Active Directory Administrative Center

Active Directory Administrative Center is essentially the new administration interface for Active Directory that provides network administrators with an enhanced Active Directory data management experience and a rich graphical user interface (GUI).


Active Directory Administrative Center

It comes standard with Windows Server 2008 R2 and it can be used to perform common Active Directory object management tasks through both data-driven navigation and task-oriented navigation. It is meant to be the replacement of Active Directory Users and Computer (ADU&C) Snap-In and it certainly offers an enhanced management experience for IT administrators.

It can be used to manage domain user and computer accounts, domain security groups and of course Organizational Units and containers. It can also be used to filter data by using query-building search.

One of the key benefits of the Active Directory Administrative Center is that it can be used to manage objects across multiple domains, as long as they belong to the same Active Directory forest, or there exists a trust path between the local and the target domain.

One neat new feature of the Active Directory Administrative Center is the breadcrumb bar, which can be used to directly enter the location of a specific Active Directory object, so that you can directly navigate to that object.

Another neat feature is that it can be used to query the Active Directory based on richer criteria, such as the to find a list of locked user accounts. It however falls short in providing accurate information on last logons, as it does NOT query each DC, but instead relies on the approximation method which is based on the lastLogonTimeStamp attribute.

Although Active Directory Administrative Center is not big on reports, I have found that when you compliment it with a dedicated Active Directory reporting tool, you can have a complete (well almost) Active Directory management and reporting solution at your disposal.


You can open the Active Directory Administrative Center is one of two ways - you can either click Start, then select Administrative Tools, then click on Active Directory Administrative Center, or you can click Start, then click Run, and then type dsac.exe.

It however can currently only run on running the Windows Server 2008 R2 operating system (and on Windows 7 clients using (RSAT)), and it cannot be used to manage Active Directory Lightweight Directory Services (AD LDS) instances and configuration sets.

It is not without its downsides however in that it cannot be used to generate pretty printed reports which might be needed for security audits and compliance reporting, as the best one can do is perhaps export to CSV.

Also, because under the hood Active Directory Administrative Center, It is powered by PowerShell, and so while it is certainly more powerful than the its predecessor, the Active Directory Users and Computer MMC Snap-In, it can be sluggish at time.

+ Pros: Free, Offers Multi-domain Active Directory data management, provides basic Active Directory querying capabilities, enables instant navigation to an Active Directory object, Can generate simple account management type reports


- Cons: Limited in its ability to generate custom (advanced) IT management and security reports (e.g. True Last Logons etc), Currently only runs on Windows Server 2008 R2 and Windows 7 (using RSAT), Relies on PowerShell

Download Point: Ships along with Windows Server 2008 R2, so will be automatically available when you DCPROMO the Windows Server 2008 R2 machine. Alternatively, you can download and install the Remote Server Administration Tools (RSAT) on a Windows Server 2008 R2 server or a Windows 7 machine. Alternatively, you can download it from here.

Summary: In summary, the Active Directory Administrative Center is the first major revision to the Active Directory data management tools since the initial release of Active Directory way back in 2000. It certainly offers numerous visual and capability enhancements, but is neither intended to and cannot replace the need for a dedicated/professional-grade Active Directory audit tool

No comments:

Post a Comment