Which of the following is a key benefit to using ADAC or the Active Directory Users and Computers console?

Active Directory Administrative Center (ADAC) is a tool by Microsoft that is used for managing objects in Active Directory. Microsoft offers ADAC in Windows Server 2008 R2 and higher to help administrators perform usual Active Directory tasks with greater efficiency.

ADAC is designed as a graphical interface on top of Windows PowerShell. This means that every time an action is carried out through ADAC, Windows PowerShell cmdlets are executed in the background.

How is ADAC Different from Active Directory Users and Computers (ADUC)?

ADAC is superior to ADUC in many ways.

• ADAC is more task-oriented than ADUC as it helps admins manage Active Directory tasks in fewer and simpler steps.
• ADAC supports enhanced management features that simplify the handling of multiple domains across the forest for administrators. For instance, ADUC does not have the option to configure all user attributes when creating a new account, but ADAC does support this feature, which makes it incredibly convenient for admins to create users and add all their properties in one go.
• Options like password reset and object search are available on the landing page in Active Directory Administrative Center. If you want to reset a password using ADUC, you will have to locate the object, right-click it, select the password reset option, and then type in the new password. In ADAC, you can perform all these functions in a single action from the landing page.

How to Install Active Directory Administrative Center (ADAC)?

In Windows Server 2019, Active Directory management tools are available as optional features and can be installed using the Server Manager. To install the Active Directory management tools on Windows Server 2019, follow these instructions:

1. Launch Server Manager.
   
   
   
   Press the “Windows” + “R” keys to launch the Run dialog box. Type “servermanager” in the Open box and click OK to launch the Server Manager.
2. Go to Add Roles and Features.
   
   On the Server Manager dashboard, under the Quick Start panel, click Add Roles and Features.
3. Select the installation type.
   
   On the Add Roles and Features wizard, go to the Installation Type panel on the left and select “Role-based or feature-based installation”. Then click Next.
4. Select the destination server.
   
   In the Add Roles and Features wizard, under the Server Selection panel on the left, choose the “Select a server from the server pool” option. Then select the server on which you want to install the Active Directory management tools and click Next.
5. Select the server roles.
   
   In the same wizard, under the Server Roles panel on the left, leave the settings to defaults and click Next.
6. Select the required features.
   
   Under the Features panel, expand “Remote Server Administration Tools”, then expand “Role Administration Tools”, and select the “AD DS and AD LDS Tools” check box. Click Next. In case you are prompted to install any supporting roles, accept the defaults and continue with the installation.
7. Confirm the installation selections.
   
   Under the Confirmation panel, click Install to start the installation of the Active Directory management tools.
8. Check the installation progress.The installation progress can be seen under the Results panel on the left. You do not need to restart the server after the installation is complete.
9. View the installed tools after completion of installation.
   
   After successful installation, you can see the Active Directory management tools under the Tools menu in Server Manager.

What New Features are Introduced in Active Directory Administrative Center (ADAC)?

ADAC introduced three new management features, which are:

• Active Directory Recycle Bin
• Fine-Grained Password Policy
• Windows PowerShell History Viewer

Active Directory Recycle Bin

In Windows Server 2003, you could recover Active Directory deleted objects through tombstone reanimation. However, the attributes associated with the reanimated objects, like group memberships, could not be recovered. Therefore, IT administrators could not rely on tombstone reanimation for objects that were accidently deleted.

Recycle Bin in ADAC is an enhanced version of the tombstone reanimation that enables admins to preserve as well as recover deleted objects in Active Directory. When you enable the Recycle Bin feature, all attributes of deleted objects are restored in the same logical state as they were before deletion. For example, if you accidentally delete a few users, you can restore them using Active Directory Recycle Bin and they will automatically regain all the group memberships and access rights that they had before being deleted from the directory.

Fine-Grained Password Policy

Prior to Windows Server 2008 Active Directory, admins could set only one type of password and account lockout policy for all the users in the domain. The policy was specified in the Default Domain Policy for the domain. So, if an organization wanted to set different password and account lockout policies for different users, it would either have to create a password filter or deploy multiple domains, both of which are costly options.

