Windows 2000 Active Directory 2E


Updated coverage of the most confusing Windows 2000 component in this new edition of a Syngress bestseller.
Active Directory Services dramatically changes the way IT professionals design, plan, configure and administer their Windows NT networks. The primary benefits of Active Directory Services are its extensibility, scalability, and ease of management as compared to prior generations of Windows NT. Systems Engineers will probably spend much of their time over the next several ...

See more details below
Paperback (2ND)
$38.53 price
(Save 29%)$54.95 List Price
Other sellers (Paperback)
  • All (4) from $33.08   
  • New (3) from $54.42   
  • Used (1) from $33.08   
Sending request ...


Updated coverage of the most confusing Windows 2000 component in this new edition of a Syngress bestseller.
Active Directory Services dramatically changes the way IT professionals design, plan, configure and administer their Windows NT networks. The primary benefits of Active Directory Services are its extensibility, scalability, and ease of management as compared to prior generations of Windows NT. Systems Engineers will probably spend much of their time over the next several years planning for and deploying Active Directory Services in many different environments. Windows 2000 Active Directory, Second Edition gives IT professionals a head start; it provides updated coverage of everything they will need to succeed.

Many Windows 2000 administrators are struggling with Active Directory and need a comprehensive book on the subject
The first completely updated book on Active Directory to hit the market

Active Directory Services dramatically changes the way IT professionals design, plan, configure and administer their Windows NT networks. The primary benefits of Active Directory Services are its extensibility, scalability, and ease of management as compared to prior generations of Windows NT. This directory provides readers with updated coverage of everything they will need to succeed.

Read More Show Less

Editorial Reviews

From the Publisher
"The definitive work on Active Directory concepts and implementation." — Dean Tyree, Director of Microsoft Business Practice, MicroAge Technology Services, about the first edition
Read More Show Less

Product Details

  • ISBN-13: 9781928994602
  • Publisher: Elsevier Science
  • Publication date: 11/7/2001
  • Edition description: 2ND
  • Edition number: 2
  • Pages: 800
  • Product dimensions: 7.50 (w) x 9.25 (h) x 1.39 (d)

Read an Excerpt

As stated earlier, OUs are containers within a domain that can nest within each other to develop a hierarchy. They are used for group policy and for the delegation of administrative authority. One thing you must understand about an OU is that it is not a security principal. What this means is that you cannot apply access rights to the OU so that the users, groups, resources, other containers, and objects would inherit them. An OU is merely a container with no other capabilities. However, if you use OUs for group policy, then the group policies will flow down the tree structure that the OUs build. In addition, you can use the OUs to decentralize your administration without requiring a separate domain. An Active Directory user does not always have to navigate the OU hierarchy to locate services and information, so the optimal structure for OUs should reflect the boundaries needed for applying group policy or for delegating authority. It is a good rule of thumb to keep the OU names short enough to remember.

OU Objects in Active Directory

OUs are container objects within Active Directory. When you look at OUs in the Active Directory Users and Computers MMC, you can look at their properties, which include the Group Policies applied to them. OUs contain other objects, such as user account objects or other OUs. Policies can be applied to OUs, and those policies can be inherited by sub-OUs. Using the OU hierarchy, you can produce a granular system for managing the desktop environment, security, and a user’s network experience.

Group Policy and OUs

Group policy settings are applied to users and computers in order to manage the desktop configuration. A specific policy is applied to a site, domain, and/or an OU as needed. The group policy can be filtered to control access; otherwise it is inherited by child containers. Group policies will affect users’ login time when they are in a nested OU that has multiple group policies. Longer names for OUs will also affect processing at login time. See Chapter 13, “Intellimirror,” for information on how to apply group policies.

Delegating Administration

The legacy Windows NT delegation of administration did not offer much in the way of flexibility:

  • Administrators were forced to use built-in local groups on the servers for administrative authority.
  • They had to adjust predefined rights if they were not sufficient or if they were too lax.
  • Their administrative design typically resulted in oodles of Domain Administrators so that everyone could access what they needed to.
  • Administrators created resource domains just to delegate administration, which then resulted in too many domains and complex trust relationships.

    Delegating administration is more powerful and flexible in Windows 2000 than it was in earlier versions of NT. Using the flexibility of Active Directory, delegation of administrative responsibility can be applied at the OU level. The Administrator can assign administrative rights for each object ’s attribute, and whether that control can be inherited. The result is that the appropriate Administrators are granted the appropriate control of their assigned users and published resources. If an Administrator delegates Full Control to another user, then that user is able to delegate administrative authority to others. Otherwise, the delegation of administration is completed by selecting the authority level over each object class and the ability to modify specific attributes. The process is fairly simple:

    • 1. Create a group.
    • 2. Grant the group specific access.
    • 3. Populate the group with users.

