Saturday, April 25, 2009

Filtering in Active Directory Administrative Center

This is the post I have wanted to write for a long time. I had to wait until the designs had been shown in public (see bottom of this post). This is also the latest in a series on filter designs.

Let’s get back to our original goal of…

…making a filtering mechanism that works well for the majority of cases. ‘Works well’ means that it is easy to use and complete enough to cover 95% of the scenarios of the people who use our products. Getting deep on Filtering

We have looked at a number of different examples of Attribute based filtering and we need something that is as good as the Zune filter yet is much more scalable.

Enter the design for Active Directory Administrative Center. This is the application in all it simple might and glory once you have navigated to a folder (called Organizational Unit in Active Directory) full of user accounts.


In the following screens we will focus in on the list area:


  1. A: Title. Tells you the name of the folder and number of items in the folder or the number of items in the filter
  2. B: Free text filter. Filters across most attributes
  3. C: Add criteria button. Lets you add rules or attributes to your query
  4. D: Saved queries.
  5. E: Button for saving the current filter.

If you type in the free-text filter we filter the list as you type and update the title with (“number of matching records” of “total number of records”):image

We also change the background color to indicate that the list is filtered.  Hit ESC to clear the free-text filter. CTRL+E will set focus on the free-text filter.

We added the free-text filter because most times you can get by with a quick search even when you have a couple of thousand records in a given folder. If you have more than a couple of thousand records you may need more advanced filtering. The ‘Add criteria button’ provides a set of rules (see Different kinds of Filtering) and a list of attributes to filter on. Active Directory Administrative Center lets you filter on about 20 attributes. From a pure design point of view that number could be much bigger. From this applications’ perspective, we went through rounds of user testing to figure out what the right attributes were to include and it did simply not make sense to include all 150 or so attributes.

We added the idea of rules for two reasons. First of they are a helping hand in what we expect a lot of people to be filtering on all the time such as for instance “users with disabled/enabled accounts” which is really just a shortcut for “Object type = user AND Account state = disabled/enabled”. Rules can also be a way to package a filter that would otherwise not be possible to make with this design. More on that later.

The ‘Add criteria button’:image 

As soon as we add the ‘users with disabled/enabled accounts’ rule the filter is updated. image

To get the enabled accounts, simply click on the link “disabled” and you will get a dropdown with possible values.  And we could of course have added more than one rule and several attributes. Here is just one more attribute:


Notice the ‘and’ in the beginning of each line? We automatically AND the free-text filter and the rules and attributes together. this gets us to the core of this filter design:

Criteria on different attributes are AND’ed and Criteria on the same attribute are OR’ed.

Here is an example of this design rationale in effect:image

In the example above we have created a filter for

((Name starts with ‘t’) OR (Name starts with ‘a’)) AND (Type = User) AND (Free-text contains ‘hund’)

We do not allow you change the Boolean operators, and we do not allow you change the attribute once it has been added. you can remove a criteria (click the red x) and add new attributes. We do not allow you change the Boolean operators or change the attribute because that way we can take care of grouping automatically and prevent filters where you get the too much due to wrongly grouped ORs (the Cartesian product) or nothing at all due to wrongly placed ANDs.

On one hand we have avoided the raw Boolean logic exposed in products such as Winamp which we know most people have a really hard time getting right, and on the other hand we have avoided jumping through hoops as Itunes does or created a design that is inherently limited as Zune has done. 

We also have created a design that can take care of about 95% of the scenarios. And if 95% is too little there is room to improve it through rules that target special cases where a set of criteria across different attributes should be OR’ed. We don’t ship any of those in Active Directory Administrative Center. We could not come up with any even through extensive user testing.

What about the last 5%?

The Active Directory team has put a lot of effort into PowerShell in Windows Server 2008 R2 so if you need a really advanced filter you can always go to command line. The alternative would be to make a GUI design that covers all cases, but honestly, I don’t believe we could do that and still keep it usable. This is a trade-off, but by not designing for all edge cases we also don’t pollute the experience for the majority of people using the application.

