I’m excited to announce that Gartner has named Quest as an example vendor in multiple areas in its 2025 report titled, “A Well-Run Active Directory Requires Strong Identity Controls”!1 In fact, Quest and our business unit One Identity are recognized as an example vendor across many categories.
No one offers as many identity security controls as Quest and One Identity.
This breadth of functionality is critical because IT security always requires more than a single tool or strategy. In particular, to effectively defend against today’s identity-focused attacks, you need a defense-in-depth approach across many layers.
With Quest and One Identity, you get a unique focus on identity-centered security coupled with market-leading AD migration, management, security, disaster recovery, and identity threat detection and response (ITDR). As a result, you can modernize your IT environment, proactively strengthen your security posture, identify and respond to threats in motion, and recover from incidents quickly to minimize their impact.
We think that while other vendors provide one or a few capabilities, the new Gartner report is proof that no one offers as many Active Directory and identity security controls as Quest and One Identity.
The categories where Quest and One Identity are named an Example Vendor
The Gartner report offers a structured approach to managing Active Directory. Specifically, it states: “This guidance framework provides a systematic approach to addressing existing gaps in enterprise AD implementations and preparing enterprises for the future.”
Here are the listed categories of the Gartner report that mention Quest or One Identity as an Example Vendor:
- Active Directory migration
- ITDR
- AD backup
- AD monitoring, auditing and analytics
- Specialized AD management tools
- Identity federation, hub-and-spoke architecture
- Architectures for multi-forest environments
- Privileged Access Management tools
- Access management tools
- Least privilege & separation of duty
- General-purpose IGA tools
- AD bridging software to integrate non-Windows systems
Active Directory migration
Best practice: Streamline your logical topology.
Migrations are critical to AD security because they help you get your identity house in order and keep it that way. Many organizations have an AD infrastructure that has grown cluttered and complex over the years and is in urgent need of modernization. Plus, merger and acquisition (M&A) activity, divestitures, internal reorganizations, and technical investments all drive significant change to the IT environment — including adding complexity to the identity infrastructure.
So it’s really no wonder that one of the first best practices that the Gartner report identifies is to streamline your logical topology. As it notes, “Simpler AD topologies improve security, reduce administrative overhead, increase efficiency and enable faster time to value for integrations with cloud services.”
To achieve this goal, organizations usually opt for migrations, rather than rebuilding everything from scratch in a greenfield environment. Choosing a migration enables them to minimize both the impact on end users and the work required by the IT team.
Still, AD migrations are lengthy and complex projects that involve significant business risk. How can you maximize your chances of success? The Gartner report says: “A successful AD migration requires management support, a clear communications plan, project management support, planning, training, testing and provisions for rollback. A key challenge often cited by Gartner clients is the necessity to properly inventory all applications and services integrated with AD, and to understand their AD integration patterns. Most organizations engage a professional services firm to carry out a migration.”
“A key challenge often cited by Gartner clients is the necessity to properly inventory all applications and services integrated with AD, and to understand their AD integration patterns.”
Gartner, “A Well-Run Active Directory Requires Strong Identity Controls” (ID G00830063), Paul Rabinovich, 8 May 2025.
Given all the moving pieces involved in a migration, it's really no wonder that the report states unequivocally, “Gartner recommends using a commercial off-the-shelf product to support a migration.”
How Quest can help
On Demand Migration (ODM) helps you integrate and migrate users, groups and devices between Active Directory, Entra ID and hybrid directory environments — without requiring trusts, SQL, network connectivity or installing servers. This cloud-based SaaS solution provides a management dashboard for scheduling and automation, is highly adaptable to custom configurations, and keeps migrated and un-migrated users and groups in sync during AD or Entra ID migrations. Plus, you can modernize and migrate your devices to the cloud.
With ODM, you can:
- Move AD, hybrid Entra ID and Entra ID devices from one environment to another while retaining user settings, including Microsoft Outlook profiles.
