Acknowledgements

Part 1
Chapter 1: Using the Active Directory Library How the Active Directory Library Is Structured How the Active Directory Library Is Designed
Chapter 2: What’s In This Volume?
Chapter 3: Using Microsoft Reference Resources The Microsoft Developer Network Comparing MSDN Online MSDN Subscriptions MSDN Library Subscriptions MSDN Professional Subscriptions MSDN Universal Subscriptions Purchasing an MSDN Subscription Using MSDN Navigating MSDN Quick Tips Using MSDN Online Navigating MSDN Online MSDN Online Features MSDN Online Registered Users The Windows Programming Reference Series
Chapter 4: Finding the Developer Resources You Need Developer Support Online Resources Learning Products Conferences Other Resources
Chapter 5: What You Need to Know First About Active Directory Active Directory Basics What Is a Directory Service? Why Have a Directory Service? What Is Active Directory? Active Directory Core Concepts Scope Namespace Object Containers and Leaves Object Names and Identities Naming Contexts and Partitions Domains Domain Trees Viewing Trust Relationships Viewing the Namespace Forests Active Directory Servers and Dynamic DNS Sites Active Directory Architecture Directory System Agent Data Model Schema Administration Model Global Catalog Active Directory Security Object and Attribute Protection Delegation Inheritance

Part 2
Chapter 6: Searching Active Directory Deciding What to Find Example Code for Searching for Users Where to Search Searching Domain Contents Searching the Schema Searching the Configuration Container Searching Global Catalog Contents Choosing the Data Access Technology Creating a Query Filter Finding Objects by Class Finding Objects by Name Example Code for Filtering Objects by Name Finding a List of Attributes to Query Checking the Query Filter Syntax Specifying Comparison Values Listing Properties to Retrieve for Each Object Found Retrieving the objectClass Property Binding to a Search Start Point Specifying Other Search Options Search Scope Synchronous vs. Asynchronous Paging Result Caching Sorting the Search Results Referral Chasing Size Limit Server Time Limit Client Time-Out Returning Only Attribute Names Example Code for Searching for Attributes Checking Search Preferences Example Code for Checking the Status of ADS_SEARCHPREF_INFO Effects of Security on Queries Processing Query Results Creating Efficient Queries Referrals Example Code for Binding to a Partitions Container When Referrals are Generated Creating an External Referral Example Code for Creating an External crossRef Object
Chapter 7: Binding Serverless Binding and RootDSE Binding to the Global Catalog Using objectGUID to Bind to an Object Reading an objectGUID and Creating a String Representation of the GUID Binding to Well-Known Objects Using WKGUID Example Code for Creating a Bindable String Representation of a GUID Enabling Rename-Safe Binding with the otherWellKnownObjects Property Authentication GetObject and ADsGetObject Example Code for Binding to an Object Using ADsGetObject ADsOpenObject and IADsOpenDSObject::OpenDSObject Example Code for Binding to an Object Using ADsOpenObject Binding with Encryption Fast Binding Option for Batch Write/Modify Operations Binding to an Object’s Parent Container Binding to Child Objects Choosing an Interface
Chapter 8: Reading and Writing Properties of Active Directory Objects Property Cache Getting Properties Get Method GetEx Method GetInfo Method Optimization Using GetInfoEx Getting Properties with the IDirectoryObject Interface Setting Properties Put Method PutEx Method SetInfo Method Enumerating Properties Providing Direct Access to the Property Cache
