Updates and Improvements to Active Directory in Windows Server 2012

The Active Directory Administrative Center, or ADAC, evolves from the Windows Server 2008 R2 version, which was a moderately underwhelming console. That version introduced the distinction between “tree view” (expandable, similar to Explorer) and “list view” (with cascading menus), and both views are present in Server 2012. This makes managing multiple forests easier, and a useful global search feature lets you do handy things like see who hasn’t logged on for X number of days. ADAC in Windows Server 2012 has some convenient new capabilities that can make your life considerably easier. We discuss three of them here.

AD Recycle Bin

If your Forest Functional Level (FFL) is at least Server 2008 R2 (you can raise it in ADAC if necessary), ADAC lets you enable the Recycle Bin from the domain’s context menu. Be advised that this step is irreversible, so if you decide you hate the AD Recycle Bin later, sorry, you’re stuck with it.

Once you enable the AD Recycle Bin, a new domain container object is created called Deleted Objects, in which you can view, for example, deleted user accounts. Restoring a deleted user object is as simple as right-clicking it and choosing “Restore” from the menu. By choosing “Restore to…” you can specify a different container for the restored object. When you restore a deleted user object, that user’s group memberships get restored too; this is a significant improvement over earlier versions of Windows Server. 

If you’ve ever been through the process of restoring a deleted object in previous versions of Windows Server, you’ll appreciate how simple this new method is. 
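The same steps from the ActiveDirectory PowerShell module, as an added example that is not part of the original article: it checks the FFL prerequisite, enables the feature only if it is not already on, restores a deleted user, and verifies that the group memberships came back. The forest name, the user jdoe and the alternate target OU are assumed values.

```powershell
# Added example, not from the original article. Assumed: forest corp.example.com,
# deleted user 'jdoe', OU=Restored as the alternate container.
Import-Module ActiveDirectory

# 1. Prerequisite: forest functional level must be Windows Server 2008 R2 or later.
$forest = Get-ADForest
$minimum = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt $minimum) {
    throw "Forest functional level is $($forest.ForestMode); raise it to 2008 R2 or later first."
}

# 2. Enable the Recycle Bin if it is not enabled yet. This is a one-way change.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}

# 3. Find the deleted user. Deleted objects are only returned with -IncludeDeletedObjects;
#    SamAccountName survives deletion, so it is a reliable search key.
$deleted = Get-ADObject -Filter 'SamAccountName -eq "jdoe" -and isDeleted -eq $true' `
    -IncludeDeletedObjects -Properties LastKnownParent
"Restoring $($deleted.Name) to its last known parent $($deleted.LastKnownParent)"

# "Restore": back to the original container.
Restore-ADObject -Identity $deleted
# "Restore to...": the equivalent with a different target container.
# Restore-ADObject -Identity $deleted -TargetPath 'OU=Restored,DC=corp,DC=example,DC=com'

# 4. Check the point made above: group memberships are restored with the object.
Get-ADPrincipalGroupMembership -Identity jdoe | Select-Object Name
```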

Fine-Grained Password Policies

The second ease-of-use bonanza for users of the new ADAC is a graphical interface for setting Fine-Grained Password Policies (which aren’t actually policies in the sense of Group Policy). As long as the Domain Functional Level (DFL) is Server 2008 or higher, you can create customized password settings (called Password Settings Objects, or PSOs) and link them to security groups.

Creating a new PSO is as easy as opening the System container for the desired domain in the navigation pane of ADAC, right-clicking Password Settings Container, and choosing New > Password Settings. Fill in the blanks, and if you’re ready to apply the PSO to an existing group, enter that group under Directly Applies To. You don’t have to get your hands dirty with ADSI Edit anymore. 

You can also apply a PSO in the properties for a group. Open the group’s property sheet and click Password Settings in the navigation pane. Then click the Assign button and choose a PSO. To resolve potential points of confusion (e.g., when more than one PSO might apply to a given user), you can graphically view the resultant password settings via a user object’s context menu. 
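The PSO workflow described above, done with the ActiveDirectory PowerShell module, as an added example that is not from the original article: the DFL check, creating the PSO, linking it to a group, and reading the resultant settings for one user. The PSO name, the group Tier0-Admins, the user jdoe and the settings values are assumed.

```powershell
# Added example, not from the original article. Assumed: group 'Tier0-Admins',
# user 'jdoe', and the policy values below.
Import-Module ActiveDirectory

# Prerequisite: domain functional level must be Windows Server 2008 or later.
$domain = Get-ADDomain
$minimum = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt $minimum) {
    throw "Domain functional level $($domain.DomainMode) is too low for fine-grained password policies."
}

# Equivalent of Password Settings Container > New > Password Settings.
# When several PSOs apply to one user, the one with the LOWEST Precedence wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0-Admins' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false `
    -Description 'Stricter settings for Tier 0 administrators'

# Equivalent of "Directly Applies To": link the PSO to a global security group.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0-Admins' -Subjects 'Tier0-Admins'

# Equivalent of viewing the resultant password settings from the user's context menu.
Get-ADUserResultantPasswordPolicy -Identity jdoe |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# Audit view: every PSO, its precedence, and what it is linked to.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength,
        @{ n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' } }
```

If no PSO applies to the user, Get-ADUserResultantPasswordPolicy returns nothing and the domain-wide settings (Get-ADDefaultDomainPasswordPolicy, set through the Default Domain Policy GPO) are what actually govern that account.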

Dynamic Access Control

The third area of new interest in ADAC is something Microsoft calls Dynamic Access Control. This is an evolution of Server 2008 R2’s File Classification Infrastructure (FCI) that enabled manual and automated classification of files, auto-expiration to an archive, and so on. FCI was a feature of the File Services role and managed via the File Server Resource Manager. 

With Dynamic Access Control, which has its own node and subnodes in the navigation pane of ADAC, you can control access based on classification properties, audit access based on classification properties, and apply digital rights management controls based on classification properties. 

What are classification properties? Well, they can be things like “business impact” or “confidentiality”. You could also classify files in custom ways based on file content or user-supplied tags. The idea is that you use expressions to create rules governing access in ways that go beyond the classic NTFS Access Control Lists (although NTFS ACLs are still very much alive and well). You can combine a set of “central access rules” into a single “central access policy,” for example.
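The objects named above (a classification property, a central access rule built from an expression, and a central access policy that groups rules), created with the ActiveDirectory PowerShell module, as an added example that is not from the original article. The claim and property names, the group HR-Staff, and the rule and policy names are assumed; the claim ID is read back from AD rather than guessed.

```powershell
# Added example, not from the original article. Assumed: the names below,
# group 'HR-Staff', and that user claims can be sourced from 'department'.
Import-Module ActiveDirectory

# 1. A user claim sourced from the existing 'department' attribute. AD assigns the
#    claim an ID of the form ad://ext/..., which is what expressions refer to.
$claim = New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
    -Enabled $true -PassThru
$claimId = $claim.ID   # assumption: the ID property carries the ad://ext/... name

# 2. A resource property for tagging files (a "classification property"), with a
#    fixed list of allowed values. -IsSecured lets it be used in access decisions.
$levels = 'Low', 'Moderate', 'High' | ForEach-Object {
    New-Object -TypeName Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry `
        -ArgumentList $_, $_, "$_ confidentiality"
}
$prop = New-ADResourceProperty -DisplayName 'DocConfidentiality' -ID 'DocConfidentiality' `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SuggestedValues $levels `
    -IsSecured $true -PassThru
# File servers only download properties that are in the global list.
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $prop

# 3. A central access rule. The resource condition targets files tagged High; the
#    ACL grants HR-Staff read/execute (0x1200a9) only when the user's Department
#    claim is HR. XA = conditional allow ACE; owner, admins and SYSTEM keep full control.
$hrSid = (Get-ADGroup -Identity 'HR-Staff').SID.Value
$acl = 'O:SYG:SYD:AR(A;;FA;;;OWNER RIGHTS)(A;;FA;;;BA)(A;;FA;;;SY)' +
       "(XA;;0x1200a9;;;$hrSid;(@USER.$claimId == `"HR`"))"
$rule = New-ADCentralAccessRule -Name 'CAR-HR-Confidential' `
    -ResourceCondition '(@RESOURCE.DocConfidentiality Any_of {"High"})' `
    -CurrentAcl $acl -PassThru

# 4. Combine one or more rules into a single central access policy.
$cap = New-ADCentralAccessPolicy -Name 'CAP-Confidential-Documents' -PassThru
Add-ADCentralAccessPolicyMember -Identity $cap -Members $rule

# Check: the rules the policy now carries.
(Get-ADCentralAccessPolicy -Identity $cap -Properties Members).Members
```

None of this changes a file server yet: the policy is delivered to file servers through Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > File System > Central Access Policy) and then selected on the folder's Security tab, and domain controllers need the KDC claims support setting enabled so that tickets carry the claim.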

Obviously, Dynamic Access Control is a big subject, and we can only touch on it here briefly.

Managing Active Directory in Windows Server 2012 gets a bit easier once you master the new Server Manager. Its multi-server focus, while imperfect, is a welcome change in direction. You won’t be able to do everything on remote servers unless they’re also running Server 2012, but if they’re running Server 2008 or R2, you can do quite a bit. The focus on server groups has shoved a lot of utility over to context menus and the Tools menu, but overall I think most administrators will welcome the changes.

The Active Directory Administrative Center duplicated much of the functionality of other Active Directory consoles without adding a lot of new capabilities. The latest version streamlines the processes of assigning fine-grained password policies and using the AD Recycle Bin, which raises its utility several notches. As we all get used to Dynamic Access Control, its utility should increase even further.

Excerpted and available for download from Global Knowledge Under the Hood: Updates and Improvements in Active Directory Tools for Windows Server 2012
