Learn New Features in Active Directory Administrative Center


Written By
Jabez Gan
Jun 10, 2010

With so many enhancements to Active Directory and the identity management tools, Microsoft has made good progress in ensuring that its product is reliable and productive. A good write-up on the Active Directory enhancements can be found at Enterprise IT Planet.

So how will the enhancements save our time? With so many changes to Active Directory, let me zoom in on the latest Active Directory console, Active Directory Administrative Center, and show you some scenarios that are common within an organization, and how this tool can align itself with the organization's operational processes. I'll also introduce you to some other cool enhancements of AD that every system administrator will need to know.

Active Directory Administrative Center

As Active Directory has evolved over time, Microsoft has improved its focus on end users and how they interact with the system. This manifests in the form of a task-based management console known as Active Directory Administrative Center.

Scenario 1: User Has Lost Their Password, or User’s Account Has Been Locked Out

Receiving calls about user account issues, including account lockouts and forgotten passwords, is one of the most common tasks that help desk personnel resolve on a daily basis. Most companies have password expiration enabled, which requires users to change their passwords every 45 days. Users also tend to forget their passwords if their password expires and they change it on a Friday before the weekend.

To reset a password without needing to search and locate the user from the organizational unit (OU) hierarchy, a password reset tile is available as part of Overview, which is the default view when Active Directory Administrative Center is launched.

Scenario 2: Managing Departmental User and Computer Accounts

In a decentralized environment it is common to delegate the management of departmental accounts to departmental managers or dedicated IT personnel. If user turnover is high, creating and disabling user or computer accounts needs to take the minimum time possible.

Active Directory Administrative Center allows you to customize the navigation pane, allowing the user to add or remove navigation nodes. Navigation nodes allow you to point to system containers or organizational units in local and foreign domains.

Scenario 3: Managing Departmental User and Computer Accounts Minus Advanced Features

Consider a situation similar to the previous scenario, but with user and computer accounts being managed by non-IT staff. It is possible to hide the account options (sections, to be exact) that are not needed, to reduce confusion.

In the figure below, the properties dialog of the user account "Michelle" is open. There is a huge number of options available for user accounts, and it is confusing for non-IT staff. For most departmental managers, we could safely hide away the Organization, Member Of, Profile and Extension sections:

Figure: Simplifying the Active Directory interface

Active Directory Recycle Bin

Unfortunately, there’s no proper GUI for this feature.

Scenario 4: Departmental Managers Accidentally Deleted a User Account Object. How Do You Recover the Deleted Object in the Shortest Amount of Time?

Delegating control over Active Directory also introduces the possibility of people messing up Active Directory. If a delegated user (e.g., a departmental manager) accidentally deletes a user, it is possible to recover the user object, but this traditionally requires a System State backup.

As long as the forest functional level is set to Windows Server 2008 R2, it is possible to recover deleted Active Directory objects without going through any backup files. By default, this object recovery functionality is disabled.

To enable Active Directory Recycle Bin, fire up the Active Directory Module for Windows PowerShell with elevated privileges, and run the following:

Enable-ADOptionalFeature -Identity <ADOptionalFeature> -Scope <ADOptionalFeatureScope> -Target <ADEntity>

For example,

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=omazzaff,DC=com' -Scope ForestOrConfigurationSet -Target 'omazzaff.com'

Once you have Active Directory Recycle Bin enabled, if a user accidentally deletes an Active Directory object, use the Get-ADObject and Restore-ADObject cmdlets:

Get-ADObject -Filter {String} -IncludeDeletedObjects | Restore-ADObject

For example, to restore a user named “Juliana Chew”:

Get-ADObject -Filter {displayName -eq "Juliana Chew"} -IncludeDeletedObjects | Restore-ADObject
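The following is an added example, not code from the article, that wraps the recovery procedure above into a repeatable script: it verifies the forest functional level, enables the Recycle Bin only if it is not already on, and restores a deleted user by sAMAccountName while handling the case where the user's OU was deleted as well. It assumes the RSAT ActiveDirectory module, Enterprise Admin rights, and the article's omazzaff.com forest.

```powershell
# Added example (not the article's code). Requires the ActiveDirectory module
# and Enterprise Admin rights; enabling the Recycle Bin is irreversible.
Import-Module ActiveDirectory

$forest = Get-ADForest
# Recycle Bin needs forest functional level Windows Server 2008 R2 or higher.
$minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minMode) {
    throw "Forest functional level $($forest.ForestMode) is too low for the Recycle Bin."
}

# Only enable the feature if no scope has it yet (EnabledScopes is empty when off).
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

function Restore-DeletedADUser {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Filter on isDeleted so a live account with the same name is not matched, and on
    # sAMAccountName (unique per domain) rather than displayName, which may be shared.
    $deleted = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent, isDeleted `
        -Filter "isDeleted -eq `$true -and objectClass -eq 'user' -and sAMAccountName -eq '$SamAccountName'"
    if (-not $deleted) { throw "No deleted user '$SamAccountName' in the Recycle Bin (deleted-object lifetime is 180 days by default)." }
    if (@($deleted).Count -gt 1) { throw "$(@($deleted).Count) tombstones match; restore by ObjectGUID instead." }

    # If the OU that held the user is itself in the Recycle Bin, Restore-ADObject fails
    # until the parent is restored first (alternatively pass -TargetPath to a live OU).
    $parent = Get-ADObject -Identity $deleted.lastKnownParent -IncludeDeletedObjects `
        -Properties isDeleted -ErrorAction SilentlyContinue
    if ($parent -and $parent.isDeleted) {
        Restore-ADObject -Identity $parent.ObjectGUID
    }

    Restore-ADObject -Identity $deleted.ObjectGUID
    # ObjectGUID survives deletion and restore, so this confirms the account is live again.
    Get-ADUser -Identity $deleted.ObjectGUID -Properties Enabled, DistinguishedName
}

# Example call for the user restored in the article (constructed account name).
Restore-DeletedADUser -SamAccountName 'jchew'
```

A restored object keeps its SID and group memberships, so verify the account's Enabled state and OU before the user logs back in.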

Offline Domain Joining

Scenario 5: As Part of Your Rapid Deployment Plan, You Need to Deploy New Desktops and Join Them to Active Directory Automatically.

In some environments, setting up network connectivity may take more time, so deployment engineers cannot join a workstation to the domain at deployment time. With Offline Domain Joining, even though there is no network connectivity from the workstation to Active Directory during deployment, the workstation will automatically join itself to Active Directory when it boots up.

Offline Domain Joining is an easy two-step process:

  1. On any domain joined machine, use the command djoin.exe /provision to create the computer account metadata for the to-be-joined (destination) computer:
    djoin /provision /domain <domain to be joined> /machine <name of the destination computer> /savefile <filename.txt>
  2. On the to-be-joined (destination) computer, use the command djoin.exe /requestODJ to insert the computer metadata into the Windows directory of the computer:
    djoin /requestODJ /loadfile <filename.txt> /windowspath <path to Windows directory of the offline image>
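The two-step procedure above, as an added example that is not part of the article: it provisions blobs for a batch of desktops on a domain-joined admin workstation and injects one into an offline image. The machine list, the Desktops OU and the D:\Mount image path are constructed placeholders; the domain is the article's omazzaff.com.

```powershell
# Added example (not the article's code). Step 1 runs on a domain-joined machine with
# rights to create computer objects in the target OU; step 2 runs where the image is mounted.
$Domain   = 'omazzaff.com'
$TargetOU = 'OU=Desktops,DC=omazzaff,DC=com'          # hypothetical OU
$BlobDir  = Join-Path $env:TEMP 'odj-blobs'
$Machines = @('DESK-0101', 'DESK-0102', 'DESK-0103')  # constructed sample list

New-Item -ItemType Directory -Path $BlobDir -Force | Out-Null

foreach ($name in $Machines) {
    $blob = Join-Path $BlobDir "$name.txt"
    # /machineou places the account where delegated staff can manage it (Scenario 2);
    # /reuse overwrites a stale account of the same name when a machine is reimaged.
    & djoin.exe /provision /domain $Domain /machine $name /machineou $TargetOU /savefile $blob /reuse
    if ($LASTEXITCODE -ne 0) {
        Write-Error "djoin /provision failed for $name (exit $LASTEXITCODE)"
        continue
    }
    # The blob carries the new computer account's password, so treat it like a credential:
    # drop inherited ACEs and grant access only to the provisioning admin.
    $acl = Get-Acl -Path $blob
    $acl.SetAccessRuleProtection($true, $false)
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
    Set-Acl -Path $blob -AclObject $acl
}

# Step 2: inject a blob into an offline Windows image mounted at the given path.
# The desktop completes the join at first boot; no path to a DC is needed now.
function Install-OdjBlob {
    param(
        [Parameter(Mandatory)][string]$BlobPath,
        [string]$OfflineWindowsPath = 'D:\Mount\Windows'   # hypothetical mount point
    )
    & djoin.exe /requestODJ /loadfile $BlobPath /windowspath $OfflineWindowsPath
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed (exit $LASTEXITCODE)" }
    # Remove the blob once consumed so the account password is not left on media.
    Remove-Item -Path $BlobPath -Force
}

Install-OdjBlob -BlobPath (Join-Path $BlobDir 'DESK-0101.txt')
```

Each blob is single-use per computer account; if the join fails at first boot, re-run /provision with /reuse rather than reusing the old file.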
