This article is Part 25 in a series of articles on the "Top 31 Favorite Features in Windows Server 2012" with my fellow IT Pro Technical Evangelists. Be sure to follow them on Twitter and check out their blogs this month for the other parts of this series:
Looking to Streamline Active Directory Administration?
When we were designing the new version of the Active Directory Administration Center (ADAC) tool, we talked with lots of IT Pros to understand the day-to-day Active Directory (AD) tasks that were the most time consuming. The top feedback that we received included:
We took this feedback and incorporated GUI-based features into ADAC to address each area. Learn these new tricks to make some of your IT Admin headaches disappear!
NOTE: The new ADAC tool is included with Windows Server 2012 and can also be installed on Windows 8 IT Admin workstations by downloading the updated Remote Server Administration Toolkit for FREE!
Trick #1 - Easy Batch Operations on AD Objects
The new ADAC in Windows Server 2012 makes scripting PowerShell batch operations on AD objects easier than ever – even if you’re not a PowerShell pro! ADAC is built on top of PowerShell 3.0, and we’ve added a new feature that interactively shows you the PowerShell code it’s running behind the scenes for leveraging in your own scripts.
Trick #2 – Quickly Recovering Deleted AD Objects
In Windows Server 2008 R2, we introduced the concept of an Active Directory Recycle Bin to help with deleted object recovery. However, the Recycle Bin in R2 was administered exclusively via PowerShell and didn’t have a GUI-based interface. In Windows Server 2012, ADAC now includes a full GUI-based process for enabling the Recycle Bin and also restoring deleted objects! If you love PowerShell, all the prior PowerShell functionality for the Recycle Bin is still there and is unchanged from R2.
NOTE: To use the Active Directory Recycle Bin feature, your AD Forest must be at the Windows Server 2008 R2 Functional Level or later and you must be a member of the Enterprise Admins group.
Trick #3 – Multiple Password Policies in One Domain
One of the most common security requirements I’ve seen in enterprise organizations is setting unique password policies for different subsets of user accounts on the network. Some user accounts need to have very restrictive password policies – such as powerful IT Admin user accounts and user accounts with access to sensitive information. Other accounts often don’t have these same requirements. If we try to force very strict passwords on all user accounts to support the needs of just a few, most users will probably resort to writing down their passwords – which defeats our security practices all-together!
In the old days ( prior to Windows Server 2008 ), we resorted to complex AD configurations with multiple domains because of the “one password policy per domain” restriction. In Windows Server 2008, we provided functionality for creating multiple password policies within a single domain via Password Settings objects ( Yay! ), but it was only accessible via ADSIEdit ( Yuck! ) and, as a result, many IT Admins weren’t aware of it and didn’t leverage it.
NOTE: To configure Password Settings objects, your AD Domain must be at the Windows Server 2008 Domain Functional Level or later.
In the new ADAC in Windows Server 2012, we can now define and assign multiple password policies within a single AD domain entirely from within the GUI-based ADAC console! Here’s how …
Do It: Try It In Your Own Lab
Try these steps in your own lab environment, by following these steps:
What do you think of the new ADAC?
Are you excited about using the new ADAC in your environment? Feel free to share your feedback and stories in the comments below!
Hope this helps,
Like this article? Subscribe to "IT Pros ROCK!" and stay up-to-date!