If you typed dsa.msc into your Windows Run dialog and nothing happened, or you are trying to understand what it is and how to use it, you are in the right place. This guide covers everything you need to know about dsa.msc: what it is, how to open it, what you can do with it, and how to fix it when it breaks.
What Is dsa.msc?
dsa.msc is the Microsoft Management Console (MMC) snap-in file for Active Directory Users and Computers (ADUC). The “dsa” stands for Directory Services Administration. The “.msc” extension means it is a saved MMC console file.
When you run dsa.msc, it opens the Active Directory Users and Computers tool. This tool is the primary graphical interface for managing users, groups, computers, and organizational units (OUs) in a Windows Active Directory domain environment.
In short: if you manage a Windows domain, dsa.msc is one of your most-used tools.
Who Uses dsa.msc?
This tool is used by:
- System administrators managing Windows Server domains
- IT helpdesk staff who need to reset passwords or unlock accounts
- Network engineers configuring group policies and OUs
- Security teams auditing group memberships and permissions
If you are on a standalone Windows 10 or 11 home PC with no domain, dsa.msc will not open because it requires Active Directory infrastructure.

How to Open dsa.msc in Windows
There are several ways to open dsa.msc. Pick the one that suits your workflow.
Method 1: Run Dialog (Fastest)
- Press Windows + R
- Type dsa.msc
- Press Enter
This is the fastest method. It works on Windows Server editions and on Windows 10/11 machines that have RSAT (Remote Server Administration Tools) installed.
Method 2: Start Menu Search
- Click the Start button
- Type Active Directory Users and Computers
- Click the result
This method works the same as Method 1 but takes slightly longer.
Method 3: Command Prompt or PowerShell
Open a terminal and type:
dsa.msc
Press Enter. The ADUC console launches immediately.
Method 4: Via Server Manager (Windows Server)
- Open Server Manager
- Click Tools in the top-right menu
- Select Active Directory Users and Computers
This is the official path on Windows Server editions.
Why dsa.msc Does Not Open: Common Reasons
If dsa.msc fails to open, here are the most common reasons:
| Reason | Explanation |
|---|---|
| Not a domain member | dsa.msc requires the PC to be joined to an Active Directory domain |
| RSAT not installed | On Windows 10/11 client machines, RSAT tools must be installed separately |
| Insufficient permissions | You need domain admin or equivalent rights to use the tool meaningfully |
| AD DS role not installed | On Windows Server, the role must be installed before the snap-in works |
| Group Policy restriction | Some environments block MMC snap-ins for non-admin accounts |
How to Install dsa.msc on Windows 10 and Windows 11 (2026)
On client machines running Windows 10 or Windows 11, dsa.msc is not installed by default. You need RSAT.
Installing RSAT on Windows 10/11
- Open Settings
- Go to System (Windows 11) or Apps (Windows 10)
- Click Optional Features
- Click Add a feature or View features
- Search for RSAT: Active Directory Domain Services and Lightweight Directory Tools
- Select it and click Install
After installation, dsa.msc becomes available on your machine. You must still be connected to a domain network for the tool to function correctly.
You can also install it via PowerShell (run as Administrator):
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
This installs the same RSAT component without going through the Settings UI.
For more details on RSAT installation, Microsoft’s official RSAT documentation at https://learn.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/remote-server-administration-tools covers every supported Windows version.
The dsa.msc Interface: What You Are Looking At
When dsa.msc opens, you see the Active Directory Users and Computers console. Here is a breakdown of what you see:
Left Pane (Tree View)
This shows your domain structure. You will see:
- Your domain name (e.g., contoso.com)
- Built-in containers like Users, Computers, Domain Controllers
- Custom Organizational Units (OUs) your organization has created
Right Pane (Object List)
When you click a container or OU in the left pane, the right pane shows all the objects inside it. These are your users, groups, and computers.
Top Menu and Toolbar
The toolbar lets you:
- Create new objects
- Search for objects
- Refresh the view
- Access properties of selected objects
What You Can Do With dsa.msc
This is where the real value is. Here is a practical breakdown of tasks.
Managing User Accounts
Create a new user:
- Right-click an OU in the left pane
- Select New > User
- Fill in the first name, last name, and logon name
- Set a password
- Click Finish
Reset a user password:
- Find the user in the correct OU
- Right-click the user
- Select Reset Password
- Enter and confirm the new password
- Check “User must change password at next logon” if required
- Click OK
Unlock a locked account:
- Right-click the user
- Select Properties
- Go to the Account tab
- Uncheck “Account is locked out”
- Click OK
Disable or enable an account: Right-click the user and select Disable Account or Enable Account directly from the context menu.
Managing Groups
Create a new group:
- Right-click an OU
- Select New > Group
- Enter the group name
- Choose the group scope (Domain Local, Global, Universal)
- Choose the group type (Security or Distribution)
- Click OK
Add a user to a group:
- Double-click the group to open Properties
- Go to the Members tab
- Click Add
- Type the user’s name and click Check Names
- Click OK
Alternatively, open the user’s properties, go to the Member Of tab, and add groups there.
Managing Computer Accounts
Add a computer to the domain manually:
- Right-click an OU
- Select New > Computer
- Enter the computer name
- Click OK
Move a computer to a different OU:
- Right-click the computer object
- Select Move
- Choose the destination OU
- Click OK
Delete a stale computer account: Right-click the computer and select Delete. Be careful. Deleting a computer account that is still active will break its domain connection.
Working with Organizational Units (OUs)
OUs are containers that help you organize objects and apply Group Policy at a granular level.
Create an OU:
- Right-click your domain or an existing OU
- Select New > Organizational Unit
- Give it a name
- Check “Protect container from accidental deletion” if needed
- Click OK
Delegate control of an OU: Right-click an OU and select Delegate Control. This opens a wizard that lets you grant specific permissions (like password reset rights) to users or groups without giving them full admin access.
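Delegated rights are easy to grant and easy to forget, so it helps to review what is actually set on an OU. The script below is an added example, not part of the original guide: it lists the explicit permissions on one OU that allow password resets or broader control. The OU path is a constructed placeholder, and the ActiveDirectory module from RSAT is assumed.

```powershell
# Added example: review who holds delegated rights on one OU.
Import-Module ActiveDirectory

$OuDn = 'OU=Staff,DC=contoso,DC=com'   # constructed placeholder DN

# Schema GUID of the "Reset Password" extended right (User-Force-Change-Password)
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$Rights        = [System.DirectoryServices.ActiveDirectoryRights]
$GenericAll    = [int]$Rights::GenericAll
$AclWrite      = ([int]$Rights::WriteDacl) -bor ([int]$Rights::WriteOwner)
$Extended      = [int]$Rights::ExtendedRight

# Explicit ACEs are what the Delegation of Control wizard writes on the OU;
# inherited ones are reviewed on the parent where they are defined.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited } |
    ForEach-Object {
        $r = [int]$_.ActiveDirectoryRights
        $finding = @()
        # GenericAll is a composite mask, so test that every bit is present.
        if (($r -band $GenericAll) -eq $GenericAll) { $finding += 'Full control' }
        if (($r -band $AclWrite) -ne 0) { $finding += 'Can change permissions or owner' }
        # An extended-right ACE with an empty ObjectType grants all extended
        # rights, password reset included.
        if ((($r -band $Extended) -ne 0) -and
            ($_.ObjectType -in $ResetPassword, [guid]::Empty)) {
            $finding += 'Can reset passwords'
        }
        if ($finding) {
            [pscustomobject]@{
                Principal = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                Finding   = $finding -join '; '
            }
        }
    } | Sort-Object Principal | Format-Table -AutoSize -Wrap
```

Built-in administrative groups will normally appear in the output; the entries to question are users or groups you did not expect to find there.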
Finding Objects Quickly
Instead of browsing the tree manually, use the built-in search:
- Right-click your domain in the left pane
- Select Find
- Choose the object type (Users, Computers, Groups)
- Type a name or attribute
- Click Find Now
This is faster than scrolling through large OUs with hundreds of objects.
Advanced Features in dsa.msc
Enabling Advanced Features View
By default, dsa.msc hides some containers and attributes. To see everything:
- Click the View menu
- Select Advanced Features
This reveals:
- The LostAndFound container (objects that lost their parent OU)
- The System container
- Additional attribute tabs on object properties
- The Security tab for setting permissions on AD objects
Viewing and Editing Object Attributes Directly
With Advanced Features enabled:
- Right-click any object
- Select Properties
- Go to the Attribute Editor tab
Here you can read and edit raw LDAP attributes. This is useful for tasks like:
- Setting the thumbnailPhoto attribute for a user
- Editing the proxyAddresses field for email routing
- Checking the lastLogonTimestamp to identify inactive accounts
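Checking lastLogonTimestamp one object at a time does not scale, so the same check can be run across the domain. This is an added example, not part of the original guide; the 90-day threshold and the output file name are assumptions, and the ActiveDirectory module from RSAT is required.

```powershell
# Added example: report enabled users with no recent logon.
Import-Module ActiveDirectory

# lastLogonTimestamp is replicated but only refreshed when the stored value
# is roughly two weeks old, so keep the threshold well above 14 days.
$ThresholdDays = 90                          # assumed policy value
$cutoff        = (Get-Date).AddDays(-$ThresholdDays)
$cutoffFt      = $cutoff.ToFileTimeUtc()     # attribute is stored as FILETIME

# Never-used accounts have no lastLogonTimestamp at all, so "-lt" alone
# would skip them; -notlike "*" matches the missing attribute.
$filter = 'Enabled -eq $true -and (lastLogonTimestamp -lt {0} -or lastLogonTimestamp -notlike "*")' -f $cutoffFt

Get-ADUser -Filter $filter -Properties lastLogonTimestamp, whenCreated |
    Where-Object { $_.whenCreated -lt $cutoff } |      # ignore brand-new accounts
    ForEach-Object {
        $last = if ($_.lastLogonTimestamp) {
            [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp)
        }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            LastLogonUtc   = $last             # empty means never logged on
            DaysInactive   = if ($last) { [int]((Get-Date).ToUniversalTime() - $last).TotalDays }
            Created        = $_.whenCreated
            DN             = $_.DistinguishedName
        }
    } |
    Sort-Object LastLogonUtc |
    Export-Csv -Path .\inactive-users.csv -NoTypeInformation   # assumed file name
```

Service accounts often show up in this report, so review the list before disabling anything.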
Managing Fine-Grained Password Policies
Fine-grained password policies (PSO) are stored in the Password Settings Container under System. With Advanced Features enabled, navigate there to view or create password settings objects that apply different password rules to specific groups.
dsa.msc vs Other Related Tools
People sometimes confuse dsa.msc with similar tools. Here is a clear comparison:
| Tool | File Name | Purpose |
|---|---|---|
| Active Directory Users and Computers | dsa.msc | Manage users, groups, computers, OUs |
| Active Directory Sites and Services | dssite.msc | Manage AD replication, sites, subnets |
| Active Directory Domains and Trusts | domain.msc | Manage domain trusts and UPN suffixes |
| ADSI Edit | adsiedit.msc | Low-level LDAP attribute editing |
| Group Policy Management | gpmc.msc | Create and link Group Policy Objects |
| DNS Manager | dnsmgmt.msc | Manage DNS zones and records |
Each tool has a specific job. dsa.msc is focused purely on object management within your domain.
Using dsa.msc Remotely
You do not need to be physically on a domain controller to use dsa.msc. You can run it from any domain-joined machine with RSAT installed.
To connect to a specific domain controller:
- Open dsa.msc
- Right-click your domain name in the left pane
- Select Change Domain Controller
- Choose a specific DC from the list or type its name
- Click OK
This is useful when troubleshooting replication issues or when you need to target a specific DC for changes.
Common dsa.msc Tasks for Helpdesk Staff
If you are on the helpdesk, you will likely use dsa.msc for these daily tasks:
- Password reset: Most common helpdesk ticket. Right-click user > Reset Password.
- Account unlock: Users get locked out. Right-click > Properties > Account tab > Unlock.
- Account disable/enable: For leavers and returners. Right-click and select the option.
- Group membership check: Open user Properties > Member Of tab.
- Finding a user by email or employee ID: Use the Attribute Editor to search custom fields.
- Moving a user to a new OU: Right-click > Move. Important when someone changes department.
Scripting dsa.msc Tasks with PowerShell
For bulk tasks, dsa.msc’s GUI becomes slow. Use PowerShell with the ActiveDirectory module instead. This module is also installed as part of RSAT.
Import the module:
Import-Module ActiveDirectory
Get a user:
Get-ADUser -Identity "jsmith" -Properties *
Reset a password:
Set-ADAccountPassword -Identity "jsmith" -NewPassword (ConvertTo-SecureString "NewPass123!" -AsPlainText -Force) -Reset
Find all disabled accounts:
Search-ADAccount -AccountDisabled -UsersOnly | Select-Object Name, SamAccountName
Add a user to a group:
Add-ADGroupMember -Identity "Marketing" -Members "jsmith"
PowerShell is faster for bulk operations but dsa.msc is better for one-off tasks or when you need a visual overview of your AD structure.
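The password reset one-liner above carries the new password as plain text in the command, which ends up in scripts and command history. The function below is an added example, not part of the original guide, that prompts for the password instead and forces a change at next logon; the function name is hypothetical.

```powershell
# Added example: password reset without a literal password in the command.
# Reset-AdUserPasswordSafely is a hypothetical name, not a built-in cmdlet.
Import-Module ActiveDirectory

function Reset-AdUserPasswordSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties PasswordNeverExpires, LockedOut

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset password')) {
        # Typed at the prompt, held as a SecureString, never stored in the script
        $new = Read-Host -AsSecureString -Prompt "Temporary password for $($user.SamAccountName)"
        Set-ADAccountPassword -Identity $user -NewPassword $new -Reset

        if ($user.PasswordNeverExpires) {
            # "Change at next logon" cannot be combined with a non-expiring password
            Write-Warning "$($user.SamAccountName): PasswordNeverExpires is set, change at logon not enforced."
        } else {
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true
        }

        if ($user.LockedOut) { Unlock-ADAccount -Identity $user }
    }
}

# Preview first, then run for real ("jsmith" is the sample user from above)
Reset-AdUserPasswordSafely -Identity 'jsmith' -WhatIf
```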
For a full reference on the ActiveDirectory PowerShell module, see the official Microsoft documentation at https://learn.microsoft.com/en-us/powershell/module/activedirectory.
Security Considerations When Using dsa.msc
dsa.msc gives you significant power over your domain. Keep these points in mind:
- Use the principle of least privilege. Do not give all IT staff full domain admin access. Delegate specific rights using the Delegation of Control wizard.
- Enable auditing. Configure Windows audit policies to log changes made through dsa.msc. This helps with compliance and incident investigation.
- Be careful with account deletion. Deleting a user removes their SID, which cannot be recovered without a backup. Prefer disabling over deleting.
- Protect critical OUs. When creating OUs, always check “Protect container from accidental deletion.” To delete a protected OU, you must first disable protection under Advanced Features.
- Avoid running dsa.msc as Domain Admin for everyday tasks. Use a dedicated admin account for AD management and a separate account for daily work.
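Once auditing is enabled, the changes made through dsa.msc appear in the Security log of the domain controller that processed them. The script below is an added example, not part of the original guide, that pulls those events and summarizes who did what. It assumes the "User Account Management" and "Security Group Management" audit subcategories are enabled on your domain controllers.

```powershell
# Added example: summarize account and group changes from a DC's Security log.
# Run elevated. Each DC logs only the changes it processed, so repeat per DC
# or read from your central event collection.
$Watch = @{
    4720 = 'User created';        4726 = 'User deleted'
    4722 = 'User enabled';        4725 = 'User disabled'
    4724 = 'Password reset';      4767 = 'Account unlocked'
    4728 = 'Added to global group'
    4732 = 'Added to domain local group'
    4756 = 'Added to universal group'
}

function Get-AdChangeEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
        [int]$Hours = 24
    )
    $query = @{
        LogName   = 'Security'
        Id        = [int[]]@($Watch.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue suppresses the error raised when no events match
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $query -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $d = @{}   # named EventData fields, e.g. SubjectUserName
            foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time   = $evt.TimeCreated
                Action = $Watch[$evt.Id]
                Actor  = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
                Target = $d.TargetUserName   # the user, or the group for membership events
                Member = $d.MemberName       # added member (group events only)
            }
        }
}

$events = Get-AdChangeEvent -Hours 24
$events | Sort-Object Time | Format-Table -AutoSize

# Which accounts performed the most password resets in the window?
$events | Where-Object Action -eq 'Password reset' |
    Group-Object Actor | Sort-Object Count -Descending | Select-Object Count, Name
```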
Troubleshooting dsa.msc Issues
“Naming information cannot be located”
This error usually means your machine cannot reach a domain controller. Check:
- That you are connected to the domain network or VPN
- That DNS is configured correctly (DC IP as primary DNS)
- That the DC is online
“Access Denied”
You are logged in with an account that does not have sufficient rights. Log in as a domain admin or request delegated permissions.
“The specified domain either does not exist or could not be contacted”
This is a DNS issue. Run nslookup yourdomain.com from the affected machine and confirm it resolves to a domain controller IP.
dsa.msc Opens But Shows Empty
Advanced Features may not be enabled, or you are connected to the wrong domain. Check View > Advanced Features and verify your domain connection.
Snap-in Not Found Error
You likely do not have RSAT installed. Follow the RSAT installation steps above.
Summary
dsa.msc opens the Active Directory Users and Computers console, the core tool for managing users, groups, computers, and OUs in a Windows Active Directory domain. It works on Windows Server natively and on Windows 10/11 after installing the RSAT optional feature. You use it to create and manage accounts, reset passwords, unlock accounts, organize objects into OUs, and delegate administrative control. For bulk operations, PowerShell with the ActiveDirectory module is more efficient. Always apply least-privilege principles and enable auditing when working with this tool. In 2026, it remains one of the most essential day-to-day tools for any Windows domain administrator.
Frequently Asked Questions
Can I use dsa.msc on a Windows 11 machine that is not a domain controller?
Yes. You need to install RSAT (specifically the Active Directory DS and LDS Tools feature) from Settings > Optional Features. Your machine must also be joined to the domain or at minimum be able to reach the domain controllers over the network.
What is the difference between dsa.msc and adsiedit.msc?
dsa.msc provides a user-friendly GUI focused on everyday AD object management. adsiedit.msc is a low-level LDAP editor that lets you view and edit every attribute of every AD object. adsiedit.msc is more powerful but also more dangerous since it allows changes that dsa.msc intentionally restricts.
Why can I open dsa.msc but not see my domain?
Either you are not connected to the domain network, DNS is not pointing to your domain controller, or you have insufficient permissions. Open a command prompt and run echo %userdomain% to confirm your domain membership, and run nslookup yourdomain.com to check DNS resolution.
Is dsa.msc available on Windows Home editions?
No. Windows Home does not support domain joining or RSAT installation. dsa.msc is only functional on Windows 10/11 Pro, Enterprise, and Education editions, as well as Windows Server editions.
Can dsa.msc be used to manage Azure Active Directory (Entra ID)?
No. dsa.msc only works with on-premises Active Directory Domain Services. For Azure AD (now called Microsoft Entra ID), you use the Azure Portal, the Microsoft Entra admin center, or the Microsoft Graph PowerShell module. Hybrid environments require separate tools for the cloud-side management.