- Provision target users, groups and contacts, including syncing passwords for AD accounts.
- Accelerate migration readiness with an AI-driven assistant that will analyze complex AD migration logs and knowledge base articles and then surface the most critical insights and recommendations.
- Empower business users to control the timing of their device migrations through self-service scheduling, thereby minimizing disruption and freeing IT teams from manual orchestration.
- Perform application inventory and assessment to evaluate legacy applications, map how they integrate and plan for migration.
- Move devices from on-prem AD to Entra ID or from one Intune environment to another — without the need to wipe and reimage the devices.
ITDR
Best practice: Implement identity posture management and ITDR.
Today, attacking Active Directory is a key method that hackers use to infiltrate corporate networks. As per Gartner, “To deliver effective IAM capabilities that are integrated with AD, identity architects should: “Ensure the integrity and security of your Active Directory environment by implementing identity posture management and identity threat detection and response.”
The Gartner report emphasizes, “Identity posture management and ITDR are about correct and secure operation of the identity infrastructure as well as protection of individual users and resources managed by this infrastructure. Tools fulfill this mission by applying threat intelligence, behavioral signatures, heuristics, statistical analysis, analyses of known tactics, techniques and procedures (TTPs) and machine learning algorithms to discover indicators of exposure and indicators of compromise in Active Directory. Thus, these tools may perform both preventive and detective functions, although their relative weights and specific methodologies vary from tool to tool.”
According to the Gartner report, “Identity posture management and ITDR tools typically offer some combination of the following features:
- Configuration, policy and identity data analysis to assess the security posture of an organization’s AD environment
- Attack path management and impact analysis
- Risk scoring and prioritization
- Real-time monitoring of runtime behaviors for common indicators of compromise
- Machine learning or analytics to detect abnormal behaviors or events
- Automated remediation and incident response
- Dashboards, alerts, reports, search and incident management
- Integration with security information and event management (SIEM), security orchestration automation and response (SOAR), and extended detection and response (XDR) tools
- Integration with multifactor authentication (MFA) solutions to deliver step-up authentication in response to risk events
- Risk signal sharing with additional modules (for suite providers) and third-party tools”
As per Gartner, “Prepare for the unexpected: new zero-day exploits against AD will be discovered. Include Active Directory in your organization’s vulnerability and threat management and incident response planning.”
Gartner,“A Well-Run Active Directory Requires Strong Identity Controls” (ID G00830063), Paul Rabinovich, 8 May 2025.
How Quest can help
Security Guardian is a powerful solution that delivers both the preventive and detective functions that the Gartner report recommends. Powered by Generative AI and seamlessly integrated with Microsoft Security Copilot, Security Guardian:
- Reduces your attack surface by assessing your hybrid AD against industry best practices
- Automatically identifies critical Tier 0 assets to ensure they receive priority attention
- Secures critical AD and Entra ID objects from compromise and misconfiguration
- Accurately detects anomalous behavior and other threats to avoid alert fatigue
- Offers an innovative Shields Up capability that enables the IT team to temporarily freeze all changes to Tier 0 objects when a threat is detected, thereby containing threats and stopping adversaries from modifying critical security settings, hijacking privileged accounts or spreading across the environment
- Spotlights what happened, whether you’re exposed and how to remediate
- Enables quick reversion of unwanted changes to a previous, trusted state
Gartner states that organizations should: “Prioritize tools that support both preventive and detective controls.”
Gartner, “A Well-Run Active Directory Requires Strong Identity Controls” (ID G00830063), Paul Rabinovich, 8 May 2025.
For even more robust threat prevention, pair Security Guardian with SpecterOps BloodHound Enterprise. This is the only product available that provides attack path management and impact analysis for Active Directory — enabling you to quickly identity sequences of steps that an adversary who compromises an ordinary user account could take to gain control over critical assets or even Active Directory itself. With risk scoring and prioritization, you can measure the impact of any point in an attack path and identify optimal locations to block the largest number of pathways.
