The following is a collection of expert responses to reader questions by Laura Hunter.
I was wondering, how can I configure Active Directory and or all the workstations to show what computer and user accounts have local administrator access on the workstations?
The scenario is that some accounts may have been granted access via Active Directory in an organizational unit, while for others the individual user account in Active Directory may have been added directly to the local Administrators group on the box.
I need to see a list so we can correct who should and who should not have local admin access.
Thank you for your help.
Laura Hunter: You can use the "net localgroup administrators" command on each workstation (probably in a login script so that it records its information to a central file for later review). This command will enumerate the members of the Administrators group on each machine you run it on. Alternately, you can use the Restricted Groups feature of Group Policy to restrict the membership of Administrators to only those users you want to belong.
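An added PowerShell example (not from the column) of the login-script approach described above: it parses the output of "net localgroup administrators", writes one CSV per machine to a central share, and flags members outside an allow-list. The share path and the allow-list entries are assumed placeholders.

```powershell
# Added example: inventory local Administrators membership from a login or
# startup script and record it centrally for review. Assumed values below.
$CentralShare = '\\fileserver\adminaudit$'                       # assumed share path
$Expected     = @('Administrator', 'CORP\Domain Admins',
                  'CORP\Workstation Admins')                     # assumed allow-list

function Get-LocalAdminMembers {
    # Parse the text output of "net localgroup administrators" into member names.
    # The member list sits between the dashed separator line and the
    # "The command completed successfully." trailer.
    $lines = & net.exe localgroup administrators
    $members = @()
    $inMembers = $false
    foreach ($line in $lines) {
        if ($line -match '^-{5,}$') { $inMembers = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inMembers -and $line.Trim()) { $members += $line.Trim() }
    }
    return $members
}

$now = Get-Date -Format 's'
$records = foreach ($m in Get-LocalAdminMembers) {
    [pscustomobject]@{
        Timestamp  = $now
        Computer   = $env:COMPUTERNAME
        Member     = $m
        Unexpected = -not ($Expected -contains $m)   # outside the allow-list
    }
}

# One file per computer avoids write collisions when many machines log in at once.
$outFile = Join-Path $CentralShare "$($env:COMPUTERNAME).csv"
$records | Export-Csv -Path $outFile -NoTypeInformation

# Review step (run centrally): list every member that is not on the allow-list.
# Get-ChildItem $CentralShare -Filter *.csv | ForEach-Object { Import-Csv $_.FullName } |
#     Where-Object { $_.Unexpected -eq 'True' } | Sort-Object Computer, Member
```

The account running the script needs write access to the share; as a computer startup script it runs under the computer account, so grant the share and NTFS write permission to Domain Computers rather than to users.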
What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory? Is there any difference between 2000 Group Policies and 2003 Group Policies? What is meant by ADS and ADS services in Windows 2003? Your help is greatly appreciated.
LH: Windows 2003 AD introduced a number of new security features, as well as convenience features such as the ability to rename a domain controller and even an entire domain – see Microsoft's website for more details. Windows Server 2003 also introduced numerous changes to the default settings that can be affected by Group Policy – you can see a detailed list of each available setting and which OS is required to support it by downloading the Group Policy Settings Reference here (free download). ADS stands for Automated Deployment Services, and is used to quickly roll out identically configured servers in large-scale enterprise environments. You can get more information from the ADS homepage here.
Can you provide a simple, easy to understand description of what the Active Directory is and how it is different from the old NT security model?
LH: Active Directory marked a shift in the way that Microsoft manages directory services, moving from the flat and fairly restrictive namespaces used by NT4 domains and moving to an actual hierarchical directory structure. There's a sample chapter from the Windows 2000 technical reference available here that will give you a good introduction into the major differences between the NT4 and Active Directory directory services.
I am upgrading from NT to 2003. The only things that are NT are the PDC and BDCs; everything else is 2000 or 2003 member servers. My question is, when I upgrade my NT domain controllers to 2003, will I need to do anything else to my Windows 2000/2003 member servers that were in the NT domain?
LH: Your existing member servers, regardless of operating system, will simply become member servers in your upgraded AD domain. If you will be using Organizational Units and Group Policy (and I hope you are), you'll probably want to move them to a specific OU for administration and policy application, since they'll be in the default "Computers" container immediately following the upgrade.
Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valuable Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (APress Publishing). You can contact her at firstname.lastname@example.org.