Learn New Features in Active Directory Administrative Center

With Windows Server 2008 R2, Microsoft has shifted the focus of Active Directory management to end users and non-IT personnel who need to manage personnel without a lot of confusing clutter.

By Jabez Gan | Posted Jun 10, 2010

With so many enhancements to Active Directory and its identity management tools, Microsoft has made good progress in making the product reliable and productive. A good write-up of the Active Directory enhancements can be found at Enterprise IT Planet.

So how will these enhancements save us time? With so many changes to Active Directory, let me zoom in on the latest console, Active Directory Administrative Center, walk through some scenarios that are common in any organization, and show how the tool fits the organization's operational processes. I'll also introduce some other enhancements to AD that every system administrator needs to know about.

Active Directory Administrative Center

As Active Directory has evolved, Microsoft has paid more attention to end users and how they interact with the system. This shows in the form of a task-based management console known as Active Directory Administrative Center.

Scenario 1: User Has Lost Their Password, or User's Account Has Been Locked Out

Calls about user accounts, typically lockouts or forgotten passwords, are among the most common tickets a help desk resolves every day. Many organizations enforce password expiration, requiring users to change their password every 45 days or so, and users who change a password on a Friday afternoon frequently cannot remember it on Monday morning.

To reset a password without first locating the user in the organizational unit (OU) hierarchy, a password reset tile is available on the Overview page, the default view when Active Directory Administrative Center is launched. Resetting a password on a user's behalf is a sensitive operation: verify the caller's identity before doing it, and require a password change at next logon so that the temporary password known to the help desk is single-use.
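The same reset done from the Active Directory Module for Windows PowerShell, as an added example that is not part of the original article. It assumes the module shipped with Windows Server 2008 R2 (or RSAT) and an account that holds the "Reset password" and unlock rights on the user; the function name and the sample account are assumptions. It shows the account state before changing anything, prompts for the new password instead of taking it on the command line, unlocks only if the account is actually locked, forces a change at next logon, and finally lists every locked-out account so that a burst of lockouts caused by a stale credential somewhere (a mapped drive, a scheduled task, a phone) is visible instead of being handled one call at a time.

```powershell
# Added example, not code from the original article.
# Requires the Active Directory Module for Windows PowerShell (Windows Server 2008 R2 / RSAT).
Import-Module ActiveDirectory

function Reset-HelpDeskPassword {
    # Function name and parameter are assumptions made for this example.
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties LockedOut, PasswordExpired, PasswordLastSet, LastBadPasswordAttempt

    # Show the state before touching anything, so the help desk can tell a lockout
    # from an expired password (or both) and record it in the ticket.
    $user | Select-Object SamAccountName, Enabled, LockedOut, PasswordExpired,
        PasswordLastSet, LastBadPasswordAttempt | Format-List

    # Prompt for the password rather than passing it as an argument, where it
    # would end up in the console history and in any transcript.
    $newPassword = Read-Host -AsSecureString -Prompt "Temporary password for $SamAccountName"

    # -Reset sets the password without knowing the old one; it needs the
    # "Reset password" right on the user object, which is what is normally
    # delegated to the help desk.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPassword

    if ($user.LockedOut) {
        Unlock-ADAccount -Identity $SamAccountName
    }

    # The temporary password is known to the help desk: make it single-use.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
}

# Sample usage (account name is an assumption):
Reset-HelpDeskPassword -SamAccountName 'jchew'

# A lockout is often not the user's fault: an old credential cached somewhere keeps
# retrying. List all currently locked-out accounts so a pattern stands out.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut, LastLogonDate
```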

Scenario 2: Managing Departmental User and Computer Accounts

In a decentralized environment it is common to delegate account management to departmental managers or to IT staff dedicated to a department. When turnover is high, creating and disabling user or computer accounts must take as little time as possible.

Active Directory Administrative Center lets you customize the navigation pane by adding or removing navigation nodes. A navigation node can point to a system container or organizational unit in the local domain or in a foreign domain, so a departmental administrator sees only the containers that concern them.

Scenario 3: Managing Departmental User and Computer Accounts Without Advanced Features

Consider a situation like the previous scenario, but with the user and computer accounts managed by non-IT staff. The account options (more precisely, sections of the properties page) that they do not need can be hidden to reduce confusion. Hiding a section is purely a display setting, however: it does not remove any permission, so what a manager is actually allowed to change is still decided by the access control list on the OU (the delegation of control), not by what the console shows.

In the figure below, the properties dialog of the user account "Michelle" is open. A user account has a large number of options, which is confusing for non-IT staff. For most departmental managers we can safely hide the Organization, Member Of, Profile and Extensions sections:

Simplifying the Active Directory interface
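To check what a manager can actually do once the unneeded sections are hidden, the following added example (not from the original article) reads the access control entries granted to a delegated group on an OU and resolves the attribute, class and extended-right GUIDs in those entries to readable names. The OU, the group name and the domain omazzaff.com are assumptions. It lists ACEs on that OU (explicit and inherited), not effective permissions: rights the manager gets through membership in other groups need a separate check.

```powershell
# Added example, not code from the original article.
Import-Module ActiveDirectory

# Assumed names: the OU the department manages and the group it was delegated to.
$ou        = 'OU=Sales,DC=omazzaff,DC=com'
$delegatee = 'OMAZZAFF\Sales Managers'

# AD ACEs refer to attributes, object classes and extended rights by GUID. Build a
# GUID -> name map from the schema and from the Extended-Rights container so the
# output says "pwdLastSet" or "Reset Password" instead of a GUID.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid([guid]$Guid, [string]$Default) {
    # An empty GUID means the ACE is not restricted to one attribute/class.
    if ($Guid -eq [guid]::Empty) { return $Default }
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()
}

# The AD: drive is provided by the ActiveDirectory module.
$acl = Get-Acl -Path "AD:\$ou"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $delegatee } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Type      = $_.AccessControlType
            Rights    = $_.ActiveDirectoryRights
            Property  = Resolve-AceGuid $_.ObjectType 'All'
            AppliesTo = Resolve-AceGuid $_.InheritedObjectType 'This object and all descendants'
            Inherited = $_.IsInherited
        }
    } |
    Format-Table Type, Rights, Property, AppliesTo, Inherited -AutoSize
```

If the output shows GenericAll or WriteDacl on user objects, the manager can do everything the hidden sections would have offered (and more) from any other tool, regardless of what Active Directory Administrative Center displays.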

Active Directory Recycle Bin

Unfortunately, there is no GUI for this feature in Windows Server 2008 R2; it is enabled and used from the Active Directory Module for Windows PowerShell.

Scenario 4: Departmental Managers Accidentally Deleted a User Account Object. How Do You Recover the Deleted Object in the Shortest Amount of Time?

Delegating control over Active Directory also creates opportunities for people to break things. If a delegated user (for example, a departmental manager) accidentally deletes a user, the object can be recovered, but before Windows Server 2008 R2 that required an authoritative restore from a System State backup.

As long as the forest functional level is Windows Server 2008 R2, a deleted Active Directory object can be recovered with all of its attributes without touching any backup. The feature is disabled by default, and enabling it is a one-way operation: once the Recycle Bin is on, it cannot be turned off again.

To enable the Active Directory Recycle Bin, open the Active Directory Module for Windows PowerShell with elevated privileges, as a member of Enterprise Admins, and run:

Enable-ADOptionalFeature -Identity <ADOptionalFeature> -Scope <ADOptionalFeatureScope> -Target <ADEntity>

For example,

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=omazzaff,DC=com' -Scope ForestOrConfigurationSet -Target 'omazzaff.com'

Once the Recycle Bin is enabled and a user deletes an object by accident, recover it with the Get-ADObject and Restore-ADObject cmdlets. Objects stay restorable only for the deleted object lifetime (by default the same as the tombstone lifetime, 180 days in a forest created with Windows Server 2003 SP1 or later); after that they are recycled and can no longer be restored:

Get-ADObject -Filter {String} -IncludeDeletedObjects | Restore-ADObject

For example, to restore a user named "Juliana Chew" (filtering on isDeleted as well, so that a live object with the same display name is not piped to Restore-ADObject, which would fail on it):

Get-ADObject -Filter {displayName -eq "Juliana Chew" -and isDeleted -eq $true} -IncludeDeletedObjects | Restore-ADObject
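A fuller restore workflow, as an added example that is not part of the original article: it checks that the forest functional level and the Recycle Bin permit a restore at all, reports how long the object remains restorable, restores into the original OU if that OU still exists and into a holding OU otherwise, and then shows the state of the recovered account. The domain omazzaff.com, the holding OU and the user name are assumptions. A restored object comes back exactly as it was, group memberships and password included, so if a manager deleted an account deliberately, restoring it re-grants every access it had; check the result before handing it back.

```powershell
# Added example, not code from the original article.
Import-Module ActiveDirectory

# 1. Preconditions. Restore-ADObject only brings back a complete object if the
#    Recycle Bin was already enabled when the deletion happened.
$forest = Get-ADForest
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
    throw "Forest functional level is $($forest.ForestMode); Windows Server 2008 R2 is required."
}
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    throw 'Recycle Bin is not enabled; recover from a System State backup instead.'
}

# 2. How long deleted objects keep their attributes: msDS-DeletedObjectLifetime,
#    falling back to tombstoneLifetime when it is not set (60 days is the legacy
#    default when neither is set).
$dsConfig = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" `
    -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime
$lifetime = $dsConfig.'msDS-DeletedObjectLifetime'
if (-not $lifetime) { $lifetime = $dsConfig.tombstoneLifetime }
if (-not $lifetime) { $lifetime = 60 }

# 3. Find the deleted user. Filtering on isDeleted keeps a live object with the
#    same display name out of the pipeline.
$name = 'Juliana Chew'   # assumption
$deleted = Get-ADObject -Filter { displayName -eq $name -and isDeleted -eq $true } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged

if (-not $deleted) { throw "No deleted object named '$name' found." }
if (@($deleted).Count -gt 1) { throw "More than one deleted object matches '$name'; pick one by ObjectGUID." }

# whenChanged of a deleted object is (approximately) the time of deletion.
$daysLeft = $lifetime - ((Get-Date) - $deleted.whenChanged).Days
Write-Host "Found $($deleted.Name), deleted on $($deleted.whenChanged); restorable for about $daysLeft more day(s)."

# 4. Restore into the former parent if it still exists. If the OU was deleted as
#    well, restore the OU first with the same cmdlets, or restore the user
#    elsewhere with -TargetPath.
$parentExists = $false
try { $null = Get-ADObject -Identity $deleted.lastKnownParent; $parentExists = $true } catch { }

if ($parentExists) {
    Restore-ADObject -Identity $deleted.ObjectGUID
} else {
    Write-Warning "Former parent $($deleted.lastKnownParent) no longer exists; restoring to the holding OU."
    Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath 'OU=Recovered,DC=omazzaff,DC=com'   # assumed OU
}

# 5. Verify. The account returns in the state it was deleted in: same password,
#    same groups. Decide whether it should stay disabled until someone confirms
#    the deletion really was a mistake.
Get-ADUser -Identity $deleted.ObjectGUID -Properties MemberOf |
    Select-Object Name, DistinguishedName, Enabled, MemberOf
```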

Offline Domain Joining

Scenario 5: As Part of Your Rapid Deployment Plan, You Need to Deploy New Desktops and Join Them to Active Directory Automatically.

In some environments network connectivity takes time to set up, so deployment engineers cannot join a workstation to the domain as part of the build. With Offline Domain Join the computer account is created in Active Directory and its secret is injected into the Windows installation without any connectivity between the workstation and a domain controller. When the workstation boots it is already a domain member, and it authenticates with the provisioned account the first time it can reach a domain controller; no further join step is needed.

Offline Domain Join is a two-step process:

  1. On any domain-joined computer, run djoin.exe /provision as an account that is allowed to create computer objects in the target domain (or OU). This creates the computer account and writes its metadata, including the account's password, to a file for the destination computer:
    djoin /provision /domain <domain to be joined> /machine <name of the destination computer> /savefile <filename.txt>
  2. On the destination computer (or against its mounted offline image), run djoin.exe /requestODJ to inject that metadata into the Windows directory of the installation:
    djoin /requestODJ /loadfile <filename.txt> /windowspath <path to Windows directory of the offline image>

The provisioning file is a credential: it contains everything the workstation needs to authenticate as that computer account, so keep it off shared locations, hand it to the deployment engineer over a protected channel, and delete it once it has been applied.
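Both steps in one script, as an added example that is not part of the original article (the script name, domain, computer name, OU and paths are assumptions). Run it with -Mode Provision on a domain-joined machine and with -Mode Apply on the destination computer, or on a technician's machine with -WindowsPath pointing at a mounted offline image. Beyond the two commands in the text it places the account in a departmental OU instead of CN=Computers, locks down the provisioning file to the user who created it, and deletes the file after it has been applied.

```powershell
# Added example, not code from the original article. Save as e.g. Invoke-OfflineJoin.ps1 (assumed name).
param(
    [Parameter(Mandatory = $true)][ValidateSet('Provision', 'Apply')][string]$Mode,
    [string]$Domain      = 'omazzaff.com',                                 # assumption
    [string]$Computer    = 'SALES-PC-042',                                 # assumption
    [string]$MachineOU   = 'OU=Sales Workstations,DC=omazzaff,DC=com',     # assumption
    [string]$BlobPath    = 'C:\Temp\SALES-PC-042.odj',                     # assumption
    [string]$WindowsPath = $env:SystemRoot   # use e.g. D:\Mount\Windows for an offline image
)

switch ($Mode) {
    'Provision' {
        # Runs on a domain-joined machine, as an account that may create computer
        # objects in $MachineOU.
        #   /machineou  put the account in the departmental OU instead of CN=Computers
        #   /reuse      allow re-provisioning an existing account (rebuilds); its password is reset
        # Do not add /defpwd: it gives the account the predictable default password.
        $dir = Split-Path -Parent $BlobPath
        if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

        & djoin.exe /provision /domain $Domain /machine $Computer /machineou $MachineOU /reuse /savefile $BlobPath
        if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed (exit code $LASTEXITCODE)" }

        # The blob carries the computer account's password. Strip inherited ACLs and
        # leave only the provisioning user with access to the file.
        & icacls.exe $BlobPath /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(F)" | Out-Null
        Write-Host "Provisioned $Computer in $MachineOU; blob written to $BlobPath"
    }
    'Apply' {
        # Runs as an administrator on the destination computer (not yet joined), or
        # against a mounted offline image when -WindowsPath points into that image.
        if (-not (Test-Path $BlobPath)) { throw "Blob $BlobPath not found" }

        $djoinArgs = @('/requestODJ', '/loadfile', $BlobPath, '/windowspath', $WindowsPath)
        if ($WindowsPath -eq $env:SystemRoot) {
            $djoinArgs += '/localos'   # target the running OS rather than an offline image
        }

        & djoin.exe @djoinArgs
        if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed (exit code $LASTEXITCODE)" }

        # The secret now lives in the machine's local security authority; the file
        # has no further use and should not linger on disk.
        Remove-Item -Path $BlobPath -Force
        Write-Host "Offline join applied to $WindowsPath. Reboot the destination computer to complete the join."
    }
}
```

For an offline image, mount the WIM with DISM first and pass its Windows directory as -WindowsPath; for the running OS the default is correct and the script adds /localos for you.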
