Old vs new! Batman vs Superman! Active Directory Users and Computers vs Active Directory Administrative Center. It’s time for a showdown!
Active Directory Users and Computers is the old, familiar approach to managing your domain. It uses a Microsoft Management Console (MMC) snap-in to provide the classic three-pane window with a navigation tree in the left, primary information with your user, computer, groups, and other objects in the center, and available actions in the right. ADUC is an oldie but goodie. It’s a classic that many an administrator are not prone to abandon. There’s already enough change in the IT field, why should we have to change our tools as well?
Active Directory Administrative Center is the relatively new kid in town. It has been around since Server 2008/Windows Vista and received a GUI overhaul with Server 2012/Windows 8 but does not seem to be nearly as common in IT Pro discussions as AD Users and Computers.
Do you have a preferred tool? Let’s duke it out and compare each tool’s strengths and weaknesses!
Active Directory Users and Computers
AD Users and Computers is the classic MMC snap-in. To get the most out of the tool, you need to go to the View menu and toggle on Advanced Features. This will get you additional information about your objects such as the Objects tab, which tells you the canonical name of an object, revealing the path to where the object resides.
One of the primary tasks with Active Directory management is finding those object in your environment so that you can manage them. Search is a weaker point of ADUC but it was sufficient all this time despite its annoyances. One such annoyance is having to specify if you are searching for a user/group, computer, printer, OU (Organizational Unit), or other objects. If you right-click on an OU and choose ‘Find’ the ‘In’ drop-down will start in that OU and only search in that area and below. If you want to search your whole forest or domain, you will have to change the drop-down or change where you click. This is the same case if you have an OU selected and go to the Action menu and start your search from choosing ‘Find’ there.
If you did one search in users, and say you forgot to specify computers first, you can change the drop-down. You will then receive the annoying pop-up telling you “this will clear your current search results.”
Having to specify the object type is an annoyance beyond just search. If you want to add a computer as a member of a group, you have to specify the object type when you are entering the computer’s name for AD to find the object and add it to the group.
Another annoying quirk with AD Users and Computers is that when you search an object, you are not able to view all of the tabs. The ‘Attribute Editor’ tab does not appear when you view the properties of an object from the search results. If you are using any attributes beyond the basic ones that appear in the normal tabs, this can be frustrating on a daily basis.
As a result of not getting the attributes tab, you might switch to the Object tab to find the object’s location. After you drill down to that location and view the properties of the object that way, you will see the Attribute Editor tab.
There’s a trick to make it faster to view the full object properties.
- Search for the object.
- Switch to the Member Of tab.
- Double-click on a group the object is a part of (hopefully one with few other members) to open the group’s properties.
- Close the object’s properties.
- On the group’s properties window, switch to the Members tab.
- Find the object you originally searched for and double-click it.
This will open up the object’s properties window with the attribute editor tab. Yes, sadly, those six steps can be a faster way of getting to the full object properties.
Moving objects is another common task in Active Directory management and another way that AD Users and Computers differs from AD Administrative Center. You can right-click on an object and choose ‘Move…’ from the context window. This will open up a dialog box with a compact version of the AD structure tree. You select the OU or container where you wish to move the object, click OK, and the object will be in its new home.
With AD Users and Computers, you can also use drag-and-drop to move objects to their new location. You might receive a warning if you have not dismissed it previously about “moving objects in Active Directory Domain Services” but it is basically telling you that Group Policy inheritance could differ from the old location to the new, and is safe to dismiss with that in mind.
One thing that might give AD Users and Computers a leg-up is that it is an MMC snap-in. This means you could customize your console to include all of your tools like AD, Group Policy, DNS, DHCP, all in one console. You could even take this a step further and give yourself some real convenience with taskpad views to have scripts and common commands readily available.
Active Directory Administrative Center
AD Administrative Center is the newer tool, so it should have the benefit of learning from the previous generation tool. It definitely improves some things but also introduces its own ways that it falls short.
Search is one of AD Administrative Center’s strong suits. Global Search is available right from the start page or from the left navigation column. When you search, it is searching all types of objects. You do not have to specify computers versus users or groups.
The global search also allows you to add criteria. This allows you to do more specific searches against specific attributes. This is handy but the implementation has its annoyances. You have to click the arrow on the right of the center pane to drop-down the advanced options. After that, you can add criteria such as Employee ID or other attributes. You can save your search criteria if it is common but you will have to select it each time you open AD Administrative Center as it will not remember the previous criteria as your default search.
You can also convert your search to LDAP, in case you need to test a search string against which objects are found, or just want to see the LDAP version of the search. This also allows you to just type (or copy+paste) your search queries.
When you open an object in AD Administrative Center, you can see all of the information pretty easily. There is a collapsed section at the bottom that you can expand to view more details such as last logon time, password last set, and even calculated password expiration dates. The canonical name is available in this section or as a column in the search results.
Scrolling down to the bottom of an object, there is a tabbed interface that looks a lot like Users and Computers. This ‘Extensions’ section looks a little out-of place but allows you quick access to things like the Attribute Editor tab, which appears whether you search or drill down to an object. Oddly, the Telephones tab did not make it to the Extensions section while not all fields are carried over to the other locations (except the Attribute Editor list, of course).
Beyond searching, you can explore your AD structure by expanding the domain listing in the left pane. If there are frequent locations that you use, you can pin those under the local domain.
Moving objects with AD Administrative Center gives you one choice, you can right-click and choose Move. This opens an expanding window where you can chase the structure through to the destination you which to move the objects. This interface seems similar to Apple’s OS X Finder. There is no drag-and-drop option here.
Lastly, AD Administrative Center has a unique feature where it will show you the PowerShell script executed to complete your previous tasks. This can help you learn PowerShell and using it to interact with Active Directory. You can copy the commands for future reference or if you need to repeat these tasks regularly.
Fortunately, you do not have to choose between the tools. Both are included with the Remote Server Administration Tools (RSAT) for your operating system. You can choose which you use and when, or for what task. Going through it above, I think each tool has strengths, weaknesses, preferences, familiarity, and shortcomings. In my case, I will prefer to use AD Administrative Center when I need to search for objects and look at their attributes quickly. I will prefer to use AD Users and Computers when viewing the tree structure matters, which helps when administering Group Policy, and when moving objects or rethinking the current structure.
So, to answer the earlier question, why should we have to change our tools as well? When it’s to our advantage!
If there are other noteworthy difference that you notice between these tools, let me know on social media.