Active Directory

xiaoxiao, 2021-03-06

Introduction

Active Directory is the directory service included in Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter Edition. It stores information about objects on the network and makes that information available to administrators and users; in other words, it provides a logical, hierarchical organization of directory information. This part reviews the advantages, new features and further improvements that Active Directory brings in Windows Server 2003.

Advantages

The improvements to Active Directory give small, medium and large companies a key strategic advantage. Building on Windows 2000, Windows Server 2003 improves the versatility, manageability and reliability of Active Directory. With Windows Server 2003, companies can further reduce costs while improving the efficiency of every part of the enterprise.

Features and improvements

Windows Server 2003 brings further improvements to Active Directory, making it more versatile, more reliable and more economical.

Feature / Description

Cross-forest trust relationships and management

Users can securely access resources in other forests without giving up single sign-on and without managing more than one user ID and password in their home forest. Additional security features make multi-forest and cross-domain trust relationships easier to manage. The new Credential Manager provides secure storage for user credentials and X.509 certificates. In addition, forest trusts are a new type of Windows trust relationship for managing the security relationship between two forests, which greatly simplifies security management and authentication across forests.

Domain rename

This feature supports changing the DNS name and/or NetBIOS name of an existing domain in a forest, keeping the forest "well formed". It is especially useful when a company must change its domain name, for example after a legal name change or a merger in which the company wants consistent naming. Renaming a domain is more efficient than the traditional approach, which may involve creating a new domain and moving all user and computer objects into it. A renamed domain is still identified by the same domain GUID and domain SID, which do not change. Likewise, a computer's domain membership does not change because its domain was renamed. Although supported tools are provided for renaming a domain, this does not make it a routine IT operation. A domain rename causes a service interruption and requires every domain controller to be restarted. It also requires every member computer of each renamed domain to be restarted twice.

Attribute and class definitions in the schema

Active Directory has become more flexible: attribute and class definitions in the Active Directory schema can now be deactivated, so that an attribute or class can be redefined when the original definition contains an error. Deactivation is reversible, so an accidental deactivation can be undone. For example, if a new schema object is added to the directory incorrectly, administrators can use this feature to deactivate it and then enter the correct definition for the object. If a new schema object introduced by a newer Active Directory version conflicts with a schema extension introduced by the user, Windows 2000 domain controllers cannot be upgraded to the newer server version; IT administrators can use schema deactivation to remove the conflicting schema objects so that the upgrade can continue. The feature also lets developers work with Active Directory more flexibly. For example, if a developer writing a new application adds attributes and classes to the Active Directory schema and later finds that the definition of an attribute needs to change, this feature allows the developer to make that change. Similarly, if a business unit has replaced some applications that extended the Active Directory schema with a new application that also uses the schema, IT administrators can deactivate the schema objects the replaced applications no longer use, so that they do not conflict with new extensions that may be installed.

Support for the inetOrgPerson class

IT administrators can use this feature to migrate their inetOrgPerson objects from an LDAP directory into Active Directory, to compare information between Active Directory and other LDAP directories, or to create inetOrgPerson objects directly in Active Directory. ISVs can easily move inetOrgPerson-based applications to Active Directory. Active Directory supports defining user objects based on the inetOrgPerson class, as defined in RFC 2798. The feature includes infrastructure support for the attributes of these user objects, and the user interfaces that work with user objects also support inetOrgPerson objects. Supporting capabilities include setting the user's password at creation time, automatic generation of a sAMAccountName when none is supplied, and the ability to set the account password in plain text through the userPassword attribute.

Installing a replica from media

Instead of replicating the complete Active Directory database over the network, this feature uses a backup of an existing domain controller or global catalog server, letting the administrator build the initial replica from the backup file. This is especially useful where bandwidth is limited. For example, a company may want to place an additional domain controller at a remote site on a low-bandwidth network, and copying the whole directory over such a link would be time consuming. The backup file can be produced by any backup tool and delivered to the candidate domain controller on media such as tape, CD or DVD, or by file copy. To use this feature the Active Directory Installation Wizard must be run in advanced mode.

Group membership replication improvements

When group members are added, changed or deleted, only the changed part is replicated. This reduces the network bandwidth and processor resources consumed by replication and effectively eliminates the possibility of lost updates during simultaneous updates. In Windows 2000 Active Directory, group membership is stored and replicated as a single unit, so a change to a group with many members replicates the entire membership, which consumes extra network bandwidth and increases processor load. In addition, if the membership of one group is updated on two or more Windows 2000 domain controllers, some membership updates may be lost during replication conflict resolution. Once the forest is raised to the Windows Server 2003 family forest functional level, group membership is stored and replicated as individual member values rather than as one unit. When IT administrators update security groups or distribution lists on domain controllers at the Windows Server 2003 family forest functional level, the updates are preserved.
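The lost-update problem described above, as an added model (not Microsoft's replication code): two replicas each add a different member to the same group while disconnected, then replicate. With whole-attribute versioning one addition is discarded by conflict resolution; with per-value metadata both survive. Version numbers and the tie-break by originating DC name are simplifications assumed for the model.

```python
"""Constructed model of group-membership replication conflict resolution.

AttributeReplicaDC mimics Windows 2000: the whole 'member' attribute is one
replicated unit with one version stamp.  LinkedValueDC mimics the Windows
Server 2003 forest functional level: every member value carries its own
metadata.  Member removals (tombstoned values) are not modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Stamp:
    """Replication metadata: version counter plus originating DC name.

    The originating DC name stands in for the timestamp/invocation-ID
    tie-break used by real conflict resolution (assumption of the model).
    """
    version: int
    origin: str

    def beats(self, other: "Stamp") -> bool:
        return (self.version, self.origin) > (other.version, other.origin)


class AttributeReplicaDC:
    """Whole-attribute replication: last writer wins for the entire member set."""

    def __init__(self, name: str, members):
        self.name = name
        self.members = set(members)
        self.stamp = Stamp(1, "initial")

    def add_member(self, user: str) -> None:
        self.members.add(user)
        self.stamp = Stamp(self.stamp.version + 1, self.name)

    def replicate_from(self, source: "AttributeReplicaDC") -> None:
        # The higher-stamped copy of the attribute replaces ours wholesale.
        if source.stamp.beats(self.stamp):
            self.members = set(source.members)
            self.stamp = source.stamp


class LinkedValueDC:
    """Linked-value replication: each member value is resolved independently."""

    def __init__(self, name: str, members):
        self.name = name
        self.values = {m: Stamp(1, "initial") for m in members}

    def add_member(self, user: str) -> None:
        self.values[user] = Stamp(1, self.name)

    def replicate_from(self, source: "LinkedValueDC") -> None:
        # Only values we lack, or whose source stamp is newer, are taken over.
        for user, stamp in source.values.items():
            mine = self.values.get(user)
            if mine is None or stamp.beats(mine):
                self.values[user] = stamp

    @property
    def members(self) -> set:
        return set(self.values)


def concurrent_adds(dc_class):
    """Two DCs add different members while disconnected, then sync both ways.

    Returns (members on DC1, members on DC2) after replication converges.
    """
    dc1 = dc_class("DC1", ["alice"])
    dc2 = dc_class("DC2", ["alice"])
    dc1.add_member("bob")    # update originating on DC1
    dc2.add_member("carol")  # simultaneous update originating on DC2
    dc1.replicate_from(dc2)
    dc2.replicate_from(dc1)
    return dc1.members, dc2.members


def lost_updates(dc_class) -> set:
    """Members that were added on some DC but are missing after convergence."""
    expected = {"alice", "bob", "carol"}
    members_dc1, members_dc2 = concurrent_adds(dc_class)
    return (expected - members_dc1) | (expected - members_dc2)


if __name__ == "__main__":
    print("whole-attribute:", concurrent_adds(AttributeReplicaDC), "lost:", lost_updates(AttributeReplicaDC))
    print("linked-value:   ", concurrent_adds(LinkedValueDC), "lost:", lost_updates(LinkedValueDC))
```

Both replicas converge in either mode; the difference is that the whole-attribute mode converges on a membership from which one DC's addition has silently disappeared.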

Easier remote logon

The connection between a branch office and a global catalog no longer affects logon at the branch office. A branch-office domain controller can process user logons using cached credentials without contacting a global catalog, which improves performance and keeps logon working over unreliable wide-area links. In Windows 2000, when a domain controller handles a logon request for a user of its domain, it must contact a global catalog server to expand the user's universal group membership. This forced some companies to install global catalog servers in remote offices, because otherwise logons failed whenever the remote site lost its network connection to the rest of the company. In Windows Server 2003, a domain controller at a site without a global catalog can be configured, through the Active Directory Sites and Services snap-in, to cache universal group membership lookups performed at logon. This lets the domain controller process logon requests when it cannot reach a global catalog or when no global catalog is available. The group memberships of users who log on at the site are cached, and the cache is refreshed on a cycle determined by the replication schedule, which also reduces replication bandwidth requirements.

Improved replication performance

Windows Server 2003 manages replication and synchronization of Active Directory information more efficiently. Administrators have better control over the type of information that is replicated and synchronized between domain controllers, whether within one domain or across domains. In addition, Active Directory offers more ways to intelligently replicate only the information that has changed, so that entire portions of the directory no longer need to be replicated.

Improved synchronization characteristics

This feature lets companies scale their businesses more effectively. When the partial attribute set of the global catalog is extended, for example when deploying a line-of-business application or through some administrative action, the new behaviour minimizes the impact on the administrator's network infrastructure, which matters most for large directories and slow networks. Under Windows 2000, extending the partial attribute set of the global catalog (adding an attribute) required every global catalog to reset its read-only naming contexts and run a full synchronization; only once that process completed was the attribute extension current on the other domain controllers. When an extended partial attribute set propagates through the enterprise, this feature preserves the global catalog's synchronization state (without resetting it), minimizing the workload and the data that must be replicated again.

Enhanced reliability

Active Directory contains new features that add reliability, such as health monitoring, which lets administrators verify replication between domain controllers; an improved global catalog; and an updated inter-site topology generator (ISTG), which supports forests with more sites than Windows 2000 and so scales better. In Windows 2000, when a forest contained a large number of sites, replication connections between domain controllers in different sites could not be created automatically; the administrator had to create and maintain the inter-site replication topology by hand. In Windows Server 2003 the ISTG has been updated with an improved algorithm and supports forests with more sites than Windows 2000. Because all domain controllers holding the ISTG role in a forest must agree on the inter-site replication topology, the new algorithm can only be activated after the forest has been raised to the Windows Server 2003 family forest functional level (described under "Forest and domain functional level"). Once IT administrators raise the forest to the Windows Server 2003 forest functional level, Active Directory automatically uses the improved ISTG to generate the inter-site replication topology.

Disabling inter-site replication compression

When sites are connected by high-bandwidth network links, replication compression between domain controllers in different sites can be selectively disabled. This reduces CPU usage on the domain controllers and increases their availability.

Forest and domain functional level

Some Active Directory features, such as per-member group membership replication and the improved inter-site topology generator, can only be activated after all domain controllers in a forest have been upgraded to the Windows Server 2003 family. Forest and domain functional levels provide a versioning mechanism that tells the core Active Directory components which features are available in a forest or domain. They can also be used to prevent a domain controller running an earlier operating system from joining a forest or domain that uses features available only on the Windows Server 2003 family. To take advantage of the advanced Windows Server 2003 domain features, IT administrators upgrade all domain controllers in the forest or domain to the Windows Server 2003 operating system and then raise the forest or domain functional level to the Windows Server 2003 family. This capability is available through the NTDSUTIL tool.

Upgrading forests and domains with ADPREP

Active Directory adds improvements in security and application support. An existing forest and its domains must be prepared for these new features before domain controllers running a Windows Server 2003 operating system are introduced into them. ADPREP is a new tool that assists with forest and domain upgrades. It is not needed when upgrading directly from Windows NT 4 to Active Directory on a server running a Windows Server 2003 family operating system. To prepare the forest, the administrator runs ADPREP /ForestPrep on the schema operations master; to prepare each domain, the administrator runs ADPREP /DomainPrep on the infrastructure operations master of that domain.

Lightweight Directory Access Protocol

Lightweight Directory Access Protocol (LDAP) is the industry standard and the primary access protocol for Active Directory. LDAP version 3 is defined by the IETF (Internet Engineering Task Force). Microsoft is responsible for incorporating changes to this standard into Active Directory. Administrators, application developers and third-party ISVs benefit from the latest advances in the LDAP standard. The Windows Server 2003 family contains several improvements to the LDAP client and server.

* Dynamic entries: Active Directory can store dynamic entries according to the IETF standard RFC 2589. An entry in the directory can be assigned a time-to-live value that determines when the entry is automatically deleted.

* Transport layer security: Connections to Active Directory can now be protected using the IETF standard TLS mechanism specified in RFC 2830.

* Digest authentication: Connections to Active Directory can now be authenticated using the Digest-MD5 SASL mechanism specified in RFC 2829.

* Virtual List View (VLV): When an LDAP query produces a large result set, it is very inefficient for the application to pull the entire result set from the server. VLV lets the application view a "window" onto a large result set without transferring the whole set from the server. The VLV protocol is defined by the IETF LDAP Extensions working group.

* Dynamic auxiliary classes: Active Directory now supports dynamically linking an auxiliary class (and thereby adding the attributes it defines) to an individual object instance. In Windows 2000 an auxiliary class could only be statically associated with a structural class definition in the schema, which meant that every instance of the structural class acquired the attributes of the auxiliary classes added to it.

* Fast bind and connection reuse: At the request of many ISVs and application developers, Active Directory has been enhanced to support fast bind and connection reuse. Many web applications use Active Directory as an authentication store. Fast bind lets a web application, or any other application, request simple authentication from Active Directory without generating Windows-specific authorization information, which improves the performance of these applications. An application can also reuse an initial connection to the directory for queries on behalf of many different users. This also improves performance because the application does not have to establish a connection for every query. The enhancement is especially important for web applications that serve very large numbers of queries.

Metadirectory support

Microsoft Metadirectory Services helps companies integrate identity information from multiple directories, databases and files. It gives the company a unified view of identity information and helps keep identity information synchronized across the company.

DirSync control improvements

Windows 2000 Active Directory supports an LDAP control called the DirSync control, which retrieves changes from the directory. This feature adds the ability to perform access checks on DirSync control requests, just as they are performed for a normal LDAP search.

WMI provider for monitoring replication and trust relationships

Trust relationships and Active Directory replication are easier to monitor through WMI. This feature provides WMI classes for checking whether domain controllers have successfully replicated Active Directory information between themselves. Because many Windows 2000 components, such as Active Directory replication, depend on trust relationships functioning correctly, the feature also provides a way to monitor trust relationships. IT administrators and independent software developers can use it to write scripts or applications that monitor the health of Active Directory replication and of inter-domain trust relationships.

Application directory partitions

Some directory information does not need to be available throughout the forest. This feature lets such data be stored in Active Directory without affecting network performance, by giving control over replication and replica placement. Active Directory allows a new type of naming context, or partition, called an application partition. This naming context can hold a hierarchy of any type of object except security principals (users, groups and computers), and it can be configured to replicate to any set of domain controllers in the forest, not necessarily all from one domain. This means that dynamic data from network services such as Remote Access Service, RADIUS, Dynamic Host Configuration Protocol and Common Open Policy Service can be stored in the directory and reached with a single access method. Developers use this feature to write application data to a dedicated application directory partition instead of a domain partition.

Lingering object deletion

This feature prevents inconsistencies between replicas in Active Directory, which can cause security problems and unnecessary growth of the Active Directory database. Lingering objects can appear in Active Directory when a domain controller is unavailable for so long that an object deleted during that time has passed its tombstone lifetime and the tombstone has already been removed from Active Directory; when the domain controller returns, it still holds a copy of the deleted object. This feature provides the ability to remove lingering objects from Active Directory.
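The failure mode described above, as an added model (constructed for illustration, not Microsoft's garbage-collection code): a replica that is offline longer than the tombstone lifetime never receives the tombstone, so it keeps a copy of the deleted object. The tombstone lifetime value, the day-based clock and the GUID strings are assumptions of the model.

```python
"""Constructed model of tombstone garbage collection and lingering objects.

Each replica holds live objects and tombstones (deletion markers).  A
tombstone is garbage-collected once it is older than the tombstone lifetime.
A replica that misses the tombstone while it still exists can never learn of
the deletion through normal replication: the stale copy lingers.
"""
from dataclasses import dataclass, field

TOMBSTONE_LIFETIME_DAYS = 60  # assumed value for the model


@dataclass
class Replica:
    name: str
    objects: dict = field(default_factory=dict)      # guid -> object name
    tombstones: dict = field(default_factory=dict)   # guid -> day of deletion

    def delete(self, guid: str, day: int) -> None:
        """Convert a live object into a tombstone dated 'day'."""
        self.objects.pop(guid)
        self.tombstones[guid] = day

    def garbage_collect(self, day: int) -> list:
        """Remove tombstones older than the tombstone lifetime; return their GUIDs."""
        expired = [g for g, d in self.tombstones.items()
                   if day - d > TOMBSTONE_LIFETIME_DAYS]
        for guid in expired:
            del self.tombstones[guid]
        return expired

    def replicate_from(self, source: "Replica") -> None:
        """Inbound replication: apply the source's tombstones, then take new objects."""
        for guid in list(self.objects):
            if guid in source.tombstones:
                self.delete(guid, source.tombstones[guid])
        for guid, name in source.objects.items():
            self.objects.setdefault(guid, name)


def lingering_objects(suspect: Replica, reference: Replica) -> dict:
    """Objects the suspect holds that the reference knows nothing about.

    An object absent from the reference's live set *and* its tombstones was
    deleted and garbage-collected there; a live copy elsewhere is lingering.
    """
    return {g: n for g, n in suspect.objects.items()
            if g not in reference.objects and g not in reference.tombstones}


def simulate(offline_days: int) -> dict:
    """Delete an object on DC-A while DC-B is offline for 'offline_days' days.

    Returns the lingering objects found on DC-B after it reconnects.
    """
    guid = "11111111-2222-3333-4444-555555555555"   # constructed GUID
    dc_a = Replica("DC-A", {guid: "cn=old-service-account"})
    dc_b = Replica("DC-B", {guid: "cn=old-service-account"})

    dc_a.delete(guid, day=0)           # day 0: deletion originates on DC-A
    for day in range(1, offline_days + 1):
        dc_a.garbage_collect(day)      # DC-A runs garbage collection daily

    dc_b.replicate_from(dc_a)          # DC-B reconnects and replicates inbound
    return lingering_objects(dc_b, dc_a)


if __name__ == "__main__":
    print("offline 30 days:", simulate(30))   # tombstone still present -> deletion applied
    print("offline 70 days:", simulate(70))   # tombstone gone -> object lingers on DC-B
```

If DC-A later replicated inbound from DC-B instead, `replicate_from` would reintroduce the deleted object on DC-A; that reanimation is exactly the inconsistency the feature is meant to clean up.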

Preventing overload of the first upgraded domain controller

This feature prevents the first Active Directory domain controller introduced into a domain with a large number of Windows 2000 and Windows Server 2003 family members from being overloaded. It is useful when a Windows NT 4 domain already contains members running Windows 2000, Windows XP Professional and the Windows Server 2003 family. When the primary domain controller is upgraded to Windows 2000 Service Pack 2 or the Windows Server 2003 family, it can be configured to emulate the behaviour of a Windows NT 4 domain controller, so that domain members running Windows 2000 and Windows Server 2003 do not distinguish the upgraded DC from the remaining NT 4 DCs. To meet the particular needs of IT administrators, domain members running Windows 2000 Service Pack 2 and the Windows Server 2003 family can be configured to tell a domain controller running Windows 2000 Service Pack 2 or the Windows Server 2003 family not to emulate Windows NT 4 domain controller behaviour when responding to those members. This configuration is performed with the registry editor.

Removal of RDN restrictions for non-X.500-compatible naming

In Active Directory, the naming attribute (also called the relative distinguished name, or RDN, attribute) is defined for each class in the schema. For example, the user class uses the common name as its naming attribute. A class that does not define a naming attribute inherits it from its parent class. Once a naming attribute has been chosen it cannot be changed. Active Directory requires that the RDN be unique within a container, so two users with the same RDN cannot reside in the same container. The Windows Server 2003 family enhances this: the inetOrgPerson class (which uses the common name as its naming attribute in the default schema) can be deleted and recreated with any Unicode string attribute as its naming attribute. Any attribute other than the common name can then be used as the naming attribute. For example, if many users in the same OU share the same name, this feature lets the administrator choose a distinguishing attribute for those users, guaranteeing that there are no naming conflicts. The feature is also useful when directories are merged, as in a company acquisition: if the acquired business runs another LDAP directory that uses a different naming attribute for its inetOrgPerson objects, administrators can use this feature to change the naming attribute and then migrate the inetOrgPerson objects from that LDAP directory into Active Directory.

Improved management and user interfaces

Windows Server 2003 enhances several Active Directory management interfaces. Administrators can now edit multiple user objects at the same time, reset ACL permissions to the defaults, display the effective permissions of a security principal, and see the parent from which a permission is inherited.

Feature / Description

Improved installation and configuration

This feature simplifies the diagnosis, handling and reporting of incorrect DNS configuration and helps ensure that the DNS infrastructure required for an Active Directory deployment is configured correctly.

* If you are upgrading a domain controller in an existing forest, the Active Directory Installation Wizard contacts an existing domain controller to update the directory and replicate the required directory partitions from it. If the wizard cannot locate a domain controller because of a DNS misconfiguration or because that domain controller is unavailable, it diagnoses the problem and reports the cause of the failure and how to resolve it.

* So that it can be located on the network, each domain controller must register its domain controller locator records in DNS. The Active Directory Installation Wizard verifies that the DNS infrastructure is configured to allow the new domain controller to dynamically update its domain controller locator records. If this check finds a misconfigured DNS infrastructure, it reports the error and explains how to resolve it.

If the DNS infrastructure is correctly configured for the Active Directory deployment, IT administrators will not notice this feature at all. If the DNS infrastructure is misconfigured in a way that would block the Active Directory deployment, the administrator is alerted while using the Active Directory Installation Wizard.

Active Directory Migration Tool

Improvements to the Active Directory Migration Tool make migrating to Active Directory easier. Active Directory Migration Tool version 2 can now migrate passwords from Windows NT 4 to Windows 2000 and Windows Server 2003 family domains, and between Windows 2000 and Windows Server 2003 family domains. A new scripting interface has been added for the most common migration tasks, such as migrating users, groups and computers. The Active Directory Migration Tool can now be driven from any language that supports COM interfaces, such as Visual Basic Scripting Edition, Visual Basic and the Visual C development system. The scripting interface has been extended to support the command line, so all scripted tasks can be run directly from a command line or from a batch file. These scripting and COM interface improvements make it easier for developers to integrate the Active Directory Migration Tool into their applications and to use it for batch operations.

Enhanced user interface

Because those responsible for managing corporate identities, objects and relationships need efficient tools, the Microsoft Management Console snap-ins now include drag-and-drop, multi-object selection, and the ability to save and reuse queries.

Improved object picker

Improvements to the object picker and other management user interfaces make Active Directory easier to manage; the object picker lets the administrator select one or more users, computers, groups or contacts. The object picker is used by many user interfaces and is available to third-party developers: it exposes public and private interfaces that programs can use to customize its behaviour. For example, it can run in single-selection or multiple-selection mode, or be restricted to a specific type of object (for example, users). The object picker has been redesigned and enhanced with the following results:

* An optimized administrator workflow that finds directory objects quickly

* Improved support for finding objects in a large directory

* Reduced impact of directory services on the network

* The ability to set a search scope

* More flexible, attribute-based query capabilities for finding objects in the directory

Active Directory Users and Computers: saved queries

This feature allows queries to be saved, reopened, refreshed and sent by e-mail, which makes management easier. A query is a search over a data set (the directory) for content matching specific criteria (such as the value of a directory object attribute). Query objects and their results can be viewed and manipulated in the user interface. The feature has many benefits for administrators:

* IT administrators can use it to export the results of an attribute query for reporting or analysis, and can refresh the query on a regular cycle, which saves time when producing management reports.

* IT administrators can use it to select a set of users according to user attributes and then add all of them to a group.

* IT administrators can find a set of specific user objects and then edit their attributes immediately (using the "Active Directory Users and Computers: editing multiple user objects" feature).

* IT administrators can use it to identify all disabled accounts, all accounts expiring on a certain date, all accounts with non-expiring passwords, all RAS-enabled accounts, all user accounts whose password is older than a specific number of days, all RAS callback-enabled accounts, and all accounts without a manager.

* IT administrators can query the directory for specific user objects and then edit their attributes immediately, as described under the new "Active Directory Users and Computers: editing multiple user objects" feature.
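The account-hygiene queries listed above, as added example code (not part of the original page or of the Active Directory Users and Computers tool): builds the LDAP filters such a saved query runs, converts a cut-off date into the Windows FILETIME integer that attributes like pwdLastSet and accountExpires store, and escapes any caller-supplied value per RFC 4515 so a name cannot alter the filter. The attribute names and the bitwise-AND matching rule OID are standard Active Directory; the cut-off dates are constructed.

```python
"""Build saved-query style LDAP filters for common account audits.

Active Directory stores pwdLastSet and accountExpires as FILETIME values:
100-nanosecond intervals since 1601-01-01 UTC.  accountExpires of 0 or
9223372036854775807 means 'never expires'; pwdLastSet of 0 means 'must
change at next logon'.  Both special values are excluded by the filters.
"""
from datetime import datetime, timedelta, timezone

# Bitwise-AND matching rule used to test userAccountControl flags.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
USER_BASE = "(objectCategory=person)(objectClass=user)"

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = 9223372036854775807


def to_filetime(when: datetime) -> int:
    """Convert an aware datetime to a Windows FILETIME integer."""
    if when.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    delta = when - FILETIME_EPOCH
    return (delta // timedelta(microseconds=1)) * 10


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515 section 3).

    Without this, a value such as '*)(userAccountControl=512' would change
    the meaning of the filter instead of being matched literally.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def uac_flag_filter(flag: int) -> str:
    """Users whose userAccountControl has the given flag bit set."""
    return "(&%s(userAccountControl:%s:=%d))" % (USER_BASE, LDAP_MATCHING_RULE_BIT_AND, flag)


def disabled_accounts() -> str:
    return uac_flag_filter(UF_ACCOUNTDISABLE)


def password_never_expires() -> str:
    return uac_flag_filter(UF_DONT_EXPIRE_PASSWD)


def password_older_than(days: int, now: datetime) -> str:
    """Users whose password was last set more than 'days' ago."""
    cutoff = to_filetime(now - timedelta(days=days))
    return "(&%s(pwdLastSet>=1)(pwdLastSet<=%d))" % (USER_BASE, cutoff)


def accounts_expiring_by(deadline: datetime) -> str:
    """Users with an explicit expiry on or before 'deadline'."""
    cutoff = to_filetime(deadline)
    return "(&%s(accountExpires>=1)(accountExpires<=%d))" % (USER_BASE, cutoff)


def accounts_without_manager() -> str:
    return "(&%s(!(manager=*)))" % USER_BASE


def ras_enabled_accounts() -> str:
    """Users granted dial-in access (msNPAllowDialin=TRUE)."""
    return "(&%s(msNPAllowDialin=TRUE))" % USER_BASE


def user_by_name(display_name: str) -> str:
    """Look up one user by display name, with the value safely escaped."""
    return "(&%s(displayName=%s))" % (USER_BASE, escape_filter_value(display_name))


if __name__ == "__main__":
    now = datetime(2003, 6, 1, tzinfo=timezone.utc)   # constructed reference date
    for f in (disabled_accounts(), password_older_than(90, now),
              accounts_expiring_by(now), accounts_without_manager(),
              user_by_name("Bob (Contractor)")):
        print(f)
```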

Active Directory Users and Computers: editing multiple user objects

This feature lets the administrator select multiple user objects and then presents a list of attributes whose values can be set on all of the selected objects at once. Only specific attributes are available for this multi-object editing. Because attributes can be changed simultaneously in a few steps, management becomes easier.

Group Policy improvements and new features

Group Policy lets you define the settings and permitted actions for users and computers. Unlike local policy, Group Policy can be applied to a specific site, domain or organizational unit in Active Directory. Policy-based management simplifies tasks such as system updates, application installation, user profiles and desktop lockdown. Windows Server 2003 adds more than 100 new policy objects.

Feature / Description

Resultant Set of Policy

This tool lets an IT administrator determine the resultant set of policy for a given user or computer, both for the actual situation and for hypothetical ones. Logging mode lets IT administrators see what policy is actually being applied on a specific computer. Planning mode lets IT administrators perform "what-if" analysis for a particular location in the directory, security group membership and WMI filter attributes. The Resultant Set of Policy Wizard guides the administrator through the steps needed to create an appropriate target, generates the resultant set of policy data, and starts the Resultant Set of Policy tool on that data. The tool can determine the state of an existing target and run scenarios by manipulating Group Policy. For a given target it allows the resultant set of policy to be retrieved and examined; in a simulated environment it allows the resultant set of policy for a specific target to be generated and examined; and under new criteria it makes difference checks easy. Resultant Set of Policy is available through the Active Directory Users and Computers Microsoft Management Console snap-in or through the Resultant Set of Policy snap-in of the Microsoft Management Console.

Group Policy: new policies

These policies give stronger management, customization and control of operating system behaviour for groups of users. There are now more than 160 policy settings in the operating system. The new policy settings affect features such as Control Panel, error reporting, Terminal Services, Remote Assistance, network and dial-up connections, DNS, Net Logon, Group Policy and roaming profiles.

* Net Logon: Net Logon policies make it possible to use Group Policy to configure Net Logon settings on computers running the Windows Server 2003 family. This simplifies the steps needed to configure domain members when adjusting Net Logon settings. These settings include enabling and disabling dynamic registration and periodic refresh of specific domain controller locator DNS records, enabling and disabling automatic site coverage, and many other commonly used Net Logon parameters.

* Credential Manager: Credential Manager is used to store and manage user credentials. This Group Policy feature makes it possible to disable Credential Manager.

* 64-bit software: 64-bit software policies extend Group Policy support to 64-bit software deployment. A new option in the application deployment editor helps determine whether a 32-bit application should be deployed to 64-bit clients. The application deployment editor also allows existing Windows 2000 deployments to be managed with the same level of functionality provided for the Windows XP and Windows Server 2003 families.

* Support URL: This feature lets a package be edited to add a support URL. When the application appears in Add/Remove Programs on the target computer, the user can select the support information URL and be taken to a support web page. This helps reduce calls to help desks or support groups.

* Terminal Services: Most Terminal Services configuration is now available through Group Policy settings.

* My Documents: Through Group Policy, this feature makes it possible to redirect users' My Documents folder to their home directory.

Managing DNS with Group Policy

This feature allows administrators to use Group Policy to manage and configure DNS client settings on computers running the Windows Server 2003 family. This simplifies the steps required to configure domain members, such as enabling or disabling dynamic registration of DNS records by clients and controlling how the DNS suffix search list is used during name resolution. Beyond simplified management, Group Policy support for the last parameter (the DNS suffix search list) is considered a strategic feature: it is needed when moving to an environment without NetBIOS.

Software restriction policies

This policy lets you strengthen the management of computers running Windows XP and the Windows Server 2003 family, allowing better defense against viruses, Trojan horses, and unwanted applications. Software restriction policies provide a policy-driven mechanism to identify the software running in a domain and control its ability to execute. They can identify malicious or unwanted software and prevent it from running on computers running Windows XP and the Windows Server 2003 family. This feature also allows you to restrict the software running on tightly managed workstations (such as kiosks, task stations, or application stations) so that only software on a single approved list can run. This helps improve system stability and integrity on these computers. The feature is configured from the Group Policy snap-in.

Administrative Templates Web view

This feature enhances the Group Policy Administrative Templates extension snap-in, enabling it to show detailed information about the available policy settings. When a policy setting is selected, the Administrative Templates user interface describes the setting's behavior in detail, together with additional information about how the setting is used. The same information is available on the Explain tab of each setting's Properties page.

WMI filtering

Windows Management Instrumentation (WMI) filtering is an addition to the Group Policy infrastructure that provides the ability to specify a WMI-based query to filter Group Policy objects. It also adds a tab to the Group Policy object Properties page on which a filter can be specified, created, and edited. In addition, Resultant Set of Policy can display either the existing WMI filter or an alternative WMI filter specified for the analysis. This is similar to the concept of security group filtering implemented in Windows 2000.

Group Policy Management Console

Shortly after the release of Windows Server 2003, the Group Policy Management Console (GPMC) is expected to be available free of charge from Microsoft's web site; GPMC provides a new framework for managing Group Policy. With GPMC, Group Policy becomes much easier to use, an advantage that helps more companies make better use of Active Directory services and take advantage of its powerful cost-saving features. For example, GPMC makes it possible to back up and restore Group Policy objects, import/export and copy/paste Group Policy objects, report on Group Policy object settings and RSoP data, and script all GPMC operations. Using GPO import and copy, for instance, an administrator can maintain GPOs for a variety of configurations (tightly managed desktops, laptops, Terminal Services, Exchange servers, and so on, on Windows Server 2003) and quickly deploy them throughout the company. In addition, GPMC allows administrators to manage Group Policy across multiple domains and sites in a given forest. All of this is implemented in a simplified user interface with drag-and-drop support. Using cross-forest trust relationships, administrators can manage Group Policy in multiple forests from the same console. GPMC can also manage Group Policy in Windows 2000 or Windows Server 2003 domains.
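The backup and reporting operations listed above, as an added example that is not part of the original article: the script backs up every GPO in a domain into a timestamped folder and stores an HTML settings report beside each backup, so a reviewer can inspect what a GPO contained at that time without restoring it. It uses the GroupPolicy PowerShell module (Windows Server 2008 R2 and later), which wraps the GPMC interfaces the text describes rather than the 2003-era GPMC scripting objects; the backup path and the 30-day change window are assumptions.

```powershell
# Added example (not from the original article): scheduled GPO backup plus a
# per-GPO HTML settings report, using the GroupPolicy module cmdlets.
# The backup root and the change window are assumptions.
Import-Module GroupPolicy

function Backup-AllGpos {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$BackupRoot = 'D:\GPO-Backups',   # placeholder path
        [int]$RecentDays = 30
    )
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    $dest  = Join-Path $BackupRoot $stamp
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Backup-GPO writes the GPO's Active Directory and SYSVOL parts to $dest
        # and returns a GpoBackup object whose Id identifies this backup set.
        $backup = Backup-GPO -Guid $gpo.Id -Domain $Domain -Path $dest `
                             -Comment "Scheduled backup $stamp"

        # A settings report makes the backup reviewable without a restore.
        Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Html `
                      -Path (Join-Path $dest "$($backup.Id).html")

        [pscustomobject]@{
            Name        = $gpo.DisplayName
            GpoId       = $gpo.Id
            BackupId    = $backup.Id
            ModifiedUtc = $gpo.ModificationTime.ToUniversalTime()
            # Flag GPOs changed recently so the reviewer knows which reports to diff.
            RecentlyChanged = $gpo.ModificationTime -gt (Get-Date).AddDays(-$RecentDays)
        }
    }
}

Backup-AllGpos | Format-Table -AutoSize
```

Keeping the HTML report next to the backup is what lets the import/copy workflow described in the text be audited: the report shows exactly which settings a "golden" GPO carried when it was copied into another domain.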

Cross-forest support

Cross-forest features in Windows Server 2003 make new Group Policy scenarios possible. Although Group Policy objects can only be linked to sites, domains, or OUs in a given forest, Windows Server 2003 Group Policy correctly supports these new interactions. For example, a user in forest A can log on to a computer in forest B and have his own policy settings applied. In addition, settings inside a GPO can reference servers in an external forest, such as software distribution points.

Software restriction policies

This feature provides a policy-driven mechanism to identify the software running in a domain and control its ability to execute. It recognizes malicious or unwanted software and prevents it from running on computers running Windows XP and the Windows Server 2003 family. This gives you a way to better defend against viruses, Trojan horses, and unwanted applications and to strengthen the management of computers running Windows XP and the Windows Server 2003 family. The feature also allows you to restrict the software running on highly managed workstations (kiosks, task workstations, or application workstations) so that only software on a single approved list can run. This helps improve system stability and integrity on these computers. The feature is available from the Group Policy Object Editor.
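The two software restriction policy passages above describe an allow-list posture (default level Disallowed, with an approved list of software). As an added example that is not part of the original article, the script below audits what is actually in force on a machine by reading the registry keys under which Group Policy stores software restriction policies (`HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`). The key, value names, and level numbers are the documented SRP locations; the wording of the findings is mine.

```powershell
# Added example (not from the original article): audit the effective Software
# Restriction Policy by reading the registry values Group Policy writes.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels used both for DefaultLevel and as subkey names for rules.
$LevelNames = @{
    0       = 'Disallowed'
    0x1000  = 'Basic User'
    0x40000 = 'Unrestricted'   # subkey "262144"
}

function Get-SrpAudit {
    if (-not (Test-Path $SaferRoot)) {
        return [pscustomobject]@{ Configured = $false; Findings = @('No software restriction policy is configured.') }
    }
    $cfg      = Get-ItemProperty -Path $SaferRoot
    $findings = New-Object System.Collections.Generic.List[string]

    # DefaultLevel: Disallowed is the allow-list posture the text describes;
    # Unrestricted means only explicitly listed software is blocked.
    $default = $LevelNames[[int]$cfg.DefaultLevel]
    if ($default -ne 'Disallowed') {
        $findings.Add("Default level is '$default': software not covered by a rule is allowed to run.")
    }
    # TransparentEnabled: 1 = check all software files except libraries (DLLs), 2 = check all files.
    if ($cfg.TransparentEnabled -eq 1) {
        $findings.Add('Libraries (DLLs) are excluded from enforcement; only executables are checked.')
    }
    # PolicyScope: 0 = all users, 1 = all users except local administrators.
    if ($cfg.PolicyScope -eq 1) {
        $findings.Add('Local administrators are exempt from the policy.')
    }
    # LogFileName enables SRP advanced logging of every evaluation, useful for tuning an allow list.
    if (-not $cfg.LogFileName) {
        $findings.Add('Advanced SRP logging (LogFileName) is not enabled.')
    }

    # Path rules live under <level>\Paths\{GUID}; ItemData holds the path.
    # Every Unrestricted path rule should be reviewed: standard users must not
    # be able to write into it, or the allow list is only nominal.
    $rules = foreach ($lvl in $LevelNames.Keys) {
        $pathKey = Join-Path $SaferRoot "$lvl\Paths"
        if (Test-Path $pathKey) {
            foreach ($rule in Get-ChildItem -Path $pathKey) {
                $p = Get-ItemProperty -Path $rule.PSPath
                [pscustomobject]@{
                    Level       = $LevelNames[$lvl]
                    Path        = $p.ItemData
                    # Registry-style paths (%HKEY_LOCAL_MACHINE\...%) are left as-is by this call.
                    Expanded    = [Environment]::ExpandEnvironmentVariables([string]$p.ItemData)
                    Description = $p.Description
                }
            }
        }
    }

    [pscustomobject]@{
        Configured   = $true
        DefaultLevel = $default
        Findings     = $findings
        PathRules    = $rules
    }
}

$audit = Get-SrpAudit
$audit.Findings
$audit.PathRules | Format-Table Level, Path, Description -AutoSize
```

Running this after a policy refresh (`gpupdate /force`) confirms that the GPO actually reached the machine with the intended default level; the RSoP report tells you which GPO delivered it.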

Group Policy Object Editor enhanced user interface

Web view integration in the Group Policy Object Editor makes it easier to understand, manage, and verify policy settings. Clicking a policy immediately displays its description and supporting text, such as whether the setting is supported only on Windows XP or on Windows 2000.

WMI filtering

Windows Management Instrumentation (WMI) filtering enables administrators to determine whether a Group Policy object is applied to a specific computer or user based on WMI properties of the target computer or user. This is similar to the concept of security group filtering implemented in Windows 2000.
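Both WMI filtering passages above describe the filter as a WMI-based query that decides whether a GPO applies. As an added example that is not part of the original article, the function below evaluates a filter the way the Group Policy client does: each WQL query in the filter is run against the target's WMI namespace, and the GPO applies only if every query returns at least one instance. The sample filter (server-class operating system with at least 4 GB of RAM) is constructed for illustration; the class and property names are standard `root\CIMv2` classes.

```powershell
# Added example (not from the original article): evaluate a GPO WMI filter's
# WQL queries against a computer before linking the GPO, so the scope can be
# verified without waiting for a policy refresh. Sample queries are constructed.
function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory)][string[]]$Query,
        [string]$Namespace    = 'root\CIMv2',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $results = foreach ($q in $Query) {
        # A query that throws (bad WQL, missing class) is reported as failing
        # rather than silently letting the GPO through.
        try {
            $instances = @(Get-CimInstance -Namespace $Namespace -Query $q `
                                           -ComputerName $ComputerName -ErrorAction Stop)
            [pscustomobject]@{ Query = $q; Matches = $instances.Count; Passes = $instances.Count -gt 0; Error = $null }
        } catch {
            [pscustomobject]@{ Query = $q; Matches = 0; Passes = $false; Error = $_.Exception.Message }
        }
    }
    [pscustomobject]@{
        Target     = $ComputerName
        Queries    = $results
        # The client ANDs the queries: one empty result excludes the GPO.
        GpoApplies = -not ($results | Where-Object { -not $_.Passes })
    }
}

# Constructed sample filter: Win32_OperatingSystem.ProductType is 1 for a
# workstation, 2 for a domain controller, 3 for a member server.
$ServerFilter = @(
    'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "2" OR ProductType = "3"',
    'SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory >= 4294967296'
)
$outcome = Test-GpoWmiFilter -Query $ServerFilter
$outcome.Queries | Format-Table Query, Matches, Passes -AutoSize
"GPO applies to $($outcome.Target): $($outcome.GpoApplies)"
```

Two practical caveats: a WMI filter is evaluated on every foreground and background refresh, so an expensive query (for example one that enumerates installed products) slows policy processing on every client, and Windows 2000 clients ignore WMI filters entirely, so a GPO intended to be narrowed this way still applies to them in full.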

Folder redirection enhancements

Administrators can now choose to redirect a user's My Documents folder to that user's home directory.

Enhancements to Group Policy-based software distribution

Microsoft has implemented the following enhancements in Windows Server 2003. Administrators can now choose whether an application assigned to a user is installed completely when the user first launches it or installed on demand. The option is set in the Software Settings node of the Group Policy Object Editor. Administrators can now also specify a URL, shown in the user's Add/Remove Programs, that points to support information.

Summary

Active Directory in Windows Server 2003 builds on Windows 2000, emphasizing simplified management, greater versatility, and unmatched reliability. Active Directory has become a solid foundation on which to build a corporate network, and its unparalleled capabilities are:

• Leverage existing investments and consolidate directory management

• Extend management control and reduce redundant management tasks

• Simplify remote integration and use network resources more effectively

• Reduce TCO and improve the use of IT resources

More information

When the final version of Windows Server 2003 is available, Microsoft will publish more detailed Windows Server 2003 technical articles on the Internet. Links to these technical articles can be found at:

http://www.microsoft.com/china/windowsserver

http://www.microsoft.com/china/technet

Please cite the original URL when reposting: https://www.9cbs.com/read-62515.html