Getting More out of Active Directory
Go ahead -- you can call 'em the "5 Golden Truths of Active Directory"
- By Brandon Woo
- January 01, 2006
When you've been in the business of helping companies build and develop
their IT infrastructures for a while, certain truths become obvious, such
as the fact that Microsoft applications and operating systems are here
to stay. Despite the shortcomings many talk about, customers will continue
to standardize around the software giant's products for the foreseeable
In my company's experience working with many IT staffs that concentrate
on Microsoft products, we've found that, generally speaking, its software is easy
to use out of the box.
Still, there are many truths of the trade that come with experience.
If I had my way, they would be posted in every IT manager's cube. As a
step in that direction, I offer a few of them here.
1. There is almost always something else for which you could be using
Active Directory (AD) and Microsoft Group Policy. All of us install
products that we never fully utilize, and the functionality built into
AD is no different. Put more specifically, companies often do a lot manually
that they could automate using AD and Group Policy. For example, customers
often don't use the Group Policy Management Console to prohibit users
from running software, such as IM applications or Internet Explorer
plug-ins, that distracts them from their jobs (and, in the case of browser
plug-ins, adds attack surface to every workstation).
2. The user does not need to be an administrator for applications to
run well. When IT admins give end users free rein over their machines,
users often end up installing software that presents a security risk, and
anything they run, malware included, runs with their administrative rights.
The native controls offered by AD and Microsoft Group Policy can create
an environment in which all end-user applications operate correctly while
the security of each machine is not compromised by end-user admin-level
control. The best-case scenario, which is fully attainable, is for end
users not to notice that they lack admin-level control unless
they are doing something they shouldn't be doing.
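A check that goes with this truth, added here as an example and not taken from the article or from any product it names: a PowerShell script that lists who actually holds membership in the local Administrators group on a workstation and flags anything outside an approved list. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember); the approved entries and the domain group name are placeholders for your environment.

```powershell
# Added example, not from the article. Audit local admin rights on this host.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember) and that the entries
# in $ApprovedAdmins are placeholders you replace with your own.

# Allow-list: the built-in Administrator account and one domain group that IT
# uses for support. Any other member of local Administrators is a finding.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    'CORP\Workstation Admins'        # placeholder domain group
)

function Get-UnapprovedLocalAdmins {
    param(
        [string[]]$Approved = $ApprovedAdmins
    )
    # Get-LocalGroupMember returns Name as DOMAIN\Name or COMPUTER\Name,
    # which is the form the allow-list uses. -notcontains is case-insensitive.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Member      = $_.Name
                ObjectClass = $_.ObjectClass        # User or Group
                Source      = $_.PrincipalSource    # Local, ActiveDirectory, ...
            }
        }
}

$findings = @(Get-UnapprovedLocalAdmins)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    # Non-zero exit so a scheduled task or management tool can flag the host.
    exit 1
}
Write-Output "No unapproved members of the local Administrators group on $env:COMPUTERNAME."
```

Running this from a scheduled task across the fleet tells you where point 2 is not yet true. To enforce the result rather than just report it, the Group Policy control is Restricted Groups (Computer Configuration > Windows Settings > Security Settings > Restricted Groups), which rewrites the local group's membership at each policy refresh to exactly the members you specify.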
3. Things change. Companies grow. New applications are released. But
most important, things happen that require a response from the IT department.
Manual fixes are time consuming and costly, especially when tools inherent
to AD can streamline the necessary alterations to machines. The beauty of
AD and Group Policy is that they let you make uniform changes to
the registry from a centralized position in the IT infrastructure, and
because those changes are delivered as policy, they are removed again when
the policy no longer applies instead of being left behind on each machine.
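Points 1 and 3 describe the same mechanism from two angles: a registry-based policy set once in a GPO and pushed to every workstation that the GPO covers. The following is an added example, not code from the article or from any product it names, that does this with the GroupPolicy PowerShell module for the two restrictions point 1 mentions (browser add-ons and an IM client). It assumes the module is available (RSAT or a domain controller) and that you have rights to create and link GPOs; the GPO name, the OU, and the IM executable name are placeholders. The registry keys are the ones the Windows and Internet Explorer administrative templates use for the named policy settings.

```powershell
# Added example, not from the article. Push two user-side restrictions through
# a GPO. Assumes the GroupPolicy module and GPO edit/link rights.
# $GpoName, $TargetOU and the IM executable name are placeholders.
Import-Module GroupPolicy

$GpoName  = 'Workstation Lockdown'                 # placeholder GPO name
$TargetOU = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU

# Create the GPO once and link it to the workstation OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Browser add-on and IM restrictions'
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# User Configuration > Administrative Templates > Windows Components >
# Internet Explorer > "Do not allow users to enable or disable add-ons".
# Values under HKCU\Software\Policies are true policies: standard users cannot
# edit them, and they are cleaned up when the GPO stops applying.
$ieKey = 'HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions'
Set-GPRegistryValue -Name $GpoName -Key $ieKey `
    -ValueName 'NoExtensionManagement' -Type DWord -Value 1 | Out-Null

# User Configuration > Administrative Templates > System >
# "Don't run specified Windows applications". This matches on file name only,
# so it deters casual use but is not a security boundary: renaming the binary
# gets past it. Software Restriction Policies are the stronger control.
$runKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $GpoName -Key $runKey `
    -ValueName 'DisallowRun' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$runKey\DisallowRun" `
    -ValueName '1' -Type String -Value 'msnmsgr.exe' | Out-Null   # placeholder IM client

# Read the settings back so you can see exactly what the GPO will push.
Get-GPRegistryValue -Name $GpoName -Key $ieKey -ValueName 'NoExtensionManagement' |
    Select-Object FullKeyPath, ValueName, Type, Value
Get-GPRegistryValue -Name $GpoName -Key "$runKey\DisallowRun" |
    Select-Object FullKeyPath, ValueName, Value

# On a client, after "gpupdate /target:user /force", confirm the value landed:
# Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions" -Name NoExtensionManagement
```

The read-back at the end is worth keeping in any such script: what you intended to set and what the GPO actually contains can drift, and Get-GPRegistryValue shows the stored state rather than the last command you typed.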
4. Tools exist to help you do more. AD and Microsoft Group Policy
provide a lot of functionality, but they can't do everything. For example,
out of the box Group Policy manages only the designated policy keys in the
registry; reaching other keys means writing custom administrative templates,
and values written outside the policy keys stay behind ("tattoo" the machine)
when the policy is removed. Fortunately
for IT administrators and Microsoft integrators, a whole market of products
exists to make it easier to harness the power of such Microsoft features.
For example, we use Desktop Authority from ScriptLogic Corp. to map user machines to specific
printers at user login or to control drive mappings. Desktop Authority's
interface is clean and intuitive, and so the process of setting policies
regarding specific registry settings is not hard at all. ScriptLogic's
well-known desktop management solution removes the need for handwritten
scripts and provides a seamless method for capitalizing on the Group Policy
Management tools within Microsoft systems.
Similarly, tools like the free KiXtart
can provide logon scripting functionality for computers in a Windows network.
The KiXtart free-format scripting language can be used to display information,
set environment variables, start programs, connect to network drives,
and read or edit the registry. And solutions such as triCerat Inc.'s ScrewDrivers
can be used to manage printer drivers on Terminal Server and Citrix Systems
Inc. MetaFrame environments.
5. It's all about the users. Whatever process or solution works
best for you or for your customers, remember that the IT infrastructure
exists to make people more productive. This means making the end-user
environment convenient and easy to use for business functions, streamlining
the experience so it is familiar and consistent regardless of where an
employee works, and putting in place technical controls that discourage users (including
IT staff) from distractions that hinder productivity.
In almost every one of our engagements, my firm puts in place a process
to lock down workstations so that they meet this goal and remain secure.
Using tools from Microsoft and select third-party companies gives us easy
access to the powerful security capabilities available in Microsoft applications
Brandon Woo is a systems engineer at Mainstream Networks Inc., an IT reseller specializing in training, consulting, network design and implementation, installation and technical support.