Fun with the AD Administrative Center
Hi folks, Ned here again. We introduced the AD Administrative Center in Windows Server 2008 R2 to much fanfare. Wait, I mean we told no one and for good measure, we left the old AD Users and Computers tool in-place. Then we continued referencing it in all our documentation.
And people say we're a marketing company.
I've talked previously about using ADAC as a replacement for acctinfo.dll. Today I run through some of the hidden coolness that ADAC brings to the table as well as techniques that make using it easier. If you've never used this utility, make sure you review the requirements and if you don't have any Windows Server 2008 R2 DCs, install the AD Management Gateway and its updates on at least one of your older DCs in each domain. ADAC is included in RSAT.
I am going to demo as much as possible, so I hope you have some bandwidth this month, oppressed serfs Canucks and Aussies. Since this is me, I'll also show you how to work around some ADAC limitations - this isn’t a sales pitch. To make things interesting, I am using one of my more complex forests where I test the ADRAP tools.
Fire up DSAC.EXE and follow along.
ADAC isn't ADUC
The first lesson is "do not fight the interface". Don’t try to make ADAC into AD Users and Computers simply because that's what you’re used to. ADUC wants to click everywhere, expanding trees of data. It also has short-term memory loss - every time you restart it you have to set it up all over again.
ADAC realizes that you probably stick to a few areas most of the time. So rather than heading to the Tree View tab right away to start drilling down, like this:
… instead, consider using navigation nodes to add areas you are frequently accessing. In my case here, the Users container is an obvious choice:
This pins that container in the navigation pane so that I don’t have to click around next time.
It's even more useful if I use many deeply nested OU structures in the domain. For example, rather than clicking all the way into this hierarchy each time:
I can instead pin the areas I plan to visit that week for a project:
Nice! It even preserves the visual hierarchy for me. Notice another thing here - ADAC keeps the last three areas I visited in the recent view list under that domain. Even if I had not pinned that OU, I'd still get it free if I kept returning to it:
Once you open one of those users, you don't have to dig through a dozen tabs for commonly used attributes. The important stuff is right up front.
For a real-world example of how this does not suck, see this article. The old tabs are down there in the extensions section still, if you need them:
A lot of people have a lot of domains
One thing AD Users and Computers isn’t very good at is scale: it can only show you one domain at a time, requiring you to open multiple dialogs or create your own custom MMC console.
In ADAC, it’s no sweat - just insert any domains you want using Add Navigation Nodes again:
I can add other navigation nodes for those domains without adding the domains themselves too. Each domain gets that three-entry "recently used" list too. I'm also free to move the pinned nodes up and down the list with the right-click menu, if I have OCD. For instance, if I want the Users and Computers container from three domains, it's nothing to have them readily available, in the order I want:
Come on now, you have to admit that is slick, right?
Always look for the nubbin arrow
Scattered around the UI are little arrows that allow you to hide and expose various data views. For instance, you can give yourself more real estate by hiding the navigation pane:
Or see a user's logon information:
Or hide a bunch of sections in groups that you don't usually care about, leaving the one you constantly examine:
Note: It's not really called the nubbin arrow except by Mike Stephens and me. Join our cool gang!
Views and Search are better than Find
AD Users and Computers is an MMC snap-in: this means a UI designed for NT 4.0. When it lets you search, you are limited to the Find menu, which lets you return data, but not preserve it. After closing each search, ADUC's moron brain forgets what you just asked, like a binary pothead.
ADAC came after the birth of search and in a time where AD is now ubiquitous and huge. That means everywhere you go, it wants to help you search rather than browse. Moreover, it wants to remember things you found useful. If I am looking at my Users container, the Filter menu is right there beckoning:
It lets me do quick and reasonable searches without a complicated menu system:
As well as create complex queries for common attributes:
Then save those queries for later, for use within any spot in the forest:
I can also use global search. And I do mean global - for example, I can search all my domains at once and not be limited to Global Catalog lookups that are often missing less-travelled attributes:
For example here, I use ambiguous name resolution to find all objects called Administrator - note how this automatically wildcards.
Not bad, but I want only users that are going to have their passwords expire in the next month. Moreover, I've been trying to improve my LDAP query skills when scripting. No sweat, I can do it the easy way then convert it to LDAP:
Or maybe I let ADAC do the hard work of things like date range calculation:
Then I take that query:
And modify it to do what I want. Like only show me groups modified in the past three days:
Neato - on demand quasi-auditing.
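The two queries described above (passwords expiring within a month, groups modified in the past three days), built by hand as LDAP filters. This is an added example, not part of the original post and not the filter text ADAC itself generates; the function names are made up for illustration, and the password filter assumes the default domain password policy applies to every user (no fine-grained password policies).

```powershell
# Added example: hand-built LDAP filters. Function names are hypothetical.

function ConvertTo-LdapGeneralizedTime {
    param([Parameter(Mandatory)][datetime]$Date)
    # whenChanged uses GeneralizedTime syntax in UTC: yyyyMMddHHmmss.0Z
    $Date.ToUniversalTime().ToString('yyyyMMddHHmmss',
        [cultureinfo]::InvariantCulture) + '.0Z'
}

function Get-RecentlyChangedGroupFilter {
    param([int]$Days = 3, [datetime]$Now = (Get-Date))
    $since = ConvertTo-LdapGeneralizedTime -Date $Now.AddDays(-$Days)
    "(&(objectCategory=group)(whenChanged>=$since))"
}

function Get-ExpiringPasswordFilter {
    param(
        [Parameter(Mandatory)][timespan]$MaxPasswordAge,
        [int]$Days = 30,
        [datetime]$Now = (Get-Date)
    )
    if ($MaxPasswordAge -le [timespan]::Zero) {
        throw 'MaxPasswordAge is zero: passwords never expire under this policy.'
    }
    # pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC).
    # A password expires at pwdLastSet + MaxPasswordAge, so "expires within
    # $Days" means pwdLastSet lies in [Now - MaxAge, Now - MaxAge + Days].
    $from = ($Now - $MaxPasswordAge).ToFileTimeUtc()
    $to   = ($Now - $MaxPasswordAge).AddDays($Days).ToFileTimeUtc()
    # userAccountControl bits: 65536 = DONT_EXPIRE_PASSWORD, 2 = ACCOUNTDISABLE
    '(&(objectCategory=person)(objectClass=user)' +
    "(pwdLastSet>=$from)(pwdLastSet<=$to)" +
    '(!(userAccountControl:1.2.840.113556.1.4.803:=65536))' +
    '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
}

# The filter builders above run anywhere. The queries below need a
# domain-joined host with the RSAT ActiveDirectory module:
#
#   Get-ADGroup -LDAPFilter (Get-RecentlyChangedGroupFilter -Days 3) `
#       -Properties whenChanged | Sort-Object whenChanged -Descending
#
#   $policy = Get-ADDefaultDomainPasswordPolicy
#   Get-ADUser -LDAPFilter (Get-ExpiringPasswordFilter `
#       -MaxPasswordAge $policy.MaxPasswordAge) -Properties pwdLastSet
```

whenChanged is not replicated between domain controllers, so each DC reports its own local timestamp; point repeated runs at the same DC with -Server if you compare results over time.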
A few tricks of the trade
Return to defaults
If you want to zero out the ADAC console and get an out of box experience, there's no menu or button. However, if you delete this folder, you delete the whole cache of settings:
ADAC will be slow to start the next time you run it (just as it was the first time you ever ran it) but it will be quick again after that.
The Management List
Have some really ginormous containers? If you navigate into one using ADAC, you will see an error like this:
The error tells you what to do - just change the "Management List" options. Right! So… ehhh… where is the management list? You have to hit the ALT key to expose that menu. Argh…
Then you can set the returned object count as low as 2000 or as high as 100000. If you have to do this though, you need to work on organizing your objects better.
Just think "Explorer"
In many ways, we designed ADAC like Windows 7's Windows Explorer. It has a breadcrumb bar, a refresh button, and forward/back buttons.
It lets you use the address bar to quickly navigate and browse, with minimal real estate usage.
The buttons offer a history:
It has an obvious and "international" refresh button - very handy. ADUC made you learn weird habits like F5, which may seem natural to you now, but isn't very friendly for new admins.
That new Explorer probably took some getting used to, but once you had the hang of it, returning to XP seems like visiting the dusty hometown you left years ago: Quaint. Inefficient. Boring. Having used the new one for a few years now, ADAC should be more intuitive.
I'm not here to argue against AD Users and Computers; it has its advantages (I miss the Copy… menu). And it's certainly familiar after 11 years of use. However, the AD Administrative Center deserves a place at any domain admin's table and can make your life easier once you know where to look. Try it for a week and see for yourself. If you come back to ADUC, it's ok - we already cashed your check.
Until next time.
- Ned "Ok, maybe 'fun' was a stretch" Pyle