Chapter 13 - Working with the Active Directory
by Simon Robinson et al.
Wrox Press 2002
We will not really talk about the administration of the Active Directory. Administration is the responsibility of the Windows 2000 system administrators, and we want to talk about programming the Active Directory. However, looking into some of the administration tools can help to give us an idea of the Active Directory, what data is in there, and what can be done programmatically.
The system administrator has a lot of tools to enter new data, update data, and configure the Active Directory:
The Active Directory Users and Computers MMC snap-in is used to enter new users and update user data
The Active Directory Sites and Services MMC snap-in is used to configure sites in a domain and replication between these sites
The Active Directory Domains and Trusts MMC snap-in can be used to build up a trust relationship between domains in a tree
ADSI Edit is the editor of the Active Directory, where every object can be viewed and edited
In addition to the tools for the system administrator, we get a tool with the Microsoft Platform SDK: ADSI Viewer.
The Active Directory Users and Computers snap-in is the tool that's mainly used by system administrators to manage users. Select Start | Programs | Administrative Tools | Active Directory Users and Computers:
With this tool we can add new users, groups, contacts, organizational units, printers, shared folders, or computers, and modify existing ones. In the next screenshot you can see the attributes that can be entered for a user object: office, phone numbers, e-mail addresses, web pages, organization information, addresses, groups, and so on. This is much more information than was ever possible in an NT 4 domain:
Active Directory Users and Computers can also be used in big enterprises with maybe millions of objects. It's not necessary to look through a list with a thousand objects, because we can select a custom filter so that only some of the objects are displayed. We can also do an LDAP query to search for the objects in the enterprise. We shall explore these possibilities later in the chapter.
ADSI Edit is the editor of the Active Directory. This tool is not installed automatically; on the Windows 2000 Server CD you can find a directory named Supporting Tools. When the supporting tools are installed you'll find ADSI Edit from the start menu: Start | Programs | Windows 2000 Support Tools | Tools | ADSI Edit.
ADSI Edit offers greater control than the Active Directory Users and Computers tool; with ADSI Edit everything can be configured, and we can also look at the schema and the configuration. This tool is not that easy to use, however, and it is very easy to enter wrong data:
By opening the Properties window of an object, we can view and change every attribute of an object in the Active Directory. We see mandatory and optional attributes, with their types and values:
You should also install the Active Directory Browser that's part of the Microsoft Platform SDK. The Microsoft Platform SDK is not part of the Visual Studio .NET distribution. You get a CD with the MSDN subscription, or you can download it from the MSDN web site. After installing the Platform SDK you can start the tool by selecting Start | Programs | Microsoft Platform SDK | Tools | ADSI Viewer.
The ADSI Viewer has two modes. With File | New we can start a query or use the Object Viewer to display and modify attributes of objects. After starting the Object Viewer we can specify an LDAP path, as well as a username and password, to open the object. In the next section, we will start doing this programmatically, and you will be able to see what form the LDAP path can take. Here I'm specifying LDAP://OU=Wrox Press, DC=eichkogelstrasse, DC=local to access an organizational unit object:
If the path we specify for the object is valid, and the username and password are valid too, we get the Object Viewer screen, where we can view and modify the properties of the object and its child objects:
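What the Object Viewer does with a path, username, and password can be reproduced with the System.DirectoryServices classes. The following is an added example, not code from the book: it reuses the organizational unit path from the text, while the account name is a constructed placeholder and the class name is hypothetical.

```csharp
using System;
using System.DirectoryServices;            // reference System.DirectoryServices.dll
using System.Runtime.InteropServices;

class ObjectViewerSketch                   // hypothetical name, for illustration only
{
    static void Main(string[] args)
    {
        // Path taken from the text; the account name is a constructed placeholder.
        string path = "LDAP://OU=Wrox Press, DC=eichkogelstrasse, DC=local";
        string username = args.Length > 0 ? args[0] : @"EICHKOGELSTRASSE\someuser";

        // Prompt rather than hard-code the password (Console.ReadLine echoes input).
        Console.Write("Password for {0}: ", username);
        string password = Console.ReadLine();

        // Secure negotiates Kerberos/NTLM instead of a clear-text simple bind;
        // Signing and Sealing (both require Secure) protect the data in transit.
        AuthenticationTypes auth = AuthenticationTypes.Secure
            | AuthenticationTypes.Signing | AuthenticationTypes.Sealing;
        try
        {
            using (DirectoryEntry entry = new DirectoryEntry(path, username, password, auth))
            {
                // The bind is lazy: the first property access contacts the server.
                Console.WriteLine("Name:  {0}", entry.Name);
                Console.WriteLine("Class: {0}", entry.SchemaClassName);

                // Attributes that have values set, as shown in the viewer's property list.
                // Binary and large-integer values print only as their type name.
                foreach (string name in entry.Properties.PropertyNames)
                    foreach (object value in entry.Properties[name])
                        Console.WriteLine("  {0} = {1}", name, value);

                // Child objects of the organizational unit.
                foreach (DirectoryEntry child in entry.Children)
                    using (child)
                        Console.WriteLine("  child: {0} ({1})", child.Name, child.SchemaClassName);
            }
        }
        catch (COMException ex)
        {
            // An invalid path, rejected credentials, or an unreachable server end up here.
            Console.Error.WriteLine("Bind failed (0x{0:X8}): {1}", ex.ErrorCode, ex.Message);
        }
    }
}
```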