Active Directory Web Administration

[localzuk]

I remember a thread about web administration of Active Directory and someone mentioned IIS having this as part of it? (IIRC it was Geoff who mentioned this).

Could someone point me in the right direction to allow me to investigate this?

[Geoff]

http://ldapweb.sourceforge.net/ ?

[localzuk]

Looks interesting. I have just found the old thread now and it was GrumbleDook who said

Yes ... all of this can be done through the Management section of IIS if you have it running on a DC.

For most people the idea of running IIS on a DC is scary as historically you had to spend time hardening the server, panicing everytime there was a new patch and checking the logs to see if people had tried to break it.

It is far easier to do it in taskpanes or via RDC.

Now ... the web front end in Server 2003 is quite robust ... you can set up self0signed certificates to run it over https and generally have an easy life ...

We don't do it here are we have the adminpak loaded on the loacal machines of the techies ... but Technet would be the best place to look.

Or if you like scripting you can build your own ... and I would recommend Thomas Eck's ADSI Scripting for Windows 2000 server as a good place to start.

So it sounds like there should be functionality built straight into IIS somewhere?

[bishopsgarthstockton]

we have viglen here, we can manage the active directory from a web interface any where in the school. Works ok, but now again we have to do a IISRESET. Ideal if your at the other end of the school, and need access.

[srochford]

Why not just use remote desktop? It's available on any Windows PC (or even from my PDA on the odd occasion when I've needed to do something and there's no PC near!)

[techyphil]

Sounds like a good idea - seems these days anything is possible via a browser :P

I suggested we use the Win2003 Admin Tools and install it on the machines in our office so we dont have to keep crossing over and logging into the servers.

But others cant digest the fact that more then 1 person can open AD at once :P lmao

"what if 2 people make a change.. who takes priorty"

heh I do try...

[localzuk]

I currently do use RDP but it is not the smoothest option. It means having multiple RDP sessions open to each server, rather than just doing things via a nice web interface.

@techyphil - you should point them at some of the MCSA core exam books for 2k3. It points out what happens with conflicts. :P

[_Bat_]

Why not just use remote desktop? It's available on any Windows PC (or even from my PDA on the odd occasion when I've needed to do something and there's no PC near!)

We just use this too.

[localzuk]

@_BAT_ and srochford - that isn't what I asked though. I'm asking about web administration...

[fooby]

I am sure I have heard something about this,

Something to do with Exchange group management web interface ithink

Will look more.

fooby

[Norphy]

If you install IIS on one of the DCs and install the Remote Administration (HTML) option which is under Application Server/IIS/World Wide Web Service, you can do this. It's not pretty but it's functional. If you install it on a member server you'll only see local users.

[srochford]

I suggested we use the Win2003 Admin Tools and install it on the machines in our office so we dont have to keep crossing over and logging into the servers.

We would generally put that on all IT support workstations but that's not necessarily useful when you're half a mile away :-)

But others cant digest the fact that more then 1 person can open AD at once :P lmao

"what if 2 people make a change.. who takes priorty"

that's going to be true for almost any way of editing AD - there's always the risk that 2 people are going to try and change simultaneously. the result will always be the same; last writer wins.

[fooby]

Thats only per object anyway.

Will 2 tech's be changing the password of the same user at the same time?

fooby