How to Configure Windows Server 2016 Active Directory Users and Computers

Active Directory Users and Computers (ADUC) is the primary management console for administering user accounts, computer accounts, groups, and other directory objects in Windows Server 2016. This Microsoft Management Console (MMC) snap-in is installed automatically on Domain Controllers and can also be installed on Windows 10 workstations through Remote Server Administration Tools (RSAT). Mastering ADUC is fundamental to day-to-day Active Directory administration.

Prerequisites

Before configuring ADUC, ensure the following prerequisites are in place. The server must be promoted to a Domain Controller with the Active Directory Domain Services (AD DS) role installed. You must have Domain Admin or equivalent privileges. The Active Directory Domain Services role must be fully configured with a valid domain name. On non-DC machines, RSAT must be installed to access ADUC remotely.

Opening Active Directory Users and Computers

There are multiple ways to open the ADUC console. The most direct method is through Server Manager. Once Server Manager is open, click Tools in the upper-right menu, then select Active Directory Users and Computers. Alternatively, you can open the Run dialog with Win+R and type the following command:

dsa.msc

You can also open it from the command line or PowerShell:

mmc dsa.msc

Understanding the ADUC Interface

The ADUC console displays a tree structure on the left panel representing the domain hierarchy. The root node shows the domain name. Under it you will find default containers such as Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, and Users. The right panel displays the objects contained within the selected node. The top menu provides access to actions like creating new objects, searching, and viewing advanced features.

To enable the Advanced Features view, which reveals additional containers and object attributes, click View in the menu bar and select Advanced Features. This exposes containers such as LostAndFound, System, and NTDS Quotas, and also enables viewing of object attributes through the Attribute Editor tab in object properties.

Creating a New User Account

To create a new user account, right-click the target Organizational Unit (OU) or the Users container, hover over New, and select User. The New Object – User wizard will open. Enter the user’s first name, last name, and user logon name. Click Next to configure the password. Set a strong initial password and choose appropriate password options such as requiring the user to change password at next logon. Click Next and then Finish to create the account.

You can also create user accounts using PowerShell for bulk operations:

New-ADUser -Name "John Smith" -GivenName "John" -Surname "Smith" -SamAccountName "jsmith" -UserPrincipalName "jsmith@corp.local" -Path "OU=Staff,DC=corp,DC=local" -AccountPassword (ConvertTo-SecureString "P@ssw0rd123" -AsPlainText -Force) -Enabled $true
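The single New-ADUser call above scales to a bulk import. The following script is an added example, not from the original article; it assumes the ActiveDirectory module, the OU "OU=Staff,DC=corp,DC=local" and domain corp.local used above, and a constructed CSV in place of a real HR export. Each account gets its own random initial password and must change it at first logon, so no shared password is written into the script.

```powershell
# Added example (not from the original article): bulk user creation.
# Assumes the ActiveDirectory module and the OU/domain used in the article.
Import-Module ActiveDirectory

# Constructed sample input; replace with Import-Csv on a real HR export.
$rows = @"
GivenName,Surname,SamAccountName,Department
Jane,Doe,jdoe,Finance
Bob,Williams,bwilliams,IT
"@ | ConvertFrom-Csv

$ou     = "OU=Staff,DC=corp,DC=local"
$domain = "corp.local"

# Cryptographically random 16-character initial password, unique per user.
function New-RandomPassword {
    param([int]$Length = 16)
    $chars = ([char[]](33..126)) -join ''          # printable ASCII, no space
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

foreach ($r in $rows) {
    # Skip existing accounts instead of aborting the whole run mid-way.
    if (Get-ADUser -Filter "SamAccountName -eq '$($r.SamAccountName)'") {
        Write-Warning "$($r.SamAccountName) already exists, skipping"
        continue
    }
    $pw = New-RandomPassword
    New-ADUser -Name "$($r.GivenName) $($r.Surname)" `
        -GivenName $r.GivenName -Surname $r.Surname `
        -SamAccountName $r.SamAccountName `
        -UserPrincipalName "$($r.SamAccountName)@$domain" `
        -Department $r.Department -Path $ou `
        -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true
    # Deliver $pw to the user out of band; never write it to a log or ticket.
    Write-Host "Created $($r.SamAccountName); initial password issued separately"
}
```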

Modifying User Account Properties

Double-clicking a user account opens the Properties dialog with multiple tabs. The General tab holds basic contact information. The Account tab configures the logon name, account options, and expiry. The Profile tab sets the profile path, logon script, and home folder. The Member Of tab shows group memberships. The Dial-in tab configures remote access permissions. The Environment, Sessions, Remote control, and Remote Desktop Services Profile tabs are relevant for Terminal Services environments.

To unlock a locked account via PowerShell:

Unlock-ADAccount -Identity jsmith

Resetting a User Password

To reset a password in ADUC, right-click the user account and select Reset Password. Enter and confirm the new password. You can also check the option to unlock the account if it is currently locked. This is one of the most common help desk tasks performed through ADUC.

Set-ADAccountPassword -Identity jsmith -Reset -NewPassword (ConvertTo-SecureString "NewP@ss2024" -AsPlainText -Force)
Set-ADUser -Identity jsmith -ChangePasswordAtLogon $true

Creating and Managing Groups

Groups in Active Directory are used to assign permissions and organize users. To create a group in ADUC, right-click an OU, select New, then Group. Enter a group name and choose the group scope (Domain Local, Global, or Universal) and group type (Security or Distribution). Add members by right-clicking the group and selecting Properties, then the Members tab.

New-ADGroup -Name "IT_Admins" -GroupScope Global -GroupCategory Security -Path "OU=Groups,DC=corp,DC=local"
Add-ADGroupMember -Identity "IT_Admins" -Members jsmith, bwilliams

Managing Computer Accounts

Computer accounts represent workstations and servers joined to the domain. In ADUC, the Computers container holds pre-staged and domain-joined computers. To pre-stage a computer account, right-click the target OU, select New, then Computer. Enter the computer name. This is useful for controlled deployments where you want the account to exist in a specific OU before the machine joins the domain.

New-ADComputer -Name "DESK-001" -Path "OU=Workstations,DC=corp,DC=local" -Enabled $true

Searching for Objects

ADUC includes a built-in search tool. Click the Find Objects button in the toolbar (binoculars icon) or press Ctrl+F to open the Find dialog. You can search for users, computers, groups, or custom LDAP queries. The Advanced tab allows constructing complex LDAP filter expressions for precise searches across the entire directory.

Get-ADUser -Filter {Department -eq "Finance"} -SearchBase "DC=corp,DC=local" | Select-Object Name, SamAccountName, Enabled
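The Advanced tab of the Find dialog accepts raw LDAP filters; the same filters work with Get-ADUser -LDAPFilter. The script below is an added example, not from the original article, and assumes the ActiveDirectory module and the corp.local domain used above. It lists enabled accounts with no logon in the last 90 days, which is the query behind the periodic account audit recommended in the best practices section.

```powershell
# Added example (not from the original article): LDAP filter for stale,
# still-enabled user accounts. Assumes the ActiveDirectory module and corp.local.
Import-Module ActiveDirectory

$days = 90
# lastLogonTimestamp is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).
$threshold = [DateTime]::UtcNow.AddDays(-$days).ToFileTimeUtc()

# userAccountControl bit 2 = ACCOUNTDISABLE; 1.2.840.113556.1.4.803 is the
# LDAP bitwise-AND matching rule, so the negation keeps only enabled accounts.
$enabledUsers = "(objectCategory=person)(objectClass=user)" +
                "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"

$stale = Get-ADUser -LDAPFilter "(&$enabledUsers(lastLogonTimestamp<=$threshold))" `
             -SearchBase "DC=corp,DC=local" -Properties lastLogonTimestamp, whenCreated |
         Select-Object Name, SamAccountName, whenCreated,
             @{ n = 'LastLogon'; e = { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } } |
         Sort-Object LastLogon

# Accounts that have never logged on carry no lastLogonTimestamp at all, so the
# range filter above misses them; pick them up by creation date instead.
$never = Get-ADUser -LDAPFilter "(&$enabledUsers(!(lastLogonTimestamp=*)))" `
             -SearchBase "DC=corp,DC=local" -Properties whenCreated |
         Where-Object { $_.whenCreated -lt (Get-Date).AddDays(-$days) } |
         Select-Object Name, SamAccountName, whenCreated

"Enabled accounts with no logon in $days days:"; $stale | Format-Table -AutoSize
"Enabled accounts that never logged on:";        $never | Format-Table -AutoSize
```

lastLogonTimestamp is replicated between domain controllers with a delay of up to 14 days, so treat the results as candidates to review rather than as a precise last-logon record.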

Delegating Control

ADUC includes a Delegation of Control Wizard that allows you to grant specific Active Directory permissions to users or groups without giving them full Domain Admin rights. Right-click an OU and select Delegate Control. Follow the wizard to choose users or groups and select the tasks to delegate, such as resetting passwords or managing group membership. This is a critical security practice for adhering to the principle of least privilege.
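The wizard's "Reset user passwords and force password change at next logon" task writes two access control entries on the OU: the Reset Password extended right and read/write access to pwdLastSet, both scoped to descendant user objects. The script below is an added example, not from the original article, that sets the same delegation with PowerShell and then lists the resulting ACEs for review; it assumes the ActiveDirectory module, a security group named HelpDesk, and the OU "OU=Staff,DC=corp,DC=local" used earlier.

```powershell
# Added example (not from the original article): delegate password reset on
# one OU to a HelpDesk group. Assumes the ActiveDirectory module, the group
# HelpDesk and the OU from the article.
Import-Module ActiveDirectory

$ouDn = "OU=Staff,DC=corp,DC=local"
$sid  = (Get-ADGroup -Identity "HelpDesk").SID

# Schema GUIDs from the AD schema (identical in every forest).
$userClass     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # user object class
$resetPassword = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # Reset Password extended right
$pwdLastSet    = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"  # pwdLastSet attribute

$acl = Get-Acl -Path "AD:\$ouDn"

# ACE 1: Reset Password extended right on descendant user objects only.
$acl.AddAccessRule((New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, "ExtendedRight", "Allow", $resetPassword, "Descendents", $userClass))

# ACE 2: read/write pwdLastSet so the helper can force a change at next logon.
$acl.AddAccessRule((New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, "ReadProperty, WriteProperty", "Allow", $pwdLastSet, "Descendents", $userClass))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verification: show only what HelpDesk was granted, so the delegation can be
# documented and audited against the intended scope.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\HelpDesk" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                  InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The rights are scoped to the user class beneath that OU, so the group gains nothing on computers, groups, or accounts outside the OU; the same verification query is a useful recurring check that the delegation has not drifted.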

Enabling the Recycle Bin Feature

While the Recycle Bin has its own dedicated console, you can enable it from the ADUC interface if the domain and forest functional levels are at Windows Server 2008 R2 or higher. In ADUC, click Active Directory Users and Computers at the root, then under Tasks in the right pane you may find the Enable Recycle Bin option. Alternatively, use the Active Directory Administrative Center for this feature.

Best Practices

Always use Organizational Units to organize objects by function, geography, or department rather than relying on the default containers. Apply the principle of least privilege when delegating administrative tasks. Use security groups for permission assignments rather than assigning permissions directly to users. Document all OU structures and delegation settings. Regularly audit user accounts, disabling or deleting accounts for departed employees promptly. Use PowerShell for bulk operations to ensure consistency and save time.

Active Directory Users and Computers remains one of the most heavily used tools in any Windows Server environment. Proficiency with ADUC, combined with PowerShell automation, enables efficient and secure management of your domain’s identity infrastructure.