IMPORTANT ANNOUNCEMENT FOR OUR READERS!
AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!
We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!
Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.
If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.
NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!
As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!
Active Directory Administrative Center (ADAC) was first introduced in Windows Server 2008 R2 to manage directory service objects alongside Active Directory Users and Computers (ADUC). However, it did not win me over until I saw the enhancements made in Windows Server 2012. It is one of the reasons I no longer type dsa.msc to open ADUC; instead I type dsac on the Start screen to open ADAC and manage my users, computers and much more. Let me share four things I like about ADAC in Windows Server 2012.
1. PowerShell History Viewer
This is a new addition to ADAC in Windows Server 2012, and it certainly blew me away.
While ADAC provides a graphical interface for administrators to perform common tasks such as creating new users and groups, the PowerShell History Viewer in ADAC lets them review the exact Active Directory module cmdlets ADAC ran to carry out those tasks. Now, that is brilliant! Let's face it: those who are not well versed in PowerShell, or who do not use it every day and cannot remember the cmdlets, can use the viewer to learn PowerShell and build their own scripts from commands they know are correct. As a test, I created a new user called Tester via the graphical interface, and the equivalent PowerShell commands were displayed in the PowerShell History Viewer (screenshot below). I can copy them to the clipboard via the Copy button and reuse them in a script later. If I want to review every call ADAC has made, I can simply check Show All in the top right corner and it will display all the commands ADAC has recently executed, not just the ones for the task I am looking at.
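The History Viewer typically shows a user creation as several cmdlets in ADAC's own parameter style (for example New-ADUser -Name:"Tester" -Path:"..." -SamAccountName:"Tester" -Type:"user", followed by Set-ADAccountPassword and Enable-ADAccount). The following is an added example, not from the original post, of turning that sequence into a reusable function. The domain contoso.com and the OU named Staff are assumptions; the initial password is prompted for rather than embedded, because a plain-text password pasted from the viewer into a .ps1 ends up in source control and backups.

```powershell
# Added example: reuse the cmdlets ADAC's PowerShell History Viewer shows for
# "create a user" as a scripted function.
# Assumptions (not from the original post): domain contoso.com, target OU "Staff".
Import-Module ActiveDirectory

function New-StaffUser {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $Path = 'OU=Staff,DC=contoso,DC=com'   # assumed OU
    )

    # Prompt for the initial password instead of hardcoding it in the script.
    $initialPassword = Read-Host -AsSecureString "Initial password for $SamAccountName"

    # The same cmdlets ADAC issues behind the GUI, written in normal scripting style.
    # New-ADUser creates the account disabled; the password reset and Enable-ADAccount
    # bring it into service, and the user must change the password at first logon.
    New-ADUser -Name $Name -SamAccountName $SamAccountName -Path $Path `
        -UserPrincipalName "$SamAccountName@contoso.com" -PassThru |
      Set-ADAccountPassword -NewPassword $initialPassword -Reset -PassThru |
      Set-ADUser -ChangePasswordAtLogon $true -PassThru |
      Enable-ADAccount -PassThru
}

# Usage: create the "Tester" account from the post and confirm its state.
$user = New-StaffUser -Name 'Tester' -SamAccountName 'tester'
Get-ADUser -Identity $user -Properties Enabled, PasswordLastSet, PasswordExpired |
  Format-List Name, DistinguishedName, Enabled, PasswordLastSet, PasswordExpired
```

The pipeline works because New-ADUser, Set-ADAccountPassword, Set-ADUser and Enable-ADAccount all accept the account object on the pipeline as -Identity and all support -PassThru, so the script stays one readable chain rather than repeating the distinguished name the History Viewer pastes into every command.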
2. Active Directory Recycle Bin
ADAC in Windows Server 2012 now includes a UI for the Active Directory Recycle Bin. The AD Recycle Bin was introduced in Windows Server 2008 R2 to recover deleted objects with their attributes and group memberships intact, but it had no graphical interface of its own and was administered with PowerShell (Enable-ADOptionalFeature, Get-ADObject -IncludeDeletedObjects and Restore-ADObject) or ldp.exe. Windows Server 2012 makes this process much easier via the ADAC GUI. While this post is not intended to cover the AD Recycle Bin in detail, you can learn more about it here. It is important to note that the AD Recycle Bin is disabled by default. To enable it, your forest must be at the Windows Server 2008 R2 forest functional level or higher, and you need Enterprise Admins rights.
The screenshot below shows how to enable the Recycle Bin for the first time: select the domain node and choose Enable Recycle Bin under Tasks. Keep in mind that once enabled, it cannot be disabled.
After enabling it, refresh ADAC and you will see the Deleted Objects container. Deleted objects are kept there, and remain restorable, for the deleted object lifetime (msDS-DeletedObjectLifetime), which when not set explicitly equals the tombstone lifetime (180 days by default on forests created with Windows Server 2003 SP1 or later); after that they become recycled objects and can no longer be restored. To recover a deleted object, go to the Deleted Objects container, right-click the object and select Restore (or Restore To for a different location; if the parent OU was deleted as well, restore it first). This is a much smoother and less painful operation than in Windows Server 2008 R2, and it can now be administered easily via ADAC.
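For the same steps outside the GUI, here is an added example, not from the original post, that checks the forest functional level, enables the Recycle Bin only if it is not already on, reports how long deleted objects stay restorable, and restores a deleted user. The forest name contoso.com and the user name Tester are assumptions.

```powershell
# Added example: PowerShell equivalents of the ADAC Recycle Bin tasks above.
# Assumed forest/domain name: contoso.com. Requires Enterprise Admins to enable.
Import-Module ActiveDirectory

# 1. Prerequisite: forest functional level Windows Server 2008 R2 or higher.
$forest = Get-ADForest
$minimum = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt $minimum) {
    throw "Forest functional level is $($forest.ForestMode); Windows2008R2Forest or higher is required."
}

# 2. Is the feature already enabled? EnabledScopes stays empty until it is.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    # One-way operation: there is no cmdlet to disable it again.
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# 3. How long a deleted object stays restorable. With the Recycle Bin enabled the
#    governing value is msDS-DeletedObjectLifetime; when it is unset, the tombstone
#    lifetime applies instead (and an unset tombstoneLifetime means 60 days).
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties msDS-DeletedObjectLifetime, tombstoneLifetime |
  Select-Object msDS-DeletedObjectLifetime, tombstoneLifetime

# 4. Find a deleted user by its former name. Deleted objects are renamed to
#    "<name>\0ADEL:<guid>", so match on the prefix and filter on isDeleted.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "Tester*" -and ObjectClass -eq "user"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
$deleted | Select-Object Name, lastKnownParent, whenChanged

# Restore to the original location (lastKnownParent). If that OU was deleted too,
# restore the OU first or pass -TargetPath, exactly as the ADAC Restore To option does.
$deleted | Restore-ADObject
```

Running step 3 before you need a restore is the important check: a long msDS-DeletedObjectLifetime only helps if the value is actually set, and the Deleted Objects container in ADAC does not tell you how many days an object has left.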
3. Fine Grained Password Policy
ADAC in Windows Server 2012 makes fine-grained password policy management much easier and simpler thanks to the graphical user interface. The feature was first introduced in Windows Server 2008 to let administrators define different password and account lockout policies for different users in the same domain, instead of a single policy per domain. However, the Password Settings Objects (PSOs) had to be created with ADSI Edit or ldifde, which was hard to manage and not very visual. Using the Windows Server 2012 version of ADAC, administrators can create a separate password policy for user accounts with different password needs much more easily and quickly. First, ensure that your domain is at the Windows Server 2008 domain functional level or higher. Next, expand System, select the Password Settings Container and choose New > Password Settings. Complete the password settings dialog box as desired, then click Add under Directly Applies To and pick the users or global security groups the policy should cover (PSOs cannot be applied to OUs; if several PSOs cover the same user, the one with the lowest precedence value wins). And there you have it. You will really like this if you have ever set this up on Windows Server 2008 and felt the pain 🙂
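The dialog above maps one-to-one onto the fine-grained password policy cmdlets. Here is an added example, not from the original post, that creates a stricter PSO for privileged accounts, applies it to a group, and then checks which policy a given user actually ends up with. The group name Tier0-Admins and the user name tester are assumptions.

```powershell
# Added example: the PowerShell equivalent of the ADAC Password Settings dialog,
# plus the checks to run afterwards.
# Assumed names (not from the original post): group "Tier0-Admins", user "tester".
Import-Module ActiveDirectory

# Prerequisite: domain functional level Windows Server 2008 or higher.
$domain  = Get-ADDomain
$minimum = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt $minimum) {
    throw "Domain functional level $($domain.DomainMode) is too low for fine-grained password policies."
}

# A stricter policy for privileged accounts. Precedence: the lowest number wins
# when a user is covered by more than one PSO, so leave room below and above it.
$pso = New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0-Admins' -Precedence 10 `
    -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
    -ProtectedFromAccidentalDeletion $true -PassThru

# PSOs apply only to user objects and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'Tier0-Admins'

# Verify what applies to a given user: the resultant PSO, or nothing at all when
# no PSO covers the account and the Default Domain Policy settings are in effect.
$effective = Get-ADUserResultantPasswordPolicy -Identity 'tester'
if ($effective) {
    $effective | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
}
else {
    'No PSO applies to tester; Default Domain Policy settings are in effect.'
}

# The direct subjects of the policy (users and groups listed under Directly Applies To).
Get-ADFineGrainedPasswordPolicySubject -Identity $pso | Select-Object Name, ObjectClass
```

Get-ADUserResultantPasswordPolicy is the check worth remembering: it answers the question the GUI cannot, namely which PSO wins for a user who is a member of several groups with different policies.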
4. Global Search
I really like the Global Search feature in ADAC for finding objects in AD. It is not new to Windows Server 2012, having been introduced in Windows Server 2008 R2, but it is still one of my favorite features because it lets me search all my domains at once from the navigation nodes rather than being limited to Global Catalog lookups. If I had more domains in my lab, you would see all of them listed under the navigation nodes.
Another gem is the ability to build LDAP queries very easily. For example, if I want to find all users who have not logged on for more than a given number of days, I can use the built-in criteria (click Add Criteria) to get that information quickly, as shown below.
It gives you the option to select the number of days, as shown below.
You can also convert it to LDAP and build on that query should you wish. Bear in mind that this criterion is evaluated against the replicated lastLogonTimestamp attribute, which is only refreshed when the stored value is more than about 14 days out of date, so treat the result as accurate to roughly two weeks rather than to the day.
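The same inactive-user search expressed in PowerShell, as an added example that is not part of the original post. It shows the filter-based query, the raw LDAP form that the Convert to LDAP button produces an equivalent of, and the Search-ADAccount shortcut, and it handles the case the simple comparison misses: accounts that have never logged on have no lastLogonTimestamp at all. The 90-day threshold is an assumption.

```powershell
# Added example: "users who have not logged on for more than N days" in PowerShell,
# with the lastLogonTimestamp caveats spelled out. Threshold of 90 days is assumed.
Import-Module ActiveDirectory

$days   = 90
$cutoff = (Get-Date).AddDays(-$days)

# lastLogonTimestamp is the attribute that replicates between DCs, so it is the one
# to query domain-wide, but it is only rewritten when the stored value is more than
# msDS-LogonTimeSyncInterval (default 14 days) minus a random 0-5 days old.
# Any result is therefore accurate to about two weeks, not to the day.
$stale = Get-ADUser -Filter { Enabled -eq $true -and LastLogonTimestamp -lt $cutoff } `
    -Properties LastLogonTimestamp

# Accounts that have never logged on carry no lastLogonTimestamp and are NOT matched
# by the comparison above; list them separately, restricted to accounts older than the cutoff.
$neverLoggedOn = Get-ADUser -Filter { Enabled -eq $true -and LastLogonTimestamp -notlike "*" -and whenCreated -lt $cutoff } `
    -Properties whenCreated

$stale | Select-Object Name, SamAccountName,
    @{ n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.LastLogonTimestamp) } } |
  Sort-Object LastLogon
$neverLoggedOn | Select-Object Name, SamAccountName, whenCreated

# The same search as a raw LDAP filter. The timestamp must be a FILETIME integer;
# the bitwise match on userAccountControl bit 2 excludes disabled accounts.
$fileTime = $cutoff.ToFileTimeUtc()
$ldap = "(&(objectCategory=person)(objectClass=user)" +
        "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
        "(lastLogonTimestamp<=$fileTime))"
Get-ADUser -LDAPFilter $ldap -Properties LastLogonTimestamp | Measure-Object

# Search-ADAccount wraps the same logic and converts the timestamp for you (LastLogonDate).
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($days)) -UsersOnly |
  Where-Object { $_.Enabled } |
  Select-Object Name, LastLogonDate
```

Whichever form you use, do not disable accounts straight from this output on a tight threshold: with the default sync interval a user who logged on yesterday can legitimately show a lastLogonTimestamp almost two weeks old.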
While you cannot transfer FSMO roles via ADAC today, since Windows Server 2008 R2 this has been at your fingertips in PowerShell with the Move-ADDirectoryServerOperationMasterRole cmdlet of the Active Directory module. I have added a few examples below:
You can view the FSMO role owners with these AD PowerShell commands (the first two roles are forest-wide, the other three are per domain):
Get-ADForest | select SchemaMaster,DomainNamingMaster
Get-ADDomain | select PDCEmulator,RIDMaster,InfrastructureMaster
Transferring all roles (the current owner must be online; moving the Schema Master requires Schema Admins and the Domain Naming Master requires Enterprise Admins), command syntax:
Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator
Seizing all roles, command syntax (-Force first attempts a transfer and falls back to a seizure when the current owner cannot be reached; use it only when that owner is permanently gone, and never bring the former Schema Master, Domain Naming Master or RID Master back onto the network afterwards):
Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator -Force
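Because the transfer and seize commands differ only by -Force, it is easy to seize a role whose owner is merely rebooting. Here is an added example, not from the original post, that reads the current owners with the two commands above, transfers each role only when its owner still answers, warns instead of seizing otherwise, and verifies the result. The target DC name DC02 is an assumption.

```powershell
# Added example: transfer FSMO roles only from reachable owners, never silently seize,
# then verify. Assumed target DC name (not from the original post): DC02.
Import-Module ActiveDirectory

$target = 'DC02'
$forest = Get-ADForest
$domain = Get-ADDomain

# Current owners of all five roles, from the same two cmdlets used above.
$owners = @{
    SchemaMaster         = $forest.SchemaMaster        # needs Schema Admins to move
    DomainNamingMaster   = $forest.DomainNamingMaster  # needs Enterprise Admins to move
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

foreach ($role in $owners.Keys) {
    $owner = $owners[$role]
    if ($owner -like "$target*") { continue }   # already where we want it

    # A transfer needs the current owner to answer LDAP. Ask that DC directly about itself.
    $reachable = $null -ne (Get-ADDomainController -Identity $owner -Server $owner -ErrorAction SilentlyContinue)

    if ($reachable) {
        Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $role -Confirm:$false
        "Transferred $role from $owner to $target"
    }
    else {
        # Do not seize automatically: a seized owner that comes back online means two
        # DCs claiming the same role. Seizing is a deliberate, manual decision.
        Write-Warning "$owner (current $role) is unreachable. Seize with -Force only if it will never return."
    }
}

# Verify: the moved roles should now list $target.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
```

The verification step matters even after a clean transfer: Get-ADForest and Get-ADDomain are answered by whichever DC the cmdlet connected to, so run them once more after replication has had a moment to catch up, or pin them to the target with -Server.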
Well, these are some of the reasons why ADAC has become a one-stop shop for me when it comes to AD tasks. I now use ADAC for all my AD administrative needs, including raising the domain and forest functional levels, which is conveniently located under Tasks when the domain node is selected. I therefore invite you to start using "The Tool of the Future", as I like to call it 🙂