Active Directory has always captivated me. I know that sounds silly but it’s true.
When I was still a young buck in college, I remember logging into the computer lab and hearing rumors how the machines were “locked down” by the despotic Network Administrator. I attended a small liberal arts state school so I knew exactly who the Network Administrator was (he was actually a student just like me!) but I couldn’t figure out why he would want to lock me down. After all, I was a Computer Science major like him so why didn’t he trust me not to break the box? It’s not like I was one of those impetuous English majors who clicked every link that said “Act now!”
But I digress.
As you already know, Active Directory is almost everywhere. In fact you probably either currently log into an Active Directory machine at your job or have done so in the past. Almost every company with more than a few dozen computers is using a Domain Controller running Active Directory to authenticate users.
It’s one of the easiest ways to manage users, grant permissions and organize resources.
My initial love for Active Directory started in college when I avowed to find a way to circumvent the restrictions of Group Policy. Fast forward 10 years. I moved to New York City, got a wife, got a job, and started managing users in Active Directory.
And I developed my own habits.
None of them were particularly bad, but the problem was that they weren’t the best ways to get things done. I’ve been using Active Directory for over a decade, but it wasn’t until a few days ago that I discovered three time-saving tricks that made my job a little more enjoyable.
I’ll pass on what I’ve learned to you! I’ve got a handful of tricks you can start using right now in your Windows Server 2012 R2 Active Directory environments.
Let’s jump in!
1. Creating new accounts via Copy
Let’s say you have four new hires on-boarding with your company tomorrow. They will all report to the same manager and work in the same department.
How would you create these accounts?
Before I knew about the trick I’m about to share with you, I would find the Organizational Unit (OU) that contained my users. Then I would right-click it, choose New from the context menu and pick User.
Next I would fill out the user’s first name, last name, password and configure his or her direct reports and group memberships. I would repeat the process for each user. Since I’ve been doing this for so long I could usually bang out a few users fairly quickly.
But let me tell you a secret: if you’re creating users in Active Directory this way, you’re doing it the hard way.
Since we know all our users have the same manager and group permissions, all we need to do is find a “template” user and choose Copy from the right-click menu. This will let us add that person’s unique first name, last name and login name but keep all the other attributes. So all the group memberships and reporting structure will simply be copied over.
It’s a huge time saver and I can’t believe I didn’t discover it earlier!
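The same copy done from PowerShell, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module and placeholder names (the template account sales.template, the domain corp.example and the OU paths), and it copies the organisational attributes and the group memberships explicitly so you can see exactly what comes across from the template.

```powershell
Import-Module ActiveDirectory

function Copy-TemplateUser {
    param(
        [Parameter(Mandatory)] [string] $TemplateSam,      # existing "template" user to copy
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $TargetOu,         # OU the new account is created in
        [Parameter(Mandatory)] [securestring] $Password
    )

    # Only the organisational attributes come across; personal ones (phone, home directory) do not.
    $t = Get-ADUser -Identity $TemplateSam -Properties Department,Title,Company,Manager,Office,Description
    $copied = @{}
    foreach ($attr in 'Department','Title','Company','Manager','Office','Description') {
        if ($t.$attr) { $copied[$attr] = $t.$attr }
    }

    $display = "$GivenName $Surname"
    $upn = "$SamAccountName@$((Get-ADDomain).DNSRoot)"
    New-ADUser @copied -Name $display -DisplayName $display -GivenName $GivenName -Surname $Surname `
        -SamAccountName $SamAccountName -UserPrincipalName $upn -Path $TargetOu `
        -AccountPassword $Password -Enabled $true -ChangePasswordAtLogon $true

    # Group membership is not an attribute of the user, so it has to be copied explicitly.
    # Every group the template belongs to lands on the new hire, so keep template accounts minimal.
    $groups = Get-ADPrincipalGroupMembership -Identity $TemplateSam |
        Where-Object { $_.SamAccountName -ne 'Domain Users' }   # primary group, assigned by default
    foreach ($g in $groups) { Add-ADGroupMember -Identity $g -Members $SamAccountName }

    Get-ADUser -Identity $SamAccountName -Properties MemberOf,Manager,Department
}

# Constructed sample: two of the four new hires, same manager and department as the template.
$hires = @(
    @{ GivenName = 'Ada';  Surname = 'Lovelace'; Sam = 'alovelace' },
    @{ GivenName = 'Alan'; Surname = 'Turing';   Sam = 'aturing'   }
)
foreach ($h in $hires) {
    $pw = Read-Host -Prompt "Initial password for $($h.Sam)" -AsSecureString
    Copy-TemplateUser -TemplateSam 'sales.template' -GivenName $h.GivenName -Surname $h.Surname `
        -SamAccountName $h.Sam -TargetOu 'OU=Sales,OU=Staff,DC=corp,DC=example' -Password $pw
}
```

Each hire gets its own initial password and must change it at first logon, which is the one place the GUI copy is easy to get wrong when you are banging out several accounts in a row.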
2. Create your computer accounts before the domain join
So let me ask you a candid question: how do you typically join new machines to the domain?
Most of the admins I know go to System, choose Change Settings and join the domain there. This is how I always did it and there’s nothing technically wrong with this method. It works.
But did you know there’s a better, smarter way to join your PCs to the domain?
Whenever you join a Windows Pro machine to a domain, the Domain Controller (DC) dumps a new computer object into the Computers container. The computer object is simply named after the hostname of the freshly joined PC.
The problem is that as you join dozens of computers they all pile up in this container. Eventually it will get hard to figure out which machine goes with which OU.
Sure, you could manually drag them into the proper buckets after joining them but I’m here to tell you there’s an easier way.
Just add the computer object into the OU you want it to live in. Then, join the PC to the domain.
Doing this prevents the machine from getting dumped in the generic Computers container.
There won’t be any duplicates either. It’s quite nice.
Since you created and placed the computer object before the domain join, Active Directory honors your forethought.
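The pre-staging step scripted, as an added example that is not from the original post. It assumes the RSAT ActiveDirectory module and placeholder names (SALES-PC01, corp.example, the OU path), refuses to create a duplicate object, and adds a check for machines that did land in the default Computers container, since those are the ones sitting outside any OU-linked Group Policy.

```powershell
Import-Module ActiveDirectory

# Create the computer object in its final OU before the join, so it never lands in CN=Computers.
function New-PrestagedComputer {
    param(
        [Parameter(Mandatory)] [string] $Name,       # must match the hostname the PC will join with
        [Parameter(Mandatory)] [string] $TargetOu
    )
    if (Get-ADComputer -Filter "Name -eq '$Name'") {
        throw "A computer object named $Name already exists; check for a stale duplicate first."
    }
    New-ADComputer -Name $Name -Path $TargetOu -Enabled $true
    Get-ADComputer -Filter "Name -eq '$Name'" | Select-Object Name, DistinguishedName, Enabled
}

# Anything in the default container is a machine that skipped pre-staging; review it periodically.
function Get-UnstagedComputers {
    $defaultContainer = (Get-ADDomain).ComputersContainer
    Get-ADComputer -Filter * -SearchBase $defaultContainer -SearchScope OneLevel -Properties whenCreated |
        Sort-Object whenCreated -Descending |
        Select-Object Name, whenCreated
}

New-PrestagedComputer -Name 'SALES-PC01' -TargetOu 'OU=Workstations,OU=Sales,DC=corp,DC=example'
Get-UnstagedComputers

# Then, on SALES-PC01 itself (elevated), join with an account permitted to join the pre-staged object:
# Add-Computer -DomainName corp.example -Credential (Get-Credential) -Restart
```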
3. Easily find locked, stale, and expired accounts
This last one is my favorite Active Directory trick. It’s really not a trick I guess (you won’t oohh and ahhh in the same way the crowd does before a magician) but it will certainly make you smile.
Here’s the scenario:
Your boss comes to you at 9 in the morning and barks:
Hey, I need you to show me all users who haven’t logged into their machines in the last 120 days. And make it quick, I’ve got a meeting in 5 minutes.
How would you pull this off? Don’t even think about using PowerShell or Googling around. There’s a super easy way to do this using the Active Directory Administration Center.
One minute later he comes back and says:
Oh yeah, and can you show me all the locked out accounts and everyone whose password is about to expire? And one more thing: I want to know all the users in our Sales department. I keep forgetting.
Is there any way you can pull this off in four minutes?
There sure is. It’s all right there in the Active Directory Administration Center.
Open the Server Manager, click Tools in the menu bar and choose Active Directory Administration Center.
Now select your domain from the left pane.
Click Search under this node in the right pane under Tasks.
Click the little down arrow in the right corner to reveal the search criteria.
When you click the Add criteria drop-down box you’ll see a myriad of options to search on. Here are a few of my favorites:
- Users with disabled/enabled accounts
- Users with an expired password
- Users with enabled but locked accounts
- Users with enabled accounts who have not logged on for more than a given number of days
- Users with a password expiring in a given number of days
Note: don’t do this on the parent domain, only do these global searches on an Organizational Unit or else you could really bog down the system.
Click Search to start the fun.
I modified the search criteria to only return users with accounts in the disabled state.
You can move, delete, enable, locate or reset the password of any account in the result list. It’s pretty cool.
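The same five searches the boss asked for, as an added PowerShell example that is not from the original post. It assumes the RSAT ActiveDirectory module and a placeholder OU path; it deliberately takes an OU as its search base rather than the domain root, for the reason given in the note above.

```powershell
Import-Module ActiveDirectory

function Get-AccountHygieneReport {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # e.g. 'OU=Staff,DC=corp,DC=example'
        [int] $InactiveDays  = 120,
        [int] $ExpiringDays  = 14,
        [string] $Department = 'Sales'
    )

    # Search-ADAccount reads lastLogonTimestamp, which replicates lazily (it can be ~14 days behind),
    # so "inactive for 120 days" is a floor, not an exact figure.
    $inactive = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) `
                    -UsersOnly -SearchBase $SearchBase | Where-Object { $_.Enabled }

    $locked  = Search-ADAccount -LockedOut -UsersOnly -SearchBase $SearchBase
    $expired = Search-ADAccount -PasswordExpired -UsersOnly -SearchBase $SearchBase

    # Password expiry is a constructed attribute holding a FILETIME; 0 means "must change at next logon".
    $cutoff = (Get-Date).AddDays($ExpiringDays).ToFileTime()
    $expiring = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
                    -SearchBase $SearchBase -Properties 'msDS-UserPasswordExpiryTimeComputed' |
                Where-Object {
                    $exp = $_.'msDS-UserPasswordExpiryTimeComputed'
                    $exp -gt 0 -and $exp -lt $cutoff
                } |
                Select-Object SamAccountName,
                    @{ n = 'ExpiresOn'; e = { [datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed') } }

    $dept = Get-ADUser -Filter "Department -eq '$Department'" -SearchBase $SearchBase -Properties Department

    [pscustomobject]@{
        Inactive         = $inactive | Select-Object SamAccountName, LastLogonDate
        LockedOut        = $locked   | Select-Object SamAccountName, LockedOut
        PasswordExpired  = $expired  | Select-Object SamAccountName
        PasswordExpiring = $expiring
        Department       = $dept     | Select-Object SamAccountName, Name
    }
}

$report = Get-AccountHygieneReport -SearchBase 'OU=Staff,DC=corp,DC=example'
$report.Inactive | Format-Table -AutoSize
$report.PasswordExpiring | Format-Table -AutoSize
```

Enabled accounts that nobody has logged into for months are the ones worth disabling first, since they are the ones an attacker can still use without anyone noticing.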
Incidentally, did you know if you accidentally delete an object in Active Directory you can recover it from a special recycle bin?
Just right-click the domain name in the left pane of the Active Directory Administrative Center (also called ADAM) and pick Enable Recycle Bin.
Deleted objects will show up in a new Deleted Objects container next to your other default containers such as Built-In, Computers and System.
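The Recycle Bin from PowerShell, as an added example that is not part of the original post: enabling it (a one-time, forest-wide change that cannot be undone), listing what is in the Deleted Objects container, and restoring one object by GUID. It assumes the RSAT ActiveDirectory module and an account with the rights to enable forest features.

```powershell
Import-Module ActiveDirectory

# Same thing the GUI's "Enable Recycle Bin" does; skip it if the feature is already on.
function Enable-DomainRecycleBin {
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if ($feature.EnabledScopes.Count -gt 0) { return 'Recycle Bin already enabled' }
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target (Get-ADForest).Name -Confirm:$false
    'Recycle Bin enabled'
}

# What is sitting in Deleted Objects, newest first. msDS-LastKnownRDN keeps the original name;
# the Name attribute of a tombstoned object has a "DEL:<guid>" suffix appended.
function Get-RecentlyDeletedUsers {
    param([int] $Days = 30)
    Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' -IncludeDeletedObjects `
        -Properties lastKnownParent, whenChanged, 'msDS-LastKnownRDN' |
        Where-Object { $_.whenChanged -gt (Get-Date).AddDays(-$Days) } |
        Sort-Object whenChanged -Descending |
        Select-Object ObjectGUID, 'msDS-LastKnownRDN', lastKnownParent, whenChanged
}

# Put a deleted user back in its last known parent OU, memberships included.
function Restore-DeletedUser {
    param([Parameter(Mandatory)] [guid] $ObjectGuid)
    Restore-ADObject -Identity $ObjectGuid
    Get-ADUser -Identity $ObjectGuid -Properties MemberOf | Select-Object Name, DistinguishedName, MemberOf
}

Enable-DomainRecycleBin
Get-RecentlyDeletedUsers -Days 7
# Restore-DeletedUser -ObjectGuid '<guid from the list above>'
```

A sudden burst of entries in that container is also worth a look on its own: mass deletions of users or groups are rarely routine administration.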
The Bottom Line
So there you have it.
Now you know how to copy user accounts, correctly join computers and search for almost any criteria you need in Active Directory.
Do you know of any Active Directory time savers? Please share in the comments below.