
3 simple time saving tricks in Active Directory - fixedByVonnie

Active Directory has always captivated me.  I know that sounds silly but it’s true.

When I was still a young buck in college, I remember logging into the computer lab and hearing rumors about how the machines were “locked down” by the despotic Network Administrator.  I attended a small liberal arts state school, so I knew exactly who the Network Administrator was (he was actually a student just like me!), but I couldn’t figure out why he would want to lock me down.  After all, I was a Computer Science major like him, so why didn’t he trust me not to break the box?  It’s not like I was one of those impetuous English majors who clicked every link that said “Act now!”

But I digress.

As you already know, Active Directory is almost everywhere.  In fact, you probably either currently log into an Active Directory-joined machine at your job or have done so in the past.  Almost every company with more than a few dozen computers runs a Domain Controller with Active Directory Domain Services to authenticate its users.

It’s one of the easiest ways to manage users, grant permissions and organize resources.

My initial love for Active Directory started in college when I vowed to find a way to circumvent the restrictions of Group Policy. Fast forward 10 years.  I moved to New York City, got a wife, got a job, and started managing users in Active Directory.

And I developed my own habits.  

None of them were particularly bad, but the problem was that they weren’t the best ways to get things done. I’ve been using Active Directory for over a decade, but it wasn’t until a few days ago that I discovered three time-saving tricks that made my job a little more enjoyable.

I’ll pass on what I’ve learned to you!  I’ve got a handful of tricks you can start using right now in your Windows Server 2012 R2 Active Directory environments.

Let’s jump in!

1. Creating new accounts via Copy

Let’s say you have four new hires on-boarding with your company tomorrow.  They will all report to the same manager and work in the same department.

How would you create these accounts?

Before I knew about the trick I’m about to share with you, I would open Active Directory Users and Computers (ADUC) and find the Organizational Unit (OU) that contained my users. Then I would right-click it, choose New from the context menu and pick User.

Next I would fill out the user’s first name, last name and password, then set his or her manager and group memberships.  I would repeat the process for each user.  Since I’ve been doing this for so long I could usually bang out a few users fairly quickly.

But let me tell you a secret: if you’re creating users in Active Directory this way, you’re doing it the hard way.

Since all four users share the same manager and group memberships, all we need to do is find a “template” user in ADUC, right-click it and choose Copy.  The wizard asks only for the new person’s first name, last name, login name and password and keeps the rest: the group memberships and the manager are carried over, along with every other attribute the schema flags as “copied when duplicating a user” (department, company, the Profile tab paths, logon hours and the account expiry date, for example).  Two caveats: attributes without that flag, such as Description and the telephone numbers, are not copied, so look the new account over once; and because every group the template belongs to comes along, copy from a dedicated, disabled template account that holds exactly the rights the role needs rather than from a colleague who may have accumulated extras over the years.

Copy an existing Active Directory user as a template

It’s a huge time saver and I can’t believe I didn’t discover it earlier!
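If you would rather script the copy than click through the wizard four times (ADAC has no Copy command, so PowerShell is the way to do it there), here is an added example, not code from the original post: it uses the ActiveDirectory module’s New-ADUser -Instance parameter to stamp out the four accounts from a template. The template name, target OU, UPN suffix and the list of new hires are all assumptions.

```powershell
# Added example (not from the original post): bulk-create users from a template
# account with the ActiveDirectory module. Template name, OU, UPN suffix and the
# new-hire list are hypothetical.
Import-Module ActiveDirectory

$templateSam = 'tmpl.sales'                                  # assumed: a disabled, never-used template
$targetOU    = 'OU=Sales,OU=Corp Users,DC=corp,DC=example'   # assumed OU
$upnSuffix   = 'corp.example'                                # assumed UPN suffix

function New-RandomPassword {
    # 64-symbol alphabet so that (byte % 64) is uniform; ambiguous glyphs (I, O, l, 0, 1) dropped
    param([int]$Length = 20)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $bytes = New-Object byte[] $Length
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Only writable attributes go into the template object. MemberOf is a back-link
# (not settable), so group membership is fetched separately and re-applied.
$template = Get-ADUser -Identity $templateSam `
    -Properties Manager, Department, Company, Office, ScriptPath, ProfilePath, HomeDirectory, HomeDrive
$groups   = (Get-ADUser -Identity $templateSam -Properties MemberOf).MemberOf

# Constructed input: tomorrow's four new hires
$newHires = @(
    @{ First = 'Ada';    Last = 'Lovelace' },
    @{ First = 'Grace';  Last = 'Hopper'   },
    @{ First = 'Alan';   Last = 'Turing'   },
    @{ First = 'Dennis'; Last = 'Ritchie'  }
)

$created = foreach ($h in $newHires) {
    $sam = ('{0}.{1}' -f $h.First, $h.Last).ToLower()
    $pw  = New-RandomPassword

    # -Instance copies the template's retrieved attributes (manager, department, ...).
    # Everything that identifies the person is overridden so that no Name,
    # sAMAccountName or UPN collides with the template or with each other.
    New-ADUser -Instance $template `
        -Name "$($h.First) $($h.Last)" -DisplayName "$($h.First) $($h.Last)" `
        -GivenName $h.First -Surname $h.Last `
        -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" `
        -Path $targetOU `
        -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true

    # Re-apply the template's group memberships explicitly
    foreach ($g in $groups) { Add-ADGroupMember -Identity $g -Members $sam }

    # One-time password per user; hand it to the manager out of band
    [pscustomobject]@{ SamAccountName = $sam; InitialPassword = $pw }
}

$created | Format-Table -AutoSize
```

Each account gets its own random initial password with “change at next logon” set, so the template never needs a real password and nothing is shared between the four new hires.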

2. Create your computer accounts before the domain join

What? Huh?

So let me ask you a candid question: how do you typically join new machines to the domain?

Most of the admins I know go to System, choose Change settings and join the domain from there.  This is how I always did it, and there’s nothing technically wrong with this method.  It works.

But did you know there’s a better, smarter way to join your PCs to the domain?

Whenever you join a Windows machine (Pro or better; Home editions can’t join) to the domain without any preparation, the Domain Controller (DC) creates a new computer object in the default Computers container.  The object is named after the PC’s hostname (its sAMAccountName is the hostname with a trailing $).

The problem is that as you join dozens of computers they all pile up in this container.  Eventually it gets hard to figure out which machine belongs in which OU, and, because Computers is a container rather than an OU, no Group Policy can be linked to it: a machine left there gets only domain-level policy until someone moves it.

Sure, you could manually drag them into the proper buckets after joining them but I’m here to tell you there’s an easier way.

Just create the computer object in the OU you want it to live in.  Then join the PC to the domain.

Create a new Computer object in Active Directory

Doing this prevents the machine from getting dumped in the generic Computers container, so the OU’s Group Policy applies from the first reboot.

Name the computer object the hostname

There won’t be a duplicate, either: the join looks up the existing object by name (the hostname with a trailing $ as its sAMAccountName) and binds the machine to it.  It’s quite nice.

The one catch is permissions.  Whoever runs the join must be allowed to use that pre-staged object, so if it isn’t the admin who created it, name the joining user or group in the “User or group” box of the New Object - Computer dialog, or the join fails with access denied.
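The same two steps scripted, as an added example rather than code from the original post: New-ADComputer pre-stages the object, a check confirms it landed in the intended OU, and Add-Computer joins the PC under that name. Hostname, OU, domain and the join account are assumptions.

```powershell
# Added example (not from the original post): pre-stage the computer object in
# the OU it belongs in, verify it, then join. Hostname, OU, domain and the join
# account are hypothetical.
Import-Module ActiveDirectory

$hostName = 'WS-SALES-07'
$ou       = 'OU=Workstations,OU=Sales,DC=corp,DC=example'
$domain   = 'corp.example'

# --- Step 1, on an admin workstation: create the object where it should live ---
if (-not (Get-ADComputer -Filter "Name -eq '$hostName'")) {
    # sAMAccountName defaults to "$hostName$" when not given
    New-ADComputer -Name $hostName -Path $ou -Description 'Sales laptop, pre-staged'
}

# Sanity check: the object must sit under the intended OU, not in CN=Computers
$obj = Get-ADComputer -Identity $hostName
if ($obj.DistinguishedName -ne "CN=$hostName,$ou") {
    throw "Pre-staged object is at $($obj.DistinguishedName), expected CN=$hostName,$ou"
}

# --- Step 2, on the new PC, from an elevated prompt: rename and join ---
# A computer object with this name already exists, so the join binds to it
# instead of creating a second one in the default Computers container.
# The account used here must be the one that created the object (or one named
# in the "User or group" box of the ADUC dialog). Drop -NewName if the PC was
# already named WS-SALES-07 during setup.
$cred = Get-Credential -Message 'Account permitted to join the domain' -UserName "$domain\adm.joiner"
Add-Computer -DomainName $domain -NewName $hostName -Credential $cred -Restart

# Alternative without pre-staging: Add-Computer -DomainName $domain -OUPath $ou -Credential $cred
# places the new object directly in the OU, but the creator then has to be the join account.
```

The check before the join is the part worth keeping: it catches the case where someone already created an object with that name elsewhere, which would otherwise make the join silently bind to the wrong OU.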

3. Easily find locked, stale, and expired accounts

This last one is my favorite Active Directory trick.  It’s really not a trick I guess (you won’t oohh and ahhh in the same way the crowd does before a magician) but it will certainly make you smile.

Here’s the scenario:

Your boss comes to you at 9 in the morning and barks:

Hey, I need you to show me all users who haven’t logged into their machines in the last 120 days.  And make it quick, I’ve got a meeting in 5 minutes.

How would you pull this off?  Don’t even think about using PowerShell or Googling around.  There’s a super easy way to do this using the Active Directory Administrative Center.

One minute later he comes back and says:

Oh yeah, and can you show me all the locked out accounts and everyone whose password is about to expire?  And one more thing: I want to know all the users in our Sales department.  I keep forgetting.

Is there any way you can pull this off in four minutes?

There sure is.  It’s all right there in the Active Directory Administrative Center (ADAC).

Open Server Manager, click Tools in the menu bar and choose Active Directory Administrative Center.

Now select your domain from the left pane.

Active Directory Administrative Center

Click Search under this node in the right pane under Tasks.

Active Directory Administrative Center Search Under This Node

Click the little down arrow in the right corner to reveal the search criteria.

Expand search criteria in Active Directory

When you click the Add criteria drop-down box you’ll see a myriad of options to search on (plus a Convert to LDAP link that reveals the LDAP filter the criteria build, which you can edit by hand).  Here are a few of my favorites:

  • Users with disabled/enabled accounts
  • Users with an expired password
  • Users with enabled but locked accounts
  • Users with enabled accounts who have not logged on for more than a given number of days
  • Users with a password expiring in a given number of days
  • Department

Note: a search scoped at the domain root walks the entire tree, which can really bog down a large domain; scope these global searches to an Organizational Unit when you can.  One more caveat for the “not logged on for more than N days” criterion: it reads lastLogonTimestamp, which does replicate between DCs but is only refreshed when the stored value is more than 14 days old (the default msDS-LogonTimeSyncInterval), so the results are accurate to roughly two weeks, not to the day.

Click Search to start the fun.

Active Directory Global Search Results

I modified the search criteria to only return users with accounts in the disabled state.

You can move, delete, enable, locate or reset the password of any account in the result list.  It’s pretty cool.
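The same four answers from PowerShell, as an added example (not code from the original post) for when the boss wants them as files rather than on a screen: Search-ADAccount covers the inactive and locked-out accounts, a computed attribute gives the password expiry dates, and a plain filter gives the department. The OU and the department name are assumptions.

```powershell
# Added example (not from the original post): answer the four requests with the
# ActiveDirectory module. Search base, output folder and department are hypothetical.
Import-Module ActiveDirectory

function Get-AccountReport {
    param(
        [string]$SearchBase = 'OU=Corp Users,DC=corp,DC=example',   # assumed: scope to an OU, not the root
        [int]$InactiveDays  = 120,
        [int]$ExpiryDays    = 7,
        [string]$Department = 'Sales'
    )

    # 1. Enabled users with no logon in $InactiveDays. This reads lastLogonTimestamp,
    #    which is refreshed at most every 14 days by default, so treat the cut-off
    #    as accurate to about two weeks.
    $stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) `
                -UsersOnly -SearchBase $SearchBase | Where-Object { $_.Enabled }

    # 2. Locked-out accounts
    $locked = Search-ADAccount -LockedOut -UsersOnly -SearchBase $SearchBase

    # 3. Passwords expiring within $ExpiryDays. msDS-UserPasswordExpiryTimeComputed is a
    #    constructed attribute that already honours fine-grained password policies.
    #    Never-expiring or unset passwords come back as 0 or Int64.MaxValue.
    $deadline = (Get-Date).AddDays($ExpiryDays)
    $expiring = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
                    -SearchBase $SearchBase -Properties 'msDS-UserPasswordExpiryTimeComputed' |
        ForEach-Object {
            $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
            if ($raw -and $raw -lt [DateTime]::MaxValue.ToFileTime()) {
                $exp = [DateTime]::FromFileTime($raw)
                if ($exp -le $deadline) {
                    $_ | Add-Member -NotePropertyName PasswordExpires -NotePropertyValue $exp -PassThru
                }
            }
        }

    # 4. Everyone in the department
    $dept = Get-ADUser -Filter "Department -eq '$Department'" -SearchBase $SearchBase -Properties Department

    [ordered]@{
        Stale             = @($stale)
        LockedOut         = @($locked)
        PasswordExpiring  = @($expiring)
        Department        = @($dept)
    }
}

# One CSV per answer so the report can be handed over as-is
$report = Get-AccountReport
foreach ($name in $report.Keys) {
    if ($report[$name].Count -gt 0) {
        $report[$name] | Select-Object Name, SamAccountName, DistinguishedName |
            Export-Csv -Path ".\$name.csv" -NoTypeInformation
    }
    '{0,-18} {1,5}' -f $name, $report[$name].Count
}
```

The stale-account list is the one to treat with care: an account that shows up there is a candidate for disabling, not for deleting, until someone confirms it really is unused (service and shared accounts often sit in that list).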

Using Global Search in the Active Directory Administrative Center

Incidentally, did you know if you accidentally delete an object in Active Directory you can recover it from a special recycle bin?

Just right-click the domain name in the left pane of the Active Directory Administrative Center (ADAC) and pick Enable Recycle Bin.  This needs the forest functional level at Windows Server 2008 R2 or higher, and once enabled it cannot be turned off again.

Active Directory Enable Recycling Bin

Deleted objects will show up in a new Deleted Objects container next to your other default containers such as Builtin, Computers and System, with their attributes and group memberships intact, and can be restored from there for the deleted object lifetime (by default the same as the tombstone lifetime, 180 days on forests created with Windows Server 2003 SP1 or later).
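Enabling the Recycle Bin and restoring an object can also be scripted; the block below is an added example, not code from the original post. The forest name and the deleted user’s name are assumptions.

```powershell
# Added example (not from the original post): enable the Recycle Bin with
# PowerShell and restore a deleted user. Forest and user name are hypothetical.
Import-Module ActiveDirectory

$forest = 'corp.example'

# Enabling is one-way, so check first; this makes the script safe to re-run.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest -Confirm:$false
}

# Deleted objects are renamed "<name>\0ADEL:<guid>" and moved to Deleted Objects,
# hence the -like match on the original name and -IncludeDeletedObjects.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "Ada Lovelace*"' `
    -IncludeDeletedObjects -Properties LastKnownParent, whenChanged

foreach ($d in $deleted) {
    "Restoring '$($d.Name)' (deleted $($d.whenChanged)) into $($d.LastKnownParent)"
    # Use -TargetPath <OU DN> when the original parent OU was deleted as well
    Restore-ADObject -Identity $d
}
```

Restoring a user this way brings back its SID and group memberships, so the restored account is the same principal it was before; a user re-created by hand under the same name would be a new SID with none of the old access.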

The Bottom Line

So there you have it.

Now you know how to copy user accounts, correctly join computers and search for almost any criteria you need in Active Directory.

Do you know of any Active Directory time savers?  Please share in the comments below.



Posted in Windows, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Vista, Windows XP
  • moedogs

    So is there no possible way to do the account copying in the ADAC? Why would that have been removed?