Overview
Three products in the TontonTools suite access Active Directory: Delete Device Everywhere (DDE), Get Primary Device And Email From User (GPDEU), and Get Primary User And Email From Device (GPUED). The other seven products do not touch AD directly — they reach AD-sourced data through one of two indirect channels: SCCM (which has its own AD Discovery), or Microsoft Graph against Entra ID (which is synchronized from on-premises AD via Entra Connect). This page documents the AD permissions required by the three tools that touch AD directly and explains why the others don't need any AD grant at all.
Two access patterns
DDE uses direct LDAP via System.DirectoryServices (no RSAT required). GPDEU and GPUED use the PowerShell ActiveDirectory module from RSAT (Get-ADUser). Both patterns ultimately talk LDAP to a domain controller, but the stack and the prerequisites differ.
Three tools concerned
DDE deletes computer objects from AD as part of a four-system decommission. GPDEU resolves user attributes (mail, displayName) by sAMAccountName. GPUED does the same after a device-to-user pivot via SCCM. Nothing else in the suite touches AD.
Seven tools that don't need AD
AUC, ADC, CDS, SIM, ODM, DDM, ODC do not require any AD permission. Their identity-related data comes either from SCCM Discovery (which has already imported the relevant AD attributes) or from Entra ID via Microsoft Graph (which mirrors AD via Entra Connect). The chain is documented below.
Two ways the suite accesses Active Directory
The two access patterns are deliberate. DDE needs to delete computer objects — an operation that benefits from the explicitness and reliability of direct LDAP. GPDEU and GPUED need to read user attributes — an operation that is more conveniently expressed as a Get-ADUser PowerShell call. Both patterns are documented below so that AD administrators know exactly what to expect on the wire and what to grant on the operator accounts.
Pattern A — Direct LDAP via System.DirectoryServices (DDE only)
DDE uses DirectoryEntry and DirectorySearcher from System.DirectoryServices — the .NET namespace for direct LDAP access. The operator supplies an LDAP root path (e.g. LDAP://DC=corp,DC=contoso,DC=com) in the Credentials dialog. DDE then runs a search with the filter (&(objectClass=computer)(cn=<deviceName>)) to locate the computer object, reads its distinguishedName and selected attributes, and finally calls DeleteTree() followed by CommitChanges() to remove the object.
| Aspect | Detail |
|---|---|
| Library | System.DirectoryServices (built into .NET Framework) |
| Prerequisites on workstation | None — RSAT is NOT required for this pattern |
| Protocol | LDAP (port 389) or LDAP-S (port 636) depending on AD topology |
| Authentication | Kerberos (or NTLM as fallback) under the signed-in Windows user |
| Operations performed | Search for computer object by CN, read attributes, DeleteTree + CommitChanges to delete |
Pattern B — PowerShell ActiveDirectory module via RSAT (GPDEU, GPUED)
GPDEU and GPUED use PowerShell.Create() from System.Management.Automation to invoke the Get-ADUser cmdlet from the RSAT ActiveDirectory PowerShell module. The cmdlet, under the hood, talks LDAP to a domain controller — but from the operator's perspective, it's a standard PowerShell call against Get-ADUser -Identity <sam> -Properties <attribute>. The attributes the tools care about are mail (for email resolution) and displayName (for the friendly display name).
| Aspect | Detail |
|---|---|
| Library | System.Management.Automation + RSAT ActiveDirectory PowerShell module |
| Prerequisites on workstation | RSAT must be installed (Windows Settings → Apps → Optional Features → "RSAT: Active Directory Domain Services and Lightweight Directory Services Tools") |
| Protocol | LDAP (port 389) or ADWS (port 9389) depending on the cmdlet implementation — both reach a domain controller |
| Authentication | Kerberos under the signed-in Windows user |
| Operations performed | Get-ADUser -Identity <sam> -Properties mail,displayName (read only) |
AD permissions required per tool
In Active Directory, default ACLs already grant most of what GPDEU and GPUED need (read access on standard user attributes is granted to Authenticated Users by default in most environments). DDE requires explicit delegation because deleting a computer object is not a default-allowed operation. The table below specifies what each tool needs, expressed as the minimum AD permission that must be granted to the operator account.
