Fun with the AD Administrative Center


Hi folks, Ned here again. We introduced the AD Administrative Center in Windows Server 2008 R2 to much fanfare. Wait, I mean we told no one and for good measure, we left the old AD Users and Computers tool in-place. Then we continued referencing it in all our documentation.

And people say we're a marketing company.

I've talked previously about using ADAC as a replacement for acctinfo.dll. Today I run through some of the hidden coolness that ADAC brings to the table, as well as techniques that make using it easier. If you've never used this utility, make sure you review the requirements, and if you don't have any Windows Server 2008 R2 DCs, install the AD Management Gateway and its updates on at least one of your older DCs in each domain. ADAC is included in RSAT.

I am going to demo as much as possible, so I hope you have some bandwidth this month, oppressed serfs, Canucks and Aussies. Since this is me, I'll also show you how to work around some ADAC limitations - this isn't a sales pitch. To make things interesting, I am using one of my more complex forests where I test the ADRAP tools.

image

Fire up DSAC.EXE and follow along.

ADAC isn't ADUC

The first lesson is "do not fight the interface". Don't try to make ADAC into AD Users and Computers simply because that's what you're used to. ADUC wants you to click everywhere, expanding trees of data. It also has short-term memory loss - every time you restart it you have to set it up all over again.

ADAC realizes that you probably stick to a few areas most of the time. So rather than heading to the Tree View tab right away to start drilling down, like this:

image

… instead, consider using navigation nodes to add areas you are frequently accessing. In my case here, the Users container is an obvious choice:

image

image

This pins that container in the navigation pane so that I don’t have to click around next time.

image

It's even more useful if I use many deeply nested OU structures in the domain. For example, rather than clicking all the way into this hierarchy each time:

image

I can instead pin the areas I plan to visit that week for a project:

image

Nice! It even preserves the visual hierarchy for me. Notice another thing here - ADAC keeps the last three areas I visited in the recent view list under that domain. Even if I had not pinned that OU, I'd still get it for free if I kept returning to it:

image

Once you open one of those users, you don't have to dig through a dozen tabs for commonly used attributes. The important stuff is right up front.

image

For a real-world example of how this does not suck, see this article. The old tabs are down there in the extensions section still, if you need them:

image

A lot of people have a lot of domains

One thing AD Users and Computers isn’t very good at is scale: it can only show you one domain at a time, requiring you to open multiple dialogs or create your own custom MMC console.

image

In ADAC, it’s no sweat - just insert any domains you want using Add Navigation Nodes again:

image

I can add other navigation nodes for those domains without adding the domains themselves too. Each domain gets that three-entry "recently used" list too. I'm also free to move the pinned nodes up and down the list with the right-click menu, if I have OCD. For instance, if I want the Users and Computers container from three domains, it's nothing to have them readily available, in the order I want:

image

image

Come on now, you have to admit that is slick, right?

Always look for the nubbin arrow

Scattered around the UI are little arrows that allow you to hide and expose various data views. For instance, you can give yourself more real estate by hiding the navigation pane:

image

Or see a user's logon information:

image

Or hide a bunch of sections in groups that you don't usually care about, leaving the one you constantly examine:

image

Note: It's not really called the nubbin arrow except by Mike Stephens and me. Join our cool gang!

Views and Search are better than Find

AD Users and Computers is an MMC snap-in: this means a UI designed for NT 4.0. When it lets you search, you are limited to the Find menu, which lets you return data, but not preserve it. After closing each search, ADUC's moron brain forgets what you just asked, like a binary pothead.

ADAC came after the birth of search, at a time when AD is ubiquitous and huge. That means everywhere you go, it wants to help you search rather than browse. Moreover, it wants to remember things you found useful. If I am looking at my Users container, the Filter menu is right there beckoning:

image

It lets me do quick and reasonable searches without a complicated menu system:

image

As well as create complex queries for common attributes:

image

Then save those queries for later, for use within any spot in the forest:

image

I can also use global search. And I do mean global - for example, I can search all my domains at once and not be limited to Global Catalog lookups that are often missing less-travelled attributes:

image

For example here, I use ambiguous name resolution to find all objects called Administrator - note how this automatically wildcards.

image

Not bad, but I want only users that are going to have their passwords expire in the next month. Moreover, I've been trying to improve my LDAP query skills when scripting. No sweat, I can do it the easy way then convert it to LDAP:

image

image

Or maybe I let ADAC do the hard work of things like date range calculation:

image

Then I take that query:

image

And modify it to do what I want. Like only show me groups modified in the past three days:

image

Neato - on demand quasi-auditing.
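The two searches above, redone from PowerShell with the Active Directory module so the converted LDAP filter can live in a script. This is an added example, not code from the original post: the filters are hand-built rather than pasted from ADAC, and it assumes the RSAT ActiveDirectory module and a reachable DC.

```powershell
# Added example, not code from the original post. Assumes the RSAT
# ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

# whenChanged is stored as LDAP generalized time in UTC: yyyyMMddHHmmss.0Z
function ConvertTo-GeneralizedTime {
    param([Parameter(Mandatory)][datetime]$Date)
    $Date.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
}

# 1. Groups modified in the past three days, the "quasi-auditing" search.
#    Same shape as what "Convert to LDAP" hands you, with the timestamp
#    computed instead of pasted.
$since  = ConvertTo-GeneralizedTime (Get-Date).AddDays(-3)
$filter = "(&(objectCategory=group)(whenChanged>=$since))"

Get-ADGroup -LDAPFilter $filter -Properties whenChanged |
    Sort-Object whenChanged -Descending |
    Select-Object Name, DistinguishedName, whenChanged

# Caveat before treating this as an audit: whenChanged is not replicated,
# each DC stamps it locally when it applies the change, so pin -Server if
# you compare runs. It also keeps only the latest change and never says
# who made it; the Directory Service Changes audit log on the DCs is the
# real trail.

# 2. Users whose password expires within the next 30 days. The expiry
#    time is a constructed attribute, so it cannot appear in the filter:
#    narrow the set server-side, then do the date comparison here.
#    Bit-AND matching rule 1.2.840.113556.1.4.803 on userAccountControl:
#    2 = ACCOUNTDISABLE, 65536 = DONT_EXPIRE_PASSWORD
$userFilter = '(&(objectCategory=person)(objectClass=user)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))'

$now    = (Get-Date).ToFileTimeUtc()
$cutoff = (Get-Date).AddDays(30).ToFileTimeUtc()

Get-ADUser -LDAPFilter $userFilter -Properties 'msDS-UserPasswordExpiryTimeComputed' |
    Where-Object {
        $exp = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 means "must change at next logon"; Int64.MaxValue means never
        $exp -ge $now -and $exp -le $cutoff
    } |
    Select-Object SamAccountName, @{
        n = 'PasswordExpires'
        e = { [datetime]::FromFileTimeUtc($_.'msDS-UserPasswordExpiryTimeComputed') }
    }
```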

A few tricks of the trade

Return to defaults

If you want to zero out the ADAC console and get an out of box experience, there's no menu or button. However, if you delete this folder, you delete the whole cache of settings:

%appdata%\IsolatedStorage\StrongName.um0icba0dwq40nfvuftw3i5jvholhn3k

ADAC will be slow to start the next time you run it (just as it was the first time you ever ran it) but it will be quick again after that.

The Management List

Have some really ginormous containers? If you navigate into one using ADAC, you will see an error like this:

image
"The number of items in this container exceeds the maximum number blah blah blah…"

The error tells you what to do - just change the "Management List" options. Right! So… ehhh… where is the management list? You have to hit the ALT key to expose that menu. Argh…

image

Then you can set the returned object count as low as 2000 or as high as 100000. If you have to do this though, you need to work on organizing your objects better.

Just think "Explorer"

In many ways, we designed ADAC like the Windows 7 Explorer. It has a breadcrumb bar, a refresh button, and forward/back buttons.

image

It lets you use the address bar to quickly navigate and browse, with minimal real estate usage.

image

The buttons offer a history:

image

It has an obvious and "international" refresh button - very handy. ADUC made you learn weird habits like F5, which may seem natural to you now, but isn't very friendly for new admins.

image

That new Explorer probably took some getting used to, but once you were used to it, returning to XP seems like visiting the dusty hometown you left years ago: Quaint. Inefficient. Boring. If you have used the new Explorer for a few years now, ADAC should feel more intuitive.

Sum Up

I'm not here to argue against AD Users and Computers; it has its advantages (I miss the Copy… menu). And it's certainly familiar after 11 years of use. However, the AD Administrative Center deserves a place at any domain admin's table and can make your life easier once you know where to look. Try it for a week and see for yourself. If you come back to ADUC, it's ok - we already cashed your check.

Until next time.

- Ned "Ok, maybe 'fun' was a stretch" Pyle

  • But how to extend it?!  It is supposed to be powershell based, but there doesn't seem any info on how to extend it - or even - to add extensions to it.  The sample prop page from the Windows SDK for the "Human Resources" tab appears when registered with a display specifier but my C# prop page does not.  Do I really fail that bad at MSDN/technet search?  Save us! :-)

  • Yep, that's a huge gap (we chatted about that previously in the comments here: blogs.technet.com/.../friday-mail-sack-ghost-of-the-goat-riding-bambino-edition.aspx). I gave that feedback to the Product Group and they did not tell me to $&^# off so we'll see what happens in MSDN. :-)

  • I just clicked that link and read before the blog went down briefly - thanks for the response!  I've spent about a month learning all sorts of sordid details (.net 4.0, in process shell extensions, mmc vs shell components, oy!) trying to find the right solution.  Eventually I said 'forget it, I'll do it in ADAC' before moving back to an uglier solution in ADUC - Admin context menu display specifier to launch a wpf app to manage the attributes we need, as well as a C# property page if we happen to browse to the user :)

    Thanks for the great article.  Everyone here _loves_ ADAC but can't use it due to our needs.  I'd even be willing to join Connect or whatever for whatever 'unofficial' documentation they need to create for this!

  • That is great feedback gallwapa, I will forward it directly to the PM who owns ADAC.

  • ADAC is great, I would recommend it to anyone with the disclaimer "It is not MMC". It is the best AD day to day management tool out there though. ADAC teamed with a PowerShell console is how I get by the limitations. When you start your day, you just do the following:

    1. Open a PowerShell console (as your admin user)

    2. Type ADAC.exe (no need to type your password again :))

    After a few days you will be able to build a pretty robust profile that allows you to move forward with the next few steps.

    3. In the Console, type your function to do basic health check - Test-ActiveDirectory, Test-ServerDiskSpace, etc

    4. Since you cannot open Computer Management with a simple right click, you just type: compmgmt.msc /computer:Server1 (again, you inherit your admin account here). Or Service.msc /computer:Server1, etc.

    5. Get ta work.

    If you start to learn the *-AD* commands in PowerShell, you will find that in a lot of cases you will go to ADAC and use the great "Explorer" style navigation to pull DNs with an easy copy/paste

    Allan

  • @coderaven:  I typically leave ISE open (until it crashes hehe) for this reason.  That, and my handy eikon fingerprint reader saves my bacon!

  • @coderaven - Nice tips, thanks!  Just wanted to offer one minor correction.  I believe the EXE is named, DSAC.exe not ADAC.exe.  At least mine is anyway, so it's possible I'm missing something.  Either way, I definitely like your daily plan of attack.

  • Oh, and I forgot to mention...  great article as always Ned!  Although I still have to convince myself to use ADAC more regularly.  I seem to be in PowerShell more than a console as of late.

  • Good stuff guys. If you have any thoughts on things you'd like to see added in either ADAC or AD PSh, feel free to reply here or email us - I'll be sure to forward along your feedback.

    Well, your useful feedback. If it's "OMGUSuxorzM$" I might hold onto that one...

  • AD Powershell:  Ability to filter where attribute -eq $null .  QADCmdlets can do this

    ADAC:  thumbnailPhoto view, update, edit.   Moreover (and this is the reason we want to extend ADAC) the ability to add arbitrary UI elements for properties in the schema (in our case, we have a text field that only IT staff can edit/view)

  • Example of error:

    PS C:\Windows\system32> Get-ADuser -Filter "EmployeeID -eq '$null'" -properties EmployeeID
    Get-ADUser : The search filter cannot be recognized
    At line:1 char:11
    + Get-ADuser <<<<  -Filter "EmployeeID -eq '$null'" -properties EmployeeID
        + CategoryInfo          : NotSpecified: (:) [Get-ADUser], ADException
        + FullyQualifiedErrorId : The search filter cannot be recognized,Microsoft.ActiveDirectory.Management.Commands.GetADUser

  • @gallwapa - You can get the same results as "-eq $Null" with the following syntax, granted I more than agree this isn't as intuitive!

    Get-ADuser -Filter "EmployeeID -notlike '*'" -properties EmployeeID

    The syntax (and many others) are within...

    help about_activedirectory_filter

    Although I do agree that more intuitive PowerShell-esque filtering would be a nice to have.

  • @sgrinker - thanks for that.  I guess I glossed over that.  I had been checking -ne "" -and length -gt 0

  • Y'all are correct that the -Filter takes a little getting used to and it can get sticky depending on what you are doing. I do try to use the -Filter as much as I can, it is consistent with other PowerShell cmdlets. If you don't want to mess with that though or are in a hurry, revert to -LDAPFilter. -LDAPFilter is golden, simple multi-filter, same ole LDAP filtering and you can use it in conjunction with ADAC LDAP Filtering searches. Just do an advanced search -> convert to LDAP -> Copy -> Paste -> ... | foreach-Object { Set-ADUser -Identity $_.DistinguishedName -doSomeThingFancy}

    @gallwapa: yea, the ISE will eat your lunch. Always keep a console open unless you're getting funky with it or creating/updating your functions, then open ISE

    @sgrinker: thanks for correcting on the EXE name you are correct. After reading such a great article and seeing ADAC about 25 times -- ya know.

    @ned: Request -- Not really "needed" but a Transcript of work (Start-Transcript; End-Transcript) would be nice to have.

    I envision it would work something like View -> Transcript and you would have a Window of all PowerShell equivalent commands the ADAC has sent to the web service. This could be integrated pretty easy with a roll forward and roll back ability. I think it would be very nice to have it when doing requested changes that had to be approved in some way or project work so that you can paste the commands in documentation allow the work to be recreated or rolled back even after the fact if something goes wrong.

    This same functionality could work with other management tools like SCCM/SCOM/SCVMM/Exchange etc. Older tools don't have command equivalents so it was not really possible or considered.

    Allan
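Pulling the three replies above together: the working filters for an unset EmployeeID, and the ADAC "convert to LDAP, paste, pipe into Set-ADUser" pattern with a dry run before anything changes. This is an added example, not code from the post or the commenters; it assumes the RSAT ActiveDirectory module, and the HR lookup table, the pasted filter and the Set-MissingEmployeeId function are constructed for illustration.

```powershell
# Added example (not from the post or comments). Assumes the RSAT
# ActiveDirectory module; HR data and the pasted filter are made up.
Import-Module ActiveDirectory

# "EmployeeID -eq $null" is rejected ("The search filter cannot be
# recognized"). Test for the absence of any value instead; these two
# return the same users.
$missing1 = Get-ADUser -Filter "EmployeeID -notlike '*'" -Properties EmployeeID
$missing2 = Get-ADUser -LDAPFilter '(!(employeeID=*))'   -Properties EmployeeID

# Thread pattern: build the search in ADAC, "Convert to LDAP", copy, paste
# the string here, pipe into Set-ADUser. A constructed stand-in for the
# pasted filter: enabled users with no employeeID.
$pasted = '(&(objectCategory=person)(objectClass=user)(!(employeeID=*))' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# Constructed HR extract: sAMAccountName -> employee number
$hrIds = @{ 'jdoe' = 'E1001'; 'asmith' = 'E1002' }

function Set-MissingEmployeeId {
    param([hashtable]$Ids, [string]$Filter, [switch]$WhatIf)
    Get-ADUser -LDAPFilter $Filter -Properties employeeID | ForEach-Object {
        $sam = $_.SamAccountName
        if (-not $Ids.ContainsKey($sam)) {
            Write-Warning "$sam has no employeeID and no HR record; skipped"
            return
        }
        # -Replace on an attribute that has no value simply sets it
        Set-ADUser -Identity $_.DistinguishedName `
                   -Replace @{ employeeID = $Ids[$sam] } -WhatIf:$WhatIf
    }
}

# 1. Dry run: prints each object that would change, touches nothing.
Set-MissingEmployeeId -Ids $hrIds -Filter $pasted -WhatIf

# 2. Real run inside a transcript so the change set is on record
#    (the transcript idea from the thread, done by hand for now).
Start-Transcript -Path "$env:USERPROFILE\employeeid-fix.log"
Set-MissingEmployeeId -Ids $hrIds -Filter $pasted
Stop-Transcript
```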

  • As long as its feature request time...

    DHCP / DNS server management through cmdlets.  My management scripts are ginormous and complex