Introducing Active Directory Administrative Center

Active Directory Administrative Center provides network administrators with an enhanced Active Directory data management experience and a rich graphical user interface (GUI). Administrators can use Active Directory Administrative Center to perform common Active Directory object management tasks (such as user, computer, group, and organizational unit management) through both data-driven and task-oriented navigation. Administrators can use the enhanced Active Directory Administrative Center GUI to customize Active Directory Administrative Center to suit their particular directory service administration requirements.

There are several special considerations:

1. Active Directory Administrative Center can be installed only on computers running the Windows Server 2008 R2 operating system. Active Directory Administrative Center cannot be installed on computers running Windows 2000, Windows Server 2003, or Windows Server 2008.

2. Active Directory Administrative Center cannot be installed on the Windows 7 operating system. However, this functionality will be available in future releases of Windows 7.

3. In this release of Windows Server 2008 R2, you cannot use Active Directory Administrative Center to manage Active Directory Lightweight Directory Services (AD LDS) instances and configuration sets.

One of the coolest features of Active Directory Administrative Center is that it gives administrators the ability to manage Active Directory objects across multiple domains within the same instance of Active Directory Administrative Center. When you open the Active Directory Administrative Center, the domain that you are currently logged on to (the local domain) appears in the Active Directory Administrative Center navigation pane. Depending on the rights of your current set of logon credentials, you can view or manage the Active Directory objects in this local domain. You can also use the same instance of the Active Directory Administrative Center and the same set of logon credentials to view or manage Active Directory objects from any other domain (whether or not it belongs to the same forest as the local domain) as long as it has an established trust with the local domain. (Both one-way trusts and two-way trusts are supported.)

You can also open the Active Directory Administrative Center using a set of logon credentials that is different from your current set of logon credentials. This can be useful if you are logged on to the computer that is running the Active Directory Administrative Center with normal user credentials, but you want to use Active Directory Administrative Center on this computer to manage your local domain as an administrator. This can also be useful if you want to use Active Directory Administrative Center to remotely manage a domain that is different from your local domain with a set of credentials that is different from your current set of logon credentials. However, this domain must have an established trust with the local domain.

For more information on Active Directory Administrative Center features, including details on the Overview page, the customizable navigation pane, the breadcrumb bar, the query building search and filtering mechanisms, etc., see What’s New in AD DS: Active Directory Administrative Center.

This posting is provided “AS IS” with no warranties, and confers no rights.

Comments (20)

  1. LA Richards says:

    I added the code from the blog post to dsac.exe.config with FIPS enabled in local policy and ADAC worked fine.  So, I think that's a good fix.  Am I in a position to ask for Microsoft to correct this?

  2. LA Richards says:

    I wish it had been this simple.  Making the change in the dsac.exe.config file allows the application to launch successfully but ADAC then informs you that it is unable to find any DC running ADWS.  🙁

    What does .Net 4 fix?

  3. Can you follow up with me offline? That will make it easier for me to get the right people involved.

    After we understand the issue more fully, we will capture all this in the docs for everyone else to be aware.

  4. Hi,

    Look for this improvement in Windows 8 versions of ADAC, where the Password Expiration Date will appear in the property page, in the More Information pane at the bottom.


    Justin [MSFT]

  5. Thanks for raising the problem, and trying out the workaround. Glad to hear it's working for you. I'm told this is fixed in .Net 4.


  6. Hello Lauri,

    There is no native way to print the results of a query in ADAC.  You can create a query, click Convert to LDAP and then copy that filter into a tool that exports the results in a format you like.


    This example illustrates a query performed with the parameter "and Name starts with admin and The object type is User".

    Windows PowerShell:

    Get-ADObject -LDAPFilter "(&(name=admin*)(&(objectCategory=person)(objectClass=user)(!(objectClass=inetOrgPerson))))" -properties * | format-list | out-file c:\query.txt

    You can then print the corresponding text file (query.txt).

  7. LA Richards says:


    Thank you for responding.  I understand the concept of changing what cipher suites a Windows system will use.  But, will ADAC use anything other than SSLv2?  Is changing the SSL version requirement in ADAC customizable?  And, is the fix recommended in the second blog post a supported customer change to ADAC?  If I even knew how to do that.  🙂  Because the way I read the blog post a developer would have to modify .NET code and tell it to "ignore" the FIPS requirement.

  8. Thanks for the feedback John. It will be shared with ADAC feature team. What specific kinds of reporting capabilities would you want to see?


  9. LA Richards says:

    Have you heard of administrators having problems with ADAC and the group policy setting that enforces the use of FIPS compliant algorithms?

  10. Anonymous says:

    What are new features in Active Directory 2008?

  11. Thank you for your question. We’re not in a position where we can share plans for future releases, but we’ll make sure the product team is aware of the interest in this capability.

  12. Anonymous says:

    Why does ADAC not display the Password Expiration Date property for User objects?

  13. Hi, I had never heard of this, but I found a couple threads that could be related: …/0f64d59d-283b-43a9-9581-c7c51606509e …/disabling-the-fips-algorithm-check.aspx

    I will post any additional info I can gather back here.

    Thanks for your question,

    Justin [MSFT]

  14. You cannot install Active Directory Administrative Center (ADAC) on down-level versions of the OS (operating systems before Windows Server 2008 R2); however, you can use it to manage them.  Installing Active Directory Web Service (ADWS) on down-level versions of the OS allows you to manage these versions with Windows PowerShell (using the Active Directory module) and ADAC.

    ADAC is available for install as part of the Windows 7 Remote Server Installation Tools (RSAT).

  15. Anonymous says:

    You mentioned that "Active Directory Administrative Center can be installed only on computers running the Windows Server 2008 R2 operating system. Active Directory Administrative Center cannot be installed on computers running Windows 2000, Windows Server 2003, or Windows Server 2008."

    What about the Active Directory Management Gateway Service (Active Directory Web Service for Windows Server 2003 and Windows Server 2008)?

  16. For information about specific features in Active Directory Domain Services (AD DS) in Windows Server 2008, see Active Directory Domain Services Role.

    For information about specific features in AD DS in Windows Server 2008 R2, see What’s New in Active Directory Domain Services.

  17. PK says:

    Are there plans to release a version of ADAC that can be used to manage LDS instances?

  18. Lauri says:

    ADAC has been a helpful tool.  However, after getting the results from a query, I'm unable to locate how to print the results.  Am I missing this somewhere?

  19. John Carver says:

    Active Directory Administrative Center represents a long-overdue enhancement to the archaic Active Directory Users and Computers Snap-in, and while it does have numerous enhancements, we were a bit disappointed to see a lack of certain basic Active Directory reporting capabilities. All in all, nice work though.