Active Directory Users and Computers (ADUC) is a very common tool over on the Active Directory side. As the name implies, it gives us visibility into every user and computer within the domain. It also reveals other things, like groups, contacts, organizational unit structure, and potentially, group policy objects. When I took off my systems and security architect hat and returned to the world of the DBA, ADUC is a tool I kept on using. Here's why:
- I can quickly look up what groups a particular user is a member of.
- I can look at a group and see who its members are, telling me who has login rights to my SQL Server through that Windows group login.
- I can see the nesting of groups from either direction, seeing how many different ways a user has access to my SQL Server.
- I can see whether the user account they are telling me the user has is correct (we don't use a standard naming scheme). So if the security folks tell me Anna is coming in as user A347C, I can go to user A347C and see if the full name corresponds to Anna.
For a DBA, it all means that you don't have to go to the system or security administrators to find these types of answers. And by default, all users have basic read access throughout Active Directory, meaning this type of information is usually available and it's not a security event for you to be hitting it. This invariably saves time. So where do you get ADUC?
- For Windows XP, install the Windows Server 2003 AdminPak (download from Microsoft).
- For Windows Vista, install the Remote Server Admin Tools for Windows Vista (download from Microsoft).
- For Windows 7, install the Remote Server Admin Tools for Windows 7 (download from Microsoft).
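
The nesting check from the list above (how many different ways a user reaches a SQL Server login through groups) can be reproduced on membership data read off ADUC's Member Of tabs. The Python below is an added example, not part of the original post; the group names, the membership map and the set of groups assumed to be Windows group logins on the SQL Server are all constructed.

```python
# Constructed sample data: direct "Member Of" edges, as ADUC shows them
# on each user's or group's Member Of tab.
MEMBER_OF = {
    "A347C": ["Finance-Analysts", "Reporting-Users"],
    "Finance-Analysts": ["SQL-Finance-Read"],
    "Reporting-Users": ["SQL-Finance-Read", "BI-Team"],
    # AD allows circular nesting; BI-Team points back at Reporting-Users.
    "BI-Team": ["SQL-Reporting-Admins", "Reporting-Users"],
}

# Assumption: these groups exist as Windows group logins on the SQL Server.
SQL_LOGINS = {"SQL-Finance-Read", "SQL-Reporting-Admins"}


def access_paths(principal, member_of=MEMBER_OF, logins=SQL_LOGINS):
    """Return every membership chain from principal to a group login."""
    paths = []

    def walk(node, chain):
        for group in member_of.get(node, []):
            if group in chain:          # already on this chain: nesting loop
                continue
            new_chain = chain + [group]
            if group in logins:
                paths.append(new_chain)
            walk(group, new_chain)      # a login group may itself be nested

    walk(principal, [principal])
    return paths


def login_summary(principal):
    """Count how many distinct chains lead to each SQL Server login."""
    summary = {}
    for chain in access_paths(principal):
        summary[chain[-1]] = summary.get(chain[-1], 0) + 1
    return summary


if __name__ == "__main__":
    for chain in access_paths("A347C"):
        print(" -> ".join(chain))
    print(login_summary("A347C"))
```

Removing a user from one group does not revoke access while another chain to the same login remains, which is why the per-login count matters during an access review.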