Microsoft's official enterprise support blog for AD DS and more
Hi folks, Ned here again. We introduced the AD Administrative Center in Windows Server 2008 R2 to much fanfare. Wait, I mean we told no one and for good measure, we left the old AD Users and Computers tool in-place. Then we continued referencing it in all our documentation.
And people say we're a marketing company.
I've talked previously about using ADAC as a replacement for acctinfo.dll. Today I run through some of the hidden coolness that ADAC brings to the table as well as techniques that make using it easier. If you've never used this utility, make sure you review the requirements, and if you don't have any Windows Server 2008 R2 DCs, install the AD Management Gateway and its updates on at least one of your older DCs in each domain. ADAC is included in RSAT.
I am going to demo as much as possible, so I hope you have some bandwidth this month, oppressed serfs Canucks and Aussies. Since this is me, I'll also show you how to work around some ADAC limitations - this isn’t a sales pitch. To make things interesting, I am using one of my more complex forests where I test the ADRAP tools.
Fire up DSAC.EXE and follow along.
The first lesson is "do not fight the interface". Don't try to make ADAC into AD Users and Computers simply because that's what you're used to. ADUC wants you to click everywhere, expanding trees of data. It also has short-term memory loss - every time you restart it you have to set it up all over again.
ADAC realizes that you probably stick to a few areas most of the time. So rather than heading to the Tree View tab right away to start drilling down, like this:
… instead, consider using navigation nodes to add areas you are frequently accessing. In my case here, the Users container is an obvious choice:
This pins that container in the navigation pane so that I don’t have to click around next time.
It's even more useful if I use many deeply nested OU structures in the domain. For example, rather than clicking all the way into this hierarchy each time:
I can instead pin the areas I plan to visit that week for a project:
Nice! It even preserves the visual hierarchy for me. Notice another thing here - ADAC keeps the last three areas I visited in the recent view list under that domain. Even if I had not pinned that OU, I'd still get it for free if I kept returning to it:
Once you open one of those users, you don't have to dig through a dozen tabs for commonly used attributes. The important stuff is right up front.
For a real-world example of how this does not suck, see this article. The old tabs are down there in the extensions section still, if you need them:
One thing AD Users and Computers isn’t very good at is scale: it can only show you one domain at a time, requiring you to open multiple dialogs or create your own custom MMC console.
In ADAC, it’s no sweat - just insert any domains you want using Add Navigation Nodes again:
I can add other navigation nodes for those domains without adding the domains themselves too. Each domain gets that three-entry "recently used" list too. I'm also free to move the pinned nodes up and down the list with the right-click menu, if I have OCD. For instance, if I want the Users and Computers container from three domains, it's nothing to have them readily available, in the order I want:
Come on now, you have to admit that is slick, right?
Scattered around the UI are little arrows that allow you to hide and expose various data views. For instance, you can give yourself more real estate by hiding the navigation pane:
Or see a user's logon information:
Or hide a bunch of sections in groups that you don't usually care about, leaving the one you constantly examine:
Note: It's not really called the nubbin arrow except by Mike Stephens and me. Join our cool gang!
AD Users and Computers is an MMC snap-in: this means a UI designed for NT 4.0. When it lets you search, you are limited to the Find menu, which lets you return data, but not preserve it. After closing each search, ADUC's moron brain forgets what you just asked, like a binary pothead.
ADAC came after the birth of search, in a time when AD is ubiquitous and huge. That means everywhere you go, it wants to help you search rather than browse. Moreover, it wants to remember things you found useful. If I am looking at my Users container, the Filter menu is right there beckoning:
It lets me do quick and reasonable searches without a complicated menu system:
As well as create complex queries for common attributes:
Then save those queries for later, for use within any spot in the forest:
I can also use global search. And I do mean global - for example, I can search all my domains at once and not be limited to Global Catalog lookups, which only return the attributes in the partial attribute set and so are often missing less-travelled attributes:
For example here, I use ambiguous name resolution to find all objects called Administrator - note how this automatically wildcards.
Not bad, but I want only users that are going to have their passwords expire in the next month. Moreover, I've been trying to improve my LDAP query skills when scripting. No sweat, I can do it the easy way then convert it to LDAP:
Or maybe I let ADAC do the hard work of things like date range calculation:
Then I take that query:
And modify it to do what I want. Like only show me groups modified in the past three days:
Neato - on demand quasi-auditing.
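The three searches above (ambiguous name resolution, users whose passwords expire within a month, groups modified in the past three days) all end up as LDAP filters once ADAC converts them. The following is an added example, not code from the original post or from ADAC itself, showing how to build the same filters in PowerShell so the ADAC-style query can be reused in scripts. It assumes the ActiveDirectory module from RSAT and a reachable DC; the domain name corp.contoso.com and the 42-day maximum password age are assumptions for illustration, and the password-expiry function honours only the default domain policy, not fine-grained password policies (PSOs).

```powershell
# Added example: the LDAP filters behind three ADAC searches, rebuilt by hand.
# Not code from the original post. Requires the ActiveDirectory module (RSAT).

# 1. Ambiguous name resolution. ADAC's global search uses ANR, a server-side OR
#    across name-like attributes (displayName, givenName, sn, sAMAccountName...)
#    with prefix matching, which is why the search "automatically wildcards".
function Get-AnrFilter {
    param([Parameter(Mandatory)][string]$Value)
    "(anr=$Value)"
}

# 2. Objects modified in the last N days. whenChanged is LDAP generalized time
#    (UTC), so the cutoff must be rendered as yyyyMMddHHmmss.0Z, not as a .NET date.
function Get-ModifiedSinceFilter {
    param([int]$Days = 3, [string]$ObjectClass = 'group')
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyyMMddHHmmss') + '.0Z'
    "(&(objectClass=$ObjectClass)(whenChanged>=$cutoff))"
}

# 3. Users whose password expires within the next M days. pwdLastSet is a FILETIME
#    (100 ns ticks since 1601, UTC). A password set at time T expires at
#    T + MaxPasswordAge, so it expires inside the window when
#    now - MaxPasswordAge <= T <= now + M days - MaxPasswordAge.
#    Accounts flagged DONT_EXPIRE_PASSWD (0x10000) are excluded with the
#    LDAP_MATCHING_RULE_BIT_AND OID; pwdLastSet=0 (must change at next logon)
#    falls below the lower bound and drops out on its own.
#    Assumption: only the default domain policy applies (no PSOs).
function Get-PasswordExpiringFilter {
    param(
        [int]$WithinDays = 30,
        [Parameter(Mandatory)][TimeSpan]$MaxPasswordAge
    )
    $now = (Get-Date).ToUniversalTime()
    $lo  = ($now - $MaxPasswordAge).ToFileTimeUtc()
    $hi  = ($now.AddDays($WithinDays) - $MaxPasswordAge).ToFileTimeUtc()
    $parts = @(
        '(objectCategory=person)(objectClass=user)'
        '(!(userAccountControl:1.2.840.113556.1.4.803:=65536))'   # DONT_EXPIRE_PASSWD
        "(pwdLastSet>=$lo)(pwdLastSet<=$hi)"
    )
    '(&' + ($parts -join '') + ')'
}

# --- Usage (assumed domain name; run where the AD cmdlets can reach a DC) ---
Import-Module ActiveDirectory

# Same arithmetic ADAC does for the "password expires in the next month" query.
# 42 days is the assumed maximum password age if you have no DC to ask.
$policy = Get-ADDefaultDomainPasswordPolicy -Server 'corp.contoso.com'
$maxAge = if ($policy) { $policy.MaxPasswordAge } else { New-TimeSpan -Days 42 }
$pwdFilter = Get-PasswordExpiringFilter -WithinDays 30 -MaxPasswordAge $maxAge
Get-ADUser -Server 'corp.contoso.com' -LDAPFilter $pwdFilter -Properties pwdLastSet |
    Select-Object SamAccountName,
        @{ n = 'PwdLastSet'; e = { [DateTime]::FromFileTimeUtc($_.pwdLastSet) } }

# "Groups modified in the past three days" - the quasi-auditing query from the post.
Get-ADObject -Server 'corp.contoso.com' -LDAPFilter (Get-ModifiedSinceFilter -Days 3) -Properties whenChanged |
    Select-Object Name, whenChanged

# ANR for "Administrator" across every domain in the forest, querying each
# domain's own DCs rather than a GC so non-partial-attribute-set data is available.
(Get-ADForest).Domains | ForEach-Object {
    Get-ADObject -Server $_ -LDAPFilter (Get-AnrFilter 'Administrator') |
        Select-Object @{ n = 'Domain'; e = { $_.DistinguishedName -replace '^.*?,DC=', 'DC=' } }, Name, ObjectClass
}
```

The functions only emit filter strings, so you can paste their output straight into ADAC's LDAP query box or into any tool that takes a raw filter. The expiry filter is a server-side approximation: it cannot evaluate the constructed attribute msDS-UserPasswordExpiryTimeComputed, so for users covered by a PSO with a different maximum age the window will be off by the difference between that PSO and the domain default.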
If you want to zero out the ADAC console and get an out of box experience, there's no menu or button. However, if you delete this folder, you delete the whole cache of settings:
ADAC will be slow to start the next time you run it (just as it was the first time you ever ran it) but it will be quick again after that.
Have some really ginormous containers? If you navigate into one using ADAC, you will see an error like this:
"The number of items in this container exceeds the maximum number blah blah blah…"
The error tells you what to do - just change the "Management List" options. Right! So… ehhh… where is the management list? You have to hit the ALT key to expose that menu. Argh…
Then you can set the returned object count as low as 2000 or as high as 100000. If you have to do this though, you need to work on organizing your objects better.
In many ways, we designed ADAC like 7's Windows Explorer. It has a breadcrumb bar, a refresh button, and forward/back buttons.
It lets you use the address bar to quickly navigate and browse, with minimal real estate usage.
The buttons offer a history:
It has an obvious and "international" refresh button - very handy. ADUC made you learn weird habits like F5, which may seem natural to you now, but isn't very friendly for new admins.
That new Explorer probably took some getting used to, but once you had it down, returning to XP seemed like visiting the dusty hometown you left years ago: Quaint. Inefficient. Boring. If you have used the new Explorer for a few years now, ADAC should feel that much more intuitive.
I'm not here to argue against AD Users and Computers; it has its advantages (I miss the Copy… menu). And it's certainly familiar after 11 years of use. However, the AD Administrative Center deserves a place at any domain admin's table and can make your life easier once you know where to look. Try it for a week and see for yourself. If you come back to ADUC, it's ok - we already cashed your check.
Until next time.
- Ned "Ok, maybe 'fun' was a stretch" Pyle
@gallwapa: For DHCP mgmt, you may want to look at this -- blogs.technet.com/.../use-the-powershell-dhcp-module-to-simplify-dhcp-management.aspx. I also know that on the Script Repository, there are modules that basically control NETSH and do full management. For all I know you may be modifying these solutions for a better one. Either way, hope this helps a little.
If possible it would be great to have more (all?) attributes and columns available for data filtering, and the ability to export filtered data to a text or CSV file.
I know it's easy enough to do with a script but sometimes it would be just a bit quicker to have access to these through the GUI, since some of those filtering options are already there.
Another thing some of our admins miss with the 2008 ADUC is losing the Exchange related tabs that were available with the 2003 ADUC console and Exchange 2003 installed. Attributes such as mailbox details and proxy addresses were helpful to have rather than having to open the Exchange Management Console. Is that something that may be possible to integrate? - I'm sure the product teams explicitly separated them for a reason...
When using "Find" in 2008 ADUC you cannot see the Attribute Editor tab, only when drilling down into OUs manually. Is this a bug or intentional? I now use ADAC for that reason, to search and view the Attribute Editor tab.
Lots of great feedback here folks - the developers of these tools are now monitoring this thread so keep them coming. :)
Phatmike128 - to your last question, it's a known issue: blogs.technet.com/.../friday-mail-sack-scooter-edition.aspx
But no customer has come forward with a premier support case to ask for a fix so there it sits (as ADUC is pretty much... dead).
Another Feat.Req. I've seen mentioned in a couple of places is being able to specify a DC on commandline (dsac.exe /server=dc-at-nearby-site-but-not-default).. and if it would be possible to leave out the default domain entry so you can just specify the subOU for delegation purposes and only have that visible instead.