Another look at Active Directory Administrative Center (ADAC)


Previously I had briefly written about ADAC and today we take a look at some of the things you can accomplish by this new interface of Active Directory.

We start out by launching the ADAC, by running DSAC.exe from the run window


ADAC offers two views, the list view


and the tree view


There are several useful queries built-in which you can add from the ‘Add criteria’ button such as find all the users with expired passwords


And add multiple criteria to your query


From the task pane, you can create a new user


Its an ease of use to be able to fill in all the pertinent attributes from a single interface


Now you can raise DFL and FFL from one location, previously you had to raise the FFL from AD Domains and Trusts snap-in


From the Global Search page, you can simply also add your own LDAP query


You can add specific navigation nodes into your list-view such as the Users container and apply different filters (query) to do a comparison side-by-side, from the same ‘add navigation nodes’ window you can also add other trusted domains to manage multi-domain environment all in one place.


For more info. see

Also watch this short webcast by Kevin Remde

PowerShell : Add-Computer cmdlet works in Windows 7 RTM but Rename-Computer is gone


I had earlier posted about the Add-Computer cmdlet bug in Windows 7 RC builds which didn’t allow the computer to be added to the domain via PowerShell. With Windows 7 RTM, it is fixed and turns out to be pretty handy should you need to script the domain joins for your new builds. The command to add the machine is pretty simple.


The –passthru switch as chosen in the example shows the results.

Check out help for what you can do with this cmdlet such as when you need to add the computer account to a specific OU. Remember that adding machine via PowerShell to the domain does not require you to create the computer name before hand, but it pre-exists than its not an issue.

Few examples :

Add-Computer -domainname Domain02 -OUPath OU=testOU,DC=domain,DC=Domain,DC=com

Add-computer -workgroupname WORKGROUP-A

Add-computer -domainname Domain01; restart-computer   (this adds the restart option)

For more info. see

For reasons unknown to me the useful Rename-Computer cmdlet (shown in my earlier example) seems to have been removed past CTP3 builds and the RTM. Even though the technet reference for all Windows 7 PowerShell cmdlets still has it listed.

Here is a discussion I found.

Windows 7, Windows Server 2008 R2 and Exchange Server 2010 Launch Event


I was reached out by Keith Powell from Microsoft about the Windows Server 2008 R2 Launch Event dubbed as “the efficiency launch event” on Sep 29th, 2009 at Hyatt Regency Downtown Chicago. It is going to be a virtual event live from San Francisco, with Steve Ballmer as the keynote speaker.


Similar events are going to be taking place in your or a city near you. Take a look at the link below and be sure to register and save the date. Take advantage of this free learning event.

Active Directory Management Gateway Service is RTW


ADMGS aka AD Web Services aka Powershell Native AD cmdlets which is originally a Windows Server 2008 R2 feature is out of beta and can be downloaded from here for DCs running down level OSs.

The Active Directory Management Gateway Service enables administrators to use the Active Directory module for Windows PowerShell and the Active Directory Administrative Center running on Windows Server 2008 R2 or Windows 7 to access or manage directory service instances that are running on Windows Server 2008 or Windows Server 2003 DCs.

Note:    Installing the Active Directory Management Gateway Service on your Windows Server 2008–based or Windows Server 2003–based servers does not make it possible for you to install the Active Directory module or the Active Directory Administrative Center (which is available only on Windows Server 2008 R2 or Windows 7 operating systems) on these servers. “

For more info see

Group Nesting Reference Chart


The Active Directory Groups Nesting restrictions is an often-discussed topic among my peers especially in a multi-domain forest and often a question raised in forums and mailing lists. Although there have been some great blogs written that dive deep into the technical restrictions, I personally needed a simple reference chart that I could refer to and which serves me as a memory refresher. Between the two types of Active Directory Groups, Security and Distributions, there are restrictions in both but this attempted reference chart covers only Security type. There are three scopes of Security Groups. Domain Local, Global, and Universal. A leading practice for each of these scopes for NTFS permissions is as follows. Domain Local Groups are used for permissions (ACLs), Users are populated in Global Groups, and Universal Groups are used to manage Global Groups. But often times there are needs to circumvent this model and cross nesting is required especially in a multi-domain forest or in a large environment with multiple forests. The nesting restrictions of each group that you must know about can be broken into three questions and subsequent charts below :

Please note that these nesting restrictions assume Window 2000 native or Windows Server 2003 DFL.

1. Which particular group will take other scope type (nested) as its member i.e from the same domain and from a trusted domain ?

Chart 1 for Question # 1

Same Domain Can accept Domain Local Can accept Global Group Can accept Universal Group
Domain Local Yes Yes Yes
Global Group No Yes No
Universal Group No Yes Yes

Chart 2 for Question # 1

Trusted Domain Can accept Domain Local Can accept Global Group Can accept Universal Group
Domain Local No Yes Yes
Global Group No No No
Universal Group No Yes Yes

2. Where can a particular group be assigned permissions (ACL) i.e only in the domain where it resides and also cross domains ? (trusted or other child domains within the same forest )

All three scope types can be used to assign permissions in the same domain where the groups reside.

Chart 1 for Question # 2

Trusted Domain Can be used to assign permissions
Domain Local No
Global Group Yes
Universal Group Yes

3. Which group will accept users and computers from same and trusted domain ?

All three scope types will accept Users and Workstation from the same domain where they reside.

Chart 1 for Question # 3

Trusted Domain Will accept Users and Workstations
Domain Local Yes
Global Group No
Universal Group Yes

More information on the scope of these groups can be found here:

To learn about a leading access control model known as AGDLP see :,289483,sid68_gci1255549,00.html

Is there an Active Directory Visual Illustration/Diagram ?


A question was raised on ActiveDir, and I learned about an old TechNet Jigsaw on AD’s interworking.


























Along with that, there was a new Windows Server 2008 AD Feature Components which I received at Tech-Ed 2007 and it illustrates the new and improved AD pieces introduced with Windows Server 2008. This poster covers ADLDS, ADFS, ADRMS, and RODCs.



And an additional poster on general new Windows Server 2008 Feature Components that covers TS, NAP, IIS 7.0, Virtualization, Server Core and BitLocker.


Both of the above illustrations and very good quality large size posters (30x20in) and are good to hang in your office/cube. Printing them on regular printer may distort the quality, so you may try the plotter :). All three can be downloaded from the following links :

TechNet Magazine Active Directory Component Jigsaw Poster

Windows Server 2008 Component Posters (both)

P.S This is my first test post using WLW.