
Active Directory Users and Computers – Part II

In part I of Active Directory Users and Computers, we introduced the Active Directory Users and Computers (ADUC) snap-in, listed the tasks an administrator can perform from the ADUC console and walked through a few basic ones. In this part, we look at more advanced tasks that come in handy for an administrator managing users, computers, and other objects in Active Directory, and at the permission and audit checks that go with them.

Advanced Settings in ADUC

By default ADUC hides several containers (for example System, LostAndFound and Program Data), several property tabs (Object, Security and Attribute Editor) and a large number of attributes. Enabling Advanced Features exposes them.

To enable advanced features, do the following:

  • In the ADUC console, click View and enable Advanced Features.
  • The setting is saved with the console, so it stays enabled the next time ADUC is opened.
  • With advanced features enabled, the hidden containers appear in the tree and the additional tabs and attributes appear when you open an object’s properties.
  • The Object tab shows the object’s canonical name (its full path in the directory, useful for locating a computer or user in a large tree), its object class, creation and modification times and update sequence numbers, and it carries the Protect object from accidental deletion checkbox.

Viewing User and Computer Attributes

  • In the left pane of ADUC, right-click the object whose attributes you want to see.
  • Click Properties and then click the Attribute Editor tab. Every attribute of the object that your account can read is listed, including those no other tab exposes.

Note: Advanced Features must be enabled or the Attribute Editor tab is not shown. Edits made on this tab write the raw attribute value without the validation the other tabs perform, so change values here only when you know the attribute’s syntax and effect.

Opening the Attribute Editor Tab for a user found with Find

When you locate an object through the Find dialog, the Properties window opened from the search results does not include the Attribute Editor tab. Normally you would have to expand the OU that contains the object in the tree, find the object and open its properties from there. The following workaround reaches the Attribute Editor directly from a search result:

  • Use the Find dialog to locate the user and open its Properties.
  • Go to the Member Of tab, which lists the groups the user belongs to.
  • Open the properties of one of those groups (a small group is quicker to work with).
  • Go to the Members tab in the group properties.
  • Close the user’s Properties window that you opened from the search results.
  • In the group’s member list, double-click the user. The Properties window that opens from here includes the Attribute Editor tab.
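The Attribute Editor shows raw values; the one most worth reading is userAccountControl, a bit field whose individual flags decide how the account authenticates. The following PowerShell is an added example (not code from the original post) that pulls the attributes a reviewer cares about and decodes the bits into named flags. It assumes the RSAT ActiveDirectory module in a domain-joined session; the account name 'jdoe' is a placeholder.

```powershell
# Added example: read the raw attributes the Attribute Editor tab shows and decode
# userAccountControl into named flags. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Bit values of userAccountControl (documented by Microsoft; subset shown).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0002
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    NORMAL_ACCOUNT                 = 0x0200
    DONT_EXPIRE_PASSWORD           = 0x10000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQUIRE_PREAUTH           = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

# Flags a reviewer should treat as findings when set on an ordinary user account.
$RiskyFlags = 'PASSWD_NOTREQD', 'DONT_REQUIRE_PREAUTH', 'USE_DES_KEY_ONLY',
              'TRUSTED_FOR_DELEGATION', 'TRUSTED_TO_AUTH_FOR_DELEGATION'

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-UserAttributeReport {
    # $Identity accepts a sAMAccountName, distinguished name or objectGUID.
    param([Parameter(Mandatory)][string]$Identity)

    # Ask only for the attributes needed; -Properties * works but is slow at scale.
    $u = Get-ADUser -Identity $Identity -Properties userAccountControl, adminCount,
        pwdLastSet, lastLogonTimestamp, servicePrincipalName, canonicalName, memberOf

    $flags = @(ConvertFrom-UserAccountControl -Value $u.userAccountControl)
    # lastLogonTimestamp is absent for accounts that never logged on.
    $lastLogon = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) }
    # pwdLastSet of 0 decodes to 1601-01-01 and means "must change password at next logon".
    $pwdSet = [DateTime]::FromFileTime($u.pwdLastSet)

    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        CanonicalName      = $u.canonicalName            # same path the Object tab shows
        DistinguishedName  = $u.DistinguishedName
        UserAccountControl = ('0x{0:X}' -f $u.userAccountControl)
        Flags              = ($flags -join ',')
        RiskyFlags         = (@($flags | Where-Object { $RiskyFlags -contains $_ }) -join ',')
        AdminCount         = $u.adminCount               # 1 = ACL managed by AdminSDHolder
        PasswordLastSet    = $pwdSet
        LastLogon          = $lastLogon
        HasSPN             = [bool]$u.servicePrincipalName   # a user with an SPN is Kerberoastable
        GroupCount         = @($u.memberOf).Count
    }
}

Get-UserAttributeReport -Identity 'jdoe' | Format-List
```

Running the function over `Get-ADUser -Filter *` instead of a single identity turns it into a quick inventory of accounts with pre-authentication disabled, DES-only keys or unconstrained delegation, which is exactly the sort of review that clicking through the Attribute Editor one object at a time does not scale to.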

Protecting Objects from Accidental Deletion

Checking this option adds two Deny access control entries for Everyone to the object’s DACL: Delete and Delete Subtree. Any attempt to delete the object, or to move it (a move is a delete plus an add from the directory’s point of view), then fails with an access-denied error until the flag is cleared again on the Object tab. OUs created from ADUC have the flag set by default; objects created with other tools may not.

The following steps illustrate how to protect AD objects from accidental deletion:

  • In the left pane of ADUC, right-click the object that is to be protected from accidental deletion, and click Properties.
  • Select the Object tab (visible only when Advanced Features is enabled), check the Protect object from accidental deletion option, and click OK.
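The same flag can be set, verified and audited from PowerShell, which is how you would check that every OU actually carries the protection. The following is an added example (not code from the original post); it assumes the RSAT ActiveDirectory module, and the OU distinguished name is a placeholder.

```powershell
# Added example: set the "Protect object from accidental deletion" flag, show the
# two Deny ACEs it creates, and list OUs that are not protected.
Import-Module ActiveDirectory

$ou = 'OU=Workstations,DC=example,DC=com'   # placeholder distinguished name

# Equivalent of ticking the checkbox on the Object tab.
Set-ADObject -Identity $ou -ProtectedFromAccidentalDeletion $true

# The flag is not a stored attribute; it is two Deny ACEs for Everyone on the object.
# Inspect them through the AD: PSDrive that the module provides.
function Get-AccidentalDeletionAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $delete     = [System.DirectoryServices.ActiveDirectoryRights]::Delete
    $deleteTree = [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            ($_.AccessControlType -eq 'Deny') -and
            ($_.IdentityReference.Value -eq 'Everyone') -and
            ($_.ActiveDirectoryRights.HasFlag($delete) -or $_.ActiveDirectoryRights.HasFlag($deleteTree))
        } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited
}
Get-AccidentalDeletionAces -DistinguishedName $ou

# Because Delete is denied on the object itself, Move-ADObject fails too until the
# flag is cleared: Set-ADObject -Identity $ou -ProtectedFromAccidentalDeletion $false

# Audit: OUs created with ADUC are protected by default, OUs created by scripts or
# other tools often are not. List every unprotected OU in the domain.
function Get-UnprotectedOU {
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object Name, DistinguishedName
}
Get-UnprotectedOU
```

Piping the output of Get-UnprotectedOU into `Set-ADObject -ProtectedFromAccidentalDeletion $true` protects the whole tree in one pass; do that deliberately rather than blindly, since protected objects also resist intentional reorganisation until someone clears the flag.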

Searching for Objects

Objects in AD can be located using the Find dialog in the ADUC console. The search runs an LDAP query against the container you start from, so choosing the right container keeps the result set small. The following steps illustrate how to perform the search:

  • In the left pane of ADUC, right-click the container (domain, OU or folder) where you need to search.
  • Select Find from the shortcut menu.
  • In the Find dialog that appears (its title reflects the object type, for example Find Users, Contacts, and Groups), use the Find drop-down to choose the object type and the In drop-down or Browse button to set the container the search starts from.
  • To narrow the search, click the Advanced tab.
  • Click Field and pick the attribute to match on, choose a condition from the Condition drop-down (Starts with, Is exactly, Present, Not present and so on), type the value in the Value box, and click Add. Repeat to combine several conditions; all of them must match.
  • Click Find Now to display the search results.

Choosing Custom Search in the Find drop-down and opening its Advanced tab lets you type a raw LDAP filter instead, which is the only way to express conditions the field list does not offer.

An alternative method for searching from a script or a command prompt is the dsquery command-line tool, or the Get-ADObject and Get-ADUser cmdlets of the ActiveDirectory PowerShell module.

Creating a Saved Query

Saved Queries in ADUC store an LDAP filter together with the container it runs from, so administrators can re-run the same audit (disabled accounts, accounts whose password never expires, users in a given department) with one click instead of rebuilding the conditions in the Find dialog each time. A query definition can be exported to an XML file (right-click the query, Export Query Definition) and imported on another console, which makes saved queries a convenient way to share a standard set of checks across an admin team.

The following steps illustrate how to create a saved query:

  • In the left pane of ADUC, right-click Saved Queries and click New, then Query.
  • Type a suitable name and, optionally, a description for the saved query. The Query root defaults to the domain; click Browse to narrow it to an OU, and leave Include subcontainers checked unless you want a single-level search.
  • Click Define Query. The Find dialog opens: choose the object type, set the conditions on its tabs (or choose Custom Search and enter an LDAP filter on the Advanced tab), and click OK. The resulting query string is shown read-only in the New Query dialog.
  • Click OK to save the query. Select it under Saved Queries to run it; press F5 to refresh the results.
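Both the Find dialog and a saved query come down to an LDAP filter, a search base and a scope. The following PowerShell is an added example (not code from the original post) that expresses the common audit queries, plus a stale-account query that needs a computed date, using those same three inputs. It assumes the RSAT ActiveDirectory module; the search base and the 90-day threshold are placeholders.

```powershell
# Added example: the scoped, attribute-based searches that Find and Saved Queries
# build, written as LDAP filters against a search base and scope.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=example,DC=com'   # the "In:" container / query root
$StaleDays  = 90

# LDAP bitwise-AND matching rule, used to test userAccountControl bits in a filter.
$BitAnd = '1.2.840.113556.1.4.803'

# Each entry is what a saved query stores under the hood.
$Queries = [ordered]@{
    # Disabled accounts (userAccountControl bit 0x2)
    DisabledUsers        = "(&(objectCategory=person)(objectClass=user)(userAccountControl:$BitAnd:=2))"
    # Password never expires (0x10000), excluding disabled accounts
    PasswordNeverExpires = "(&(objectCategory=person)(objectClass=user)(userAccountControl:$BitAnd:=65536)(!(userAccountControl:$BitAnd:=2)))"
    # Kerberos pre-authentication not required (0x400000): AS-REP roastable
    NoPreauth            = "(&(objectCategory=person)(objectClass=user)(userAccountControl:$BitAnd:=4194304))"
    # User accounts that carry an SPN: Kerberoastable (krbtgt always has one)
    UsersWithSPN         = "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))"
}

function Invoke-SavedQuery {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Base = $SearchBase,
        # Subtree = "Include subcontainers" checked; OneLevel = unchecked
        [ValidateSet('Base', 'OneLevel', 'Subtree')][string]$Scope = 'Subtree'
    )
    Get-ADObject -LDAPFilter $Queries[$Name] -SearchBase $Base -SearchScope $Scope `
                 -Properties sAMAccountName |
        Select-Object @{ n = 'Query'; e = { $Name } }, sAMAccountName, DistinguishedName
}

# Stale accounts need a computed cutoff. lastLogonTimestamp is a FILETIME and is
# replicated lazily (up to 14 days behind), so treat it as approximate; accounts
# that never logged on have no value at all and do not match a <= comparison.
function Get-StaleUsers {
    param([int]$Days = $StaleDays, [string]$Base = $SearchBase)
    $cutoff = (Get-Date).AddDays(-$Days).ToFileTimeUtc()
    $filter = "(&(objectCategory=person)(objectClass=user)(lastLogonTimestamp<=$cutoff)(!(userAccountControl:$BitAnd:=2)))"
    Get-ADObject -LDAPFilter $filter -SearchBase $Base -SearchScope Subtree `
                 -Properties sAMAccountName, lastLogonTimestamp |
        Select-Object sAMAccountName, DistinguishedName,
            @{ n = 'LastLogon'; e = { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } }
}

foreach ($q in $Queries.Keys) { Invoke-SavedQuery -Name $q }
Get-StaleUsers
```

The filter strings can be pasted as-is into the Advanced tab of a Custom Search in ADUC, so the console and the script return the same set of objects.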

Delegating Control

Delegating control grants a user or group only the rights it needs on a specific OU or domain, without making anyone a domain administrator. It is the right tool when you want to split administration, for example appointing a primary and a backup administrator for each OU or domain, or letting a helpdesk group reset passwords in the OU that holds staff accounts. The wizard writes access control entries on the DACL of the OU or domain you select, and those entries are inherited by the objects beneath it. The following steps will guide you to delegate control using ADUC:

  • Open ADUC with an account that is allowed to modify permissions on the target (by default a Domain Admin or the owner of the OU).
  • Right-click the domain or Organizational Unit.
  • Select Delegate Control from the context menu to launch the Delegation of Control Wizard.
  • Click Next on the welcome page.
  • Click Add to specify the user or group to whom the rights will be granted. Prefer a group, even for a single person, so the delegation can be revoked or reassigned by changing membership.
  • Enter the name of the user or group and click Check Names to validate it.
  • Click OK to return to the wizard.
  • Click Next.
  • Choose the tasks you wish to delegate from the list of common tasks (for example, Reset user passwords and force password change at next logon), or select Create a custom task to delegate to pick the object types and the individual permissions yourself, and then click Next.

On the last page of the Delegation of Control Wizard you’ll see a summary of your selections; check it and then click Finish to exit the wizard.

The wizard only ever adds permissions; running it a second time does not remove what was granted before. To review or revoke a delegation, enable Advanced Features, open the OU’s Properties, Security tab, Advanced, and look at the explicit (non-inherited) entries, or list them with dsacls. Delegations that grant Full Control, Modify Permissions or Modify Owner on an OU to a non-administrative group are effectively domain-level privilege over every object in it and should be treated as findings.
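The wizard hides the ACEs it writes. The following PowerShell is an added example (not code from the original post) that performs the same delegation as the wizard’s "Reset user passwords and force password change at next logon" task by writing the two ACEs explicitly, and then lists every explicit ACE on the OU so the delegation can be reviewed. It assumes the RSAT ActiveDirectory module; the OU and group names are placeholders.

```powershell
# Added example: delegate password reset on an OU with explicit ACEs (what the
# wizard's "Reset user passwords and force password change at next logon" task
# writes) and list the OU's non-inherited ACEs for review.
Import-Module ActiveDirectory

$ou    = 'OU=Staff,DC=example,DC=com'       # placeholder OU
$group = 'EXAMPLE\Helpdesk-PasswordReset'   # placeholder group

# Schema and control-access-right GUIDs used by this task.
$UserClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0562'   # "Reset Password" extended right
$PwdLastSetGuid    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # pwdLastSet attribute

function Grant-PasswordResetDelegation {
    param([Parameter(Mandatory)][string]$OrganizationalUnit,
          [Parameter(Mandatory)][string]$Principal)
    $sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $acl = Get-Acl -Path "AD:\$OrganizationalUnit"

    # Allow the Reset Password extended right on descendant user objects only
    # (inheritedObjectType = user class), not on computers, groups or the OU itself.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ExtendedRight', 'Allow', $ResetPasswordGuid, 'Descendents', $UserClassGuid)))
    # Allow read/write of pwdLastSet so "must change password at next logon" can be set.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ReadProperty, WriteProperty', 'Allow', $PwdLastSetGuid, 'Descendents', $UserClassGuid)))

    Set-Acl -Path "AD:\$OrganizationalUnit" -AclObject $acl
}

# Review: delegations are the explicit (non-inherited) ACEs on the OU. Anything
# granting GenericAll, WriteDacl or WriteOwner to a non-admin principal is a finding.
function Get-ExplicitDelegations {
    param([Parameter(Mandatory)][string]$OrganizationalUnit)
    (Get-Acl -Path "AD:\$OrganizationalUnit").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
            ObjectType, InheritedObjectType, InheritanceType
}

Grant-PasswordResetDelegation -OrganizationalUnit $ou -Principal $group
Get-ExplicitDelegations -OrganizationalUnit $ou | Format-Table -AutoSize
```

ObjectType and InheritedObjectType come back as GUIDs; resolving them against the schema (rightsGuid in the Extended-Rights container, schemaIDGUID in the Schema partition) is what turns a raw ACE listing into a readable delegation report.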

Unlocking a user account

An account is locked out when the number of bad password attempts within the lockout observation window reaches the lockout threshold set by the domain password policy, or by a fine-grained password policy that applies to the user. The lock clears on its own once the lockout duration has elapsed (30 minutes is the value proposed when a threshold is configured), or an administrator, or any account delegated the Unlock account permission, can clear it immediately from ADUC. Before unlocking, it is worth knowing where the bad attempts came from: event 4740 on the PDC emulator records the caller computer name, and repeated lockouts from one host usually point to a stale stored credential (service, scheduled task, mapped drive) or to password spraying, neither of which an unlock fixes. You can unlock a user account using ADUC by following these steps:

  • Open the ADUC console with an account that has the unlock permission on the user.
  • Right-click the user object whose account has been locked.
  • From the context menu, select Properties.
  • Select the Account tab in the Properties window.
  • Check the box labelled Unlock account. This account is currently locked out on this Active Directory Domain Controller.
  • Click Apply and then OK.

The user account is now unlocked on that domain controller; the change replicates urgently to the others, so the user can normally log on right away.
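The following PowerShell is an added example (not code from the original post) that lists locked-out accounts, shows the policy that locked them, pulls the lockout source from event 4740 on the PDC emulator, and only then unlocks. It assumes the RSAT ActiveDirectory module and read access to the PDC emulator’s Security log; the account name 'jdoe' is a placeholder.

```powershell
# Added example: find locked-out accounts, identify the lockout source via
# event 4740 on the PDC emulator, and unlock after review.
Import-Module ActiveDirectory

function Get-LockoutPolicy {
    # Domain-wide values; a fine-grained policy (PSO) may override them per user:
    #   Get-ADUserResultantPasswordPolicy -Identity jdoe
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
}

function Get-LockoutSource {
    # 4740 is logged on the PDC emulator for every lockout in the domain.
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Hours = 24)
    $pdc = (Get-ADDomain).PDCEmulator
    Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
        ForEach-Object {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Account        = $_.Properties[0].Value   # TargetUserName
                CallerComputer = $_.Properties[1].Value   # "Caller Computer Name" (stored in the TargetDomainName field of 4740)
                LoggedOn       = $_.MachineName
            }
        }
}

function Unlock-ReviewedAccount {
    # Unlocking needs only the delegated "Unlock account" right (write to
    # lockoutTime), not Domain Admin; run this as that delegated identity.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties LockedOut, badPwdCount
    if (-not $u.LockedOut) {
        Write-Output "$SamAccountName is not locked out"
        return
    }
    # Show where the bad attempts came from before clearing the lock; a single
    # caller host hammering the account is the thing to fix, not the lock.
    Get-LockoutSource -SamAccountName $SamAccountName | Format-Table -AutoSize

    Unlock-ADAccount -Identity $SamAccountName
    Get-ADUser -Identity $SamAccountName -Properties LockedOut |
        Select-Object SamAccountName, LockedOut
}

# Everything currently locked out in the domain.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
Get-LockoutPolicy
Unlock-ReviewedAccount -SamAccountName 'jdoe'
```

badPwdCount is not replicated, so if you want the per-DC picture of failed attempts you have to query each domain controller with `-Server`; the 4740 event on the PDC emulator is the single place that records the final lockout and its source.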

The Microsoft Management Console (MMC) snap-in ADUC (dsa.msc) is a key Active Directory domain management tool. It is used to manage users, groups, computers, Organizational Units (OUs) and their properties in an Active Directory domain. When the Active Directory Domain Services role is installed on a Windows Server host, the ADUC console is installed with it. On Windows 10 (version 1809 and later) and Windows 11 it is part of the Remote Server Administration Tools (RSAT), installed as a Features on Demand component. ADUC is only one of several tools available for AD administration, but it has been one of the most frequently used tools for managing objects in an Active Directory domain since Windows 2000.
