July 01, 1998 12:00 AM

Managing Permissions for NT 5.0's Active Directory

Windows IT Pro
InstantDoc ID #3569
Knowledge and simplicity are key

If you're eager to investigate the new features of Windows NT 5.0, the Active Directory (AD) will probably interest you. AD is a directory service that stores information about users, servers, printers, shares, and other elements in a network. AD represents these elements as objects, each of which has one or more sets of properties. For example, an object representing a user might have the properties of office and home phone numbers. (For more information about AD objects and properties, see Sakari Kouti, "Manage Directory Resources with Active Directory Service Interfaces," November 1997.)

Users can query AD to get lists of objects and their properties. However, you might not want users to have access to all the properties of every object in AD. For example, you might not want users to have access to coworkers' home phone numbers. Although the NT 5.0 system default is to give everyone read access to all of AD's information, you can modify and add to the default permissions to limit access to certain information.

To set the permissions for objects and properties in AD, you need to know how to create and search for objects. Knowing what is possible will help you decide what objects and properties to restrict permissions for.

Creating Objects
Suppose you have a domain controller running NT 5.0 beta 1 for your domain, nt5domain. The domain's AD contains the NT server and one client (a PC running NT Workstation 5.0 beta 1). NT 5.0 comes with Microsoft Directory Service Manager, a Microsoft Management Console (MMC) snap-in. (For more information about MMC, see Darren Mar-Elia, "Microsoft Management Console," June 1998.) Directory Service Manager lets you easily access AD. Although you can use other tools to view and manipulate data in AD, they are more complicated to use.

As with Explorer, when you open Directory Service Manager, you see a two-pane window. On the left is the scope pane; on the right is the display pane. The scope pane contains a directory information tree (DIT), which provides a map for AD. The DIT starts with the root entry (i.e., the domain name) and then branches into container objects (herein referred to as containers). Containers are objects that can hold other objects of the same type, or class. The class specifies the required and optional properties of the objects in a particular category and the rules governing where those objects fit in the DIT.

The display pane shows the contents of a container. To view the contents, single-click the container in the scope pane. Containers hold other containers and noncontainer objects (herein referred to as noncontainers). A noncontainer is an object that cannot hold other objects of the same class, so noncontainers cannot hold containers or other noncontainers.

You can assign permissions to only two types of noncontainers: users and groups. A user represents one person; a group represents the members you assign to it.

Screen 1 shows the default containers and noncontainers in Directory Service Manager for nt5domain. The left pane shows that the domain consists of the Computers, System, and Users containers. Although these three types of containers are common, many more types exist, such as print queue, volume, site, and organizational unit. The right pane shows the contents of the System container, which consists of user and group noncontainers.

Directory Service Manager lets you add and remove containers and noncontainers to customize your AD. For example, suppose you want to add TestOU1 (a container representing your company's primary testing lab) and TestUser1 (a noncontainer representing a member of that testing lab) to nt5domain. To add the container, highlight nt5domain in the scope pane and right-click the display pane. In the pop-up menu that appears, select New organizational unit. Enter TestOU1 in the Create organizational unit dialog box, and click OK. After you refresh the display, you can add the noncontainer by highlighting the newly created TestOU1 container in the scope pane and right-clicking the display pane. In the pop-up menu that appears, select New user and enter TestUser1 as the username and first name, last name, and password. Click OK. If you want to specify properties for a container or noncontainer, you right-click on the object from either pane and select Properties from the pop-up menu. Screen 2 shows the properties for TestUser1.

You cannot put a noncontainer in more than one container. For example, you can't put a user noncontainer (MarySmith) in two containers (Systems and Users). However, you can put MarySmith in the Systems container and then create a group (DataEntryGroup), assign MarySmith as a member, and put the DataEntryGroup in the Users container.
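To make the containment rules and the default read permission concrete, here is a small model of the directory information tree described above. It is an added example, not code from the article or from Directory Service Manager; the object names (nt5domain, Systems, Users, MarySmith, DataEntryGroup) come from the text, while the property names and the per-property read list are assumptions made for illustration.

```python
# Added example (not from the article): a small model of the directory information
# tree (DIT) the article describes. Names such as Systems, Users, MarySmith and
# DataEntryGroup come from the text; property names and the ACL shape are assumed.
from dataclasses import dataclass, field


@dataclass
class DirObject:
    name: str
    is_container: bool
    properties: dict = field(default_factory=dict)
    children: list = field(default_factory=list)  # containment; containers only
    members: list = field(default_factory=list)   # group membership, by reference
    parent: "DirObject | None" = None
    # property -> principals allowed to read it; a property with no entry keeps
    # the NT 5.0 default the article states: everyone may read it
    read_acl: dict = field(default_factory=dict)

    def add(self, child: "DirObject") -> None:
        """Place child in this container (containment, not group membership)."""
        if not self.is_container:
            raise ValueError(f"{self.name} is a noncontainer and cannot hold objects")
        if child.parent is not None:
            raise ValueError(f"{child.name} already lives in {child.parent.name}")
        child.parent = self
        self.children.append(child)

    def can_read(self, principal: str, prop: str) -> bool:
        """Everyone reads by default; an explicit entry narrows access."""
        allowed = self.read_acl.get(prop)
        return True if allowed is None else principal in allowed


def build_nt5domain() -> DirObject:
    """Build the domain from the article: MarySmith in Systems, her group in Users."""
    root = DirObject("nt5domain", is_container=True)
    systems = DirObject("Systems", is_container=True)
    users = DirObject("Users", is_container=True)
    root.add(systems)
    root.add(users)
    mary = DirObject("MarySmith", is_container=False,
                     properties={"officePhone": "555-0100", "homePhone": "555-0199"})
    mary.read_acl["homePhone"] = {"MarySmith", "Domain Admins"}  # constructed ACL
    systems.add(mary)
    group = DirObject("DataEntryGroup", is_container=False)
    group.members.append(mary)  # a reference to MarySmith, not a second parent
    users.add(group)
    return root
```

Trying to add MarySmith to the Users container a second time, or to add anything to a noncontainer, raises an error, while the group still lists her as a member; the office number stays readable by everyone and the home number only by the principals in its read list.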

Comments
  • Roy C. Carlson
    Feb 20, 2001

    You say that noncontainers cannot hold containers or other noncontainers, but you list groups as a noncontainer. If groups hold users (which is a noncontainer) wouldn't groups be containers?
