A new task-based Active Directory interface, as opposed to the existing object-based one, will give administrators the ability to set up or manage resources, such as printers, without having to sort through multiple sites and domains.
"Hierarchies can get really big because you are managing a lot of resources [and]… it's hard to manage [them] at the object level because you have to drill down the [AD] tree. So this new interface treats it like a task and just cuts through the tree," said Doug Leland, general manager of Microsoft's identity and access management business group.
The new management interface is only a prototype for a future version of AD, Leland said. Microsoft is still working on a release date for the next version of AD, and administrators will still be able to do object-based queries, he said.
The new interface will also let administrators run a task-scoped query that shows only the information relevant to that task, rather than dozens or hundreds of resources spread throughout the company, depending on the size of the organization.
With this management tool, administrators will notice a significant reduction in steps needed to perform tasks, said Brian Desmond, an Active Directory expert who works for a large outsourcing firm.
"The prototype -- it's not even an alpha release at this stage -- pops up a window where you can plug in a [user's] name and reset a password in a little box," he said. "That takes a whole lot of steps out of the equation."
Administrators can control their view with check boxes or list boxes, or hide views altogether, so they decide what the user interface looks like, Leland said. "This makes management of a large complex environment much simpler."
The features in the management interface prototype are implemented as PowerShell scripts, so administrators can customize them.
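What such a task-style script could look like for the password-reset task Desmond describes is shown below. This is an added example, not one of the prototype's scripts: it assumes the ActiveDirectory PowerShell module (shipped with RSAT on Windows Server 2008 R2 and later) and an account that has been delegated the "Reset password" right on the target OU; the OU path and the function name are hypothetical.

```powershell
# Added example of a task-based password reset; not Microsoft's prototype code.
# Assumes the ActiveDirectory module and a delegated helpdesk account.
Import-Module ActiveDirectory

function Reset-UserPasswordTask {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Restrict the name to safe characters so it cannot alter the AD filter.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9._-]+$')]
        [string]$SamAccountName,

        # Scope the lookup to the OU the helpdesk is delegated over (assumed path),
        # so a typo cannot resolve to a privileged account elsewhere in the domain.
        [string]$SearchBase = 'OU=Staff,DC=corp,DC=example'
    )

    # Resolve the account inside the delegated scope and fail closed if absent.
    $user = Get-ADUser -Filter { sAMAccountName -eq $SamAccountName } `
                       -SearchBase $SearchBase -Properties LockedOut
    if (-not $user) {
        throw "No account named '$SamAccountName' found under $SearchBase"
    }

    # Prompt for the password as a SecureString rather than taking it as a
    # command-line argument, which would end up in history and audit logs.
    $newPassword = Read-Host -Prompt "New password for $($user.SamAccountName)" -AsSecureString

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset password')) {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
        # Force a change at next logon so the value the helpdesk knows is
        # only ever a one-time credential.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
        if ($user.LockedOut) { Unlock-ADAccount -Identity $user }
    }
}

# Usage (supports -WhatIf for a dry run and -Verbose for the AD calls made):
# Reset-UserPasswordTask -SamAccountName jdoe
```

The point of wrapping the cmdlets in a task is that the scope, the SecureString prompt and the change-at-next-logon flag are enforced every time, rather than left to whoever is working the ticket.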
Microsoft is also working on a prototype management interface for Active Directory Federation Services [ADFS], which securely exchanges identity information and certificates between a company and outside organizations.
Tying ILM into Office
Microsoft is integrating Identity Lifecycle Manager v2, due out in the second half of this year, with Office 2007, shifting responsibility for managing identity profiles from IT to users.
As a result, IT will no longer have to add a user to an Exchange distribution list or a group, for example. Instead, a group leader would add or remove members from those lists directly from Office.
"There is a set of profile characteristics about users maintained in Active Directory that quite frankly should be under the control of the user and not be a burden on IT," Leland said.
What's in Windows Server 2008
Microsoft has integrated its Rights Management Services with ADFS to let companies securely collaborate across corporate boundaries.
IT administrators no longer have to add a user or group from another company to their own AD domain. Instead, users from the partner organization are authenticated through the federation trust and can then be given access to SharePoint documents or email, while Rights Management Services protection keeps unauthorized users from opening or reading those documents, all without adding the partner's users to the local AD domain.
"[With] pre-Windows Server 2008, it was fairly difficult for IT to set up these types of scenarios," Leland said. "There was an added management burden on IT and a security hole."