Nov 11, 2014
OK all you budding server administrators, have you checked out ADAC (the Active Directory Administrative Center) lately? ADAC has been around for a while now, but if you are anything like me, you took a look at ADAC when it first came out in Windows Server 2008 R2, thought it was cute, and promptly went back to using the good old Active Directory Users and Computers. After all, back then it showed a lot of promise, but it was a new, unfamiliar web-type interface and didn’t have a lot of features that made it unique.
But it sure has grown up now! Over the last few server iterations some great new features have been added, and in Windows Server 2012 R2 not only has it become a very useful and easy-to-use tool, I think it has also become a great learning tool, which can really help you learn the master administration tool of all server functions these days – PowerShell (more on that in a minute). Of course, we should all be used to the web-style interface of the new management tools by now. Now that ADAC has grown up, it can do pretty much everything that the older Active Directory Users and Computers could do, plus a few extras noted below!
However, I will try and keep this blog concise and briefly go over the main updates I especially like and that are now in the 2012 R2 edition:
- PowerShell History Viewer.
- Recycle Bin.
- Configuring Fine Grained Password Policies.
- Support for raising Domain and Forest levels and Global Search.
- PowerShell History Viewer
The PowerShell History Viewer was introduced in Windows Server 2012 and to me is one of the most useful features in the ADAC. The viewer (click the down arrow at the bottom right of the ADAC screen to open it) keeps track of all of the PowerShell cmdlets that are built in the background each time you run a wizard in the ADAC, for as long as you keep the ADAC window open. This makes it a great tool not only for seeing the PowerShell cmdlets as they are being built: you can also easily cut and paste them into Notepad, modify them slightly by introducing a couple of variables or three, and suddenly you have a script that can be used to import or create hundreds of users from a simple CSV file.
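The kind of CSV-driven script described above, as an added example that is not code from the original post or output copied from ADAC. The CSV columns, file path, UPN suffix, OU and account names are assumptions made for illustration; the CSV deliberately carries no passwords.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$csvPath   = Join-Path $env:TEMP 'new-users.csv'   # hypothetical location
$upnSuffix = 'corp.example.com'                    # hypothetical UPN suffix

# Constructed sample input; note there is no password column.
@'
GivenName,Surname,SamAccountName,OU
Ana,Lopez,alopez,"OU=Staff,DC=corp,DC=example,DC=com"
Ben,Smith,bsmith,"OU=Staff,DC=corp,DC=example,DC=com"
'@ | Set-Content -Path $csvPath

function New-InitialPassword {
    # 18 bytes from the OS cryptographic RNG, Base64-encoded (24 characters).
    $bytes = New-Object byte[] 18
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    # The fixed suffix only guarantees the complexity rule; entropy comes from the RNG.
    [Convert]::ToBase64String($bytes) + 'aA1!'
}

$created = foreach ($row in Import-Csv -Path $csvPath) {
    $sam = $row.SamAccountName
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "Skipping ${sam}: account already exists"
        continue
    }
    $plain = New-InitialPassword
    New-ADUser -Name "$($row.GivenName) $($row.Surname)" `
        -GivenName $row.GivenName -Surname $row.Surname `
        -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" `
        -Path $row.OU `
        -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true `
        -WhatIf   # dry run: remove once the output looks right
    # One-time password to hand over out of band; the user must change it at first logon.
    [pscustomobject]@{ SamAccountName = $sam; InitialPassword = $plain }
}
$created | Format-Table -AutoSize
```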
- Recycle Bin
Again, the Recycle Bin feature in Active Directory has been around since Windows Server 2008 R2, but previously it had to be enabled and administered via PowerShell. Please note here that the Recycle Bin is not enabled by default – you first have to enable it to be able to recover deleted items, and once it is enabled it cannot be disabled. But now you can use ADAC in Windows Server 2012 upwards to both enable and administer the Recycle Bin – a boon to most administrators! Once it is enabled (by right-clicking the domain name) you will have a Deleted Objects container. The Recycle Bin requires the forest functional level to be at Windows Server 2008 R2 or higher.
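The same steps from PowerShell, as an added example that is not code from the original post: it checks the forest functional level, enables the Recycle Bin only if it is still off, and looks up and restores a deleted account. The account name is hypothetical, and both changing commands are left as `-WhatIf` dry runs.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$forest   = Get-ADForest
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest

# Prerequisite from the text: forest functional level Windows Server 2008 R2 or higher.
if ($forest.ForestMode -lt $required) {
    throw "Forest functional level is $($forest.ForestMode); the Recycle Bin needs $required."
}

# EnabledScopes stays empty until the feature has been switched on.
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
if (-not $feature.EnabledScopes) {
    # Enabling cannot be undone, so this stays a dry run until -WhatIf is removed.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -WhatIf
}

# Objects deleted before the feature was enabled cannot be restored from it.
$sam     = 'alopez'   # hypothetical account name
$deleted = Get-ADObject -Filter "sAMAccountName -eq '$sam'" -IncludeDeletedObjects `
               -Properties lastKnownParent, whenChanged |
           Where-Object { $_.Deleted }

# Review what would come back, and where, before restoring anything.
$deleted | Select-Object Name, lastKnownParent, whenChanged | Format-Table -AutoSize

# Without -TargetPath the object goes back to lastKnownParent, which must still exist.
$deleted | Restore-ADObject -WhatIf
```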
- Fine Grained Password Policy
Before Windows Server 2008, Active Directory only had the one password policy that applied to all users in the domain. Microsoft introduced Fine Grained Password Policies in Server 2008, but again there was no graphical user interface to manage them. In Windows Server 2012, this feature was added to the ADAC, so now you can configure multiple password policies and assign them to different groups or users in your domain. Under the System container in your domain, you will now find a 'Password Settings Container', where you can build these password settings or policies, and nominate the group(s) or user(s) you wish the policy to apply to either at creation time or at a later time – in the properties of the password settings policy there is a “Directly applies to” section. Again, it is so simple to use, and again you can see the PowerShell cmdlets in the PowerShell History Viewer.
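An added example, not code from the original post or output copied from ADAC, that builds two password settings objects, links them to groups and then checks which one actually wins for a user. The policy names, the 'Service Accounts' group, the user name and all setting values are assumptions chosen for illustration.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Fine Grained Password Policies need domain functional level Windows Server 2008 or higher.
$domain   = Get-ADDomain
$required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ($domain.DomainMode -lt $required) {
    throw "Domain functional level is $($domain.DomainMode); FGPP needs $required."
}

# Stricter settings for privileged accounts (illustrative values).
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' `
    -LockoutDuration '0.00:30:00' -ProtectedFromAccidentalDeletion $true

# Longer passwords, rotated less often, for service accounts (illustrative values).
New-ADFineGrainedPasswordPolicy -Name 'PSO-Service' -Precedence 20 `
    -MinPasswordLength 25 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
    -LockoutThreshold 0 -ProtectedFromAccidentalDeletion $true

# The "Directly applies to" section: policies link to users or global security groups.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins'  -Subjects 'Domain Admins'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Service' -Subjects 'Service Accounts'  # hypothetical group

# When several group-linked policies reach one user, the lowest Precedence number wins;
# a policy linked directly to the user beats any group-linked one.
Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, AppliesTo

# Empty output means no policy object applies and the domain default is in effect.
Get-ADUserResultantPasswordPolicy -Identity 'alopez'   # hypothetical user
```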
Fine Grained Password Policies require the Domain functional level to be at Windows Server 2008 or higher, which leads me into the next feature:
- Support for Raising Domain and Forest Levels
Granted, raising the domain and/or forest levels is not something you need to do often, but one of the advantages of the old Users and Computers/Domains and Trusts tools etc. was the ability not only to raise these levels when required, but more often than not to see what the current levels were set to. Knowing what the domain and forest levels are should be one of your prerequisite checks before installing any application, role or feature, and now ADAC can do that too. Just right-click on the domain name and you get the options “Raise the domain functional level” and “Raise the forest functional level” (assuming you are looking at the forest root domain). Of course you still need your standard permissions, but you can now check and raise the domain and forest functional levels without having to swap tools.
- Global Search
Where was this feature when I started playing with Microsoft servers all those years ago? One of the biggest banes of my server administrator’s existence has always been trying to find out where a particular AD object, particularly a user object, sits in the AD structure, especially across multiple domains and even different tree structures. Now we have full global search capabilities in ADAC, introduced in Windows Server 2008 R2, able to search all domains without being limited to Global Catalog lookups. And not only that, but it also gives us the ability to add our own search criteria and build (and show us) the LDAP queries as well! Criteria such as “Users with enabled accounts who have not logged on for more than a given number of days” or “Resource property lists containing a given resource property”.
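An LDAP filter for the first of those criteria, run against every domain in the forest, as an added example that is not code from the original post and not necessarily the query ADAC itself builds. The 90-day threshold is an assumption.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$days   = 90   # assumed threshold
# lastLogonTimestamp is stored as a Windows FILETIME (100 ns ticks since 1601, UTC).
$cutoff = (Get-Date).AddDays(-$days).ToFileTimeUtc()

# Enabled user accounts whose last replicated logon is older than the cutoff.
# The 1.2.840.113556.1.4.803 rule is a bitwise AND; bit 2 of
# userAccountControl is ACCOUNTDISABLE, so !(...:=2) keeps enabled accounts.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
          "(lastLogonTimestamp<=$cutoff))"

# Query each domain in turn rather than relying on a Global Catalog lookup.
$stale = foreach ($domainName in (Get-ADForest).Domains) {
    Get-ADUser -LDAPFilter $filter -Server $domainName -Properties lastLogonTimestamp |
        Select-Object @{ n = 'Domain'; e = { $domainName } },
                      SamAccountName, DistinguishedName,
                      @{ n = 'LastLogonUtc'
                         e = { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } }
}

$stale | Sort-Object LastLogonUtc | Format-Table -AutoSize
```

By default lastLogonTimestamp can lag the real last logon by up to about two weeks, and accounts that have never logged on have no value for it, so they do not match this filter and need a separate check.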
Now of course there are still a few things that ADAC cannot do as yet, such as delegating administrative control over AD OUs, creating trusts between domains or forests, creating and managing sites, site links and subnets etc. However, I am sure Microsoft are working feverishly on these, and we will see them appear soon. In the meantime, check out the Active Directory Administrative Center and see what other gems you can find (such as the more information caret in the bottom left of the user properties dialog windows, where you can view the user’s last logon, bad password count, Update Sequence Number (USN), GUID and SID etc.). And of course come along to the New Horizons Windows Server 2012/2012 R2 and Windows 8/8.1 courses for much more detail on these and plenty of other ADAC features!