User Administrators: More Efficient Management
.NET sports features that'll streamline lower-level admin tasks.
- By Bill Boswell
If you work with AD Users and Computers in Win2K to do your daily account
operations, I'm sure you'll agree that it's functional but not very efficient,
especially if you manage thousands of users. The new AD Users and Computers
console simplifies your work by making it possible to drag and drop to
move objects between containers and change the properties of multiple
objects at the same time. For example, when a new manager takes over for
the Sales department, you can highlight all users in that department and
change the Managed By attribute.
AD Users and Computers has another nifty addition that simplifies managing
diverse users in the same container. You can now create custom LDAP queries
that can be saved for repeated use. For example, you might have a single
OU for all users in a particular office, but you want to select collections
of users by their department, manager, building number, title, or so forth.
You can do this very quickly using the LDAP query builder in .NET. Each
time you click on the saved query, the list is created dynamically.
.NET also resolves a usability problem with Win2K AD object management.
In Win2K, if you have lots of users and groups and computers, you'll find
out very quickly that the user interface only displays a limited number
of the available objects, and the list seems to be in an arbitrary order.
This becomes apparent when you want to select users to add to a group
or place on the ACL for a file or folder. .NET implements a new LDAP control
called Virtual List Views that executes the entire LDAP query at the server,
sorts the resulting collection in alphabetical order, then delivers items
from the collection in bunches so that you can scroll down the list seamlessly
at your workstation. You can easily change the number of items in any
given bunch from the user interface.
The console improvements are a welcome addition in .NET, but if you want
to get some serious work done and not fool with the user interface, you'll
appreciate all the new command-line tools in .NET. For example, .NET has
a new credentials storage feature that permits caching of logon names
and passwords used to connect with standalone servers. This simplifies
managing standalone servers in a DMZ, for example. Control Panel has an
applet for defining alternate credentials for a server, but instead, you
can elect to make connection to the server with the NET USE command and
include the new /Savecred switch, for example, net use * \\server1.company.com\sharepoint
/savecred. The system prompts for a name and password, then stores the
credentials in the credentials cache. The next time you touch a file share
on the server, even after restarting your workstation, you're automatically
logged on using those cached credentials. A new CMDKEY command places
credentials directly in the cache if you don't want to make a connection
with NET USE. The CMDKEY utility has a /smartcard switch, which tells
the system to look for a smart token then next time you connect to the
You also get more control over what runs on the desktops. .NET continues
the precedent set by Win2K of controlling the lion's share of desktop
settings using group policies. To simplify group policy management, .NET
includes an integrated Resultant Set of Policies (RSoP) calculator, a
feature first introduced by FullArmor Corp in FAZAM 2000. The RSoP calculator
lists the computer and user policies that should appear at a desktop or
server depending on the OUs, domain, and site that host a particular user
and computer account.
In addition to the nine group policy types supported by Win2K, .NET Server
adds 802.1x Wireless policies for managing secure wireless communication,
Quality of Service (QoS) Packet Scheduler policies that control tagging
for streaming media and VoIP (Voice over IP), and Software Restriction
policies. Using Software Restrictions, you can take granular control over
the applications permitted to run your desktops. For example, if you don't
want users to load a particularly obnoxious game, you can identify the
executable in a Software Restriction policy using a unique hash. Any user
who falls under the scope of the policy gets an error when they try to
launch the program. You can use software restrictions to limit access
to all sorts of executable files, including scripts and ISAPI extensions
buried in e-mail messages.
In addition to targeting group policies by container and group, .NET
permits you to target policies using the result of WMI queries. With WMI,
you can identify particular hardware and use that identification to control
application of computer policies.
With all these new policies to play with, it can sometimes get challenging
to find the one particular policy you're looking for. The GPO Editor in
.NET includes a display filter that selects policies based on the operating
system platform they're intended to manage. For example, you can filter
out all policies from the display except for those intended specifically
for .NET servers.
If you want to avoid supporting desktops completely and run thin clients
instead, you'll like the improvements in the Remote Desktop Protocol (RDP)
that ships with .NET and XP. RDP 5.2 in .NET supports 24-bit color, native
clipboard redirection, native client drive and printer redirection, bandwidth
throttling for dial-up connections, smart card logon, and time zone redirection.
You might even save a little money if you don't need more than two processors
because .NET Standard Server supports application sharing; you'll need
at least one .NET Enterprise Server if you want to build a terminal server
farm using network load balancing.
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.