Active Directory Isn't Just for Sysadmins: What Support Techs Should Know
When I started my IT Support Apprenticeship at Beyond Housing, I thought Active Directory was just something sysadmins touched and I'd only need to know the basics. Reset a password here, unlock an account there, maybe check a group membership if I was feeling ambitious. Supporting 800+ users across multiple sites quickly taught me otherwise.
Active Directory isn't just a tool for provisioning and deprovisioning. For support technicians, it's your diagnostic toolkit, your roadmap to permissions, and often the difference between a five-minute fix and an hour-long wild goose chase. Here's what I wish I'd known from day one.
AD Is Your First Stop for Troubleshooting, Not Your Last Resort
Early on, I'd get a ticket: "User can't access the finance shared drive." I'd check the drive permissions, verify the network path, test their connection. Twenty minutes later, I'd finally think to check Active Directory and discover they weren't in the Finance_Users group anymore. Someone had moved them to a different department last week.
Now? AD is where I start. User profile issues, application access problems, printer mapping failures - nine times out of ten, the answer is in Active Directory. Not always in obvious places, but it's there.
What this looks like in practice:
Check the user's group memberships first. Not just for the obvious groups (like department or team groups), but also for application-specific groups, distribution lists, and security groups that control access to resources. Sometimes a user is in 15 different groups and the one they're missing is buried in the middle.
Look at when their account was last modified. If they're having permission issues and someone changed their account yesterday, you've found your starting point.
Review their organizational unit location. Is this user still in the right OU? Group policies apply based on OU structure, so a user who got moved during a department restructure might have completely different settings applied than they should.
Understanding Group Policy Without Being a Domain Admin
You don't need domain admin rights to understand how Group Policy affects your users. You just need to know how to read the results.
I can't count how many times I've been on a call with a user whose mapped drives aren't showing up, or whose default printer keeps changing, or who can't access certain websites. The answer is usually Group Policy, but as a support tech, you're not going into Group Policy Management Console to edit policies - you're using gpresult to see what's actually being applied.
From the user's machine, run:
gpresult /r
This shows you what Group Policy Objects are being applied to the user and computer. More importantly, it shows you which ones are actually taking effect and which ones are being filtered out.
For a more detailed breakdown (especially useful when documenting issues for escalation):
gpresult /h C:\Users\username\Desktop\gpreport.html
This generates an HTML report showing every single setting being applied. When I escalate a ticket to the sysadmins, I include this report. It tells them exactly what the user is experiencing and saves them from having to reproduce the issue themselves.
Understanding gpresult has made me significantly faster at diagnosing policy-related issues. I can see if a drive mapping policy is being blocked, if security settings are preventing an application from running, or if the user is getting policies they shouldn't be getting because they're in the wrong OU.
Account Attributes That Actually Matter for Support
Active Directory tracks way more information about a user than you might think. Some of it is purely administrative (like when the account was created), but a lot of it directly impacts your ability to support users effectively.
Manager field:
This isn't just organizational chart fluff. When someone leaves and their account is disabled, the manager field tells you who needs access to their emails and files. When someone's permissions seem inconsistent with their role, checking their manager can reveal they've been moved to a different department but their account wasn't updated properly.
MemberOf (group memberships):
This is obvious but worth emphasizing - you should be checking this constantly. Applications control access through groups. Shared drives use groups. Printers use groups. Email distribution lists are groups. If a user can't do something, check their groups first.
Account expiration date:
We use these for contractors and temporary staff. I've had tickets from users who "suddenly" can't log in - their account expired overnight because their contract ended and nobody told IT. Checking this saves you from going down permission rabbit holes when the account is simply expired.
Password last set:
When a user swears they haven't changed their password but things stopped working, this field tells you the truth. If it changed three days ago and that's when their issues started, you know their cached credentials somewhere need updating.
Last logon timestamp:
Critical for determining if an account issue is real or if the user just hasn't logged in yet. Someone reports they can't access their account after returning from leave - check this field. If they haven't logged in for 6 weeks and your password policy requires changes every 60 days, their password probably expired while they were gone.
Home directory path:
If configured, this tells you where a user's personal network drive is supposed to be mapped. When they say "my H: drive is missing," you can verify the path immediately instead of guessing.
The Difference Between Disabled, Locked Out, and Expired
These three states look similar to users ("I can't log in") but they're completely different situations with different fixes.
Disabled:
Someone manually disabled this account. Usually intentional - user left the company, long-term leave, security concern. You can't just re-enable these without authorization. I've learned to check with HR or the user's manager before touching disabled accounts.
Locked out:
The user (or something using their credentials) entered the wrong password too many times. This is your most common "I can't log in" ticket. You can unlock it immediately. But here's something I learned the hard way: if you unlock an account and it locks again within minutes, something is still trying to authenticate with the old password - usually a mobile device, mapped drive, or scheduled task.
Expired:
The password is too old or the account hit its expiration date. Password expired is straightforward - the user needs to change it. Account expired usually means they're a contractor whose end date passed, or someone didn't update the expiration date when a contract was extended.