With ADAC, admins can apply different password and account lockout policies for different users. For instance, you can apply strict policies for accounts that are highly privileged and set relatively easier policies for less privileged user accounts to keep the organization productive and secure at all times.

Windows PowerShell History Viewer

Since ADAC is built on Windows PowerShell, every action that is executed in its user interface generates a PowerShell script that is shown in the Windows PowerShell History Viewer. IT administrators can use this feature to learn the scripts, create automated commands, and reduce repetitive tasks while increasing overall productivity.

How to Access Active Directory Administrative Center (ADAC)?

To access ADAC, do the following:

1. Launch the Run dialog box by pressing the “Windows” + “R” keys.
2. Type “dsac.exe” in the Open box.
3. Click OK.
   

How to Use Active Directory Administrative Center (ADAC)?

ADAC can be used to perform routine Active Directory tasks but in a more advanced and efficient way. When you launch the ADAC console, you will see the two most used options by administrators, namely Reset Password and Global Search, readily available on the landing page.

You can perform the following actions through ADAC:

• Create an Organizational Unit
• Create and Add Users to an Organizational Unit
• Reset a User’s Password
• Restore a Deleted User or Object
• View PowerShell History

Create an Organizational Unit (OU)

An organizational unit (OU) is a container in Active Directory that can hold objects, like users, computers, and groups. Organizational units are very helpful in keeping the directory neat and well-structured.

To create an organizational unit using ADAC, follow these instructions:

1. In ADAC, select a domain from the left panel. In this case, we will be using “demo (local)”.
2. Under the Tasks panel on the right, select New > Organizational Unit.
   
   
3. On the Organizational Unit dialog box, specify a name and description for the new OU. In this case, we will be using “Test-OU” as the name and “Test OU for Demo” as description.
   
   
4. Click OK.
5. Go to the domain where you created the OU and confirm its existence.
   
   

Create and Add Users to an Organizational Unit

When new employees join a company, IT administrators have to create their user accounts so that they can access the company’s resources and start working. Here is how you can create new user accounts in your directory using ADAC:

1. Double-click the OU where you want to create a user account.
2. Right-click in the blank area, hover over to New, and select User. In this case, we will be creating a new user account in the “Test-OU” container.
   
   
3. Fill in the required fields and set a password for the new user account. In this case, we will be using “TestUser” as the Full Name and User SamAccountName of the new user account. You can also fill in other details and attributes of the user, such as First Name, Last Name, Job Title, Department, etc.
   
   
4. Click OK. The user will be successfully created in your desired OU.
   
   

Reset a User’s Password

Users often forget their passwords and reach out to IT admins to reset their passwords. Thankfully, ADAC is up to the task and that too, quite efficiently. To reset a user’s password in ADAC:

1. Go to Global Search on the left panel.
2. Type the name of the user in the search bar. In this case, we will be resetting the password of “TestUser”.
   
   
3. Under the Task panel on the right, select Reset password.
4. Type in the password that matches the requirements of your domain.
   
   
5. Check the User must change password at next log on check box.
6. Click OK. You have successfully changed the password of the user.

Restore a Deleted User or Object

If you accidentally delete an object from your directory, ADAC allows you to restore that object by enabling the Recycle Bin feature. Here is how you can enable the Recycle Bin feature in ADAC:

1. Select the domain from the left panel on which you want to enable the Recycle Bin feature.
2. Under the Task panel on the right, select the Enable Recycle Bin option.
   
   
3. Next, you will be prompted with a confirmation message.
   
   
4. Click OK to continue.
5. ADAC will ask you to refresh the console.
   
   
6. Click OK again.
7. Press the F5 key and refresh ADAC. You will notice that the Enable Recycle Bin option has grayed out. This means that the feature is successfully activated for the forest.
   
   
8. Now you can safely delete an object and restore it using ADAC.

Deleting a User from the Directory:

1. Navigate back to the domain.
2. Select the OU from where you want to delete a user.
3. Right-click the desired user and select Delete.
   
   
4. You will be prompted with a confirmation message.
   
   
5. Click Yes. The user is deleted from your directory.

Restoring a Deleted User Using ADAC:

1. Click the arrow next to your domain on the left panel and select the Deleted Objects container.
   
   
2. Select the object that you want to recover.
3. Right-click the object and select the Restore option to add the user back to its original OU. If you want to restore the object to a different OU, select the Restore To option and choose the desired container.
   
