I wish that I could have seen the look on my face the first time that someone at Microsoft told me that Vista was going to contain a special applet that would allow users to search the Active Directory. I was in utter horror. My initial thought turned to complex LDAP queries. The next thing that I thought of was all of the information within the Active Directory that users have no business accessing (things like SIDs, security groups, application assignments, etc.). Panic then gave way to wondering how I could disable this search feature in an effort to keep it out of the users' hands. Now that Vista is in beta testing though, I have had a first hand look at this tool and I can tell you that it is a very practical, useful, and non threatening tool.
Before I Begin
Before I show you the Active Directory search tool though, I want to mention one thing. You have probably heard the computer related acronym GIGO (Garbage In, Garbage Out) at one time or another. The GIGO principle holds very true when it comes to the Active Directory search tool. When you create objects in the Active Directory, you usually have the chance to enter information related to a number of the object’s attributes. For example, if you are creating a user object, you must enter all of the usual information such as the username and password, but you can also enter other information such as the user’s address and phone number.
The reason why the GIGO principle applies here is that if you have entered lots of object attribute information and you keep that information up to date, then the Active Directory search tool will be an invaluable resource to your users. If on the other hand, you are the type of administrator that only enters the minimum required information when creating an Active Directory object, then the Active Directory search tool will be basically useless.
With that said, let’s take a look at the Active Directory search tool. You can access this tool by opening the Control Panel and clicking the Network and Internet link followed by the Network Center link and the Browse the Network link. You will now see a screen reminiscent of Windows 3.11 that displays the computers within the domain, as shown in Figure A.
Figure A: The network screen contains the Search Active Directory link
If you look at the top of this window, you will notice that there is an icon labeled Search Active Directory. Click this link and Windows will launch the Active Directory search tool, shown in Figure B.
Figure B: This is what the Active Directory search tool looks like
The search screen is very simple and well organized. At the top, you will see the Find drop down list. By default this list is designed to allow the user to search for users, contacts and groups, however users also have the option of searching for computers, printers, shared folders, or performing custom searches.
If you look just to the right of the Find drop down list, you will see that by default the tool is configured to search the entire Active Directory. The In drop down list gives you the option of searching an individual domain.
Users can perform a simple Active Directory query by simply entering a name or a description for the object that they are searching for and clicking the Find Now button. For example, if I were to enter the name of one of my users and click Find Now, Vista would return a list of user, contact and group objects that matched my query, as shown in Figure C. I could then double click on the object to view its attributes, as shown in Figure D.
Figure C: Vista displays all of the users, contacts, and groups that match your query
Figure D: When you double click on a found object, Vista displays the object’s attributes
If Figure D seemed a little anti-climatic, it’s because of the GIGO principle that I talked about earlier. User1 is just a test account on my domain, so there aren’t many attributes associated with it. As such, there really isn’t much for the search results to display. That’s why it’s important to actually fill out the extended attributes when you create a user object. Had the extended attributes been filled in, the user’s full contact information would be displayed.
If you still aren’t convinced of the need for or usefulness of filling in extended attributes for your Active Directory objects, the Advanced Search feature may change your mind. The Advanced tab, shown in Figure E, allows you to select a field, a condition, and a value for the search.
Figure E: This is the Active Directory Search tool’s Advanced tab
The Field drop down list allows you to search for a specific attribute type. For example, if you wanted to search for users in a specific city, you could select the User option from the Field drop down list, and then select the City attribute, as shown in Figure F.
Figure F: The Advanced search allows you to run queries against individual Active Directory attributes
The condition drop down list basically allows you to select an operator for the function. For example you could select things like Starts with, ends with is, is not, etc. Finally, the Value allows you to enter your search criteria. For example if you wanted to search for all of the users in the Miami office, you could select Users | City from the Field drop down list. Set the Condition to is (Exactly), and set the Value field to Miami.
As you can see, the Active Directory search tool brings the power of the Active Directory to the database. Users can extract information from the Active Directory without having to use complex LDAP queries.