A second example of a common Active Directory management task
you can perform using ADAC is creating new user accounts and
managing existing ones. To create a new user account,
right-click the appropriate organizational unit, select
New, and then select User. Then fill in the necessary information on
the Create User properties page, as shown in Figure 8.

After you click OK to create the new user account and return
the focus to ADAC, you can click the small caret at the bottom right
of ADAC to display the Windows PowerShell History Viewer, which
allows you to view the actual Windows PowerShell commands that are
executed whenever you perform administrative tasks with ADAC. Figure 9 shows the
commands involved during the creation of the new user account for
Karen Berg that was shown previously in Figure 8. Note that a
simple task like creating a single new user might require executing
several different Windows PowerShell commands.

The actual Windows PowerShell commands needed to create the
new user Karen Berg in the preceding example were as follows:

```powershell
New-ADUser -DisplayName:"Karen Berg" -GivenName:"Karen" -Name:"Karen Berg" `
    -Path:"OU=Seattle Users OU,OU=Seattle OU,DC=corp,DC=contoso,DC=com" `
    -SamAccountName:"kberg" -Server:"SEA-SRV-1.corp.contoso.com" `
    -Surname:"Berg" -Type:"user" -UserPrincipalName:[email protected]

# The History Viewer shows the type name System.Security.SecureString
# in place of the password that was entered.
Set-ADAccountPassword `
    -Identity:"CN=Karen Berg,OU=Seattle Users OU,OU=Seattle OU,DC=corp,DC=contoso,DC=com" `
    -NewPassword:"System.Security.SecureString" `
    -Reset:$null -Server:"SEA-SRV-1.corp.contoso.com"

Enable-ADAccount `
    -Identity:"CN=Karen Berg,OU=Seattle Users OU,OU=Seattle OU,DC=corp,DC=contoso,DC=com" `
    -Server:"SEA-SRV-1.corp.contoso.com"

Set-ADObject `
    -Identity:"CN=Karen Berg,OU=Seattle Users OU,OU=Seattle OU,DC=corp,DC=contoso,DC=com" `
    -ProtectedFromAccidentalDeletion:$true `
    -Server:"SEA-SRV-1.corp.contoso.com"

Set-ADAccountExpiration -DateTime:"09/02/2012 00:00:00" `
    -Identity:"CN=Karen Berg,OU=Seattle Users OU,OU=Seattle OU,DC=corp,DC=contoso,DC=com" `
    -Server:"SEA-SRV-1.corp.contoso.com"

Set-ADAccountControl -AccountNotDelegated:$false `
    -AllowReversiblePasswordEncryption:$true `
    -CannotChangePassword:$true -DoesNotRequirePreAuth:$false `
    -Identity:"CN=Karen Berg,OU=Seattle Users OU,OU=Seattle OU,DC=corp,DC=contoso,DC=com" `
    -PasswordNeverExpires:$true -Server:"SEA-SRV-1.corp.contoso.com" `
    -UseDESKeyOnly:$false

Set-ADUser -ChangePasswordAtLogon:$false `
    -Identity:"CN=Karen Berg,OU=Seattle Users OU,OU=Seattle OU,DC=corp,DC=contoso,DC=com" `
    -Server:"SEA-SRV-1.corp.contoso.com" -SmartcardLogonRequired:$false
```

To copy the commands shown in the History Viewer to your
clipboard, first click to select them and then click Copy at the top
of the Windows PowerShell History pane. You can then paste the
commands into an editor like Notepad, customize them as needed, and
use them as a basis for performing a bulk creation of new users with
the addition of some Windows PowerShell scripting.
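
One way to turn the recorded commands into a bulk creation, as an added example that is not from the book: each account gets a real SecureString password, because the History Viewer output shows only the type name, and the reversible-encryption, non-expiring and cannot-change-password options that the recorded Set-ADAccountControl call turned on are left at their defaults. The CSV rows, the New-RandomPassword helper and the use of -WhatIf are assumptions of this example.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module (RSAT);
# OU and server names are the ones in the History Viewer output above.
Import-Module ActiveDirectory

$Server = 'SEA-SRV-1.corp.contoso.com'
$Path   = 'OU=Seattle Users OU,OU=Seattle OU,DC=corp,DC=contoso,DC=com'

# Constructed sample input; in practice load it with Import-Csv.
$NewUsers = @'
GivenName,Surname,SamAccountName
Test,UserOne,tuser1
Test,UserTwo,tuser2
'@ | ConvertFrom-Csv

function New-RandomPassword {
    # Hypothetical helper: random initial password returned as a SecureString.
    param([int]$Length = 20)
    # 64-character alphabet, so (byte % 64) picks every character equally often.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {
        $rng.GetBytes($bytes)
        $plain = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
    } until ($plain -cmatch '[A-Z]' -and $plain -cmatch '[a-z]' -and $plain -match '\d')
    $rng.Dispose()
    ConvertTo-SecureString $plain -AsPlainText -Force
}

foreach ($u in $NewUsers) {
    $name   = "$($u.GivenName) $($u.Surname)"
    $params = @{
        Name                  = $name
        DisplayName           = $name
        GivenName             = $u.GivenName
        Surname               = $u.Surname
        SamAccountName        = $u.SamAccountName
        Path                  = $Path
        Server                = $Server
        AccountPassword       = New-RandomPassword   # a real SecureString, per user
        Enabled               = $true
        ChangePasswordAtLogon = $true                # user must replace the initial password
    }
    # Reversible encryption, non-expiring password and "cannot change password"
    # are deliberately not set; they stay at their secure defaults.
    # -WhatIf previews each creation; remove it to create the accounts.
    New-ADUser @params -WhatIf
}
```

Getting the initial password to each user (or resetting it at first contact) is outside what this example covers.
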
Creating new groups, computer accounts, and
InetOrgPerson objects is a similar process to
the one just shown and should require no further explanation. Here
are some other tasks you can perform using ADAC:

- Selecting a domain or domain controller to perform your
  administrative tasks on
- Raising the forest or domain functional level
- Enabling the Active Directory Recycle Bin
- Configuring fine-grained password policies
- Configuring Dynamic Access Control

Note: Dynamic Access Control
Dynamic Access Control (DAC) is another new feature of
Active Directory in Windows Server 2012. You use DAC to implement
a claims-based authorization solution. In this type of solution,
you use central access policies, rules, and claim types to enable
the use of file-classification information in authorization
decisions. With DAC, you can define access and audit policies in a
simple and flexible way that can significantly reduce the number
of groups you need to manage in your Active Directory environment.