| Tool | AD operations | Minimum permission required | Object scope |
|---|---|---|---|
| DDE | Read attributes on computer objects; Delete the computer object | Delete on the computer object (or "Delete computer objects" delegation on the parent OU) | OUs containing the computer objects DDE is allowed to delete |
| GPDEU | Read mail and displayName attributes on user objects | Read property on user objects — granted by default to Authenticated Users in most AD installations | Domain-wide (or the OUs containing the queried users) |
| GPUED | Read mail and displayName attributes on user objects (same as GPDEU) | Same as GPDEU — Read property on user objects, granted by default | Domain-wide (or the OUs containing the queried users) |
A common pattern: create an AD security group named (for example) DDE-Operators, grant it the "Delete computer objects" delegation on the OUs containing decommissioning candidates, and add operators to the group. The group can be removed entirely when DDE is no longer in use, without affecting any other system.
Why the other seven tools don't need AD permissions directly
A natural question for an AD administrator reading this page: if AUC, ADC, CDS, SIM, ODM, DDM, and ODC operate on identity-tied data — users, computers, groups — how can they function without any AD permission grant? The answer is that they consume AD data through two well-established relay systems, both of which already have their own credentials and their own permission models.
Relay 1 — SCCM Discovery brings AD data into the SCCM database
SCCM runs scheduled discovery cycles (Active Directory System Discovery, Active Directory User Discovery, Active Directory Group Discovery, and Active Directory Forest Discovery) that import AD objects into the SCCM database. From that moment on, querying SMS_R_System or SMS_R_User via WMI returns AD data — name, sAMAccountName, distinguishedName, group memberships, lastLogonTimestamp — without ever talking to a domain controller.
AUC, ADC, CDS, GPDEU, GPUED, and SIM rely on this relay. The AD permissions they would have needed (read on user / computer / group objects) are held by the SCCM site server's computer account (or a dedicated SCCM discovery account), not by the operator. The operator only needs SCCM permissions, documented separately.
Relay 2 — Entra Connect synchronizes AD objects into Entra ID, accessible via Graph
For hybrid-identity environments, Microsoft Entra Connect (formerly Azure AD Connect) replicates on-premises AD users, groups, and computers into Entra ID on a regular cycle. From the cloud side, these objects look like native Entra ID objects and are queried via Microsoft Graph (GET /users, GET /devices, GET /groups). The on-premises origin is exposed via attributes like onPremisesSyncEnabled, onPremisesLastSyncDateTime, and onPremisesDistinguishedName, but the access path is purely cloud.
ODM, DDM, and ODC are entirely cloud-driven. They never query AD, they never talk WMI to SCCM. Their identity-tied data comes from Entra ID via Graph, and the permissions they need are Graph permissions on the Entra ID App Registration — never an AD delegation.
