At the widget company that I converted from NT4 to 2K the reason was simply self-preservation. The NT4 architecture was ready to blow at any second due to size; we were running with 80k users in a single domain, 75k users in another, 60k in yet another. Obviously the domain structures were ready to collapse at any time.

However once done, the automatic benefits of additional stability and delegation were well worth the move on their own, even if the users didn't have anything to point at besides a possibly perceived stability increase [1].

Basically I am saying I agree with Neal. Users shouldn't even be aware of the underlying infrastructure, let alone be sold on the benefits. In infrastructure ops positions I tend to say that the better things run, the less people know you and the things you work on exist.

It isn't usually necessary to "invent" ways to use AD; things will crop up. Some ideas though:

The first thing I would do is start ripping away native permissions from everyone but a couple of Ent Admins (say 3 or 4 tops) and everyone else gets by with delegated permissions; much easier to start that way versus trying to clean it up later. Goal: better security and enterprise stability. A strong step towards change control.

The next thing would be to start populating AD with object lifecycle management information. This includes object owners, review dates on when the owner has to say the object is still in use, expiration dates on when objects should be removed, etc. Again much easier to start that early versus later. Goal: a cleaner, happier NOS directory without baggage.

Populate the organizational management structures, location info, contact info, etc. and set up a web site to allow creation of org charts and display user info. Don't store the pics in the directory; store them in a SQL Server or someplace else. Alternatively, stick all this info into AD/AM and leverage AD auth to access the info. Check to see if the Polyarchy stuff ever made it into a production setup in MIIS; that is an amazing way to display that info.

If you have multiple platforms, look to start using Kerberos on them so you can have single sign-on. Users should really notice this if they don't have it.

Look at how or even if GPOs should be used for controlling machines and user experience.

Publish printer and shared folder information.

Set up a web based self password reset/unlock system. See MIIS functionality or MTEC's PSYNCH. This could be done under NT4 as well but is more secure I think under AD due to giving out delegated rights to do the work.

Deploy Exchange 2003.

joe

[1] It couldn't be anything but perceived on the users' side unless they were monitoring availability and performance, which would be a stretch for those users.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Wednesday, June 01, 2005 5:21 AM
To: '[email protected]'
Subject: RE: [ActiveDir] Enhancement Question

It's funny how people approach AD this way - i.e. deploy and look to justify its existence thereafter :)

When AD was designed and a business case was created, what were the perceived benefits back then? Why not try to create additional benefit along those lines?

We all have different reasons for deploying AD - to some it's simply an upgrade, to others it's seen as a way to simplify / improve the Windows environment in many different ways. Identify your initial reasons for deploying AD and then build from there.

For the record, I would argue that the end user need not see real, tangible benefits in order that AD be seen to benefit the business itself. The real benefits are normally less tangible.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: 31 May 2005 16:05
To: '[email protected]'
Subject: [ActiveDir] Enhancement Question

This is an odd question. We have just about finished up rolling out AD 2003 (from an NT domain) and I have been charged with finding "several ways to utilize Active Directory to optimize the management of our applications and infrastructure. At least one of the solutions should enhance functionality directly for the user community." I'm having problems finding ways to enhance functionality for the end-users.
Besides tying the AD into one of our outsourced web based applications to reduce their password count, I'm stretching. I know of a number of management and infrastructure enhancements that could be made, but none enhance the functionality of our end-users to a point where they will notice it and say "Wow, now that's cool". Does anyone know of a location where I can get ideas on this topic?

Increased security, stability, management. These core things are not seen by the end-user even though they directly affect them. I need to find something that the end-users will like to see and something that benefits them. I'm just coming up blank on this. In the past, I have always been instructed to use AD in ways that the end-user doesn't notice but increases the functionality.

Thanks,
Charlie

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
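joe's lifecycle-metadata suggestion (owner, review date, expiry date on each object, then a periodic report of what is overdue), as an added example that is not part of the thread. It assumes the ActiveDirectory PowerShell module and two hypothetical schema-extended string attributes, reviewDate and expiryDate; managedBy is a real AD attribute, and the OU path is a placeholder.

```powershell
# Added example, not from the thread: stamp AD objects with the lifecycle
# data joe describes (owner, review date, expiry date) and report the ones
# that are overdue. Assumes the ActiveDirectory module, and that the schema
# has been extended with two hypothetical string attributes, 'reviewDate'
# and 'expiryDate' (yyyy-MM-dd). 'managedBy' is a real AD attribute.
Import-Module ActiveDirectory

$ReviewAttr = 'reviewDate'   # hypothetical schema extension
$ExpiryAttr = 'expiryDate'   # hypothetical schema extension

function Set-LifecycleStamp {
    param(
        [Parameter(Mandatory)] [string] $Identity,   # DN or objectGUID
        [Parameter(Mandatory)] [string] $OwnerDn,    # DN of the owning account
        [int] $ReviewInDays = 180,
        [int] $ExpireInDays = 365
    )
    $now = Get-Date
    # -Replace overwrites any earlier stamp; the owner goes in managedBy.
    Set-ADObject -Identity $Identity -Replace @{
        managedBy   = $OwnerDn
        $ReviewAttr = $now.AddDays($ReviewInDays).ToString('yyyy-MM-dd')
        $ExpiryAttr = $now.AddDays($ExpireInDays).ToString('yyyy-MM-dd')
    }
}

function Get-LifecycleReport {
    param([Parameter(Mandatory)] [string] $SearchBase)   # OU to audit
    $today = Get-Date
    # Anything carrying a review date is in scope; unstamped objects are a
    # separate clean-up job (they predate the lifecycle policy).
    $objs = Get-ADObject -LDAPFilter "($ReviewAttr=*)" -SearchBase $SearchBase `
        -Properties managedBy, $ReviewAttr, $ExpiryAttr
    foreach ($o in $objs) {
        $review = [datetime]::ParseExact($o.$ReviewAttr, 'yyyy-MM-dd', $null)
        $expiry = if ($o.$ExpiryAttr) {
            [datetime]::ParseExact($o.$ExpiryAttr, 'yyyy-MM-dd', $null) }
        [pscustomobject]@{
            DistinguishedName = $o.DistinguishedName
            Owner             = $o.managedBy
            OwnerMissing      = -not $o.managedBy
            ReviewOverdue     = $review -lt $today
            Expired           = ($null -ne $expiry) -and ($expiry -lt $today)
        }
    }
}

# Usage: list what the owners need to act on before anything is deleted.
Get-LifecycleReport -SearchBase 'OU=Groups,DC=example,DC=com' |
    Where-Object { $_.OwnerMissing -or $_.ReviewOverdue -or $_.Expired } |
    Format-Table -AutoSize
```

Objects with no managedBy value surface in the same report, which is the quickest way to find the baggage joe warns about before it accumulates.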