Active Directory backup
Additional function: Active Directory backup
The Gartner report identifies AD backup as an additional function that can enhance an organization’s AD security posture. Specifically, it calls out “Tools that provide more complete and efficient alternatives to Microsoft’s built-in AD backup and recovery capability.”
The reason for this is simple: The built-in AD backup and recovery capabilities are not — and were never intended to be — a comprehensive, enterprise-quality solution for backup and recovery. In particular, while the AD Recycle Bin offers a convenient way to quickly restore certain types of AD objects that were recently deleted, it does not cover all types of deleted objects, nor does it help with objects that were modified rather than deleted.
Moreover, in case of a full-on Active Directory disaster that brings down your entire forest, the Microsoft recovery process is exceedingly slow and prone to human error. Data protection and generic enterprise backup tools might seem like a good fit, but they also lack recovery automation, cannot restore an entire forest and do not perform object level recovery. It’s no surprise that the Gartner report states: “A dedicated backup tool for AD will be of great help in case of a successful ransomware attack.”
A dedicated backup tool for AD will be of great help in case of a successful ransomware attack.
Gartner, “A Well-Run Active Directory Requires Strong Identity Controls” (ID G00830063), Paul Rabinovich, 8 May 2025.
How Quest can help
Quest pioneered purpose-built AD backup and recovery more than 20 years ago, resulting in solutions with maximum stability, scalability and capability. Here’s a quick overview of the key Quest solutions that can help you ensure reliable Active Directory backup and recovery:
- Recovery Manager for Active Directory Disaster Recovery Edition enables you to quickly and easily restore specific users, attributes, organizational units (OUs), computers, GPOs and more — all without restarting your domain controllers (DCs). Moreover, in a disaster scenario, it slashes AD forest recovery time from days or weeks to just hours, giving you peace of mind that an AD disaster will not become a business disaster. This capability is especially important today, with ransomware attacks becoming both more common and more devastating.
- Disaster Recovery for Identity is a SaaS-based backup and recovery solution for on-premises AD disasters. With its SaaS-based management and cloud backups, it provides instant, malware-free recovery for AD and reduces reliance on server teams to rebuild infrastructure.
- On Demand Recovery helps ensure the availability and integrity of both on-premises AD and Azure AD. It provides a single recovery dashboard to differentiate hybrid and cloud-only objects, run difference reports between production and real-time backups, and restore changes.
AD monitoring, auditing and analytics
Best practice: Implement audit logging, reporting, monitoring and analytics.
Clearly, building a strong security posture is important. But it’s by no means sufficient: Your IT infrastructure is still at risk from both malicious attacks and inadvertent errors. Accordingly, you also need to audit, analyze and record activity across your IT environment.
Indeed, according to the Gartner report, “implementing audit logging, reporting, monitoring and analytics can help organizations accomplish all of the following priorities:
- Adhere to the principles of least privilege and separation of duty
- Stay compliant with relevant regulations
- Identify policy violations
- Detect anomalies and threats
- Respond to incidents”
Native logs provide a good start toward the auditing required for strong security, compliance and business continuity. But they are notoriously noisy, cryptic and incomplete. Moreover, they are disjointed — and when you have to manually juggle multiple separate logs, each with its own structure, data format and so on, it’s difficult to get a true understanding of what’s happening across your IT ecosystem, especially in time to block threats in motion.
Exactly what activity should your auditing program cover? The Gartner report states in Table 5 of the report that identity-related events in an AD environment include:
- “Login activity for users, administrators and service accounts
- Changes in AD, such as account creation as well as changes to account attributes, account status, group membership, Group Policy objects (GPOs), access control lists (ACLs) and delegation rules
- Creation or modification of privileged accounts
- Activity by privileged accounts
- Configuration changes that could weaken security and access controls
- Suspicious activity that could indicate an identity-based attack against AD
- Events in applications and services integrated with AD that could be correlated with user and admin activities in AD itself”
How Quest can help
Quest offers solutions that go far beyond native audit capabilities. They translate system-provided logs into a simple, normalized format — and also collect additional information that native logs simply do not capture. In particular, Security Guardian helps you quickly detect and respond to threats while maintaining deep visibility into critical changes and logon activity across your environment. It reduces operational overhead by eliminating the need for on-prem infrastructure and simplifies management through an intuitive, modern interface. Built on a scalable cloud platform, it ensures reliable performance even as data volumes grow, and supports long-term data retention to meet compliance and investigative needs.
