Partner View

Getting More out of Active Directory

Go ahead -- you can call 'em the "5 Golden Truths of Active Directory"

• By Brandon Woo
• January 01, 2006

In my company's experience of working with many IT staffs that concentrate on Microsoft, we've found that, typically speaking, its software is easy to use out of the box.

Still, there are many truths of the trade that come with experience. If I had my way, they would be posted in every IT manager's cube. As a step in that direction, I offer a few of them here.

1. There is almost always something else for which you could be using Active Directory (AD) and Microsoft Group Policy. All of us install products that we never fully utilize. The inherent functionality within AD is no different. Put more specifically, companies often do a lot manually that they could automate using AD and Group Policy. For example, customers often don't use the Group Policy Management Console to prohibit users from using computer functions, such as IM applications or Internet Explorer plug-ins, that distract them from their jobs.

2. The user does not need to be the administrator to make applications run best. When IT admins let end users have full rein over their machines, users often end up downloading products that present a security risk. The native controls offered by AD and Microsoft Group Policy can create an environment in which all end-user applications operate correctly and the security of each machine is not compromised by end-user admin-level control. The best case scenario, which is fully attainable, is for end users to not even notice they do not have admin-level control, unless they are doing something they shouldn't be doing.

3. Things change. Companies grow. New applications are released. But most important, things happen that require a response from the IT department. Manual fixes are time consuming and costly, especially when tools inherent to AD can streamline necessary alterations to machines. The beauty of AD and Group Policy is that they enable you to make uniform changes to the registry from a centralized position in the IT infrastructure.

4. Tools exist to help you do more. AD and Microsoft Group Policy provide a lot of functionality, but they can't do everything. For example, you can't use Group Policy to affect certain parts of the registry. Fortunately for IT administrators and Microsoft integrators, a whole market of products exists to make it easier to harness the power of such Microsoft features.

For example, we use Desktop Authority from ScriptLogic Corp. to map user machines to specific printers at user login or to control drive mappings. Desktop Authority's interface is clean and intuitive, and so the process of setting policies regarding specific registry settings is not hard at all. ScriptLogic's well-known desktop management solution removes the need for handwritten scripts and provides a seamless method for capitalizing on the Group Policy Management tools within Microsoft systems.

Similarly, tools like the open source KiXtart can provide logon scripting functionality for computers in a Windows network. The KiXtart free-format scripting language can be used to display information, set environment variables, start programs, connect to network drives, and read or edit the registry. And solutions such as triCerat Inc.'s ScrewDrivers can be used to manage printer drivers on Terminal Server and Citrix Systems Inc. MetaFrame environments.

5. It's all about the users. Whatever process or solution works best for you or for your customers, remember that the IT infrastructure exists to make people more productive. This means making the end-user environment convenient and easy-to-use for business functions, streamlining the experience so it is familiar and consistent regardless of where an employee works, and creating virtual methods to discourage users (including IT staff) from distractions that hinder productivity.

In almost every one of our engagements, my firm puts in place a process to lock down workstations so that they meet this goal and remain secure. Using tools from Microsoft and select third-party companies gives us easy access to the powerful security capabilities available in Microsoft applications and OSes.