--------------------------------------------------------------------
SearchWin2000.com's Active Directory Tip
--------------------------------------------------------------------
TODAY'S AD TIP: Using groups to administer AD resources
====================================================================

"Using groups to administer AD resources"
By Kevin R. Sharp

Groups are Active Directory objects designed to make a network administrator's life easier. They are used to manage and grant access to shared resources, create e-mail distribution lists, and filter Group Policy. They differ from organizational units in that a group can contain users, computers, and shared resources that may reside on a single server, within a single domain, or on multiple domains in a forest. Organizational units contain objects within the context of a single domain. For details, including group nesting, scope, and the differences in group operation under native vs. mixed mode domain controllers, see http://msdn.microsoft.com/library/default.asp?URL=/library/psdk/adsi/glgroup_8cxl.htm

Let's say you have a large sales department consisting of "reps" and "management" users. Everyone in the department will need access to certain resources, like print queues and distribution lists, while only "management" users should be granted access to some objects. These users can best be managed through groups of type "security."

First, create a department group named "sales". You'll need to assign a common name and set the group type to one of:

    ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED
    ADS_GROUP_TYPE_GLOBAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED
    ADS_GROUP_TYPE_UNIVERSAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED

Note that the last of these scopes (universal) is only supported on Win 2000 domains in native mode. Code to create the group can be found at http://msdn.microsoft.com/library/default.asp?URL=/library/psdk/adsi/glgroup_1kq8.htm

Repeat the process to create a "reps" group and a "management" group.

Add members to their proper group (reps or management) using IADsGroup::Add (see http://msdn.microsoft.com/library/psdk/adsi/if_pers_8ulg.htm). To add the user "jdoe" to the group "reps" on domain "TechTarget" using Windows NT provider services:

    ' Bind to the "reps" group through the WinNT provider
    Dim grp As IADsGroup
    Set grp = GetObject("WinNT://Techtarget/reps")
    ' Add the user account, identified by its ADsPath, to the group
    grp.Add ("WinNT://Techtarget/jdoe")

For snippets using LDAP provider services or C++, see http://msdn.microsoft.com/library/psdk/adsi/if_pers_8ulg.htm

Repeat the process to add the reps and management groups to the sales group.

You can now control access to data and resources through the groups instead of setting permissions for individual users. Print queues, for example, might grant access to the sales group, and therefore be available to all department personnel. Some distribution lists (another type of group) might be available only to reps, while other resources can be available only to management. When a new sales rep is hired, adding the new user account to the reps group will automatically provide the person with all the authorization to which they are entitled.

--------------------------------------------------------------------
Kevin Sharp is a registered professional engineer and writer living in Tucson, Arizona who gains his expertise from a variety of professional activities.
His engineering outlets include Web consulting for ID Systems Magazine, focusing on the fulfillment side of electronic commerce.
====================================================================
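The group setup the tip describes (create "sales", "reps" and "management" as security groups, then nest the two role groups in the department group), written out through the LDAP provider. This is an added example, not code from the newsletter or from MSDN. The OU path, the helper name NewSecurityGroup and the choice of domain local scope for "sales" with global scope for the role groups are assumptions made for the illustration.

```vbscript
Option Explicit

' ADS_GROUP_TYPE_ENUM flag values (the names the tip lists).
Const ADS_GROUP_TYPE_GLOBAL_GROUP       = &H2
Const ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = &H4
Const ADS_GROUP_TYPE_SECURITY_ENABLED   = &H80000000

' Assumed container DN; replace with an OU in your own domain.
Const SALES_OU = "OU=Sales,DC=techtarget,DC=example"

' Hypothetical helper: create one security group of the given scope.
Function NewSecurityGroup(container, name, scopeFlag)
    Dim grp
    Set grp = container.Create("group", "CN=" & name)
    grp.Put "sAMAccountName", name
    grp.Put "groupType", scopeFlag Or ADS_GROUP_TYPE_SECURITY_ENABLED
    grp.SetInfo                       ' commit the new object to the directory
    Set NewSecurityGroup = grp
End Function

Dim ou, sales, reps, mgmt, member
Set ou = GetObject("LDAP://" & SALES_OU)

' Assumed scope choice: role groups are global, the department group is
' domain local, a combination that nests in mixed mode as well as native mode.
Set reps  = NewSecurityGroup(ou, "reps", ADS_GROUP_TYPE_GLOBAL_GROUP)
Set mgmt  = NewSecurityGroup(ou, "management", ADS_GROUP_TYPE_GLOBAL_GROUP)
Set sales = NewSecurityGroup(ou, "sales", ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP)

' Nest the role groups inside the department group.
sales.Add reps.ADsPath
sales.Add mgmt.ADsPath

' Read the membership back so the nesting can be checked before any
' permissions are granted to "sales".
For Each member In sales.Members
    WScript.Echo member.Class & vbTab & member.ADsPath
Next
```

Run it with cscript.exe under an account that has been delegated the right to create groups in the chosen OU.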