   
4. Once restored, the object will disappear from the Deleted Objects container.
   
   
5. Now go to the OU where you restored the object. Notice that it is back in the directory.
   
   

View PowerShell History

PowerShell history in ADAC is useful for auditing and tracking as you can see all the changes that were made to the directory. To view the PowerShell history in ADAC:

1. Navigate to the domain.
2. Double-click Windows PowerShell History.
   
   

Here you will see all the changes that were made. In case an unauthorized modification was made, you can reverse it. You can also see the PowerShell cmdlets for the actions made in the directory, which can be used to construct automated scripts to reduce repetitive tasks and increase IT productivity.

Taking Active Directory Controls a Step Further

ADAC was meant to be a replacement for ADUC but the truth is that it is not a good substitute. Despite offering some advanced features, there is still room for a lot of improvement.

• ADAC is mostly used for its Recycle Bin feature but that is not a good practice.
• Plus, ADAC is dependent on PowerShell cmdlets, which can get highly complicated at times.

Instead of switching between ADAC and ADUC to carry out the tasks, you should opt for a one-stop solution that offers a user-friendly interface and helps you perform all the Active Directory tasks with utmost reliability and precision. Try GroupID; it enables you to take the controls of Active Directory a step further by offering all the functions that you can perform with ADAC and much more.

GroupID has been a leading tool for managing users and groups in Active Directory for over 21 years. Here’s how GroupID extends Active Directory functions:

• Seamless User Provisioning and Deprovisioning
• Powerful Group Management
• Logical Deletion and Recycle Bin
• Simplified Password Management
• Controlled Delegation
• Thorough Reporting

Seamless User Provisioning and Deprovisioning

Keep your directory up-to-date by syncing it with data from a source, such as an Excel file or an HR database. GroupID Synchronize reads new user records at the source and auto creates user accounts at the destination, such as Active Directory. This feature makes user provisioning and deprovisioning extremely easy and reliable, as new recruits are quickly onboarded and parting employees are offboarded while revoking their access.

Powerful Group Management

GroupID Automate solves a real problem for businesses by enabling them to manage groups automatically and dynamically.

• Queries cam be specified for groups, which retrieve objects from the directory to add as members to groups. So, when user attributes change, group memberships automatically change. Since employees depend on groups to perform their everyday tasks, GroupID ensures accurate memberships, so that users have appropriate access to the resources.
• GroupID also manages group lifecycle. Groups remain active for a specified period and owners are notified before a group will expire. If the owner does not renew the group, GroupID automatically expires it and then deletes it.

Logical Deletion and the Recycle Bin

GroupID enables administrators to restore deleted groups, which reinstates all group memberships and permissions. Groups are also restored to their original container.

Simplified Password Management

GroupID Password Center enables end-users to do the following on their own:

• Reset their domain account passwords
• Change their passwords
• Unlock their accounts

Users can perform these operations after authenticating via multifactor authentication.

Moreover, helpdesk can also reset passwords and unlock accounts for end-users. They also have access to dashboards and live updates to audit and examine the tasks carried out by end-users.

Controlled Delegation

GroupID Self-Service is a powerful web-based group and user management tool that allows administrators to delegate directory administration to end-users based on permissions and policies. Users can manage their profiles, accounts, groups, workflows, and much more.

Thorough Reporting

Active Directory does not come with any reporting tools, which is why administrators are forced to scroll through the Global Address List (GAL) manually to look for records. GroupID Reports offers hundreds of insightful reports on Active Directory users, computers, groups, and contacts, such as:

• Groups and their last modified time
• Groups without members
• Groups without owners
• Users with objects they own
• Disabled users
• Users without managers
• Users who never logged on
• Computers that have never logged on to the network
• Disabled computers and their OS

Summing Up

GroupID puts an end to all manual group and user management tasks in Active Directory and Azure AD, saving IT time and effort, which can be utilized for other projects. So, start your journey with GroupID today and reap the benefits of automated object management in Active Directory.

View Profile

Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.