The Active Directory Administrative Center (ADAC) has become an important tool for Windows Server administrators. Its integration with Windows PowerShell provides a management interface that is both powerful and easy to use. This article shows how to use ADAC and Windows PowerShell to perform common Active Directory management tasks.
Unlike traditional consoles such as Active Directory Users and Computers, ADAC is a graphical interface that runs Windows PowerShell commands under the hood. ADAC was introduced in Windows Server 2008 R2, and its functionality was greatly expanded in Windows Server 2012.
To demonstrate ADAC functionality, a domain controller named DC-DNS1 in the lanztek.com domain will be used to complete the following assignments.
Assignment # 1: Raise the Domain Functional Level
On DC-DNS1, in Server Manager, click on Tools, and then click Active Directory Administrative Center.
- In the Active Directory Administrative Center console, right-click LanzTek (local) and select Raise the Domain Functional Level.
- In the Raise Domain Functional Level window, notice that the current domain functional level is Windows Server 2008 R2. In the Select an available domain functional level window, select Windows Server 2012 and click OK.
- Click OK three times.
To raise the domain functional level using Windows PowerShell, run the following command:
Set-ADDomainMode -Identity lanztek.com -DomainMode Windows2012Domain
To verify the new domain functional level from a PowerShell prompt, run Get-ADDomain and check the DomainMode property of the output.
Assignment #2: Raise the Forest Functional Level
In the Active Directory Administrative Center, right-click LanzTek (local) and select Raise the Forest Functional Level.
- In the Raise Forest Functional Level window, notice that the current forest functional level is Windows Server 2008 R2. In the Select an available forest functional level window, select Windows Server 2012 and click OK.
- Click OK three times.
To raise the forest functional level using Windows PowerShell, run the following command:
Set-ADForestMode -Identity lanztek.com -ForestMode Windows2012Forest -Confirm:$false
To verify the new forest functional level, run Get-ADForest and check the ForestMode property of the output.
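The two raise operations above, as an added PowerShell example (not code from the original article), with the pre-flight check a practitioner would want: every domain controller in the forest must already run an operating system that supports the target level, and the forest level cannot be raised above the lowest domain level. The script assumes the ActiveDirectory module, the lanztek.com forest used in the article, and a target level of Windows Server 2012; treat both raises as one-way changes and run with -WhatIf first if in doubt.

```powershell
# Added example: pre-flight checks, then raise domain and forest functional
# levels of lanztek.com (assumed forest root) and read the result back.
Import-Module ActiveDirectory

$domain = 'lanztek.com'

# 1. Record the current levels so the change is auditable.
$forest = Get-ADForest -Identity $domain
'Domain mode before: {0}' -f (Get-ADDomain -Identity $domain).DomainMode
'Forest mode before: {0}' -f $forest.ForestMode

# 2. Every DC in every domain of the forest must support the target level.
#    Windows Server 2012 reports OperatingSystemVersion "6.2 (9200)", so compare
#    the numeric part; an older DC (6.1 = 2008 R2) blocks the raise.
$minimum = [version]'6.2'
$oldDCs = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d | Where-Object {
        [version](($_.OperatingSystemVersion -split ' ')[0]) -lt $minimum
    }
}
if ($oldDCs) {
    $oldDCs | Select-Object Name, Domain, OperatingSystem | Format-Table -AutoSize
    throw 'Domain controllers below Windows Server 2012 found; upgrade or demote them first.'
}

# 3. Raise the domain level first, then the forest level. The forest level can
#    never exceed the lowest domain level in the forest, so the order matters.
Set-ADDomainMode -Identity $domain -DomainMode Windows2012Domain -Confirm:$false
Set-ADForestMode -Identity $domain -ForestMode Windows2012Forest -Confirm:$false

# 4. Verify. The change still has to replicate, so read from the PDC emulator,
#    where the domain change is written, rather than from an arbitrary DC.
$pdc = (Get-ADDomain -Identity $domain).PDCEmulator
'Domain mode after:  {0}' -f (Get-ADDomain -Identity $domain -Server $pdc).DomainMode
'Forest mode after:  {0}' -f (Get-ADForest -Identity $domain -Server $pdc).ForestMode
```

In a single-domain forest the loop in step 2 runs once; in a multi-domain forest it walks every domain, which is exactly where a forgotten 2008 R2 DC in a child domain usually hides.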
Assignment #3: Create and Manage Active Directory Objects
Let’s create a new Organizational Unit named DAC-Computers and move two computer accounts from the Computers container into the new DAC-Computers OU.
- In Active Directory Administrative Center, right-click LanzTek (local), click New, and then click Organizational Unit.
- In the Create Organizational Unit dialog box, in the Name field, type DAC-Computers, and then click OK.
- In Active Directory Administrative Center, click the Computers container. Right-click the FILESERVER1 computer and then click Move.
- In the Move window, click DAC-Computers, and then click OK.
- Repeat the two previous steps for the WIN8A computer.
- Click on the DAC-Computers organizational unit and verify that FILESERVER1 and WIN8A have been moved.
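The same assignment done from PowerShell, as an added example that is not part of the original article. It assumes the ActiveDirectory module and the lanztek.com domain, OU and computer names used above, and it is written so that it can be re-run safely after a partial move. One caveat worth knowing: New-ADOrganizationalUnit, like ADAC, protects the new OU from accidental deletion by default, and a protected object cannot be moved or deleted until that flag is cleared.

```powershell
# Added example: create the DAC-Computers OU and move two computer accounts
# out of the Computers container, then verify. Assumes lanztek.com.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain -Identity 'lanztek.com').DistinguishedName   # DC=lanztek,DC=com
$ouName    = 'DAC-Computers'
$ouDN      = "OU=$ouName,$domainDN"
$computers = 'FILESERVER1', 'WIN8A'

# Create the OU only if it does not exist yet. ProtectedFromAccidentalDeletion
# is $true by default for New-ADOrganizationalUnit; it is stated here so the
# intent is visible in the script.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# Move each computer. Get-ADComputer resolves the account wherever it currently
# lives, so an account that was already moved is simply skipped.
foreach ($name in $computers) {
    $c = Get-ADComputer -Identity $name -ErrorAction Stop
    if ($c.DistinguishedName -notlike "*,$ouDN") {
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $ouDN
    }
}

# Verify: list the computer accounts now directly under the new OU.
Get-ADComputer -Filter * -SearchBase $ouDN -SearchScope OneLevel |
    Select-Object Name, DistinguishedName
```

Computer accounts created in the Computers container are not protected from accidental deletion, so the moves succeed; an OU or group that was created in ADAC with the protection box ticked would first need Set-ADObject -ProtectedFromAccidentalDeletion $false.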
Assignment #4: Manage the Active Directory Recycle Bin
The Active Directory Recycle Bin was introduced in Windows Server 2008 R2 to let administrators recover deleted Active Directory objects. Because there was no graphical interface for it, Windows PowerShell and Ldp.exe were the tools used to enable and manage the AD Recycle Bin. With Windows Server 2012, Microsoft added a GUI option in Active Directory Administrative Center.
By default the AD Recycle Bin is disabled. To enable it, the forest functional level must be Windows Server 2008 R2 or higher.
After you enable the Active Directory Recycle Bin, all attributes of deleted Active Directory objects are preserved. Objects and their attribute values can be restored to the state they were in before the accidental deletion. This includes link-valued attributes such as the group memberships of user and computer accounts, and the object's security identifier and security descriptor (its discretionary access control list, DACL, and system access control list, SACL), so permissions granted to that object on other resources remain valid after the restore.
Enabling the Recycle Bin is a one-way operation: once enabled, it cannot be disabled again.
Let’s proceed to enable the Recycle Bin and then test its functionality by deleting and recovering an AD object.
In the Active Directory Administrative Center, right-click LanzTek (local) and then click Enable Recycle Bin.
Click OK on the Enable Recycle Bin Confirmation.
Click OK again to acknowledge the warning that the Active Directory Recycle Bin will not be fully functional until the new configuration has been replicated to all domain controllers in the forest.
In the Active Directory Administrative Center, click on the Lanztek (local) and verify that a new container named Deleted Objects has been created.
Enabling the Recycle Bin Using Windows PowerShell.
At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=lanztek,DC=com' -Scope ForestOrConfigurationSet -Target 'lanztek.com'
In the above command, the distinguished name (DN) of the Recycle Bin feature object is CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=lanztek,DC=com. The trailing DC=lanztek,DC=com components are the forest root domain of our Active Directory Domain Services (AD DS) environment; substitute your own forest root domain there.
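Because enabling the feature cannot be undone, a practitioner would check the prerequisites and the current state before running Enable-ADOptionalFeature. The following is an added example, not code from the original article; it assumes the ActiveDirectory module and the lanztek.com forest, and it reads the feature's own RequiredForestMode and IsDisableable properties instead of hard-coding them.

```powershell
# Added example: enable the AD Recycle Bin only after confirming the forest
# level and the feature's current state, then verify. Assumes lanztek.com.
Import-Module ActiveDirectory

$forest  = Get-ADForest -Identity 'lanztek.com'
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

# The feature object lives under CN=Optional Features in the Configuration
# partition and describes its own requirements.
'Feature DN:           {0}' -f $feature.DistinguishedName
'Required forest mode: {0}' -f $feature.RequiredForestMode   # Windows2008R2Forest
'Current forest mode:  {0}' -f $forest.ForestMode
'Can be disabled:      {0}' -f $feature.IsDisableable        # False: one-way change

# Already enabled? EnabledScopes lists the partitions the feature applies to.
if ($feature.EnabledScopes.Count -gt 0) {
    'Recycle Bin already enabled for: {0}' -f ($feature.EnabledScopes -join ', ')
    return
}

# Enable at forest scope. Once on, the forest functional level can no longer be
# lowered below Windows Server 2008 R2. Add -WhatIf to preview without changing.
Enable-ADOptionalFeature -Identity $feature.DistinguishedName `
    -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false

# Verify against the domain naming master (the FSMO that owns forest-wide
# configuration changes); other DCs show the change only after replication.
$dnm = $forest.DomainNamingMaster
(Get-ADOptionalFeature -Identity $feature.DistinguishedName -Server $dnm).EnabledScopes
```

If the forest level is below the required mode, Enable-ADOptionalFeature fails rather than partially enabling anything, so the check on RequiredForestMode is there to give a clear message, not to prevent damage.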
Restoring Objects Using the AD Administrative Center (ADAC) Recycle Bin
The Active Directory Recycle Bin keeps deleted objects restorable for the number of days set in the forest's msDS-DeletedObjectLifetime attribute. When that attribute is not set (the default), it takes the value of the tombstoneLifetime attribute, which is 180 days in forests created with Windows Server 2003 SP1 or later. After that period a deleted object becomes a recycled object and can no longer be restored, so if you need a longer recovery window you must raise msDS-DeletedObjectLifetime before the objects age out.
Let’s demonstrate the Recycle Bin functionality in our lab by “accidentally” deleting an AD object and then restoring the object.
In the Active Directory Administrative Center under LanzTek (local), click on the DAC-Computers organizational unit (OU). Right-click the WIN8A computer and select Delete.
Confirm that the WIN8A computer account is no longer in the DAC-Computers OU.
Under LanzTek (local), click Deleted Objects to verify that the WIN8A computer account is visible in this container. The Deleted Objects container shows all restorable objects in the LanzTek domain partition: user accounts, computer accounts, organizational units, and other AD objects.
To restore the deleted object, in the Deleted Objects container right-click WIN8A and select Restore.
Click on the DAC-Computers OU to confirm that the WIN8A computer account has been restored.
Using Windows PowerShell to restore deleted objects.
To verify that the deleted object is in the recycle bin, run the following command.
Get-ADObject -SearchBase 'CN=Deleted Objects,DC=lanztek,DC=com' `
    -LDAPFilter '(objectClass=*)' -IncludeDeletedObjects
The -IncludeDeletedObjects switch is required: without it the search does not return deleted objects.
- Examine the output of the previous command. You can use either the DistinguishedName or the ObjectGUID to identify the WIN8A account for Restore-ADObject; copying and pasting those values is the easiest approach.
- To restore the object using its ObjectGUID, enter the following at the PowerShell prompt:
Restore-ADObject -Identity 1fddfebc-11e0-4ba3-bd51-84b9e5257afd
The following pipeline also finds and restores the deleted object in one step:
Get-ADObject -Filter 'Name -like "*win8A*"' -IncludeDeletedObjects | Restore-ADObject
Note that this filter also matches any live object whose name contains win8A, and Restore-ADObject fails on a live object, so run the Get-ADObject half on its own first and confirm that only the deleted object is returned.
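The restore as a practitioner would script it, added here as an example that is not part of the original article. It assumes the ActiveDirectory module and the lanztek.com domain, filters on isDeleted so a live object with a similar name cannot slip into the pipeline, handles the case where the object's original parent OU has itself been deleted (the most common reason Restore-ADObject fails), and finally reads the deleted-object lifetime discussed above from the Directory Service object.

```powershell
# Added example: locate WIN8A in the Deleted Objects container, restore it to
# its last known parent (or elsewhere if that parent is gone), verify, and
# report how long deleted objects remain restorable. Assumes lanztek.com.
Import-Module ActiveDirectory

$domain   = Get-ADDomain -Identity 'lanztek.com'

# Deleted objects keep their CN prefix ("WIN8A\0ADEL:<guid>") and carry
# isDeleted=TRUE, so this filter cannot match the live account.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "WIN8A*"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged

foreach ($obj in $deleted) {
    $parent = $obj.lastKnownParent
    'Found {0} (deleted {1}), last parent {2}' -f $obj.Name, $obj.whenChanged, $parent

    # Restore-ADObject fails if the parent container no longer exists. Either
    # restore the parent first, or send the object somewhere else with -TargetPath.
    if (Get-ADObject -Filter "DistinguishedName -eq '$parent'") {
        Restore-ADObject -Identity $obj.ObjectGUID
    } else {
        Write-Warning "Parent $parent is gone; restoring $($obj.Name) into the Computers container."
        Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $domain.ComputersContainer
    }
}

# Verify the account is live again and see where it landed.
Get-ADComputer -Identity 'WIN8A' | Select-Object Name, DistinguishedName

# Recovery window: msDS-DeletedObjectLifetime, falling back to tombstoneLifetime
# when unset; if neither is set, the directory uses a built-in 60 days.
$configNC = (Get-ADRootDSE).configurationNamingContext
$ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime
$lifetime = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' }
            elseif ($ds.tombstoneLifetime)          { $ds.tombstoneLifetime }
            else                                    { 60 }
'Deleted objects remain restorable for {0} days' -f $lifetime
```

Restoring into the Computers container is a fallback, not a recommendation: once the original OU is restored, move the account back so that the group policies and delegations tied to that OU apply again.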
Assignment #5: Configure Fine Grained Password Policy
Before Windows Server 2008, Windows Server operating systems could not have more than one password policy per domain. This was a serious limitation, since many organizations want different password policies for different groups of users: front-line and clerical workers may not need the same strict requirements as CIOs and network administrators. Fine-grained password policies, implemented as Password Settings Objects (PSOs), were introduced in Windows Server 2008, but no graphical interface was available to create or manage them. With Windows Server 2012 and Windows Server 2012 R2 you can use Active Directory Administrative Center (ADAC) to configure multiple password policies and assign them to different groups or users in your network.
The domain functional level must be Windows Server 2008 or higher for fine-grained password policies to work. As our lanztek.com domain is already at the Windows Server 2012 functional level, let's use ADAC on the DC-DNS1 domain controller to create and assign a password settings object (PSO).
In the ADAC Navigation pane, click Tree View, click lanztek (local), click System, click Password Settings Container, and then in the Tasks pane, click New and Password Settings.
- In the Create Password Settings editor, give the fine-grained password policy a descriptive name, a precedence, and the settings you want to enforce with this policy. Click OK to save the PSO without applying it to any user or group (we will apply the PSO in a separate step for illustration purposes).
The precedence number decides which password policy wins when more than one PSO applies to a user: the lower the number, the higher the priority. A PSO applied to a user directly always takes precedence over PSOs applied to groups the user belongs to.
Executing the following Windows PowerShell cmdlet achieves the same result as the preceding procedure:
New-ADFineGrainedPasswordPolicy -Name 'Domain Admins PSO' -Precedence 1 -MinPasswordLength 15 -ComplexityEnabled $true -LockoutThreshold 5
Only -Name and -Precedence are mandatory; the other settings shown are examples and should match the values you chose in the editor.
In the ADAC Navigation pane, click Tree View, click lanztek (local), click System, click Password Settings Container, right-click Domain Admins PSO and select Properties.
- In the Domain Admins PSO editor, Under Directly Applies To, click Add, type Domain Admins, and then click OK. This associates the Password Settings object with the members of the Domain Admins group.
With Windows PowerShell, the following one-line cmdlet applies the PSO:
Add-ADFineGrainedPasswordPolicySubject -Identity 'Domain Admins PSO' -Subjects 'Domain Admins'
- To verify that the new PSO has been applied to the Domain Admins group, in the ADAC Navigation pane, click Tree View, click lanztek (local), click Users, right-click Domain Admins and select Properties.
- In the Domain Admins properties, under Directly Associated Password Settings confirm that the “Domain Admins PSO” has been applied with a precedence of 1.
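The whole assignment as one script, added here as an example that is not part of the original article. It assumes the ActiveDirectory module, the lanztek.com domain at Windows Server 2008 level or higher, and the PSO and group names used above; the password and lockout values are illustrative. The part worth copying is the last loop: a PSO can be linked correctly and still not be the one that governs a given administrator, so verify the resultant policy per user rather than trusting the link.

```powershell
# Added example: create "Domain Admins PSO", link it to Domain Admins, and
# confirm which policy actually applies to each member. Assumes lanztek.com.
Import-Module ActiveDirectory

$psoName = 'Domain Admins PSO'
$group   = 'Domain Admins'

# Precedence: lower wins among group-linked PSOs; a PSO linked to the user
# directly beats every group-linked PSO. Keep precedence values unique; ties
# are broken by the lower objectGUID, which is nothing you want to depend on.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 1 `
        -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 5 -LockoutObservationWindow '0.00:15:00' -LockoutDuration '0.00:30:00' `
        -ReversibleEncryptionEnabled $false
}

# Link the PSO. Subjects must be users or global security groups; a PSO cannot
# be linked to an OU, which is the usual mistake when coming from Group Policy.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Verify from the PSO side: what it is linked to.
(Get-ADFineGrainedPasswordPolicy -Identity $psoName -Properties AppliesTo).AppliesTo

# Verify from the user side: the resultant policy for each member of the group.
# Get-ADUserResultantPasswordPolicy returns $null when no PSO applies and the
# Default Domain Policy governs the account.
foreach ($m in Get-ADGroupMember -Identity $group | Where-Object objectClass -eq 'user') {
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $m.SamAccountName
    $name = if ($rsop) { $rsop.Name } else { 'Default Domain Policy' }
    '{0,-20} {1}' -f $m.SamAccountName, $name
}
```

Nested membership counts: a user who is in Domain Admins only through another global group still receives the PSO, but Get-ADGroupMember without -Recursive lists only direct members, so widen the loop if you need to audit the whole chain.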
Assignment #6: Using Windows PowerShell History Viewer
The Active Directory Administrative Center (ADAC) is a user interface tool built from the ground up to execute Windows PowerShell commands. As commands are executed in the GUI, the corresponding Windows PowerShell script is shown in Windows PowerShell History Viewer. This is a fantastic feature for system administrators to learn and increase productivity as they can copy these scripts and use them again to reduce tedious or repetitive tasks. The scripts can also be modified to fit specific situations in your environment. Let’s demonstrate how to use the Windows PowerShell History Viewer in ADAC.
If ADAC is not already open, type dsac at the PowerShell prompt to launch it.
- In ADAC, at the bottom of the window, notice the Windows PowerShell History panel. Click anywhere on the panel to see the script code that ADAC executes for the administrative tasks you perform in the GUI.
- If necessary, select Show All to display the Windows PowerShell commands.
- In the Windows PowerShell History panel, deselect Show All. Click Start Task and type Create an AD Group as the task name. Any name works, but choose one that describes the purpose of the task.
- In the ADAC Navigation pane, click Tree View, click lanztek (local), click Users, click New, and then click Group.
- In the Create Group dialog, enter the following and click OK:
  Group name: Temp Workers
  Group type: Security
  Group scope: Global
  Protect from accidental deletion: selected
  Managed by: Administrator
- The PowerShell History Viewer shows all the code executed to create the group. Click End Task to end the Create an AD Group task. Now you can highlight all the command lines related to this task, click Copy, and paste that code into your script editor to use it as a PowerShell script that performs the same action consistently.
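What an administrator would keep after copying that task out of the History Viewer, added here as an example that is not the article's own code. ADAC typically records the group creation as a New-ADGroup followed by a Set-ADObject that sets the accidental-deletion flag, each carrying a -Server parameter for DC-DNS1; this example folds those lines into a reusable function with the values from the dialog as defaults. It assumes the ActiveDirectory module and the lanztek.com domain.

```powershell
# Added example: reusable version of the "Create an AD Group" task recorded by
# the PowerShell History Viewer. Assumes lanztek.com; names are illustrative.
Import-Module ActiveDirectory

function New-LanzTekGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $Path = (Get-ADDomain -Identity 'lanztek.com').UsersContainer,
        [ValidateSet('Security', 'Distribution')]        [string] $Category = 'Security',
        [ValidateSet('DomainLocal', 'Global', 'Universal')] [string] $Scope    = 'Global',
        [string] $ManagedBy = 'Administrator',
        [bool]   $Protect   = $true
    )

    # Idempotent: the History Viewer script would fail on a second run because
    # the group already exists; this version reports and stops instead.
    if (Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path) {
        Write-Warning "$Name already exists under $Path"
        return
    }

    if ($PSCmdlet.ShouldProcess($Name, 'Create group')) {
        $g = New-ADGroup -Name $Name -SamAccountName $Name -Path $Path `
                 -GroupCategory $Category -GroupScope $Scope -ManagedBy $ManagedBy -PassThru

        # "Protect from accidental deletion" is not a New-ADGroup parameter; it is
        # applied afterwards with Set-ADObject, which adds a Deny Delete / Delete
        # Subtree entry for Everyone to the object's DACL.
        Set-ADObject -Identity $g.DistinguishedName -ProtectedFromAccidentalDeletion $Protect

        # Return the group with the two attributes the dialog set, for verification.
        Get-ADGroup -Identity $g.DistinguishedName -Properties ManagedBy, ProtectedFromAccidentalDeletion
    }
}

# Usage: recreate the group from the assignment; add -WhatIf to preview.
New-LanzTekGroup -Name 'Temp Workers'
```

Because the function supports ShouldProcess, a scripted bulk run (for example, piping a list of names into it) can be rehearsed with -WhatIf before anything is written to the directory.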
Active Directory Administrative Center (ADAC) is a powerful Graphical User Interface (GUI) that runs on top of the Windows PowerShell engine. This article demonstrates how to use ADAC to raise domain and forest functional levels, create and manage AD objects, run the Active Directory Recycle Bin, configure Fine Grained Password Policies, and use the Windows PowerShell History Viewer to generate PowerShell scripts.
The next article will show detailed demonstrations of Dynamic Access Control (DAC) configuration using the Active Directory Administrative Center. This game-changing functionality was introduced in Windows Server 2012. DAC enhances the authentication and authorization processes, providing new options for configuring file server access, file classification, audit policies and risk management.