The Active Directory Users and Computers (ADUC) MMC snap-in is one of the main tools for managing Active Directory domains. The ADUC (dsa.msc) snap-in is used to perform typical domain administration tasks and manage users, groups, computers, and Organizational Units in the Active Directory domain. By default, the Active Directory Users and Computers (dsa.msc) console is installed on a Windows Server when it’s promoted to the domain controller when deploying the Active Directory Domain Services (AD DS) role.
An ADUC snap-in can be installed on Windows 10/11 desktop versions as part of Remote Server Administration Tools (RSAT). The RSAT includes several command-line tools, PowerShell modules, and graphical snap-ins to remotely manage Windows Server hosts, Active Directory, and other server roles and features.
Table of Contents
How to Install the ADUC Console (dsa.msc) on Windows 10 and 11
RSAT tools (including the Active Directory Users and Computers snap-in) are not installed by default on Windows desktop operating system versions (such as Windows 11, 10, and 8.1). On Windows 10 and 11, you can install ADUC as part of RSAT by using the Settings app or with using PowerShell.
Hint. You can only install RSAT Active Directory on the Pro and Enterprise editions of Windows 10 or 11 (not on Home).
Enable Active Directory Users and Computers on Windows 10 and 11 Using the GUI
In modern versions of Windows 10 and 11 (starting from build 1809), it is possible to install RSAT components as Features on Demand (FoD) from the modern Settings app.
You can install the ADUC console on modern desktop editions of Windows as follows:
- Press the Start menu > Settings > Apps;
- Select Optional Features > Add a feature;
- From the list of optional features, select RSAT: Active Directory Domain Services and Lightweight Directory Tools, and press Install.
- Windows will download the ADUC RSAT binaries from the Internet and install them on your computer.
After installing RSAT you need to reboot your computer.
Hint. RSAT was distributed as a separate MSU update for earlier versions of Windows. This update had to be manually downloaded from the Microsoft Web site and installed on your Windows operating system. For example, you must download and install update KB2693643 for Windows 10 1803 (https://www.microsoft.com/en-us/download/details.aspx?id=45520).
The required RSAT features can then be enabled through the Control Panel > Turn Windows features on or off applet (optionalfeatures.exe).
Use PowerShell to Install Active Directory Users and Computers Snap-in
You can use PowerShell to install the Active Directory console on Windows 10 and 11. Open an elevated PowerShell console and check that the RSAT Active Directory feature is installed on your computer:
Get-WindowsCapability -Online | Where-Object {$_.Name -like "RSAT.ActiveDirectory*"}
In our case, the RSAT: Active Directory Domain Services and Lightweight Directory Services Tools feature is not installed (State > NotPresent).
If the Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 component is missing, you can install it with the command:
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
You can also use the DISM command to install the RSAT ADUC feature:
DISM /Online /Add-Capability /CapabilityName:Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
Check the AD RSAT status. The State should be changed to Installed.
Note. The PowerShell Active Directory module is also installed with the ADUC console.
How to Fix ADUC Installation Failed on Windows
The RSAT components in the latest versions of Windows are delivered as Features on Demand (FoD). Windows doesn’t store the local RSAT binaries on a local drive; instead, it downloads the RSAT files that it needs from the Microsoft Update servers. If your computer is in an isolated environment, you will get an error when installing the ADUC snap-in:
0x800f0954
No features to install
To install the RSAT components on your offline computer, you can use the FoD ISO image for your Windows 10/11 release. FoD DVD medias is available for download from your Volume License Servicing Center (VLSC) or on my.visualstudio.com.
To install the ADUC offline, you need to mount the FoD ISO image to a virtual drive (for example, to drive F:) and run the ADUC feature installation from local media:
Add-WindowsCapability -online -name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -source -Source "F:\" –LimitAccess
If you are using WSUS or SCCM to deploy Windows updates to client devices, you must enable the special GPO option to correctly install Features on Demand (including ADUC).
- Open the local Group Policy Editor (gpedit.msc) and go to Computer Configuration > Administrative Templates > System;
- Enable the GPO option Specify settings for optional component installation and component repair and check the Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS) checkbox.
- Update the Group Policy settings on the computer by using the command: gpupdate /force.
Without this option, Windows 11 will try to get RSAT from your local Windows update server (errors 0x8024402c and 0x800f081f).
How to Open Active Directory Users and Computers (dsa.msc) Snap-in on Windows
Go to Start Menu > All Programs > Windows Tools to run the Active Directory snap-in on Windows 11.
On Windows 10 (and previous versions) the AD Management snap-ins are available in the Administrative Tools section of the Control Panel.
As you can see, a new link to the MMC console %SystemRoot%\system32\dsa. appeared.
Start the Active Directory Users and Computers snap-in.
Alternatively, press Win+R, type dsa.msc and click OK to start the ADUC console.
If your computer is joined to the Active Directory domain, the ADUC console will automatically connect to the nearest DC in your Active Directory site on startup.
If the console doesn’t find the domain controller, get the name of your LogonServer using the PowerShell command:
$env:LOGONSERVER
Right-click on the root in the ADUC console and select Change Domain Controller. Select the name of your logon DC server from the list.
Always use the domain controller closest to you. The RSAT console may become slow when working with a domain controller at a remote site.
If you want to connect to AD using dsa.msc snap-in from a non-domain computer, you must:
- Open the Command prompt and run the command:
runas /netonly /user:Domain_Name\Domain_USER mmc - In the empty MMC Console select File > Add/Remove Snap-In;
- Add Active Directory Users and Computers Snap-In to the right pane and press OK;
- Connect to the domain with right-click on ADUC > Connect to the domain and enter the domain name.
As a result, the structure of your OU Active Directory domain appears in the ADUC snap-in.
You will see a standard set of Active Directory OUs and containers:
- Saved Queries — saved search criteria, allows quickly replay of the previous search in Active Directory (LDAP query supported);
- Builtin — built-in user accounts;
- Computers — default container for computer accounts;
- Domain Controllers — default container for domain controllers;
- ForeignSecurityPrincipals — contains information about objects from trusted external domains. Typically, these objects are created when an object from an external domain is added to the group of the current domain;
- Users — default container for user accounts.
When you select the OU, you will see a list of the objects it contains. The ADUC console may display security groups, contacts, users, and computers.
Depending on the domain structure, the ADUC console may contain other containers. Some AD folders are not displayed by default. To display them, select View > Advanced Features in the top menu.
The following additional folders should appear:
- LostAndFound — directory objects that have lost their owners;
- NTDS Quotas — directory service quoting info;
- Program Data — data stored in the directory service for Microsoft applications;
- System — the built-in system parameters.
In the ADUC console, you can perform the following actions:
- Create and manage user accounts, computers, and Active Directory groups;
- View and edit AD object attributes with ADSI Edit;
- Search for AD objects;
- Change user password in Active Directory or reset it;
- Create organizational units and build hierarchical structures for AD objects. Enable or disable OU accidental deletion protection;
- Delegate administrative permission to OUs to non-admin domain users;
Raise domain functional level, and move FSMO roles to another domain controller.
