Summary

Using the ADSI LDAP service provider, you can programmatically manipulate Active Directory objects, attributes, and security descriptors in Windows 2000.

When building a binding string, consider starting from RootDSE, which reports the default naming context (the distinguished name of the domain the current session is logged on to) together with the configuration and schema naming contexts. Because a serverless RootDSE bind runs under the caller's own security context, it lets a user perform administration without supplying alternate credentials or hard-coding domain names into the script.

Using the IADsOpenDSObject interface, you can bind to the Active Directory with alternate credentials and specify the type of authentication to be used. This can be handy for managing domains in other forests or for temporarily elevating the privilege of an operation without user intervention. Two cautions apply. A script that binds this way carries a credential, so protect and scope it accordingly. And the authentication flags matter: ask for ADS_SECURE_AUTHENTICATION, ideally with ADS_USE_SIGNING and ADS_USE_SEALING or ADS_USE_ENCRYPTION, because a simple bind sends the password over the network in clear text.
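Both binding techniques above, as an added example that is not code from the book, written in PowerShell, which reaches the same LDAP: provider through the [ADSI] type accelerator and the System.DirectoryServices wrapper (DirectoryEntry's constructor with credentials and AuthenticationTypes is the .NET counterpart of IADsOpenDSObject::OpenDSObject). It assumes a domain-joined host; the server dc01.other.example, the DN DC=other,DC=example and the prompted credential are placeholders.

```powershell
# Added example, not from the book. Assumes a domain-joined host that can reach a DC
# for the logon domain; the remote server name, target DN and credential are placeholders.
Add-Type -AssemblyName System.DirectoryServices

# 1. Serverless RootDSE bind: runs as the calling user, no credential in the script.
#    RootDSE is not a stored object; the DC synthesizes it to describe itself.
$rootDse   = [ADSI]"LDAP://RootDSE"
$defaultNc = $rootDse.Get("defaultNamingContext")         # e.g. DC=corp,DC=example
$configNc  = $rootDse.Get("configurationNamingContext")   # CN=Configuration,...
$schemaNc  = $rootDse.Get("schemaNamingContext")          # CN=Schema,CN=Configuration,...
$dcName    = $rootDse.Get("dnsHostName")                  # the DC the locator picked

# Build binding strings from what the DC reported instead of hard-coding DNs.
$domainRoot = [ADSI]"LDAP://$defaultNc"
"Bound as current user to $($domainRoot.Get('distinguishedName')) via $dcName"
"Schema lives at $schemaNc, configuration at $configNc"

# 2. Alternate credentials. AuthenticationTypes maps onto ADS_AUTHENTICATION_ENUM:
#    Secure  = ADS_SECURE_AUTHENTICATION (Kerberos/NTLM, never a plaintext simple bind)
#    Signing = ADS_USE_SIGNING, Sealing = ADS_USE_SEALING (integrity and encryption of the session)
#    Without Secure, a username/password bind is sent in clear unless SecureSocketsLayer is set.
$cred = Get-Credential -Message "Account for the other forest (placeholder)"
$path = "LDAP://dc01.other.example/DC=other,DC=example"     # placeholder server and DN

$authType = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
            [System.DirectoryServices.AuthenticationTypes]::Signing -bor
            [System.DirectoryServices.AuthenticationTypes]::Sealing

$remote = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList `
    $path, $cred.UserName, $cred.GetNetworkCredential().Password, $authType

# Force the bind now so an authentication failure surfaces here, not on the first property read.
try {
    $remote.psbase.RefreshCache()
    "Bound with alternate credentials to $($remote.Get('distinguishedName'))"
}
catch {
    "Bind to $path failed: $($_.Exception.Message)"
}
```

The credential object is used only for the one bind; nothing in the script stores the password, and the Secure flag keeps it off the wire.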

To aid performance and usability in large enterprise environments, Windows 2000 maintains a partial replica of every domain's directory data in the global catalog: every object, but only the attributes flagged for replication to the catalog (the partial attribute set). By binding to the global catalog with the GC: provider, you can perform a forest-wide search and read those attributes directly from the catalog. If the attribute you want is not in the global catalog, the catalog still returns the object's distinguished name, from which you can derive its home domain and bind there with the LDAP: provider to read the full object. The global catalog is read-only; writes always go through LDAP: to a domain controller of the object's own domain.
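The forest-wide search and the fall-back to the object's home domain, as an added PowerShell example that is not code from the book. It assumes a domain-joined host with a reachable global catalog server; the attribute used for the non-catalog case (employeeID) is a placeholder and is checked against the schema rather than assumed to be outside the partial attribute set.

```powershell
# Added example, not from the book. Assumes a domain-joined host in a forest with a
# reachable global catalog server. $wanted is a placeholder attribute name.
Add-Type -AssemblyName System.DirectoryServices

$rootDse  = [ADSI]"LDAP://RootDSE"
$forestNc = $rootDse.Get("rootDomainNamingContext")   # forest root, not the local domain
$schemaNc = $rootDse.Get("schemaNamingContext")

# The GC only carries attributes whose schema object has isMemberOfPartialAttributeSet = TRUE.
function Test-InPartialAttributeSet {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schema   = [ADSI]"LDAP://$schemaNc"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $schema
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    $null = $searcher.PropertiesToLoad.Add("ismemberofpartialattributeset")
    $hit  = $searcher.FindOne()
    if (-not $hit) { throw "'$LdapDisplayName' is not an attribute in this schema" }
    # The value is simply absent (not FALSE) for attributes outside the set.
    return [bool]($hit.Properties["ismemberofpartialattributeset"] | Select-Object -First 1)
}

# "CN=x,OU=y,DC=child,DC=corp,DC=example" -> "child.corp.example": the domain that holds
# the full (non-partial) copy of the object.
function Get-DomainDnsFromDn {
    param([Parameter(Mandatory)][string]$Dn)
    $dcParts = ($Dn -split ',(?=DC=)') | Where-Object { $_ -like 'DC=*' }
    return (($dcParts | ForEach-Object { $_.Substring(3) }) -join '.')
}

# Forest-wide query answered entirely from one GC server's partial replica (read-only).
$gcRoot   = [ADSI]"GC://$forestNc"
$searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $gcRoot
$searcher.Filter      = "(&(objectCategory=person)(objectClass=user)(mail=*))"
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.PageSize    = 1000       # paged results, so the server's 1000-entry limit does not truncate
$null = $searcher.PropertiesToLoad.AddRange(@("distinguishedname", "mail"))

$wanted = "employeeID"             # placeholder; in or out of the GC depending on the forest
$inGc   = Test-InPartialAttributeSet $wanted
if ($inGc) { $null = $searcher.PropertiesToLoad.Add($wanted.ToLower()) }

foreach ($result in $searcher.FindAll()) {
    $dn = [string]$result.Properties["distinguishedname"][0]
    if ($inGc) {
        $value  = $result.Properties[$wanted.ToLower()] | Select-Object -First 1
        $source = "GC"
    }
    else {
        # The catalog told us where the object lives; read the missing attribute there.
        $home   = Get-DomainDnsFromDn $dn
        $obj    = [ADSI]"LDAP://$home/$dn"
        $value  = $obj.psbase.Properties[$wanted].Value   # $null when unset, no exception
        $source = "LDAP ($home)"
    }
    "{0,-55} {1,-25} {2}" -f $dn, $source, $value
}
```

Checking the schema first avoids a per-object LDAP round trip to every home domain when the attribute was in the catalog all along.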

By simply changing the object class passed to a generic object creation routine, you can create directory entries of any type. This assumes, of course, that you set every mandatory attribute for that class before calling SetInfo to write the object; otherwise the write fails. An object's class is also what the IADsContainer Filter property keys on, so you can return only a specific subset of a container's children when enumerating the directory.

Using the IADsDeleteOps interface, you can prune away entire branches of the directory structure in a single call, so verify the binding string before invoking it on a container. If you prefer not to delete an object but rather move it to a new location, you can use the IADsContainer MoveHere method, which moves an object, renames it, or does both at once.
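The object lifecycle described in the two paragraphs above (class-driven creation with mandatory attributes, filtering a container by class, moving and renaming, and pruning a branch), as one added PowerShell example that is not code from the book. It assumes the OUs OU=Staging and OU=Provisioned already exist in the logon domain and that the caller may create, move and delete objects there; the group and user values are placeholders, and the script deletes only what it created.

```powershell
# Added example, not from the book. Assumes two existing OUs (placeholders below) and an
# account allowed to create, move and delete objects under them.
Add-Type -AssemblyName System.DirectoryServices

$defaultNc = ([ADSI]"LDAP://RootDSE").Get("defaultNamingContext")
$staging   = [ADSI]"LDAP://OU=Staging,$defaultNc"          # assumed to exist
$work      = [ADSI]"LDAP://OU=Provisioned,$defaultNc"      # assumed to exist

# Generic creation: IADsContainer::Create(class, RDN). Only the class name and the set of
# mandatory attributes differ between object types; SetInfo() performs the actual write.
function New-AdsiObject {
    param(
        [Parameter(Mandatory)]$Container,
        [Parameter(Mandatory)][string]$Class,
        [Parameter(Mandatory)][string]$Rdn,
        [hashtable]$Attributes = @{}
    )
    $obj = $Container.Create($Class, $Rdn)
    foreach ($name in $Attributes.Keys) { $obj.Put($name, $Attributes[$name]) }
    $obj.SetInfo()      # throws here if a mandatory attribute (e.g. sAMAccountName) is missing
    return $obj
}

# The same routine, two classes. A user created this way is disabled and has no password
# until userAccountControl and the password are set in a later, separate step.
$group = New-AdsiObject $staging "group" "CN=Helpdesk-Staging" @{
    sAMAccountName = "Helpdesk-Staging"
    groupType      = -2147483646   # 0x80000002: ADS_GROUP_TYPE_GLOBAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED
}
$user = New-AdsiObject $staging "user" "CN=Jane Doe" @{
    sAMAccountName    = "jdoe"                     # mandatory for user objects
    userPrincipalName = "jdoe@corp.example"        # placeholder UPN suffix
    givenName         = "Jane"
    sn                = "Doe"
}

# IADsContainer::Filter (SchemaFilter in .NET) limits enumeration to the listed classes.
# Children returns a fresh collection on each access, so keep one reference.
$children = $staging.psbase.Children
$children.SchemaFilter.Add("user")
foreach ($child in $children) { "staged user: $($child.psbase.Path)" }

# IADsContainer::MoveHere(sourcePath, newRDN) moves and/or renames; .NET exposes it as
# MoveTo(newParent[, newName]). Omitting the name keeps the current RDN.
$user.psbase.MoveTo($work, "CN=Jane A. Doe")   # move and rename in one operation
$group.psbase.MoveTo($work)                     # move only

# IADsDeleteOps::DeleteObject(0) (.NET: DeleteTree) removes the object and every
# descendant in one call, so refuse to run unless the target sits where we expect.
function Remove-AdsiBranch {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$MustBeUnder)
    $target = [ADSI]$Path
    $dn     = $target.Get("distinguishedName")
    if ($dn -notlike "*,$MustBeUnder") { throw "Refusing to delete '$dn': not under $MustBeUnder" }
    $target.psbase.DeleteTree()
    return $dn
}
Remove-AdsiBranch -Path $user.psbase.Path  -MustBeUnder "OU=Provisioned,$defaultNc"
Remove-AdsiBranch -Path $group.psbase.Path -MustBeUnder "OU=Provisioned,$defaultNc"
```

The guard in Remove-AdsiBranch also refuses to delete the OU itself, since its DN does not end in ",OU=Provisioned,..."; pointing a tree delete at the wrong container is the classic way this interface does damage.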

Lastly, ADSI allows you to fully manipulate the security descriptor of objects in the Active Directory, either to secure a single object or to add an ACE that is inherited by all child objects. Setting an inheritable ACE on an OU whose inherited-object-type GUID is the schemaIDGuid of a class (say, user) and whose object-type GUID is the schemaIDGuid of an attribute or property set implements a delegation model that grants administration down to the attribute level: only objects of that class inherit the ACE, and the right it grants covers only that attribute.
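The attribute-level delegation just described, as an added PowerShell example that is not code from the book. It uses the .NET ActiveDirectorySecurity wrapper over the same ntSecurityDescriptor; each rule argument corresponds to an IADsAccessControlEntry property, named in the comments. The OU, the group CORP\Helpdesk-Phone-Editors and the delegated attribute telephoneNumber are placeholders; both schemaIDGuid values are looked up in the schema rather than hard-coded.

```powershell
# Added example, not from the book. Assumes an existing OU and group (placeholders below)
# and an account allowed to modify the OU's security descriptor. Grants write access to
# exactly one attribute on user objects beneath the OU, and nothing else.
Add-Type -AssemblyName System.DirectoryServices

$rootDse   = [ADSI]"LDAP://RootDSE"
$defaultNc = $rootDse.Get("defaultNamingContext")
$schemaNc  = $rootDse.Get("schemaNamingContext")

# Resolve schemaIDGUID from the schema partition for an attribute or a class.
function Get-SchemaIdGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schema   = [ADSI]"LDAP://$schemaNc"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $schema
    $searcher.Filter = "(&(|(objectClass=attributeSchema)(objectClass=classSchema))(lDAPDisplayName=$LdapDisplayName))"
    $null = $searcher.PropertiesToLoad.Add("schemaidguid")
    $hit  = $searcher.FindOne()
    if (-not $hit) { throw "No attribute or class named '$LdapDisplayName' in the schema" }
    return [guid]$hit.Properties["schemaidguid"][0]    # stored as a 16-byte octet string
}

$attributeGuid = Get-SchemaIdGuid "telephoneNumber"   # the one property that may be written
$userClassGuid = Get-SchemaIdGuid "user"              # the class of child object it applies to

$ou      = [ADSI]"LDAP://OU=Helpdesk Users,$defaultNc"                                        # placeholder OU
$trustee = New-Object System.Security.Principal.NTAccount -ArgumentList "CORP", "Helpdesk-Phone-Editors"  # placeholder group

# One ACE. Rule arguments and their IADsAccessControlEntry equivalents:
#   Trustee             -> the group
#   AccessMask          -> ADS_RIGHT_DS_WRITE_PROP (0x20), i.e. WriteProperty
#   AceType             -> ADS_ACETYPE_ACCESS_ALLOWED_OBJECT (Allow with object-type GUIDs present)
#   ObjectType          -> schemaIDGUID of telephoneNumber: the right covers only that attribute
#   AceFlags            -> INHERIT_ACE | INHERIT_ONLY_ACE ("Descendents"): children only, not the OU
#   InheritedObjectType -> schemaIDGUID of user: only user objects inherit the ACE
$ruleArgs = @(
    $trustee
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    [System.Security.AccessControl.AccessControlType]::Allow
    $attributeGuid
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $userClassGuid
)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs

$sd = $ou.psbase.ObjectSecurity          # the OU's ntSecurityDescriptor (IADsSecurityDescriptor)
$sd.AddAccessRule($rule)                 # IADsAccessControlList::AddAce on the DACL
$ou.psbase.CommitChanges()               # SetInfo(): writes the descriptor back

# Verify by reading the DACL back, filtered to this trustee.
$ou.psbase.RefreshCache()
$ou.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $trustee.Value } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Because the inheritance is Descendents (inherit-only), the helpdesk group gets no rights on the OU object itself, and because InheritedObjectType names the user class, contacts or computers created under the same OU do not pick up the ACE. Replacing AddAccessRule with RemoveAccessRule and committing again reverses the delegation.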

By combining the WinNT:, IIS:, and LDAP: ADSI service providers, you can programmatically manipulate almost every namespace-related element of a native- or mixed-mode Windows 2000 domain.

Whether you are attempting to decentralize administration, enforce specific standards in the enterprise, or simply reduce the repetition of a particular task, programmatic manipulation of the Active Directory and related namespaces will free you from some of the mundane tasks that plague your workday.


   
Windows NT/2000 ADSI Scripting for System Administration
ISBN: 1578702194
Year: 2000
Pages: 194
Authors: Thomas Eck