Specialized AD management tools
Best practice: Implement best practices for identity governance and administration.
The Gartner report describes IGA and its relationship to identity security as follows: “IGA as a subdiscipline of IAM exists to ensure that the right people get the right access to the right resources at the right time for the right reasons. Because of the centrality of Active Directory, a disproportionately large number of IGA processes in any organization is tied to AD. Effective enterprisewide IGA is impossible without effective IGA of user accounts, roles, entitlements and policies in enterprise AD.”
As the Gartner report states, having the right tools can help: “Although IGA is first and foremost about processes, not technology, tools can help organizations improve operational efficiency, business enablement, security and risk management, and compliance in their AD.” As per Gartner, “In addition to common IGA functionality, AD-centric management tools often include:
- Delegated administration
- Self-service for managing personal attributes
- Management of Group Policy objects (GPOs)
- Management of access control lists (ACLs)
- Discovery of, and reporting on, expired, locked, orphaned and other high-risk accounts
- Change management services
- Data access governance
- Compliance monitoring and enforcement”
How Quest can help
Our Active Directory management tools include the following:
- GPOADmin offers enhanced security and workflow capabilities that enable you to control and secure your Windows infrastructure while supporting governance initiatives. Given the April 2026 end of life for Microsoft Advanced Group Policy Management (AGPM), organizations need a replacement ASAP to protect GPOs from SwiftSlicer, BlackCat, Mango Sandstorm, Play and the many other modern ransomware gangs who routinely abuse Group Policy as part of their attack playbooks. GPOADmin delivers the powerful Group Policy management capabilities that organizations need to mitigate today’s sophisticated threats and ensure strong productivity.
- Active Roles from One Identity extends and enhances the native capabilities of Active Directory and Entra ID to accelerate account, group and directory management. You can eliminate manual processes to increase security and efficiency, enabling IT teams to focus on other tasks knowing that critical data, user permissions and privileged access are under control.
Additional categories
In addition to being named alongside Quest for specialized Active Directory management tools, One Identity was named as an example vendor in six additional categories in the Gartner report:
- Architectures for multiforest environments
- General-purpose IGA
- Access management
- Least privilege & separation of duty
- General-purpose PAM tools
- Active Directory bridging software to integrate non-Windows systems
Indeed, One Identity is a recognized market leader in all of the following vital areas:
- Identity and access management (IAM) — OneLogin by One Identity is a customizable, extensible, and scalable identity platform with features like single sign-on (SSO), MFA and certificate-based authentication. The solution was named an Overall Leader, Product Leader and Market Leader in the KuppingerCole 2025 Access Management Leadership Compass.
- Privileged access management (PAM) — One Identity solutions also facilitate enforcement of least privilege and separation of duty by supporting delegated administration capabilities beyond those natively available in AD.
- Identity governance and administration (IGA) — One Identity solutions support both point-to-point and hub-and-spoke identity federation architectures.
Conclusion
The 2025 Garner report A Well-Run Active Directory Requires Strong Identity Controls states, “Active Directory is a critical IT asset for an overwhelming majority of organizations. This research provides identity architects with guidance on how to apply IAM best practices to AD.” Quest invites you to learn more about our solutions and try them out for yourself as you build a defense-in-depth strategy for strong cybersecurity and cyber resilience.
1 Gartner, “A Well-Run Active Directory Requires Strong Identity Controls” (ID G00830063), Paul Rabinovich, 8 May 2025.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.