Chapter 9: Controlling Access to Active Directory Objects How Access Control Works in Active Directory Controlling Access to Objects and Their Properties Access Rights for Active Directory Objects Security Contexts and Active Directory How Security Affects Active Directory Operations Access Control and Read Operations Access Control and Write Operations Access Control and Object Creation Access Control and Object Deletion APIs for Working with Security Descriptors Using IADs to Get a Security Descriptor Using IDirectoryObject to Get a Security Descriptor Security Descriptor Components Retrieving an Object’s DACL Retrieving an Object’s SACL Reading an Object’s Security Descriptor Setting Access Rights on an Object Example Code for Setting an ACE on a Directory Object Setting Access Rights on the Entire Object Setting Permissions to a Specific Property Setting Permissions on a Group of Properties Setting Permissions on Child Object Operations How Security Descriptors are Set on New Directory Objects Creating a Security Descriptor Inheritance and Delegation of Administration Access Control Inheritance Setting Rights to Specific Types of Objects Setting Rights to Specific Properties of Specific Types of Objects Protecting Objects from the Effects of Inherited Rights Default Security Descriptor Reading the defaultSecurityDescriptor for an Object Class Modifying the defaultSecurityDescriptor for an Object Class Extended Rights Creating an Extended Right ACE in an Object’s ACL Checking an Extended Right in an Object’s ACL Reading an Extended Right Set in an Object’s ACL
Chapter 10: Extending the User Interface for Directory Objects About Active Directory User Interfaces Display Specifiers DisplaySpecifiers Container Property Pages for Use with Display Specifiers Implementing the Property Page COM Object Registering the Property Page COM Object in a Display Specifier Context Menus for Use with Display Specifiers Implementing the Context Menu COM Object Example Code for Implementation of the Context Menu COM Object Registering the Context Menu COM Object in a Display Specifier Registering a Context Menu Item that Starts an Application in a Display Specifier Class and Attribute Display Names Class Icons Viewing Containers as Leaf Nodes Object Creation Wizards Invoking Creation Wizards from Your Application Using MSI and Windows 2000 Application Deployment to Distribute UI Additions Using Standard Dialog Boxes for Handling Active Directory Objects Directory Object Picker Domain Browser Container Browser How Applications Should Use Display Specifiers Localization User Interface Extension for New Object Classes Creating Display Specifiers for New Classes Modifying Existing Classes Extending Active Directory Administrative Snap-ins Using MMC Extension Snap-ins Context Menu Extension Tutorial Registering Node Types for Active Directory Manager MMC Node Types
Chapter 11: Object Picker Dialog Box About the Object Picker Dialog Box Object Picker Scopes and Filters Using the Object Picker Dialog Box Displaying the Object Picker Dialog Box Initializing the Object Picker Dialog Box Processing the Selected Objects
Chapter 12: Replication and Data Integrity Active Directory Replication Model What is the Active Directory Replication Model? Why Active Directory Uses This Replication Model A Programmer’s Model of Active Directory Replication Active Directory Replication Behavior Impact on Directory-Enabled Applications Detecting and Avoiding Replication Latency What Can You Know, and When Can You Know It? Temporal Locality Out-of-Band Signaling Effective Date and Time Checksums and Object Counts Consistency GUIDs Versioning and Fallback Strategies
Chapter 13: Managing Users Users in Active Directory Security Principals What Is a User? Reading a User Object Binding to a User Object User Object Properties Reading User Object Properties Setting Properties on a User Object Creating a User Deleting a User Enumerating Users Querying for Users Moving Users Managing Users on Member Servers and Windows 2000 Professional Enumerating Users on Member Servers and Windows 2000 Professional Creating Users on Member Servers and Windows 2000 Professional Deleting Users on Member Servers and Windows 2000 Professional Values for CountryCode
