The Account and Resource Management console provides access to most of the DRA Assistant Administrator tasks, addressing enterprise management needs from basic administration to advanced Help Desk issues. Through the Account and Resource Management console, you can perform account and resource management tasks and manage Microsoft Exchange mailboxes.
The Account and Resource Management console contains the following nodes:
Enables you to manage objects, such as user accounts, groups, contacts, resources, dynamic groups, dynamic distribution groups, resource mailboxes, and public folders for each domain in which you have some power.
Enables you to manage group memberships for users who only need group membership for a specific time period.
Enables you to manage advanced queries available on the Administration server.
Enables you to manage deleted user accounts, groups, contacts, and resources, for any Microsoft Windows domain where the Recycle Bin is enabled.
To start the Account and Resource Management console interface, click Account and Resource Management in the Directory and Resource Administrator program folder.
When you start the Account and Resource Management console, you initially connect to the best available Administration server in the local domain. The best-available Administration server is the closest server, which is typically a server in the network site. By seeking the best available Administration server, DRA provides a quicker connection and improved performance.
To learn more about working in the Account and Resource Management console, see the following topics:
By default, DRA connects to the best available Administration server for a managed domain or computer. The best available Administration server is the closest server, which is typically a server in the network site. If the site does not include an Administration server, DRA connects to the next available server in the managed domain or managed subtree. You can also specify the Administration server or domain to which you want to connect.
When you first start the user interfaces, DRA initially connects to the domain of your logon account. If you are logged on to a domain that is not managed by an Administration server, or if DRA cannot connect to the Administration server for that domain, DRA may display an error message. Ensure the Administration server is available and try again.
To connect to an Administration server:
On the File menu, click Connect to DRA server.
Click Connect to this DRA server.
Type the name of the Administration server, using the following format: computername.
Click OK.
To connect to a managed domain or computer:
On the File menu, click Connect to DRA server.
Select the appropriate option, and then type the name of the managed domain or computer.
For example, to connect to the HOULAB domain, click Connect to a DRA server that manages this domain, and then type HOULAB.
To specify an Administration server for the managed domain or computer, click Advanced, and then select the appropriate option.
Click OK.
You can modify the information displayed in the title bar of the Account and Resource Management console. For convenience and clarity, you can add the user name with which the console was launched and the Administration server to which the console is connected. In complex environments in which you need to connect to multiple Administration servers using different credentials, this feature helps you quickly discern which console you need to use.
To modify the console title bar:
Start the Account and Resource Management console.
Click View > Options.
Select the Window Title tab.
Specify the appropriate options, and then click OK.
You can select which object properties DRA displays in list columns. This flexible feature enables you to customize the user interface, such as lists for search results, to better meet the specific demands of administrating your enterprise. For example, you can set columns to display the user logon name or group type, letting you quickly and effectively find and sort the data you need.
To customize list columns:
Select the appropriate node. For example, to choose which columns display when viewing search results on managed objects, select All My Managed Objects.
On the View menu, click Choose Columns.
From the list of properties available for this node, select the object properties you want to show.
To change the column order, select a column, and then click Move Up or Move Down.
To specify the column width, select a column, and then type the appropriate number of pixels in the provided field.
Click OK.
You manage objects in the Account and Resource Management console by selecting All My Managed Objects or a sub-node in the directory tree. From here, you can search by object type for objects in domains, containers, and OUs.
If you select an object in the search results list, all applicable actions that you can take on that object are available in the Tasks menu on the toolbar or in right-click menu. The options available are based on the object type selected, the components currently configured for DRA, and your assigned administrator privileges.
To edit an object’s properties, select the object and click Properties in the Tasks menu. From here, you can access all the object’s property pages by clicking page links in the left navigation pane.
IMPORTANT:If you want to protect an object from accidental deletion, select the object and open Properties, select General in the navigation pane, select the check box at the bottom of the page to enable this feature, and Apply the changes.
For more information about actions you can take on objects, see the following topics:
Using advanced queries, you can search for users, contacts, groups, computers, printers, OUs, and any other object that DRA supports. If you have the Execute Saved Advanced Queries power, you can execute advanced queries available in the Saved Queries list for any container in the Account and Resource Management node. For more information about your assigned powers, see Viewing Your Assigned Powers and Roles.
To execute saved advanced queries:
Expand Account and Resource Management > All My Managed Objects.
Select the appropriate container. For example, if you want DRA to search for user account information, select Users.
To view the advanced search pane, click Advanced Search.
In the advanced search pane, select an advanced query from the Saved Queries list.
Click Load Query, and then click Find Now.
DRA enables you to resize windows and then persists your window sizes. DRA also persists many other settings, including the last Administration server to which you connect, the columns you add or remove from list results, and column widths. If you want to restore these settings to the original setting with which you installed DRA, the Restore Default Settings option enables you to do so.
To restore default console settings:
Click View > Options.
Select the Saved Settings tab.
Review the information provided on the window, and then click Restore Default Settings.
