDAP
- PowerShell
- AD Users and Computers tool
Oftentimes, however, the user community wants to be able to get the requested information quickly/urgently without having to wait for hours or days for someone in IT to get back to them. There is a quick, user-friendly way to look up a subset of Active Directory information.
Did You Know?
Since Windows 7, there is a built-in way to search Active Directory for Users, Groups, and Computers without having to install the “AD Users and Computers” (ADUC) tool. Unless an administrator has disabled the functionality, anyone at the company can perform the searches themselves, which lets the user community be self-sufficient and frees up your time to focus on projects.
This feature is the “Search Active Directory” button. To find it, open Windows Explorer > Network (on the left side pane) > Network ribbon (top), as shown below:
The search tool can also be launched from the command line (or Start > Run) with:
%SystemRoot%\SYSTEM32\rundll32.exe dsquery,OpenQueryWindow
Security Risk
With anyone having the ability to look up Active Directory information, is that a security risk? Yes, absolutely! Any exposure of data to unauthorized persons creates a risk, and proper control measures should be put in place, including preventing unauthorized persons from logging on to a computer in the first place.
TIP: Be sure the Search Active Directory button is disabled on shared computers, such as those in conference and training rooms, and on kiosks, especially on those where a password is not required to log in.
However, Active Directory can, by default, be queried by anyone using LDAP, and as such, a subset of AD information is already available to anyone logging on to the network. Design your environment appropriately to lock down Active Directory.
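To see what that default LDAP read access exposes, an administrator can run a group-membership lookup while signed in as a standard user. The PowerShell below is an added example, not part of the original article; the function name Get-GroupMemberViaLdap and the group name in the usage comment are assumptions.

```powershell
# Added example, not from the original article. Get-GroupMemberViaLdap is a hypothetical name.
# Runs as the signed-in user on a domain-joined computer; no RSAT or ADUC required.
function Get-GroupMemberViaLdap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GroupName,  # sAMAccountName of the group
        [switch]$Recurse                           # also return members of nested groups
    )

    # Escape LDAP filter metacharacters (RFC 4515) so input is treated as data, not filter syntax.
    $escape = {
        param([string]$Value)
        $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace '\x00', '\00'
    }

    # Step 1: resolve the group name to its distinguished name in the current domain.
    $find = [adsisearcher]"(&(objectCategory=group)(sAMAccountName=$(& $escape $GroupName)))"
    [void]$find.PropertiesToLoad.Add('distinguishedName')
    $group = $find.FindOne()
    if (-not $group) { throw "Group '$GroupName' was not found in the current domain." }
    $dn = [string]$group.Properties['distinguishedname'][0]

    # Step 2: search for objects whose memberOf contains that DN. Searching by memberOf
    # with paging avoids the default 1,500-value range limit on the group's member attribute.
    # The OID is the LDAP_MATCHING_RULE_IN_CHAIN rule, which follows nested groups.
    $rule = if ($Recurse) { ':1.2.840.113556.1.4.1941:' } else { '' }
    $search = [adsisearcher]"(memberOf${rule}=$(& $escape $dn))"
    $search.PageSize = 1000
    $search.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'displayname', 'objectclass'))

    $results = $search.FindAll()
    try {
        foreach ($r in $results) {
            $classes = @($r.Properties['objectclass'])
            [pscustomobject]@{
                Name        = [string]($r.Properties['samaccountname'] | Select-Object -First 1)
                DisplayName = [string]($r.Properties['displayname'] | Select-Object -First 1)
                Type        = [string]$classes[-1]   # most specific class: user, group, computer
            }
        }
    }
    finally { $results.Dispose() }   # SearchResultCollection holds unmanaged resources
}

# Constructed usage; 'Finance-Readers' is a placeholder group name.
# Get-GroupMemberViaLdap -GroupName 'Finance-Readers' -Recurse | Sort-Object Type, Name
```

Accounts that belong to a group only through their primary group (for example Domain Users) are not returned, because primary group membership is not stored in memberOf.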
Search Active Directory Button
Here are some ways to use the tool:
- Look up Group membership
- Look up User information
- Find Computers
Be aware that only a limited subset of the object’s information can be queried with this tool.
There you have it! Now you can look up a limited set of Active Directory information from any domain-joined computer.