In a discussion on the ActiveDir.org mailing list today, the question came up of how to search Active Directory from within Windows. On Windows 2000 or Windows XP this can be done from the Start menu's Find People dialog, but in Windows Vista that feature appears to be completely absent: the new search feature has no "Find People" function.
According to this article, based on a pre-release version of Vista, searching Active Directory was built into the Network explorer, but this feature does not seem to exist on my Windows Vista Enterprise x64 SP1 machine. So either the feature was removed prior to release, or I do not have it enabled. I imagine there may be a group policy or registry key to allow this, but I have not been able to find one as of yet. I also thought that maybe something in the Network explorer checks the network for an Active Directory server before making the option available, and that this check might be blocked by a client firewall, but no luck.
So why would you want to search Active Directory from within Windows? One benefit is easy access to the information stored in Active Directory, but the dialog also served as a very simple self-service update tool for end users' contact information. The defaultSecurityDescriptor for the user class in a new domain grants SELF (the user's own account) read and write access to its phone and contact attributes through the Personal Information and Phone and Mail Options property sets (shown in the ACL editor as the "Write Personal Information" and "Write Phone and Mail Options" permissions).
A user could look up his own account in AD and update his phone and contact information, since by default he can modify these properties on his own account. Of course this is a free-form update: no validation is applied to the new values, which leaves a wide margin for typos and garbage data.
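As an added example (not code from the original post), the following PowerShell lists what SELF is granted on a user object by decoding the defaultSecurityDescriptor SDDL into its ACEs. The `$SampleSddl` value is a constructed excerpt modelled on the stock user-class default (the `PS` entries with `RPWP` on the property-set GUIDs are the ones that make the self-service edit possible); `Get-UserClassSddl` fetches the live value from the schema on a domain-joined machine. The property-set GUID table is assumed to be accurate and should be checked against `CN=Extended-Rights,CN=Configuration` in your own forest.

```powershell
# Added example: decode a user-class defaultSecurityDescriptor and report what SELF
# (S-1-5-10, "PS" in SDDL) may read or write. Not part of the original post.

# Constructed sample modelled on the default user-class descriptor (not a live value).
$SampleSddl = 'D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;BA)' +
              '(A;;RPLCLORC;;;PS)' +
              '(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)' +   # Personal Information
              '(OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)' +   # Phone and Mail Options
              '(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)' +   # Web Information
              '(A;;RPLCLORC;;;AU)'

# rightsGuid values of the property-set controlAccessRight objects (assumed; verify in your forest).
$PropertySets = @{
    '77b5b886-944a-11d1-aebd-0000f80367c1' = 'Personal Information'
    'e45795b2-9455-11d1-aebd-0000f80367c1' = 'Phone and Mail Options'
    'e45795b3-9455-11d1-aebd-0000f80367c1' = 'Web Information'
    'e48d0154-bcf8-11d1-8702-00c04fb96050' = 'Public Information'
}

# Bits from System.DirectoryServices.ActiveDirectoryRights
$ReadProperty  = 0x10
$WriteProperty = 0x20
$SelfSid       = 'S-1-5-10'

function Get-UserClassSddl {
    # Read the live defaultSecurityDescriptor of the 'user' class from the schema partition.
    $root   = [adsi]'LDAP://RootDSE'
    $schema = [adsi]"LDAP://$($root.schemaNamingContext)"
    $s = New-Object System.DirectoryServices.DirectorySearcher($schema, '(lDAPDisplayName=user)')
    [void]$s.PropertiesToLoad.Add('defaultSecurityDescriptor')
    $s.FindOne().Properties['defaultsecuritydescriptor'][0]
}

function Get-SelfPropertyRights {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier.Value -ne $SelfSid) { continue }
        $allow = $ace.AceType -in @('AccessAllowed', 'AccessAllowedObject')

        # Object ACEs with an object type narrow the grant to one property set or attribute;
        # everything else applies to all attributes of the object.
        $scope = 'all attributes'
        if ($ace -is [System.Security.AccessControl.ObjectAce] -and
            ($ace.ObjectAceFlags -band [System.Security.AccessControl.ObjectAceFlags]::ObjectAceTypePresent)) {
            $guid  = $ace.ObjectAceType.ToString()
            $scope = if ($PropertySets.ContainsKey($guid)) { $PropertySets[$guid] } else { "object type $guid" }
        }

        [pscustomobject]@{
            Type  = if ($allow) { 'Allow' } else { 'Deny' }
            Read  = [bool]($ace.AccessMask -band $ReadProperty)
            Write = [bool]($ace.AccessMask -band $WriteProperty)
            Scope = $scope
        }
    }
}

# Offline run against the constructed sample; swap in (Get-UserClassSddl) on a domain member.
Get-SelfPropertyRights -Sddl $SampleSddl | Format-Table -AutoSize
```

With the sample descriptor the output shows SELF with Read on all attributes and Read+Write on the three property sets; on a real domain, also check the user object itself (`Get-Acl AD:\<dn>` or the ACL editor), because inherited and explicitly added ACEs on the OU can widen or narrow what the schema default grants.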
This could also be done through the Windows Address Book (wab.exe), which could be pointed at Active Directory to find people and was a simple front end for LDAP searches. In Windows Vista, wab.exe directs you to Windows Contacts, which does appear to have the ability to search external directories.
On previous versions of Windows it could also be done with the Administrative Tools (Adminpak) installed, using Active Directory Users and Computers to browse and search. The new Remote Server Administration Tools (RSAT) should be released soon now that SP1 is available, but that is not something you would want to deploy to end users.
So I am left wondering if the Search Active Directory feature exists for me, or if somehow I have it disabled and can’t figure out how to enable it. I see references to "Search Active Directory" in the MUIcache registry keys suggesting the feature is in the network explorer, but no luck on finding it on this machine. If this feature was removed prior to release, then why?
Overall I wouldn't recommend using the self-update without better data controls, such as a web-based self-service tool, but if someone is used to using Find People to manage their AD properties, this could be a feature they may miss. If you know how to enable this feature, please let me know so I can give up on trying to find it. I'm sure it's something so obvious that I'll feel dumb, but at least I would know 🙂
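As an added example of the kind of data control the free-form edit lacks (not code from the original post), here is a small PowerShell wrapper that writes only an allow-listed set of contact attributes on the caller's own account, after validating each value, and relies on nothing more than the SELF rights the default descriptor already grants. The attribute names are the real LDAP display names; the allow-list and the validation patterns are assumed policy for illustration, and `Set-MyContactInfo` is a name chosen for this example.

```powershell
# Added example: validated self-service update of contact attributes, run as the user
# (binds with the caller's own credentials, so only what SELF may write can be written).

# Assumed policy: which attributes a user may edit and what a valid value looks like.
# AD stores telephoneNumber as a string of at most 64 characters; E.164 is enforced here.
$AllowedAttributes = @{
    telephoneNumber = '^\+[1-9]\d{6,14}$'
    mobile          = '^\+[1-9]\d{6,14}$'
    homePhone       = '^\+[1-9]\d{6,14}$'
    postalCode      = '^[A-Za-z0-9 -]{3,10}$'
}

function Test-ContactValue {
    param([Parameter(Mandatory)][string]$Attribute, [Parameter(Mandatory)][string]$Value)
    if (-not $AllowedAttributes.ContainsKey($Attribute)) { return $false }
    return [bool]($Value -match $AllowedAttributes[$Attribute])
}

function Set-MyContactInfo {
    param([Parameter(Mandatory)][hashtable]$Values, [switch]$WhatIf)

    # Reject everything up front so a bad value never results in a partial write.
    foreach ($attr in $Values.Keys) {
        if (-not (Test-ContactValue -Attribute $attr -Value $Values[$attr])) {
            throw "Rejected ${attr}='$($Values[$attr])': attribute not allow-listed or value failed validation"
        }
    }

    # whoami /fqdn prints the caller's distinguishedName; [adsi] binds as the caller.
    $dn = (whoami /fqdn).Trim()
    $me = [adsi]"LDAP://$dn"
    foreach ($attr in $Values.Keys) {
        if ($WhatIf) { Write-Host "Would set $attr on $dn"; continue }
        $me.Put($attr, $Values[$attr])
    }
    if (-not $WhatIf) { $me.SetInfo() }   # one LDAP modify for all attributes
}

# Usage (constructed sample values; use -WhatIf to preview without writing):
Set-MyContactInfo -Values @{ telephoneNumber = '+15555550100'; mobile = '+15555550199' } -WhatIf
```

The write is still bounded by the ACL, not by the script: if SELF has Write Personal Information, a user can bypass the validation with any LDAP client. The allow-list only keeps the supported path clean; the descriptor decides what is actually enforceable.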
It appears that the "Find People" dialog is included in the Windows Mail client in Windows Vista. This does seem like an obscure place for it to live, since I don't think many users within an enterprise with AD would be using Windows Mail. However, it appears you can open the "Find People" dialog outside of Windows Mail by using the "/Find" command-line argument of wab.exe (wab /Find). Thanks to Michael Smith for pointing this out for me.
Another interesting thing is that the "Search Active Directory" function appeared when I was on the same local LAN as my Active Directory, but did not appear when I had logged on with cached credentials and then opened a RAS connection to the network.