You cannot use the following special characters when naming user accounts, groups, contacts, OUs, computers, ActiveViews, AA groups, roles, policies, or automation triggers. These naming restrictions apply to the name of the object as well as the name of the rule that defines the object.
When specifying a pre-Windows 2000 name, you cannot use the following special characters:
|
Backslash |
\ |
|
Colon |
: |
|
Comma |
, |
|
Double quote |
" |
|
Equal sign |
= |
|
Forward slash |
/ |
|
Greater than |
> |
|
Left bracket |
[ |
|
Less than |
< |
|
Plus sign |
+ |
|
Right bracket |
] |
|
Semi colon |
; |
|
Vertical bar |
| |
IMPORTANT:For Public Folder Management the Backslash \ character is not supported.
When naming user accounts, groups, and computers in Microsoft Windows domains, you can use any special character.
When naming contacts and OUs, you can use any special character.
When naming ActiveViews, AA groups, and roles, you cannot use the backslash (\).
When naming policies and automation triggers, you cannot use the backslash (\).
Invalid characters will cause the synchronization between Office 365 and your on-premises directory to fail. See the "Directory object and attribute preparation" subtopic on the Microsoft Office support web site to learn more about these invalid characters.
To ensure that these characters are not used in your online mailbox properties, go to the Policy and Automation Management console and click Configure Exchange Policies. Click Office 365 Rules, click Enforce online mailbox policies for invalid characters and character length, and click OK.
DRA supports wildcard characters in many fields in the DRA consoles and in CLI commands. Wildcards enable you to define rules that match multiple objects to a specific condition or standard, such as a naming convention. You can use wildcards instead of regular expressions to narrow or broaden the scope of the rule. Wildcard matching is not case‑sensitive. You can also use the question mark (?), asterisk (*), or number sign (#) wildcard characters as normal characters by prefixing a backslash (\) to the particular wildcard character. For example, to search for abc*, type the search text abc\*.
DRA supports the following wildcard characters. You cannot use wildcard characters in names.
|
Match Item |
Character |
Definition |
|---|---|---|
|
Any character |
Question mark ? |
Matches exactly one character |
|
Any digit |
Number sign # |
Matches one digit |
|
Any character, 0 or more matches |
Asterisk * |
Matches zero or more characters |
The following table provides examples of wildcard character specifications and what they match and do not match.
|
Example |
Matches |
Does Not Match |
|---|---|---|
|
Den??? |
Denton and Dennis |
Denison |
|
El ????o |
El Campo and El Indio |
El Paso |
|
Houston, TX ##### |
Houston, TX 77024 |
Houston, TX USOFA |
DRA does not support wildcard specifications that contain logical operations.
Roles and powers define how you manage objects. A role is a set of powers that provides the permissions required to perform a specific administration task, such as creating a user account or moving shared directories.
The DRA Administrator assigns roles, adds you to specific AA groups, and associates you with ActiveViews (sets of domain objects you can manage). You can view these assignments through the Account and Resource Management console. You do not need any auxiliary powers to view the roles and powers assigned to you.
To view your assigned powers and roles:
On the File menu, click DRA Properties.
Click Powers.
Select the appropriate view. For example, click Flat View to see a table of your AA group memberships, assigned powers and roles, and associated ActiveViews.
Expand the appropriate item. For example, under Has Power column, expand Roles and Powers to view the individual roles or powers assigned to you.
Click OK.
You can view the product version number and installed hotfixes from the DRA Properties window. This window provides version numbers and lists of installed hotfixes for the Administration server and the DRA client computer.
To view the product version number and installed hotfixes:
On the File menu, click DRA Properties.
Click General.
View the information you need.
Click OK.
DRA requires a license key file. You can view your product license from any Administration server computer. You do not need any auxiliary powers to view the product license.
To view your license:
On the File menu, click DRA Properties.
Click License.
Review the license properties, and then click OK.
Microsoft BitLocker stores its recovery passwords in Active Directory. With the required powers, you can use the DRA BitLocker Recovery feature to find and recover lost BitLocker passwords for end users.
IMPORTANT:Before using the BitLocker Recovery Password feature, ensure that your computer is assigned to a domain and BitLocker is turned-on.
If the BitLocker password for a computer is lost, it can be reset using the Recovery Password key from the computer's properties in Active Directory. Copy the password key and provide it to the end user.
To view and copy the recovery password:
Launch the Account and Resource Management console and navigate to All My Managed Objects > Domain > Computers.
In the computers list, right-click the required computer, and select Properties> BitLocker Recovery Password.
Right-click and copy the BitLocker recovery password, and paste the password text into a text file.
If the name of a computer was changed, the Recovery Password must be searched for in the domain using the first eight characters of the Password ID.
To find a recovery password by using a password ID:
Launch the Account and Resource Management console, and navigate to All My Managed Objects.
Right-click the Managed Domain, and then click Find BitLocker Recovery Password.
To find the first eight characters of the recovery password, see Viewing and Copying a BitLocker Recovery Password.
In the Find BitLocker Recovery Password page, paste the copied characters in the search field, and then click Search.