The Many Faces of Windows XP


Now you know the basics of what makes a network work. I've described how a network is composed of layers of software and hardware whose purpose is to let high-level client and server software provide useful services to you and the operating system. Security is a major concern in networks: after all, we can't have the mailroom staff looking up the executives' salaries.

The Windows approach to network security varies, depending on the type of network community to which it's connected. The following sections describe what these different network types are and how Windows XP changes with each one.

The Windows Peer-to-Peer Network

On a peer-to-peer or workgroup network, Windows XP Professional is a terrific member workstation, and you can set up shared folders with just the click of a mouse. XP Professional is also quite friendly with Windows 2000, NT, and 9x, and treats them as peers, too. It can attach to Novell NetWare and UNIX/Linux servers as well, if they're part of your network.

The downside of the peer-to-peer network is that each Windows workstation manages its own separate username/password database. Because there's no centralized control over user privileges, obtaining access to shared folders and printers on your LAN can be hit or miss. If you haven't been added as a user of the computer whose shared resources you want to use, you're out of luck.

Because networks are becoming so common even in the home, Microsoft introduced a feature with Windows XP called Simple File Sharing. With Simple File Sharing, passwords are dispensed with across the network: every remote user is treated as the computer's Guest account, so files made available across the network are available to one and all. This is a fair compromise between simplicity and security for homes and small offices, as long as you remember that the only thing standing between a shared folder and anyone else on the LAN is the LAN itself. The feature is optional on Windows XP Professional in a workgroup network, and is always enabled on Windows XP Home Edition.

To learn more about shared folder security, p. 835.


Administration of the computers on a peer-to-peer network is handled on an individual basis also. Each computer has its own privileged "Administrator" account, so anyone who knows a computer's Administrator password can change that computer's Windows setup and configuration at will, and a network manager has to know each computer's individual Administrator password.

Finally, to locate resources on a peer-to-peer network, you might have to hunt around a bit. Either you must know the name of the computer whose resources you want to use, or you have to poke around My Network Places (called Network Neighborhood in earlier versions of Windows). Poking around is fine on small networks but can be cumbersome on large networks with more than a few dozen computers.

Now, let's see how a server based network is different.

The Windows 200x/NT Server Network

When a Windows XP Professional computer is part of a network managed by Windows Server 2003, Windows 2000 Server, or Windows NT Server, something different happens: Windows XP Pro relinquishes the job of identifying users and their passwords to the server.

This arrangement is called a domain network, and it is a good thing. A domain is a group of computers under the control of a central set of one or more domain servers (domain controllers). As part of a domain, when you log on at any member computer, your identity is verified by the server, and you are then automatically recognized by every other Windows XP, 2000, and NT computer on the whole network. Permission to view files, of course, can still be granted or taken away by the owner of each computer; I'll explain how to manage permissions in Chapter 27, "System Utilities." The point is that with a common user database you can maintain good security practices more easily, because access to resources can be managed in a much more coherent manner.

When you're part of a domain (or group of domains), locating shared resources is not necessarily any easier than it is on a peer-to-peer network. Either you need to know the name of the workstation or server you want to use, or you have to burrow through the domains and computers displayed in domain-sized groups on My Network Places.

Finally, as part of a server-based network, the "domain administrator" (that is, the administrator of the server computer) can exercise some serious control over what users of each computer can see and do, thanks to the Windows profile and policy systems. These features have three effects:

  • They provide a way to deliver the same desktop, Control Panel, and software settings to a user no matter which computer he or she uses.

  • They let the domain administrator individually remove or "lock down" Windows features and Control Panel options that change network, display, and hardware settings for individuals or groups of users. Maintenance and support costs are reduced by removing the users' ability to customize (in management's view: mess up) their own computers. Joking aside, this feature can save big companies serious money.

  • They let the network manager instruct Windows to store your "My Documents" folder and your preference settings on a central server, so that your personal files and settings will be available no matter which computer you log on to; you should be able to use any computer in the organization. This not only makes your job easier, it makes it easier for the network administrators to back up everybody's files at once, so that they can be recovered in the event of a hardware crash.

Quite a personality change, isn't it? Of course, exercising this kind of control is completely up to the domain administrator; use of each of these features is optional.

The Active Directory Network

Finally, when Windows XP Professional is a member of a Windows 200x Server network with Active Directory, an even more comprehensive management structure comes into play. With Active Directory, the network administrators can do everything I mentioned in the preceding sections plus delegate management responsibilities to lower levels in the chain of command, at just about any level of detail they desire. This makes it possible for people in a big company's far-flung areas to manage computer resources for their local region, yet keep management privileges compartmentalized.

For example, a large company with many small branch offices could let branch managers assign users at their branches to departmental groups but not change their passwords. The network administrator could let the San Francisco network manager change network settings but not the Winnemucca manager, and so on. The level of what Microsoft calls granularity in control and delegation is nearly unlimited.

This capability could mean one of two things to you, the Windows XP Professional user:

  • Nothing at all because you're not part of an Active-Directory based network

  • Nothing at all because you are locked out of all this fun stuff by your network manager

I'm only partly kidding. If you're a Windows XP Professional user on an Active Directory network, these management features affect you only when they prevent you from doing something. The only new thing you have to learn is the telephone number of the network manager who's responsible for your computer. (This manager, on the other hand, has so much new to learn that he or she is probably in a class somewhere right now, on the verge of tears.)

Active Directory services also let network managers assign application software to users or groups, so your desktop automatically picks up icons for software you haven't even installed but your organization thinks you need. When you go to use it, Boom, it installs itself (in theory anyway).

Active Directory also lets you search for network resources and organizational information in a very useful, unified way. The Active Directory is designed to contain all kinds of information about the resources on a network, the network's users, and the structure of the organization itself. We're all used to the searching power on the World Wide Web, and Active Directory brings us the same power to search on a company's worldwide network. Want to find the email address of your pal Sal in the Sonoma Sales Center? No problem, Active Directory can find it in a flash. Need to find a printer in your building that can print on both sides in color? One click, and you'll have it.

I'll talk about Active Directory in more detail later in this chapter.

NOTE

Active Directory is based on LDAP (Lightweight Directory Access Protocol), an Internet standard for querying hierarchical directories. Windows 200x Server runs an LDAP server on every domain controller. Administrative changes to the directory can be made on any domain controller, and the changes are replicated to all of the others. The location of the nearest domain controller is found through the standard DNS system: each domain controller registers service (SRV) records in DNS, and a client looks those up to find a server for its domain. This makes it possible for a computer to join an Active Directory network and find its place in the world without any manual configuration: DHCP gives the computer its IP address and DNS servers, DNS locates Active Directory, and Active Directory delivers the rest of the information the computer needs to find any other appropriate services.
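To make the chain in this note concrete, here is a small Python model of the DNS step, added here as an illustration rather than code from the book. It builds the SRV names that Windows actually registers for domain controllers (the site-specific name is tried before the domain-wide one) and applies the RFC 2782 priority/weight ordering to pick a server. The zone contents, the host names, the domain corp.example.com and the site name SanFrancisco are constructed so the script runs offline; a real client would send the same queries to the DNS servers DHCP handed it.

```python
"""How a domain member finds a domain controller through DNS.

Added example; it is not code from the book. The SRV record names it
builds (_ldap._tcp.dc._msdcs.<domain>, and the per-site form
_ldap._tcp.<site>._sites.dc._msdcs.<domain>) are the names Windows
registers. Everything else is an assumption: the resolver is replaced by
a constructed answer table so the script runs offline, and the hosts,
domain and site name are invented.
"""
from __future__ import annotations

import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is preferred (RFC 2782)
    weight: int     # share of load among equal-priority records
    port: int
    target: str


# Constructed stand-in for the DNS zone; DNS names are case-insensitive,
# so the table is keyed in lower case.
FAKE_ZONE: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.dc._msdcs.corp.example.com": [
        SrvRecord(0, 100, 389, "dc1.corp.example.com"),
        SrvRecord(0, 100, 389, "dc2.corp.example.com"),
        SrvRecord(10, 100, 389, "dc-backup.corp.example.com"),
    ],
    "_ldap._tcp.sanfrancisco._sites.dc._msdcs.corp.example.com": [
        SrvRecord(0, 100, 389, "dc2.corp.example.com"),
    ],
    "_kerberos._tcp.dc._msdcs.corp.example.com": [
        SrvRecord(0, 100, 88, "dc1.corp.example.com"),
        SrvRecord(0, 100, 88, "dc2.corp.example.com"),
    ],
}


def query_srv(name: str) -> List[SrvRecord]:
    """Stand-in for a real SRV lookup (a live version would use a resolver library)."""
    return list(FAKE_ZONE.get(name.lower(), []))


def dc_srv_names(domain: str, service: str = "_ldap", site: Optional[str] = None) -> List[str]:
    """Names a locator tries, most specific first: the client's site, then the whole domain."""
    names = []
    if site:
        names.append(f"{service}._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"{service}._tcp.dc._msdcs.{domain}")
    return [n.lower() for n in names]


def order_by_rfc2782(records: List[SrvRecord], rng=random) -> List[SrvRecord]:
    """Order SRV answers: ascending priority; within one priority, weighted random."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = rng.random() * total          # point in [0, total)
            running = 0
            chosen = group[-1]
            for r in group:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def locate_dc(domain: str, site: Optional[str] = None, service: str = "_ldap",
              rng=random) -> Optional[Tuple[str, int]]:
    """Return (host, port) of the domain controller to contact, or None if DNS has none.

    Falling back from the site-specific name to the domain-wide name is what
    lets a machine moved to a new site, or a site with no controller of its
    own, still find one.
    """
    for name in dc_srv_names(domain, service, site):
        answers = query_srv(name)
        if answers:
            best = order_by_rfc2782(answers, rng)[0]
            return best.target, best.port
    return None


if __name__ == "__main__":
    print(locate_dc("corp.example.com", site="SanFrancisco"))
    print(locate_dc("corp.example.com", site="NoSuchSite"))
    print(locate_dc("corp.example.com", service="_kerberos"))
    print(locate_dc("other.example.com"))
```

On a real domain member you can see the same records with `nslookup -type=SRV _ldap._tcp.dc._msdcs.<your domain>`, which is also the first thing to check when a workstation cannot find its domain: no SRV answer means no domain controller will be found, whatever the IP settings say.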


The Windows Offline/Remote Network

Windows XP Professional can also exhibit multiple personality disorder: Meet the remote workstation. Windows can behave like a standalone computer when you're toting your laptop around in the field, a workgroup computer when you're networked at home, and then it can act like a domain member when connected to the server-based network by modem or broadband connection from home or at a network cable or docking port at work.

An additional feature Windows XP Pro offers to the remote user is the "offline" file. Windows lets you mark files or folders for offline use and copies them from the network to your hard drive. When you're disconnected from the network, you'll have access to this copy, even though it still appears to be in a folder on another networked computer. When you reconnect, by modem or by plugging into the office network, Windows automatically synchronizes the offline files, copying anything you changed back to the network and retrieving any updated files from the network to your hard disk.
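The synchronization step described above decides, file by file, whether the office copy or the laptop copy is the newer one, and what to do when both have changed. The following Python model, added here and not taken from the book or from Windows' own Client-Side Caching code, shows those rules on a constructed set of files. The snapshot of content hashes it keeps from the previous sync is an assumption standing in for Windows' change tracking; the paths and contents are made up.

```python
"""Simplified model of the offline-files synchronization step.

Added example; this is not code from the book and not Windows' own
Client-Side Caching logic. It decides per file which side changed since
the last synchronization by keeping a snapshot of content hashes from
that sync (an assumption standing in for the real change tracking).
The file contents below are constructed.
"""
import hashlib
from typing import Dict, List

Files = Dict[str, bytes]        # path -> contents
Snapshot = Dict[str, str]       # path -> content digest at last sync


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def plan_sync(server: Files, local: Files, last_synced: Snapshot) -> Dict[str, str]:
    """Map each path to 'unchanged', 'push', 'pull' or 'conflict'.

    A path missing from one side counts as a change on that side, so a file
    deleted on the server is removed from the offline cache on the next sync.
    """
    plan = {}
    for path in sorted(set(server) | set(local) | set(last_synced)):
        s = digest(server[path]) if path in server else None
        l = digest(local[path]) if path in local else None
        b = last_synced.get(path)
        if s == l:
            plan[path] = "unchanged"
        elif l == b:              # only the server side moved since last sync
            plan[path] = "pull"
        elif s == b:              # only the offline copy moved
            plan[path] = "push"
        else:                     # both moved, and not to the same content
            plan[path] = "conflict"
    return plan


def _copy(src: Files, dst: Files, path: str) -> None:
    if path in src:
        dst[path] = src[path]
    else:
        dst.pop(path, None)       # a deletion propagates too


def apply_sync(server: Files, local: Files, last_synced: Snapshot):
    """Carry out the plan; returns (server, local, new_snapshot, conflicts).

    Conflicting paths are left exactly as they are on both sides and are
    reported so a person can resolve them; their snapshot entry is kept so
    the next sync sees the same conflict instead of silently picking a side.
    """
    server, local, snapshot = dict(server), dict(local), dict(last_synced)
    conflicts: List[str] = []
    for path, action in plan_sync(server, local, last_synced).items():
        if action == "push":
            _copy(local, server, path)
        elif action == "pull":
            _copy(server, local, path)
        elif action == "conflict":
            conflicts.append(path)
            continue
        if path in local:         # record the now-common state
            snapshot[path] = digest(local[path])
        else:
            snapshot.pop(path, None)
    return server, local, snapshot, conflicts


# Constructed state: what the server and the laptop's cache hold on reconnect.
LAST_SYNCED: Snapshot = {
    "reports/q1.doc": digest(b"q1 draft"),
    "budget.xls": digest(b"budget v1"),
    "plan.doc": digest(b"plan base"),
    "old.txt": digest(b"obsolete"),
}
SERVER: Files = {
    "reports/q1.doc": b"q1 edited at the office",    # changed on server only
    "budget.xls": b"budget v1",                       # untouched on server
    "plan.doc": b"plan edited by a colleague",        # changed on both sides
    "shared/new.txt": b"created while you were out",  # new on server
}                                                     # old.txt deleted on server
LOCAL: Files = {
    "reports/q1.doc": b"q1 draft",
    "budget.xls": b"budget v2 from the plane",        # changed offline only
    "plan.doc": b"plan edited on the plane",
    "old.txt": b"obsolete",
    "notes.txt": b"written offline",                  # new offline
}

if __name__ == "__main__":
    for path, action in plan_sync(SERVER, LOCAL, LAST_SYNCED).items():
        print(f"{action:9} {path}")
```

The case worth noticing is plan.doc: edited in both places, it is reported rather than overwritten, which is the behaviour you want from any synchronization tool, since silently picking a side is how work gets lost.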

TIP

Offline files are similar to the My Briefcase function offered by Windows 9x. The advantage to offline files, however, is that they appear to stay in their original locations. Windows invisibly keeps track of the offline copies, so you don't have to worry about dragging files to and from the briefcase folder.

So, to My Briefcase: Good riddance! I have to admit I never understood or got My Briefcase to work anyway, and I suspect few people did.




Special Edition Using Microsoft Windows XP Professional (3rd Edition)
ISBN: 0789732807
Year: 2003
Pages: 450