    Windows 2000 even supplies a Delegation of Control Wizard in the Active Directory Users and Computers Microsoft Management Console (MMC) utility (which can be found in the Administrative Tools folder under Programs in the Start menu). This makes the process even easier to execute. The following steps must be taken to use the Delegation of Control Wizard (see Figure 5.10) in order to delegate Full Control to another Administrator for a single OU (the OU is also called a folder in the wizard).

    • 1. Click Start | Programs | Administrative Tools on any DC.
    • 2. Select Active Directory Users and Computers.
    • 3. After the window opens, in the left pane of the window, navigate to the OU to which you will be delegating administrative rights.
    • 4. Right-click on the OU and select Delegate Control from the pop-up menu.
    • 5. The wizard box will start with a Welcome dialog. Click Next.
    • 6. The next screen will show the path of the folder. Click Next.
    • 7. The Group or User Selection screen will appear. Click Add.
    • 8. Select the group to which you will be giving administrative access.
    • 9. The group’s name will appear in the window. Verify it is correct and click Next.
    • 10. In the Predefined Delegations window, select Do customized delegation and click Next. Figure 5.10 Customized Delegation
    • 11. In the Active Directory object, type window. You can select either the entire folder or a custom list of objects that are in the folder. Select Entire folder and click Next.
    • 12. In the Permissions box, you can select a variety of permissions (see Figure 5.11). To delegate full administrative rights, you will need to select Full Control. Then click Next. Figure 5.11 Reset Password Is an Option in the Permissions Box for User Objects
    • 13. The final dialog will show you a summary of the options you have selected. Click Finish to enable delegation. If you click Back, you can change your options. If you click Cancel, no changes will be applied. (See Figure 5.12.) Figure 5.12 Summary Dialog

    After completing this exercise, there is a way to verify that the changes are applied. In the Active Directory Users and Computers window, select the View menu and then the Advanced Features option. You can then right-click the OU for which you delegated control, then select Properties. On the Security page, click Advanced. The Permissions tab will show you the additional permissions created for the group. If you double-click the group, you will see that it has been granted full rights to all of that OU and any OUs within it.

    Another way to verify that the group has been granted access correctly is to log on as a user account that is a member of that group. Then start the Active Directory Users and Computers Wizard and try creating a new group.

    There are some challenges with delegating administration. For many with experience in other directory services, the most difficult problem with delegating administration for a container is with somehow losing the delegated Administrator’s password—whether the Administrator has forgotten it, or left the company, or some other mishap has occurred. For this reason, it is a good practice always to have a master administrative account that is granted access to every container, even if it is intended to be completely cut off. The account should be set aside in a secure place for disaster recovery purposes only.
    Configuring and Implementing
    Controlling Who Can Reset Passwords

    One of the most common problems users run into is that they forget their password. Usually this happens the day after they were required to change their password. Only certain Administrators can access that type of user control in legacy environments, so this capability typically is retained by a high-level IT group. In a large organization, it can become a huge headache!

    Active Directory can be an aspirin for this particular headache, if an organization has a group such as a Help Desk that is connected to the network. In this case, Active Directory allows the delegation of only the password resetting right. The Help Desk would have no other rights to the directory and could handle the password resets immediately.

    To delegate this specific right, create a group for the Help Desk. Then follow the Delegation of Control process up to the Predefined Delegations window in step 10. Here you would select the Delegate one or more of the predefined delegations, and from the check-box list, select only Reset passwords on users accounts. It is a simple matter of finishing the wizard after that.

Read More Show Less

Table of Contents

Chapter  1 Introduction to Active Directory
Chapter  2 Assessing Your Environment
Chapter  3 Active Directory for Windows 2000 JumpStart Tutorial
Chapter  4 DNS and Naming Strategies
Chapter  5  Designing the Basic Structure
Chapter  6 Designing a Site Structure
Chapter  7 Designing: A Case Study
Chapter  8 Migrating from NT 3.51 or NT 4 to Active Directory
Chapter  9 Implementing a Domain
Chapter 10 Building Trees and Forests
Chapter 11 Implementing Sites
Chapter 12 Implementing Active Directory: A Case Study
Chapter 13 Intellimirror
Chapter 14 Publishing
Chapter 15 Modifying the Schema
Chapter 16 Using Active Directory: A Case Study
Chapter 17 Plugging into Active Directory
Chapter 18 Disaster Recovery for Active Directory
Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star


4 Star


3 Star


2 Star


1 Star


Your Rating:

Your Name: Create a Pen Name or

Barnes & Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation


  • - By submitting a review, you grant to Barnes & and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Terms of Use.
  • - Barnes & reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously

    If you find inappropriate content, please report it to Barnes & Noble
    Why is this product inappropriate?
    Comments (optional)