Chapter 14: Managing Groups Groups in Active Directory Types of Groups How Security Groups are Used in Access Control Where Groups Can Be Created Scope of Groups Group Scope and the Global Catalog Effects of Universal Groups on the Global Catalog What Type of Group to Use Group Objects Groups on Mixed- and Native-Mode Domains Detecting the Operation Mode of a Domain Creating Groups in a Domain Adding Members to Groups in a Domain Removing Members from Groups in a Domain Nesting a Group in Another Group Nesting in Native Mode Nesting in Mixed Mode Common Errors Determining a User’s or Group’s Membership in a Group Enumerating Groups Enumerating Groups in a Domain Enumerating Groups by Scope or Type in a Domain Enumerating Members in a Group Enumerating Groups That Contain Many Members ADO SQL Dialect ADO LDAP Dialect IDirectorySearch and IDirectoryObject Querying for Groups in a Domain Changing a Group’s Scope or Type Deleting Groups Moving Groups Getting the Domain Account-Style Name of a Group Groups on Member Servers and Windows 2000 Professional Enumerating Groups on Member Servers and Windows 2000 Professional Creating Machine Local Groups on Member Servers and Windows 2000 Professional Deleting Groups on Member Servers and Windows 2000 Professional Adding Domain Groups to Machine Local Groups on Member Servers and Windows 2000 Professional What Application and Service Developers Need to Know About Groups
Chapter 15: Tracking Change Overview of Change Tracking Techniques Change Notifications in Active Directory Example Code for Receiving Change Notifications Polling for Changes Using the DirSync Control Example Code Using ADS_SEARCHPREF_DIRSYNC Polling for Changes Using USNChanged Example Code to Retrieve Changes Using USNChanged Retrieving Deleted Objects
Chapter 16: Service Publication About Service Publication Security Issues for Service Publication Connection Points Publishing with Service Connection Points Where to Create a Service Connection Point Publishing Under a Computer Object Publishing in a Domain’s System Container Service Connection Points for Replicated, Host-Based, and Database Services Service Connection Point Properties Creating and Maintaining a Service Connection Point Creating a Service Connection Point Updating a Service Connection Point How Clients Find and Use a Service Connection Point Publishing with the RPC Name Service (RpcNs) Example Code for Publishing an RPC Service Example Code for an RPC Client Locating a Server Publishing with Windows Sockets Registration and Resolution (RnR) Example Code for Installing an RnR Service Class Example Code for Implementing a Winsock Service with an RnR Publication Example Code for Publishing the RnR Connection Point Example Code for Removing the RnR Connection Point Example Code for a Winsock Client Locating a Service Using an RnR Query Publishing COM+ Services
Chapter 17: Service Logon Accounts About Service Logon Accounts Guidelines for Selecting a Service Logon Account Local User Accounts Domain User Accounts The LocalSystem Account Setting up a Service’s User Account Installing a Service on a Host Computer Granting Logon as Service Right on the Host Computer Testing Whether Calling Process is Running on a Domain Controller Granting Access Rights to the Service Logon Account Enabling Service Account to Access SCP Properties Logon Account Maintenance Tasks Changing the Password on a Service’s User Account Enumerating the Replicas of a Service Converting Domain Account Name Formats
Chapter 18: Mutual Authentication Using Kerberos About Mutual Authentication Using Kerberos Security Providers Integrity and Privacy Limitations of Mutual Authentication with Kerberos Service Principal Names Name Formats for Unique SPNs How a Service Composes Its SPNs How a Service Registers Its SPNs How Clients Compose a Service’s SPN Mutual Authentication in a Windows Sockets Service with an SCP How a Client Authenticates an SCP-based Windows Sockets Service Composing and Registering SPNs for an SCP-based Windows Sockets Service Composing the SPNs for a Service with an SCP Registering the SPNs for a Service How a Windows Sockets Service Authenticates a Client Mutual Authentication in RPC Applications How a Client Authenticates an RpcNs Service Composing SPNs for an RpcNs Service How an RpcNs Service Authenticates a Caller Mutual Authentication in Windows Sockets Applications
Chapter 19: Backing Up and Restoring Active Directory Considerations for Active Directory Services Backup Backing Up Active Directory Restoring Active Directory

Part 3 - Glossary and Indexes
Glossary
Index 1: Active Directory Programmer’s Guide Coverage
Index 2: Active Directory Reference - Alphabetical Listing
Index 3: ADSI, ADSI Exchange, and Group Policy Programmer’s Guides Coverage
Index 4: ADSI Reference - Alphabetical Listing