I’ve been working with Active Directory Administrative Center (ADAC) for a while now, but didn’t have time to look at Delegation of Control lately. Yesterday I finally came round to configuring it and was baffled by a serious issue:
After delegating Account creation to a user, installing the Remote Server Administration Tools (RSAT) on the user’s Windows 7 Enterprise workstation and adding the Active Directory Administrative Center remote management feature on it, the tool wouldn’t work. Actually, the tool would start (slow as always, but it would nonetheless start), show its window, and show the icons for the containers, users, etc., but it refused to show the corresponding text in the Active Directory Administrative Center window (or, at times, garbled the text, rendering it unreadable).
I began troubleshooting the issue.
Messed up delegation?
I previously added the user to the Account Operators group in the domain. Perhaps this issue occurred because I messed up Delegation? Perhaps the user needed more rights? Perhaps a similar bug exists in Windows Server 2008 R2 where the Account Operators for some reason don’t have read rights on the Built-In OU? I checked the security permissions of the user and Account Operators group to the Users, Computers and Built-in containers in Active Directory, using SysInternals’ ADExplorer. I found nothing out of the ordinary and decided to supply the user access to the Active Directory Users and Computers MMC Snap-in (dsa.msc) to check things. After resetting passwords on a couple of test accounts, no Access Denied errors were thrown. I ruled out Delegation of Control as the cause of this issue.
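The same permission check can be scripted instead of browsed in ADExplorer. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module that ships with RSAT and its `AD:` drive, and the variable names are illustrative.

```powershell
# Added example: list the ACEs that Account Operators hold on the Users,
# Computers and Builtin containers. Assumes the ActiveDirectory module (RSAT)
# and an account that can read the containers' security descriptors.
Import-Module ActiveDirectory

$group      = 'Account Operators'   # group used for the delegation on this page
$domainDn   = (Get-ADDomain).DistinguishedName
$containers = 'Users', 'Computers', 'Builtin' | ForEach-Object { "CN=$_,$domainDn" }

# Well-known schemaIDGUIDs, so the ObjectType column is readable.
$classNames = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group'
    '4828cc14-1437-45bc-9b07-ad6f015e5f28' = 'inetOrgPerson'
    '00000000-0000-0000-0000-000000000000' = '(all object types)'
}

foreach ($dn in $containers) {
    $acl  = Get-Acl -Path "AD:\$dn"
    $aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$group" })

    if ($aces.Count -eq 0) {
        # Nothing granted here: a delegated task against this container would fail.
        Write-Warning "No ACE for '$group' on $dn"
        continue
    }

    $aces | Select-Object @{ n = 'Container'; e = { $dn } },
        AccessControlType,
        ActiveDirectoryRights,
        @{ n = 'AppliesTo'; e = {
            $guid = $_.ObjectType.ToString()
            if ($classNames.ContainsKey($guid)) { $classNames[$guid] } else { $guid }
        } },
        IsInherited
}
```

Running it once as the delegated user and once as a domain administrator shows whether both accounts see the same security descriptor, which separates a permissions problem from a client-side one.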
Local administrator privileges needed?
The account I used did not have administrator privileges on the workstation. When starting up the Active Directory Administrative Center (dsac.exe) with the built-in Administrator account I’ve seen User Account Control (UAC) prompts, so perhaps the Active Directory Administrative Center needs local administrator privileges?
Adding the user account to the local administrators group, then logging the user off and back on at the workstation, did not resolve the issue, so I reversed the local administrator group membership…
PowerShell or the .NET Framework to blame?
I then started troubleshooting PowerShell. For some reason I found the same issue in the PowerShell ISE (text not showing after typing). I redeployed Windows 7 on the machine and the issue in the PowerShell ISE would reappear. I knew then, the RSAT were not to blame. This was not an Active Directory Administrative Center error!
Since PowerShell can’t be uninstalled and reinstalled in Windows 7, I ruled out blaming PowerShell or the underlying .NET Framework for this error. (Otherwise Microsoft would have made an option available to at least reset PowerShell on Windows 7, right?)
I reckoned this might be a display issue, not a PowerShell issue.
Windows Aero doesn’t play nice?
The next thing I checked was whether there was an issue between the Active Directory Administrative Center and Windows Aero. I switched to the Windows 7 Basic theme and restarted the box. This is getting dull, since this also did not resolve the issue.
Display driver to blame?
I had a hunch though: next, I decided to check for a newer driver for my display adapter. Sure enough, a new driver was available. I installed the newer display driver and again restarted the box.
After the reboot, I made the user log in and let him fire up the Active Directory Administrative Center (dsac.exe).
This time it showed the text as it should be.
When working with Active Directory Administrative Center (dsac.exe) and Delegation of Control:
- The Active Directory Administrative Center does not require administrative privileges on a workstation to work remotely through the Remote Server Administration Tools (RSAT).
- The Active Directory Administrative Center works on top of Windows PowerShell. Windows PowerShell cannot be uninstalled in Windows 7.
- Display drivers may cause issues with text display in Windows 7. These issues may affect the Active Directory Administrative Center.