Summary of the three identity-data chains
| Chain | Where AD permissions are needed | Which tools rely on this chain |
|---|---|---|
| Direct AD (LDAP or PowerShell) | On the operator account itself (or a dedicated delegated group) | DDE, GPDEU, GPUED |
| SCCM Discovery → SMS_R_* in WMI | On the SCCM site server's computer account or discovery account — NOT on the operator | AUC, ADC, CDS, GPDEU (for SCCM cross-ref), GPUED (for SCCM cross-ref), SIM |
| Entra Connect → Entra ID → Graph | On the Entra Connect service account, configured during Entra Connect setup — NOT on the operator | ODM, DDM, ODC |
Prerequisites per tool
| Tool | Workstation prerequisite | AD environment prerequisite |
|---|---|---|
| DDE | No RSAT required (System.DirectoryServices is built into .NET Framework) | LDAP reachability (TCP 389) from workstation to a writable domain controller. Operator delegated Delete computer objects on target OUs. |
| GPDEU | RSAT ActiveDirectory PowerShell module installed (Optional Features in Windows Settings) | LDAP or ADWS reachability. Default ACL on user objects (read mail / displayName) is sufficient in most domains. |
| GPUED | RSAT ActiveDirectory PowerShell module installed (same as GPDEU) | Same as GPDEU. |
Authentication model
All three AD-touching tools authenticate to the domain controller as the signed-in Windows user via Kerberos (NTLM as automatic fallback). No service account is required, no credentials are typed, no LDAP bind string is sent over the wire. The operator simply needs to be logged into a domain-joined workstation with their own domain account.
For DDE specifically, the operator can override the default LDAP root path in the Credentials dialog if they need to query a non-default partition (e.g. a child domain, a different forest reachable via trust). The override changes the LDAP search base; it does not change the authentication mechanism. The bind is always under the current Windows session.
Verifying AD connectivity before using the tools
Three quick PowerShell checks cover the full AD-side prerequisites:
| Check | PowerShell command | Expected result |
|---|---|---|
| Find a domain controller | nltest /dsgetdc:contoso.local | Returns DC name, site, address, flags |
| LDAP reachability | Test-NetConnection <dc-name> -Port 389 | TcpTestSucceeded : True |
| RSAT module present (GPDEU / GPUED only) | Get-Module -ListAvailable ActiveDirectory | Returns the ActiveDirectory module entry |
If the first check fails, the workstation is not on the domain (or DNS is misconfigured). If the second check fails but the first succeeds, a firewall is blocking LDAP. If the third check fails, install RSAT before using GPDEU or GPUED.
Common errors and how to fix them
| Symptom in the tool log | Likely cause | Fix |
|---|---|---|
| LDAP bind failure (0x8007203a, "server is not operational") in DDE | LDAP root path is wrong, or workstation cannot reach any DC | Verify the LDAP root path in the Credentials dialog (e.g. LDAP://DC=corp,DC=contoso,DC=com). Run nltest /dsgetdc:<domain> to confirm DC discovery. |
| Computer object not found by DDE | The deviceName doesn't exist in the configured LDAP partition, or it lives in a different domain | Verify with ADUC (Active Directory Users and Computers) or with Get-ADComputer <name>. If the device is in a different domain, change the LDAP root path. |
| DeleteTree fails with "insufficient access rights" | Operator lacks Delete on the computer object | Grant Delete on the parent OU via Delegate Control wizard, or grant Delete on the specific computer objects. |
| Get-ADUser fails with "The term ... is not recognized" in GPDEU / GPUED | RSAT ActiveDirectory PowerShell module is not installed on the workstation | Install RSAT via Windows Settings → Apps → Optional Features → "RSAT: Active Directory Domain Services and Lightweight Directory Services Tools". |
| Get-ADUser returns nothing for a known-valid sAMAccountName | The account exists in a different domain or forest than the one the workstation queries by default | Use Get-ADUser -Server <fqdn-of-dc-in-target-domain> manually to confirm. GPDEU/GPUED query the current domain only by default. |
| Get-ADUser returns the user but the mail attribute is empty | The mail attribute is genuinely empty in AD for this user — common when email comes from Exchange Online and was not synced back to on-premises AD | Either populate mail in AD (via Exchange Hybrid mailbox config) or accept the empty result for that user. GPDEU/GPUED only read what AD has — they do not query Exchange Online. |
For the SCCM permissions used by the six SCCM-touching products (including DDE, GPDEU, GPUED which use both SCCM and AD), see the SCCM permissions reference. For the Microsoft Graph permissions used by every cloud-touching tool, see the Microsoft Graph permissions reference. For the overall security and data-handling model, see Security & Data Handling.