As the number of Internet users continues to grow, so does the number of Web-based provisioning tools that let those users perform administrative tasks within a Windows and IIS environment. The Microsoft Web Admin tool is one such application. Web Admin is a sample Web-based provisioning tool that demonstrates the use of Active Server Pages (ASP) and Microsoft Internet Explorer (IE) 4.0 or later to create, modify, and delete users, groups, and organizational units (OUs) from Windows 2000 Active Directory (AD). Web Admin uses ASP and VBScript to access the Windows Management Instrumentation (WMI) API and request information from AD. WMI translates these requests into DS Provider calls that communicate with the Active Directory Service Interfaces (ADSI) API and that translate each operation into a set of ADSI calls that can perform such tasks as creating OUs, adding users to an OU, or removing users from groups. The tool is an excellent starting point for Web developers who want to create an application that provides provisioning services to customers.
Because the tool is Web-based, an IIS administrator often must implement it, a more complicated process than simply setting up a new Web site, as the sidebar "Your Role in Implementing Web Admin" explains. The process includes preparing the IIS server, configuring Web Admin, and setting up customer organizations (which the tool adds to AD as OUs). To participate in this process, you need to understand the tool's setup and configuration and how Web Admin uses administrative roles, OUs, and Win2K security to provide a structure in which to deliver provisioning services.
Setting Up the IIS Server
To begin, download Web Admin from http://www.microsoft.com/serviceproviders/downloads/webadmin_overview.asp and install the tool on a Win2K Server member server or domain controller (DC) configured with IIS 5.0. (For performance and security reasons, I recommend against installing the tool on a DC.) The computer must be in the Win2K native-mode domain that you want to administer. Because of security-credential concerns, you must place the tool's files and folders in a folder on the local drive, and you must modify the permissions for that folder so that only the SYSTEM account and the local Administrators group account have Full Control.
Web Admin includes the adstype.dll file. For the tool to work properly, you must register this file on the IIS server. To do so, open a command prompt and run the following command:
regsvr32.exe <path to Web Admin folder>\com\adstype\adstype.dll
Note that the tool's documentation instructs you to include a build number placeholder in this command, but this instruction is incorrect. The application's folder structure doesn't include the build number.
After you register adstype.dll, set up a Web site or virtual directory named WebAdmin. (Although you can use a virtual directory in the Default Web site, Microsoft recommends against doing so.) During this process, you'll receive a prompt for a directory location; browse to the local Web Admin folder's HTML subfolder. You'll then receive a prompt to configure access permissions; leave them in their default state. Make sure to start the IIS service for whichever Web site you use.
Configure the Web site's properties to disable Anonymous access, enable Basic authentication, and set the Basic authentication domain name to a backslash (\). Enable Secure Sockets Layer (SSL) on the IIS server if your organization requires that you do so.
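The server-preparation steps above (folder permissions, DLL registration, virtual directory, Basic-only authentication with a backslash logon domain, optional SSL) can be scripted so that every Web Admin server is built the same way. The following PowerShell script is an added example, not code from the article or from the Web Admin tool. It uses the IIS ADSI provider (IIS://localhost/W3SVC/...) that IIS 5 and 6 expose; on IIS 7 or later it requires the IIS 6 Management Compatibility feature. The folder path, the site number, and the $RequireSsl switch are assumptions. AuthFlags (1 = Anonymous, 2 = Basic, 4 = Integrated Windows) and DefaultLogonDomain are the metabase properties behind the Web site property sheet the article refers to. Because Basic authentication sends the password Base64-encoded rather than encrypted, the SSL step is worth turning on even where policy does not demand it.

```powershell
# Added example (not from the article or the Web Admin tool).
# Assumed values: adjust the folder and the metabase site id to your server.
$WebAdminRoot = 'C:\WebAdmin'   # assumed: local folder holding the unpacked tool
$SiteId       = 1               # assumed: metabase id of the Web site used for the tool
$VDirName     = 'WebAdmin'
$RequireSsl   = $true           # assumed: set to $false if SSL is not in use on this server

# 1. Restrict the folder: stop inheriting, drop every explicit ACE, then grant
#    Full Control only to SYSTEM and the local Administrators group.
$acl = Get-Acl -Path $WebAdminRoot
$acl.SetAccessRuleProtection($true, $false)           # protect, do not copy inherited ACEs
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)
}
foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $WebAdminRoot -AclObject $acl

# 2. Register adstype.dll; the path has no build-number folder, as the article notes.
$dll = Join-Path $WebAdminRoot 'com\adstype\adstype.dll'
if (-not (Test-Path $dll)) { throw "adstype.dll not found at $dll" }
$proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList "/s `"$dll`"" -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($proc.ExitCode)" }

# 3. Create the WebAdmin virtual directory pointing at the tool's HTML subfolder.
#    Read and Script access only: ASP needs script execution, nothing needs Execute or Write.
$root = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root"
$vdir = $root.Create('IIsWebVirtualDir', $VDirName)
$vdir.Put('Path', (Join-Path $WebAdminRoot 'HTML'))
$vdir.Put('AccessRead', $true)
$vdir.Put('AccessScript', $true)
$vdir.SetInfo()

# 4. Authentication: Basic only (anonymous and Integrated Windows off), and the
#    Basic authentication domain set to a backslash, as the article requires.
$vdir.Put('AuthFlags', 2)
$vdir.Put('DefaultLogonDomain', '\')
$vdir.SetInfo()

# 5. Optionally require SSL with 128-bit ciphers (AccessSSLFlags: 8 = SSL, 256 = 128-bit).
#    The site must already have a server certificate bound to it.
if ($RequireSsl) {
    $vdir.Put('AccessSSLFlags', (8 -bor 256))
    $vdir.SetInfo()
}

# Read the settings back so the result can be checked against the article's requirements.
$check = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root/$VDirName"
"AuthFlags={0} DefaultLogonDomain={1} AccessSSLFlags={2}" -f `
    $check.AuthFlags.Value, $check.DefaultLogonDomain.Value, $check.AccessSSLFlags.Value
```

Run the script from an elevated prompt on the IIS server as a member of the local Administrators group. The read-back at the end should show AuthFlags=2 and DefaultLogonDomain=\ ; anything else means the property sheet (or another script) has since changed the site and the tool will not authenticate as described.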
Configuring Web Admin
Configuring the tool is simply a matter of using IE to access Web Admin, then running the Web Admin Setup Wizard. Log on to the IIS server as a member of the Domain Admin group or Enterprise Admin group. (Be sure to log on to the domain and not just the local computer, which can sometimes happen when you log on with the Administrator account. If you log on locally, you won't be able to use Web Admin.) Open IE and go to http://servername/webadmin, where servername is the name of your IIS computer. Figure 1 shows the tool's initial interface.
In addition to logging on to the server, you need to log on to the Web Admin tool. You'll receive a prompt for a username and password when you first log on to the tool or after you begin to run the Web Admin Setup Wizard, depending on whether Integrated Windows authentication is enabled for the tool's Web site. (If Integrated Windows authentication is enabled, you'll receive the prompt when you run the Setup Wizard; otherwise, you'll receive the prompt as soon as you try to access the tool. Web Admin uses Basic authentication only. When you run the Setup Wizard, Web Admin disables Integrated Windows authentication if it's enabled; if you enable Integrated Windows authentication after you run the Setup Wizard, you won't be able to access the tool.)
After you run the Setup Wizard, you'll be prompted for a username and password whenever you try to access the tool. As when logging on to the IIS server, you must take into account special logon considerations when logging on to Web Admin. If the IIS computer is a member server and the local Administrator account password is the same as the domain Administrator account password, you must use the domain prefix (e.g., domain01\administrator) when you log on to Web Admin.
After the tool's opening screen appears, click Go Setup to launch the Web Admin Setup Wizard. By default, the wizard creates the Hosting OU and the Services OU and adds several security groups to the Services OU. The wizard also removes Authenticated Users from first-level containers. Be sure to notify your domain administrator about these changes before you implement the tool.
From the wizard's final screen, you can go to the tool's Configuration page or you can start using Web Admin. The Configuration page shows a list of options, derived from the tool's config.asp file, that you can use to configure the tool's features. Any changes you make on this page affect only the server you're connected to and remain in effect only until you restart the Web service or reboot the computer. To make permanent changes, you can modify config.asp directly. If you do so, however, you must edit every config.asp file on every server on which you place Web Admin to be sure that your changes are consistent across all the servers.
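Because a hand edit to config.asp has to be repeated on every server, it is easy for the copies to drift apart. The following PowerShell check is an added example, not part of the article or the tool: it hashes config.asp on each Web Admin server over the administrative share and reports any server whose copy differs from the first one. The server names and the location of config.asp under the tool's HTML folder are assumptions.

```powershell
# Added example (not from the article or the Web Admin tool).
$Servers    = 'iis01', 'iis02', 'iis03'          # assumed: every server hosting Web Admin
$ConfigPath = 'C$\WebAdmin\HTML\config.asp'      # assumed: config.asp under the admin share

# Collect one SHA-256 per server; a missing or unreadable file is reported, not skipped.
$results = foreach ($server in $Servers) {
    $unc = "\\$server\$ConfigPath"
    try {
        $hash = (Get-FileHash -Path $unc -Algorithm SHA256 -ErrorAction Stop).Hash
    } catch {
        $hash = "ERROR: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Server = $server; Hash = $hash }
}

# Treat the first server as the reference copy and flag every server that differs.
$reference = $results[0].Hash
$drift = $results | Where-Object { $_.Hash -ne $reference }

$results | Format-Table -AutoSize
if ($drift) {
    Write-Warning "config.asp differs from $($results[0].Server) on: $($drift.Server -join ', ')"
    exit 1
}
"config.asp is consistent across all $($Servers.Count) servers."
```

Run it after each deliberate change to config.asp; a non-zero exit code makes it usable from a scheduled task or a deployment pipeline, and an ERROR entry usually means the share is unreachable or the tool was installed to a different folder on that server.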