Knowing which state you're dealing with changes how you approach the ticket completely. Disabled requires approval, locked out is a quick fix, expired might need HR involvement.
Security Groups vs Distribution Groups (And Why It Matters)
This tripped me up more times than I want to admit in my first few months.
Security groups control access to resources - files, applications, printers, everything. Distribution groups are just email lists. They look identical in the Global Address List, but they work completely differently.
Early mistake I made: User couldn't access a shared folder. I saw they were in the "Finance Team" group, which seemed right. Thirty minutes of permission checking later, I realized "Finance Team" was a distribution group. The security group I needed was "Finance_Users" - similar name, completely different purpose.
Now when I check group memberships, I pay attention to the group type. If someone needs access to a resource, being in a distribution group with a similar name does absolutely nothing.
The reverse is also true: if you add someone to a security group thinking it's a distribution list because it has "Team" in the name, you might accidentally give them access to sensitive resources.
Nested Groups: Your Hidden Permissions Nightmare
Group nesting is when a group is a member of another group. Sounds simple. In practice, it's where permissions go to hide.
A user might not be directly in the "Finance_FullAccess" group, but they're in "Finance_Managers," which is nested inside "Finance_FullAccess." When you're troubleshooting access issues, you need to check both direct memberships and nested memberships.
Active Directory Users and Computers doesn't show you nested memberships in the standard view. You either need to dig through each group manually (time-consuming and error-prone) or use PowerShell:
Get-ADPrincipalGroupMembership username | Select-Object Name
This shows you every group the user is effectively a member of, including nested groups. I keep this command saved in a notepad file because I use it constantly.
The frustrating part about nested groups is explaining to a user why they have access to something when they're not in the group that grants that access. "You're not in Finance_FullAccess, but you're in Finance_Managers, which is inside Finance_FullAccess, so you have the same permissions." It makes sense technically but sounds like nonsense when you say it out loud.
When AD Doesn't Match Reality
Here's the uncomfortable truth about Active Directory in real organizations: it's not always accurate.
People change departments and their AD account doesn't get updated. Contractors leave and their accounts stay enabled. Someone gets promoted and they accumulate groups instead of having old ones removed. Distribution lists become ghost towns of people who left years ago.
You'll encounter situations where a user has access to resources they shouldn't (because they changed roles but nobody removed the old groups) or where they can't access things they need (because they moved departments but nobody added the new groups).
As a support tech, you're often the first person to notice these discrepancies. When you see them, flag them. Document them. Make sure someone with the authority to clean up AD knows about it.
I've started keeping notes on recurring issues. If I unlock the same user's account three times in a week because an old mobile device is still trying to authenticate, I make sure someone knows that device needs to be removed from their profile. If I notice someone has been in both "Sales_Team" and "Finance_Team" groups for six months, that's probably not intentional.
The PowerShell Commands That Make Your Life Easier
You don't need to be a PowerShell expert to use Active Directory more effectively. You just need a few commands that answer the questions you're constantly asking.
Get basic account info:
Get-ADUser username -Properties *
Shows you everything AD knows about this user. It's overwhelming at first, but you learn which properties matter for your common issues.
Check if an account is locked out:
Search-ADAccount -LockedOut -UsersOnly | Where-Object {$_.SamAccountName -eq "username"}
Faster than navigating through AD Users and Computers when you just need to verify lockout status.
See when a password expires:
Get-ADUser username -Properties PasswordLastSet, PasswordNeverExpires | Select-Object Name, PasswordLastSet, PasswordNeverExpires
Useful when users report upcoming expiration warnings or when you're troubleshooting authentication failures.
Find all members of a group:
Get-ADGroupMember "GroupName" | Select-Object Name
Essential when someone asks "who has access to this resource" and you know the group but not the members.
Check what groups someone is in (including nested):
Get-ADPrincipalGroupMembership username | Select-Object Name | Sort-Object Name
I mentioned this earlier, but it's worth repeating - this command has saved me hours of clicking through group memberships manually.
I keep these commands in a text file on my desktop. When a ticket comes in, I copy the relevant command, swap in the username or group name, and run it. Five seconds versus five minutes of clicking through GUIs.
What This Actually Means for Your Daily Work
Understanding Active Directory doesn't make you a sysadmin. But it makes you a significantly better support technician.
You close tickets faster because you're checking the right things in the right order. You escalate more effectively because you've already ruled out the obvious AD-related causes. You build better documentation because you understand what's actually happening instead of just following steps.
When I started, I thought Active Directory was something I'd interact with occasionally - password resets and account unlocks. Now I recognize it as the foundation that most of my troubleshooting builds on. User can't print? Check their groups. Application won't launch? Check their OU and applied policies. Email distribution list isn't working? Check if it's actually a distribution group or a security group someone misconfigured.
The more comfortable you get with AD, the less you'll hear yourself saying "I don't know why that's happening" and the more you'll find yourself thinking "I know exactly where to look."
Supporting 800+ users taught me that Active Directory knowledge isn't optional for support techs. It's not just for sysadmins. It's for anyone who wants to actually understand why things break and how to fix them efficiently.
And that makes your job a lot less frustrating and a lot more effective.