In-Depth

User Administrators: More Efficient Management

.NET sports features that'll streamline lower-level admin tasks.

• By Bill Boswell
• 11/01/2002

If you work with AD Users and Computers in Win2K to do your daily account operations, I'm sure you'll agree that it's functional but not very efficient, especially if you manage thousands of users. The new AD Users and Computers console simplifies your work by making it possible to drag and drop to move objects between containers and change the properties of multiple objects at the same time. For example, when a new manager takes over for the Sales department, you can highlight all users in that department and change the Managed By attribute.

AD Users and Computers has another nifty addition that simplifies managing diverse users in the same container. You can now create custom LDAP queries that can be saved for repeated use. For example, you might have a single OU for all users in a particular office, but you want to select collections of users by their department, manager, building number, title, or so forth. You can do this very quickly using the LDAP query builder in .NET. Each time you click on the saved query, the list is created dynamically.

Also See: The Shadow-Copy Knows (Back to ".NET Leap of Faith")

.NET also resolves a usability problem with Win2K AD object management. In Win2K, if you have lots of users and groups and computers, you'll find out very quickly that the user interface only displays a limited number of the available objects, and the list seems to be in an arbitrary order. This becomes apparent when you want to select users to add to a group or place on the ACL for a file or folder. .NET implements a new LDAP control called Virtual List Views that executes the entire LDAP query at the server, sorts the resulting collection in alphabetical order, then delivers items from the collection in bunches so that you can scroll down the list seamlessly at your workstation. You can easily change the number of items in any given bunch from the user interface.

The console improvements are a welcome addition in .NET, but if you want to get some serious work done and not fool with the user interface, you'll appreciate all the new command-line tools in .NET. For example, .NET has a new credentials storage feature that permits caching of logon names and passwords used to connect with standalone servers. This simplifies managing standalone servers in a DMZ, for example. Control Panel has an applet for defining alternate credentials for a server, but instead, you can elect to make connection to the server with the NET USE command and include the new /Savecred switch, for example, net use * \\server1.company.com\sharepoint /savecred. The system prompts for a name and password, then stores the credentials in the credentials cache. The next time you touch a file share on the server, even after restarting your workstation, you're automatically logged on using those cached credentials. A new CMDKEY command places credentials directly in the cache if you don't want to make a connection with NET USE. The CMDKEY utility has a /smartcard switch, which tells the system to look for a smart token then next time you connect to the target server.

You also get more control over what runs on the desktops. .NET continues the precedent set by Win2K of controlling the lion's share of desktop settings using group policies. To simplify group policy management, .NET includes an integrated Resultant Set of Policies (RSoP) calculator, a feature first introduced by FullArmor Corp in FAZAM 2000. The RSoP calculator lists the computer and user policies that should appear at a desktop or server depending on the OUs, domain, and site that host a particular user and computer account.

In addition to the nine group policy types supported by Win2K, .NET Server adds 802.1x Wireless policies for managing secure wireless communication, Quality of Service (QoS) Packet Scheduler policies that control tagging for streaming media and VoIP (Voice over IP), and Software Restriction policies. Using Software Restrictions, you can take granular control over the applications permitted to run your desktops. For example, if you don't want users to load a particularly obnoxious game, you can identify the executable in a Software Restriction policy using a unique hash. Any user who falls under the scope of the policy gets an error when they try to launch the program. You can use software restrictions to limit access to all sorts of executable files, including scripts and ISAPI extensions buried in e-mail messages.

In addition to targeting group policies by container and group, .NET permits you to target policies using the result of WMI queries. With WMI, you can identify particular hardware and use that identification to control application of computer policies.

With all these new policies to play with, it can sometimes get challenging to find the one particular policy you're looking for. The GPO Editor in .NET includes a display filter that selects policies based on the operating system platform they're intended to manage. For example, you can filter out all policies from the display except for those intended specifically for .NET servers.

If you want to avoid supporting desktops completely and run thin clients instead, you'll like the improvements in the Remote Desktop Protocol (RDP) that ships with .NET and XP. RDP 5.2 in .NET supports 24-bit color, native clipboard redirection, native client drive and printer redirection, bandwidth throttling for dial-up connections, smart card logon, and time zone redirection. You might even save a little money if you don't need more than two processors because .NET Standard Server supports application sharing; you'll need at least one .NET Enterprise Server if you want to build a terminal server farm using network load balancing.