A little more on this specific Design

I am sure you could implement the core design idea differently and still get a great design. The following covers some specific choices we made for this implementation of the idea.

To get the query shown above we first selected Name and Type



…and then added Name again…


The new criteria is inserted under the existing criteria for Name and indented and OR’ed.


This may seem like a round-about way of adding the same attribute twice, but we chose to do it this first of all because we believe most filters will only use the same attribute once, and second because this allows us to insert the second instance of an attribute at the right spot and hence both take care of grouping and get it to visually line up without having to move criteria around after you have already interacted with them.

If you are an Active Directory admin you may very well be working across multiple domains. If you have 2 domains, say ‘Corp’ and ‘Sub’ and you want to find users with expired accounts in the User OU of either domain, you can create the query anywhere, save it and reapply it in a different OU:


I hope you have enjoyed reading about filtering as much as I have enjoyed designing for it and writing about it and if you have comments or questions, please leave them here or catch me at Twitter @rulerbreaker.


Like all other designs this was a team effort.  A lot of people from our UX team (Twitter @MS_ITPro_UX) have contributed and it should go without saying that so have the great Program Mangers, Developers, and Testers who have worked on this.

Active Directory Administrative Center will ship as part of Windows Server 2008 R2 which means it is not out yet but has been presented at TEC and will also be touched upon at TechEd 2009 (session SIA326 “What Windows Server 2008 R2 Does for Your Active Directory”).


  1. You've made some impressive improvements to the filtering mechanism.

    Out of curiosity, what was the reason for making the drop-downs look like links? Is this a standard MS UI pattern?

    Also, did you experiment with placing the drop-downs inside sentences?

    Your example includes a filtering declaration that is "and user accounts in this state: disabled".

    I'm guessing you tested "and /disabled/ user accounts", but assume you found that it didn't work out in practice.

    If you could share some details on your findings here, I'd be much obliged.

  2. Hi Fredrik,

    First to the question of the sentence structure. It was mainly a question of localisation/translation. We originally had the link all over in the sentences, but we got feedback from localisation that even though we provided a way for them to move the words around it simply would not work across all languages.

    As for the dropdowns being links. No, it is not really a MS standard. It is a combination of looking like the links in Outlook rules and of the visual desing of dropdowns being rather heavy. We felt that embedding dropdowns in sentences just did not read very well. It tests just fine but the reasoning is not more scientific than that. Behind the scenes they actually are dropdowns, so they are keyboard accessible just as a normal dropdown would be.


  3. Thanks for sharing your findings.

    In an ideal world, would you spend the required resources on making this dialog work properly in the various languages?

    Your link-as-drop-down explanation makes sense. Personally I'd prefer the fake drop-downs used on eBay, delicious etc, for their appearance, but I assume that custom drop-down styling would introduce extra costs that are hard to defend against.

    Keep up the good work!

  4. With regards to localisation. I don't know how to make it work differently across all languages without more or less redesigning it per language. I don't think the cost would outweigh the benefits. I can see making a Chinese and Arabic special dialog maybe, but I am not sure it would be worth it. Mostly I am just not sure.

    Can you show me one of the fake dropdowns you are talking about? I am not sure what you are referring to. I am looking at Ebay and all their dropdowns look like dropdowns.

    Thanks for all your feedback! It is very helpful to think through these problems again :)

  5. Hi Christian,

    with regards to "fake" drop-downs, I was merely referring to the use of non-HTML dropdowns at eBay and other places. You're already using this kind of visually embellished drop-downs in your filtering panel.

    One possible improvement is to turn the links in your filter panel into buttons onMouseOver. You could also use an embellishment different from underlined blue text to amplify the difference between what the link-drop-downs in your panel and hyperlinks online.

    However, as this is an app that will be used again and again, people will most likely learn this behavior and not think about it again, so it's no biggie.

    One localization question: if I assume that a very large proportion of users will see only the English version of this panel, would it have made sense to use the "and /disabled/ user accounts" pattern in the English version only, and do what you've done in all the other languages?

    It's simpler for, say, 50% of the users and a *little* more complex for the localization team. But that's mostly a theoretical question :-)